CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 261:

  Users are encouraged to click on a link in an email to obtain exclusive access to the newest version of a popular Smartphone. This is an example of.

  A. Scarcity

  B. Familiarity

  C. Intimidation

  D. Trust

  Correct Answer: A

  Scarcity, in the area of social psychology, works much like scarcity in the area of economics. Simply put, humans place a higher value on an object that is scarce, and a lower value on those that are abundant. The thought that we, as humans, want something we cannot have drives us to desire the object even more. This idea is deeply embedded in the intensely popular, "Black Friday" shopping extravaganza that U.S. consumers participate in every year on the day after Thanksgiving. More than getting a bargain on a hot gift idea, shoppers thrive on the competition itself, in obtaining the scarce product.

  In this question, people want the brand new latest version of a smartphone. The temptation of being one of the first to get the new phone will tempt people into clicking the link in the email.

  Incorrect Answers:

  B: Familiarity is a generic feeling in which a situation, event, place, person or object directly provokes a subjective feeling of recognition which we then believe to be a memory. As a result, we recognize "it".

  In this question, the temptation is a new smartphone. Familiarity with the older model of the smartphone might make the new model desirable. However, the scarcity of the new phone makes it more desirable and so more tempting to click the

  link. Therefore, this answer is incorrect.

  C: If the users were being threatened to force them to click the link that would be intimidation. However, the users are being tempted to click the link due to the scarcity of the new smartphone.

  Therefore, this answer is incorrect.

  D: This is not an example of trust. The users may trust the source of the email but it's the scarcity of the new smartphone that makes it more desirable and so more tempting for the users to click the link. Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/Scarcity_%28social_psychology%29

• Question 262:

  Which of the following attacks targets high level executives to gain company information?

  A. Phishing

  B. Whaling

  C. Vishing

  D. Spoofing

  Correct Answer: B

  Whaling is a specific kind of malicious hacking within the more general category of phishing, which involves hunting for data that can be used by the hacker. In general, phishing efforts are focused on collecting personal data about users. In whaling, the targets are high-ranking bankers, executives or others in powerful positions or job titles. Hackers who engage in whaling often describe these efforts as "reeling in a big fish," applying a familiar metaphor to the process of scouring technologies for loopholes and opportunities for data theft. Those who are engaged in whaling may, for example, hack into specific networks where these powerful individuals work or store sensitive data. They may also set up keylogging or other malware on a work station associated with one of these executives. There are many ways that hackers can pursue whaling, leading C-level or top-level executives in business and government to stay vigilant about the possibility of cyber threats.

  Incorrect Answers:

  A: Phishing is the act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.

  Phishing email will direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers, that the legitimate organization already has. The website,

  however, is bogus and set up only to steal the information the user enters on the page.

  Phishing emails are blindly sent to thousands, if not millions of recipients. By spamming large groups of people, the "phisher" counts on the email being read by a percentage of people who actually have an account with the legitimate

  company being spoofed in the email and corresponding webpage. Phishing, also referred to as brand spoofing or carding, is a variation on "fishing," the idea being that bait is thrown out with the hopes that while most will ignore the bait, some

  will be tempted into biting. Phishing is not specifically targeted toward high-level executives. Therefore, this answer is incorrect.

  C: Vishing (voice or VoIP phishing) is an electronic fraud tactic in which individuals are tricked into revealing critical financial or personal information to unauthorized entities. Vishing works like phishing but does not always occur over the

  Internet and is carried out using voice technology. A vishing attack can be conducted by voice email, VoIP (voice over IP), or landline or cellular telephone.

  The potential victim receives a message, often generated by speech synthesis, indicating that suspicious activity has taken place in a credit card account, bank account, mortgage account or other financial service in their name. The victim is

  told to call a specific telephone number and provide information to "verify identity" or to "ensure that fraud does not occur." If the attack is carried out by telephone, caller ID spoofing can cause the victim's set to indicate a legitimate source,

  such as a bank or a government agency.

  Vishing is not specifically targeted toward high-level executives. Therefore, this answer is incorrect.

  D: There are several kinds of spoofing including email, caller ID, MAC address, and uniform resource locator (URL) spoof attacks. All types of spoofing are designed to imitate something or someone.

  Email spoofing (or phishing), used by dishonest advertisers and outright thieves, occurs when email is sent with falsified "From:" entry to try and trick victims that the message is from a friend, their bank, or some other legitimate source. Any

  email that claims it requires your password or any personal information could be a trick.

  Spoofing is not specifically targeted toward high-level executives. Therefore, this answer is incorrect.

  References: http://www.webopedia.com/TERM/P/phishing.html http://searchunifiedcommunications.techtarget.com/definition/vishing

• Question 263:

  Which of the following is characterized by an attacker attempting to map out an organization's staff hierarchy in order to send targeted emails?

  A. Whaling

  B. Impersonation

  C. Privilege escalation

  D. Spear phishing

  Correct Answer: A

  A whaling attack is targeted at company executives. Mapping out an organization's staff hierarchy to determine who the people at the top are is also part of a whaling attack. Whaling is a specific kind of malicious hacking within the more general category of phishing, which involves hunting for data that can be used by the hacker. In general, phishing efforts are focused on collecting personal data about users. In whaling, the targets are high-ranking bankers, executives or others in powerful positions or job titles. Hackers who engage in whaling often describe these efforts as "reeling in a big fish," applying a familiar metaphor to the process of scouring technologies for loopholes and opportunities for data theft. Those who are engaged in whaling may, for example, hack into specific networks where these powerful individuals work or store sensitive data. They may also set up keylogging or other malware on a work station associated with one of these executives. There are many ways that hackers can pursue whaling, leading C-level or top-level executives in business and government to stay vigilant about the possibility of cyber threats.

  Incorrect Answers:

  B: Impersonation is where a person, computer, software application or service pretends to be someone it's not. Impersonation is commonly non-maliciously used in client/server applications. However, it can also be used as a security threat. No examples of impersonation occurred in this question. Therefore, this answer is incorrect.

  C: Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The attack described in the question is not an example of privilege escalation. Therefore, this answer is incorrect.

  D: Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or Web site with a broad membership base, such as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail is likely to be an individual within the recipient's own company and generally someone in a position of authority. Mapping out an organization's staff hierarchy could be used for a spear phishing attack. However, the emails in a spear phishing attack would be sent to everyone in the company (not targeted to specific people) with the sender ID spoofed to appear to be from someone in authority. In this question, it's likely that the emails would be targeted to the executives and that would be an example of whaling. Therefore, this answer is incorrect.

  References: http://www.techopedia.com/definition/28643/whaling http://searchsecurity.techtarget.com/definition/spear-phishing

• Question 264:

  Sara, an attacker, is recording a person typing in their ID number into a keypad to gain access to the building. Sara then calls the helpdesk and informs them that their PIN no longer works and would like to change it. Which of the following attacks occurred LAST?

  A. Phishing

  B. Shoulder surfing

  C. Impersonation

  D. Tailgating

  Correct Answer: C

  Two attacks took place in this question. The first attack was shoulder surfing. This was the act of Sara recording a person typing in their ID number into a keypad to gain access to the building. The second attack was impersonation. Sara called the helpdesk and used the PIN to impersonate the person she recorded.

  Incorrect Answers:

  A: Phishing is the act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.

  Phishing email will direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers, that the legitimate organization already has. The website,

  however, is bogus and set up only to steal the information the user enters on the page.

  Phishing emails are blindly sent to thousands, if not millions of recipients. By spamming large groups of people, the "phisher" counts on the email being read by a percentage of people who actually have an account with the legitimate

  company being spoofed in the email and corresponding webpage. Phishing, also referred to as brand spoofing or carding, is a variation on "fishing," the idea being that bait is thrown out with the hopes that while most will ignore the bait, some

  will be tempted into biting.

  No examples of phishing occurred in this question. Therefore, this answer is incorrect.

  B: Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to

  someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To

  prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand. Shoulder surfing was the first attack in this question. This was the act of Sara recording a person

  typing in their ID number into a keypad to gain access to the building. Therefore, this answer is incorrect.

  D: Just as a driver can tailgate another driver's car by following too closely, in the security sense, tailgating means to compromise physical security by following somebody through a door meant to keep out intruders. Tailgating is actually a

  form of social engineering, whereby someone who is not authorized to enter a particular area does so by following closely behind someone who is authorized.

  No examples of tailgating occurred in this question. Therefore, this answer is incorrect.

  References: http://www.webopedia.com/TERM/P/phishing.html http://searchsecurity.techtarget.com/definition/shoulder-surfing http://www.yourdictionary.com/tailgating

• Question 265:

  A security administrator forgets their card to access the server room. The administrator asks a coworker if they could use their card for the day. Which of the following is the administrator using to gain access to the server room?

  A. Man-in-the-middle

  B. Tailgating

  C. Impersonation

  D. Spoofing

  Correct Answer: C

  Impersonation is where a person, computer, software application or service pretends to be someone or something it's not. Impersonation is commonly non- maliciously used in client/server applications. However, it can also be used as a security threat.

  In this question, by using the coworker's card, the security administrator is `impersonating' the coworker. The server room locking system and any logging systems will `think' that the coworker has entered the server room.

  Incorrect Answers:

  A: In cryptography and computer security, a man-in-the-middle attack is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.

  One example is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in

  fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. This is straightforward in many circumstances; for example, an

  attacker within reception range of an unencrypted Wi-Fi wireless access point, can insert himself as a man-in-the-middle. This is not what is described in this question. Therefore, this answer is incorrect.

  B: Just as a driver can tailgate another driver's car by following too closely, in the security sense, tailgating means to compromise physical security by following somebody through a door meant to keep out intruders. Tailgating is actually a

  form of social engineering, whereby someone who is not authorized to enter a particular area does so by following closely behind someone who is authorized. If the security administrator had followed the co-worker into the server room, that

  would be an example of tailgating. However, borrowing the co-worker's card is not tailgating.

  Therefore, this answer is incorrect.

  D: There are several kinds of spoofing including email, caller ID, MAC address, and uniform resource locator (URL) spoof attacks. All types of spoofing are designed to imitate something or someone.

  Email spoofing (or phishing), used by dishonest advertisers and outright thieves, occurs when email is sent with falsified "From:" entry to try and trick victims that the message is from a friend, their bank, or some other legitimate source. Any

  email that claims it requires your password or any personal information could be a trick. If the security administrator had created a card the same as the co-worker's card, that could be an example of spoofing. However, borrowing the coworker's card is not spoofing. Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/Man-in-the-middle_attack http://www.yourdictionary.com/tailgating

• Question 266:

  A database administrator receives a call on an outside telephone line from a person who states that they work for a well-known database vendor. The caller states there have been problems applying the newly released vulnerability patch for

  their database system, and asks what version is being used so that they can assist.

  Which of the following is the BEST action for the administrator to take?

  A. Thank the caller, report the contact to the manager, and contact the vendor support line to verify any reported patch issues.

  B. Obtain the vendor's email and phone number and call them back after identifying the number of systems affected by the patch.

  C. Give the caller the database version and patch level so that they can receive help applying the patch.

  D. Call the police to report the contact about the database systems, and then check system logs for attack attempts.

  Correct Answer: A

  Impersonation is where a person, computer, software application or service pretends to be someone or something it's not. Impersonation is commonly non- maliciously used in client/server applications. However, it can also be used as a security threat.

  In this question, the person making the call may be impersonating someone who works for a well-known database vendor. The actions described in this answer would mitigate the risk. By not divulging information about your database system and contacting the vendor directly, you can be sure that you are talking to the right people.

  Incorrect Answers:

  B: Identifying the number of systems affected by the patch would involve divulging the version number to the caller without being able to verify his identity. Therefore, this answer is incorrect.

  C: Giving the caller the database version and patch level so that they can receive help applying the patch would be divulging potentially sensitive information to someone without being able to verify their identity. The version information could then be used for malicious purposes later especially if that version of software has known vulnerabilities. Therefore, this answer is incorrect.

  D: Calling the police to report the contact about the database systems, and then checking system logs for attack attempts may be overkill. You don't know that the caller is malicious. He may well be from the vendor company. You just need a way to verify his identity. Therefore, this answer is incorrect.

• Question 267:

  Purchasing receives a phone call from a vendor asking for a payment over the phone. The phone number displayed on the caller ID matches the vendor's number. When the purchasing agent asks to call the vendor back, they are given a different phone number with a different area code.

  Which of the following attack types is this?

  A. Hoax

  B. Impersonation

  C. Spear phishing

  D. Whaling

  Correct Answer: B

  In this question, the impersonator is impersonating a vendor and asking for payment. They have managed to `spoof' their calling number so that their caller ID matches the vendor's number. Impersonation is where a person, computer,

  software application or service pretends to be someone or something it's not. Impersonation is commonly non-maliciously used in client/server applications. However, it can also be used as a security threat.

  Incorrect Answers:

  A: A hoax is something that makes a person believe that something is real when it is not. A hoax is usually not malicious or theft. Therefore, this answer is incorrect.

  C: Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or Web site with a broad membership base, such as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail is likely to be an individual within the recipient's own company and generally someone in a position of authority. Spear phishing involves email spoofing rather than telephone spoofing. Therefore this answer is incorrect.

  D: Whaling is a specific kind of malicious hacking within the more general category of phishing, which involves hunting for data that can be used by the hacker. In general, phishing efforts are focused on collecting personal data about users. In whaling, the targets are high-ranking bankers, executives or others in powerful positions or job titles. Hackers who engage in whaling often describe these efforts as "reeling in a big fish," applying a familiar metaphor to the process of scouring technologies for loopholes and opportunities for data theft. Those who are engaged in whaling may, for example, hack into specific networks where these powerful individuals work or store sensitive data. They may also set up keylogging or other malware on a work station associated with one of these executives. There are many ways that hackers can pursue whaling, leading C-level or top-level executives in business and government to stay vigilant about the possibility of cyber threats. This is not what is described in this question. Therefore, this answer is incorrect.

  References:

  http://searchsecurity.techtarget.com/definition/spear-phishing http://www.techopedia.com/definition/28643/whaling

• Question 268:

  Pete's corporation has outsourced help desk services to a large provider. Management has published a procedure that requires all users, when receiving support, to call a special number. Users then need to enter the code provided to them

  by the help desk technician prior to allowing the technician to work on their PC.

  Which of the following does this procedure prevent?

  A. Collusion

  B. Impersonation

  C. Pharming

  D. Transitive Access

  Correct Answer: B

  Impersonation is where a person, computer, software application or service pretends to be someone or something it's not. Impersonation is commonly non- maliciously used in client/server applications. However, it can also be used as a security threat.

  The procedure the users have to go through is to ensure that the technician who will have access to the computer is a genuine technician and not someone impersonating a technician.

  Incorrect Answers:

  A: In computer security, `collusion' is the practice of two or more people working together to commit fraud, data theft or some other malicious act. The procedure in the question is not designed to prevent collusion. Therefore, this answer is incorrect.

  C: Similar in nature to e-mail phishing, pharming seeks to obtain personal or private (usually financial related) information through domain spoofing. Rather than being spammed with malicious and mischievous e-mail requests for you to visit spoof Web sites which appear legitimate, pharming 'poisons' a DNS server by infusing false information into the DNS server, resulting in a user's request being redirected elsewhere. Your browser, however will show you are at the correct Web site, which makes pharming a bit more serious and more difficult to detect. Phishing attempts to scam people one at a time with an e-mail while pharming allows the scammers to target large groups of people at one time through domain spoofing. The procedure in the question is not designed to prevent pharming. Therefore, this answer is incorrect.

  D: With transitive access, one party (A) trusts another party (B). If the second party (B) trusts another party (C), then a relationship can exist where the first party (A) also may trust the third party (C). The procedure in the question is not designed to prevent transitive access. Therefore, this answer is incorrect.

  References: http://www.webopedia.com/TERM/P/pharming.html

• Question 269:

  At the outside break area, an employee, Ann, asked another employee to let her into the building because her badge is missing. Which of the following does this describe?

  A. Shoulder surfing

  B. Tailgating

  C. Whaling

  D. Impersonation

  Correct Answer: B

  Although Ann is an employee and therefore authorized to enter the building, she does not have her badge and therefore strictly she should not be allowed to enter the building. Just as a driver can tailgate another driver's car by following too

  closely, in the security sense, tailgating means to compromise physical security by following somebody through a door meant to keep out intruders. Tailgating is actually a form of social engineering, whereby someone who is not authorized to

  enter a particular area does so by following closely behind someone who is authorized.

  Incorrect Answers:

  A: Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand. Incinerating documents will not prevent shoulder surfing. Ann is not trying to view sensitive information. Therefore this answer is incorrect.

  C: Whaling is a specific kind of malicious hacking within the more general category of phishing, which involves hunting for data that can be used by the hacker. In general, phishing efforts are focused on collecting personal data about users. In whaling, the targets are high-ranking bankers, executives or others in powerful positions or job titles. Hackers who engage in whaling often describe these efforts as "reeling in a big fish," applying a familiar metaphor to the process of scouring technologies for loopholes and opportunities for data theft. Those who are engaged in whaling may, for example, hack into specific networks where these powerful individuals work or store sensitive data. They may also set up keylogging or other malware on a work station associated with one of these executives. There are many ways that hackers can pursue whaling, leading C-level or top-level executives in business and government to stay vigilant about the possibility of cyber threats. There is no malicious intent by Ann entering the building. Therefore this answer is incorrect.

  D: Impersonation is where a person, computer, software application or service pretends to be someone it's not. Impersonation is commonly non-maliciously used in client/server applications. However, it can also be used as a security threat. Ann is not trying to `impersonate' someone else. Therefore this answer is incorrect.

  References: http://www.yourdictionary.com/tailgating http://searchsecurity.techtarget.com/definition/shoulder-surfing http://www.techopedia.com/definition/28643/whaling

• Question 270:

  Physical documents must be incinerated after a set retention period is reached. Which of the following attacks does this action remediate?

  A. Shoulder Surfing

  B. Dumpster Diving

  C. Phishing

  D. Impersonation

  Correct Answer: B

  Incinerating documents (or shredding documents) instead of throwing them into a bin will prevent people being able to read the documents to view sensitive information. Dumpster diving is looking for treasure in someone else's trash. (A dumpster is a large trash container.) In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network. Dumpster diving isn't limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or organizational chart can be used to assist an attacker using social engineering techniques to gain access to the network. To prevent dumpster divers from learning anything valuable from your trash, experts recommend that your company establish a disposal policy where all paper, including print-outs, is shredded in a cross-cut shredder before being recycled, all storage media is erased, and all staff is educated about the danger of untracked trash.

  Incorrect Answers:

  A: Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to

  someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To

  prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand. Incinerating documents will not prevent shoulder surfing. Therefore, this answer is incorrect.

  C: Phishing is the act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.

  Phishing email will direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers, that the legitimate organization already has. The website,

  however, is bogus and set up only to steal the information the user enters on the page.

  Phishing emails are blindly sent to thousands, if not millions of recipients. By spamming large groups of people, the "phisher" counts on the email being read by a percentage of people who actually have an account with the legitimate

  company being spoofed in the email and corresponding webpage. Phishing, also referred to as brand spoofing or carding, is a variation on "fishing," the idea being that bait is thrown out with the hopes that while most will ignore the bait, some

  will be tempted into biting. Incinerating documents will not prevent phishing. Therefore, this answer is incorrect.

  D: Impersonation is where a person, computer, software application or service pretends to be someone it's not. Impersonation is commonly non-maliciously used in client/server applications. However, it can also be used as a security threat.

  While the information gained by viewing documents could be used by an impersonator, incinerating documents alone will not prevent impersonation. Therefore, this answer is incorrect.

  References:

  http://searchsecurity.techtarget.com/definition/dumpster-diving http://searchsecurity.techtarget.com/definition/shoulder-surfing http://www.webopedia.com/TERM/P/ phishing.html