CompTIA CompTIA Certifications SY0-601 Questions & Answers

• Question 1041:

  A user contacts the help desk to report the following:

  1.

  Two days ago, a pop-up browser window prompted the user for a name and password after connecting to the corporate wireless SSID.

  2.

  This had never happened before, but the user entered the information as requested.

  3.

  The user was able to access the Internet but had trouble accessing the department share until the next day.

  4.

  The user is now getting notifications from the bank about unauthorized transactions.

  Which of the following attack vectors was MOST likely used in this scenario?

  A. Rogue access point

  B. Evil twin

  C. DNS poisoning

  D. ARP poisoning

  Correct Answer: B

  The person started seeing fraudulent bank activity after connecting to the wireless network. On top of that a rogue access point would most likely NOT have the same SSID as the corporate network.

  https://security.stackexchange.com/questions/152816/whats-the-difference-between-an-evil-twin-and-a-rogue-access-point#:~:text=A%20rogue%20access%20point%20is,network%20or%20even%20to%20internet.

• Question 1042:

  The process of passively gathering information poor to launching a cyberattack is called:

  A. tailgating

  B. reconnaissance

  C. pharming

  D. prepending

  Correct Answer: B

• Question 1043:

  An organization's Chief Security Officer (CSO) wants to validate the business's involvement in the incident response plan to ensure its validity and thoroughness. Which of the following will the CSO MOST likely use?

  A. An external security assessment

  B. A bug bounty program

  C. A tabletop exercise

  D. A red-team engagement

  Correct Answer: C

  Reference: https://www.redlegg.com/solutions/advisory-services/tabletop-exercise-pretty-much-everything-you-need-to-know

• Question 1044:

  Rapidly infect computers. Once infected, computers are encrypted and held for ransom. Which of the following would BEST prevent this attack from reoccurring?

  A. Configure the perimeter firewall to deny inbound external connections to SMB ports.

  B. Ensure endpoint detection and response systems are alerting on suspicious SMB connections.

  C. Deny unauthenticated users access to shared network folders.

  D. Verify computers are set to install monthly operating system, updates automatically

  Correct Answer: A

  Because of it is zero-day, detection system will not trigger alert, because it is still unknown vulnerability.

  Of course it can block a lot of other functions, which uses SMB, however it is better than ransomware hit, which blocks everything.

• Question 1045:

  A large industrial system's smart generator monitors the system status and sends alerts to third-party maintenance personnel when critical failures occur. While reviewing the network logs the company's security manager notices the generator's IP is sending packets to an internal file server's IP.

  Which of the following mitigations would be BEST for the security manager to implement while maintaining alerting capabilities?

  A. Segmentation

  B. Firewall whitelisting

  C. Containment D. isolation

  Correct Answer: A

  Segmentation. DMZ and VLAN are examples of segmentation. You can configure the device to be on its own isolated network while having access to the third-party vendor. The device will still try to communicate with the file server but traffic will be dropped and logged. This is how you would want to set up IoT and untrusted devices.

• Question 1046:

  A commercial cyber-threat intelligence organization observes IoCs across a variety of unrelated customers.

  Prior to releasing specific threat intelligence to other paid subscribers, the organization is MOST likely obligated by contracts to:

  A. perform attribution to specific APTs and nation-state actors.

  B. anonymize any PII that is observed within the IoC data.

  C. add metadata to track the utilization of threat intelligence reports.

  D. assist companies with impact assessments based on the observed data

  Correct Answer: B

• Question 1047:

  Accompany has a flat network that is deployed in the cloud. Security policy states that all production and development servers must be segmented. Which of the following should be used to design the network to meet the security requirements?

  A. CASB

  B. VPC

  C. Perimeter network

  D. WAF

  Correct Answer: B

  "Security policy states that all production and development servers must be segmented" which can be achieved by using a VPC

• Question 1048:

  A security engineer has enabled two-factor authentication on all workstations. Which of the following approaches are the MOST secure? (Select TWO).

  A. Password and security question

  B. Password and CAPTCHA

  C. Password and smart card

  D. Password and fingerprint

  E. Password and one-time token

  F. Password and voice

  Correct Answer: CD

  couldn't be E because the word everyone is missing is TIME BASED one time Token. where after a certain time the token expires. On one-time token, it relies for the token to be Authenticated to expire, if it never gets authenticated it can still

  be used later.

  Two-factor/MFA requires two different forms of either (1) something you know (2) something you have, or (3) something you are. It cannot be two of the same.

• Question 1049:

  A security administrator checks the table of a network switch, which shows the following output:

  

  Which of the following is happening to this switch?

  A. MAC Flooding

  B. DNS poisoning

  C. MAC cloning

  D. ARP poisoning

  Correct Answer: A

  The MAC Flooding is an attacking method intended to compromise the security of the network switches. Usually, the switches maintain a table structure called MAC Table. This MAC Table consists of individual MAC addresses of the host computers on the network which are connected to ports of the switch. This table allows the switches to direct the data out of the ports where the recipient is located.

  The aim of the MAC Flooding is to takedown this MAC Table. In a typical MAC Flooding attack, the attacker sends Ethernet Frames in a huge number. When sending many Ethernet Frames to the switch, these frames will have various sender addresses. The intention of the attacker is consuming the memory of the switch that is used to store the MAC address table. The MAC addresses of legitimate users will be pushed out of the MAC Table. Now the switch cannot deliver the incoming data to the destination system. So considerable number of incoming frames will be flooded at all ports.

  https://www.interserver.net/tips/kb/mac-flooding-prevent/

• Question 1050:

  An attacked is attempting to exploit users by creating a fake website with the URL www.validwebsite.com.

  The attacker's intent is to imitate the look and feel of a legitimate website to obtain personal information from unsuspecting users.

  Which of the following social-engineering attacks does this describe?

  A. Information elicitation

  B. Type squatting

  C. Impersonation

  D. Watering-hole attack

  Correct Answer: B

  It's really the only logical answer. Everything else is more plausible to eliminate.

  Information elicitation is done directly in-person, meaning it's typically conversational in nature.

  Impersonation centers around PERSONS, not websites. You can't impersonate websites; you can only create similar-looking ones.

  Water-hole attacks are performed on third-party websites one suspects the targeted organization uses; this can't be the case here if the attacker created the website themselves.

  That leaves typosquatting. While it doesn't explicitly say it's a misspelling of another website, we can't outright rule out that possibility either. It's literally the only applicable answer for creating a website that imitates a legitimate one, after all,

  and it implies it's not the original site by saying it's emulating the "look and feel of a legitimate website."

  Either way, it's ridiculously ambiguous. I'm hoping CompTIA weights answers so that not ALL of them award zero points.