CompTIA CompTIA Certifications SY0-601 Questions & Answers

• Question 1081:

  Which of the following is the MOST relevant security check to be performed before embedding third-parry libraries in developed code?

  A. Check to see if the third party has resources to create dedicated development and staging environments.

  B. Verify the number of companies that downloaded the third-party code and the number of contributions on the code repository.

  C. Assess existing vulnerabilities affecting the third-parry code and the remediation efficiency of the libraries' developers.

  D. Read multiple penetration-testing reports for environments running software that reused the library.

  Correct Answer: C

  What to be done to best prevent issues in third-party code?

  Establish a baseline and process for every third-party software that is introduced into the organisation, including performing a risk assessment to establish the risk associated with implementing a certain piece of code.

• Question 1082:

  Security analysts are conducting an investigation of an attack that occurred inside the organization's network. An attacker was able to connect network traffic between workstation throughout the network. The analysts review the following logs:

  

  The layer 2 address table has hundred of entries similar to the ones above. Which of the following attacks has MOST likely occurred?

  A. SQL injection

  B. DNS spoofing

  C. MAC flooding

  D. ARP poisoning

  Correct Answer: C

  The question mentions that the table is on Layer 2 which is the Data link layer. The data-link layer is where switches operates on to move traffic. Switches will use MAC addresses to find the physical address of the device. This is because the Layer 2 address(MAC Address) will be unique on the local network.

  MAC flooding is a cyber attack that overflows the MAC Table (Layer 2 Table) of switches by sending out invalid MAC addresses.

  When a MAC Address table is full, the switch is no longer able to save new addresses, so it will enter into fail-open mode and begin broadcasting data (like a hub) to all ports. This will allow an attacker to get data packets intended for another computer and be able to steal sensitive information.

• Question 1083:

  A security analyst is working on a project to implement a solution that monitors network communications and provides alerts when abnormal behavior is detected

  Which of the following is the security analyst MOST likely implementing?

  A. Vulnerability scans

  B. User behavior analysis

  C. Security orchestration, automation, and response

  D. Threat hunting

  Correct Answer: B

  "UEBA is an extension of SIEM where, in addition to observing suspicious network behavior, they also trigger alerts when unusual entity or user behavior is observed"

• Question 1084:

  A forensic analyst needs to prove that data has not been tampered with since it was collected

  Which of the following methods will the analyst MOST likely use?

  A. Look for tampenng on the evidence collection bag

  B. Encrypt the collected data using asymmetric encryption

  C. Ensure proper procedures for chain of custody are being followed

  D. Calculate the checksum using a hashing algorithm

  Correct Answer: D

  A checksum is specifically intended to verify the integrity of data or find data corruption. Comparing a file's original and current checksum. And if a byte or even a piece of the file's data has been changed, the original and current checksum will

  be different, and therefore you will know whether it's the same file or not.

  =====================

  (A)

  - This is essentially the physical version of checking if something was tampered but wouldn't work for virtual data

  (B)

  - Dont need to encrypt anything

  (C)

  - Even if a proper chain of custody was followed, it doesn't guarantee that data hasn't been modified by anyone that had access to the data.

• Question 1085:

  During a trial, a judge determined evidence gathered from a hard drive was not admissible. Which of the following BEST explains this reasoning?

  A. The forensic investigator forgot to run a checksum on the disk image after creation

  B. The chain of custody form did not note time zone offsets between transportation regions

  C. The computer was turned off. and a RAM image could not be taken at the same time

  D. The hard drive was not properly kept in an antistatic bag when rt was moved

  Correct Answer: B

  The question states that a trial Judge determined evidence gathered from a hard drive was not admissible. It is obvious that this is a legal matter. All of the remaining answers are of a technical nature, So consequently the only issue that a Judge can rule on is a Chain of custody issue. So, ladies and gentlemen, I rest my case (quickly bangs a gavel upon the desk)

• Question 1086:

  A security engineer was assigned to implement a solution to prevent attackers from gaining access by pretending to be authorized users. Which of the following technologies meets the requirement?

  A. SSO

  B. IDS

  C. MFA

  D. TPM

  Correct Answer: C

  MFA = harder to impersonate due to having multifactor authentication.

• Question 1087:

  DDoS attacks are causing an overload on the cluster of cloud servers. A security architect is researching alternatives to make the cloud environment respond to load fluctuation in a cost-effective way.

  Which of the following options BEST fulfils the architect's requirements?

  A. An orchestration solution that can adjust scalability of cloud assets

  B. Use of multipath by adding more connections to cloud storage

  C. Cloud assets replicated on geographically distributed regions

  D. An on-site backup that is deployed and only used when the load increases

  Correct Answer: A

  Scaling cloud infrastructures can experience lag during the periods of high activity, where other assets have to either be added, or become active. This is the compromise for a cost- effective solution that scales. The company could go for a system that is absolutely overkill on assets at all times, in preparation for those brief peak moments. But this is expensive, and unlikely to be taken by most companies. Only case you would want to use one of these is if you have a sensitive or critical service that MUST remain online. Stock exchange servers, military servers, bank servers, etc. come to mind for this criteria.

• Question 1088:

  Which of the following statements BEST describes zero-day exploits'?

  A. When a zero-day exploit is discovered, the system cannot be protected by any means

  B. Zero-day exploits have their own scoring category in CVSS

  C. A zero-day exploit is initially undetectable and no patch for it exists

  D. Discovering zero-day exploits is always performed via bug bounty programs

  Correct Answer: C

  Zero-day = Never seen before attack

  Therefore it cannot be patched or recognized in a database if it has not occurred or been documented before.

• Question 1089:

  A company is receiving emails with links to phishing sites that look very similar to the company's own website address and content. Which of the following is the BEST way for the company to mitigate this attack?

  A. Create a honeynet to trap attackers who access the VPN with credentials obtained by phishing.

  B. Generate a list of domains similar to the company's own and implement a DNS sinkhole for each.

  C. Disable POP and IMAP on all Internet-facing email servers and implement SMTPS.

  D. Use an automated tool to flood the phishing websites with fake usernames and passwords.

  Correct Answer: B

  The best way for the company to mitigate this attack would be to implement a DNS sinkhole for domains similar to the company's own. A DNS sinkhole is a security measure that redirects traffic from known malicious or fraudulent websites to a safe location. By generating a list of domains similar to the company's own and setting up a DNS sinkhole for each, the company can prevent employees from accidentally accessing phishing websites that mimic the company's own domain. Other solutions such as disabling POP and IMAP on email servers, implementing SMTPS, or using an automated tool to flood phishing websites with fake credentials may also be effective, but a DNS sinkhole would be the most direct and effective way to prevent employees from accessing the phishing sites. Creating a honeynet would not be relevant in this scenario.

• Question 1090:

  A tax organization is working on a solution to validate the online submission of documents The solution should be earned on a portable USB device that should be inserted on any computer that is transmitting a transaction securely.

  Which of the following is the BEST certificate for these requirements?

  A. User certificate

  B. Self-signed certificate

  C. Computer certificate

  D. Root certificate

  Correct Answer: A

  The best certificate for these requirements would be a user certificate. A user certificate is a digital certificate that is issued to an individual and is used to authenticate the user's identity when accessing a network or system. In this case, the organization could issue a user certificate to each individual who is authorized to submit documents online, and the certificate could be stored on a portable USB device. When the individual inserts the USB device into a computer and initiates a transaction, the user certificate would be used to securely authenticate the user's identity and allow the transaction to be processed. Other types of certificates such as a self-signed certificate, a computer certificate, or a root certificate could potentially be used for these purposes, but a user certificate would be the most appropriate solution in this scenario.