CompTIA CompTIA Certifications SY0-601 Questions & Answers

• Question 491:

  While investigating a recent security incident, a security analyst decides to view all network connections on a particular server, Which of the following would provide the desired information?

  A. arp

  B. nslookup

  C. netstat

  D. nmap

  Correct Answer: C

  The netstat command shows all active network connections, network interface information, and ports that are listening. The question is asking to view all the connections on the server which the netstat command will do.

  ==================================

  Nmap or network mapper is a network discovery and security auditing tool mainly used to find services, hosts, and open ports on a network.

  Nslookup - This command queries DNS servers to obtain DNS records

  ARP Command is a TCP/IP utility used for viewing and modifying the local Address Resolution Protocol (ARP) cache.

• Question 492:

  A security analyst is reviewing application logs to determine the source of a breach and locates the following log: Which Of the following has been observed?

  

  A. DLL Injection

  B. API attack

  C. SQLI

  D. XSS

  Correct Answer: C

  SQLi (SQL injection) has been observed.

  SQL injection is a type of cyber attack that involves injecting malicious code into a database through a vulnerable web application. The malicious code is typically designed to manipulate or extract data from the database, allowing the attacker to gain unauthorized access to sensitive information.

  The log provided in the question appears to be a URL for a login page, with a string of text appended to the end. This string includes the text "or '1'1='1", which is a common syntax used in SQL injection attacks. This indicates that an SQL injection attack may have been attempted or successfully carried out against the website.

• Question 493:

  The new Chief Information Security Officer at a company has asked the security team to implement stronger user account policies. The new policies require:

  1.

  Users to choose a password unique to their last ten passwords

  2.

  Users to not log in from certain high-risk countries

  Which of the following should the security team implement? (Select TWO).

  A. Password complexity

  B. Password history

  C. Geolocation

  D. Geofencing

  E. Geotagging

  F. Password reuse

  Correct Answer: BD

  From the CompTIA Study guide - "Geofencing refers to accepting or rejecting access based on location."

• Question 494:

  Which of the following is the MOST likely reason for securing an air-gapped laboratory HVAC system?

  A. To avoid data leakage

  B. To protect surveillance logs

  C. To ensure availability

  D. To facilitate third-party access

  Correct Answer: C

  "HVACKer attacks are only useful for relaying commands into an air-gapped network, but not for stealing data. While malware can control a computer's heat emissions, *HVAC units are not equipped with enough accurate temperature sensors to pick up data* from a computer's almost indiscernible heat emissions."

• Question 495:

  During a security incident investigation, an analyst consults the company's SIEM and sees an event concerning high traffic to a known, malicious command-and-control server. The analyst would like to determine the number of company workstations that may be impacted by this issue. Which of the following can provide the information?

  A. WAF logs

  B. DNS logs

  C. System logs

  D. Application logs

  Correct Answer: B

  DNS logs can contain a record for every query and response. It can show the IP addresses and domain names that your system should/shouldn't be communicating with, it can reveal malware calling out to its command-and-control server, or data transfers to non-company locations. This is one of the reasons why DNS logs are some of the most valuable logs to import into a SIEM system.

• Question 496:

  A network engineer created two subnets that will be used for production and development servers. Per security policy, production and development servers must each have a dedicated network that cannot communicate with one another directly.

  Which of the following should be deployed so that server administrators can access these devices?

  A. VLANS

  B. Internet proxy servers

  C. NIDS

  D. Jump servers

  Correct Answer: D

  A jump server, jump host or jump box is a system on a network used to access and manage devices in a separate security zone. A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them

• Question 497:

  A Chief Information Security Officer wants to ensure the organization is validating and checking the Integrity of zone transfers. Which of the following solutions should be implemented?

  A. DNSSEC

  B. LOAPS

  C. NGFW

  D. DLP

  Correct Answer: A

  Domain Name System Security Extensions (DNSSEC) is a set of specifications that extend the DNS protocol by adding cryptographic authentication

• Question 498:

  A penetration tester is fuzzing an application to identify where the EIP of the stack is located on memory. Which of the following attacks is the penetration tester planning to execute?

  A. Race-condition

  B. Pass-the-hash

  C. Buffer overflow

  D. XSS

  Correct Answer: C

  The penetration tester is planning to execute a buffer overflow attack. A buffer overflow attack is a type of security vulnerability that occurs when a program attempts to write data to a memory buffer that is too small to hold it. This can cause the program to crash or, in some cases, allow an attacker to execute arbitrary code. One way to identify where the EIP of the stack is located on memory is to use a technique called fuzzing, which involves sending large amounts of data to an application in order to identify areas where the application is vulnerable to buffer overflow attacks

• Question 499:

  After a recent security breach, a security analyst reports that several administrative usernames and passwords are being sent via cleartext across the network to access network devices over port 23. Which of the following should be implemented so all credentials sent over the network are encrypted when remotely accessing and configuring network devices?

  A. SSH

  B. SNMPv3

  C. SFTP

  D. Telnet

  E. FTP

  Correct Answer: A

  SSH (22)

  Port 23 (Telnet) and Port 22 (SSH) are network protocols used to remotely access and manage systems however telnet does not encrypt the connection so captured traffic appears in cleartext whereas an ssh connection would be encrypted.

  =========================

  SNMP (Simple Network Management Protocol) - is a protocol for collecting and organizing information about managed devices on networks. Devices that typically support SNMP include servers/desktops, routers, switches, etc.

  SFTP (Secure File Transfer Protocol) is a secure file transfer protocol that uses SSH encryption to securely sending and receiving file transfers.

  FTP (File Transfer Protocol) - For file transfers

• Question 500:

  Which of the following is a reason to publish files' hashes?

  A. To validate the integrity of the files

  B. To verify if the software was digitally signed

  C. To use the hash as a software activation key

  D. To use the hash as a decryption passphrase

  Correct Answer: A

  To validate the integrity of the files - Hash function algorithms compares the file's original and current hash values. And if a byte or even a piece of the file's data has been changed, the original and current hash values will be different, and therefore you will know whether it's the same file or not.