A cybersecurity analyst reviews the log files from a web server and sees a series of files that indicates a directory-traversal attack has occurred. Which of the following is the analyst MOST likely seeing?
A. http://sample.url.com/
B. http://sample.url.com/someotherpageonsite/../../../etc/shadow
C. http://sample.url.com/select-from-database-where-password-null
D. http://redirect.sameple.url.sampleurl.com/malicious-dns-redirect
Correct Answer: B
B. http://sample.url.com/someotherpageonsite/../../../etc/shadow is most likely a directory traversal attack.
A directory traversal attack, also known as a "dot-dot-slash" attack, involves manipulating the directory structure of a web server to access restricted directories and files. This is typically done by using the "../" sequence to move up the directory tree and reach directories outside the intended web root. In this scenario, the log files indicate that an attacker has used a directory traversal attack to access the "/etc/shadow" file, which typically contains hashed passwords for system accounts. This is different from an SQL injection attack (C), which involves injecting malicious code into an SQL statement in order to access or modify data in a database, or a phishing attack (A), which involves tricking users into visiting a malicious website or divulging sensitive information. A malicious DNS redirect (D) involves redirecting a user to a different website than the one they intended to visit by manipulating Domain Name System (DNS) records.
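As an added illustration (not part of the original question set), the following Python script scans constructed web-server access-log lines for the "../" pattern the explanation describes. It also percent-decodes each request path first, because the same traversal can appear in the log as "..%2F" and would otherwise be missed; the log lines are constructed samples, not real data.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined style); not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /someotherpageonsite/../../../etc/shadow HTTP/1.1" 403 212
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /images/..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 404 180
203.0.113.9 - - [10/Oct/2023:13:56:20 +0000] "GET /docs/report..pdf HTTP/1.1" 200 5120
"""

# Pulls the method and request path out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def normalize_path(path: str) -> str:
    """Percent-decode twice (to also catch double-encoded input) and unify
    backslashes, so obfuscated forms compare equal to their plain equivalents."""
    decoded = unquote(unquote(path))
    return decoded.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True only if the normalized path contains a whole '..' segment;
    a file named 'report..pdf' is not a traversal."""
    segments = normalize_path(path).split("/")
    return any(seg == ".." for seg in segments)


def find_traversal_attempts(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, raw_path) for each request whose path climbs upward."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group("path")):
            hits.append((line.split()[0], m.group("path")))
    return hits


if __name__ == "__main__":
    for ip, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"possible directory traversal from {ip}: {path}")
```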
Question 672:
A security administrator checks the table of a network switch, which shows the following output:
Which of the following is happening to this switch?
A. MAC Flooding
B. DNS poisoning
C. MAC cloning
D. ARP poisoning
Correct Answer: A
MAC flooding is an attack method intended to compromise the security of network switches. Switches maintain a table structure called the MAC table (also known as the CAM table). This table maps the individual MAC addresses of the hosts on the network to the switch ports they are connected to, which allows the switch to forward data only out of the port where the recipient is located.
The aim of MAC flooding is to take down this MAC table. In a typical MAC flooding attack, the attacker sends a huge number of Ethernet frames, each with a different sender address. The intention is to consume the memory the switch uses to store the MAC address table, so that the MAC addresses of legitimate users are pushed out of the table. The switch can then no longer deliver incoming data to the correct destination port, and a considerable number of incoming frames are flooded out of all ports.
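The following Python model, added here as an illustration and not part of the original answer, replays constructed frame records (port, source MAC) through a toy CAM table with a fixed capacity and oldest-entry eviction, then shows the defender's view: the legitimate host on port 1 is evicted once port 3 floods the table, and a simple per-port count of distinct source MACs singles out the flooding port. The capacity, threshold and addresses are constructed assumptions.

```python
from collections import OrderedDict, defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed frame records: ports 1 and 2 carry normal traffic, while port 3
# emits a frame with a fresh source MAC every time (the flooding signature).
SAMPLE_FRAMES: List[Tuple[int, str]] = (
    [(1, "00:11:22:33:44:01")] * 20
    + [(2, "00:11:22:33:44:02"), (2, "00:11:22:33:44:03")] * 10
    + [(3, f"de:ad:be:ef:{i >> 8:02x}:{i & 0xFF:02x}") for i in range(300)]
)


class MacTable:
    """Toy switch MAC (CAM) table: fixed capacity, oldest entry evicted when full."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.entries: "OrderedDict[str, int]" = OrderedDict()  # mac -> port

    def learn(self, port: int, mac: str) -> None:
        if mac in self.entries:
            self.entries.move_to_end(mac)       # refresh an existing entry
        elif len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)    # table full: evict the oldest mapping
        self.entries[mac] = port

    def port_for(self, mac: str) -> Optional[int]:
        """Port the switch would forward to, or None if it must flood all ports."""
        return self.entries.get(mac)


def replay(frames: List[Tuple[int, str]], capacity: int = 256) -> MacTable:
    table = MacTable(capacity)
    for port, mac in frames:
        table.learn(port, mac)
    return table


def distinct_sources_per_port(frames: List[Tuple[int, str]]) -> Dict[int, int]:
    seen = defaultdict(set)
    for port, mac in frames:
        seen[port].add(mac)
    return {port: len(macs) for port, macs in seen.items()}


def flooding_ports(frames: List[Tuple[int, str]], threshold: int = 50) -> List[int]:
    """Access ports normally carry a handful of hosts; far more distinct
    source MACs on one port is the detection signal for MAC flooding."""
    return sorted(p for p, n in distinct_sources_per_port(frames).items() if n > threshold)
```

A real switch mitigates this with port security (limiting learned MACs per port), which is exactly the per-port count the last function models.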
A security analyst needs to produce a document that details how a security incident occurred, the steps that were taken for recovery, and how future incidents can be avoided. During which of the following stages of the response process will this activity take place?
A. Recovery
B. Identification
C. Lessons learned
D. Preparation
Correct Answer: C
Lessons learned (sometimes called the remediation step) is the final phase of incident response. It examines and documents how well the team responded, discovers what caused the incident, and determines how the incident can be avoided in the future.
=======================
Phases of the Incident Response Plan:
1. Preparation - Preparing for an attack and how to respond
2. Identification - Identifying the threat
3. Containment - Containing the threat
4. Eradication - Removing the threat
5. Recovery - Recovering affected systems
6. Lessons Learned - Evaluating the incident response and seeing where there can be improvements for a future incident.
Question 674:
A network engineer needs to build a solution that will allow guests at the company's headquarters to access the Internet via WiFi. This solution should not allow access to the internal corporate network, but it should require guests to sign off on the acceptable use policy before accessing the Internet.
Which of the following should the engineer employ to meet these requirements?
A. Implement open PSK on the APs
B. Deploy a WAF
C. Configure WIPS on the APs
D. Install a captive portal
Correct Answer: D
captive portal = a webpage where the user has to sign in
Question 675:
A recent malware outbreak across a subnet included successful rootkit installations on many PCs, ensuring persistence by rendering remediation efforts ineffective. Which of the following would BEST detect the presence of a rootkit in the future?
A. FDE
B. NIDS
C. EDR
D. DLP
Correct Answer: C
EDR (Endpoint Detection and Response) is the most suitable solution among the given options for detecting the presence of a rootkit. EDR solutions continuously monitor and collect data from endpoints, looking for suspicious activities and behavior patterns that might indicate the presence of malware, including rootkits. They also provide tools for investigating and responding to security incidents, making them effective for dealing with sophisticated threats that can evade traditional antivirus solutions.
Question 676:
Which of the following are the MOST likely vectors for the unauthorized inclusion of vulnerable code in a software company's final software releases? (Select TWO.)
A. Unsecure protocols
B. Use of penetration-testing utilities
C. Weak passwords
D. Included third-party libraries
E. Vendors/supply chain
F. Outdated anti-malware software
Correct Answer: DE
A. Unsecure protocols
--> Could be correct. This is a vector that could be used shortly before the final release to somehow include malicious code.
B. Use of penetration-testing utilities
--> Makes no sense
C. Weak passwords
--> Is an attack vector and "unauthorized" could match that. Might be correct.
D. Included third-party libraries
--> Unintentional would fit. But if there was something wrong with a 3rd-party library, that should have been discovered before the final release.
E. Vendors/supply chain
--> Depends on what these vendors do. If they are developing code that is used in the final release it could contain vulnerabilities that are included unintentionally. But that would be kind of similar to the 3rd party libraries.
F. Outdated anti-malware software
--> With outdated anti-malware, an attacker could gain access to a developer's machine and include vulnerable code. The developer could then commit it unintentionally.
Question 677:
Which of the following is an administrative control that would be MOST effective to reduce the occurrence of malware execution?
A. Security awareness training
B. Frequency of NIDS updates
C. Change control procedures
D. EDR reporting cycle
Correct Answer: A
Question 678:
A technician needs to prevent data loss in a laboratory. The laboratory is not connected to any external networks. Which of the following methods would BEST prevent the exfiltration of data? (Select TWO).
A. VPN
B. Drive encryption
C. Network firewall
D. File level encryption
E. USB blocker
F. MFA
Correct Answer: BE
A USB blocker is the first level of removing exfiltration on a non-network-connected device. However, the choice then comes down to drive encryption or file-level encryption. With FDE, once you log in the encryption is no longer present, so data COULD be exfiltrated at that point via Bluetooth, CDs, or other means. FLE is encrypted even after login, so even if stolen that data would remain unreadable. However, with no external access and no USBs, the next step could be to remove the drive completely and exfiltrate that. Nothing would be able to be read. With FLE, only those files that have been encrypted are unreadable. I would choose FDE as we are talking specifically about exfiltrating data, but with no specification of which files are important vs. all information being important.
Question 679:
A smart switch has the ability to monitor electrical levels and shut off power to a building in the event of power surge or other fault situation. The switch was installed on a wired network in a hospital and is monitored by the facilities department via a cloud application.
The security administrator isolated the switch on a separate VLAN and set up a patch routine. Which of the following steps should also be taken to harden the smart switch?
A. Set up an air gap for the switch.
B. Change the default password for the switch.
C. Place the switch in a Faraday cage.
D. Install a cable lock on the switch.
Correct Answer: B
A. Set up an air gap for the switch. - it uses cloud monitoring, this doesn't work
B. Change the default password for the switch. - only one that makes sense, seems too easy, but the other answers are ridiculous given the information.
C. Place the switch in a Faraday cage. - this is a red herring
D. Install a cable lock on the switch. - you don't do this with switches, like physically locking a switch in place - you could put cable locks on the individual patch cables, but not the switch itself; this is typically secured behind a locked door or locked rack door.
Question 680:
An organization is repairing the damage after an incident. Which of the following controls is being implemented?
A. Detective
B. Preventive
C. Corrective
D. Compensating
Correct Answer: C
Corrective controls are measures that are put in place to fix problems or weaknesses that have been identified. They are typically implemented after an incident has occurred in order to repair the damage and prevent similar incidents from happening in the future. In this scenario, the organization is repairing the damage after an incident, which suggests that corrective controls are being implemented.
Detective controls are measures that are put in place to detect when a problem or weakness has occurred. Preventive controls are measures that are put in place to prevent problems or weaknesses from occurring in the first place. Compensating controls are measures that are put in place to compensate for weakness or deficiency in another control.