CompTIA CompTIA Certifications SY0-601 Questions & Answers

• Question 751:

  A security analyst is investigation an incident that was first reported as an issue connecting to network shares and the internet, While reviewing logs and tool output, the analyst sees the following:

  

  Which of the following attacks has occurred?

  A. IP conflict

  B. Pass-the-hash

  C. MAC flooding

  D. Directory traversal

  E. ARP poisoning

  Correct Answer: E

  Address Resolution Protocol (ARP) resolves IPv4 addresses to MAC addresses. MAC addresses are the physical addresses or hardware addresses. TCP/IP uses the IP address to get a packet to a destination network. ARP poisoning attacks use ARP packets to give clients false hardware address updates, and attackers use them to redirect or interrupt network traffic https://www.radware.com/security/ddos-knowledge-center/ddospedia/arp-poisoning

• Question 752:

  Local guidelines require that all information systems meet a minimum-security baseline to be compliant.

  Which of the following can security administrators use to assess their system configurations against the baseline?

  A. SOAR playbook

  B. Security control matrix

  C. Risk management framework

  D. Benchmarks

  Correct Answer: D

  Security administrators can use benchmarks to assess their system configurations against a minimum security baseline required for compliance. Benchmarks are documents that provide guidance and best practices for configuring and securing various types of systems and software. These benchmarks are often created by trusted organizations, such as the Center for Internet Security (CIS) or the National Institute of Standards and Technology (NIST).

  Security control matrices and risk management frameworks are important tools for managing and assessing security controls and risks within an organization, but they are not typically used to directly assess system configurations against a specific security baseline.

  SOAR (Security Orchestration, Automation, and Response) playbooks are used for automating incident response and security processes and are not specifically designed for assessing system configurations against security baselines.

• Question 753:

  Which of the following would an organization use to assign a value to risks based on probability of occurrence and impact?

  A. Risk matrix

  B. Risk register

  C. Risk appetite

  D. Risk mitigation plan

  Correct Answer: B

• Question 754:

  A security audit has revealed that a process control terminal is vulnerable to malicious users installing and executing software on the system. The terminal is beyond end-of-life support and cannot be upgraded, so it is placed on a projected network segment.

  Which of the following would be MOST effective to implement to further mitigate the reported vulnerability?

  A. DNS sinkholing

  B. DLP rules on the terminal

  C. An IP blacklist

  D. Application whitelisting

  Correct Answer: D

  Application whitelisting. Application whitelisting is a security measure that allows only approved and trusted applications to run on a system, while blocking all other applications. By implementing application whitelisting on the vulnerable process control terminal, any attempt to install and execute unauthorized software would be blocked, effectively mitigating the reported vulnerability..

• Question 755:

  An attacker is exploiting a vulnerability that does not have a patch available. Which of the following is the attacker exploiting?

  A. Zero-day

  B. Default permissions

  C. Weak encryption

  D. Unsecure root accounts

  Correct Answer: A

• Question 756:

  Some laptops recently went missing from a locked storage area that is protected by keyless RFID-enabled locks. There is no obvious damage to the physical space. The security manager identifies who unlocked the door, however, human resources confirms the employee was on vacation at the time of the incident. Which of the following describes what MOST likely occurred?

  A. The employee's physical access card was cloned.

  B. The employee is colluding with human resources

  C. The employee's biometrics were harvested

  D. A criminal used lock picking tools to open the door.

  Correct Answer: A

• Question 757:

  Joe, a user at a company, clicked an email link led to a website that infected his workstation. Joe, was connected to the network, and the virus spread to the network shares. The protective measures failed to stop this virus, and It has continues to evade detection. Which of the following should administrator implement to protect the environment from this malware?

  A. Install a definition-based antivirus.

  B. Implement an IDS/IPS

  C. Implement a heuristic behavior-detection solution.

  D. Implement CASB to protect the network shares.

  Correct Answer: C

  Heuristic analysis is also one of the few methods capable of combating polymorphic viruses -- the term for malicious code that constantly changes and adapts. Heuristic analysis is incorporated into advanced security solutions offered by companies like Kaspersky Labs to detect new threats before they cause harm, without the need for a specific signature. https://usa.kaspersky.com/resource-center/definitions/heuristic-analysis

• Question 758:

  An organization routes all of its traffic through a VPN Most users are remote and connect into a corporate datacenter that houses confidential information There is a firewall at the Internet border followed by a DIP appliance, the VPN server and the datacenter itself. Which of the following is the WEAKEST design element?

  A. The DLP appliance should be integrated into a NGFW.

  B. Split-tunnel connections can negatively impact the DLP appliance's performance

  C. Encrypted VPN traffic will not be inspected when entering or leaving the network

  D. Adding two hops in the VPN tunnel may slow down remote connections

  Correct Answer: C

  In this scenario, the weakest design element is that encrypted VPN traffic will not be inspected when entering or leaving the network. Since the traffic is encrypted, the DLP (Data Loss Prevention) appliance will not be able to inspect the content of the data packets passing through the VPN tunnel. This lack of inspection can potentially allow malicious or unauthorized data to be transmitted without detection.

  To enhance security, it is essential to implement a solution that allows for the inspection of encrypted VPN traffic. One approach is to deploy a next-generation firewall (NGFW) with SSL/TLS decryption capabilities. The NGFW can decrypt the VPN traffic, inspect it for potential threats or sensitive data, and then re-encrypt it before sending it to its destination. By doing so, the organization can maintain security while still enabling remote users to access corporate resources through the VPN.

• Question 759:

  A company's Chief Information Office (CIO) is meeting with the Chief Information Security Officer (CISO) to plan some activities to enhance the skill levels of the company's developers. Which of the following would be MOST suitable for training the developers?

  A. A capture-the-flag competition

  B. A phishing simulation

  C. Physical security training

  D. Baste awareness training

  Correct Answer: A

  capture-the-flag (CTF) competitions can be a suitable training option for enhancing the skill levels of a company's developers in cybersecurity. CTF competitions can help developers learn how to identify and exploit security vulnerabilities in

  various systems, applications, and networks, which is essential for building secure software.

  CTF challenges can be designed to simulate real-world scenarios and can test a variety of skills at any level, including cryptography, network analysis, reverse engineering, exploitation, web technologies, memory corruption, forensics, and

  open-source cyber intelligence. CTF competitions can also provide a well-rounded approach to enhancing developer skills in cybersecurity, as they can help developers learn how to secure their code and applications effectively.

  On the other hand, A phishing simulation is one set of learning while CTF is well rounded one.

• Question 760:

  After reading a security bulletin, a network security manager is concerned that a malicious actor may have breached the network using the same software flaw. The exploit code is publicly available and has been reported as being used against other industries in the same vertical. Which of the following should the network security manager consult FIRST to determine a priority list for forensic review?

  A. The vulnerability scan output

  B. The IDS logs

  C. The full packet capture data

  D. The SIEM alerts

  Correct Answer: A

  By using a venerability scanner you can check for any points that may have caused the attacker to get their way into the network.

  They want a list of priority for forensic review. Having the vulnerability scan output would give you a list of potentially machines that could be compromised. If it was the SIEM you wouldn't need that list, just check the alerts.