SY0-601 Exam Details

  • Exam Code: SY0-601
  • Exam Name: CompTIA Security+
  • Certification: CompTIA Certifications
  • Vendor: CompTIA
  • Total Questions: 1334 Q&As
  • Last Updated: May 26, 2026

CompTIA SY0-601 Online Questions & Answers

  • Question 871:

    DRAG DROP

    A security auditor is reviewing the following output from file integrity monitoring software installed on a very busy server at a large service provider. The server has not been updated since it was installed. Drag and drop the log entry that identifies the first instance of server compromise.

    Hot Area:

  • Question 872:

    During a wireless network scan at a data center, the IT security team discovered Wi-Fi signals broadcasting from an unknown device. Which of the following best describes the cause of the incident?

    A. Domain hijacking
    B. On-path attack
    C. Rogue access point
    D. Jamming

  • Question 873:

    Which of the following environments typically hosts the current version configurations and code, compares user-story responses and workflow, and uses a modified version of actual data for testing?

    A. Development
    B. Staging
    C. Production
    D. Test

  • Question 874:

    A security administrator checks the table of a network switch, which shows the following output:

    Which of the following is happening to this switch?

    A. MAC Flooding
    B. DNS poisoning
    C. MAC cloning
    D. ARP poisoning

  • Question 875:

    An organization hired a consultant to assist with an active attack, and the consultant was able to identify the compromised accounts and computers. Which of the following is the consultant MOST likely to recommend to prepare for eradication?

    A. Quarantining the compromised accounts and computers, only providing them with network access.
    B. Segmenting the compromised accounts and computers into a honeynet so as to not alert the attackers.
    C. Isolating the compromised accounts and computers, cutting off all network and internet access.
    D. Logging off and deleting the compromised accounts and computers to eliminate attacker access.

  • Question 876:

    A security analyst needs to perform periodic vulnerability scans on production systems. Which of the following scan types would produce the BEST vulnerability scan report?

    A. Port
    B. Intrusive
    C. Host discovery
    D. Credentialed

  • Question 877:

    A security incident may have occurred on the desktop PC of an organization's Chief Executive Officer (CEO). A duplicate copy of the CEO's hard drive must be stored securely to ensure appropriate forensic processes and the chain of custody are followed. Which of the following should be performed to accomplish this task?

    A. Install a new hard drive in the CEO's PC, and then remove the old hard drive and place it in a tamper-evident bag.
    B. Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd command in a live Linux environment to create a duplicate copy.
    C. Remove the CEO's hard drive from the PC, connect it to the forensic workstation, and copy all the contents onto a remote fileshare while the CEO watches.
    D. Refrain from completing a forensic analysis of the CEO's hard drive until after the incident is confirmed; duplicating the hard drive at this stage could destroy evidence.

  • Question 878:

    A user's PC was recently infected by malware. The user has a legacy printer without vendor support, and the user's OS is fully patched. The user downloaded a driver package from the internet. No threats were found on the downloaded file, but during file installation, a malicious runtime threat was detected. Which of the following is the MOST likely cause of the infection?

    A. The driver has malware installed and was refactored upon download to avoid detection.
    B. The user's computer has a rootkit installed that has avoided detection until the new driver overwrote key files.
    C. The user's antivirus software definitions were out of date and were damaged by the installation of the driver.
    D. The user's computer has been infected with a logic bomb set to run when the new driver was installed.

  • Question 879:

    Which of the following environments would MOST likely be used to assess the execution of component parts of a system at both the hardware and software levels and to measure performance characteristics?

    A. Test
    B. Staging
    C. Development
    D. Production

  • Question 880:

    The Chief Information Security Officer is concerned about employees using personal email rather than company email to communicate with clients and sending sensitive business information and PII. Which of the following would be the BEST solution to install on the employees' workstations to prevent information from leaving the company's network?

    A. HIPS
    B. DLP
    C. HIDS
    D. EDR

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are unsure about your SY0-601 exam preparation and CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions.