CompTIA SY0-601 Online Practice Questions and Exam Preparation
SY0-601 Exam Details
Exam Code: SY0-601
Exam Name: CompTIA Security+
Certification: CompTIA Certifications
Vendor: CompTIA
Total Questions: 1334 Q&As
Last Updated: May 26, 2026
CompTIA SY0-601 Online Questions & Answers
Question 981:
A security analyst is using a recently released security advisory to review historical logs, looking for the specific activity that was outlined in the advisory. Which of the following is the analyst doing?
A. A packet capture B. A user behavior analysis C. Threat hunting D. Credentialed vulnerability scanning
C. Threat hunting. According to Mike Chapple, "Threat hunting is an assessment technique that makes an assumption of compromise and then searches the organization for indicators of compromise that confirm the assumption." Here the advisory supplies both the assumption and the indicators, and the historical logs are where the analyst searches for them; a packet capture or a credentialed scan would show current state, not past activity.
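Added example (not part of the practice question or of its source): a minimal hunt that takes the indicators an advisory would list and runs them over retained proxy logs. The indicators, their weights and the log lines are constructed for illustration, and the one-request-per-line log layout is an assumption; the point is that matching is done against historical records and that weak indicators (a User-Agent string that legitimate software can also send) are scored below ones unique to the campaign.

```python
import re
from collections import defaultdict

# Constructed indicators, standing in for those published in an advisory
# (assumption: the advisory lists a C2 domain, a C2 IP and a User-Agent string).
ADVISORY_IOCS = {
    "domain": {"update-cdn.example.net"},
    "ip": {"203.0.113.45"},
    "user_agent": {"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
}
# Indicators unique to the campaign count for more than ones that benign
# software can also produce (assumption: the advisory rates them this way).
IOC_WEIGHT = {"domain": 3, "ip": 3, "user_agent": 1}

# Constructed historical proxy log: time, source IP, destination host,
# destination IP, quoted User-Agent, HTTP status.
HISTORICAL_PROXY_LOG = """\
2024-03-02T08:14:09Z 10.1.5.23 www.example.org 93.184.216.34 "Mozilla/5.0" 200
2024-03-02T08:14:10Z 10.1.5.23 update-cdn.example.net 203.0.113.45 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 200
2024-03-02T09:02:51Z 10.1.7.8 login.example.com 198.51.100.7 "Mozilla/5.0" 302
2024-03-03T11:41:00Z 10.1.9.40 cdn.example.net 198.51.100.9 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 200
"""

LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<dst_ip>\S+) "(?P<ua>[^"]*)" (?P<status>\d+)$'
)


def parse_proxy_log(text):
    """Turn the assumed log layout into dicts; a malformed line is an error, not silently skipped."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unexpected log format")
        records.append(m.groupdict())
    return records


def match_iocs(record, iocs=ADVISORY_IOCS):
    """Return the set of indicator types this record matches."""
    matched = set()
    if record["host"] in iocs["domain"]:
        matched.add("domain")
    if record["dst_ip"] in iocs["ip"]:
        matched.add("ip")
    if record["ua"] in iocs["user_agent"]:
        matched.add("user_agent")
    return matched


def hunt(log_text, iocs=ADVISORY_IOCS, min_score=1):
    """Run the advisory's indicators over historical records and score each hit."""
    hits = []
    for rec in parse_proxy_log(log_text):
        matched = match_iocs(rec, iocs)
        score = sum(IOC_WEIGHT[k] for k in matched)
        if matched and score >= min_score:
            hits.append({"ts": rec["ts"], "src": rec["src"], "matched": matched, "score": score})
    return hits


def hosts_to_triage(hits, threshold=3):
    """Sources whose cumulative evidence reaches the threshold; UA-only hits stay below it."""
    by_host = defaultdict(int)
    for h in hits:
        by_host[h["src"]] += h["score"]
    return sorted(src for src, s in by_host.items() if s >= threshold)


if __name__ == "__main__":
    found = hunt(HISTORICAL_PROXY_LOG)
    for h in found:
        print(h["ts"], h["src"], sorted(h["matched"]), "score", h["score"])
    print("triage:", hosts_to_triage(found))
```

The second workstation (10.1.9.40) matches only the User-Agent string, so it is reported but does not reach the triage threshold on its own; a real hunt would pivot from the confirmed host to other log sources (DNS, EDR, authentication) rather than stop at the first match.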
Question 982:
The SIEM at an organization has detected suspicious traffic coming from a workstation in its internal network. An analyst in the SOC investigates the workstation and discovers malware that is associated with a botnet is installed on the
device.
A review of the logs on the workstation reveals that the privileges of the local account were escalated to a local administrator.
To which of the following groups should the analyst report this real-world event?
A. The NOC team B. The vulnerability management team C. The CIRT D. The red team
C. The CIRT. Also known as a "computer incident response team," this group is responsible for responding to security breaches, viruses and other potentially catastrophic incidents in enterprises that face significant security risks. In addition to technical specialists capable of dealing with specific threats, it should include experts who can guide enterprise executives on appropriate communication in the wake of such incidents. A confirmed botnet infection with local privilege escalation is an active incident, not a vulnerability finding or a network-availability problem. Reference: https://csrc.nist.gov/glossary/term/computer_incident_response_team
Question 983:
A user forwarded a suspicious email to the security team. Upon investigation, a malicious URL was discovered. Which of the following should be done FIRST to prevent other users from accessing the malicious URL?
A. Configure the web content filter for the web address. B. Report the website to threat intelligence partners C. Set the SIEM to alert for any activity to the web address. D. Send out a corporate communication to warn all users of the malicious email.
A. Configure the web content filter for the web address. Web content filtering blocks access to web content that is deemed offensive, inappropriate or dangerous. Since the URL is already known to be malicious, blocking it at the filter immediately protects every user, including the unknown number who also received the email. Reporting it to partners, adding a SIEM alert and warning users are follow-up steps: an alert only tells you after someone has clicked, and a warning cannot reach everyone before they do.
Question 984:
An engineer is configuring AAA authentication on a Cisco MDS 9000 Series Switch. The LDAP server is located under the IP 10.10.2.2. The data sent to the LDAP server should be encrypted. Which command should be used to meet these requirements?
A. ldap-server 10.10.2.2 key SSL_KEY B. ldap-server host 10.10.2.2 key SSL_KEY C. ldap-server 10.10.2.2 port 443 D. ldap-server host 10.10.2.2 enable-ssl
D. ldap-server host 10.10.2.2 enable-ssl. Example: switch(config)# ldap-server host 10.10.2.2 enable-ssl. The enable-ssl keyword ensures the integrity and confidentiality of the transferred data by causing the LDAP client to establish a Secure Sockets Layer (SSL) session prior to sending the bind or search request. Without it the bind, including the bind password, travels in cleartext; a key keyword is a shared secret for RADIUS/TACACS+ style servers, and changing the port alone does not encrypt anything.
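Added example, not from the question or from Cisco's documentation: the surrounding AAA configuration in which the enable-ssl command does useful work, since the ldap-server line alone only describes the server. Only the ldap-server host 10.10.2.2 enable-ssl line comes from the question; the server group name, the bind DN, the directory suffix and the aaa group server / aaa authentication login commands are assumptions about the rest of an NX-OS configuration.

```text
! Added example: LDAP over SSL as the login authentication source on an MDS 9000 (NX-OS).
! Assumed names: server group LDAP-SSL, bind account cn=ldapbind,dc=example,dc=com.
switch# configure terminal
switch(config)# ldap-server host 10.10.2.2 enable-ssl
switch(config)# ldap-server host 10.10.2.2 rootDN "cn=ldapbind,dc=example,dc=com" password <bind-password>
switch(config)# aaa group server ldap LDAP-SSL
switch(config-ldap)# server 10.10.2.2
switch(config-ldap)# exit
switch(config)# aaa authentication login default group LDAP-SSL
switch(config)# end
switch# show ldap-server
```

Before pointing the default login method at the group, keep a working local fallback and confirm with show ldap-server that the host shows enable-ssl; the session is only protected if the switch trusts the directory server's certificate, so an untrusted certificate will show up as bind failures rather than as a silent downgrade.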
Question 985:
A network engineer has been asked to investigate why several wireless barcode scanners and wireless computers in a warehouse have intermittent connectivity to the shipping server. The barcode scanners and computers are all on forklift trucks and move around the warehouse during their regular use. Which of the following should the engineer do to determine the issue? (Choose two.)
A. Perform a site survey B. Deploy an FTK Imager C. Create a heat map D. Scan for rogue access points E. Upgrade the security protocols F. Install a captive portal
A. Perform a site survey C. Create a heat map. A site survey identifies the access points serving the warehouse, their channels and where the moving clients lose coverage; a heat map visualises signal strength across the floor, showing the dead spots and weak overlap between cells that a roaming forklift crosses. Intermittent connectivity from mobile clients is a coverage and roaming problem, so these two diagnostics come first; rogue-AP scanning, protocol upgrades and captive portals address security rather than the symptom described.
Question 986:
During an engagement, penetration testers left USB keys that contained specially crafted malware in the company's parking lot. A couple days later, the malware contacted the command-and-control server, giving the penetration testers unauthorized access to the company endpoints. Which of the following will most likely be a recommendation in the engagement report?
A. Conduct an awareness campaign on the usage of removable media. B. Issue a user guidance program focused on vishing campaigns. C. Implement more complex password management practices. D. Establish a procedure on identifying and reporting suspicious messages.
A. Conduct an awareness campaign on the usage of removable media. The initial access vector was a planted USB key that an employee picked up and plugged in; the recommendation targets that behaviour. Vishing guidance, password complexity and suspicious-message reporting address vectors the engagement did not use.
Question 987:
While reviewing the /etc/shadow file, a security administrator notices entries with the same hash values. Which of the following attacks should the administrator be concerned about?
A. Plaintext B. Birthday C. Brute-force D. Rainbow table
D. Rainbow table. /etc/shadow stores password hashes, not encrypted passwords, and each hash normally carries its own random salt, so two users with the same password still get different hash fields. Identical values therefore mean the hashes were produced without a per-user salt (or with one salt shared by every account). That is exactly the condition a rainbow table needs: a precomputed table mapping hashes back to plaintexts is built once and reused against every hash in the file, whereas with per-user salts the attacker would have to build a separate table for each salt. An attacker who obtains a copy of the file can then recover those users' passwords by lookup rather than by brute force. References: https://www.comptia.org/certifications/security#examdetails https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives https://www.geeksforgeeks.org/rainbow-table-in-cryptography/
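Added example (not from the question or its source) of why identical hash fields matter. It builds a constructed shadow file for a handful of users, flags duplicate hash fields the way the administrator in the question would, then shows that a single precomputed table cracks every unsalted entry while the salted entries for the very same password never match it. The user names, salts and word list are constructed; PBKDF2-HMAC-SHA512 in a crypt(3)-style "$id$salt$hash" field stands in for sha512-crypt, which is an assumption about the scheme, not the real one.

```python
import hashlib
from collections import defaultdict

# Constructed word list standing in for the attacker's precomputation input.
WORDLIST = ["password", "123456", "letmein", "qwerty", "Summer2023!"]


def unsalted_hash(password):
    """Bare SHA-256 of the password: the same password always gives the same field."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt, rounds=100_000):
    """Per-user salt plus iteration, laid out like a crypt(3) field ($id$salt$hash).
    PBKDF2-HMAC-SHA512 is used as a stand-in for sha512-crypt (assumption)."""
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt.encode(), rounds)
    return f"$pbkdf2${salt}${dk.hex()}"


def shadow_line(user, hash_field):
    """One /etc/shadow record: user:hash:lastchg:min:max:warn:inactive:expire:"""
    return f"{user}:{hash_field}:19500:0:99999:7:::"


def build_sample_shadow():
    """Constructed shadow file: three unsalted accounts, two salted ones."""
    lines = [
        shadow_line("alice", unsalted_hash("password")),
        shadow_line("bob", unsalted_hash("password")),
        shadow_line("carol", unsalted_hash("letmein")),
        shadow_line("dave", salted_hash("password", "aX9k2Lm3")),
        shadow_line("erin", salted_hash("password", "Qp7vB1zt")),
        shadow_line("svc-backup", "!!"),  # locked account, no hash to compare
    ]
    return "\n".join(lines) + "\n"


def duplicate_hashes(shadow_text):
    """Group users by hash field; any group of two or more is the warning sign."""
    by_hash = defaultdict(list)
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, hash_field = line.split(":")[:2]
        if hash_field in ("", "*") or hash_field.startswith("!"):
            continue  # locked or passwordless account, not a hash
        by_hash[hash_field].append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def precomputed_table(wordlist):
    """The attacker's precomputation: hash -> plaintext, built once, reused everywhere."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_with_table(shadow_text, table):
    """Look each hash field up in the table; salted fields can never match it."""
    cracked = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, hash_field = line.split(":")[:2]
        if hash_field in table:
            cracked[user] = table[hash_field]
    return cracked


if __name__ == "__main__":
    shadow = build_sample_shadow()
    print("duplicate hash fields:", duplicate_hashes(shadow))
    print("cracked by table lookup:", crack_with_table(shadow, precomputed_table(WORDLIST)))
```

dave and erin use the same weak password as alice and bob, yet their fields differ from each other and from the table, because the salt was mixed in before hashing; cracking them means building a fresh table (or brute-forcing) per salt. The duplicate-field symptom also appears on systems that hash with one fixed salt for every account, which is just as bad for this purpose.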
Question 988:
An analyst has determined that a server was not patched and an external actor exfiltrated data on port 139. Which of the following sources should the analyst review to BEST ascertain how the incident could have been prevented?
A. The vulnerability scan output B. The security logs C. The baseline report D. The correlation of events
B. The security logs
Question 989:
A company was recently breached. Part of the company's new cybersecurity strategy is to centralize the logs from all security devices. Which of the following components forwards the logs to a central source?
A. Log enrichment B. Log queue C. Log parser D. Log collector
D. Log collector. A log collector gathers logs from sources such as servers, devices, applications and network components and forwards them to a central source for analysis and storage.
Question 990:
Which of the following supplies non-repudiation during a forensics investigation?
A. Dumping volatile memory contents first B. Duplicating a drive with dd C. Using a SHA-2 signature of a drive image D. Logging everyone in contact with evidence E. Encrypting sensitive data
C. Using a SHA-2 signature of a drive image. In this question non-repudiation means being able to prove that the image presented later is the data as it existed when the investigation began. Hashing the original drive with a SHA-2 function at acquisition and recording that hash, then hashing the image again before analysis and again when it is produced as evidence, shows that the data reflects the user's changes rather than those of the investigator or anyone else after the fact, because any altered byte changes the hash. It is not a signature in the certificate sense (only a signature made with the examiner's private key would bind the hash to that examiner), but it is the accepted method of proving that the image matches the original. Logging everyone in contact with the evidence is chain of custody, which tracks who handled the drive rather than attesting to the data itself; duplicating with dd produces the image but proves nothing about it without the hash.
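Added example, not from the question or its source: imaging a constructed "device" file the way dd would (a bit-for-bit copy in fixed-size blocks), hashing the bytes as they are read, recording the hash in an acquisition record, and re-verifying the image later, including after a single byte has been changed. The evidence identifier, examiner name and 3 MiB of patterned content are constructed for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads, so a multi-GB image never has to sit in memory at once


def sha256_of_file(path):
    """Stream a file through SHA-256 (what `sha256sum` does)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source_path, image_path):
    """Bit-for-bit copy, like `dd if=source of=image bs=1M`, hashing each block as it is read.
    The returned hash is of the bytes as they came off the source, before anything else
    could touch the image file."""
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def acquisition_record(evidence_id, examiner, source_hash, image_hash):
    """One acquisition entry: the recorded hash is what every later verification is checked against."""
    return {
        "evidence_id": evidence_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "sha256_source": source_hash,
        "sha256_image": image_hash,
        "verified": source_hash == image_hash,
    }


def verify_image(image_path, record):
    """Re-hash the image and compare with what was recorded at acquisition."""
    return sha256_of_file(image_path) == record["sha256_image"]


def demo():
    """Constructed 3 MiB 'device'; image it, verify, then show that a one-byte change is detected.
    Returns (hash matched at acquisition, verified before tampering, verified after tampering)."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "sdb.bin")   # stands in for /dev/sdb
        image = os.path.join(workdir, "sdb.dd")
        with open(source, "wb") as f:
            for i in range(3):
                f.write(bytes([i]) * (1 << 20))
        acquired_hash = image_device(source, image)
        record = acquisition_record("EV-2024-001", "analyst", sha256_of_file(source), acquired_hash)
        ok_before = verify_image(image, record)
        with open(image, "r+b") as f:            # someone alters one byte of the working copy
            f.seek(1_500_000)
            f.write(b"\xff")
        ok_after = verify_image(image, record)
        return record["verified"], ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

In practice the source hash is taken with a write blocker in place and recorded in the chain-of-custody log together with the examiner and time, so the hash, not the log entry alone, is what later proves the image is unchanged; analysis is done on a further copy so the verified image itself is never written to.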