Practice Free SY0-601 Exam Online Questions
The following are the logs of a successful attack.
Which of the following controls would be BEST to use to prevent such a breach in the future?
- A . Password history
- B . Account expiration
- C . Password complexity
- D . Account lockout
C
Explanation:
To prevent such a breach in the future, the BEST control to use would be password complexity. Password complexity requires users to create strong passwords that are difficult to guess or crack, by including a mix of upper- and lowercase letters, numbers, and special characters; this makes it harder for an attacker to gain unauthorized access to systems and data by guessing or cracking passwords. In the logs, the attacker was able to guess the user’s password using a dictionary attack, which means that the password was not complex enough.
Reference: CompTIA Security+ Certification Exam Objectives – Exam SY0-601
A security analyst is reviewing SIEM logs during an ongoing attack and notices the following:
http://company.com/get.php?f=/etc/passwd
http://company.com/..%2F..%2F..%2F..%2Fetc%2Fshadow
http://company.com/../../../../etc/passwd
Which of the following best describes the type of attack?
- A . SQLi
- B . CSRF
- C . API attacks
- D . Directory traversal
D
Explanation:
Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.
Directory traversal in its simplest form uses the ../ pattern, which means to step up one level in the directory structure. By repeating this pattern, an attacker can traverse to the root directory and then access any file or folder on the server. For example, the following request attempts to read the Unix password file /etc/passwd from the server:
http://company.com/get.php?f=/etc/passwd
Some web applications may implement some defenses against directory traversal attacks, such as filtering out ../ patterns or percent-decoding the user input before validating it. However, these defenses can often be bypassed by using variations or encoding techniques. For example, the following requests use different ways to represent ../ or / characters:
http://company.com/..%2F..%2F..%2Fetc%2Fpasswd
http://company.com/../../../%2Fetc%2Fpasswd
http://company.com/%2E%2E/%2E%2E/%2E%2E/etc/passwd
These requests may still result in directory traversal attacks if the web application does not properly handle them.
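As an added example (not part of the exam material), the following Python code applies the decoding rules described above to constructed log lines modelled on the question's requests, flagging traversal attempts even when the ../ is single- or double-percent-encoded, and shows the server-side check that closes the hole; the function names `looks_like_traversal` and `safe_resolve` are my own.

```python
import os
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample SIEM entries modelled on the requests in the question above.
SAMPLE_LOG = [
    "http://company.com/get.php?f=/etc/passwd",
    "http://company.com/..%2F..%2F..%2F..%2Fetc%2Fshadow",
    "http://company.com/../../../../etc/passwd",
    "http://company.com/%252E%252E/%252E%252E/etc/passwd",  # double-encoded ../
    "http://company.com/products.php?id=42",                # benign request
]

def fully_decode(s, rounds=3):
    """Percent-decode repeatedly (bounded) so double encoding cannot hide '../'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def looks_like_traversal(url):
    """True if the path or any query value tries to escape the web root."""
    parts = urlsplit(url)
    query_values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    candidates = [fully_decode(parts.path)] + [fully_decode(v) for v in query_values]
    for c in candidates:
        # Normalise Windows separators, then look for a '..' path segment.
        if ".." in c.replace("\\", "/").split("/"):
            return True
    # A query value that names an absolute path (f=/etc/passwd) is also suspicious.
    return any(fully_decode(v).startswith("/") for v in query_values)

def flag_requests(lines):
    """Detection: return the log entries that look like directory traversal."""
    return [u for u in lines if looks_like_traversal(u)]

def safe_resolve(web_root, user_path):
    """Mitigation: resolve the decoded path and refuse anything outside web_root.
    A leading '/' is stripped so absolute input is treated as relative to the root."""
    root = os.path.realpath(web_root)
    relative = fully_decode(user_path).replace("\\", "/").lstrip("/")
    target = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes web root: %r" % user_path)
    return target

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("traversal attempt:", hit)
```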
A company executive experienced a security issue at an airport. Photos taken during a strategy meeting were stolen when the executive used a free smartphone-charging station.
Which of the following can be used to prevent this from occurring in the future?
- A . Cable locks
- B . Screened subnets
- C . Faraday cages
- D . Data blockers
An administrator notices that several users are logging in from suspicious IP addresses. After speaking with the users, the administrator determines that the employees were not logging in from those IP addresses and resets the affected users’ passwords.
Which of the following should the administrator implement to prevent this type of attack from succeeding in the future?
- A . Multifactor authentication
- B . Permissions assignment
- C . Access management
- D . Password complexity
Law enforcement officials sent a company a notification that states electronically stored information and paper documents cannot be destroyed.
Which of the following explains this process?
- A . Data breach notification
- B . Accountability
- C . Legal hold
- D . Chain of custody
C
Explanation:
A legal hold is a process that requires an organization to preserve electronically stored information and paper documents that are relevant to a pending or anticipated litigation or investigation. It suspends the normal retention and destruction policies and procedures for such information and documents until the legal hold is lifted or released.
A company’s help desk received several AV alerts indicating Mimikatz attempted to run on the remote systems. Several users also reported that the new company flash drives they picked up in the break room only have 512KB of storage.
Which of the following is most likely the cause?
- A . The GPO prevents the use of flash drives, which triggers a false positive AV indication and restricts the drives to only 512KB of storage
- B . The new flash drives need a driver that is being blocked by the AV software because the flash drives are not on the application’s allow list, temporarily restricting the drives to 512KB of storage.
- C . The new flash drives are incorrectly partitioned, and the systems are automatically trying to use an unapproved application to repartition the drives.
- D . The GPO blocking the flash drives is being bypassed by a malicious flash drive that is attempting to harvest plaintext credentials from memory.
D
Explanation:
Mimikatz is a tool that can extract plaintext credentials from memory on Windows systems. A malicious flash drive can bypass the GPO blocking the flash drives by using techniques such as autorun.inf or HID spoofing to execute Mimikatz on the target system without user interaction or consent. This can cause AV alerts indicating Mimikatz attempted to run on the remote systems and also reduce the storage capacity of the flash drives to only 512KB by creating hidden partitions or files on them.
The most recent vulnerability scan flagged the domain controller with a critical vulnerability. The systems administrator researched the vulnerability and discovered the domain controller does not run the associated application with the vulnerability.
Which of the following steps should the administrator take next?
- A . Ensure the scan engine is configured correctly.
- B . Apply a patch to the domain controller.
- C . Research the CVE.
- D . Document this as a false positive.
D
Explanation:
A false positive is a result that indicates a problem when there is no actual problem. In this case, the vulnerability scan flagged the domain controller with a critical vulnerability, but the domain controller does not run the application that is vulnerable. Therefore, the scan result is inaccurate and should be documented as a false positive.
A company is implementing a vendor’s security tool in the cloud. The security director does not want to manage users and passwords specific to this tool but would rather utilize the company’s standard user directory.
Which of the following should the company implement?
- A . 802.1X
- B . SAML
- C . RADIUS
- D . CHAP
Two companies are in the process of merging. The companies need to decide how to standardize their information security programs.
Which of the following would best align the security programs?
- A . Shared deployment of CIS baselines
- B . Joint cybersecurity best practices
- C . Both companies following the same CSF
- D . Assessment of controls in a vulnerability report
During an investigation, the incident response team discovers that multiple administrator accounts were suspected of being compromised. The host audit logs indicate a repeated brute-force attack on a single administrator account followed by suspicious logins from unfamiliar geographic locations.
Which of the following data sources would be BEST to use to assess the accounts impacted by this attack?
- A . User behavior analytics
- B . Dump files
- C . Bandwidth monitors
- D . Protocol analyzer output
A
Explanation:
User behavior analytics (UBA) would be the best data source to assess the accounts impacted by the attack, as it can identify abnormal activity, such as repeated brute-force attacks and logins from unfamiliar geographic locations, and provide insights into the behavior of the impacted accounts.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 7: Incident Response, pp. 338-341