[CompTIA] SY0-701 - Security+ Exam Dumps & Study Guide

Free [CompTIA] SY0-701 - Security+ Practice Questions Preview

• Question 1

  Which of the following threat actors is the most likely to be hired by a foreign government to attack critical systems located in other countries?

  • A. Hacktivist
  • B. Whistleblower
  • C. Organized crime
  • D. Unskilled attacker

  Correct Answer: C

  Explanation:

  I disagree with the suggested answer. The best answer is not C, but another choice based on the context of the question.
  The question asks about threat actors most likely to be hired by a foreign government to attack critical systems in other countries. While organized crime groups may possess resources, their primary motivation is typically financial gain, not necessarily alignment with a foreign government's geopolitical objectives. Therefore, while they *could* be hired, it's not their *most likely* scenario.
  Here's why the other options are less likely:

  • A. Hacktivist: Hacktivists are driven by political or social causes. While their actions can align with a foreign government's interests, they are less likely to be directly hired and controlled by one.
  • B. Whistleblower: Whistleblowers expose information, but they don't typically engage in attacks on critical systems.
  • D. Unskilled attacker: Unskilled attackers lack the expertise to target critical systems effectively.

  The best answer is a threat actor that is highly skilled, well-resourced, and likely to be aligned with a nation-state's goals. Although it is not listed as an option, an APT (Advanced Persistent Threat) group falls in this category, some comments in the discussion also mentioned that, these groups often consist of state-sponsored hackers and have the capabilities and objectives that align with the scenario described in the question. Since an APT group is not listed as a choice, the best option may have to be excluded. So the next best choice would be Organized Crime, considering their capabilities and resource. However, it is important to note that, organized crime's primary motivation is financial gain, not geopolitical objectives.
  Given the choices, and re-evaluate the question, the most likely answer is C. Organized crime because they have resources and expertise, also may be hired for a price.

  
  Reasoning for Choosing C: Organized crime groups possess the resources, expertise, and networks to execute sophisticated cyberattacks. While their primary motivation is financial, they can be hired by governments for specific operations.
  Reasoning for Not Choosing Other Answers:

  • Hacktivists are driven by ideology, not financial gain or government control.
  • Whistleblowers expose information, but don't typically engage in attacks.
  • Unskilled attackers lack the capability to attack critical systems.

  Citations:

  • Advanced Persistent Threat (APT), https://www.cisa.gov/uscert/glossary
  • Who are the threat actors?, https://www.ibm.com/topics/threat-actors

• Question 2

  Which of the following is used to add extra complexity before using a one-way data transformation algorithm?

  • A. Key stretching
  • B. Data masking
  • C. Steganography
  • D. Salting

  Correct Answer: D

  Explanation:

  I agree with the suggested answer.
  Reason: Salting is specifically designed to add complexity to data before it undergoes a one-way transformation like hashing. This added complexity makes it significantly harder for attackers to crack the hashed data, especially through methods like rainbow table attacks. A salt is a random value added to each password before hashing, ensuring that even identical passwords result in different hashes. This enhances security.
  Reasons for not choosing the other answers:

  • Key stretching: While key stretching also increases the time it takes to crack a password, it primarily works by repeatedly hashing the password, rather than adding a unique, random value before the initial hashing.
  • Data masking: Data masking is a technique to hide sensitive data by replacing it with modified or fake data. It's not directly related to adding complexity before a one-way transformation.
  • Steganography: Steganography involves hiding data within other data, like an image or audio file. It's not used to add complexity to data before hashing.

• Question 3

  An employee clicked a link in an email from a payment website that asked the employee to update contact information. The employee entered the log-in information but received a “page not found” error message. Which of the following types of social engineering attacks occurred?

  • A. Brand impersonation
  • B. Pretexting
  • C. Typosquatting
  • D. Phishing

  Correct Answer: D

  Explanation:

  I agree with the suggested answer, which is D. Phishing.
  
  Reasoning:
  The scenario clearly describes a phishing attack. The employee received an email that appeared to be from a legitimate payment website, prompting them to update their contact information via a link. This link led to a fake login page where the employee entered their credentials. This is a classic example of an attacker attempting to steal sensitive information (login credentials) by disguising themselves as a trusted entity.
  
  Why other options are incorrect:

  • A. Brand impersonation: While this is an element of the attack, the core action is to obtain credentials, which falls squarely under phishing. Brand impersonation is a technique *used* in phishing.
  • B. Pretexting: Pretexting involves creating a fabricated scenario or story (the pretext) to trick someone into divulging information or performing an action. While there's a slight pretext here (updating contact information), the main goal and method is credential theft via a fake website, which is the definition of phishing.
  • C. Typosquatting: Typosquatting involves registering domain names that are similar to popular websites with common typos, hoping that users will accidentally visit the malicious site. This is not the case here as the user clicked the link provided in the email.

  The CompTIA Security+ certification exam often tests the ability to identify the *most* accurate answer given a scenario. While brand impersonation and pretexting are *elements* of the attack, phishing is the most comprehensive and accurate description of the attack as a whole.

• Question 4

  An enterprise is trying to limit outbound DNS traffic originating from its internal network. Outbound DNS requests will only be allowed from one device with the IP address 10.50.10.25. Which of the following firewall ACLs will accomplish this goal?

  • A. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53Access list outbound deny 10.50.10.25/32 0.0.0.0/0 port 53
  • B. Access list outbound permit 0.0.0.0/0 10.50.10.25/32 port 53Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
  • C. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53Access list outbound deny 0.0.0.0/0 10.50.10.25/32 port 53
  • D. Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53

  Correct Answer: D

  Explanation:

  I agree with the suggested answer D.
  The question asks to limit outbound DNS traffic to only one device with the IP address 10.50.10.25. This means we need to explicitly allow traffic from this IP and deny all other outbound DNS traffic.
  The reasoning for choosing answer D: The first line "Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53" permits outbound DNS requests (port 53) originating from the IP address 10.50.10.25/32 (a /32 mask specifies a single host). The second line "Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53" denies all other outbound DNS requests. This configuration ensures that only the specified device can make outbound DNS requests, fulfilling the requirement.
  The reasons for not choosing the other answers:

  • A: This option first permits all outbound DNS traffic and then attempts to deny traffic from 10.50.10.25. Due to the order of operations in ACLs (first match wins), the deny rule will never be hit because all DNS traffic is already permitted.
  • B: This option permits traffic destined to 10.50.10.25 on port 53. This isn't what we want, as we want to allow traffic *from* that IP to any DNS server. Additionally, it denies all outbound traffic which, while restrictive, doesn't align with the requirement of allowing ONLY 10.50.10.25 to make DNS queries.
  • C: This option first permits all outbound DNS traffic and then attempts to deny traffic destined to 10.50.10.25. This is the opposite of what's intended. It will effectively allow all outbound DNS traffic, rendering the second line useless as it tries to block destined to a specific IP address (which is not limiting outbound DNS from internal network).

  Therefore, option D is the correct choice.

  Citations:

  • Access Control Lists (ACLs): https://www.fortinet.com/resources/cyberglossary/access-control-list-acl
  • How Access Control Lists Work: https://www.paloaltonetworks.com/cyberpedia/what-is-an-access-control-list-acl

• Question 5

  A data administrator is configuring authentication for a SaaS application and would like to reduce the number of credentials employees need to maintain. The company prefers to use domain credentials to access new SaaS applications. Which of the following methods would allow this functionality?

  • A. SSO
  • B. LEAP
  • C. MFA
  • D. PEAP

  Correct Answer: A

  Explanation:

  I agree with the suggested answer, which is A. SSO (Single Sign-On).
  
  Reasoning:
  The question asks for a method that allows employees to use their domain credentials to access SaaS applications, thereby reducing the number of credentials they need to maintain. SSO directly addresses this requirement. SSO enables users to authenticate once, typically with their domain credentials, and then access multiple applications (including SaaS applications) without needing to re-enter their credentials. This significantly reduces the burden of managing multiple usernames and passwords.
  
  Reasons for not choosing the other options:

  • B. LEAP (Lightweight Extensible Authentication Protocol): LEAP is a Cisco proprietary wireless authentication protocol. It is not relevant to authenticating to SaaS applications using domain credentials.
  • C. MFA (Multi-Factor Authentication): MFA adds an additional layer of security to the authentication process but does not inherently reduce the number of credentials users need to manage. It typically works in conjunction with a username and password.
  • D. PEAP (Protected Extensible Authentication Protocol): PEAP is another wireless authentication protocol, often used with 802.1X. While it's more secure than LEAP, it doesn't directly address the problem of reducing the number of credentials for SaaS applications.

  Therefore, SSO is the most appropriate answer.

• Question 6

  Which of the following scenarios describes a possible business email compromise attack?

  • A. An employee receives a gift card request in an email that has an executive’s name in the display field of the email.
  • B. Employees who open an email attachment receive messages demanding payment in order to access files.
  • C. A service desk employee receives an email from the HR director asking for log-in credentials to a cloud administrator account.
  • D. An employee receives an email with a link to a phishing site that is designed to look like the company’s email portal.

  Correct Answer: C

  Explanation:

  I disagree with the suggested answer of C and agree with the discussion summary's suggested answer of A.
  The best answer is A. An employee receives a gift card request in an email that has an executive’s name in the display field of the email.
  Reasoning:
  A Business Email Compromise (BEC) attack involves an attacker impersonating a trusted individual, often an executive, to manipulate employees into performing actions that benefit the attacker. A common tactic is to request gift cards or wire transfers. This is precisely what option A describes.
  Option A directly reflects a common BEC scenario where the attacker is spoofing the executive's email to socially engineer an employee into purchasing gift cards. This type of attack relies on trust and urgency, hallmarks of BEC.
  Reasons for Incorrectness of Other Options:

  • B: Employees who open an email attachment receive messages demanding payment in order to access files. This describes a ransomware attack, not a BEC attack.
  • C: A service desk employee receives an email from the HR director asking for log-in credentials to a cloud administrator account. While this is a type of social engineering and could be part of a larger attack, it is more accurately described as credential harvesting or a phishing attempt, not a BEC attack in its typical form. It is less specific to the impersonation of a business executive for financial gain than option A.
  • D: An employee receives an email with a link to a phishing site that is designed to look like the company’s email portal. This describes a phishing attack, specifically designed to steal credentials, not a BEC attack focused on manipulating behavior through impersonation.

• Question 7

  A company prevented direct access from the database administrators’ workstations to the network segment that contains database servers. Which of the following should a database administrator use to access the database servers?

  • A. Jump server
  • B. RADIUS
  • C. HSM
  • D. Load balancer

  Correct Answer: A

  Explanation:

  I agree with the suggested answer. The correct answer is A. Jump server.
  
  Reasoning: A jump server acts as an intermediary, providing a controlled and secure access point to the database servers from the database administrators' workstations. Since direct access has been restricted, a jump server allows administrators to connect to the target network segment without exposing their workstations directly.
  
  Reasons for not choosing the other options:
  

  • B. RADIUS: RADIUS (Remote Authentication Dial-In User Service) is a networking protocol used for centralized authentication, authorization, and accounting (AAA) for users who access a network. It doesn't provide a gateway to access servers.
  • C. HSM: A Hardware Security Module (HSM) is a dedicated cryptographic hardware device used for managing digital keys and providing cryptographic processing. It doesn't facilitate network access in the way described in the question.
  • D. Load balancer: A load balancer distributes network traffic across multiple servers to ensure no single server is overwhelmed. It is not used for secure administrative access to a network segment.

  In summary, A jump server fits the scenario perfectly by enabling secure, controlled access to the database servers, aligning with security best practices.

• Question 8

  An organization’s internet-facing website was compromised when an attacker exploited a buffer overflow. Which of the following should the organization deploy to best protect against similar attacks in the future?

  • A. NGFW
  • B. WAF
  • C. TLS
  • D. SD-WAN

  Correct Answer: B

  Explanation:

  I agree with the suggested answer, which is B. WAF (Web Application Firewall).
  
  Reasoning:
  The question describes a scenario where an internet-facing website was compromised due to a buffer overflow exploit. A Web Application Firewall (WAF) is specifically designed to protect web applications from various types of attacks, including buffer overflows, by inspecting HTTP traffic and filtering out malicious requests. It operates at the application layer (Layer 7) and can analyze the content of web requests to identify and block attacks that exploit vulnerabilities in web applications.
  A WAF can implement rules and policies to detect and prevent buffer overflow attacks by examining input data for excessively long strings or other malicious patterns.
  
  Reasons for not choosing other options:

  • A. NGFW (Next-Generation Firewall): While NGFWs provide comprehensive network security features, including intrusion prevention and application control, they are not specifically designed to protect against application-level attacks like buffer overflows as effectively as a WAF. NGFWs primarily focus on network traffic and may not have the granular visibility into web application traffic needed to detect and prevent buffer overflows.
  • C. TLS (Transport Layer Security): TLS provides encryption for data in transit, protecting against eavesdropping and tampering. However, it does not prevent application-level attacks like buffer overflows. TLS secures the communication channel but does not analyze the content of the traffic for malicious payloads.
  • D. SD-WAN (Software-Defined Wide Area Network): SD-WAN is a technology used to optimize network connectivity and improve application performance across a wide area network. It does not provide specific protection against web application attacks like buffer overflows.

  Therefore, a WAF is the most appropriate solution to protect against similar attacks in the future.

  
  Citations:

  • What is a WAF?, https://www.cloudflare.com/learning/cloud/what-is-a-waf/
  • Buffer Overflow, https://owasp.org/www-community/vulnerabilities/Buffer_Overflow

• Question 9

  An administrator notices that several users are logging in from suspicious IP addresses. After speaking with the users, the administrator determines that the employees were not logging in from those IP addresses and resets the affected users’ passwords. Which of the following should the administrator implement to prevent this type of attack from succeeding in the future?

  • A. Multifactor authentication
  • B. Permissions assignment
  • C. Access management
  • D. Password complexity

  Correct Answer: A

  Explanation:

  I agree with the suggested answer, which is A. Multifactor authentication.
  Reasoning:
  The scenario describes unauthorized logins from suspicious IP addresses despite password resets, indicating a possible compromise of user credentials. Multifactor authentication (MFA) adds an additional layer of security beyond passwords, requiring users to provide two or more verification factors to gain access. This significantly reduces the risk of unauthorized access, even if an attacker knows a user's password, because they would also need to possess or control another factor, such as a code sent to the user's phone or a biometric scan.
  Why other options are not the best:

  • B. Permissions assignment: While proper permission assignment is crucial for security, it doesn't directly prevent unauthorized logins if credentials are compromised. It controls what a user can do once logged in, but not the initial authentication process itself.
  • C. Access management: Access management encompasses policies and technologies for controlling user access to resources. While important, it is a broader concept than MFA and doesn't specifically address the issue of compromised credentials as effectively as MFA.
  • D. Password complexity: Password complexity policies (e.g., requiring strong passwords with mixed characters) are beneficial, but they are not sufficient to prevent attacks if passwords are stolen or phished. MFA provides an additional layer of security that mitigates the risk of compromised passwords.

  Citations:

  • Multifactor Authentication, https://www.ibm.com/topics/multi-factor-authentication

• Question 10

  An employee receives a text message that appears to have been sent by the payroll department and is asking for credential verification. Which of the following social engineering techniques are being attempted? (Choose two.)

  • A. Typosquatting
  • B. Phishing
  • C. Impersonation
  • D. Vishing
  • E. Smishing
  • F. Misinformation

  Correct Answer: CE

  Explanation:

  I agree with the suggested answer of CE (Impersonation and Smishing).
  
  Reasoning:
  The question describes a scenario where an employee receives a text message that appears to be from the payroll department asking for credential verification. This clearly indicates two social engineering techniques:

  • Impersonation: The attacker is pretending to be the payroll department to gain the employee's trust. This is a classic example of impersonation.
  • Smishing: "Smishing" is a form of phishing conducted through SMS (Short Message Service) or text messaging. Since the attack is delivered via a text message, it falls under the category of smishing.

  
  Why other options are incorrect:

  • A. Typosquatting: Typosquatting involves registering domain names that are similar to legitimate ones but with typos. This is not relevant to the scenario.
  • D. Vishing: Vishing is phishing conducted over the phone. This is not relevant as the attack is via text message.
  • F. Misinformation: While misinformation can be a component of social engineering, the core techniques being used here are more directly impersonation and smishing. Misinformation is too broad of a term here.

  
  

  Citations:

  • Phishing, https://www.cisa.gov/news-events/cybersecurity-awareness-month/phishing
  • Smishing, https://www.avast.com/en-us/cybersecurity-content/smishing
  • Impersonation, https://www.proofpoint.com/us/threat-reference/impersonation