This free CompTIA Security+ practice exam covers basic knowledge in the field of Information Systems Security. To pass the CompTIA Security+ exam, a candidate will need knowledge in Network Security, Compliance and operational security, threats and vulnerabilities, access control and identity management, cryptography, and application, data, and host security. This free practice test will test your knowledge and readiness for the CompTIA Security+ Examination.
Your employer's security policies state that all externally facing servers should only be accessible via ports that are absolutely required. Generally your company only has web servers that are accessible from outside the company's network. A recent security review showed that it was possible to ping several of these web servers. What protocol should be disabled using a firewall to ensure pings do not successfully contact the servers?
Network diagnostic tools like ping and tracert use the Internet Control Message Protocol (ICMP) to function. Using a firewall to block external systems from using this protocol to contact internal solutions will ensure ping cannot be used against the servers discussed in the question.
The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating success or failure when communicating with another IP address; for example, an error is indicated when a requested service is not available or when a host or router could not be reached. ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications (with the exception of some diagnostic tools like ping and traceroute). ICMP for IPv4 is defined in RFC 792. A separate ICMPv6, defined by RFC 4443, is used with IPv6. (Source: Internet_Control_Message_Protocol - Wikipedia, the free encyclopedia)
You are in the onboarding process with a new employer. Your new manager has asked you to review and sign a document that outlines how you can use their IT systems and what types of uses are not permitted. What type of policy document is this?
An Acceptable Use Policy (AUP) will outline how users can use an IT system or group of IT systems. They are generally used by businesses and organisations to ensure users are aware of what actions are acceptable and what actions could warrant administrative action. For example, an acceptable use policy could state that pirating movies using company resources is not permitted.
An acceptable use policy (AUP), acceptable usage policy or fair use policy is a set of rules applied by the owner, creator or administrator of a computer network, website, or service that restricts the ways in which the network, website or system may be used and sets guidelines as to how it should be used. AUP documents are written for corporations, businesses, universities, schools, internet service providers (ISPs), and website owners, often to reduce the potential for legal action that may be taken by a user, and often with little prospect of enforcement. Acceptable use policies are an integral part of the framework of information security policies; it is often common practice to ask new members of an organization to sign an AUP before they are given access to its information systems. For this reason, an AUP must be concise and clear, while at the same time covering the most important points about what users are, and are not, allowed to do with the IT systems of an organization; it should refer users to the more comprehensive security policy where relevant. It should also, and very notably, define what sanctions will be applied if a user breaks the AUP. Compliance with this policy should, as usual, be measured by regular audits. In some cases a fair usage policy applied to a service allowing nominally unlimited use for a fixed fee simply sets a cap on what may be used, intended to allow normal usage but prevent what is considered excessive. For (Source: Acceptable_use_policy - Wikipedia, the free encyclopedia)
A large chemical company will soon be legally required to offer phone support for customers to contact in the event of a chemical spill or other similar issue. The new law requires the company to be available 24/7, 365 days a year, or large fines will be levied against the company. You have been contracted to ensure a power outage does not prevent the help desk from being available to callers. You have been given the requirement that all electronic equipment (desktops, servers, network equipment, phones, etc.) must operate for up to 24 hours without interruption during a power outage. Which of the following options would best meet this requirement?
A generator is the best option here because it can operate for as long as there is fuel and can power entire buildings at once. It is also the most expensive solution. An Uninterruptible Power Supply (UPS) will provide temporary power (a few minutes to a few hours) to electronic devices in the event of a power outage, so while helpful it is not enough to meet the 24 hour requirement.
You are a network engineer for a mid-sized consulting company. Your employer is currently in the role of a systems integrator for a transformation project at a retail company. You have been tasked with configuring a new network switch. Upon accessing the switch via SSH you receive a message stating only authorized users from ACME Enterprise and authorized 3rd party partners are permitted. You are not required to acknowledge or accept this warning in any way. What type of control best classifies this type of message?
This type of warning is a deterrent. A deterrent is anything intended to warn a (potential) malicious user that they should not access a system or area or conduct a certain action. Examples are warning messages, signs, posted notices, etc.
You are a penetration tester for a network security consulting company. You are currently on-site at a customer's premises and are doing your first analysis of the customer's network security. You check if they are using Wifi and find that they are using a deprecated protocol with known vulnerabilities. Which of the options is most likely being used?
Wired Equivalent Privacy (WEP) was a commonly used security protocol for encrypted wireless networks. It has been deprecated and is outdated, with known vulnerabilities. WEP should not be used; instead, a newer and more robust option like WPA2 should be implemented.
Wired Equivalent Privacy (WEP) was a security algorithm for 802.11 wireless networks. Introduced as part of the original IEEE 802.11 standard ratified in 1997, its intention was to provide data confidentiality comparable to that of a traditional wired network. WEP, recognizable by its key of 10 or 26 hexadecimal digits (40 or 104 bits), was at one time widely used, and was often the first security choice presented to users by router configuration tools. In 2003, the Wi-Fi Alliance announced that WEP had been superseded by Wi-Fi Protected Access (WPA). In 2004, with the ratification of the full 802.11i standard (i.e. WPA2), the IEEE declared that both WEP-40 and WEP-104 have been deprecated. WEP was the only encryption protocol available to 802.11a and 802.11b devices built before the WPA standard, which was available for 802.11g devices. However, some 802.11b devices were later provided with firmware or software updates to enable WPA, and newer devices had it built in. (Source: Wired_Equivalent_Privacy - Wikipedia, the free encyclopedia)
You are a network security technician at a mid-sized company. Your employer is planning for significant growth and the CIO has tasked you with implementing a system to consolidate all critical network device logs to a central location. The system should support logs from all routers, firewalls, switches and business critical servers and should send alerts in the event of security issues. What type of solution would best meet these requirements?
Security Information and Event Management (SIEM) systems are used to centralize logging and alerting from various types of network devices. Common functionalities include data aggregation, alerting, forensic analysis and data retention/compliance. They are most commonly found in mid-size to larger networks where there are too many devices to monitor separately.
Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware. Vendors sell SIEM as software, as appliances, or as managed services; these products are also used to log security data and generate reports for compliance purposes. The term and the initialism SIEM was coined by Mark Nicolett and Amrit Williams of Gartner in 2005. (Source: Security_information_and_event_management - Wikipedia, the free encyclopedia)
What type of NIDS commonly uses artificial intelligence and data mining to identify malicious network traffic?
An anomaly-based Network Intrusion Detection System (NIDS) detects unusual network traffic after first being 'trained' on normal network traffic. These systems use data mining and artificial intelligence to classify traffic as either normal or anomalous (potentially malicious).
An anomaly-based intrusion detection system is an intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls out of normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created. In order to positively identify attack traffic, the system must be taught to recognize normal system activity. The two phases of a majority of anomaly detection systems consist of the training phase (where a profile of normal behaviors is built) and the testing phase (where current traffic is compared with the profile created in the training phase). Anomalies are detected in several ways, most often with artificial intelligence type techniques. Systems using artificial neural networks have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and flag any deviation from this as an attack. This is known as strict anomaly detection. Other techniques used to detect anomalies include data mining methods, grammar based methods, and Artificial Immune System. Network-based anomalous intrusion detection systems often provide a second line of defense to detect anomalous traffic at the physical and network layers after it has passed through a firewall or other security appliance on the border of a network. Host-based anomalous intrusion detection (Source: Anomaly-based_intrusion_detection_system - Wikipedia, the free encyclopedia)
What acronym refers to the amount of time between the failure of a device and the device's return to normal functionality?
Mean time to recovery (MTTR) is the estimated amount of time between a failure and recovery of a device. Mean time between failures (MTBF) is the average amount of time between failures of a device (generally provided by the manufacturer). Mean time to failure (MTTF) is the length of time a device lasts in operation. MRTR is something we made up.
Mean time to recovery (MTTR) is the average time that a device will take to recover from any failure. Examples of such devices range from self-resetting fuses (where the MTTR would be very short, probably seconds), to whole systems which have to be repaired or replaced. The MTTR would usually be part of a maintenance contract, where the user would pay more for a system whose MTTR was 24 hours than for one of, say, 7 days. This does not mean the supplier is guaranteeing to have the system up and running again within 24 hours (or 7 days) of being notified of the failure. It does mean the average repair time will tend towards 24 hours (or 7 days). A more useful maintenance contract measure is the maximum time to recovery, which can be easily measured and for which the supplier can be held accountable. Note that some suppliers will interpret MTTR to mean 'mean time to respond' and others will take it to mean 'mean time to replace/repair/recover/resolve'. The former indicates that the supplier will acknowledge a problem and initiate mitigation within a certain timeframe. Some systems may have an MTTR of zero, which means that they have redundant components which can take over the instant the primary one fails; see RAID for example. However, the failed device involved in this redundant configuration still needs to be returned to service and hence the device itself has a non-zero MTTR even if the system as a whole (through redundancy) has an MTTR of zero. (Source: Mean_time_to_recovery - Wikipedia, the free encyclopedia)
Which of the following options is a functionality or tool that disallows access to a wireless network based on the layer 2 address of the client device?
Layer 2 addresses (also called physical addresses) are MAC addresses. Using MAC filtering you can disallow any devices that are not explicitly granted access. While this can help increase security, it is not foolproof, and advanced attackers can easily spoof the MAC address to gain access. MAC filtering alone is not sufficient to protect a network.
In computer networking, MAC filtering refers to a security access control method whereby the MAC address assigned to each network card is used to determine access to the network. MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists. While the restriction of network access through the use of lists is straightforward, an individual person is not identified by a MAC address, rather a device only, so an authorized person will need to have a whitelist entry for each device that they would like to access the network. While giving a network some additional protection, MAC filtering can be circumvented by using a packet analyzer to find a valid MAC and then using MAC spoofing to access the network using that address. MAC address filtering can be considered as security through obscurity because the effectiveness is based on "the secrecy of the implementation or its components". (Source: MAC_filtering - Wikipedia, the free encyclopedia)
Your employer uses a third party service provider to store files like word documents and presentations. These files can be accessed and collaborated on by other employees through a website. There are many companies that use this same service, but data is controlled using various methods to ensure users can only access their own companies files. What type of service is this?
You are a member of the security team in the IT Infrastructure department at a manufacturer. You have received a ticket from the network architecture team who have requested your approval of a proposed network change. The change is to replace a network device that allows internal servers to make requests to the internet without external systems being able to determine what internal server made the original request. What type of system is being changed?
When a user or system wants to make a request to another system without revealing its identity, a proxy can be used. Proxies act as intermediaries to transmit data between systems. The most common use case is to route web requests from internal users and devices through a reverse proxy so that external web servers cannot tell which internal user or device made the original request.
In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. Instead of connecting directly to a server that can fulfill a request for a resource, such as a file or web page, the client directs the request to the proxy server, which evaluates the request and performs the required network transactions. This serves as a method to simplify or control the complexity of the request, or provide additional benefits such as load balancing, privacy, or security. Proxies were devised to add structure and encapsulation to distributed systems. A proxy server thus functions on behalf of the client when requesting service, potentially masking the true origin of the request to the resource server. (Source: Proxy_server - Wikipedia, the free encyclopedia)
A full-scale test is exactly what it sounds like, a full test of disaster recovery. This type of test simulates a real-life disaster scenario as closely as possible and will require extensive resources and manpower.
Disaster recovery involves a set of policies, tools, and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster. Disaster recovery focuses on the information technology (IT) or technology systems supporting critical business functions, as opposed to business continuity, which involves keeping all essential aspects of a business functioning despite significant disruptive events; it can therefore be considered a subset of business continuity. Disaster recovery assumes that the primary site is not recoverable for some time and represents a process of restoring data and services to a secondary surviving site, as opposed to restoring them back to their original place. (Source: Disaster_recovery - Wikipedia, the free encyclopedia)
Your employer has several thousand internal users all who need to access the internet on a daily basis to complete their work. What technology should be used to mask the internal IP addresses of these users and allow access to the internet through shared public IP addresses?
Network Address Translation (NAT) allows many devices to share an IP address when accessing another network. Most commonly it is used to allow internal devices to share public IP addresses when accessing the internet. Benefits of NAT include minimizing the number of public IP addresses required (they cost money, and for IPv4 there is a limited number available) as well as masking the origin of the request, which provides security benefits. Generally NAT is used on a router or firewall.
Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was originally used to avoid the need to assign a new address to every host when a network was moved, or when the upstream Internet service provider was replaced but could not route the network's address space. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network. As network address translation modifies the IP address information in packets, NAT implementations may vary in their specific behavior in various addressing cases and their effect on network traffic. The specifics of NAT behavior are not commonly documented by vendors of equipment containing NAT implementations. (Source: Network_address_translation - Wikipedia, the free encyclopedia)
Which of the following options is a valid type of evidence in a computer forensics investigation that proves innocence?
Exculpatory evidence is evidence in an investigation that proves the innocence of a suspected person or party. Inculpatory evidence is the opposite and proves guilt. Demonstrative evidence is evidence that helps explain facts; common examples are charts, graphs, videos, etc.
Exculpatory evidence is evidence favorable to the defendant in a criminal trial that exonerates or tends to exonerate the defendant of guilt. It is the opposite of inculpatory evidence, which tends to present guilt. In many countries, including the United States, police and prosecutors are required to disclose to the defendant exculpatory evidence they possess before the defendant enters a plea (guilty or not guilty). In some countries such as Germany, the prosecution has to actively search for both exculpatory and inculpatory circumstances and evidence before filing of action. Per the Brady v. Maryland decision, prosecutors in the United States have a duty to disclose exculpatory evidence even if not requested to do so. While the prosecution is not required to search for exculpatory evidence and must disclose only the evidence in its possession, custody, or control, the prosecution's duty is to disclose all information known to any member of its team, e.g., police, investigators, crime labs, et cetera. In Brady v. Maryland, the U.S. Supreme Court held that such a requirement follows from constitutional due process and is consistent with the prosecutor's duty to seek justice. The Brady doctrine is a pretrial discovery rule that was established by the United States Supreme Court in Brady v. Maryland (1963). The rule requires that the prosecution must turn over all exculpatory evidence to the defendant in a criminal case. Exculpatory evidence is evidence that might exonerate the defendant. (Source: Exculpatory_evidence - Wikipedia, the free encyclopedia)
You need to record packet data being sent to and from a server running a Linux operating system. After recording the network traffic you want to view the data in a visualization tool like Wireshark. What command line tool is best suited for this task?
tcpdump is a packet analyzer or packet sniffer available on many Linux operating systems. It can be used to record all packets being sent to/from a server, and the captured packets can be reviewed in real time or saved to a file for later review/analysis.
tcpdump is a data-network packet analyzer computer program that runs under a command line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software. Tcpdump works on most Unix-like operating systems: Linux, Solaris, FreeBSD, DragonFly BSD, NetBSD, OpenBSD, OpenWrt, macOS, HP-UX 11i, and AIX. In those systems, tcpdump uses the libpcap library to capture packets. The port of tcpdump for Windows is called WinDump; it uses WinPcap, the Windows version of libpcap. (Source: tcpdump - Wikipedia, the free encyclopedia)
A string of text is converted to a numeric value that uniquely identifies the original text. With only the numeric value it is impossible to reproduce the original text value. Which term correctly identifies this numeric value?
A hash value, hashed value or just a hash is the result of a one-way cryptographic function. Hashes are used to verify the integrity of data (e.g. a file download) as well as to store sensitive data such as passwords.
A cryptographic hash function (CHF) is a mathematical algorithm that maps data of an arbitrary size (often called the "message") to a bit array of a fixed size (the "hash value", "hash", or "message digest"). It is a one-way function, that is, a function for which it is practically infeasible to invert or reverse the computation. Ideally, the only way to find a message that produces a given hash is to attempt a brute-force search of possible inputs to see if they produce a match, or use a rainbow table of matched hashes. Cryptographic hash functions are a basic tool of modern cryptography. A cryptographic hash function must be deterministic, meaning that the same message always results in the same hash. Ideally it should also have the following properties: it is quick to compute the hash value for any given message; it is infeasible to generate a message that yields a given hash value (i.e. to reverse the process that generated the given hash value); it is infeasible to find two different messages with the same hash value; and a small change to a message should change the hash value so extensively that a new hash value appears uncorrelated with the old hash value (avalanche effect). Cryptographic hash functions have many information-security applications, notably in digital signatures, message authentication codes (MACs), and other forms of authentication. They can also be used as ordinary hash functions, to index data in hash tables, for fingerprinting, to detect duplicate data or uniquely identify files, and as checksums to detect accidental (Source: Cryptographic_hash_function - Wikipedia, the free encyclopedia)
You are an IT specialist on the Network Security team of a large enterprise. You have been tasked to implement a wireless network to be used by employees in the corporate headquarters. Your employer is very security conscious and instructs you to use the best possible encryption protocol available. What 802.11 protocol would you use to fulfill this requirement?
WiFi Protected Access 2 (WPA2) is the strongest encryption currently available for wireless networks. WPA and Wired Equivalent Privacy (WEP) are both options available on the market but are less secure and have known vulnerabilities. WIFI-S is not a real protocol.
Wi-Fi Protected Access (WPA), Wi-Fi Protected Access II (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP). WPA (sometimes referred to as the TKIP standard) became available in 2003. The Wi-Fi Alliance intended it as an intermediate measure in anticipation of the availability of the more secure and complex WPA2, which became available in 2004 and is a common shorthand for the full IEEE 802.11i (or IEEE 802 (Source: WPA2 - Wikipedia, the free encyclopedia)
The steps of the incident response process are: Preparation, Identification, Containment, Eradication, Recovery, Lessons learned.
When configuring a wireless access point what configuration change will hide the name of the wireless network and require users who want to connect to the network to know the wireless name?
When a wireless network broadcasts it includes the network name, called a Service Set Identifier (SSID). Most commonly the SSID will be a user-friendly name to help people identify which network they want to connect to (e.g. Smith WiFi, Friendly's Guest, etc.). Disabling SSID broadcast will still allow the network to be visible to nearby devices but in order to connect to the network they will need to know the SSID (as well as a password/key if configured).
syslog is a vendor neutral standard for message logging. It includes a standard format for logs as well as a network protocol for sending log data to another device. Common uses of syslog are on Unix and Linux operating systems and network devices like routers, switches and firewalls.
In computing, syslog is a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the type of system generating the message, and is assigned a severity level. Computer system designers may use syslog for system management and security auditing as well as general informational, analysis, and debugging messages. A wide variety of devices, such as printers, routers, and message receivers across many platforms use the syslog standard. This permits the consolidation of logging data from different types of systems in a central repository. Implementations of syslog exist for many operating systems. When operating over a network, syslog uses a client-server architecture where a syslog server listens for and logs messages coming from clients. (Source: Syslog - Wikipedia, the free encyclopedia)