Try our new practice tests feature: configure your own test including the number of questions, objectives and time limits
This free CompTIA Security+ practice exam covers basic knowledge in the field of Information Systems Security. To pass the CompTIA Security+ exam, a candidate will need knowledge in Network Security, Compliance and operational security, threats and vulnerabilities, access control and identity management, cryptography, and application, data, and host security. This free practice test will test your knowledge and readiness for the CompTIA Security+ Examination.
During a regular security scan of the network you find that several user laptops are infected with the same malware. After cross-referencing the laptop users with the reverse proxy logs you find that they all accessed a industry news website the day before. You believe your organization may have been specifically targeted for this malware. What type of attack would best describe this theory?
In a watering hole attack the attacker infects a website that is known to be commonly used by an organisation or industry. For example a specific industry news site to attack a business in that industry or the entire industry in general. With the knowledge that users frequent the website the attackers are able to target them with malware and if the attack is successful to install malicious software.
Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected. Hacks looking for specific information may only attack users coming from a specific IP address. This also makes the hacks harder to detect and research. The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes.Watering_hole_attack - Wikipedia, the free encyclopedia
Your bank has contacted you and informed you they recognized an unusual login with your username and password on their website. As a precaution they have locked your account and stated the login came from a foreign country. You run a security scan on your PC which finds malware. The description of the malware states that it intercepts normal web traffic from your browser executable. What type of attack best describes this?
A Man in the Browser (MitB is a type of man in the middle (MitM) attack using a Trojan Horse to infect the victim's computer. Once installed the trojan will use attempt to use known vulnerabilities in a browser's executable to intercept or modify web traffic. A successful MiTB can occur even with SSL/TLS and without the web application being aware of the attack.
Man-in-the-browser (MITB, MitB, MIB, MiB), a form of Internet threat related to man-in-the-middle (MITM), is a proxy Trojan horse that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a covert fashion invisible to both the user and host web application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or two- or three-factor authentication solutions are in place. A MitB attack may be countered by using out-of-band transaction verification, although SMS verification can be defeated by man-in-the-mobile (MitMo) malware infection on the mobile phone. Trojans may be detected and removed by antivirus software;, but a 2011 report concluded that additional measures on top of antivirus software were needed.A related, simpler attack is the boy-in-the-browser (BitB, BITB). The majority of financial service professionals in a 2014 survey considered MitB to be the greatest threat to online banking.Man-in-the-browser - Wikipedia, the free encyclopedia
You have been called to the office of the CEO for a confidential meeting. In the meeting the CEO informs you he 'has a virus that won't let him login without paying a fee.' You begin to investigate the issue and find that the CEO downloaded a file from a website a friend shared on a social media site. After downloading the file his computer restarted and now will not allow anyone to login unless they enter credit card information. Which option best describes the attack used in this scenario based on the information available?
This type of malware is called Ransomware. It holds data or information ransom until a fee is paid after which point it will return the information or data (or so it says...). Based on the information available in the question this is the only conclusion we can make. It is possible as the CEO of the company they were targeted specifically via social media (spear phishing) but there isn't definitive evidence of this yet.
Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid off. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult. Ransomware attacks are typically carried out using a Trojan disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the WannaCry worm, traveled automatically between computers without user interaction.Starting as early as 1989 with the first documented ransomware known as the AIDS trojan, the use of ransomware scams has grown internationally. There were 181.5 million ransomware attacks in the first six months of 2018. This record marks a 229% increase over this same time frame in 2017. In June 2014, vendor McAfee released data showing that it had collected more than double the number of ransomware samples that quarter than it had in the same quarter of the previous year. CryptoLocker was particularly successful, procuring an estimated US$3 million before it was taken down by authorities,Ransomware - Wikipedia, the free encyclopedia
Your employer is planning to place wireless devices at the entrance of their retail locations. The devices will use WiFi to connect to the store's wireless network and use beams of light to detect when someone enters through the entrance. Other than WiFi, what type of wireless communication is being used?
Infrared is the only option that uses light as a communication medium. 802.11 (the standard for WLAN), Near Field Communication (NFC) & Bluetooth all use Radio Frequencies. Infrared is best for the type of device in the question as it requires line of sight to operate. When LOS is broken the device will register a person in the entrance.
Infrared (sometimes called infrared light and IR) is electromagnetic radiation (EMR) with wavelengths longer than those of visible light and shorter than radio waves. It is therefore invisible to the human eye. IR is generally understood to encompass wavelengths from around 1 millimeter (300 GHz) to the nominal red edge of the visible spectrum, around 700 nanometers (430 THz). IR is commonly divided between longer wavelength thermal infrared that is emitted from terrestrial sources and shorter wavelength near-infrared that is part of the solar spectrum. Longer IR wavelengths (30 μm-100 μm) are sometimes included as part of the terahertz radiation range. Almost all black-body radiation from objects near room temperature is at infrared wavelengths. As a form of electromagnetic radiation, IR propagates energy and momentum, exerts radiation pressure, and has properties corresponding to both those of a wave and of a particle, the photon. It was long known that fires emit invisible heat; in 1681 the pioneering experimenter Edme Mariotte showed that glass, though transparent to sunlight, obstructed radiant heat. In 1800 the astronomer Sir William Herschel discovered that infrared radiation is a type of invisible radiation in the spectrum lower in energy than red light, by means of its effect on a thermometer. Slightly more than half of the energy from the Sun was eventually found, through Herschel's studies, to arrive on Earth in the form of infrared. The balance between absorbed and emitted infrared radiation has an important effect on Earth's climate. Infrared radiation is emitted or absorbed by molecules when changing rotational-vibrationalInfrared - Wikipedia, the free encyclopedia
Which regulation in the United States would apply to a healthcare organization and require they protect the confidentially of patient data?
The Health Insurance Portability and Accountability Act (HIPAA) is a regulatory act in the United States that sets requirements for companies that store sensitive health data. It applies to hospitals, insurance companies, etc. as well as any companies that store health related data in HR systems (one example could be if an employee in a warehouse cannot lift above a certain weight).
The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy–Kassebaum Act) is a United States Act of Congress enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996. It modernized the flow of healthcare information, stipulates how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and addressed some limitations on healthcare insurance coverage. It generally prohibits healthcare providers and healthcare businesses, called covered entities, from disclosing protected information to anyone other than a patient and the patient's authorized representatives without their consent. With limited exceptions, it does not restrict patients from receiving information about themselves. It does not prohibit patients from voluntarily sharing their health information however they choose, nor does it require confidentiality where a patient discloses medical information to family members, friends, or other individuals not a part of a covered entity. The act consists of five titles. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Title III sets guidelines for pre-tax medical spending accounts, Title IV sets guidelines for group health plans, and Title V governs company-owned life insurance policies.Health_Insurance_Portability_and_Accountability_Act - Wikipedia, the free encyclopedia
You are conducting a penetration test on a web application recently purchased by the HR department of your employer. You find that when creating a new user account in the Web UI you can delete data from the database by entering '; DROP TABLE Users' into the field for the user account. What type of vulnerability have you discovered?
This is a Structured Query Language (SQL) injection. SQL is a standard language for relational database management. It's common for an application to take data from a user, create a SQL script and pass this to the underlying database. When an application has a SQL injection vulnerability the application is not validating user input to check for SQL. This allows a malicious user to send SQL commands through the application and into the database for execution.
In computing, SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. Document-oriented NoSQL databases can also be affected by this security vulnerability. In a 2012 study, it was observed that the average web application received four attack campaigns per month, and retailers received twice as many attacks as other industries.SQL_injection - Wikipedia, the free encyclopedia
A lazy programmer at a startup was recently fired for sleeping at their cubicle. Angry about being fired and wanting revenge, the programmer accessed the admin panel the startups website using a method they previously programmed into the application before being fired. With access to the admin panel the former employee was able to delete user account from the database which caused a lot of issues for the company. Which of the following options best describes the methodology of the attack?
The programmer created a backdoor into the application to grant themselves access later on. The backdoor allowed them a way to bypass the applications usual authentication measures. A backdoor could also be setup by a malicious application, but in this case was the work of a lazy programmer than new he would be fired soon.
A backdoor is a typically covert method of bypassing normal authentication or encryption in a computer, product, embedded device (e.g. a home router), or its embodiment (e.g. part of a cryptosystem, algorithm, chipset, or even a "homunculus computer" —a tiny computer-within-a-computer such as that found in Intel's AMT technology). Backdoors are most often used for securing remote access to a computer, or obtaining access to plaintext in cryptosystems. From there it may be used to gain access to privileged information like passwords, corrupt or delete data on hard drives, or transfer information within autoschediastic networks. A backdoor may take the form of a hidden part of a program, a separate program (e.g. Back Orifice may subvert the system through a rootkit), code in the firmware of the hardware, or parts of an operating system such as Windows. Trojan horses can be used to create vulnerabilities in a device. A Trojan horse may appear to be an entirely legitimate program, but when executed, it triggers an activity that may install a backdoor. Although some are secretly installed, other backdoors are deliberate and widely known. These kinds of backdoors have "legitimate" uses such as providing the manufacturer with a way to restore user passwords. Many systems that store information within the cloud fail to create accurate security measures. If many systems are connected within the cloud, hackers can gain access to all other platforms through the most vulnerable system. Default passwords (or other default credentials) can function as backdoors if they are not changedBackdoor_(computing) - Wikipedia, the free encyclopedia
You are the resident IT within your family. While relaxing and enjoying a family Thanksgiving dinner your sweet old Grandmother mentions that Microsoft called her cell phone and helped her with a virus on her computer. You explain to her that Microsoft does not call people directly to help with computer issues and that she was likely targeted by a malicious attacker. You scan her computer for viruses and find several. Your poor sweet old Grandmother was a victim of what type of attack?
Gran' was a victim of a voice phishing or vishing attack. This is the term used when an attacker contacts the victim via phone and attempts to steal personal information or by tricking the user to install malware on their computer. They may claim to be from a valid tech support company or vendor such as Microsoft or as a bill collector from a local utility company or anything in between.
Voice phishing, or vishing, is the use of telephony (often Voice over IP telephony) to conduct phishing attacks. Landline telephone services have traditionally been trustworthy; terminated in physical locations known to the telephone company, and associated with a bill-payer. Now however, vishing fraudsters often use modern Voice over IP (VoIP) features such as caller ID spoofing and automated systems (IVR) to impede detection by law enforcement agencies. Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals. Usually, voice phishing attacks are conducted using automated text-to-speech systems that direct a victim to call a number controlled by the attacker, however some use live callers. Posing as an employee of a legitimate body such as the bank, police, telephone or internet provider, the fraudster attempts to obtain personal details and financial information regarding credit card, bank accounts (e.g. the PIN), as well as personal information of the victim. With the received information, the fraudster might be able to access and empty the account or commit identity fraud. Some fraudsters may also try to persuade the victim to transfer money to another bank account or withdraw cash to be given to them directly. Callers also often pose as law enforcement or as an Internal Revenue Service employee. Scammers often target immigrants and the elderly, who are coerced to wire hundreds to thousands of dollars in response to threats of arrest or deportation.Bank account data is not the only sensitive information being targeted. Fraudsters sometimesVoice_phishing - Wikipedia, the free encyclopedia
You are observing an outage of your employers website. While investigating the cause of the outage you learn that there is a large-scale DDOS attack that has caused network outages for large percentages of the internet. The attack is targeting key infrastructure of major web service providers. According to news sources the attackers are sending huge numbers of requests to open DNS servers with spoofed IP addresses. The responses from the DNS servers are sent to the spoofed IP addresses which have resulted in network outages due to overwhelmed infrastructure. What type of attack is being conducted?
The attack described in the question is an Amplification attack using the DNS protocol. Amplification attacks are done by sending small requests to servers that will receive large responses. Add a spoofed IP to the mix and an attacker can send huge numbers of the requests (because they are small) which will result in large responses being sent to the victim. This is a type of DDOS attack. DNS and NTP are common protocols used to conduct an amplification attack.
You work for a large national realty company in the networking department. Recently your department received a help desk call from a smaller satellite office stating their WiFi is no longer working. The trouble ticket was escalated to you because company policy does not allow wireless networks. After further investigation you learn that an employee in the office setup a simple wireless router themselves. Which option best defines this situation?
The installation of an unauthorized wireless router or access point is known as a Rogue Access Point or Rogue AP. A Rogue AP could be an attack or simply an employee breaking policy and setting up a wireless AP without permission. This is dangerous as the wireless device (without proper configuration) would allow outside devices onto the network and would be the equivalent of gaining physical access to the network.
A rogue access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker.Rogue_access_point - Wikipedia, the free encyclopedia
You have ordered a penetration test on the companies website from a 3rd party IT Security consultant. Your web administration team has created a stand-alone test network to ensure the penetration tests do not cause issues on the live website. Other than the IP address of the web server you have not provided the penetration testers with any information. What type of test best describes this scenario?
This type of penetration test is known as a black box test. In this scenario the tests have little to no information on how the website works. For example they are not given the type of web server or access to the source code. Instead the 'attackers' will have to gather information and test different attack methods to see what works and what doesn't.
Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied virtually to every level of software testing: unit, integration, system and acceptance. It is sometimes referred to as specification-based testing.Black-box_testing - Wikipedia, the free encyclopedia
'deny tcp any server tcp 80' will deny all tcp traffic to any server on port 80.
In computer security, an access-control list (ACL) is a list of permissions associated with a system resource (object) An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects Each entry in a typical ACL specifies a subject and an operation For instance, if a file object has an ACL that contains (Alice: read,write Bob: read), this would give Alice permission to read and write the file and only give Bob permission to read itAccess_control_list - Wikipedia, the free encyclopedia
Your employer allows BYOD because the companies software landscape is entirely based on SaaS applications on the internet. Recently an employee's various accounts were accessed by a hacker. The user tells you they had different passwords for all of the applications. No one else has reported similar issues. After helping the user conduct a malware scan on their personnel device you find that they have malware that records input given to the PC by the user. What option best describes the type of malware found?
The malware found is a Keylogger. It records the input typed by the user and in this case recorded user account credentials (username and password). Situations like this are common when companies allow Bring Your Own Device (BYOD) as network administrators have very limited control over devices not owned by the company.
Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored. Data can then be retrieved by the person operating the logging program. A keystroke recorder or keylogger can be either software or hardware. While the programs themselves are legal, with many designed to allow employers to oversee the use of their computers, keyloggers are most often used for stealing passwords and other confidential information.Keylogging can also be used to study keystroke dynamics or human-computer interaction. Numerous keylogging methods exist, ranging from hardware and software-based approaches to acoustic cryptanalysis.Keystroke_logging - Wikipedia, the free encyclopedia
A smaller online retailer is experiencing huge numbers of requests on their websites. They are not running any major marketing campaigns and while seeing a lot of traffic are not seeing a rise in sales or logins. Eventually their web servers become overloaded and users are unable to load pages on the website. What type of attack most likely occurred?
Most likely this was a Distributed Denial of Service (DDOS) attack using bots to create large amounts of malicious web requests. With enough requests the web server's capacity will be exhausted and no one will be able to access the website.
In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. More sophisticated strategies are required to mitigate this type of attack, as simply attempting to block a single source is insufficient because there are multiple sources.A DoS or DDoS attack is analogous to a group of people crowding the entry door of a shop, making it hard for legitimate customers to enter, thus disrupting trade and losing the business money. Criminal perpetrators of DoS attacks often target sites or services hosted on high-profile web servers such as banks or credit card payment gateways. Revenge, blackmail and hacktivism can motivate these attacks.Denial-of-service_attack - Wikipedia, the free encyclopedia
Which option best describes the following situation: An attacker has intercepted network packets between a browser and web server. The attack then re-transmits the intercepted data to the web server hoping the server will respond with useful information (e.g. a session id, credit card information, etc.).
The attack described is called a Replay or Playback attack. The attacker is able to eavesdrop on network data (through some other method) and is resending the collected network data to gain access to confidential data or to hijack a users session. Aside from ensuring network data is not intercepted, the easiest way to defend against a replay attack is to use encrypted connections (e.g. HTTPS for a website).
A replay attack (also known as a repeat attack or playback attack) is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a spoofing attack by IP packet substitution. This is one of the lower-tier versions of a man-in-the-middle attack. Replay attacks are usually passive in nature. Another way of describing such an attack is: "an attack on a security protocol using a replay of messages from a different context into the intended (or original and expected) context, thereby fooling the honest participant(s) into thinking they have successfully completed the protocol run."Replay_attack - Wikipedia, the free encyclopedia
Your coworker is out sick due to an illness. In his absence you have received the results of a vulnerability scan he ordered from an external provider. Unfortunately your coworker did not give you any information on what type of scan was conducted or what methods were used. The results show that 3 injection vulnerabilities were identified but are only possible when attempted from an authenticated user account. Based on the information you have, what type of vulnerability scan was most likely completed?
A credentialed vulnerability scan was done. While the other answers could also be correct (e.g. it could have been an intrusive and credentialed scan) but with the information given in the question you could not know this. When a credentialed scan is used the scanner has valid user credentials while in a non-credentialed attack they do not.
What type of DOS attack sends a large number of new TCP requests to a server in order to overwhelm it with unused open sessions?
A SYN Flood sends a large number of SYN requests (the first step in creating a new TCP connection). After this the attacker ignores the ACK which is sent back from the server and simply sends another SYN. The goal is to overload the server with huge number of open TCP connections. By doing so the server will not be able to respond to valid traffic from normal users - thus resulting in a Denial of Service (DOS).
A SYN flood is a form of denial-of-service attack in which an attacker rapidly initiates a connection to a server without finalizing the connection. The server has to spend resources waiting for half-opened connections, which can consume enough resources to make the system unresponsive to legitimate traffic.The packet that the attacker sends is the SYN packet, a part of TCP's three-way handshake used to establish a connection.SYN_flood - Wikipedia, the free encyclopedia
You are working as a security consultant for a small company. The owner of the company states they were recently targeted by hackers who gained access to their email account. Since then the attackers have taken control of the companies website and have stated they will only return control to the company after receiving a payment. The hosting provider has stated the web servers are not infected and no unusual logins have occurred. Despite this users are reporting they cannot access the companies website. Based on this information, what type of attack has occurred to the website?
Based on the information you have the most likely attack (against the website) is a DNS hijacking. The attackers gained control of the company's domain name and are holding it for ransom.
Domain hijacking or domain theft is the act of changing the registration of a domain name without the permission of its original registrant, or by abuse of privileges on domain hosting and registrar software systems.This can be devastating to the original domain name holder, not only financially as they may have derived commercial income from a website hosted at the domain or conducted business through that domain's e-mail accounts, but also in terms of readership and/or audience for non-profit or artistic web addresses. After a successful hijacking, the hijacker can use the domain name to facilitate other illegal activity such as phishing, where a website is replaced by an identical website that records private information such as log-in passwords, spam, or may distribute malware from the perceived "trusted" domain.Domain_hijacking - Wikipedia, the free encyclopedia
You are responsible for application security for a small startup. You are responsible for conducting regular penetration tests. Recently the startup has faced some budget issues and lacks the funds to create a stand alone system to be used for vulnerability scanning applications. Due to this constraint you must conduct vulnerability scans on the live system (the same one being used by customers). What type of scan should be used to ensure vulnerabilities are found but not executed?
As you are scanning the live/production system a non-intrusive scan is best. Non-intrusive means security issues will be identified but not exploited as to not negatively impact the system. The issue with this is some vulnerabilities cannot be found without trying an exploit (e.g. a SQL injection to delete data can't be tested without actually deleting data). Due to this the scenario described in the question is not ideal and it's possible vulnerabilities that exist will not be found.
During routine security checks you discover that a wireless access point is setup on the outside of your employer's office building. The access point has the same SSID as the internal WiFi network but is unsecured to allow anyone access. What type of attack have you discovered?
This type of attack is known as an Evil Twin. The attacker sets up a wireless access point in the hopes of tricking users to use it instead of the valid one (for example by giving it the same or similar SSID). Users that fall for the trick may expose sensitive information like passwords by using evil twin access point.
An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications. The evil twin is the wireless LAN equivalent of the phishing scam. This type of attack may be used to steal the passwords of unsuspecting users, either by monitoring their connections or by phishing, which involves setting up a fraudulent web site and luring people there.Evil_twin_(wireless_networks) - Wikipedia, the free encyclopedia
Looks like thats it! You can go back and review your answers or click the button below to grade your test.