This free CompTIA Security+ practice exam covers basic knowledge in the field of Information Systems Security. To pass the CompTIA Security+ exam, a candidate will need knowledge in Network Security, Compliance and operational security, threats and vulnerabilities, access control and identity management, cryptography, and application, data, and host security. This free practice test will test your knowledge and readiness for the CompTIA Security+ Examination.
1) You are working as a security consultant for a small company. The owner of the company states they were recently targeted by hackers who gained access to their email account. Since then the attackers have taken control of the company's website and have stated they will only return control to the company after receiving a payment. The hosting provider has stated the web servers are not infected and no unusual logins have occurred. Despite this, users are reporting they cannot access the company's website. Based on this information, what type of attack has occurred to the website?
Based on the information you have, the most likely attack (against the website) is a DNS hijacking. The attackers gained control of the company's domain name and are holding it for ransom.
This question is filed under objective 1, Threats, Attacks and Vulnerabilities
Domain hijacking or domain theft is the act of changing the registration of a domain name without the permission of its original registrant, or by abuse of privileges on domain hosting and registrar software systems. This can be devastating to the original domain name holder, not only financially as they may have derived commercial income from a website hosted at the domain or conducted business through that domain's e-mail accounts, but also in terms of readership and/or audience for non-profit or artistic web addresses. After a successful hijacking, the hijacker can use the domain name to facilitate other illegal activity such as phishing, where a website is replaced by an identical website that records private information such as log-in…
2) You have been called to the office of the CEO for a confidential meeting. In the meeting the CEO informs you he 'has a virus that won't let him login without paying a fee.' You begin to investigate the issue and find that the CEO downloaded a file from a website a friend shared on a social media site. After downloading the file his computer restarted and now will not allow anyone to log in unless they enter credit card information. Which option best describes the attack used in this scenario based on the information available?
This type of malware is called Ransomware. It holds data or information ransom until a fee is paid, after which point it will return the information or data (or so it says...). Based on the information available in the question this is the only conclusion we can make. It is possible that, as the CEO of the company, he was targeted specifically via social media (spear phishing), but there isn't definitive evidence of this yet.
This question is filed under objective 1, Threats, Attacks and Vulnerabilities
Ransomware is a type of malware from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system so that it is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators…
3) You are the resident IT within your family. While relaxing and enjoying a family Thanksgiving dinner your sweet old Grandmother mentions that Microsoft called her cell phone and helped her with a virus on her computer. You explain to her that Microsoft does not call people directly to help with computer issues and that she was likely targeted by a malicious attacker. You scan her computer for viruses and find several. Your poor sweet old Grandmother was a victim of what type of attack?
Gran' was a victim of a voice phishing or vishing attack. This is the term used when an attacker contacts the victim via phone and attempts to steal personal information or to trick the user into installing malware on their computer. They may claim to be from a valid tech support company or vendor such as Microsoft, or a bill collector from a local utility company, or anything in between.
This question is filed under objective 1, Threats, Attacks and Vulnerabilities
Voice phishing is a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward. It is sometimes referred to as "vishing," a portmanteau of "voice" and "phishing". Landline telephone services have traditionally been trustworthy; terminated in physical locations known to the telephone company, and associated with a bill-payer. Now however, vishing fraudsters often use modern Voice over IP (VoIP) features such as caller ID spoofing and automated systems (IVR) to make it difficult for legal authorities to monitor, trace or block. Voice phishing is typically used to steal credit card numbers or other information used in identity…
4) What option would create a new ACL entry that would deny any port 80 HTTP traffic?
'deny tcp any server tcp 80' will deny all TCP traffic to any server on port 80.
This question is filed under objective 2, Technologies and Tools
In computer security, an access-control list (ACL) is a list of permissions associated with a system resource (object). An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. For instance, if a file object has an ACL that contains (Alice: read,write; Bob: read), this would give Alice permission to read and write the file and Bob to only read it…
5) During routine security checks you discover that a wireless access point is set up on the outside of your employer's office building. The access point has the same SSID as the internal WiFi network but is unsecured to allow anyone access. What type of attack have you discovered?
This type of attack is known as an Evil Twin. The attacker sets up a wireless access point in the hope of tricking users into using it instead of the valid one (for example by giving it the same or a similar SSID). Users that fall for the trick may expose sensitive information like passwords by using the evil twin access point.
This question is filed under objective 1, Threats, Attacks and Vulnerabilities
An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications. The evil twin is the wireless LAN equivalent of the phishing scam. This type of attack may be used to steal the passwords of unsuspecting users, either by monitoring their connections or by phishing, which involves setting up a fraudulent web site and luring people there…
6) Which regulation in the United States would apply to a healthcare organization and require that they protect the confidentiality of patient data?
The Health Insurance Portability and Accountability Act (HIPAA) is a regulatory act in the United States that sets requirements for companies that store sensitive health data. It applies to hospitals, insurance companies, etc. as well as any companies that store health related data in HR systems (one example could be if an employee in a warehouse cannot lift above a certain weight).
This question is filed under objective 5, Risk Management
The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy–Kassebaum Act) is a United States federal statute enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996. It was created primarily to modernize the flow of healthcare information, stipulate how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. The act consists of five titles. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs…
7) A lazy programmer at a startup was recently fired for sleeping at their cubicle. Angry about being fired and wanting revenge, the programmer accessed the admin panel of the startup's website using a method they had previously programmed into the application before being fired. With access to the admin panel the former employee was able to delete user accounts from the database, which caused a lot of issues for the company. Which of the following options best describes the methodology of the attack?
The programmer created a backdoor into the application to grant themselves access later on. The backdoor allowed them a way to bypass the application's usual authentication measures. A backdoor could also be set up by a malicious application, but in this case it was the work of a lazy programmer who knew he would be fired soon.
This question is filed under objective 1, Threats, Attacks and Vulnerabilities
A backdoor is a typically covert method of bypassing normal authentication or encryption in a computer, product, embedded device (e.g. a home router), or its embodiment (e.g. part of a cryptosystem, algorithm, chipset, or even a "homunculus computer" —a tiny computer-within-a-computer such as that found in Intel's AMT technology). Backdoors are most often used for securing remote access to a computer, or obtaining access to plaintext in cryptographic systems. From there it may be used to gain access to privileged information like passwords, corrupt or delete data on hard drives, or transfer information within autoschediastic networks. A backdoor may take the form of a hidden part of a program, a separate program (e…
8) You are conducting a penetration test on a web application recently purchased by the HR department of your employer. You find that when creating a new user account in the Web UI you can delete data from the database by entering '; DROP TABLE Users' into the field for the user account. What type of vulnerability have you discovered?
This is a Structured Query Language (SQL) injection. SQL is a standard language for relational database management. It's common for an application to take data from a user, build a SQL statement from it and pass this to the underlying database. When an application has a SQL injection vulnerability, the application is not validating user input to check for SQL. This allows a malicious user to send SQL commands through the application and into the database for execution.
This question is filed under objective 1, Threats, Attacks and Vulnerabilities
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or…
9) Your employer allows BYOD because the company's software landscape is entirely based on SaaS applications on the internet. Recently an employee's various accounts were accessed by a hacker. The user tells you they had different passwords for all of the applications. No one else has reported similar issues. After helping the user conduct a malware scan on their personal device you find that they have malware that records input given to the PC by the user. What option best describes the type of malware found?
The malware found is a Keylogger. It records the input typed by the user and in this case recorded user account credentials (username and password). Situations like this are common when companies allow Bring Your Own Device (BYOD) as network administrators have very limited control over devices not owned by the company.
This question is filed under objective 1, Threats, Attacks and Vulnerabilities
Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored. Data can then be retrieved by the person operating the logging program. A keystroke recorder or keylogger can be either software or hardware. While the programs themselves are legal, with many designed to allow employers to oversee the use of their computers, keyloggers are most often used for stealing passwords and other confidential information. Keylogging can also be used to study keystroke dynamics or human-computer interaction…
10) A smaller online retailer is experiencing huge numbers of requests on their website. They are not running any major marketing campaigns and, while seeing a lot of traffic, are not seeing a rise in sales or logins. Eventually their web servers become overloaded and users are unable to load pages on the website. What type of attack most likely occurred?
Most likely this was a Distributed Denial of Service (DDOS) attack using bots to create large amounts of malicious web requests. With enough requests the web server's capacity will be exhausted and no one will be able to access the website.
This question is filed under objective 1, Threats, Attacks and Vulnerabilities
In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. This effectively makes it impossible to stop the attack simply by blocking a single source…
11) Which option best describes the following situation: An attacker has intercepted network packets between a browser and web server. The attacker then re-transmits the intercepted data to the web server hoping the server will respond with useful information (e.g. a session id, credit card information, etc.).
The attack described is called a Replay or Playback attack. The attacker is able to eavesdrop on network data (through some other method) and is resending the collected network data to gain access to confidential data or to hijack a user's session. Aside from ensuring network data is not intercepted, the easiest way to defend against a replay attack is to use encrypted connections (e.g. HTTPS for a website).
This question is filed under objective 1, Threats, Attacks and Vulnerabilities
A replay attack (also known as playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a spoofing attack by IP packet substitution. This is one of the lower-tier versions of a man-in-the-middle attack. Another way of describing such an attack is: "an attack on a security protocol using replay of messages from a different context into the intended (or original and expected) context, thereby fooling the honest participant(s) into thinking they have successfully completed the protocol run…
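As an added example (not from the practice exam), the server-side check that complements the encrypted transport named in question 11: each request carries a timestamp and a one-time nonce under an HMAC, and the server rejects a message whose MAC fails, whose timestamp is outside a freshness window, or whose nonce it has already accepted. The shared key, the 30-second window and the request bodies are constructed for the demo.

```python
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-demo-key"   # constructed; in practice a per-client secret
WINDOW_SECONDS = 30                    # how old a timestamp may be and still be fresh


def sign_request(body, now, nonce=None):
    """Client side: bind a timestamp and a fresh nonce to the body with an HMAC."""
    nonce = nonce or secrets.token_hex(8)
    ts = int(now)
    msg = f"{ts}|{nonce}|{body}".encode()
    tag = hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()
    return {"ts": ts, "nonce": nonce, "body": body, "mac": tag}


class ReplayGuard:
    """Server side: accept each nonce once within the freshness window."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.seen = {}   # nonce -> timestamp it was accepted with

    def _purge(self, now):
        # Forget nonces whose timestamps can no longer pass the freshness check,
        # so the set of remembered nonces stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}

    def verify(self, req, now):
        msg = f"{req['ts']}|{req['nonce']}|{req['body']}".encode()
        expected = hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["mac"]):
            return False, "bad mac"            # forged or tampered in transit
        if abs(now - req["ts"]) > self.window:
            return False, "stale timestamp"    # captured long ago, replayed late
        self._purge(now)
        if req["nonce"] in self.seen:
            return False, "replay"             # identical message already accepted
        self.seen[req["nonce"]] = req["ts"]
        return True, "ok"


def demo():
    """Legitimate request, a replay of it, a tampered copy, and a late replay."""
    guard = ReplayGuard()
    t0 = 1_700_000_000.0
    req = sign_request('{"action":"transfer","amount":100}', t0, nonce="n1")
    first = guard.verify(req, t0 + 1)        # accepted
    replayed = guard.verify(req, t0 + 5)     # same nonce again: rejected
    tampered = dict(req, body='{"action":"transfer","amount":900}')
    forged = guard.verify(tampered, t0 + 6)  # body changed, MAC no longer matches
    old = sign_request("ping", t0, nonce="n2")
    late = guard.verify(old, t0 + 120)       # outside the freshness window
    return first, replayed, forged, late


if __name__ == "__main__":
    for result in demo():
        print(result)
```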
12) During a regular security scan of the network you find that several user laptops are infected with the same malware. After cross-referencing the laptop users with the reverse proxy logs you find that they all accessed an industry news website the day before. You believe your organization may have been specifically targeted for this malware. What type of attack would best describe this theory?
In a watering hole attack the attacker infects a website that is known to be commonly used by an organisation or industry, for example a specific industry news site to attack a business in that industry or the entire industry in general. Knowing that users frequent the website, the attackers are able to target them with malware and, if the attack is successful, install malicious software on their machines.
This question is filed under objective 1, Threats, Attacks and Vulnerabilities
Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected. Hacks looking for specific information may only attack users coming from a specific IP address. This also makes the hacks harder to detect and research. The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes…
13) You have ordered a penetration test on the company's website from a third-party IT Security consultant. Your web administration team has created a stand-alone test network to ensure the penetration tests do not cause issues on the live website. Other than the IP address of the web server you have not provided the penetration testers with any information. What type of test best describes this scenario?
This type of penetration test is known as a black box test. In this scenario the testers have little to no information on how the website works. For example they are not given the type of web server or access to the source code. Instead the 'attackers' will have to gather information and test different attack methods to see what works and what doesn't.
This question is filed under objective 1, Threats, Attacks and Vulnerabilities
Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied virtually to every level of software testing: unit, integration, system and acceptance. It is sometimes referred to as specification-based testing…
14) Your coworker is out sick. In his absence you have received the results of a vulnerability scan he ordered from an external provider. Unfortunately your coworker did not give you any information on what type of scan was conducted or what methods were used. The results show that 3 injection vulnerabilities were identified but are only possible when attempted from an authenticated user account. Based on the information you have, what type of vulnerability scan was most likely completed?
A credentialed vulnerability scan was done. The other answers could also be correct (e.g. it could have been an intrusive and credentialed scan), but with the information given in the question you cannot know this. When a credentialed scan is used the scanner has valid user credentials, while in a non-credentialed scan it does not.
This question is filed under objective 1, Threats, Attacks and Vulnerabilities
15) Your employer is planning to place wireless devices at the entrance of their retail locations. The devices will use WiFi to connect to the store's wireless network and use beams of light to detect when someone enters through the entrance. Other than WiFi, what type of wireless communication is being used?
Infrared is the only option that uses light as a communication medium. 802.11 (the standard for WLAN), Near Field Communication (NFC) and Bluetooth all use radio frequencies. Infrared is best for the type of device in the question as it requires line of sight (LOS) to operate. When LOS is broken the device will register a person in the entrance.
This question is filed under objective 3, Architecture and Design
Infrared (IR), sometimes called infrared light, is electromagnetic radiation (EMR) with wavelengths longer than those of visible light. It is therefore invisible to the human eye. IR is generally understood to encompass wavelengths from the nominal red edge of the visible spectrum around 700 nanometers (frequency 430 THz), to 1 millimeter (300 GHz) (although the longer IR wavelengths are often designated rather as terahertz radiation). Black-body radiation from objects near room temperature is almost all at infrared wavelengths. As a form of electromagnetic radiation, IR propagates energy and momentum, with properties corresponding to both those of a wave and of a particle, the photon…
16) You are observing an outage of your employer's website. While investigating the cause of the outage you learn that there is a large-scale DDOS attack that has caused network outages for large percentages of the internet. The attack is targeting key infrastructure of major web service providers. According to news sources the attackers are sending huge numbers of requests to open DNS servers with spoofed IP addresses. The responses from the DNS servers are sent to the spoofed IP addresses, which has resulted in network outages due to overwhelmed infrastructure. What type of attack is being conducted?
The attack described in the question is an Amplification attack using the DNS protocol. Amplification attacks are done by sending small requests to servers that will answer with large responses. Add a spoofed source IP to the mix and an attacker can send huge numbers of requests (because they are small), which will result in large responses being sent to the victim. This is a type of DDOS attack. DNS and NTP are common protocols used to conduct an amplification attack.
This question is filed under objective 1, Threats, Attacks and Vulnerabilities
17) What type of DOS attack sends a large number of new TCP requests to a server in order to overwhelm it with unused open sessions?
A SYN Flood sends a large number of SYN requests (the first step in creating a new TCP connection). After this the attacker ignores the SYN-ACK which is sent back from the server and simply sends another SYN. The goal is to overload the server with a huge number of half-open TCP connections. By doing so the server will not be able to respond to valid traffic from normal users - thus resulting in a Denial of Service (DOS).
This question is filed under objective 1, Threats, Attacks and Vulnerabilities
A SYN flood is a form of denial-of-service attack in which an attacker rapidly initiates a connection to a server without finalizing the connection. The server has to spend resources waiting for half-opened connections, which can consume enough resources to make the system unresponsive to legitimate traffic. The packet that the attacker sends is the SYN packet, a part of TCP's three-way handshake used to establish a connection…
18) You work for a large national realty company in the networking department. Recently your department received a help desk call from a smaller satellite office stating their WiFi is no longer working. The trouble ticket was escalated to you because company policy does not allow wireless networks. After further investigation you learn that an employee in the office set up a simple wireless router themselves. Which option best defines this situation?
The installation of an unauthorized wireless router or access point is known as a Rogue Access Point or Rogue AP. A Rogue AP could be an attack or simply an employee breaking policy and setting up a wireless AP without permission. This is dangerous as the wireless device (without proper configuration) would allow outside devices onto the network and would be the equivalent of gaining physical access to the network.
This question is filed under objective 1, Threats, Attacks and Vulnerabilities
A rogue access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker…
19) You are responsible for application security for a small startup. You are responsible for conducting regular penetration tests. Recently the startup has faced some budget issues and lacks the funds to create a stand-alone system to be used for vulnerability scanning applications. Due to this constraint you must conduct vulnerability scans on the live system (the same one being used by customers). What type of scan should be used to ensure vulnerabilities are found but not executed?
As you are scanning the live/production system a non-intrusive scan is best. Non-intrusive means security issues will be identified but not exploited, so as not to negatively impact the system. The issue with this is that some vulnerabilities cannot be found without trying an exploit (e.g. a SQL injection to delete data can't be tested without actually deleting data). Due to this the scenario described in the question is not ideal and it's possible vulnerabilities that exist will not be found.
This question is filed under objective 1, Threats, Attacks and Vulnerabilities
20) Your bank has contacted you and informed you they recognized an unusual login with your username and password on their website. As a precaution they have locked your account and stated the login came from a foreign country. You run a security scan on your PC which finds malware. The description of the malware states that it intercepts normal web traffic from your browser executable. What type of attack best describes this?
A Man in the Browser (MitB) is a type of man in the middle (MitM) attack using a Trojan Horse to infect the victim's computer. Once installed the trojan will attempt to use known vulnerabilities in a browser's executable to intercept or modify web traffic. A successful MitB can occur even with SSL/TLS and without the web application being aware of the attack.
This question is filed under objective 1, Threats, Attacks and Vulnerabilities
Man-in-the-browser (MITB, MitB, MIB, MiB), a form of Internet threat related to man-in-the-middle (MITM), is a proxy Trojan horse that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a covert fashion invisible to both the user and host web application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or two- or three-factor authentication solutions are in place. A MitB attack may be countered by using out-of-band transaction verification, although SMS verification can be defeated by man-in-the-mobile (MitMo) malware infection on the mobile phone…