The CompTIA Security+ certification exam will verify the successful candidate has the knowledge and skills required to assess the security posture of an enterprise environment and recommend and implement appropriate security solutions; monitor and secure hybrid environments, including cloud, mobile, and IoT; operate with an awareness of applicable laws and policies, including principles of governance, risk, and compliance; identify, analyze, and respond to security events and incidents
You are responsible for application security for a small startup. You are responsible for conducting regular penetration tests. Recently the startup has faced some budget issues and lacks the funds to create a stand-alone system to be used for vulnerability scanning applications. Due to this constraint you must conduct vulnerability scans on the live system (the same one being used by customers). What type of scan should be used to ensure vulnerabilities are found but not executed?
As you are scanning the live/production system a non-intrusive scan is best. Non-intrusive means security issues will be identified but not exploited, so as not to negatively impact the system. The issue with this is that some vulnerabilities cannot be found without trying an exploit (e.g. a SQL injection to delete data can't be tested without actually deleting data). Due to this the scenario described in the question is not ideal and it's possible vulnerabilities that exist will not be found.
You have purchased brand new Cisco network routers and switches from your company's infrastructure supplier, Expert Infra, Inc. While working with the networking team to unbox them and begin setting them up you notice several of them look slightly different despite being the same make and model. What step should you take next?
The slight difference in appearance between the devices is an indicator that some devices may be counterfeit. It is also possible the manufacturer simply made small changes to the devices and you have received two versions. You should take the serial numbers and verify their authenticity with Cisco and then return them if they are indeed counterfeit.
Counterfeit electronic components are electronic parts whose origin or quality is deliberately misrepresented. Counterfeiting of electronic components can infringe the legitimate producer's trademark rights. Because counterfeit parts often have inferior specifications and/or quality, they may represent a hazard if incorporated into critical systems such as aircraft navigation, life support, military equipment, or space vehicles. The marketing of electronic components has been commoditized, making it easier for the counterfeiter to introduce substandard and counterfeit devices into the supply chain. [Source: Counterfeit_electronic_components - Wikipedia, the free encyclopedia]
You have ordered a penetration test on the company's website from a 3rd party IT Security consultant. Your web administration team has created a stand-alone test network to ensure the penetration tests do not cause issues on the live website. Other than the IP address of the web server you have not provided the penetration testers with any information. What type of test best describes this scenario?
This type of penetration test is known as a black box test. In this scenario the testers have little to no information on how the website works. For example they are not given the type of web server or access to the source code. Instead the 'attackers' will have to gather information and test different attack methods to see what works and what doesn't.
Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied virtually to every level of software testing: unit, integration, system and acceptance. It is sometimes referred to as specification-based testing. [Source: Black-box_testing - Wikipedia, the free encyclopedia]
'deny tcp any server tcp 80' will deny all tcp traffic to any server on port 80.
In computer security, an access-control list (ACL) is a list of permissions associated with a system resource (object). An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. For instance, if a file object has an ACL that contains (Alice: read,write; Bob: read), this would give Alice permission to read and write the file and only give Bob permission to read it. [Source: Access_control_list - Wikipedia, the free encyclopedia]
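The two ACL styles discussed above (an object ACL such as the (Alice: read,write; Bob: read) entry, and an ordered network ACL in the spirit of 'deny tcp any server tcp 80') can both be evaluated with a few lines of code. The block below is an added example, not code from the original page; the rule syntax, names and addresses are constructed for illustration. The network evaluator shows the two properties a practitioner checks first when reviewing an ACL: rules are matched in order (first match wins) and anything that matches no rule falls through to an implicit deny.

```python
"""
Added example (not from the original page): two small ACL evaluators.
1. An object ACL mapping a subject to its allowed operations (default deny).
2. An ordered network ACL evaluated first-match with an implicit deny.
All names, networks and rules below are constructed placeholders.
"""
import ipaddress

# --- 1. Object ACL: subject -> set of allowed operations -------------------
FILE_ACL = {"Alice": {"read", "write"}, "Bob": {"read"}}


def object_allowed(acl, subject, operation):
    """Grant only if the subject has an entry that lists the operation;
    an unknown subject or an unlisted operation is denied."""
    return operation in acl.get(subject, set())


# --- 2. Ordered network ACL ------------------------------------------------
# Each rule: (action, protocol, src_network, dst_network, dst_port or None).
# Rule order matters: the first rule that matches decides the outcome.
NET_ACL = [
    ("permit", "tcp", "10.0.0.0/8", "10.1.2.3/32", 443),
    ("deny",   "tcp", "0.0.0.0/0",  "0.0.0.0/0",   80),   # like 'deny tcp any ... tcp 80'
    ("permit", "tcp", "10.0.0.0/8", "0.0.0.0/0",   None), # any other tcp from inside
]


def net_decision(acl, proto, src, dst, dport):
    """Return 'permit' or 'deny' for one flow using first-match semantics."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in acl:
        if rproto not in (proto, "ip"):          # protocol must match ('ip' = any)
            continue
        if src_ip not in ipaddress.ip_network(rsrc):
            continue
        if dst_ip not in ipaddress.ip_network(rdst):
            continue
        if rport is not None and rport != dport:  # None = any destination port
            continue
        return action
    return "deny"  # implicit deny: no rule matched


if __name__ == "__main__":
    print(object_allowed(FILE_ACL, "Alice", "write"), object_allowed(FILE_ACL, "Bob", "write"))
    print(net_decision(NET_ACL, "tcp", "10.0.0.5", "203.0.113.7", 80))
    print(net_decision(NET_ACL, "tcp", "10.0.0.5", "203.0.113.7", 443))
```

Swapping the first two NET_ACL rules would change the result for port 80 traffic to 10.1.2.3 only if the first rule also covered port 80, which is exactly the kind of ordering question an ACL review has to answer rule by rule.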
Your coworker identified a vulnerability for a 3rd party software solution hosted on premise. The coworker is out sick today and has asked you to remediate this issue as quickly as possible. You have identified a patch to fix the security vulnerability from the vendor's official website. What step should you take NEXT?
Changes, even urgent ones, should be documented and approved based on company policy. This is typically called something like a "Change Request" or CR, or a "Request For Change" or RFC. This is the first step in deploying updates, configuration changes, etc.
Change management (sometimes abbreviated as CM) is a collective term for all approaches to prepare, support, and help individuals, teams, and organizations in making organizational change. It includes methods that redirect or redefine the use of resources, business process, budget allocations, or other modes of operation that significantly change a company or organization. Organizational change management (OCM) considers the full organization and what needs to change, while change management may be used solely to refer to how people and teams are affected by such organizational transition. It deals with many different disciplines, from behavioral and social sciences to information technology and business solutions. As change management becomes more necessary in the business cycle of organizations, it is beginning to be taught as its own academic discipline at universities. There are a growing number of universities with research units dedicated to the study of organizational change. One common type of organizational change may be aimed at reducing outgoing costs while maintaining financial performance, in an attempt to secure future profit margins. In a project-management context, the term "change management" may be used as an alternative to change control processes wherein changes to the scope of a project are formally introduced and approved. Drivers of change may include the ongoing evolution of technology, internal reviews of processes, crisis response, customer demand changes, competitive pressure, acquisitions and mergers, and organizational restructuring. [Source: Change_management - Wikipedia, the free encyclopedia]
You are a security analyst and have network monitoring solutions in place to detect strange or potentially malicious traffic. One of these solutions has sent an alert saying it detected outgoing network traffic from the company's network that was routing to a well-known malicious endpoint. Of the following options which is the most likely to be the cause of this traffic?
Some malware will attempt to contact a Command-and-Control (C2) server or network to let the creators of the malware know it has infected a target. The malware will then be given commands remotely from the C2 server to steal data, infect more hosts or begin monitoring the infected device. The act of calling a C2 server is also called a beacon. The communication with known C2 addresses is a common sign that an infection has occurred within a network. One common use of this type of malware is for a botnet. The C2 server may for example then send a command to all infected devices to initiate a Distributed Denial of Service (DDoS) attack (this is just one example).
Which containment technique would be the best response when a system is believed to be infected with malware?
Containment techniques are options for limiting the spread of malware after it has been discovered on a network. The best response is to isolate any systems that are infected or believed to be infected so they cannot propagate the malware to other systems. From there, the security and IT teams can begin determining the impact and remediation options.
syslog is a vendor neutral standard for message logging. It includes a standard format for logs as well as a network protocol for sending log data to another device. Common uses of syslog are on Unix and Linux operating systems and network devices like routers, switches and firewalls.
In computing, syslog is a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the type of system generating the message, and is assigned a severity level. Computer system designers may use syslog for system management and security auditing as well as general informational, analysis, and debugging messages. A wide variety of devices, such as printers, routers, and message receivers across many platforms use the syslog standard. This permits the consolidation of logging data from different types of systems in a central repository. Implementations of syslog exist for many operating systems. When operating over a network, syslog uses a client-server architecture where a syslog server listens for and logs messages coming from clients. [Source: Syslog - Wikipedia, the free encyclopedia]
Which of the following options is a network device that can use VLANs to reduce collisions and the size of broadcast domains?
Switches automatically reduce collision domains by only transmitting data on the physical ports that are needed based on MAC addresses (as opposed to a Hub which broadcasts all data to all ports). When used with VLANs switches also reduce broadcast domains.
A network switch (also called switching hub, bridging hub, and, by the IEEE, MAC bridge) is networking hardware that connects devices on a computer network by using packet switching to receive and forward data to the destination device. A network switch is a multiport network bridge that uses MAC addresses to forward data at the data link layer (layer 2) of the OSI model. Some switches can also forward data at the network layer (layer 3) by additionally incorporating routing functionality. Such switches are commonly known as layer-3 switches or multilayer switches. Switches for Ethernet are the most common form of network switch. The first MAC Bridge was invented in 1983 by Mark Kempf, an engineer in the Networking Advanced Development group of Digital Equipment Corporation. The first 2 port Bridge product (LANBridge 100) was introduced by that company shortly after. The company subsequently produced multi-port switches for both Ethernet and FDDI such as GigaSwitch. Digital decided to license its MAC Bridge patent in a royalty-free, non-discriminatory basis that allowed IEEE standardization. This permitted a number of other companies to produce multi-port switches, including Kalpana. Ethernet was initially a shared-access medium, but the introduction of the MAC bridge began its transformation into its most-common point-to-point form without a collision domain. Switches also exist for other types of networks including Fibre Channel, Asynchronous Transfer Mode, and InfiniBand. Unlike repeater hubs, which broadcast the same data out of each port and let the devices pick out the data addressed to them, [Source: Network_switch - Wikipedia, the free encyclopedia]
You are working as a security consultant for a small company. The owner of the company states they were recently targeted by hackers who gained access to their email account. Since then the attackers have taken control of the company's website and have stated they will only return control to the company after receiving a payment. The hosting provider has stated the web servers are not infected and no unusual logins have occurred. Despite this users are reporting they cannot access the company's website. Based on this information, what type of attack has occurred to the website?
Based on the information you have the most likely attack (against the website) is a DNS hijacking. The attackers gained control of the company's domain name and are holding it for ransom.
Domain hijacking or domain theft is the act of changing the registration of a domain name without the permission of its original registrant, or by abuse of privileges on domain hosting and registrar software systems. This can be devastating to the original domain name holder, not only financially as they may have derived commercial income from a website hosted at the domain or conducted business through that domain's e-mail accounts, but also in terms of readership and/or audience for non-profit or artistic web addresses. After a successful hijacking, the hijacker can use the domain name to facilitate other illegal activity such as phishing, where a website is replaced by an identical website that records private information such as log-in passwords, spam, or may distribute malware from the perceived "trusted" domain. [Source: Domain_hijacking - Wikipedia, the free encyclopedia]
You work for a large firm that uses a server to host a publicly facing webserver and SFTP server. This server runs Ubuntu Server 22.04.1 LTS. A system administrator who has access to this server was recently a victim of a phishing attack and it was found that the individual reuses the same password for all of the different authentication mechanisms and applications at work. You want to verify that their Ubuntu user with a UID of 1234 has not been used on any publicly facing servers such as the webserver and SFTP server. Which command would help achieve this?
history | grep -e [Uu]id | grep 1234
net user 1234 | sort -i
net user 1234
Ubuntu is a Linux distribution that uses systemd and has a command line tool, journalctl, to review and query system logs. Using the _UID=$UID option you can filter to certain users using the User ID (UID). history is a similar tool in Linux to show a user's history of commands; however, it does not track everything, can be cleared and deleted easily, and only tracks a limited number of past commands (it is intended for convenience, not security reviews). Finally, net user is a Windows command and not Linux.
systemd is a software suite that provides an array of system components for Linux operating systems. The main aim is to unify service configuration and behavior across Linux distributions. Its primary component is a "system and service manager" — an init system used to bootstrap user space and manage user processes. It also provides replacements for various daemons and utilities, including device management, login management, network connection management, and event logging. The name systemd adheres to the Unix convention of naming daemons by appending the letter d. It also plays on the term "System D", which refers to a person's ability to adapt quickly and improvise to solve problems. Since 2015, the majority of Linux distributions have adopted systemd, having replaced other init systems such as SysV init. It has been praised by developers and users of distributions that adopted it for providing a stable, fast out-of-the-box solution for issues that had existed in the Linux space for years. At the time of adoption of systemd on most Linux distributions, it was the only software suite that offered reliable parallelism during boot as well as centralized management of processes, daemons, services and mount points. Critics of systemd contend that it suffers from mission creep and bloat; the latter affecting other software (such as the GNOME desktop), adding dependencies on systemd, reducing its compatibility with other Unix-like operating systems and making it difficult for sysadmins to integrate alternate solutions. Concerns have also been raised about Red Hat and its parent company IBM [Source: Systemd - Wikipedia, the free encyclopedia]
You are a member of the security team in the IT Infrastructure department at a manufacturer. You have received a ticket from the network architecture team who have requested your approval of a proposed network change. The change is to replace a network device that allows internal servers to make requests to the internet without external systems being able to determine what internal server made the original request. What type of system is being changed?
When a user or system wants to make a request to another system without revealing its identity a proxy can be used. Proxies act as intermediaries to transmit data between systems. The most common use case is to route web requests from internal users and devices through a reverse proxy so that external web servers cannot tell which internal user or device made the original request.
In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. Instead of connecting directly to a server that can fulfill a request for a resource, such as a file or web page, the client directs the request to the proxy server, which evaluates the request and performs the required network transactions. This serves as a method to simplify or control the complexity of the request, or provide additional benefits such as load balancing, privacy, or security. Proxies were devised to add structure and encapsulation to distributed systems. A proxy server thus functions on behalf of the client when requesting service, potentially masking the true origin of the request to the resource server. [Source: Proxy_server - Wikipedia, the free encyclopedia]
What term defines an operating system that has been verified as having a sufficient level of security based on the Common Criteria for Information Technology Security Evaluation?
The term Trusted Operating System (TOS) refers to an operating system that has been certified to have a certain level of security. The requirements for this certification are defined in the Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC). Many organizations (especially governments) may only use operating systems certified as Trusted OSs.
Trusted Operating System (TOS) generally refers to an operating system that provides sufficient support for multilevel security and evidence of correctness to meet a particular set of government requirements. The most common set of criteria for trusted operating system design is the Common Criteria combined with the Security Functional Requirements (SFRs) for Labeled Security Protection Profile (LSPP) and mandatory access control (MAC). The Common Criteria is the result of a multi-year effort by the governments of the U.S., Canada, United Kingdom, France, Germany, the Netherlands and other countries to develop a harmonized security criteria for IT products. [Source: Trusted_operating_system - Wikipedia, the free encyclopedia]
Which of the following options is a functionality or tool that disallows access to a wireless network based on the layer 2 address of the client device?
Layer 2 addresses (also called physical addresses) are MAC addresses. Using MAC filtering you can disallow any devices that are not explicitly granted access. While this can help increase security, it is not foolproof and advanced attackers can easily spoof the MAC address to gain access. MAC filtering alone is not sufficient to protect a network.
In computer networking, MAC address filtering is a security access control method whereby the MAC address assigned to each network interface controller is used to determine access to the network. MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists. While the restriction of network access through the use of lists is straightforward, an individual person is not identified by a MAC address, rather a device only, so an authorized person will need to have a whitelist entry for each device that they would like to access the network. While giving a network some additional protection, MAC filtering can be circumvented by using a packet analyzer to find a valid MAC and then using MAC spoofing to access the network using that address. MAC address filtering can be considered as security through obscurity because the effectiveness is based on "the secrecy of the implementation or its components". [Source: MAC_filtering - Wikipedia, the free encyclopedia]
What role is responsible for ensuring that an organization's processes and systems protect any PII data about customers or staff as defined by data privacy regulations like GDPR?
A Data Protection Officer (DPO) is a role given to someone in an organization who is responsible for ensuring the security and confidentiality of any personal data the organization stores. This includes employees, third party vendors, customers and any other Personally Identifiable Information (PII). Typically the role is given to a higher level executive, director or manager.
A data protection officer (DPO) ensures, in an independent manner, that an organization applies the laws protecting individuals' personal data. The designation, position and tasks of a DPO within an organization are described in Articles 37, 38 and 39 of the European Union (EU) General Data Protection Regulation (GDPR). Many other countries require the appointment of a DPO, and it is becoming more prevalent in privacy legislation. According to the GDPR, the DPO shall directly report to the highest management level. This doesn't mean the DPO has to be directly managed at this level but they must have direct access to give advice to senior managers who are making decisions about personal data processing. The core responsibilities of the DPO include ensuring his/her organization is aware of, and trained on, all relevant GDPR obligations. Additionally, they must conduct audits to ensure compliance, address potential issues proactively, and act as a liaison between his/her organization and the public regarding all data privacy matters. In Germany, a 2001 law established a requirement for a DPO in certain organizations and included various protections around the scope and tenure for the role, including protections against dismissal for bringing problems to the attention of management. Many of these concepts were incorporated into the drafting of Article 38 of the GDPR and have continued to be incorporated in other privacy standards. [Source: Data_protection_officer - Wikipedia, the free encyclopedia]
A smaller online retailer is experiencing huge numbers of requests on their websites. They are not running any major marketing campaigns and while seeing a lot of traffic are not seeing a rise in sales or logins. Eventually their web servers become overloaded and users are unable to load pages on the website. What type of attack most likely occurred?
Most likely this was a Distributed Denial of Service (DDoS) attack using bots to create large amounts of malicious web requests. With enough requests the web server's capacity will be exhausted and no one will be able to access the website.
In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. More sophisticated strategies are required to mitigate this type of attack, as simply attempting to block a single source is insufficient because there are multiple sources. A DoS or DDoS attack is analogous to a group of people crowding the entry door of a shop, making it hard for legitimate customers to enter, thus disrupting trade. Criminal perpetrators of DoS attacks often target sites or services hosted on high-profile web servers such as banks or credit card payment gateways. Revenge, blackmail and hacktivism can motivate these attacks. [Source: Denial-of-service_attack - Wikipedia, the free encyclopedia]
What type of NIDS commonly uses artificial intelligence and data mining to identify malicious network traffic?
An anomaly-based Network Intrusion Detection System (NIDS) detects unusual network traffic after first being 'trained' on normal network traffic. These systems use data mining and artificial intelligence to classify traffic as normal or anomalous/potentially malicious.
An anomaly-based intrusion detection system is an intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls out of normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created. In order to positively identify attack traffic, the system must be taught to recognize normal system activity. The two phases of a majority of anomaly detection systems consist of the training phase (where a profile of normal behaviors is built) and testing phase (where current traffic is compared with the profile created in the training phase). Anomalies are detected in several ways, most often with artificial intelligence type techniques. Systems using artificial neural networks have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and flag any deviation from this as an attack. This is known as strict anomaly detection. Other techniques used to detect anomalies include data mining methods, grammar based methods, and Artificial Immune System. Network-based anomalous intrusion detection systems often provide a second line of defense to detect anomalous traffic at the physical and network layers after it has passed through a firewall or other security appliance on the border of a network. Host-based anomalous intrusion detection [Source: Anomaly-based_intrusion_detection_system - Wikipedia, the free encyclopedia]
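The training and testing phases described above can be shown end to end with a deliberately simple statistical profile instead of a neural network: the training phase records the mean and spread of a few per-minute traffic features, and the testing phase flags any window whose z-score on some feature exceeds a threshold. This is an added example, not code from the original page; the feature names, sample counters and threshold are constructed for illustration.

```python
"""
Added example (not from the original page): the two phases of an
anomaly-based NIDS on constructed per-minute traffic counters.
- train(): builds a profile (mean, population stdev) per feature from
  windows assumed to be normal
- detect(): flags test windows whose largest per-feature z-score exceeds
  a threshold
"""
from statistics import mean, pstdev

FEATURES = ("conns", "bytes_out", "distinct_dst")

# Constructed "normal" one-minute windows for one host (training phase input).
TRAINING = [
    {"conns": 40, "bytes_out": 120_000, "distinct_dst": 12},
    {"conns": 45, "bytes_out": 130_000, "distinct_dst": 14},
    {"conns": 38, "bytes_out": 110_000, "distinct_dst": 11},
    {"conns": 42, "bytes_out": 125_000, "distinct_dst": 13},
    {"conns": 44, "bytes_out": 128_000, "distinct_dst": 12},
    {"conns": 41, "bytes_out": 118_000, "distinct_dst": 13},
]

# Constructed windows for the testing phase: a normal minute, a minute with
# scan-like fan-out (many connections to many destinations), and a minute
# with an exfiltration-like spike in outbound bytes.
TEST = [
    {"conns": 43, "bytes_out": 122_000, "distinct_dst": 12},
    {"conns": 400, "bytes_out": 90_000, "distinct_dst": 350},
    {"conns": 39, "bytes_out": 2_500_000, "distinct_dst": 12},
]


def train(samples):
    """Training phase: per-feature (mean, stdev) profile of normal behaviour."""
    profile = {}
    for f in FEATURES:
        values = [s[f] for s in samples]
        profile[f] = (mean(values), pstdev(values))
    return profile


def score(profile, sample):
    """Largest absolute z-score of the sample over all profiled features.
    A feature with zero spread in training counts as infinitely anomalous
    the moment it changes at all."""
    worst = 0.0
    for f, (mu, sigma) in profile.items():
        if sigma == 0:
            z = 0.0 if sample[f] == mu else float("inf")
        else:
            z = abs(sample[f] - mu) / sigma
        worst = max(worst, z)
    return worst


def detect(profile, samples, threshold=3.0):
    """Testing phase: indices of windows that deviate from the profile."""
    return [i for i, s in enumerate(samples) if score(profile, s) > threshold]


if __name__ == "__main__":
    prof = train(TRAINING)
    for f, (mu, sigma) in prof.items():
        print(f"{f}: mean={mu:.1f} stdev={sigma:.1f}")
    print("anomalous windows:", detect(prof, TEST))
```

The same structure explains the two classic weaknesses of anomaly detection: if the training data already contains attack traffic the profile absorbs it (the threshold silently rises), and a threshold tight enough to catch subtle deviations produces false positives on ordinary busy minutes, which is why production systems tune per feature and per host rather than using one global number.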
You are working as a cybersecurity analyst for a 3rd party contractor. You have been brought in by an organization who believes they were hacked by a malicious actor. Their internal security team has hired you to determine the impact of the unauthorized access. At the time of the intrusion there were 5 servers online: DEV_APP_001, PRD_APP_002, PRD_DB_008, STG_DB_004 and FINANCE_009. What step should you take to begin the analysis?
You are hired to do an analysis on the systems to determine the impact of a malicious actor. Hardening and wiping the servers is outside of the scope of this analysis, but may be a recommended next step based on your findings. The logical step is to determine which servers are the most critical based on the data hosted on them, and begin analyzing them one-by-one in order of most important/critical data.
You have been called to the office of the CEO for a confidential meeting. In the meeting the CEO informs you he 'has a virus that won't let him login without paying a fee.' You begin to investigate the issue and find that the CEO downloaded a file from a website a friend shared on a social media site. After downloading the file his computer restarted and now will not allow anyone to login unless they enter credit card information. Which option best describes the attack used in this scenario based on the information available?
This type of malware is called Ransomware. It holds data or information ransom until a fee is paid after which point it will return the information or data (or so it says...). Based on the information available in the question this is the only conclusion we can make. It is possible as the CEO of the company they were targeted specifically via social media (spear phishing) but there isn't definitive evidence of this yet.
Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid off. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult. Ransomware attacks are typically carried out using a Trojan disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the WannaCry worm, traveled automatically between computers without user interaction. Starting as early as 1989 with the first documented ransomware known as the AIDS trojan, the use of ransomware scams has grown internationally. There were 181.5 million ransomware attacks in the first six months of 2018. This record marks a 229% increase over this same time frame in 2017. In June 2014, vendor McAfee released data showing that it had collected more than double the number of ransomware samples that quarter than it had in the same quarter of the previous year. CryptoLocker was particularly successful, procuring an estimated US$3 million before it was taken down by authorities, [Source: Ransomware - Wikipedia, the free encyclopedia]
You are the resident IT within your family. While relaxing and enjoying a family Thanksgiving dinner your sweet old Grandmother mentions that Microsoft called her cell phone and helped her with a virus on her computer. You explain to her that Microsoft does not call people directly to help with computer issues and that she was likely targeted by a malicious attacker. You scan her computer for viruses and find several. Your poor sweet old Grandmother was a victim of what type of attack?
Gran' was a victim of a voice phishing or vishing attack. This is the term used when an attacker contacts the victim via phone and attempts to steal personal information or by tricking the user to install malware on their computer. They may claim to be from a valid tech support company or vendor such as Microsoft or as a bill collector from a local utility company or anything in between.
Voice phishing, or vishing, is the use of telephony (often Voice over IP telephony) to conduct phishing attacks. Landline telephone services have traditionally been trustworthy; terminated in physical locations known to the telephone company, and associated with a bill-payer. Now however, vishing fraudsters often use modern Voice over IP (VoIP) features such as caller ID spoofing and automated systems (IVR) to impede detection by law enforcement agencies. Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals. Usually, voice phishing attacks are conducted using automated text-to-speech systems that direct a victim to call a number controlled by the attacker, however some use live callers. Posing as an employee of a legitimate body such as the bank, police, telephone or internet provider, the fraudster attempts to obtain personal details and financial information regarding credit card, bank accounts (e.g. the PIN), as well as personal information of the victim. With the received information, the fraudster might be able to access and empty the account or commit identity fraud. Some fraudsters may also try to persuade the victim to transfer money to another bank account or withdraw cash to be given to them directly. Callers also often pose as law enforcement or as an Internal Revenue Service employee. Scammers often target immigrants and the elderly, who are coerced to wire hundreds to thousands of dollars in response to threats of arrest or deportation. Bank account data is not the only sensitive information being targeted. Fraudsters sometimes [Source: Voice_phishing - Wikipedia, the free encyclopedia]