CompTIA Security+ Practice Test (SY0-701)

Environmental threats involve natural disasters like floods, earthquakes, and fires that can physically damage an organization's assets and infrastructure. Unlike human-driven attacks, these threats originate from environmental factors. Brute force attacks are attempts to guess credentials through trial and error, RFID cloning involves duplicating access badges, and logic bombs are malicious code triggered by specific conditions. Recognizing environmental threats is crucial for comprehensive security planning.

Transport Layer Security provides end-to-end encryption for applications such as HTTP, validates the server (and optionally the client) through X.509 certificates, and includes message authentication codes to detect tampering. SSH also offers encryption, but it is designed for interactive sessions and port forwarding rather than directly protecting web traffic. PEM is only a text encoding for keys and certificates, not a protocol. IPsec can secure network traffic but is most commonly deployed for site-to-site or remote-access VPN tunnels, not for protecting individual web sessions.

Recording the date, time, and individuals who handle the evidence ensures a documented trail, which is crucial for maintaining the chain of custody. This documentation verifies that the evidence has not been tampered with and is admissible in court. While other actions like using write-blocking devices are important for preserving evidence integrity, they do not directly address the documentation aspect of the chain of custody.

This scenario describes DNS cache poisoning, also known as DNS spoofing. In this attack, an attacker introduces incorrect DNS data into a DNS resolver's cache, causing the server to return a malicious IP address for a legitimate domain. When users attempt to access the legitimate site, they are redirected to the attacker's fraudulent site. A DDoS attack would make the service unavailable, not redirect it. An on-path attack could potentially intercept and redirect traffic, but DNS poisoning specifically targets the name resolution process itself. Credential replay involves an attacker maliciously reusing stolen credentials, which would be a potential outcome of this attack, not the cause of the redirection.

OBJ-1.6: A zero-day attack happens once that flaw, or software/hardware vulnerability, is exploited, and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability, hence the term zero-day.

Vishing (or voice phishing) is phishing done using voice over the telephone. This type of phishing often involves the use of voice over IP technology to spoof the caller ID of a legitimate phone number.

A firewall is a technical control that acts as a barrier between trusted internal networks and untrusted external networks, such as the Internet. It monitors and controls incoming and outgoing network traffic based on predetermined security rules. Firewalls can prevent unauthorized access, block malicious traffic, and enforce network security policies.

Access controls and encryption are also examples of technical controls, but they are not as specific to network resource protection as a firewall. Security awareness training is a managerial control focused on educating users about security best practices and policies.

Placing NIDS sensors in tap/monitor mode would allow the organization to detect unauthorized activities by mirroring the traffic that flows through the network, without injecting any additional latency or load on the primary network path. This strategy helps ensure network performance is not significantly impacted while maintaining an effective security posture. In contrast, inline mode can introduce latency since traffic must flow through the sensor, and promiscuous mode lacks the capability of real-time traffic replication typical of a tap/monitor setup.

Integrated Penetration Testing involves the collaboration of offensive and defensive techniques to comprehensively evaluate an organization's security. This approach allows for a more effective identification of vulnerabilities by leveraging multiple perspectives and methods.

The correct answer is Hacktivist, as their primary motivation is often to promote political or social change, and they are known to deface websites to send a message. This type of activity is consistent with the observed unauthorized alterations containing political slogans without any financial gain or significant disruption of services, which diverges from the modus operandi of other threat actors like nation-states or organized crime groups.

'Impossible travel' refers to a situation where a user account is accessed from geographically distant locations within a timeframe that is too short for normal travel to occur, suggesting the use of compromised credentials. This is an important red flag for security analysts as it may indicate an account takeover by an unauthorized user. In contrast, 'Concurrent session usage' may raise concern but does not imply physical impossibility, 'Account lockout' is a response to suspicious activities and itself is not an indicator, and 'Time-of-check (TOC)' relates to a specific vulnerability type concerning the timing of security checks.

The organization should conduct a gap analysis. Gap analysis involves comparing the current state of security controls and processes with the desired future state to identify areas that need improvement. By understanding these gaps, the organization can develop a plan to address deficiencies and enhance security measures. Other options like risk assessment, vulnerability scanning, and penetration testing are important but serve different purposes: risk assessment identifies potential risks, vulnerability scanning detects known vulnerabilities, and penetration testing simulates attacks to find exploitable weaknesses.

A SQL Injection attack takes advantage of a bug or vulnerability in an application that uses a database such as a web application or API. Structured Query Language (SQL) is the language used by applications internally to query a database for information. If the application takes input from end users it needs to ensure the given information is not SQL. If it fails to do so malicious actors can manipulate the application into sending unauthorized commands to the database.

For example if a web application has a search feature that allows searching by first and last names, SQL could be given instead of a real name and a poorly secured application would pass this SQL to the database directly - allowing malicious actors to query or delete data in the database directly!

Closing unused ports on a server helps to minimize the attack surface by ensuring that only necessary network services are accessible. This effectively reduces the number of entry points available to an attacker. Keeping unused ports open does not contribute to security, as it unnecessarily exposes the server to potential exploitation. Switching port numbers can obscure services but does not decrease the attack surface. Using complex passwords is good practice for account security but does not pertain to network services and port/protocol security.

A sign-in/out log with a security guard would be the best compensating control because it would provide a record of all individuals accessing the server room and could be carefully monitored. While it's not as secure as biometric controls, it is a reasonable temporary measure that also ensures human oversight. Using a key code might still be secure but it doesn't provide an audit trail of who actually enters, as codes can be shared. CCTV is a deterrent and provides a record but does not control access. A standard key lock might be easy to implement but it is less secure than biometrics. A notice is simply a warning and does nothing to secure the area.

The correct answer is a threat feed. A threat feed is a real-time or near-real-time stream of data providing information on current and potential cyber threats, including indicators of compromise like malicious IPs, URLs, and malware signatures. A security baseline defines a standard state for a system, a SIEM is used to aggregate and analyze log data from internal sources, and a vulnerability scanner actively probes systems for weaknesses rather than providing a continuous external data stream.

Snapshots provide a point-in-time copy of the virtual machine's disk file, which can be used to restore a system back to a particular state with minimal downtime. This makes them highly suitable for environments where data needs to be restored quickly and efficiently, such as in a healthcare company handling sensitive patient records. Traditional backups involve copying files to another location and often result in longer recovery times. Differential and incremental backups, while useful for saving storage space and reducing backup time, do not provide the immediate state recovery that snapshots offer.

To address the limitation of a system that only provides notifications when a potential breach occurs, implementing a solution that can take preventative action is necessary. An Intrusion Prevention System is designed to not only detect but to preventively respond to threats by blocking them, therefore enhancing the network's defensive capabilities. The options of bolstering data loss prevention (DLP) strategies, incorporating additional security information and event management (SIEM) features, and enhancing public key infrastructure (PKI) are all valuable in their respective contexts. However, none of these solutions are purposed to block malicious traffic in the way an Intrusion Prevention System would. DLP focuses on preventing data leaks, SIEM centralizes logging and provides threat detection, and PKI deals with encryption and authentication, not inline traffic analysis and intervention.

A collision attack specifically targets the collision resistance property of a hash function: it tries to generate two distinct inputs that yield the same hash value. Discovering two different files with an identical digest is the textbook symptom of such an attack.

Why the others are wrong:

• Birthday attack: Although it exploits the birthday paradox to find a collision faster, it does not fit the scenario where a collision has already been observed.
• Downgrade attack: Forces parties to use a weaker algorithm or protocol version; it does not involve identical hashes for different inputs.
• Replay attack: Captures and reuses valid authentication data but does not manipulate hash functions or create identical digests.

A penetration test conducted by a Red team is done without the knowledge of the team in charge of defending against intrusions. This allows for the testing of defenses in a more real world like scenario.