CompTIA Security Certification
Question No: 581 – (Topic 3)
Suspicious traffic without a specific signature was detected. Under further investigation, it was determined that these were false indicators. Which of the following security devices needs to be configured to disable future false alarms?
Signature based IPS
Signature based IDS
Application based IPS
Anomaly based IDS
Most intrusion detection systems (IDS) are what is known as signature-based. This means that they operate in much the same way as a virus scanner, by searching for a known identity – or signature – for each specific intrusion event. And, while signature-based IDS is very efficient at sniffing out known s of attack, it does, like anti-virus software, depend on receiving regular signature updates, to keep in touch with variations in hacker technique. In other words, signature-based IDS is only as good as its database of stored signatures.
Any organization wanting to implement a more thorough – and hence safer – solution, should consider what we call anomaly-based IDS. By its nature, anomaly-based IDS is a rather more complex creature. In network traffic terms, it captures all the headers of the IP packets running towards the network. From this, it filters out all known and legal traffic, including web traffic to the organization#39;s web server, mail traffic to and from its mail server, outgoing web traffic from company employees and DNS traffic to and from its DNS server.
There are other equally obvious advantages to using anomaly-based IDS. For example, because it detects any traffic that is new or unusual, the anomaly method is particularly good at identifying sweeps and probes towards network hardware. It can, therefore, give early warnings of potential intrusions, because probes and scans are the predecessors of all attacks. And this applies equally to any new service installed on any item of hardware – for example, Telnet deployed on a network router for maintenance purposes and forgotten about when the maintenance was finished. This makes anomaly-based IDS perfect for detecting anything from port anomalies and web anomalies to mis-formed attacks, where the URL is deliberately mis-typed.
Question No: 582 – (Topic 3)
A user has unknowingly gone to a fraudulent site. The security analyst notices the following system change on the user’s host:
Old `hosts’ file:
127.0.0.1 localhost New `hosts’ file:
Which of the following attacks has taken place?
Answer: B Explanation:
We can see in this question that a fraudulent entry has been added to the user’s hosts file. This will point the URL: www.comptia.com to 18.104.22.168 instead of the correct IP address.
Similar in nature to e-mail phishing, pharming seeks to obtain personal or private (usually financial related) information through domain spoofing. Rather than being spammed with malicious and mischievous e-mail requests for you to visit spoof Web sites which appear legitimate, pharming #39;poisons#39; a DNS server (or hosts file) by infusing false information into the DNS server, resulting in a user#39;s request being redirected elsewhere. Your browser, however will show you are at the correct Web site, which makes pharming a bit more serious and more difficult to detect. Phishing attempts to scam people one at a time with an e-mail while pharming allows the scammers to target large groups of people at one time through domain spoofing.
Question No: 583 – (Topic 3)
Which of the following tools would a security administrator use in order to identify all running services throughout an organization?
Answer: C Explanation:
Different services use different ports. When a service is enabled on a computer, a network port is opened for that service. For example, enabling the HTTP service on a web server will open port 80 on the server. By determining which ports are open on a remote server, we can determine which services are running on that server.
A port scanner is a software application designed to probe a server or host for open ports.
This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the view to compromise it.
A port scan or portscan can be defined as a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port. While not a nefarious process in and of itself, it is one used by hackers to probe target machine services with the aim of exploiting a known vulnerability of that service. However the majority of uses of a port scan are not attacks and are simple probes to determine services available on a remote machine.
Question No: 584 – (Topic 3)
How must user accounts for exiting employees be handled?
Disabled, regardless of the circumstances
Disabled if the employee has been terminated
Deleted, regardless of the circumstances
Deleted if the employee has been terminated
Answer: A Explanation:
You should always disable an employee’s account as soon as they leave. The employee knows the username and password of the account and could continue to log in for potentially malicious purposes. Disabling the account will ensure that no one can log in using that account.
Question No: 585 – (Topic 3)
Which of the following should an administrator implement to research current attack methodologies?
A honeypot is a system whose purpose it is to be attacked. An administrator can watch and study the attack to research current attack methodologies.
According to the Wepopedia.com, a Honeypot luring a hacker into a system has several main purposes:
The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned.
The hacker can be caught and stopped while trying to obtain root access to the system.
By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers.
There are two main types of honeypots:
Production – A production honeypot is one used within an organization#39;s environment to help mitigate risk.
Research – A research honeypot add value to research in computer security by providing a platform to study the threat.
Question No: 586 – (Topic 3)
The Quality Assurance team is testing a new third party developed application. The Quality team does not have any experience with the application. Which of the following is the team performing?
Grey box testing
Black box testing
White box testing
Answer: B Explanation:
Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as well.
Specific knowledge of the application#39;s code/internal structure and programming
knowledge in general is not required. The tester is aware of what the software is supposed to do but is not aware of how it does it. For instance, the tester is aware that a particular input returns a certain, invariable output but is not aware of how the software produces the output in the first place.
Question No: 587 – (Topic 3)
Which device monitors network traffic in a passive manner?
Answer: A Explanation:
A sniffer is another name for a protocol analyzer. A protocol analyzer performs its function in a passive manner. In other words, computers on the network do not know that their data packets have been captured.
A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing packets sent from a computer system is known as packet sniffing.
Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal).
A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. If computers are connected to a local area network that is not filtered or switched, the traffic can be broadcast to all computers contained in the same segment. This doesn’t generally occur, since computers are generally told to ignore all the comings and goings of traffic from other computers. However, in the case of a sniffer, all traffic is shared when the sniffer software commands the Network Interface Card (NIC) to stop ignoring the traffic. The NIC is put into promiscuous mode, and it reads communications between computers within a particular segment. This allows the sniffer to seize everything that is flowing in the network, which can lead to the unauthorized access of sensitive data. A packet sniffer can take the form of either a hardware or software solution. A sniffer is also known as a packet analyzer.
Question No: 588 – (Topic 3)
Purchasing receives a phone call from a vendor asking for a payment over the phone. The phone number displayed on the caller ID matches the vendor’s number. When the purchasing agent asks to call the vendor back, they are given a different phone number with a different area code.
Which of the following attack types is this?
Answer: B Explanation:
In this question, the impersonator is impersonating a vendor and asking for payment. They have managed to ‘spoof’ their calling number so that their caller ID matches the vendor’s number.
Impersonation is where a person, computer, software application or service pretends to be someone or something it’s not. Impersonation is commonly non-maliciously used in client/server applications. However, it can also be used as a security threat.
Question No: 589 – (Topic 3)
An IT auditor tests an application as an authenticated user. This is an example of which of the following types of testing?
Answer: D Explanation:
In this question, the tester is testing the application as an authenticated user. We can assume from this that the tester has at least limited knowledge of the application. This meets the criteria of a grey-box test.
Gray box testing, also called gray box analysis, is a strategy for software debugging in
which the tester has limited knowledge of the internal details of the program. A gray box is a device, program or system whose workings are partially understood.
Gray box testing can be contrasted with black box testing, a scenario in which the tester has no knowledge or access to the internal workings of a program, or white box testing, a scenario in which the internal particulars are fully known. Gray box testing is commonly used in penetration tests.
Gray box testing is considered to be non-intrusive and unbiased because it does not require that the tester have access to the source code. With respect to internal processes, gray box testing treats a program as a black box that must be analyzed from the outside. During a gray box test, the person may know how the system components interact but not have detailed knowledge about internal program functions and operation. A clear distinction exists between the developer and the tester, thereby minimizing the risk of personnel conflicts.
Question No: 590 – (Topic 3)
A user casually browsing the Internet is redirected to a warez site where a number of pop- ups appear. After clicking on a pop-up to complete a survey, a drive-by download occurs. Which of the following is MOST likely to be contained in the download?
Spyware is software that is used to gather information about a person or organization without their knowledge and sends that information to another entity.
Whenever spyware is used for malicious purposes, its presence is typically hidden from the user and can be difficult to detect. Some spyware, such as keyloggers, may be installed by the owner of a shared, corporate, or public computer intentionally in order to monitor users.
|Lowest Price Guarantee||Yes||No||No|
|Free VCE Simulator||Yes||No||No|