CompTIA CySA+ (CS0-001)

Matt is creating a scope worksheet for a penetration test for his organization. Which of the following techniques is not usually included in a pentest?

Options are :

  • Reverse engineering
  • Social engineering
  • Denial-of-service attacks (Correct)
  • Physical penetration attempts

Answer : Denial-of-service attacks

Explanation A denial-of-service (DoS) attack isn’t usually part of a penetration test. A DoS attack carries too much risk of disrupting production for most organizations to allow it.

What type of information will a Cisco switch log at log level 7?

Options are :

  • Emergencies
  • Errors
  • Warnings
  • Debugging (Correct)

Answer : Debugging

Explanation Cisco’s log levels range from level 0 (emergencies) to level 7 (debugging). Level 7 can be quite noisy, but it provides large amounts of information for troubleshooting.

Steven is monitoring and managing an environment where a cybersecurity exercise is conducted. What team is he on?

Options are :

  • Red team
  • White team (Correct)
  • Blue team
  • Black team

Answer : White team

Explanation Steven is on the white team. The red team is the team responsible for attacking and the blue team is responsible for defending. Black team isn’t an industry term.

Which government program wants to provide trusted sources that meet the following requirements: Provide a chain of custody for classified/unclassified integrated circuits, ensure there’s no reasonable threat related to supply disruption, prevent intentional/unintentional modification of integrated circuits, and protect integrated circuits from reverse engineering and vulnerability testing?

Options are :

  • Trusted Foundry (Correct)
  • Chain of Custody
  • Trusted Suppliers
  • Trusted Access Program

Answer : Trusted Foundry

Explanation The correct answer is Trusted Foundry. The US DOD implemented the Trusted Foundry program to ensure the integrity and confidentiality of integrated circuits throughout the design and manufacturing lifecycle, while retaining access to those circuits for both trusted and untrusted uses.

Joseph would like to prevent hosts from connecting to known malware distribution domains. What type of solution should be used without deploying endpoint protection software or an IPS system?

Options are :

  • Route poisoning
  • Anti-malware router filters
  • Subdomain whitelisting
  • DNS blackholing (Correct)

Answer : DNS blackholing

Explanation The best answer is DNS blackholing. This process uses a list of known domains and IP addresses belonging to malicious hosts and configures the internal DNS server to return a fake reply for those names. Route poisoning prevents networks from sending data to an invalid destination; routers don’t usually have such a filter, and whitelisting doesn’t apply here and is only listed to throw you off.

What port is most likely to be used in a web-based attack?

Options are :

  • 389
  • 3389
  • 443 (Correct)
  • 21

Answer : 443

Explanation Port 389 is used by LDAP, port 21 is used by FTP, and port 3389 is used by RDP. Web-based attacks would most likely appear on port 80 (HTTP) or port 443 (HTTPS).

Jack is assessing the likelihood of reconnaissance activities against his organization, which is a small business. His first assignment is to determine the likelihood of port scans against his DMZ. How should he rate the likelihood of this happening?

Options are :

  • Low
  • Medium
  • High (Correct)
  • There is not enough information to provide a rating

Answer : High

Explanation The best option listed is high. Systems exposed to the Internet are scanned constantly; chances are good that a scan is occurring even while the assessment is taking place.

Caleb is working to prevent remote login attacks to the root account on a Linux system. What method would be the best option to stop attacks like this while still allowing normal users to use ssh?

Options are :

  • Add an iptables rule blocking root logins.
  • Add root to the sudoers group.
  • Change sshd_config to deny root login. (Correct)
  • Add a network IPS rule to block root logins.

Answer : Change sshd_config to deny root login.

Explanation Of all the choices given, the sshd service has a configuration setting named PermitRootLogin; setting it to no or deny best accomplishes the task at hand.

John wanted to grab the banner from a web server using common tools. Which of the following tools would not be used to grab the banner from the remote host?

Options are :

  • netcat
  • telnet
  • wget
  • ftp (Correct)

Answer : ftp

Explanation FTP will not accomplish the task at hand. Netcat, telnet, and wget will all allow him to grab the banner, but FTP will not in this particular scenario.

What technique is a penetration tester using if they are reviewing data and publicly available information to gather intelligence about a target organization without scanning or other technical information gathering activities?

Options are :

  • Passive footprinting (Correct)
  • Active footprinting
  • Vulnerability scanning
  • Patch management

Answer : Passive footprinting

Explanation Passive footprinting combines publicly available data from a variety of sources about an organization and does not use active scanning or data gathering methods.

An SNMP sweep is being conducted. The sweep receives no-response replies from multiple addresses that are believed to belong to active hosts. What does this mean?

Options are :

  • The machines are unreachable
  • The machines are not running SNMP servers
  • The community string being used is invalid
  • Any listed answers may be true (Correct)

Answer : Any listed answers may be true

Explanation The best option is that any of the listed answers may be true. SNMP doesn’t report closed UDP ports, and SNMP servers don’t respond to requests that carry an invalid community string. The “no response” can also mean that the systems cannot be reached (either internally or externally).

A cyber security analyst has been hired to perform an assessment of a company's current security posture. The analyst first would like to determine how much information about the company is exposed to an external attacker. What technique would BEST help the analyst?

Options are :

  • DNS query log reviews
  • Intranet portal reviews
  • Fingerprinting (Correct)
  • Technical control audits

Answer : Fingerprinting

Explanation Footprinting is the blueprinting of an organization’s security profile, undertaken in a methodical manner. Footprinting is one of the three pre-attack phases. If fingerprinting is conducted from outside the company’s network, it can be used to determine the network devices and information available to an unauthorized external attacker.

As part of a penetration test, Nick is put on the defending team for his company. What is this team often called?

Options are :

  • The red team
  • The white team
  • The blue team (Correct)
  • The yellow team

Answer : The blue team

Explanation Internal security teams are often referred to as the blue team. The attack team is the red team and the white team is the team that manages the test.

James hopes to perform passive reconnaissance for an evaluation of his company’s security controls. Which technique is valid to perform as part of a passive DNS assessment?

Options are :

  • A DNS forward or reverse lookup
  • A zone transfer
  • A WHOIS query (Correct)
  • Using Maltego

Answer : A WHOIS query

Explanation The best answer is performing a WHOIS query. A WHOIS query is a passive recon option, while the other options are all active techniques.

Jason sets up an alert that detects when users log in from other companies, who typically do not travel there. What type of analysis is this?

Options are :

  • Trend
  • Availability
  • Heuristic
  • Behavior (Correct)

Answer : Behavior

Explanation In this scenario, Jason has set up behavior-based detection. Behavioral detection is used to detect anomalies and other unusual behavior in order to verify whether a login is legitimate.

It is suspected that the Linux system currently logged into may be Trojaned. Sarah would like to check where the running bash shell is being executed from. What command should be run to determine this?

Options are :

  • where bash
  • ls -l bash
  • which bash (Correct)
  • printenv bash

Answer : which bash

Explanation The which command shows where the bash command is being run from. If the directory bash is running from differs from the default, it should be reported, as the machine could be compromised.

What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately?

Options are :

  • Processor utilization
  • Virtual hosts (Correct)
  • Organizational governance
  • Log disposition

Answer : Virtual hosts

Explanation Vulnerability reports should include not just physical hosts but also virtual hosts. A common mistake of new cyber security analysts is to only include physical hosts, thereby missing a large number of assets on the network.

Steven is preparing to run a vulnerability scan. The scan will be of a dedicated Apache server that is going to be moved into a DMZ. Which of the following vulnerability scans is least likely to provide beneficial results?

Options are :

  • Web application vulnerability scan
  • Database vulnerability scan (Correct)
  • Port scan
  • Network vulnerability scan

Answer : Database vulnerability scan

Explanation Nothing in this scenario states that the server is running a database; instead, it states that the server is running an Apache web service. It’s unlikely that a database vulnerability scan would yield any results, but the other three scans should be run, and if they indicate that a database server is present, specialized scans should follow.

Katie is working to deploy a new vulnerability scanner and wants to verify that she can get the most accurate view of configuration issues on laptops that belong to traveling sales staff. Which listed technology will work best in this situation?

Options are :

  • Agent-based scanning (Correct)
  • Server-based scanning
  • Passive network monitoring
  • Noncredentialed scanning

Answer : Agent-based scanning

Explanation The best choice is agent-based scanning. Using agent-based scanning, you typically get the most reliable results for systems that aren’t connected to the network, as well as ones that are. The other technologies require that the system be connected to the network during the scan.

Derrick is responsible for the security of his network. His company recently signed a contract with a vendor that will be using laptops that will not need to be controlled by Derrick, but do need to be connected to the systems. He believes that these laptops potentially contain some vulnerabilities. What can be done to mitigate the risk to other devices on the network without having admin access?

Options are :

  • Apply necessary security patches
  • Increase encryption level of VPN
  • Implement a jump-box system. (Correct)
  • Require 2FA (two factor authentication).

Answer : Implement a jump-box system.

Explanation The best option is a jump-box system, which would allow him to isolate the vendor systems from the network systems. The other options may be good practices, but they do not fully mitigate the risk that insecure systems pose.

Out of all the protocols listed, which one might be used inside of a virtual system to manage and monitor the network?

Options are :

  • SNMP (Correct)
  • SMTP
  • BGP
  • EIGRP

Answer : SNMP

Explanation SNMP is used to monitor and manage networks, both physical and virtual. SMTP is used for email, while BGP and EIGRP are used for routing.

What is NOT a good source of information to validate scan results?

Options are :

  • Log files
  • SIEM systems
  • Configuration Management Systems
  • An analyst’s “gut feeling” (Correct)

Answer : An analyst’s “gut feeling”

Explanation Vulnerability scans should never take place in a vacuum. Analysts should correlate scan results with other information sources including logs, SIEM systems, and configuration management systems.

You have been asked to scan your company’s website using the OWASP ZAP tool. When you perform the scan, you receive the following warning:

“The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing password type input. Passwords may be stored in browsers and retrieved.”

You begin to investigate further by reviewing a portion of the HTML code from the website, listed below:

<form action="authenticate.php"> Enter your username: <BR>
<input type="text" name="user" value="" autofocus><BR> Enter your Password: <BR>
<input type="password" name="pass" value="" maxlength="32"><BR>
<input type="submit" value="submit"> </form>

Based on your analysis, what do you recommend?

Options are :

  • You should implement a scanner exception to ensure you don’t receive this false positive again during your next scan
  • You tell the system administrator to disable SSL and implement TLS
  • You tell the developer to review their code and implement a bug/code fix
  • You recommend that your company should update the browser’s GPO to solve this issue (Correct)

Answer : You recommend that your company should update the browser’s GPO to solve this issue

Explanation Since the passwords could be stored in the browser, updating the GPO for the company's web browsers would be the best option.

When using nmap, what flag do you use in the syntax to conduct operating system identification during the scan?

Options are :

  • -os
  • -O (Correct)
  • -id
  • -osscan

Answer : -O

Explanation The -O flag tells nmap to identify operating systems during the scan by comparing the responses it receives against its database of signatures for each operating system.

John is a consultant who wants to sell his services to a new client. He’d like to have a vulnerability scan of their network done prior to their initial meeting, to show the client as a demonstration of added security. What is the most significant problem with this approach?

Options are :

  • He doesn’t know the client’s infrastructure design
  • He doesn’t have permission to perform the scan (Correct)
  • He doesn’t know what operating systems and applications are in use
  • He doesn’t know the IP range of the client systems

Answer : He doesn’t have permission to perform the scan

Explanation All of the options listed should be concerning, but the most concerning issue is that he doesn’t have administrative access to perform the scan and may wind up violating the law or causing issues with the client.

Peter is working with an application team on the remediation of a critical SQL injection vulnerability that exists on a public-facing server. The team is worried that deploying the fix will require several hours of downtime that will also block customer transactions from completing. What is the most reasonable action to take?

Options are :

  • Wait until next scheduled maintenance window
  • Demand that the vulnerability be remediated immediately
  • Schedule an emergency maintenance for an off-peak time later in the day (Correct)
  • Convene a working group to assess the situation

Answer : Schedule an emergency maintenance for an off-peak time later in the day

Explanation Public-facing servers need to be patched quickly, and it isn’t unreasonable to schedule an emergency update for this evening and inform your customers of the outage. Without informing your customers of the outage, this may not need to happen as quickly. This system needs to be patched as soon as possible to protect the data.

Which remediation strategy is MOST effective in reducing the risk to an embedded ICS from a network-based compromise?

Options are :

  • Patching
  • NIDS
  • Firewalling
  • Disabling unused services (Correct)

Answer : Disabling unused services

Explanation Disabling unused services reduces the footprint of the embedded ICS, which most effectively reduces its exposure to a network-based attack or compromise.

TRUE or FALSE: Some vulnerability scans require account credentials to log on to scanned servers.

Options are :

  • TRUE (Correct)
  • FALSE

Answer : TRUE

Explanation Credentialed scans use read-only accounts to log on to the servers being scanned and retrieve configuration information.

Which of the following is NOT a part of the vulnerability management lifecycle?

Options are :

  • Remediation
  • Testing
  • Detection
  • Investigating (Correct)

Answer : Investigating

Explanation The three phases of the vulnerability management lifecycle are detection, remediation, and testing.

A new alert has been distributed throughout the information security community regarding a critical Apache vulnerability. What action could you take to ONLY identify the known vulnerability?

Options are :

  • Perform an unauthenticated vulnerability scan on all servers in the environment
  • Perform a scan for the specific vulnerability on all web servers (Correct)
  • Perform a web vulnerability scan on all servers in the environment
  • Perform an authenticated scan on all web servers in the environment

Answer : Perform a scan for the specific vulnerability on all web servers

Explanation Since you wish to check for only the known vulnerability, you should scan for that specific vulnerability on all web servers. Web servers are chosen because Apache is a web server application.

Ciera discovered an administrative interface to a storage system was exposed to the Internet while performing a vulnerability scan. She’s looking through firewall logs and is attempting to determine whether any access attempts came from external sources. Which of the following IP addresses is from an external source?

Options are :

  • 10.15.1.100
  • 12.8.1.100 (Correct)
  • 172.16.1.100
  • 192.168.1.100

Answer : 12.8.1.100

Explanation IP addresses in the 10…, 172…, and 192… ranges are all considered private IP addresses and aren’t “routable” over the Internet. By process of elimination, the only IP address left is 12…, so this is the only IP that could exist outside the local network.

What condition occurs when a scanner reports a vulnerability that does not exist?

Options are :

  • False positive error (Correct)
  • False negative error
  • True positive error
  • True negative error

Answer : False positive error

Explanation False positive errors occur when a scanner reports a vulnerability that does not actually exist on a system.

The management at Steven’s work is concerned about rogue devices attached to the network. If Steven would like to identify rogue devices on a wired network, which of the following solutions would quickly provide the most accurate information?

Options are :

  • A discovery scan using a port scanner
  • Router and switch-based MAC address reporting (Correct)
  • A physical survey
  • Reviewing a central administration tool like an SCCM.

Answer : Router and switch-based MAC address reporting

Explanation The best option is MAC address reporting from a source like a router or switch. If the company uses a management system or inventory process to capture these addresses, then a report from one of those devices will show what’s connected, even devices that aren’t currently in the inventory. From there, a device can be tracked down to the physical port where it’s connected.

Based on some old SIEM alerts, you have been asked to perform some forensic analysis on a particular host. You have noticed that some SSL network connections are occurring over ports other than port 443. Additionally, the SIEM alerts state that copies of svchost.exe and cmd.exe have been found in the %TEMP% folder on the host, as well as showing that RDP connections have previously connected with an IP address that is external to the corporate intranet. What threat might you have uncovered during your analysis?

Options are :

  • DDoS
  • APT (Correct)
  • Ransomware
  • Software vulnerability

Answer : APT

Explanation The provided indicators of compromise appear to be from an Advanced Persistent Threat (APT). These attacks tend to go undetected for several weeks or months, and utilize secure communication to external IPs as well as Remote Desktop Protocol connections to provide the attackers with access to the infected host.

Chris needs to ensure that accessing a drive to analyze it does not change the contents of the drive. What tools should he use?

Options are :

  • Forensic drive duplicator
  • Hardware write blocker (Correct)
  • Software write monitor
  • Degausser

Answer : Hardware write blocker

Explanation Hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it. Forensic drive duplicators copy drives and validate that they match the original, software write monitors are not used for forensic use like this, and a degausser is used to wipe magnetic media.

Barrett needs to verify settings on a macOS computer to be sure that the configuration he expects is what’s set on the system. What type of file is commonly used to store configuration settings for macOS systems?

Options are :

  • The registry
  • .profile files
  • Plists (Correct)
  • .config files

Answer : Plists

Explanation Barrett should expect to find these settings in plists (property lists).

John has reason to believe that systems on his network have been compromised by an APT actor. He has noticed a large number of file transfers outbound to a remote site via TLS-protected HTTP sessions from unknown systems. Which of the following techniques is most likely to detect the APT infections?

Options are :

  • Network traffic analysis
  • Network forensics
  • Endpoint behavior analysis
  • Endpoint forensics (Correct)

Answer : Endpoint forensics

Explanation APTs (advanced persistent threats) send encrypted traffic, so network tests will only identify potentially infected hosts. John needs the actual tools located on the endpoint systems, so he should work with an endpoint forensics resource. He may still use network forensics and traffic analysis for supporting information.

You are a cyber security analyst sitting in a working group that is updating the incident response communications plan. A coworker, a business analyst, suggests that if the company suffers a data breach, the correct action would be to notify only the affected parties in order to minimize the chances of the company receiving bad publicity from the media. What should you recommend to the working group in response to the business analyst’s recommendation?

Options are :

  • The first responder should contact law enforcement upon confirmation of a security incident in order for a forensic team to preserve the chain of custody (Correct)
  • Guidance from laws and regulations should be considered when deciding who must be notified in order to avoid fines and judgements from non-compliance
  • An externally hosted website should be prepared in advance to ensure that when an incident occurs, victims have timely access to notifications from a non-compromised resource
  • The Human Resources department should have information security personnel who are involved in the investigation of the incident sign non-disclosure agreements so the company cannot be held liable for customer data that might be viewed during an investigation

Answer : The first responder should contact law enforcement upon confirmation of a security incident in order for a forensic team to preserve the chain of custody

Explanation Anytime a data breach occurs, your company should first contact local, state, or federal law enforcement so that their forensically qualified investigators can collect the appropriate evidence and maintain the chain of custody.

Which type of threat will patches NOT effectively combat as a security control?

Options are :

  • zero-day attacks (Correct)
  • known vulnerabilities
  • discovered software bugs
  • malware with defined indicators of compromise

Answer : zero-day attacks

Explanation Zero-day attacks have no known fix, so patches will not correct them.

Which containment technique is the strongest possible response to an incident?

Options are :

  • Segmentation
  • Isolating affected systems
  • Isolating the attacker
  • Removal (Correct)

Answer : Removal

Explanation Removal of a compromised system is the strongest available containment technique. The affected system is completely disconnected from other networks.

Natalie is hoping to create a backup of Linux permissions before making changes to the Linux workstation she wants to remediate. What Linux tool can she use to back up the permissions of the complete directory on the system?

Options are :

  • chbkup
  • getfacl (Correct)
  • aclman
  • There is not a common Linux permission backup tool.

Answer : getfacl

Explanation The best answer is getfacl. Linux comes with two useful ACL commands for backup and restore: getfacl backs up a directory’s permissions to a text file, and setfacl restores the permissions from that backup. aclman and chbkup are not legitimate Linux commands.

What is the proper threat classification for a security breach that employs brute-force methods to compromise, degrade, or destroy systems?

Options are :

  • Attrition (Correct)
  • Impersonation
  • Improper usage
  • Loss or theft of equipment

Answer : Attrition

Explanation Attrition attacks employ brute-force methods to compromise, degrade, or destroy systems, networks, or services.

What does the bs operator do when using the Linux dd command?

Options are :

  • Sends output to a blank sector
  • Sets the beginning sector
  • Sets the block size (Correct)
  • Removes error messages and other incorrect data

Answer : Sets the block size

Explanation The bs operator sets the block size when using the Linux dd command.

Late one afternoon, Josh is notified that his email servers have been blacklisted because of an email that appeared to originate from his domain. What information does he need to start investigating the source of the spam emails?

Options are :

  • Firewall logs showing SMTP connections
  • The SMTP audit log from his email server
  • The full headers of one of the spam messages (Correct)
  • Network flows for the network

Answer : The full headers of one of the spam messages

Explanation The best thing for Josh to do is to find the source of the email by reading through the full headers of one of the messages. This tells him where the email originally came from, whether it passed through his email system or is external, and whether it is spoofed or legitimate. Once this information has been acquired, he can work through the problem. If enough information cannot be found, more research is needed to determine the best way to solve it.

You are reviewing the IDS logs and notice the following log entry: (where email=mary@abc.com and password=' or 7==7') What type of attack is being performed?

Options are :

  • XML injection
  • SQL injection (Correct)
  • Header manipulation
  • Cross-site scripting

Answer : SQL injection

Explanation SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). A common technique in SQL injection is to insert a statement that is always true, such as 1 == 1, or in this example 7 == 7.

Kerri is following the CompTIA process for validation after a compromise. Which of the following actions is one that should be included in this phase?

Options are :

  • Sanitization
  • Re-imaging
  • Setting permissions (Correct)
  • Secure disposal

Answer : Setting permissions

Explanation CompTIA has two phases which are incident eradication and validation. Validation activities include patching, permissions and scanning, as well as verifying logging works correctly. The best choice is setting permissions.

Lonnie is worried about the master account for a cloud service and the access to it. This service is used to manage payment transactions. He has decided to implement a new multifactor authentication process where one individual, on the IT team, has the password to the account, but another user in the accounting department has a token to the account. What principle is identified here?

Options are :

  • Dual control (Correct)
  • Separation of duties
  • Least privilege
  • Security through obscurity

Answer : Dual control

Explanation This scenario is an example of dual control, which applies when performing a sensitive action requires the participation of two individuals. Separation of duties is the closest other option, but it is about not allowing the same person to perform two separate actions that together would be harmful to the network or company.
