CompTIA SY0-401 Exam Practice Questions (P. 2)
Question #11
Mike, a network administrator, has been asked to passively monitor network traffic to the company's sales websites. Which of the following would be BEST suited for this task?
- A. HIDS
- B. Firewall
- C. NIPS
- D. Spam filter
Correct Answer:
C
Network-based intrusion prevention system (NIPS) monitors the entire network for suspicious traffic by analyzing protocol activity.
Incorrect Answers:
A: A host-based IDS (HIDS) watches the audit trails and log files of a host system. It's reliable for detecting attacks directed against a host, whether they originate from an external source or are being perpetrated by a user locally logged in to the host.
B: Firewalls provide protection by controlling traffic entering and leaving a network.
D: A spam filter is a software or hardware tool whose primary purpose is to identify and block/filter/remove unwanted messages (that is, spam). Spam is most commonly associated with email, but spam also exists in instant messaging (IM), short message service (SMS), Usenet, and web discussions/forums/comments/ blogs.
References:
http://en.wikipedia.org/wiki/Intrusion_prevention_system
, Sybex, Indianapolis, 2014, pp. 42, 47
Question #12
Which of the following should be deployed to prevent the transmission of malicious traffic between virtual machines hosted on a singular physical device on a network?
- A. HIPS on each virtual machine
- B. NIPS on the network
- C. NIDS on the network
- D. HIDS on each virtual machine
Correct Answer:
A
Host-based intrusion prevention system (HIPS) is an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.
Incorrect Answers:
B: Network-based intrusion prevention system (NIPS) monitors the entire network for suspicious traffic by analyzing protocol activity.
C: A network-based IDS (NIDS) watches network traffic in real time. It's reliable for detecting network-focused attacks, such as bandwidth-based DoS attacks.
D: A host-based IDS (HIDS) watches the audit trails and log files of a host system. It's reliable for detecting attacks directed against a host, whether they originate from an external source or are being perpetrated by a user locally logged in to the host.
References:
http://en.wikipedia.org/wiki/Intrusion_prevention_system
, Sybex, Indianapolis, 2014, p. 21
Question #13
Pete, a security administrator, has observed repeated attempts to break into the network. Which of the following is designed to stop an intrusion on the network?
- A. NIPS
- B. HIDS
- C. HIPS
- D. NIDS
Correct Answer:
A
Network-based intrusion prevention system (NIPS) monitors the entire network for suspicious traffic by analyzing protocol activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it.
Incorrect Answers:
B: A host-based IDS (HIDS) watches the audit trails and log files of a host system. It's reliable for detecting attacks directed against a host, whether they originate from an external source or are being perpetrated by a user locally logged in to the host.
C: Host-based intrusion prevention system (HIPS) is an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.
D: A network-based IDS (NIDS) watches network traffic in real time. It's reliable for detecting network-focused attacks, such as bandwidth-based DoS attacks.
References:
http://en.wikipedia.org/wiki/Intrusion_prevention_system
, Sybex, Indianapolis, 2014, p. 21
Question #14
An administrator is looking to implement a security device which will be able not only to detect network intrusions at the organization level, but also help to defend against them.
Which of the following is being described here?
- A. NIDS
- B. NIPS
- C. HIPS
- D. HIDS
Correct Answer:
B
Network-based intrusion prevention system (NIPS) monitors the entire network for suspicious traffic by analyzing protocol activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it.
Incorrect Answers:
A: A network-based IDS (NIDS) watches network traffic in real time. It's reliable for detecting network-focused attacks, such as bandwidth-based DoS attacks.
C: Host-based intrusion prevention system (HIPS) is an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.
D: A host-based IDS (HIDS) watches the audit trails and log files of a host system. It's reliable for detecting attacks directed against a host, whether they originate from an external source or are being perpetrated by a user locally logged in to the host.
References:
http://en.wikipedia.org/wiki/Intrusion_prevention_system
, Sybex, Indianapolis, 2014, p. 21
Question #15
In intrusion detection system vernacular, which account is responsible for setting the security policy for an organization?
- A. Supervisor
- B. Administrator
- C. Root
- D. Director
Correct Answer:
B
The administrator is the person responsible for setting the security policy for an organization and is responsible for making decisions about the deployment and configuration of the IDS.
Incorrect Answers:
A, C: Almost every operating system in use today employs the concept of differentiation between users and groups at varying levels. As an example, there is always a system administrator (SA) account that has godlike control over everything: root in Unix/Linux, admin (or a deviation of it) in Windows, administrator in Apple OS X, supervisor in Novell NetWare, and so on.
D: A director is a person from a group of managers who leads or supervises a particular area of a company, program, or project.
References:
, 6th Edition, Sybex, Indianapolis, 2014, pp. 107, 153
http://en.wikipedia.org/wiki/Director_(business)
Question #16
When performing the daily review of the system vulnerability scans of the network, Joe, the administrator, noticed several security-related vulnerabilities, each with an assigned vulnerability identification number. Joe researches the assigned vulnerability identification number on the vendor website. Joe proceeds with applying the recommended solution for the identified vulnerability.
Which of the following is the type of vulnerability described?
- A. Network based
- B. IDS
- C. Signature based
- D. Host based
Correct Answer:
C
A signature-based monitoring or detection method relies on a database of signatures or patterns of known malicious or unwanted activity. The strength of a signature-based system is that it can quickly and accurately detect any event from its database of signatures.
Incorrect Answers:
A: A network-based IDS (NIDS) watches network traffic in real time. It's reliable for detecting network-focused attacks, such as bandwidth-based DoS attacks.
B: An intrusion detection system (IDS) is an automated system that either watches activity in real time or reviews the contents of audit logs in order to detect intrusions or security policy violations.
D: A host-based IDS (HIDS) watches the audit trails and log files of a host system. It's reliable for detecting attacks directed against a host, whether they originate from an external source or are being perpetrated by a user locally logged in to the host.
References:
, Sybex, Indianapolis, 2014, p. 21
Question #17
The network security engineer just deployed an IDS on the network, but the Chief Technical Officer (CTO) has concerns that the device is only able to detect known anomalies. Which of the following types of IDS has been deployed?
- A. Signature Based IDS
- B. Heuristic IDS
- C. Behavior Based IDS
- D. Anomaly Based IDS
Correct Answer:
A
A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats.
Incorrect Answers:
B, C: The technique used by anomaly-based IDS/IPS systems is also referred to as network behavior analysis or heuristic analysis.
D: An IDS which is anomaly based will monitor network traffic and compare it against an established baseline. The baseline will identify what is "normal" for that network (what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other) and alert the administrator or user when traffic is detected which is anomalous, or significantly different from the baseline.
References:
https://technet.microsoft.com/en-us/library/dd277353.aspx
http://en.wikipedia.org/wiki/Intrusion_detection_system#Signature-based_IDS
http://en.wikipedia.org/wiki/Intrusion_detection_system#Statistical_anomaly-based_IDS
Question #18
Joe, the Chief Technical Officer (CTO), is concerned about new malware being introduced into the corporate network. He has tasked the security engineers to implement a technology that is capable of alerting the team when unusual traffic is on the network. Which of the following types of technologies will BEST address this scenario?
- A. Application Firewall
- B. Anomaly Based IDS
- C. Proxy Firewall
- D. Signature IDS
Correct Answer:
B
Anomaly-based detection watches the ongoing activity in the environment and looks for abnormal occurrences. An anomaly-based monitoring or detection method relies on definitions of all valid forms of activity. This database of known valid activity allows the tool to detect any and all anomalies. Anomaly-based detection is commonly used for protocols. Because all the valid and legal forms of a protocol are known and can be defined, any variations from those known valid constructions are seen as anomalies.
Incorrect Answers:
A: An application aware firewall provides filtering services for specific applications.
C: Proxy firewalls are used to process requests from an outside network; the proxy firewall examines the data and makes rule-based decisions about whether the request should be forwarded or refused. The proxy intercepts all of the packets and reprocesses them for use internally.
D: A signature-based monitoring or detection method relies on a database of signatures or patterns of known malicious or unwanted activity.
References:
, Sybex, Indianapolis, 2014, pp. 16, 20
, Sybex, Indianapolis, 2014, p. 98
Question #19
Matt, an administrator, notices a flood of fragmented packets and retransmits from an email server.
After disabling the TCP offload setting on the NIC, Matt sees normal traffic with packets flowing in sequence again. Which of the following utilities was he MOST likely using to view this issue?
- A. Spam filter
- B. Protocol analyzer
- C. Web application firewall
- D. Load balancer
Correct Answer:
B
A protocol analyzer is a tool used to examine the contents of network traffic. Commonly known as a sniffer, a protocol analyzer can be a dedicated hardware device or software installed onto a typical host system. In either case, a protocol analyzer is first a packet capturing tool that can collect network traffic and store it in memory or onto a storage device. Once a packet is captured, it can be analyzed either with complex automated tools and scripts or manually.
Incorrect Answers:
A: A spam filter is a software or hardware tool whose primary purpose is to identify and block/filter/remove unwanted messages (that is, spam). Spam is most commonly associated with email, but spam also exists in instant messaging (IM), short message service (SMS), Usenet, and web discussions/forums/comments/blogs. Because spam consumes about 89 percent of all email traffic (see the Intelligence Reports at www.messagelabs.com), it's essential to filter and block spam at every opportunity.
C: A web application firewall is a device, server add-on, virtual service, or system filter that defines a strict set of communication rules for a website and all visitors. It's intended to be an application-specific firewall to prevent cross-site scripting, SQL injection, and other web application attacks.
D: A load balancer is used to spread or distribute network traffic load across several network links or network devices.
References:
, Sybex, Indianapolis, 2014, pp. 10, 18, 19
Question #20
Which of the following flags are used to establish a TCP connection? (Choose two.)
- A. PSH
- B. ACK
- C. SYN
- D. URG
- E. FIN
Correct Answer:
BC
To establish a TCP connection, the three-way (or 3-step) handshake occurs:
1. SYN: The active open is performed by the client sending a SYN to the server. The client sets the segment's sequence number to a random value A.
2. SYN-ACK: In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number, i.e. A+1, and the sequence number that the server chooses for the packet is another random number, B.
3. ACK: Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value, i.e. A+1, and the acknowledgement number is set to one more than the received sequence number, i.e. B+1.
Incorrect Answers:
A: The PSH flag tells the TCP stack to flush all buffers and send any outstanding data up to and including the data that had the PSH flag set.
D: URG indicates that the urgent pointer field has a valid pointer to data that should be treated urgently and be transmitted before non-urgent data.
E: FIN is used to indicate that the client will send no more data.
References:
http://linuxpoison.blogspot.com/2007/11/what-are-tcp-control-bits.html