Free CompTIA SY0-601 Practice Exam with Questions & Answers | Set: 13

Monitoring outbound traffic is a technique that can detect the behavior of malware that allows the unauthorized movement of data from a system. Outbound traffic refers to the data that leaves a system or network and goes to an external destination, such as another network, server, or website. Monitoring outbound traffic can help identify any suspicious or anomalous patterns, such as large volumes of data being sent to unknown or malicious destinations, which could indicate a malware infection or a data exfiltration attempt. Monitoring outbound traffic can also help prevent malware from communicating with command-and-control servers or downloading additional payloads101112 References: CompTIA Security+ SY0-601 Certification Study Guide, Chapter 11: Explaining Digital Forensics Concepts, page 496; Outbound Traffic Monitoring: Why It’s Important for Your Network | SolarWinds MSP; How to Monitor Outbound Traffic on Your Network | NetFort Blog; Why You Should Monitor Outbound Traffic on Your Network | CSO Online

ARP poisoning is a technique by which an attacker sends spoofed ARP messages to alter routing on a local area network. It can be used to intercept, modify, or stop data frames, or launch other attacks3 In this scenario, the attacker likely used ARP poisoning to associate their MAC address with the IP address of the time-keeping website, causing the kiosks to send a copy of all the submitted credentials to the attacker’s machine. This explains why only the credentials of the employees who clocked in and out while inside the building were stolen, and why the compromise was not detected by the DNS servers or the website itself4

nmap is a network scanning tool that can perform various tasks such as port scanning, service detection, version detection, OS detection, vulnerability scanning, etc… nmap comptia.org -p 80 -sv is a command that scans port 80 (the default port for HTTP) on comptia.org domain name and tries to identify the service name and version running on that port. This can help identify potential vulnerabilities in the web server software by comparing the version with known exploits or patches.

Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files1. In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server1.

Directory traversal in its simplest form uses the …/ pattern, which means to step up one level in the directory structure. By repeating this pattern, an attacker can traverse to the root directory and then access any file or folder on the server. For example, the following request attempts to read the Unix password file /etc/passwd from the server:

http://company.com/get.php?f=/etc/passwd

Some web applications may implement some defenses against directory traversal attacks, such as filtering out …/ patterns or percent-decoding the user input before validating it. However, these defenses can often be bypassed by using variations or encoding techniques. For example, the following requests use different ways to represent …/ or / characters:

http://company.com/…%2F…%2F…%2Fetc%2Fpasswd

http://company.com/…/…/…/%2Fetc%2Fpasswd

http://company.com/%2E%2E/%2E%2E/%2E%2E/etc/passwd

These requests may still result in directory traversal attacks if the web application does not properly handle them12.

A. SQLi. This is not the correct answer, because SQLi stands for SQL Injection, which is an attack that exploits a vulnerability in a web application’s database layer, where malicious SQL statements are inserted into an entry field for execution3. The requests in the question do not contain any SQL statements or commands.

B. CSRF. This is not the correct answer, because CSRF stands for Cross-Site Request Forgery, which is an attack that exploits the trust a web server has in a user’s browser, where malicious requests are sent to the web server using the user’s credentials4. The requests in the question do not indicate that they are forged or sent by another website.

C. API attacks. This is not the correct answer, because API stands for Application Programming Interface, which is a set of rules and specifications that allow software components to communicate and exchange data. API attacks are attacks that target the vulnerabilities or weaknesses of APIs, such as authentication, authorization, encryption, rate limiting, or input validation5. The requests in the question do not target any specific API functionality or feature.

D. Directory traversal. This is the correct answer, because directory traversal is an attack that exploits insufficient security validation or sanitization of user-supplied file names, such that characters representing “traverse to parent directory” are passed through to the operating system’s file system API12. The requests in the question contain various patterns of …/ or / characters that attempt to access restricted files and directories on the server.

Tokenization is a privacy technique that replaces sensitive data elements, such as credit card numbers, with non-sensitive equivalents, called tokens, that have no intrinsic or exploitable value. Tokenization can be used to enable established customers to safely store credit card information without exposing their actual card numbers to potential theft or misuse. The tokens can be used to process payments without revealing the original data456 References: CompTIA Security+ SY0-601 Certification Study Guide, Chapter 8: Implementing Secure Protocols, page 362; What is tokenization? | McKinsey; What is Tokenization? Definition and Examples | OpenText - Micro Focus; Tokenization (data security) - Wikipedia

Thin clients are devices that rely on a server or a cloud service to perform most of the processing and storage tasks, while only providing a minimal interface for the user. Thin clients are low-cost solutions that can enable users on the shop floor to log in to the VDI (virtual desktop infrastructure) environment directly, without requiring a full-fledged computer or laptop.

An employee receiving a gift card request in an email that has an executive’s name in the display field to the email describes a possible business email compromise attack. Business email compromise (BEC) is a type of phishing attack that targets employees who have access to financial or sensitive information, such as accounting, human resources, or executive staff. The attacker impersonates a trusted person, such as a manager, vendor, or client, and requests a fraudulent payment, wire transfer, gift card purchase, or personal information. The attacker may spoof the email address or display name, use a look-alike domain, or compromise a legitimate email account to make the request seem authentic.

Dynamic resource allocation is a technique that allows cloud providers to adjust the amount and distribution of computing resources according to the changing demand and capacity of the cloud environment1. Dynamic resource allocation can improve the efficiency and utilization of available computing power, as well as reduce the cost and energy consumption of the cloud infrastructure1. Dynamic resource allocation can also enhance the system availability and reliability by avoiding potential denial-of-service situations caused by overloading or under-provisioning of resources1.

A false positive is a result that indicates a problem when there is no actual problem. In this case, the vulnerability scan flagged the domain controller with a critical vulnerability, but the domain controller does not run the application that is vulnerable. Therefore, the scan result is inaccurate and should be documented as a false positive.

A. Ensure the scan engine is configured correctly. This is not the next step, because the scan engine may be configured correctly and still produce false positives due to various factors, such as outdated signatures, network latency, or misconfigured devices.

B. Apply a patch to the domain controller. This is not the next step, because applying a patch to a system that does not have the vulnerability may cause unnecessary problems or conflicts.

C. Research the CVE. This is not the next step, because the systems administrator already researched the vulnerability and discovered that it does not affect the domain controller.

D. Document this as a false positive. This is the correct answer, because documenting false positives helps to improve the accuracy and efficiency of future scans and audits.

The web server logs are records of the requests and responses that occur between a web server and a web client, such as a browser. The web server logs can show where the malware originated by indicating the source IP address, the destination URL, the date and time, the HTTP status code, the user agent, etc., of each request and response. The web server logs can help the incident response team to trace back the malicious website that infected the host with malware.

Impossible travel time is an anomaly detection that indicates a possible compromise of a user account. It occurs when the same user connects from two different countries and the time between those connections is shorter than the time it would take to travel from the first location to the second by conventional means. This suggests that a different user is using the same credentials or that a proxy or VPN is being used to mask the true location. The log activity shows that the user connected from two different IP addresses in different countries (US and Brazil) within a span of 37 minutes, which is impossible to achieve by normal travel. References: Detecting and Remediating Impossible Travel - Microsoft Community Hub; Anomaly detection policies - Microsoft Defender for Cloud Apps; Understanding Microsoft 365 Impossible Travel Rules | Blumira