CompTIA CompTIA Certifications SY0-601 Questions & Answers

• Question 101:

  A systems engineer thinks a business system has been compromised and is being used to exfiltrated data to a competitor The engineer contacts the CSIRT The CSIRT tells the engineer to immediately disconnect the network cable and to not do anything else.

  Which of the following is the most likely reason for this request?

  A. The CSIRT thinks an insider threat is attacking the network

  B. Outages of business-critical systems cost too much money

  C. The CSIRT does not consider the systems engineer to be trustworthy

  D. Memory contents including fileles malware are lost when the power is turned off

  Correct Answer: A

• Question 102:

  A major manufacturing company updated its internal infrastructure and just started to allow OAuth application to access corporate data Data leakage is being reported.

  Which of following most likely caused the issue?

  A. Privilege creep

  B. Unmodified default

  C. TLS

  D. Improper patch management

  Correct Answer: B

• Question 103:

  A retail store has a business requirement to deploy a kiosk computer In an open area The kiosk computer's operating system has been hardened and tested. A security engineer is concerned that someone could use removable media to

  install a rootkit.

  Which should the security engineer configure to BEST protect the kiosk computer?

  A. Measured boot

  B. Boot attestation

  C. UEFI

  D. EDR

  Correct Answer: A

• Question 104:

  A security administrator is compiling information from all devices on the local network in order to gain better visibility into user activities. Which of the following is the best solution to meet this objective?

  A. SIEM

  B. HIDS

  C. CASB

  D. EDR

  Correct Answer: A

  SIEM stands for Security Information and Event Management, which is a solution that can collect, correlate, and analyze security logs and events from various devices on a network. SIEM can provide better visibility into user activities by generating reports, alerts, dashboards, and metrics. SIEM can also help detect and respond to security incidents, comply with regulations, and improve security posture.

• Question 105:

  Which of the following incident response phases should the proper collection of the detected 'ocs and establishment of a chain of custody be performed before?

  A. Containment

  B. Identification

  C. Preparation

  D. Recovery

  Correct Answer: A

  Containment is the phase where the incident response team tries to isolate and stop the spread of the incident12. Before containing the incident, the team should collect and preserve any evidence that may be useful for analysis and investigation12 . This includes documenting the incident details, such as date, time, location, source, and impact12. It also includes establishing a chain of custody, which is a record of who handled the evidence, when, where, how, and why3. A chain of custody ensures the integrity and admissibility of the evidence in court or other legal proceedings3.

• Question 106:

  While performing a threat-hunting exercise, a security analyst sees some unusual behavior occurring in an application when a user changes the display name. The security analyst decides to perform a static code analysis and receives the following pseudocode:

  

  Which of the following attack types best describes the root cause of the unusual behavior?

  A. Server-side request forgery

  B. Improper error handling

  C. Buffer overflow

  D. SQL injection

  Correct Answer: D

  SQL injection is one of the most common web hacking techniques. SQL injection is the placement of malicious code in SQL statements, via web page input12. A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system3. According to the pseudocode given in the question, the application takes a user input for display name and concatenates it with a SQL query to update the user's profile. This is a vulnerable practice that allows an attacker to inject malicious SQL code into the query and execute it on the database. For example, an attacker could enter something like this as their display name: John'; DROP TABLE users; -This would result in the following SQL query being executed: UPDATE profile SET displayname = 'John'; DROP TABLE users; --' WHERE userid = 1; The semicolon (;) terminates the original update statement and starts a new one that drops the users table. The double dash (? comments out the rest of the query. This would cause a catastrophic loss of data for the application.

• Question 107:

  A security team is engaging a third-party vendor to do a penetration test of a new proprietary application prior to its release. Which of the following documents would the third-party vendor most likely be required to review and sign?

  A. SLA

  B. NDA

  C. MOU

  D. AUP

  Correct Answer: B

  NDA stands for Non-Disclosure Agreement, which is a legal contract that binds the parties to keep confidential information secret and not to disclose it to unauthorized parties. A third-party vendor who is doing a penetration test of a new proprietary application would most likely be required to review and sign an NDA to protect the intellectual property and trade secrets of the security team.

• Question 108:

  A Chief Information Security Officer (CISO) wants to implement a new solution that can protect against certain categories of websites, whether the employee is in the offer or away. Which of the following solutions should the CISO implement?

  A. VAF

  B. SWG

  C. VPN

  D. WDS

  Correct Answer: B

  A secure web gateway (SWG) is a solution that can filter and block malicious or inappropriate web traffic based on predefined policies. It can protect users from web- based threats, such as malware, phishing, or ransomware, whether they are in the office or away. An SWG can be deployed as a hardware appliance, a software application, or a cloud service. References: https://www.comptia.org/content/guides/what-is-a-secure-web- gateway

• Question 109:

  While reviewing the /etc/shadow file, a security administrator notices files with the same values. Which of the following attacks should the administrator be concerned about?

  A. Plaintext

  B. Birthdat

  C. Brute-force

  D. Rainbow table

  Correct Answer: D

  Rainbow table is a type of attack that should concern a security administrator when reviewing the /etc/shadow file. The /etc/shadow file is a file that stores encrypted passwords of users in a Linux system. A rainbow table is a precomputed table of hashes and their corresponding plaintext values that can be used to crack hashed passwords. If an attacker obtains a copy of the /etc/shadow file, they can use a rainbow table to find the plaintext passwords of users.

  References: https://www.comptia.org/certifications/security#examdetails https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives https://www.geeksforgeeks.org/rainbow-table-in-cryptography/

• Question 110:

  An engineer is using scripting to deploy a network in a cloud environment. Which the following describes this scenario?

  A. SDLC

  B. VLAN

  C. SDN

  D. SDV

  Correct Answer: C

  SDN stands for software-defined networking, which is an approach to networking that uses software-based controllers or application programming interfaces (APIs) to communicate with underlying hardware infrastructure and direct traffic on a network. SDN decouples the network control plane from the data plane, enabling centralized management and programmability of network resources. SDN can help an engineer use scripting to deploy a network in a cloud environment by allowing them to define and automate network policies, configurations, and services through software commands.

  References: https://www.comptia.org/certifications/security#examdetails https://www.comptia.org/content/guides/comptia- security-sy0-601-exam-objectives https://www.cisco.com/c/en/us/solutions/software-defined-networking/overview.html