[Free] 2017(Sep) EnsurePass Passguide CompTIA SY0-401 Dumps with VCE and PDF 671-680

September 20, 2017

CompTIA Security Certification

Question No: 671 – (Topic 3)

A computer is found to be infected with malware and a technician re-installs the operating system. The computer remains infected with malware. This is an example of:

  1. a rootkit.

  2. a MBR infection.

  3. an exploit kit.

  4. Spyware.

Answer: B

Explanation:

An MBR infection is malware written into the Master Boot Record (MBR) of a hard disk. The MBR sits in the first sector of the disk, outside any file system, so reinstalling the operating system (which only rewrites the OS partition) does not remove it; the malicious boot code runs again before the fresh OS loads. A ‘bootkit’ is a rootkit that infects the Master Boot Record. Cleaning one requires rewriting the boot sector (on Windows, for example, bootrec /fixmbr from the recovery environment) or wiping the whole disk, not just the partition.

Bootkits are an advanced form of rootkits that take the basic functionality of a rootkit and extend it with the ability to infect the master boot record (MBR) or volume boot record (VBR) so that the bootkit remains active even after a system reboot.

Bootkits are designed to not only load from the master boot record but also remain active in the system memory from protected mode through the launch of the operating system and during the computer’s active state.

Question No: 672 – (Topic 3)

Which of the following types of wireless attacks would be used specifically to impersonate another WAP in order to gain unauthorized information from mobile users?

  1. IV attack

  2. Evil twin

  3. War driving

  4. Rogue access point

Answer: B

Explanation:

An evil twin, in the context of network security, is a rogue or fake wireless access point (WAP) that appears as a genuine hotspot offered by a legitimate provider.

In an evil twin attack, an eavesdropper or hacker fraudulently creates this rogue hotspot to collect the personal data of unsuspecting users. Sensitive data can be stolen by spying on a connection or using a phishing technique.

For example, a hacker using an evil twin exploit may be positioned near an authentic Wi-Fi access point and discover the service set identifier (SSID) and frequency. The hacker may then send a radio signal using the exact same frequency and SSID. To end users, the rogue evil twin appears as their legitimate hotspot with the same name.

In wireless transmissions, evil twins are not a new phenomenon. Historically, they were known as honeypots or base station clones. With the advancement of wireless technology and the use of wireless devices in public areas, it is very easy for novice users to set up evil twin exploits.

Question No: 673 – (Topic 3)

Ann, the security administrator, received a report from the security technician, that an unauthorized new user account was added to the server over two weeks ago. Which of the following could have mitigated this event?

  1. Routine log audits

  2. Job rotation

  3. Risk likelihood assessment

  4. Separation of duties

Answer: A

Explanation:

When a new user account is created, an entry is written to the system’s event or audit log (on Windows, for example, Security event ID 4720, “A user account was created”). By routinely auditing these logs, the administrator would have learned of the unauthorized account within a day or two instead of more than two weeks later. Job rotation, separation of duties and risk likelihood assessment are preventive or planning controls; none of them detects an account that has already been added.

Question No: 674 – (Topic 3)

A computer supply company is located in a building with three wireless networks. The system security team implemented a quarterly security scan and saw the following.


Computer AreUs1connected170dbm Computer AreUs2connected580dbm Computer AreUs3connected375dbm Computer AreUs4connected695dbm

Which of the following is this an example of?

  1. Rogue access point

  2. Near field communication

  3. Jamming

  4. Packet sniffing

Answer: A

Explanation:

The question states that the building has three wireless networks. However, the scan is showing four wireless networks with the SSIDs: Computer AreUs1 , Computer AreUs2 , Computer AreUs3 and Computer AreUs4. Therefore, one of these wireless networks probably shouldn’t be there. This is an example of a rogue access point.

A rogue access point is a wireless access point that has either been installed on a secure company network without explicit authorization from a local network administrator, or has been created to allow a hacker to conduct a man-in-the-middle attack. Rogue access points of the first kind can pose a security threat to large organizations with many employees, because anyone with access to the premises can install (maliciously or non- maliciously) an inexpensive wireless router that can potentially allow access to a secure network to unauthorized parties. Rogue access points of the second kind target networks that do not employ mutual authentication (client-server server-client) and may be used in conjunction with a rogue RADIUS server, depending on security configuration of the target network.

To prevent the installation of rogue access points, organizations can install wireless intrusion prevention systems to monitor the radio spectrum for unauthorized access points.

Question No: 675 – (Topic 3)

An administrator has to determine host operating systems on the network and has deployed a transparent proxy. Which of the following fingerprint types would this solution use?

  1. Packet

  2. Active

  3. Port

  4. Passive

Answer: D

Explanation:

TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters may then be used to infer the remote machine’s operating system (OS fingerprinting), or incorporated into a device fingerprint.

Certain parameters within the TCP protocol definition are left up to the implementation. Different operating systems and different versions of the same operating system set different defaults for these values. By collecting and examining these values, one may differentiate among various operating systems, and implementations of TCP/IP. Just inspecting the Initial TTL and window size TCP/IP fields is often enough in order to successfully identify an operating system, which eases the task of performing manual OS fingerprinting.

Passive OS fingerprinting is the examination of a passively collected sample of packets from a host in order to determine its operating system platform. It is called passive because it doesn’t involve communicating with the host being examined.

In this question, the proxy uses passive fingerprinting because it is a ‘transparent proxy’: it sits inline and sees every packet the hosts already send through it, so it can read the TTL, window size and TCP options of their normal traffic without sending probes of its own. Active fingerprinting (as performed by a port scanner with OS detection enabled) would instead send crafted packets to each host and analyse the replies, which is both visible to the host and unnecessary here.
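The passive method the explanation describes, as an added example (this code is not part of the exam dump and not any vendor’s implementation). It parses a raw IPv4 + TCP packet with the standard struct module, recovers the original TTL by rounding the observed value up to the nearest common default (64, 128, 255), and looks the initial window size up in a small signature table. The signature table and the make_syn() helper that builds sample packets are assumptions for illustration; the window values are typical defaults, not an authoritative database.

```python
import struct

# Initial TTL values set by the main OS families when they originate a packet.
# Each router hop decrements TTL by one, so the observed value is usually a
# little below one of these; rounding up to the next one recovers the default.
INITIAL_TTLS = (64, 128, 255)

# Illustrative signature table (assumed, not exhaustive): (initial TTL, SYN window size).
SIGNATURES = {
    (64, 29200): "Linux (3.x+ default initial window)",
    (64, 65535): "FreeBSD / macOS-like stack",
    (128, 8192): "Windows 7 or later",
    (128, 65535): "Windows (older)",
}
TTL_FAMILY = {64: "Linux/BSD/macOS family", 128: "Windows family", 255: "Cisco IOS / Solaris-style"}

TCP_SYN = 0x02
TCP_ACK = 0x10


def parse_ipv4_tcp(packet: bytes):
    """Pull TTL, TCP flags and window size out of a raw IPv4 + TCP packet (no link layer)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    ttl, proto = packet[8], packet[9]
    if proto != 6:
        raise ValueError("not TCP")
    # sport, dport, seq, ack, data-offset/flags, window
    _, _, _, _, off_flags, window = struct.unpack("!HHIIHH", packet[ihl:ihl + 16])
    return ttl, off_flags & 0x1FF, window


def infer_initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the nearest common default."""
    for t in INITIAL_TTLS:
        if observed <= t:
            return t
    return 255


def fingerprint(packet: bytes):
    """Return a guess for a SYN packet (the only one carrying the initial window), else None."""
    ttl, flags, window = parse_ipv4_tcp(packet)
    if not flags & TCP_SYN or flags & TCP_ACK:
        return None
    initial = infer_initial_ttl(ttl)
    return {
        "initial_ttl": initial,
        "hops": initial - ttl,
        "window": window,
        "guess": SIGNATURES.get((initial, window), TTL_FAMILY.get(initial, "unknown")),
    }


def make_syn(ttl: int, window: int, flags: int = TCP_SYN) -> bytes:
    """Constructed sample packet: minimal IPv4 header + TCP header, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    tcp = struct.pack("!HHIIHHHH", 49152, 80, 0, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for ttl, win in ((57, 29200), (118, 8192), (250, 4128)):
        print(fingerprint(make_syn(ttl, win)))
```

A real passive fingerprinter also reads the TCP options (MSS, window scale, SACK, timestamps) and their order, which separate stacks far more reliably than TTL and window alone; the hop count derived here is itself useful, since a host that claims to be on the local segment but arrives with several hops missing is worth a look.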

Question No: 676 – (Topic 3)

Which of the following would MOST likely involve GPS?

  1. Wardriving

  2. Protocol analyzer

  3. Replay attack

  4. WPS attack

Answer: A

Explanation:

War driving, also called access point mapping, is the act of locating and possibly exploiting connections to wireless local area networks while driving around a city or elsewhere. To do war driving, you need a vehicle, a computer (which can be a laptop), a wireless card that can be put into monitor mode so it captures 802.11 frames for every network in range, and some kind of antenna which can be mounted on top of or positioned inside the car. A GPS (Global Positioning System) receiver is used to record your location as each network is detected, so the collected SSIDs can be plotted on a map.

Question No: 677 – (Topic 3)

An administrator is investigating a system that may potentially be compromised, and sees the following log entries on the router.

*Jul 15 14:47:29.779:%Router1: list 101 permitted tcp (FastEthernet 0/3) -> (6667), 3 packets.

*Jul 15 14:47:38.779:%Router1: list 101 permitted tcp (FastEthernet 0/3) -> (6667), 6 packets.

*Jul 15 14:47:45.779:%Router1: list 101 permitted tcp (FastEthernet 0/3) -> (6667), 8 packets.

Which of the following BEST describes the compromised system?

  1. It is running a rogue web server

  2. It is being used in a man-in-the-middle attack

  3. It is participating in a botnet

  4. It is an ARP poisoning attack

Answer: C

Explanation:

In this question, a single source computer behind FastEthernet 0/3 is repeatedly sending TCP traffic to a single destination on port 6667, and the packet count grows with every log entry. TCP 6667 is the default port for IRC (Internet Relay Chat). IRC is the classic command-and-control channel for botnets: the infected host joins a channel and waits for the bot-herder’s instructions, so a persistent outbound 6667 connection from a workstation that has no business chatting on IRC is a strong sign the system is participating in a botnet. None of the other options fit: a rogue web server would be receiving inbound connections on 80 or 443, and man-in-the-middle or ARP poisoning would show up as layer 2 activity on the local segment, not as outbound TCP logged by an access list.

Software running on infected computers, called zombies, is collectively known as a botnet. Bots, by themselves, are only a form of software that runs automatically and autonomously. (For example, Google uses the Googlebot to find web pages and bring back values for the index.)

Botnet, however, has come to be the word used to describe malicious software running on a zombie and under the control of a bot-herder.

Denial-of-service attacks-DoS and DDoS-can be launched by botnets, as can many forms of adware, spyware, and spam (via spambots). Most bots are written to run in the background with no visible evidence of their presence. Many malware kits can be used to create botnets and modify existing ones.
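The detection the explanation reasons through by hand, as an added example that is not part of the exam dump. It parses Cisco IOS access-list log messages of the kind shown above, groups permitted TCP flows by source, destination and port, and reports hosts that keep talking to an IRC port. The sample log lines are constructed: they follow the page’s format with documentation addresses filled in (the page’s own lines have the addresses stripped), and the “%SEC-6-IPACCESSLOGP” message name and the IRC port range are assumptions taken from general IOS and IRC knowledge, not from the question.

```python
import re
from collections import defaultdict

# Default IRC port is 6667; the 6660-6669 range and 6697 (IRC over TLS) are also
# commonly used. Treat all of them as IRC for this check (assumption).
IRC_PORTS = set(range(6660, 6670)) | {6697}

# Matches the payload of an IOS IPACCESSLOGP message:
#   list 101 permitted tcp 192.0.2.10(49152) (FastEthernet0/3) -> 198.51.100.5(6667), 3 packets
LOG_RE = re.compile(
    r"list (?P<acl>\d+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) \((?P<iface>[^)]+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<packets>\d+) packets?"
)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
*Jul 15 14:47:29.779: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(49152) (FastEthernet0/3) -> 198.51.100.5(6667), 3 packets
*Jul 15 14:47:31.102: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.23(51000) (FastEthernet0/5) -> 203.0.113.7(443), 12 packets
*Jul 15 14:47:38.779: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(49152) (FastEthernet0/3) -> 198.51.100.5(6667), 6 packets
*Jul 15 14:47:40.500: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.11(50111) (FastEthernet0/4) -> 198.51.100.5(6667), 1 packet
*Jul 15 14:47:45.779: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(49152) (FastEthernet0/3) -> 198.51.100.5(6667), 8 packets
"""


def parse_acl_log(lines):
    """Return one dict per parseable ACL log line; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        for key in ("sport", "dport", "packets"):
            e[key] = int(e[key])
        events.append(e)
    return events


def find_irc_flows(events, min_hits=3):
    """Group permitted TCP flows to IRC ports; return those logged at least min_hits times.

    The packet counts are the values IOS reported per log interval; summing them
    gives the total traffic the ACL saw on that flow.
    """
    flows = defaultdict(lambda: {"hits": 0, "packets": 0})
    for e in events:
        if e["action"] == "permitted" and e["proto"] == "tcp" and e["dport"] in IRC_PORTS:
            flow = flows[(e["src"], e["dst"], e["dport"])]
            flow["hits"] += 1
            flow["packets"] += e["packets"]
    return {k: v for k, v in flows.items() if v["hits"] >= min_hits}


if __name__ == "__main__":
    for (src, dst, dport), stats in find_irc_flows(parse_acl_log(SAMPLE_LOG.splitlines())).items():
        print(f"possible bot: {src} -> {dst}:{dport} seen {stats['hits']} times, {stats['packets']} packets")
```

The threshold of three repeated entries is arbitrary; in practice the useful refinement is an allowlist of hosts that legitimately use IRC and an alert on any other internal source, since a real C2 client may also use a non-standard port, which this port-based check would miss.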

Question No: 678 – (Topic 3)

A system administrator has noticed a vulnerability on a high impact production server. A recent update was made available by the vendor that addresses the vulnerability but requires a reboot of the system afterwards. Which of the following steps should the system administrator implement to address the vulnerability?

  1. Test the update in a lab environment, schedule downtime to install the patch, install the patch and reboot the server and monitor for any changes

  2. Test the update in a lab environment, backup the server, schedule downtime to install the patch, install the patch, and monitor for any changes

  3. Test the update in a lab environment, backup the server, schedule downtime to install the patch, install the update, reboot the server, and monitor for any changes

  4. Backup the server, schedule downtime to install the patch, install the patch and monitor for any changes

Answer: C

Explanation:

We have an update to apply to fix the vulnerability. The update should be tested first in a lab environment, not on the production server to ensure it doesn’t cause any other problems with the server. After testing the update, we should backup the server to enable us to roll back any changes in the event of any unforeseen problems with the update. The question states that the server will require a reboot. This will result in downtime so you should schedule the downtime before installing the patch. After installing the update, you should monitor the server to ensure it is functioning correctly.

Question No: 679 – (Topic 3)

An auditor’s report discovered several accounts with no activity for over 60 days. The accounts were later identified as contractors’ accounts; the contractors would be returning in three months and would need to resume their activities. Which of the following would mitigate and secure the auditor’s finding?

  1. Disable unnecessary contractor accounts and inform the auditor of the update.

  2. Reset contractor accounts and inform the auditor of the update.

  3. Inform the auditor that the accounts belong to the contractors.

  4. Delete contractor accounts and inform the auditor of the update.

Answer: A

Explanation:

A disabled account cannot be used. It is ‘disabled’. Whenever an employee leaves a company, the employee’s user account should be disabled. The question states that the accounts are contractors’ accounts who would be returning in three months. Therefore, it would be easier to keep the accounts rather than deleting them which would require that the accounts are recreated in three months time. By disabling the accounts, we can ensure that the accounts cannot be used; in three months when the contractors are back, we can simply re-enable the accounts.

Question No: 680 – (Topic 3)

Which of the following BEST describes a protective countermeasure for SQL injection?

  1. Eliminating cross-site scripting vulnerabilities

  2. Installing an IDS to monitor network traffic

  3. Validating user input in web applications

  4. Placing a firewall between the Internet and database servers

Answer: C

Explanation:

By validating user input (rejecting or escaping characters such as quotes and comment markers that have meaning in SQL), we prevent attacker-supplied text from being interpreted as part of the SQL statement. Option A addresses a different vulnerability class (cross-site scripting), an IDS only observes attacks, and a firewall cannot distinguish a malicious query from a legitimate one because both arrive through the web application over an allowed connection. In practice the most robust countermeasure is to combine input validation with parameterized (prepared) queries, which keep data and SQL code separate regardless of what the input contains.

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application’s software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
