Chapter 1

What is the purpose of network reconnaissance in the context of network security?

To gather detailed information about the network and its devices

What is the purpose of the pipe operator (|) in the command ’sudo cat /var/log/auth.log | more’?

It sends the results of the first command to the second command

What principle ensures that systems are available when needed and often addresses single points of failure in network systems?

Redundancy and Fault Tolerance

What is used to query the Linux system logging utility (journald) and why?

journalctl, because journald stores log data in binary.

What is the purpose of redundancy in networking?

To ensure high availability and fault tolerance

What information does the auth.log contain in a Linux system?

Information related to successful and unsuccessful logins

What is a major function of a ’Log collector’ as it pertains to a Security Information and Event Management (SIEM)?

Log collectors gather log data from devices within the network and store them in a searchable database.

What is risk in the context of IT security?

Risk is the possibility of a threat exploiting a vulnerability resulting in a loss.

What type of information does the ’date’ field record in the Common Log format standardized by the World Wide Web Consortium (W3C)?

The date and time of the request

What does the ’Alternate flow’ element in a use case describe?

The variations in the execution of use case when conditions change or when exceptions occur.

What does the command ’sudo cat /var/log/auth.log’ do in Linux?

Displays the entire content of the auth.log file

What is one of the methods utilized by organizations to keep their systems available?

Regularly updating the system with current patches

How can a systems administrator use the ’ping’ command to assess organizational security?

By using it to verify that firewalls, routers, and Intrusion Prevention Systems (IPSs) block ICMP traffic when configured to do so

In the context of security controls, what purpose does change management serve?

It ensures that changes don’t result in unintended outages

Why might organizations choose not to encrypt all of their data despite the increase in security?

Encryption increases the data volume by about 40 percent, requiring more resources.

What is the content of the NIST SP 800-53 Revision 5?

It provides detailed information on security controls, divided into 20 different families.

What is the role of ’Data Inputs’ in a Security Information and Event Management (SIEM) system?

To collect log data from various sources such as routers, firewalls and servers

Which of the following statements is true about the sensitivity levels in a SIEM system?

Setting the sensitivity levels correctly helps limit false positives and avoid false negatives

Which of the following best describes what Corrective controls do according to the CompTIA?

They reverse the impact of an incident

What is included in ’Physical and environmental protection’ as an operational control?

Physical controls like cameras and door locks and heating and ventilation systems

What does log aggregation in a Security Information and Event Management (SIEM) system refer to?

It refers to the combination of dissimilar items into a similar format.

What type of control can a lock be classified as, in addition to being a physical control?

Deterrent control

What does the command sudo ifconfig eth0 do on Linux systems?

Shows the configuration of the first Ethernet interface (NIC)

What does the ’arp -a’ command do in the context of a Windows operating system?

It shows the ARP cache

What are the key elements of access controls that help ensure the confidentiality of data?

Identification, Authentication, Authorization

Which of the following is a function that firewalls perform as a technical control?

Restrict network traffic going in and out of a network

What does sentiment analysis refer to within a SIEM system?

It refers to the analysis of text to detect an opinion or emotion and uses UBA technologies to observe user behaviors to detect unwanted behavior.

What is the ’host’ in the context of Network logs and Common Log Format?

The IP address or hostname of the client requesting the page

Most SIEM systems include multiple built-in reports. What do these reports typically cover?

Network traffic event monitoring and device events

What is the primary difference between scalability and elasticity in terms of system availability?

Scalability refers to manually adding or removing resources, while elasticity is about dynamically managing resources.

What is the primary purpose of using physical locks as a part of security controls?

To deter potential attacks and unauthorized access

What type of information does the /var/log/auth.log file contain on a Linux system?

It contains information related to successful and unsuccessful logins.

What does the ’ping 192.168.1.1’ command do?

It verifies if your machine can connect with the computer at the IP address 192.168.1.1

Which log file in a Linux system contains entries generated during system boot-up?

var/log/boot.log

Which is NOT a correct definition of a particular control type according to CompTIA?

Corrective controls attempt to discourage individuals from causing an incident.

What is the primary purpose of a cable lock as a deterrent control?

To deter potential thieves by securing the laptop to furniture

What is the CIA security triad in the context of organizational security principles?

Confidentiality, Integrity, and Availability

What is stored in the var/log/messages file?

A wide variety of general system messages

In the context of network logs, what does the ’status’ refer to?

The HTTP status code returned to the client

What is a key benefit of using a centralized security information and event management (SIEM) system in a large organization?

It collects data from various sources and stores them in a searchable database

Which of the following is NOT an example of a detective control?

Password complexity policy

What is a discriminating feature about the NXLog Community Edition compared to other log management tools?

It supports log formats for Windows, such as event log entries

What does the authuser field in a web server log typically record?

The logon name of the user requested in the page, if the user logged on.

Which of the following best describes Detective controls, in terms of security controls?

Controls that attempt to detect incidents after they have occurred.

What are the key elements of access controls?

Identification, Authentication, Authorization

Which of the following accurately describes a common capability of a SIEM system?

 Collects log data and stores it in a searchable database

Which of the following is NOT a control type listed by CompTIA in the Security+ objectives?

Spatial controls

Which of the following best describes the purpose of preventative controls in IT security?

To prevent security incidents from occurring

Which command provides a comprehensive listing of TCP/IP configuration for each NIC, including MAC address, address of assigned DNS servers and address of a DHCP server?

ipconfig /all and ifconfig -a

What is the role of antivirus software as a technical control?

After it’s installed, it protects against malware infection.

What does the /var/log/messages log contain in a Linux environment?

A wide variety of general system messages, including some messages logged during startup, some messages related to mail, the kernel, and messages related to authentication

Which of the following options accurately describes technical controls, as per the CompTIA Security+ objectives?

They use technology such as hardware, software, and firmware to reduce vulnerabilities.

What is the purpose of the ’journalctl –list-boots’ command in Linux system?

It shows the available boot logs

Which command is used to search for a specific text in a file?

grep

What does the ’ifconfig eth0’ command in a Linux-based system do?

 It shows the configuration of the first Ethernet interface (NIC).

Why is time synchronization important in a SIEM system?

It ensures all servers sending data to SIEM are synchronized with the same time

A network log entry in the Common Log format standardized by the W3C typically contains which of the following details?

The IP address or hostname of the client requesting the page

What does the ’ip -s link’ command do on Linux systems?

It shows statistics on the network interfaces

What is the role of ’Deterrent controls’ in Organization’s security policy?

Deter individuals from causing an incident

What is the function of a correlation engine in a SIEM system?

It collects and analyzes event log data from various systems within the network, looking for common attributes and detecting patterns of potential security events

What is the function of the ’logger’ command in the CompTIA Security+ context?

It enables users to create entries in the /var/log/syslog file from the terminal or scripts and applications

What does the TIME_WAIT state indicate in the netstat command?

The system is waiting for enough time to pass to be sure the remote system received a TCP-based acknowledgment of the connection.

What information does the ’Netstat -a’ command display on a system?

Displays a listing of all TCP and UDP ports that a system is listening on, in addition to all open connections

What does the ’ifconfig eth0 promisc’ command do on a Linux system?

It enables promiscuous mode on the first Ethernet interface.

What is the function of video surveillance as a detective control in a security setting?

It detects when vulnerabilities have been exploited after an incident has occurred

Which Windows log type records auditable events, such as a user’s success or failure in performing actions like logging on or deleting a file, by default?

Security log

What does ’WORM’ refer to in the context of a security information and event management (SIEM) system?

Write Once Read Many

What does the command ’sudo head /var/log/syslog’ do?

It shows the first 10 lines of the syslog file.

What is the purpose of compensating controls in a security framework?

To act as alternative controls when a primary control is not feasible

What does the ’more’ command do when used in conjunction with the ’cat’ command in a Linux environment?

It allows you to view the contents of a file one page at a time

What is the primary function of managerial controls in a security structure?

They are primarily administrative and documented in an organization’s security policy.

What role do security guards play as a type of preventative control?

They stop unauthorized access into secure areas by verifying user identities

What does the term ’least privilege’ in the context of technical controls refer to?

It refers to the minimum level of access required to perform tasks or functions.

What does the ’bytes’ denote in the Common Log format standardized by the World Wide Web Consortium (W3C)?

The byte length of the reply

What does the pathping -n command do in network administration?

It prints only IP addresses instead of both hostnames and IP addresses.

What does the command ’chmod 760 filename’ represent in Linux?

Read, write, and execute permissions for the owner, read and write for the group, and none for all others

What is the purpose of using the command ’sudo grep “authentication failure”/var/log/auth.log’?

To search for a specific text within a file

What is the result of running the command ’sudo cat /var/log/auth.log’ in a Linux system?

The command will display the entire contents of the auth.log file

What is the purpose of using the ping command to check name resolution based on the provided passage?

To verify that the name resolution process from hostname to IP address is working correctly

What is the primary function of the ’head’ command in the context of log files?

It shows the first 10 lines of a file

What is the definition of risk in the context of IT security?

The possibility or likelihood of a threat exploiting a vulnerability resulting in a loss

What is the primary function of the ’ipconfig’ command on a Windows system?

It provides Transmission Control Protocol/Internet Protocol (TCP/IP) configuration information for a system

What does the ’netstat -p tcp’ command do?

Displays statistics on a specific protocol, such as TCP

What does the ’Netstat -e’ command do?

It displays details on network statistics, including how many bytes the system sent and received

What does the pathping command do?

It identifies all the hops on the path between two systems and computes statistics based on the number of ping responses from each.

What are the two types of common managerial controls in an organization’s written security policy, according to the given text?

Risk assessments and Vulnerability assessments

What is event deduplication in the context of a Security Information and Event Management (SIEM) system?

It is the process of removing duplicate entries by ensuring that the SIEM stores only a single copy of any duplicate log entries and associates the entries with all sources.

Which of the following is NOT an example of a corrective or recovery control?

System monitoring tools

What does the /var/log/faillog Linux log file contain information about?

Failed login attempts

What is the primary function of the ’ping -t 192.168.1.1’ command on a Windows system?

It sends a continuous stream of ICMP echo requests until stopped manually

What is a key function of Security information and event management (SIEM) systems as a detective control?

 It detects trends and raises alerts in real time

What does the ’Netstat -n’ command do?

Displays addresses and port numbers in numerical order.

What is the function of the ’ipconfig /flushdns’ command?

It erases the contents of the DNS cache

Which tool helps in detecting malicious traffic after it enters a network in the context of detective controls?

Intrusion detection system (IDS)

What type of events does the Application log record in a Windows operating system?

Events sent to it by applications or programs running on the system

What is a common goal of fault tolerance and redundancy techniques in an information system?

To remove each single point of failure (SPOF)

Which of the following best describes the function of disk redundancies in the context of availability and fault tolerance?

Disk redundancies, such as RAID-1, RAID-5, and RAID-10, allow a system to continue to operate even if a disk fails.

What does the ’user-identifier’ field in the Common Log Format represent?

The name of the user requesting the page

What does the acronym LAMP stand for in the context of web hosting?

Linux, Apache, MySQL, PHP/Perl/Python

Which of the following best describes the combination of control categories and types based on the provided excerpt?

Encryption can be described as a preventative technical control.

What is the role of ’request’ in the data logged by a web server?

It contains the actual request line sent by the client.

What are the three types of permissions that can be modified with the chmod command on Linux system files and folders?

Read, Write, Execute

What is the unique functionality that Rsyslog provides as an improvement over Syslog-ng?

Ability to send log entries directly into database engines

What does the ’SYN_RECEIVED’ state in Netstat mean?

It indicates the system sent a TCP SYNACK packet after receiving a SYN packet, and it is now waiting for the ACK response to establish the connection.

What does the ESTABLISHED state in the netstat command output indicate?

This is the normal state for the data transfer phase of a connection.

What is a major feature of the Rsyslog software utility that differentiates it from Syslog-ng as mentioned in the provided text?

It has the ability to send log entries directly into database engines

What is the definition of risk in IT security context?

It is the possibility of a threat exploiting a vulnerability, resulting in loss.

What does the ’tail’ command in Unix or Linux do by default?

It displays the last 10 lines of a log file.

According to the ’Place Order’ use case, who are classified as the ’actors’?

Lisa, Billing system, and Fulfillment system

What does the ’Netstat -p protocol’ command do?

It shows statistics on a specific protocol, such as TCP or UDP

What is the function of the ’ip link show’ command?

It shows the interfaces along with some details on them

What does the SYN_SENT state indicate when using the netstat command?

The system sent a TCP SYN packet and is waiting for the SYN-ACK response

What does a protocol analyzer do in a SIEM system?

It captures network traffic and allows for analyzing individual packets.

What does the ’journalctl -1’ command do in a Linux system?

Retrieves the boot log identified with number -1

What are the two common managerial controls mentioned in the text?

Risk assessments and Vulnerability assessments

What is the function of sensors in a Security Information and Event Management (SIEM) system?

They collect logs from devices and send these logs to the SIEM system.

What is the purpose of User Behavior Analysis in a SIEM system?

To focus on what users are doing and look for abnormal patterns of activity that may indicate malicious intent

What does the /var/log/kern.log file do in Linux?

Logs information by the system kernel

What is one key feature of NXLog Enterprise Edition that is not included in the Community Edition?

It provides real-time event correlation and remote administration

What does Hardening mean in the context of preventative controls?

It is the practice of making a system or application more secure than its default configuration

What types of intrusions can the intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) monitor?

Both network and host intrusions

What is the primary function of backups and system recovery in corrective and recovery controls?

They enable system administrators to recover a system after a security breach

What is a common goal of fault tolerance and redundancy techniques in server redundancies?

To remove each single point of failure (SPOF)

What starts the use case in the scenario of Lisa purchasing an item online?

The trigger

What does the ’logger Backup started’ command do according to the text?

Adds a time-stamped entry of ’Backup started’ in the /var/log/syslog file

What does the ’-n 15’ switch specify when used with the ’sudo tail’ command in relation to the /var/log/messages file?

It specifies that the command should display the last 15 lines of the file.

What do log entries in a system help administrators and security investigators determine?

The location, time, and event that led to a security incident

What does a security incident refer to in IT security?

It refers to the situation when a threat exploits a vulnerability, resulting in a loss.

What does the ’Netstat -s’ command do?

Displays statistics of packets sent or received for specific protocols, such as IP, ICMP, TCP, and UDP.

What are some examples of preventative controls?

Hardening, training, security guards, change management, account disablement policy, Intrusion prevention system (IPS)

What are the features of Syslog-ng as an extension of syslogd on Linux-like systems?

It provides correlation and routing abilities to route log entries to any log analysis tool.

What is the purpose of the command ’sudo cat /var/log/auth.log | grep ’authentication failure’’ in a Linux system?

It searches for and displays all entries related to authentication failures in the auth.log file.

What information does the ’Netstat –r’ command on a system provide?

Display of the routing table

What does the Linux ’chmod g=r filename’ command do?

Gives read permissions to the owner group of the file

Which of the following commands enables promiscuous mode on the first Ethernet interface of a Linux-based system?

ifconfig eth0 promisc

Why might a ping command fail even if a system is operational and reachable?

The firewalls are blocking ICMP echo requests

What is the purpose of the correlation engine in a Security Information and Event Management (SIEM) system?

To collect and analyze event log data from various systems

Which of the following is NOT included in operational controls?

Software development

What is the correct naming strategy for a use case in systems analysis and software development?

Verb-noun format

What is the function of ARP?

It resolves IP addresses to MAC addresses

In the context of a use case, what does the term ’Normal flow’ refer to?

The order of steps in a use case.

What is the purpose of using encryption as a technical control?

To protect the confidentiality of data both transferred over a network and stored on devices

What would be the effect of the ’chmod o-x filename’ command on a Linux system?

It removes execute permission from all others for the specified file.

What is the primary task of the ’Log Monitoring’ as part of the detective controls?

To detect potential incidents and report after they’ve occurred

Which of the following is NOT an example of a detective control?

Firewall

Which of the following statements best describes a ’precondition condition’ within the context of use cases?

It is an essential state of affairs that must be met before the execution of use case can begin.

What does the command ’ping gcgapremium.com’ do?

It tells the computer to send 4 packets of data to the IP address associated with gcgapremium.com.

Which of the following is strongly recommended if you do not have a Linux system, according to the information given in the text above?

Check out the online labs

What are some capabilities of the hping command?

It can send pings using TCP, UDP, and ICMP.

What method is used to provide assurance that data has not changed and thus providing integrity?

Hashing techniques

Which media protection control best ensures the security of data on physical media like USB flash drives or backup tapes?

Locking devices safely in a secure location

What is the main function of detective controls in an organization’s security control system?

They attempt to detect incidents after they have occurred

What is the main function of detective controls in an organization’s security control system?

It limits the log entries displayed to only those from the last hour

What is the function of the ’-c’ switch when used with the ping command on a Linux system?

It specifies a count of how many times the ping command should send ICMP Echo requests.

What does the command ’arp -a 192.168.1.1’ do?

It displays the ARP cache entry for the specified IP address

What is the primary function of an Intrusion prevention system (IPS) in the context of preventative controls?

IPS blocks malicious traffic before it reaches a network

What are the key features of NXLog Enterprise Edition as compared to the Community Edition?

It includes all the features of the Community Edition and adds real-time event correlation and remote administration.

Which log of the operating system records events related to the functioning of the operating system such as when it starts, when it shuts down, and information on services starting and stopping?

System log

What is the purpose of an ’Account disablement policy’?

To guarantee that user accounts are disabled when an employee leaves the organization

Which of the following best describes automated triggers in the context of a SIEM system?

They are actions in response to a predefined number of repeated events.

In a use case, what is meant by ’Postcondition’?

It is the action that occurs after the actor triggers the process

What type of information does the ’var/log/syslog’ file contain on a Linux system?

All system activity, including startup activity

What does the ’ipconfig /displaydns’ command do in a Windows system?

It shows the contents of the DNS cache and any hostname to IP address mappings included in the hosts file

What does the correlation engine in a SIEM system do?

Collects and analyzes event log data from various systems within the network.

Which is the correct description of the command ’ip link set eth0 up’ as per the text above?

It enables a network interface

What is the purpose of operational controls in organization’s overall security plan?

To reduce risks by training users to understand threats

What does the command netstat -anp tcp show you?

A listing of TCP ports that the system is listening on listed in numerical order

What is the role of Authentication in maintaining confidentiality as per the given text?

 It verifies the identity of the user as legitimate or not

What are response controls in the context of security?

Controls designed to prepare for and respond to security incidents

What is the primary function of the ’cat’ command in Linux?

It displays the contents of files

What does the ’ifconfig eth0 allmulti’ command enable?

It enables multicast mode on the NIC

What is the main purpose of a tracert, or traceroute, command?

It is used to determine the number of hops it takes to reach a destination

What is a compensating control as described in the context of network security?

An alternative security measure used when a primary control cannot be implemented immediately

Which of the following accurately describes a function provided by security information and event management (SIEM) systems?

SIEM systems combine log data from various devices and store it in a searchable database for easy analysis.

What is the difference between scalability and elasticity in terms of system availability?

Scalability refers to manually adjusting resources to handle workload, while elasticity refers to automatic adjustment in response to workload changes.

What is the role of a syslog collector?

It receives messages from external devices and applications on the same system

Which statement best describes the meaning of the ’ping -c 4 192.168.1.1’ command?

It sends four ICMP echo request packets to the IP address 192.168.1.1.

What are two common types of managerial controls described in the given text?

Vulnerability assessments and Risk assessments

Which of the following is an example of deterrent control in terms of physical security?

Cable locks on laptops

Which of the following is a NOT a common feature of a SIEM system?

Synthesizing new malware for system testing.

Which statement describes operational controls in the context of organizational security?

Operational controls include training to help users understand threats such as phishing and malware

Which of the following is NOT an example of a technical control?

Motion detectors

What does the ’CLOSE_WAIT’ state indicate when using the netstat command?

The system is waiting for a connection termination request.

Which of the following methods is used to ensure confidentiality by scrambling data, thereby making it unreadable to unauthorized personnel?

Encryption

What is the primary function of the Security log in a Windows system?

To function as a security log, audit log, and access log, recording auditable events such as successes or failures

What is the primary goal of corrective and recovery controls?

All of the above

How can you limit the output of the journalctl command to only logs from the last hour?

journalctl — since ’1 hour ago’

What does the ’LISTEN’ state in the netstat command indicate?

The system is waiting for a connection request.

What does /var/log/httpd/ directory contain in Linux as pointed out by CompTIA Security+ exam?

Access and error logs related to Apache web server

What is the purpose of power redundancies in ensuring a system’s availability?

They provide power to key systems even if commercial power fails

Which of the following techniques can be used to ensure data confidentiality?

Encryption

What is the primary use of the ’Netstat -n’ command?

Display addresses and port numbers in numerical order.

Which of the following is NOT an example of a preventative control type?

Encryption

What is the purpose of motion detection as a detective control in terms of security?

To detect when vulnerabilities have been exploited after an event