Chapter 1
What is the purpose of network reconnaissance in the context of network security?
To gather detailed information about the network and its devicesWhat is the purpose of the pipe operator (|) in the command ’sudo cat /var/log/auth.log | more’?
It sends the results of the first command to the second commandWhat principle ensures that systems are available when needed and often addresses single points of failure in network systems?
Redundancy and Fault ToleranceWhat is used to query the Linux system logging utility (journald) and why?
journalctl, because journald stores log data in binary.What is the purpose of redundancy in networking?
To ensure high availability and fault toleranceWhat information does the auth.log contain in a Linux system?
Information related to successful and unsuccessful loginsWhat is a major function of a ’Log collector’ as it pertains to a Security Information and Event Management (SIEM)?
Log collectors gather log data from devices within the network and store them in a searchable database.What is risk in the context of IT security?
Risk is the possibility of a threat exploiting a vulnerability resulting in a loss.What type of information does the ’date’ field record in the Common Log format standardized by the World Wide Web Consortium (W3C)?
The date and time of the requestWhat does the ’Alternate flow’ element in a use case describe?
The variations in the execution of use case when conditions change or when exceptions occur.What does the command ’sudo cat /var/log/auth.log’ do in Linux?
Displays the entire content of the auth.log fileWhat is one of the methods utilized by organizations to keep their systems available?
Regularly updating the system with current patchesHow can a systems administrator use the ’ping’ command to assess organizational security?
By using it to verify that firewalls, routers, and Intrusion Prevention Systems (IPSs) block ICMP traffic when configured to do soIn the context of security controls, what purpose does change management serve?
It ensures that changes don’t result in unintended outagesWhy might organizations choose not to encrypt all of their data despite the increase in security?
Encryption increases the data volume by about 40 percent, requiring more resources.What is the content of the NIST SP 800-53 Revision 5?
It provides detailed information on security controls, divided into 20 different families.What is the role of ’Data Inputs’ in a Security Information and Event Management (SIEM) system?
To collect log data from various sources such as routers, firewalls and serversWhich of the following statements is true about the sensitivity levels in a SIEM system?
Setting the sensitivity levels correctly helps limit false positives and avoid false negativesWhich of the following best describes what Corrective controls do according to the CompTIA?
They reverse the impact of an incidentWhat is included in ’Physical and environmental protection’ as an operational control?
Physical controls like cameras and door locks and heating and ventilation systemsWhat does log aggregation in a Security Information and Event Management (SIEM) system refer to?
It refers to the combination of dissimilar items into a similar format.What type of control can a lock be classified as, in addition to being a physical control?
Deterrent controlWhat does the command sudo ifconfig eth0 do on Linux systems?
Shows the configuration of the first Ethernet interface (NIC)What does the ’arp -a’ command do in the context of a Windows operating system?
It shows the ARP cacheWhat are the key elements of access controls that help ensure the confidentiality of data?
Identification, Authentication, AuthorizationWhich of the following is a function that firewalls perform as a technical control?
Restrict network traffic going in and out of a networkWhat does sentiment analysis refer to within a SIEM system?
It refers to the analysis of text to detect an opinion or emotion and uses UBA technologies to observe user behaviors to detect unwanted behavior.What is the ’host’ in the context of Network logs and Common Log Format?
The IP address or hostname of the client requesting the pageMost SIEM systems include multiple built-in reports. What do these reports typically cover?
Network traffic event monitoring and device eventsWhat is the primary difference between scalability and elasticity in terms of system availability?
Scalability refers to manually adding or removing resources, while elasticity is about dynamically managing resources.What is the primary purpose of using physical locks as a part of security controls?
To deter potential attacks and unauthorized accessWhat type of information does the /var/log/auth.log file contain on a Linux system?
It contains information related to successful and unsuccessful logins.What does the ’ping 192.168.1.1’ command do?
It verifies if your machine can connect with the computer at the IP address 192.168.1.1Which log file in a Linux system contains entries generated during system boot-up?
var/log/boot.logWhich is NOT a correct definition of a particular control type according to CompTIA?
Corrective controls attempt to discourage individuals from causing an incident.What is the primary purpose of a cable lock as a deterrent control?
To deter potential thieves by securing the laptop to furnitureWhat is the CIA security triad in the context of organizational security principles?
Confidentiality, Integrity, and AvailabilityWhat is stored in the var/log/messages file?
A wide variety of general system messagesIn the context of network logs, what does the ’status’ refer to?
The HTTP status code returned to the clientWhat is a key benefit of using a centralized security information and event management (SIEM) system in a large organization?
It collects data from various sources and stores them in a searchable databaseWhich of the following is NOT an example of a detective control?
Password complexity policyWhat is a discriminating feature about the NXLog Community Edition compared to other log management tools?
It supports log formats for Windows, such as event log entriesWhat does the authuser field in a web server log typically record?
The logon name of the user requested in the page, if the user logged on.Which of the following best describes Detective controls, in terms of security controls?
Controls that attempt to detect incidents after they have occurred.What are the key elements of access controls?
Identification, Authentication, AuthorizationWhich of the following accurately describes a common capability of a SIEM system?
Collects log data and stores it in a searchable databaseWhich of the following is NOT a control type listed by CompTIA in the Security+ objectives?
Spatial controlsWhich of the following best describes the purpose of preventative controls in IT security?
To prevent security incidents from occurringWhich command provides a comprehensive listing of TCP/IP configuration for each NIC, including MAC address, address of assigned DNS servers and address of a DHCP server?
ipconfig /all and ifconfig -aWhat is the role of antivirus software as a technical control?
After it’s installed, it protects against malware infection.What does the /var/log/messages log contain in a Linux environment?
A wide variety of general system messages, including some messages logged during startup, some messages related to mail, the kernel, and messages related to authenticationWhich of the following options accurately describes technical controls, as per the CompTIA Security+ objectives?
They use technology such as hardware, software, and firmware to reduce vulnerabilities.What is the purpose of the ’journalctl –list-boots’ command in Linux system?
It shows the available boot logsWhich command is used to search for a specific text in a file?
grepWhat does the ’ifconfig eth0’ command in a Linux-based system do?
It shows the configuration of the first Ethernet interface (NIC).Why is time synchronization important in a SIEM system?
It ensures all servers sending data to SIEM are synchronized with the same timeA network log entry in the Common Log format standardized by the W3C typically contains which of the following details?
The IP address or hostname of the client requesting the pageWhat does the ’ip -s link’ command do on Linux systems?
It shows statistics on the network interfacesWhat is the role of ’Deterrent controls’ in Organization’s security policy?
Deter individuals from causing an incidentWhat is the function of a correlation engine in a SIEM system?
It collects and analyzes event log data from various systems within the network, looking for common attributes and detecting patterns of potential security eventsWhat is the function of the ’logger’ command in the CompTIA Security+ context?
It enables users to create entries in the /var/log/syslog file from the terminal or scripts and applicationsWhat does the TIME_WAIT state indicate in the netstat command?
The system is waiting for enough time to pass to be sure the remote system received a TCP-based acknowledgment of the connection.What information does the ’Netstat -a’ command display on a system?
Displays a listing of all TCP and UDP ports that a system is listening on, in addition to all open connectionsWhat does the ’ifconfig eth0 promisc’ command do on a Linux system?
It enables promiscuous mode on the first Ethernet interface.What is the function of video surveillance as a detective control in a security setting?
It detects when vulnerabilities have been exploited after an incident has occurredWhich Windows log type records auditable events, such as a user’s success or failure in performing actions like logging on or deleting a file, by default?
Security logWhat does ’WORM’ refer to in the context of a security information and event management (SIEM) system?
Write Once Read ManyWhat does the command ’sudo head /var/log/syslog’ do?
It shows the first 10 lines of the syslog file.What is the purpose of compensating controls in a security framework?
To act as alternative controls when a primary control is not feasibleWhat does the ’more’ command do when used in conjunction with the ’cat’ command in a Linux environment?
It allows you to view the contents of a file one page at a timeWhat is the primary function of managerial controls in a security structure?
They are primarily administrative and documented in an organization’s security policy.What role do security guards play as a type of preventative control?
They stop unauthorized access into secure areas by verifying user identitiesWhat does the term ’least privilege’ in the context of technical controls refer to?
It refers to the minimum level of access required to perform tasks or functions.What does the ’bytes’ denote in the Common Log format standardized by the World Wide Web Consortium (W3C)?
The byte length of the replyWhat does the pathping -n command do in network administration?
It prints only IP addresses instead of both hostnames and IP addresses.What does the command ’chmod 760 filename’ represent in Linux?
Read, write, and execute permissions for the owner, read and write for the group, and none for all othersWhat is the purpose of using the command ’sudo grep “authentication failure”/var/log/auth.log’?
To search for a specific text within a fileWhat is the result of running the command ’sudo cat /var/log/auth.log’ in a Linux system?
The command will display the entire contents of the auth.log fileWhat is the purpose of using the ping command to check name resolution based on the provided passage?
To verify that the name resolution process from hostname to IP address is working correctlyWhat is the primary function of the ’head’ command in the context of log files?
It shows the first 10 lines of a fileWhat is the definition of risk in the context of IT security?
The possibility or likelihood of a threat exploiting a vulnerability resulting in a lossWhat is the primary function of the ’ipconfig’ command on a Windows system?
It provides Transmission Control Protocol/Internet Protocol (TCP/IP) configuration information for a systemWhat does the ’netstat -p tcp’ command do?
Displays statistics on a specific protocol, such as TCPWhat does the ’Netstat -e’ command do?
It displays details on network statistics, including how many bytes the system sent and receivedWhat does the pathping command do?
It identifies all the hops on the path between two systems and computes statistics based on the number of ping responses from each.What are the two types of common managerial controls in an organization’s written security policy, according to the given text?
Risk assessments and Vulnerability assessmentsWhat is event deduplication in the context of a Security Information and Event Management (SIEM) system?
It is the process of removing duplicate entries by ensuring that the SIEM stores only a single copy of any duplicate log entries and associates the entries with all sources.Which of the following is NOT an example of a corrective or recovery control?
System monitoring toolsWhat does the /var/log/faillog Linux log file contain information about?
Failed login attemptsWhat is the primary function of the ’ping -t 192.168.1.1’ command on a Windows system?
It sends a continuous stream of ICMP echo requests until stopped manuallyWhat is a key function of Security information and event management (SIEM) systems as a detective control?
It detects trends and raises alerts in real timeWhat does the ’Netstat -n’ command do?
Displays addresses and port numbers in numerical order.What is the function of the ’ipconfig /flushdns’ command?
It erases the contents of the DNS cacheWhich tool helps in detecting malicious traffic after it enters a network in the context of detective controls?
Intrusion detection system (IDS)What type of events does the Application log record in a Windows operating system?
Events sent to it by applications or programs running on the systemWhat is a common goal of fault tolerance and redundancy techniques in an information system?
To remove each single point of failure (SPOF)Which of the following best describes the function of disk redundancies in the context of availability and fault tolerance?
Disk redundancies, such as RAID-1, RAID-5, and RAID-10, allow a system to continue to operate even if a disk fails.What does the ’user-identifier’ field in the Common Log Format represent?
The name of the user requesting the pageWhat does the acronym LAMP stand for in the context of web hosting?
Linux, Apache, MySQL, PHP/Perl/PythonWhich of the following best describes the combination of control categories and types based on the provided excerpt?
Encryption can be described as a preventative technical control.What is the role of ’request’ in the data logged by a web server?
It contains the actual request line sent by the client.What are the three types of permissions that can be modified with the chmod command on Linux system files and folders?
Read, Write, ExecuteWhat is the unique functionality that Rsyslog provides as an improvement over Syslog-ng?
Ability to send log entries directly into database enginesWhat does the ’SYN_RECEIVED’ state in Netstat mean?
It indicates the system sent a TCP SYNACK packet after receiving a SYN packet, and it is now waiting for the ACK response to establish the connection.What does the ESTABLISHED state in the netstat command output indicate?
This is the normal state for the data transfer phase of a connection.What is a major feature of the Rsyslog software utility that differentiates it from Syslog-ng as mentioned in the provided text?
It has the ability to send log entries directly into database enginesWhat is the definition of risk in IT security context?
It is the possibility of a threat exploiting a vulnerability, resulting in loss.What does the ’tail’ command in Unix or Linux do by default?
It displays the last 10 lines of a log file.According to the ’Place Order’ use case, who are classified as the ’actors’?
Lisa, Billing system, and Fulfillment systemWhat does the ’Netstat -p protocol’ command do?
It shows statistics on a specific protocol, such as TCP or UDPWhat is the function of the ’ip link show’ command?
It shows the interfaces along with some details on themWhat does the SYN_SENT state indicate when using the netstat command?
The system sent a TCP SYN packet and is waiting for the SYN-ACK responseWhat does a protocol analyzer do in a SIEM system?
It captures network traffic and allows for analyzing individual packets.What does the ’journalctl -1’ command do in a Linux system?
Retrieves the boot log identified with number -1What are the two common managerial controls mentioned in the text?
Risk assessments and Vulnerability assessmentsWhat is the function of sensors in a Security Information and Event Management (SIEM) system?
They collect logs from devices and send these logs to the SIEM system.What is the purpose of User Behavior Analysis in a SIEM system?
To focus on what users are doing and look for abnormal patterns of activity that may indicate malicious intentWhat does the /var/log/kern.log file do in Linux?
Logs information by the system kernelWhat is one key feature of NXLog Enterprise Edition that is not included in the Community Edition?
It provides real-time event correlation and remote administrationWhat does Hardening mean in the context of preventative controls?
It is the practice of making a system or application more secure than its default configurationWhat types of intrusions can the intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) monitor?
Both network and host intrusionsWhat is the primary function of backups and system recovery in corrective and recovery controls?
They enable system administrators to recover a system after a security breachWhat is a common goal of fault tolerance and redundancy techniques in server redundancies?
To remove each single point of failure (SPOF)What starts the use case in the scenario of Lisa purchasing an item online?
The triggerWhat does the ’logger Backup started’ command do according to the text?
Adds a time-stamped entry of ’Backup started’ in the /var/log/syslog fileWhat does the ’-n 15’ switch specify when used with the ’sudo tail’ command in relation to the /var/log/messages file?
It specifies that the command should display the last 15 lines of the file.What do log entries in a system help administrators and security investigators determine?
The location, time, and event that led to a security incidentWhat does a security incident refer to in IT security?
It refers to the situation when a threat exploits a vulnerability, resulting in a loss.What does the ’Netstat -s’ command do?
Displays statistics of packets sent or received for specific protocols, such as IP, ICMP, TCP, and UDP.What are some examples of preventative controls?
Hardening, training, security guards, change management, account disablement policy, Intrusion prevention system (IPS)What are the features of Syslog-ng as an extension of syslogd on Linux-like systems?
It provides correlation and routing abilities to route log entries to any log analysis tool.What is the purpose of the command ’sudo cat /var/log/auth.log | grep ’authentication failure’’ in a Linux system?
It searches for and displays all entries related to authentication failures in the auth.log file.What information does the ’Netstat –r’ command on a system provide?
Display of the routing tableWhat does the Linux ’chmod g=r filename’ command do?
Gives read permissions to the owner group of the fileWhich of the following commands enables promiscuous mode on the first Ethernet interface of a Linux-based system?
ifconfig eth0 promiscWhy might a ping command fail even if a system is operational and reachable?
The firewalls are blocking ICMP echo requestsWhat is the purpose of the correlation engine in a Security Information and Event Management (SIEM) system?
To collect and analyze event log data from various systemsWhich of the following is NOT included in operational controls?
Software developmentWhat is the correct naming strategy for a use case in systems analysis and software development?
Verb-noun formatWhat is the function of ARP?
It resolves IP addresses to MAC addressesIn the context of a use case, what does the term ’Normal flow’ refer to?
The order of steps in a use case.What is the purpose of using encryption as a technical control?
To protect the confidentiality of data both transferred over a network and stored on devicesWhat would be the effect of the ’chmod o-x filename’ command on a Linux system?
It removes execute permission from all others for the specified file.What is the primary task of the ’Log Monitoring’ as part of the detective controls?
To detect potential incidents and report after they’ve occurredWhich of the following is NOT an example of a detective control?
FirewallWhich of the following statements best describes a ’precondition condition’ within the context of use cases?
It is an essential state of affairs that must be met before the execution of use case can begin.What does the command ’ping gcgapremium.com’ do?
It tells the computer to send 4 packets of data to the IP address associated with gcgapremium.com.Which of the following is strongly recommended if you do not have a Linux system, according to the information given in the text above?
Check out the online labsWhat are some capabilities of the hping command?
It can send pings using TCP, UDP, and ICMP.What method is used to provide assurance that data has not changed and thus providing integrity?
Hashing techniquesWhich media protection control best ensures the security of data on physical media like USB flash drives or backup tapes?
Locking devices safely in a secure locationWhat is the main function of detective controls in an organization’s security control system?
They attempt to detect incidents after they have occurredWhat is the main function of detective controls in an organization’s security control system?
It limits the log entries displayed to only those from the last hourWhat is the function of the ’-c’ switch when used with the ping command on a Linux system?
It specifies a count of how many times the ping command should send ICMP Echo requests.What does the command ’arp -a 192.168.1.1’ do?
It displays the ARP cache entry for the specified IP addressWhat is the primary function of an Intrusion prevention system (IPS) in the context of preventative controls?
IPS blocks malicious traffic before it reaches a networkWhat are the key features of NXLog Enterprise Edition as compared to the Community Edition?
It includes all the features of the Community Edition and adds real-time event correlation and remote administration.Which log of the operating system records events related to the functioning of the operating system such as when it starts, when it shuts down, and information on services starting and stopping?
System logWhat is the purpose of an ’Account disablement policy’?
To guarantee that user accounts are disabled when an employee leaves the organizationWhich of the following best describes automated triggers in the context of a SIEM system?
They are actions in response to a predefined number of repeated events.In a use case, what is meant by ’Postcondition’?
It is the action that occurs after the actor triggers the processWhat type of information does the ’var/log/syslog’ file contain on a Linux system?
All system activity, including startup activityWhat does the ’ipconfig /displaydns’ command do in a Windows system?
It shows the contents of the DNS cache and any hostname to IP address mappings included in the hosts fileWhat does the correlation engine in a SIEM system do?
Collects and analyzes event log data from various systems within the network.Which is the correct description of the command ’ip link set eth0 up’ as per the text above?
It enables a network interfaceWhat is the purpose of operational controls in organization’s overall security plan?
To reduce risks by training users to understand threatsWhat does the command netstat -anp tcp show you?
A listing of TCP ports that the system is listening on listed in numerical orderWhat is the role of Authentication in maintaining confidentiality as per the given text?
It verifies the identity of the user as legitimate or notWhat are response controls in the context of security?
Controls designed to prepare for and respond to security incidentsWhat is the primary function of the ’cat’ command in Linux?
It displays the contents of filesWhat does the ’ifconfig eth0 allmulti’ command enable?
It enables multicast mode on the NICWhat is the main purpose of a tracert, or traceroute, command?
It is used to determine the number of hops it takes to reach a destinationWhat is a compensating control as described in the context of network security?
An alternative security measure used when a primary control cannot be implemented immediatelyWhich of the following accurately describes a function provided by security information and event management (SIEM) systems?
SIEM systems combine log data from various devices and store it in a searchable database for easy analysis.What is the difference between scalability and elasticity in terms of system availability?
Scalability refers to manually adjusting resources to handle workload, while elasticity refers to automatic adjustment in response to workload changes.What is the role of a syslog collector?
It receives messages from external devices and applications on the same systemWhich statement best describes the meaning of the ’ping -c 4 192.168.1.1’ command?
It sends four ICMP echo request packets to the IP address 192.168.1.1.What are two common types of managerial controls described in the given text?
Vulnerability assessments and Risk assessmentsWhich of the following is an example of deterrent control in terms of physical security?
Cable locks on laptopsWhich of the following is a NOT a common feature of a SIEM system?
Synthesizing new malware for system testing.Which statement describes operational controls in the context of organizational security?
Operational controls include training to help users understand threats such as phishing and malwareWhich of the following is NOT an example of a technical control?
Motion detectorsWhat does the ’CLOSE_WAIT’ state indicate when using the netstat command?
The system is waiting for a connection termination request.Which of the following methods is used to ensure confidentiality by scrambling data, thereby making it unreadable to unauthorized personnel?
EncryptionWhat is the primary function of the Security log in a Windows system?
To function as a security log, audit log, and access log, recording auditable events such as successes or failuresWhat is the primary goal of corrective and recovery controls?
All of the aboveHow can you limit the output of the journalctl command to only logs from the last hour?
journalctl — since ’1 hour ago’What does the ’LISTEN’ state in the netstat command indicate?
The system is waiting for a connection request.What does /var/log/httpd/ directory contain in Linux as pointed out by CompTIA Security+ exam?
Access and error logs related to Apache web serverWhat is the purpose of power redundancies in ensuring a system’s availability?
They provide power to key systems even if commercial power failsWhich of the following techniques can be used to ensure data confidentiality?
EncryptionWhat is the primary use of the ’Netstat -n’ command?
Display addresses and port numbers in numerical order.Which of the following is NOT an example of a preventative control type?
EncryptionWhat is the purpose of motion detection as a detective control in terms of security?
To detect when vulnerabilities have been exploited after an eventLast updated