WGU 178 comptia Security+ Critical Terms
Exam Questions with Detailed Solutions
2024/2025
Simple Network Management Protocol (SNMP). - correct answer Protocol for
monitoring and managing network devices. Works over UDP ports 161 and 162 by
default.
Nmap Security Scanner - correct answer Uses diverse methods of host discovery, can
operate stealthily and serve to defeat security mechanisms such as firewalls and IDS.
Open-source tool for Windows, Linux, and macos and can be operated with a command
line or via a GUI (Zenmap).
Netstat - correct answer show the state of TCP/UDP ports on the local machine.
Nslookup/dig - correct answer query name records for a given domain using a DNS
resolver. Attacker may test a network to find out if the DNS service is misconfigured
which may allow a zone transfer, which gives the attacker complete records of every
host in the domain, revealing how a network is configured.
Protocol analysis - correct answer means using statistical tools to analyze a sequence
of packets, or packet trace.
Zero-day - correct answer A vulnerability that is exploited before the developer knows
about it or can release a patch
Network vulnerability scanner ie: Nessus or openvas - correct answer Designed to test
network hosts, including client pcs, mobile devices, servers, routers, and switches. It
examines an organization's on-premises systems, apps, and devices and compares the
scan results to configuration templates plus lists of known vulnerabilities. Typical results
from a vulnerability assessment will identify missing patches, deviations from baseline
configuration templates, and other related vulnerabilities.
,Black box - correct answer consultant given no privileged info about the network and
its security systems. This type of test would require the tester to perform a
reconnaissance phase. Useful for simulating the behavior of an external threat.
White box - correct answer consultant given complete access to information about the
network. Sometimes conducted as a follow-up to a black box test to fully evaluate flaws
discovered during the black box test. Tester skips the reconnaissance phase in this type
of test. Useful for simulating the behavior of a privileged insider threat.
Gray box - correct answer Consultant given some info; would resemble the knowledge
of junior or non-IT staff to model particular types of insider threats. This type of test
requires partial reconnaissance on the part of the tester. Useful for simulating the
behavior of an unprivileged insider threat.
Red team - correct answer performs the offensive role to try to infiltrate the target.
Blue team - correct answer performs the defensive role by operating monitoring and
alerting controls to detect and prevent the infiltration.
White team - correct answer sets the rules of engagement and monitors the exercise,
providing arbitration and guidance. If the red team is third party, this team will include a
rep from the consultancy company. Can halt the exercise should it become too risky.
War driving - correct answer mapping the location and type (frequency channel and
security method) of wireless networks operated by the target. Sniffing the presence of
wireless networks is a passive activity, though there is the risk of being observed by
security guards or cameras.
Persistence - correct answer tester's ability to reconnect to the compromised host and
use it as a remote access tool (RAT) or backdoor; the tester must establish a command
and control (C2 or C&C) network to use to control the compromised host, upload
additional attack tools, and download exfiltrated data. The connection to the
compromised host will typically require a malware executable to run after shut down/log
off events and a connection to a network port and the attacker's IP address to be
available.
,Privilege escalation - correct answer persistence along with more reconnaissance; pen
tester maps out the internal network and discovers services running and accounts
configured to access it; likely to require higher privilege levels. The original malware
may have run with local administrator privileges on a client workstation or as the Apache
user on a web server. Another exploit might allow malware to execute with system/root
privileges, or to use network administrator privileges on other hosts, such as application
servers.
Lateral movement - correct answer gain control over other hosts which is done to
discover more opportunities to widen access (harvesting credentials, detecting software
vulnerabilities, etc). Also to Identify where valuable data assets might be located and to
evade detection. Usually involves executing the attack tools over remote process
shares or using scripting tools, such as powershell.
Actions on Objectives - correct answer Threat actor stealing data from one or more
systems (exfiltration). From the perspective of a pen tester, it would be a matter of the
scope definition whether this would be attempted. It is usually sufficient to show that
actions on objectives could be achieved.
UAT - correct answer User acceptance training
Smtp - correct answer sends email on port 25 or port 587
Technical - correct answer Control implemented as a system (hardware, software, or
firmware). IE: firewalls, antivirus software, and OS access control models and may also
be described as logical controls.
Operational - correct answer the control is implemented primarily by people rather than
systems. IE: security guards and training programs are ____ controls rather than
technical controls.
Managerial - correct answer the control gives oversight of the information system.
Examples could include risk identification or a tool allowing the evaluation and selection
of other security controls.
, Preventive - correct answer Control type acts to eliminate/reduce the likelihood that an
attack can succeed. Operates before an attack can take place; IE: ACL configured on
firewalls and file system objects are. Anti-malware software also acts as a control, by
blocking processes identified as malicious from executing.
Detective - correct answer the control may not prevent or deter access, but it will
identify and record any attempted or successful intrusion. Operates during the progress
of an attack. IE: Logs
Corrective - correct answer Control acts to eliminate/reduce the impact of an intrusion
event and is used after an attack. IE: a backup system that can restore data that was
damaged during an intrusion or a patch mgmt system that acts to eliminate the
vulnerability exploited during the attack
Physical - correct answer controls such as alarms, gateways, locks, lighting, security
cameras, and guards that deter and detect access to premises and hardware are often
classed separately.
Deterrent - correct answer the control may not physically or logically prevent access,
but psychologically discourages an attacker from attempting an intrusion. This could
include signs and warnings of legal penalties against trespass or intrusion.
Compensating - correct answer the control serves as a substitute for a principal
control, as recommended by a security standard, and affords the same (or better) level
of protection but uses a different methodology or technology.
Kerberos - correct answer SSO network authentication/authorization protocol used on
many networks, by Microsoft's (AD) service. Clients request services from app servers,
which rely on a Key Distribution Center (KDC)—to vouch for their identity. Two services
make up a KDC: the Authentication Service & Ticket Granting Service; runs on port 88
TCP or UDP.
Smurf/smurfing - correct answer Attack is based on the ICMP echo reply function. It is
more commonly known as ping. Attacker sends ping packets to the broadcast address
