
Exam SY0-601 topic 1 question 828 discussion

Actual exam question from CompTIA's SY0-601
Question #: 828
Topic #: 1

A security analyst discovers that a large number of employee credentials had been stolen and were being sold on the dark web. The analyst investigates and discovers that some hourly employee credentials were compromised, but salaried employee credentials were not affected.

Most employees clocked in and out while they were inside the building using one of the kiosks connected to the network. However, some clocked out and recorded their time after leaving to go home. Only those who clocked in and out while inside the building had credentials stolen. Each of the kiosks are on different floors, and there are multiple routers, since the business segments environments for certain business functions.

Hourly employees are required to use a website called acmetimekeeping.com to clock in and out. This website is accessible from the internet. Which of the following is the most likely reason for this compromise?

  • A. A brute-force attack was used against the time-keeping website to scan for common passwords.
  • B. A malicious actor compromised the time-keeping website with malicious code using an unpatched vulnerability on the site, stealing the credentials.
  • C. The internal DNS servers were poisoned and were redirecting acmetimekeeping.com to a malicious domain that intercepted the credentials and then passed them through to the real site.
  • D. ARP poisoning affected the machines in the building and caused the kiosks to send a copy of all the submitted credentials to a malicious machine.
Suggested Answer: C

Comments

sysics
Highly Voted 1 year ago
Selected Answer: C
C makes more sense to me. BTW the question is too long to read.
upvoted 10 times
chizzuck
9 months, 3 weeks ago
Some CompTIA questions are very long to read during the tests, I think... I hope this is worth a ton of points.
upvoted 1 times
LinkinTheStinkin
Highly Voted 1 year, 1 month ago
Selected Answer: C
The question says that multiple routers are in use within the building. This rules out ARP poisoning: since ARP is a layer 2 protocol limited to a single broadcast domain, it would only affect a portion of the network. It says people at home were able to use the website and not have their credentials compromised, so the website itself has no issue. The only answer it can be is C.
upvoted 5 times
mikzer
1 year ago
That's correct. DNS poisoning can occur for a brief period and return to normal allowing the people outside the building to later clock out without having their credentials stolen. ARP will stay poisoned because it involves storing the attacker's MAC in everyone’s cache.
upvoted 2 times
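The reasoning in the comments above (ARP poisoning is confined to one broadcast domain, while a poisoned internal resolver affects every client that uses it and leaves home users on the genuine site) translates into concrete defender-side checks. The following is an added example, not from the exam or any commenter; every hostname, address, neighbor-table line and baseline in it is constructed, and the function names are assumptions of this example.

```python
"""Defender-side checks for the two mechanisms debated in this thread:
internal DNS poisoning and ARP poisoning. Added example, not from the exam or
the forum; all hostnames, addresses and table contents are constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed: A records returned for the time-keeping hostname by the internal
# resolver the kiosks use and by an independent external resolver (RFC 5737
# documentation addresses).
INTERNAL_ANSWERS = {"acmetimekeeping.com": {"198.51.100.77"}}
EXTERNAL_ANSWERS = {"acmetimekeeping.com": {"203.0.113.10", "203.0.113.11"}}


def dns_mismatches(internal, external):
    """Return hostnames whose internal answers share no address with the
    external ones. A poisoned internal cache that redirects only in-building
    clients looks exactly like this: home users resolving via their ISP still
    reach the real site."""
    suspicious = {}
    for host, ext in external.items():
        internal_set = internal.get(host, set())
        if internal_set and internal_set.isdisjoint(ext):
            suspicious[host] = sorted(internal_set)
    return suspicious


# Constructed: a neighbor-table snapshot from one kiosk in `ip neigh show`
# format. The recorded gateway MAC is in GATEWAY_BASELINE; the table shows a
# different MAC answering for the gateway and for a second host.
NEIGH_TABLE = """\
10.10.1.1 dev eth0 lladdr 02:de:ad:be:ef:99 REACHABLE
10.10.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
10.10.1.50 dev eth0 lladdr 02:de:ad:be:ef:99 REACHABLE
10.10.1.60 dev eth0 lladdr 00:11:22:33:44:60 DELAY
10.10.1.70 dev eth0 FAILED
"""
GATEWAY_BASELINE = {"10.10.1.1": "00:11:22:33:44:01"}

NEIGH_RE = re.compile(r"^(\S+) dev (\S+)(?: lladdr (\S+))? (\S+)$")


def parse_neigh(text):
    """Parse `ip neigh` lines into (ip, mac, state); rows without a MAC
    (FAILED/INCOMPLETE) are skipped."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group(3):
            entries.append((m.group(1), m.group(3).lower(), m.group(4)))
    return entries


def shared_macs(entries):
    """MAC addresses claiming more than one IP: the classic ARP-spoofing tell,
    since the spoofer's NIC answers for the gateway as well as its own IP."""
    by_mac = defaultdict(set)
    for ip, mac, _ in entries:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_drift(entries, baseline):
    """Gateway IPs whose observed MAC differs from the recorded baseline."""
    observed = {ip: mac for ip, mac, _ in entries}
    return {ip: (want, observed[ip]) for ip, want in baseline.items()
            if ip in observed and observed[ip] != want.lower()}


# Constructed: one routed segment per floor, as the question describes.
FLOOR_SEGMENTS = {"floor1": "10.10.1.0/24", "floor2": "10.10.2.0/24",
                  "floor3": "10.10.3.0/24"}
KIOSKS = {"kiosk-f1": "10.10.1.20", "kiosk-f2": "10.10.2.20",
          "kiosk-f3": "10.10.3.20"}


def arp_reachable_kiosks(host_ip, kiosks, segments):
    """Kiosks that share a broadcast domain with host_ip. ARP never crosses a
    router, so an ARP spoofer on one floor cannot affect kiosks on the others;
    a poisoned internal resolver, by contrast, affects every segment using it."""
    nets = [ipaddress.ip_network(c) for c in segments.values()]
    host = ipaddress.ip_address(host_ip)
    home = next((n for n in nets if host in n), None)
    if home is None:
        return []
    return sorted(name for name, ip in kiosks.items()
                  if ipaddress.ip_address(ip) in home)


if __name__ == "__main__":
    entries = parse_neigh(NEIGH_TABLE)
    print("DNS answer mismatches:", dns_mismatches(INTERNAL_ANSWERS, EXTERNAL_ANSWERS))
    print("MACs claiming several IPs:", shared_macs(entries))
    print("Gateway MAC drift:", gateway_drift(entries, GATEWAY_BASELINE))
    print("Kiosks in the same segment as 10.10.1.50:",
          arp_reachable_kiosks("10.10.1.50", KIOSKS, FLOOR_SEGMENTS))
```

In practice the DNS check would be fed by periodic lookups of the hostname through the internal resolver and through an external one; a persistent disagreement is the signal to inspect the internal cache. The neighbor-table checks would run on each kiosk, and the segment function only formalizes the thread's point that an ARP-based explanation needs a spoofer present on every floor.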
Rami1996
Most Recent 1 year, 1 month ago
Selected Answer: B
There are some potential issues with option C. Complexity: DNS poisoning attacks, while possible, typically require a significant level of access to internal systems. If internal DNS servers were compromised, it would likely have broader implications beyond just redirecting traffic to a single website. Detection: DNS poisoning attacks are usually detectable, especially if employees were being redirected to a malicious domain. Such activities often trigger security alerts or anomalies that would prompt investigation. While option C offers a plausible explanation, it may not be the most likely scenario given the complexity and detectability of DNS poisoning attacks.
upvoted 2 times
Mehe323
12 months ago
B doesn't explain why only those with an hourly wage AND who used the kiosks inside the building to clock in and out were affected, and not the hourly paid who only clocked out. It can't be an attack on the website for the hourly salaried.
upvoted 3 times
Gigi42
10 months, 1 week ago
I agree with you 💯. The acmetimekeeping site is available on the internet, so why is it that only employees who clocked in and out inside the building are the only ones affected? Those who left the building and clocked out at home didn't get their credentials stolen. If a malicious actor did something to the website, wouldn't everyone, everywhere be affected? Option C seems like the BEST answer here.
upvoted 1 times
BD69
1 year, 1 month ago
Selected Answer: C
With so many internal DNS servers (especially Windows domains) having default settings that allow non-authoritative changes to DNS records, answer C is the most likely, via a MITM attack. Answer B is certainly possible; however, that would affect every company that uses that service (this was not mentioned), not just the company in question. Answer D would work too, but this requires a bit more work and non-locked-down switches, and would be identified quickly by security & network software (immediate conflict alerts).
upvoted 1 times
MF757
1 year, 1 month ago
Selected Answer: B
The fact that only hourly employees who clocked in and out while inside the building had their credentials stolen suggests that the compromise is likely related to the usage of the time-keeping website.
upvoted 1 times
TM78
1 year, 2 months ago
Selected Answer: D
D. DNS Poisoning. You can get a very basic explanation here (time stamp 5:50 if you don't care to watch the whole video): https://youtu.be/7MT1F0O3_Yw?si=K7Rung_UtsGcnX7Y If you don't feel the warm fuzzies about clicking some random link, go to YouTube > search "DNS Cache Poisoning - Computerphile". The reason why I don't think it is ARP is because of an assumption (yeah, bad word) that the time card website is HTTPS, meaning that the information intercepted by the bad actor should be encrypted and unusable.
upvoted 1 times
TM78
1 year, 2 months ago
Gosh. I mean C. DNS Poisoning.
upvoted 3 times
7308365
1 year, 2 months ago
ARP poisoning attacks can compromise systems and redirect network traffic to the threat actor, who leverages their position to insert malware and steal sensitive data. Only those who clocked in and out while inside the building had credentials stolen. D. ARP poisoning affected the machines in the building and caused the kiosks to send a copy of all the submitted credentials to a malicious machine.
upvoted 3 times
[Removed]
1 year, 2 months ago
"Each of the kiosks are on different floors, and there are multiple routers"... think about it... DNS poisoning is a better attack than ARP poisoning because you have different routers, so probably a different GW on each floor, etc.
upvoted 1 times
BD69
1 year, 1 month ago
ARP poisoning would be the most difficult way of achieving this and require a lot more information about the internal network, not to mention would also require malware on all segments.
upvoted 1 times
Payu1994
1 year, 3 months ago
D. ARP poisoning affected the machines in the building and caused the kiosks to send a copy of all the submitted credentials to a malicious machine. Explanation: ARP Poisoning (Option D): ARP (Address Resolution Protocol) poisoning involves manipulating the ARP cache on a local network, leading to the association of incorrect MAC addresses with IP addresses. In this scenario, if ARP poisoning occurred, it could lead to the kiosks sending a copy of the submitted credentials to a malicious machine before reaching the legitimate server. This could happen if the ARP cache on the local network was manipulated to redirect traffic through a malicious machine.
upvoted 2 times
BD69
1 year, 1 month ago
True, but not the most likely way to do it, as the difficulty level is a bit higher. Many internal DNS servers are not secure, for starters, and will accept record changes from non-authoritative sources if not locked down.
upvoted 1 times
licks0re
1 year, 3 months ago
Selected Answer: C
Clearly C, see comments below.
upvoted 2 times
johnabayot
1 year, 3 months ago
Selected Answer: B
This option explains why only the hourly employees who used the kiosks inside the building were affected, and not the salaried employees or the hourly employees who clocked out from home. If the time-keeping website was compromised, then anyone who accessed it from the kiosks would have their credentials stolen by the malicious code. The other options do not account for this scenario.
upvoted 2 times
johnabayot
1 year, 3 months ago
DNS poisoning (option C) would affect anyone who tried to access the website from any device, not just the kiosks. DNS poisoning is a technique that alters the DNS records of a domain name, so that it points to a different IP address than the legitimate one. This would redirect users to a fake website that looks like the real one, but steals their credentials. This would also affect both hourly and salaried employees, and those who clocked out from home.
upvoted 2 times
licks0re
1 year, 3 months ago
"Internal DNS" servers were poisoned. Hence people from home arrived on a safe website while people inside arrived on a fake website. C is my choice.
upvoted 1 times
Payu1994
1 year, 2 months ago
DNS poisoning redirecting the time-keeping website to a malicious domain is less likely since employees would likely notice if they were redirected to a different website. Additionally, DNS poisoning would likely affect all users accessing the time-keeping website, not just those inside the building.
upvoted 1 times
TM78
1 year, 2 months ago
Not if it’s from a DNS cache.
upvoted 1 times
Hs1208
1 year, 3 months ago
Selected Answer: C
C. The internal DNS servers were poisoned and were redirecting acmetimekeeping.com to a malicious domain that intercepted the credentials and then passed them through to the real site.
upvoted 5 times
Baba111222
1 year, 3 months ago
Selected Answer: C
It can't be B. If the actual website was compromised, employees signing in after they left would also be affected. In this case only the ones using the kiosks connected to the same network were affected, so DNS poisoning is the only logical option here.
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other