Exam SY0-601 All Questions

View all questions & answers for the SY0-601 exam

Exam SY0-601 topic 1 question 828 discussion

Actual exam question from CompTIA's SY0-601

Question #: 828
Topic #: 1

A security analyst discovers that a large number of employee credentials had been stolen and were being sold on the dark web. The analyst investigates and discovers that some hourly employee credentials were compromised, but salaried employee credentials were not affected.

Most employees clocked in and out while they were inside the building using one of the kiosks connected to the network. However, some clocked out and recorded their time after leaving to go home. Only those who clocked in and out while inside the building had credentials stolen. Each of the kiosks are on different floors, and there are multiple routers, since the business segments environments for certain business functions.

Hourly employees are required to use a website called acmetimekeeping.com to clock in and out. This website is accessible from the internet. Which of the following is the most likely reason for this compromise?

A. A brute-force attack was used against the time-keeping website to scan for common passwords.
B. A malicious actor compromised the time-keeping website with malicious code using an unpatched vulnerability on the site, stealing the credentials.
C. The internal DNS servers were poisoned and were redirecting acmetimekeeping.com to a malicious domain that intercepted the credentials and then passed them through to the real site.
D. ARP poisoning affected the machines in the building and caused the kiosks to send a copy of all the submitted credentials to a malicious machine.

Show Suggested Answer

Suggested Answer: C 🗳️

by Baba111222 at Jan. 17, 2024, 8:05 p.m.

Comments

Submit Cancel

sysics

Highly Voted 1 year, 3 months ago

Selected Answer: C

C makes more sense to me. BTW the question is tooo long to read.

upvoted 10 times

chizzuck

1 year, 1 month ago

Some Comptia questions are very long to read. during the tests I think... I hope this is worth a ton of points.

upvoted 1 times

...

LinkinTheStinkin

Highly Voted 1 year, 4 months ago

Selected Answer: C

The question says that multiple routers are in use within the building. This rules out ARP poisoning, since ARP is a layer 2 protocol, and limited to a single broadcast domain, it would only affect a portion of the network. It says people at home were able to use the website and not have their credentials compromised, so the website itself has no issue. The only answer it can be is is C.

upvoted 5 times

mikzer

1 year, 3 months ago

That's correct. DNS poisoning can occur for a brief period and return to normal allowing the people outside the building to later clock out without having their credentials stolen. ARP will stay poisoned because it involves storing the attacker's MAC in everyone’s cache.

upvoted 2 times

...

Rami1996

Most Recent 1 year, 4 months ago

Selected Answer: B

there are some potential issues with option C: Complexity: DNS poisoning attacks, while possible, typically require a significant level of access to internal systems. If internal DNS servers were compromised, it would likely have broader implications beyond just redirecting traffic to a single website. Detection: DNS poisoning attacks are usually detectable, especially if employees were being redirected to a malicious domain. Such activities often trigger security alerts or anomalies that would prompt investigation. While option C offers a plausible explanation, it may not be the most likely scenario given the complexity and detectability of DNS poisoning attacks.

upvoted 2 times

Mehe323

1 year, 3 months ago

B doesn't explain why only those with a hourly wage AND used the kiosks inside the building to clock in and out were affected, and not the hourly paid that only clocked out. It can't be an attack on the website for the hourly salaried.

upvoted 3 times

Gigi42

1 year, 1 month ago

I agree with you 💯. The acmetimekeeping site is available on the internet, so why is it that only employees who clocked in and out inside the building are the only ones affected? Those were left the building and clocked out at home, didn't get their credentials stolen. If a malicious actor did something to website, wouldn't everyone, everywhere be affected? Option C seems like the BEST answer here.

upvoted 1 times

...

BD69

1 year, 4 months ago

Selected Answer: C

With so many internal DNS servers (especially windows domains) default settings to allow non-authoritative changes to DNS records, answer C is the most likely via MITM attack. Answer B is certainly possible, however, that would affect every company that uses that service (this was not mentioned), not just the company in question. Answer D would work too, but this requires a bit more work, non-locked down switches and would be identified quickly by security & network software (immediate conflict alerts) .

upvoted 1 times

...

MF757

1 year, 5 months ago

Selected Answer: B

The fact that only hourly employees who clocked in and out while inside the building had their credentials stolen suggests that the compromise is likely related to the usage of the time-keeping website.

upvoted 1 times

...

TM78

1 year, 6 months ago

Selected Answer: D

D. DNS Poisoning You can get a very basic explanation here (time stamp 5:50 if you don’t care to watch the whole video): https://youtu.be/7MT1F0O3_Yw?si=K7Rung_UtsGcnX7Y If you don’t feel the warm fuzzies about clicking some random link, go YouTube > search DNS Cache Poisoning - Computerphile. The reason why I don’t think it is ARP is because of an assumption (yeah, bad word) that the time card website is https, meaning that the information intercepted by the bad actor should be encrypted and unable to use.

upvoted 1 times

TM78

1 year, 6 months ago

Gosh. I mean C. DNS Poisoning.

upvoted 3 times

...

7308365

1 year, 6 months ago

ARP poisoning attacks can compromise systems and redirect network traffic to the threat actor, who leverages their position to insert malware and steal sensitive data. Only those who clocked in and out while inside the building had credentials stolen. D. ARP poisoning affected the machines in the building and caused the kiosks to send a copy of all the submitted credentials to a malicious machine.

upvoted 3 times

BD69

1 year, 4 months ago

ARP poisoning would be the most difficult way of achieving this and require a lot more information about the internal network, not to mention would also require malware on all segments.

upvoted 1 times

...

Payu1994

1 year, 6 months ago

D. ARP poisoning affected the machines in the building and caused the kiosks to send a copy of all the submitted credentials to a malicious machine. Explanation: ARP Poisoning (Option D): ARP (Address Resolution Protocol) poisoning involves manipulating the ARP cache on a local network, leading to the association of incorrect MAC addresses with IP addresses. In this scenario, if ARP poisoning occurred, it could lead to the kiosks sending a copy of the submitted credentials to a malicious machine before reaching the legitimate server. This could happen if the ARP cache on the local network was manipulated to redirect traffic through a malicious machine.

upvoted 2 times

BD69

1 year, 4 months ago

true, but not the most likely way to do it as the difficulty level is a bit higher. Many internal DNS servers are not secure, for starters, and will accept record changes from non-authoritative sources, if not locked down.

upvoted 1 times

...

licks0re

1 year, 6 months ago

Selected Answer: C

Clearly C, see comments below.

upvoted 2 times

...

johnabayot

1 year, 7 months ago

Selected Answer: B

This option explains why only the hourly employees who used the kiosks inside the building were affected, and not the salaried employees or the hourly employees who clocked out from home. If the time-keeping website was compromised, then anyone who accessed it from the kiosks would have their credentials stolen by the malicious code. The other options do not account for this scenario.

upvoted 2 times

johnabayot

1 year, 7 months ago

DNS poisoning (option C) would affect anyone who tried to access the website from any device, not just the kiosks. DNS poisoning is a technique that alters the DNS records of a domain name, so that it points to a different IP address than the legitimate one. This would redirect users to a fake website that looks like the real one, but steals their credentials. This would also affect both hourly and salaried employees, and those who clocked out from home.

upvoted 2 times

licks0re

1 year, 6 months ago

"internal dns" were poisoned. Hence ppl from home arrived on a safe website while people inside arrived on a fake website. C is my choice.

upvoted 1 times

Payu1994

1 year, 6 months ago

DNS poisoning redirecting the time-keeping website to a malicious domain is less likely since employees would likely notice if they were redirected to a different website. Additionally, DNS poisoning would likely affect all users accessing the time-keeping website, not just those inside the building.

upvoted 1 times

TM78

1 year, 6 months ago

Not if it’s from a DNS cache.

upvoted 1 times

...

Hs1208

1 year, 7 months ago

Selected Answer: C

C. The internal DNS servers were poisoned and were redirecting acmetimekeeping.com to a malicious domain that intercepted the credentials and then passed them through to the real site.

upvoted 5 times

...

Baba111222

1 year, 7 months ago

Selected Answer: C

It can't be B. If the actual website was compromised, employees signing after they left would also be affected. In this case only ones using the kiosks connected to the same network were affected, thus DNS poisoning being the only logical option here.

upvoted 4 times

...