Answers to Performance-Based Questions (PBQs) | Security+ 601
This post contains the answers and explanations to our free Performance-Based Questions (PBQs) that we specifically designed to prepare you to take and pass the real CompTIA Security+ SY0-601 exam.
If you’d like to attempt them before seeing the answers, then don’t scroll any further. Go through them first and then come back here for explanations!
Question #1
This first question is asking about RAID configurations.
Answers
- RAID 0 must have a minimum of 2 drives, offers striping: yes, offers mirroring: no, offers parity: no
- RAID 1 must have a minimum of 2 drives, offers striping: no, offers mirroring: yes, offers parity: no
- RAID 5 must have a minimum of 3 drives, offers striping: yes, offers mirroring: no, offers parity: yes
Explanation
Our lesson titled “Disk Redundancy” from our Security+ course covers RAID in a lot of detail, so if you’re not familiar with RAID, I definitely recommend going through that lesson. Otherwise, here’s a cheat sheet to help you memorize and remember so that you can answer this first question:
- RAID (Redundant Array of Independent/Inexpensive Disks)
  - What is it? It’s storage virtualization technology that combines multiple physical disk drive components into one or more logical units
  - What’s the benefit? It’s used to increase data redundancy, performance, capacity, or a combination of those
  - Key terms to know:
    - Striping – spreads blocks of data across multiple disks. Great for increased performance but provides zero data redundancy or protection by itself
    - Mirroring – copies the same data across disks. Provides data redundancy and protection from failure, but requires more disks which increases cost
    - Parity – calculated value that gets used to restore data from multiple drives if one of the drives were to fail. This prevents the need to mirror using separate drives since parity is spread among disks. (Unless using RAID 4, in which case parity is stored on one disk)
- RAID configurations and stats you need to know for the exam:
  - RAID 0 – striping
    - Needs 2 drives minimum
    - RAID 0 is an example of a RAID level that only cares about performance and capacity. It provides zero data redundancy because it stripes data across every disk.
  - RAID 1 – mirroring
    - Needs 2 drives minimum
    - RAID 1 can continue to operate as long as at least one member drive is operational, but if we are only left with 1 drive, we lose data redundancy.
  - RAID 4 – striping and parity
    - Needs 3 drives minimum
    - The benefit of RAID 4 as compared to RAID 1 is that parity requires far less disk space than mirroring, since it’s not storing an exact copy of the data — just the calculated parity information. So you can scale RAID 4 cheaper than you could RAID 1. The downside is that it requires at least 3 drives and write performance suffers.
  - RAID 5 – striping and parity
    - Needs 3 drives minimum
    - RAID 5 is typically considered to be a better option than RAID 4, because it provides both striping and parity, similar to RAID 4, but unlike RAID 4, parity information is distributed between the drives instead of just being stored on one drive. This gives RAID 5 better write performance while still getting good redundancy benefits.
  - RAID 6 – striping and parity
    - Needs 4 drives minimum
    - RAID 6 is similar to RAID 5, but it uses an additional parity block. The reason that’s important is because it provides higher data redundancy. While RAID 5 can sustain a single drive failure, RAID 6 can sustain two drive failures. This does mean that RAID 6 requires 4 disks at a minimum. RAID 6 has the highest drive count requirement out of all other levels, but it also provides the highest data redundancy and failure tolerance. It also causes write performance to go down compared to RAID 5 since it now has more parity calculations to perform. Read speeds are comparable, however.
  - RAID 10 – striping and mirroring
    - Needs 4 drives minimum
    - Nested RAID makes it possible to combine RAID levels, which is what RAID 10 is (it’s RAID 1 + RAID 0). By combining both benefits, we not only get the performance benefits of RAID 0, but we also get the data redundancy of RAID 1. RAID 10 won’t be nearly as fast as RAID 0, but it is faster than all of the other RAID levels we discussed. So RAID 10 is great for use cases where you need very high performance with some data redundancy, but this level does require a minimum of 4 drives which makes it more expensive than RAID 0 and RAID 1.
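To make the parity idea concrete, here is an added example (not code from the original post or its course): a toy RAID 5 array in pure Python that stripes data across drives, writes a rotating XOR parity block per stripe, and rebuilds any single failed drive from the survivors. It also refuses to read once two drives are gone, which is the gap RAID 6's second parity block closes. The chunk size, drive count and sample data are constructed for the demo; real controllers work on much larger chunks, but the XOR arithmetic is the same.

```python
# Added example, not part of the original post: toy RAID 5 with XOR parity.
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together; this single operation is the whole parity scheme."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def parity_drive_for(stripe: int, n_drives: int) -> int:
    """RAID 5 rotates parity across drives so no single disk is a write hotspot.
    RAID 4 would return one fixed drive index here instead."""
    return (n_drives - 1 - stripe) % n_drives


def raid5_write(data: bytes, n_drives: int = 3, chunk: int = 4) -> List[List[bytes]]:
    """Split data into chunks, stripe n_drives - 1 chunks per stripe across the
    data drives, and write their XOR to that stripe's parity drive.
    Returns a list of drives, each drive being a list of blocks (one per stripe)."""
    if n_drives < 3:
        raise ValueError("RAID 5 needs at least 3 drives")
    per_stripe = (n_drives - 1) * chunk
    padded = data + b"\x00" * (-len(data) % per_stripe)  # pad the last stripe
    drives: List[List[bytes]] = [[] for _ in range(n_drives)]
    for s in range(len(padded) // per_stripe):
        stripe = padded[s * per_stripe:(s + 1) * per_stripe]
        pieces = [stripe[i * chunk:(i + 1) * chunk] for i in range(n_drives - 1)]
        pdrive = parity_drive_for(s, n_drives)
        pieces_iter = iter(pieces)
        for d in range(n_drives):
            drives[d].append(xor_blocks(pieces) if d == pdrive else next(pieces_iter))
    return drives


def raid5_read(drives: List[Optional[List[bytes]]], length: Optional[int] = None) -> bytes:
    """Read the data back. A drive passed as None is treated as failed; each of
    its blocks is rebuilt as the XOR of every other block in the same stripe."""
    n = len(drives)
    failed = [d for d, blocks in enumerate(drives) if blocks is None]
    if len(failed) > 1:
        raise RuntimeError(f"{len(failed)} drives lost: RAID 5 survives only one (RAID 6 survives two)")
    n_stripes = len(next(blocks for blocks in drives if blocks is not None))
    out = bytearray()
    for s in range(n_stripes):
        blocks = [None if drives[d] is None else drives[d][s] for d in range(n)]
        if failed:
            f = failed[0]
            blocks[f] = xor_blocks([b for i, b in enumerate(blocks) if i != f])
        pdrive = parity_drive_for(s, n)
        out += b"".join(blocks[d] for d in range(n) if d != pdrive)
    result = bytes(out)
    return result if length is None else result[:length]


def fail_drive(drives: List[Optional[List[bytes]]], index: int) -> List[Optional[List[bytes]]]:
    """Simulate losing one drive: its block list becomes None."""
    return [None if d == index else blocks for d, blocks in enumerate(drives)]


if __name__ == "__main__":
    sample = b"Security+ SY0-601: parity beats mirroring on cost"  # constructed input
    array = raid5_write(sample, n_drives=4)
    for lost in range(4):
        assert raid5_read(fail_drive(array, lost), len(sample)) == sample
    print("any single drive can be lost and rebuilt from XOR parity")
```

The capacity point from the cheat sheet falls out of the layout: with four drives, three hold data in every stripe and one holds parity, so parity costs one drive's worth of space no matter how many drives you add, while mirroring always costs half.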
Question #2
The second question is asking you to match protocols to their commonly used ports.
Answers
- LDAP 389
- LDAPS 636
- SMB 139
- Kerberos 88
- HTTPS 443
- HTTP 80
- SSH 22
- RDP 3389
Explanation
There’s not much to explain here beyond the fact that you just need to memorize common protocols and ports, because you will be quizzed on them in the exam. Make some flashcards!
Question #3
The third question provides a scenario and asks you to match it to the BEST fitting threat/attack.
Answers
- One of your colleagues received an email with an interesting attachment, so they opened it to see what it was. Whatever was in the attachment started to immediately spread to the Intranet at a rapid pace. Worm.
- An employee downloaded software from the Internet, and a short while later, your monitoring systems started picking up strange inbound and outbound connections. RAT.
- A customer support employee at your organization reported that they received a strange call earlier in the day. The caller was asking personal questions about another user’s account. Vishing.
- A political party publicly launched a website landing page to accept donations for their campaign. Within hours, a large number of random requests begin to overwhelm the landing page. Botnet.
Explanation
Worm
Best match: One of your colleagues received an email with an interesting attachment, so they opened it to see what it was. Whatever was in the attachment started to immediately spread to the Intranet at a rapid pace.
Explanation: A worm is malware that has one main purpose: to spread. By introducing a worm to the Intranet, it can exploit vulnerabilities (in the OS, network devices or configurations, or even in applications installed on systems) to spread very quickly. For that reason, devices infected with worms should be quarantined to avoid further infection.
Source: Worm lesson
RAT
Best match: An employee downloaded software from the Internet, and a short while later, your monitoring systems started picking up strange inbound and outbound connections.
Explanation: RAT stands for Remote Access Trojan, which is a trojan malware designed to provide the attacker with remote access to the target’s system. Once the RAT has infected the machine, unless something prevents the connection from being made, the attacker will have access until it is revoked.
Source: RAT lesson
Vishing
Best Match: A customer support employee at your organization reported that they received a strange call earlier in the day. The caller was asking personal questions about another user’s account.
Explanation: Vishing is a type of social engineering attack that tries to gain information over the phone, or other voice communication.
Source: Vishing lesson
Botnet
Best Match: A political party publicly launched a website landing page to accept donations for their campaign. Within hours, a large number of random requests begin to overwhelm the landing page.
Explanation: Botnets are networks of bots that have been infected and that can be centrally and remotely controlled. Botnets are used for many purposes, including performing DDoS (Distributed Denial of Service) attacks, which are designed to cause public services to stop serving legitimate requests.
Source: DDoS and Botnet lessons
Question #4
The fourth question asks you to rank in order of volatility (from most to least) in order to collect evidence after an incident has occurred.
Answer
- CPU registers
- Routing table
- Temporary file system
- SSDs
Explanation
These are not the only options the exam might include, so you need to familiarize yourself with these (in that order):
- registers, cache
- routing table, ARP cache, process table, kernel statistics, memory
- temporary file systems
- disk
- remote logging and monitoring data that is relevant to the system in question
- physical configuration, network topology
- archival media
Source: https://datatracker.ietf.org/doc/html/rfc3227#section-2.1
Question #5
An incident has occurred — what do you do first? second? third? etc…
Answer
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
Explanation
Source: https://cybersecurity.att.com/blogs/security-essentials/incident-response-steps-comparison-guide
Note: this is the SANS process. The NIST process is a tad different in its wording (but essentially the same):
- Preparation
- Detection & Analysis
- Containment
- Eradication & Recovery
- Post-Incident Activity
- Coordination
Get ready to pass the CompTIA Security+ Exam
We spent months developing our CompTIA Security+ certification preparation course to make it high-quality and highly engaging. Check out sample lessons here.
When do these get updated? Took Security+ and simulations are different
Hi, did you take the 701? If so, that could be why. If not, please explain what you mean by different. Not all of the PBQs will follow the exact same format or questions, since we can’t break NDA