Exam SY0-701 topic 1 question 315 discussion

Actual exam question from CompTIA's SY0-701
Question #: 315
Topic #: 1

A company's online shopping website became unusable shortly after midnight on January 30, 2023. When a security analyst reviewed the database server, the analyst noticed the following code used for backing up data:



Which of the following should the analyst do next?

  • A. Check for recently terminated DBAs.
  • B. Review WAF logs for evidence of command injection.
  • C. Scan the database server for malware.
  • D. Search the web server for ransomware notes.
Suggested Answer: A

Comments

Cee007
Highly Voted 6 months, 1 week ago
Selected Answer: A
A. Check for recently terminated DBAs. The code indicates that the database was intentionally dropped based on a specific date, which suggests that someone with access and knowledge of the database setup (such as a database administrator) may have executed or scheduled this command. Checking for recently terminated DBAs could help identify if an insider threat or an ex-employee had a role in this incident.
upvoted 8 times
...
myazureexams
Highly Voted 5 months, 4 weeks ago
Selected Answer: B
The answer is B. Based on the provided scenario, the security analyst should prioritize reviewing Web Application Firewall (WAF) logs for evidence of command injection. The unusual database command suggests an unauthorized change, possibly through an injection attack. Checking for recently terminated DBAs is less relevant in this situation.
upvoted 5 times
...
Commando9800
Most Recent 4 days, 16 hours ago
Selected Answer: B
The best action is to check WAF logs first to determine it's not an external command injection attack. After that A is the go-to.
upvoted 1 times
...
CSue
1 month ago
Selected Answer: A
Why not B? Review WAF logs for evidence of command injection: This is unnecessary in this case because the malicious code is already in the database, indicating insider action rather than external exploitation via command injection.
upvoted 1 times
...
dbrowndiver
1 month, 3 weeks ago
Selected Answer: A
The given SQL code (DROP DATABASE) appears to be intentionally destructive, as it specifies a condition (IF DATE() = "01/30/2023") to delete the primary database on a specific date. Such activity is often indicative of an insider threat, particularly by someone who had privileged access to the database, such as a Database Administrator (DBA). The first step is to investigate whether a disgruntled employee or recently terminated DBA inserted this malicious code into the backup process.
upvoted 1 times
...
bluekb
2 months, 1 week ago
Selected Answer: A
Answer should be A. The analyst found a logic bomb in the database backup code, most likely in a job running on the server on schedule. Most likely this job was created by the DBA. SQL injection code typically uses special command characters to comment out the normally run code.
upvoted 2 times
...
laternak26
2 months, 3 weeks ago
Selected Answer: B
The WAF logs could provide valuable information on malicious requests or attempts to exploit such vulnerabilities, especially command injection.
upvoted 1 times
...
PAWarriors
6 months ago
Selected Answer: B
B. Review WAF logs for evidence of command injection. The code provided (DROP DATABASE WebShopOnline) suggests that the database was deliberately dropped on a specific date (January 30, 2023). This could potentially be the result of a command injection attack, where an attacker inserts malicious code to manipulate or destroy the database.
upvoted 2 times
...
17f9ef0
6 months, 1 week ago
Selected Answer: B
Answer is B
upvoted 1 times
...
a4e15bd
6 months, 1 week ago
Selected Answer: B
While insider threats are always a possibility, the structure of the code suggests an automated or external trigger, rather than an action by a disgruntled employee. A terminated DBA would likely have direct access to drop the database rather than making such a time-specific command. Attackers use SQL injection to execute commands like DROP Database remotely through vulnerable interfaces. So B, reviewing the WAF logs for evidence of command injection, is the correct answer.
upvoted 1 times
...
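The thread splits between reading the date-triggered DROP DATABASE as an insider-planted logic bomb in the scheduled backup job (Cee007, bluekb, dbrowndiver) and looking for evidence of external injection (myazureexams, a4e15bd). The Python below is an added example, not code from this page or from CompTIA, that makes both checks concrete: it scans job scripts for destructive statements and labels a fixed-date guard as the logic-bomb pattern, labels the unbalanced-quote-plus-trailing-comment shape that bluekb describes as injection-style input (the kind of payload you would expect in web or WAF request logs rather than in a stored job), and correlates job-history rows with an HR offboarding list, which is option A as a concrete query. Every script, job row, account name and field name is constructed for the example; the job-history fields are assumed and do not come from any DBMS catalog.

```python
"""Triage helpers for a date-triggered DROP DATABASE found in a backup job.

Added example, not code from the ExamTopics page or from CompTIA. Everything
below (scripts, job-history rows, account names, field names) is constructed
sample data; the job-history field names are assumed, not any DBMS catalog.
"""
import re
from datetime import date
from typing import Dict, List

# Statements that destroy data outright. BACKUP DATABASE deliberately does not match.
DESTRUCTIVE = re.compile(r"\b(DROP\s+(DATABASE|TABLE)|TRUNCATE\s+TABLE)\b", re.I)

# A guard comparing the current date with a fixed literal, e.g.
#   IF DATE() = '01/30/2023'   or   WHERE CURRENT_DATE = '2023-01-30'
# That is the logic-bomb shape: the job runs every night but only fires once.
DATE_GUARD = re.compile(
    r"\b(IF|WHEN|WHERE)\b[^;\n]*?"
    r"(DATE\(\)|GETDATE\(\)|CURRENT_DATE|NOW\(\)|SYSDATE)"
    r"[^;\n]*?[\'\"]?(\d{2}/\d{2}/\d{4}|\d{4}-\d{2}-\d{2})[\'\"]?",
    re.I,
)
TRAILING_COMMENT = re.compile(r"--|#|/\*")


def classify_script(script: str) -> List[dict]:
    """Return one finding per destructive statement, with a verdict:
    'logic-bomb'      : guarded by a fixed-date comparison within 3 lines
    'injection-style' : odd number of quotes on the line plus a trailing comment,
                        i.e. a payload that closes the application's string
                        literal and comments out the rest of the query
    'unconditional'   : destructive but unguarded; review, not necessarily hostile
    """
    findings = []
    guard_line = None  # line number of the most recent fixed-date guard
    for idx, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("--"):
            continue
        if DATE_GUARD.search(line):
            guard_line = idx
        m = DESTRUCTIVE.search(line)
        if not m:
            continue
        if guard_line is not None and idx - guard_line <= 3:
            verdict = "logic-bomb"
        elif line.count("'") % 2 == 1 and TRAILING_COMMENT.search(line[m.end():]):
            verdict = "injection-style"
        else:
            verdict = "unconditional"
        findings.append({"line": idx,
                         "statement": " ".join(m.group(0).split()).upper(),
                         "verdict": verdict})
    return findings


# Constructed sample inputs. The last one is a request parameter as a web or WAF
# log would record it, not a job script; it is here to show the contrast.
SAMPLE_SCRIPTS: Dict[str, str] = {
    "nightly_backup.sql": (
        "-- routine nightly backup (constructed sample)\n"
        "BACKUP DATABASE WebShopOnline TO DISK = '/backups/webshop.bak';\n"
        "DROP TABLE tmp_export; -- clear the staging table\n"
    ),
    "backup_with_bomb.sql": (
        "BACKUP DATABASE WebShopOnline TO DISK = '/backups/webshop.bak';\n"
        "IF DATE() = '01/30/2023'\n"
        "    DROP DATABASE WebShopOnline;\n"
    ),
    "waf_request.txt": "search=shoes'; DROP DATABASE WebShopOnline; --\n",
}

# Constructed job-history rows (field names assumed) and HR offboarding list.
SAMPLE_JOBS = [
    {"job": "nightly_backup", "owner": "svc_backup", "modified_by": "svc_backup",
     "modified_on": date(2022, 10, 2)},
    {"job": "nightly_backup", "owner": "svc_backup", "modified_by": "jdoe_dba",
     "modified_on": date(2023, 1, 12)},
]
OFFBOARDED = {"jdoe_dba": date(2023, 1, 15)}  # account -> termination date


def jobs_touched_by_departed_accounts(jobs, offboarded, incident: date,
                                      lookback_days: int = 90) -> List[dict]:
    """Job-history rows owned or modified by a departed account within the lookback."""
    hits = []
    for job in jobs:
        age = (incident - job["modified_on"]).days
        if not 0 <= age <= lookback_days:
            continue
        for acct in sorted({job["owner"], job["modified_by"]} & set(offboarded)):
            hits.append({"job": job["job"], "account": acct,
                         "modified_on": job["modified_on"],
                         "terminated_on": offboarded[acct],
                         "days_before_termination": (offboarded[acct] - job["modified_on"]).days})
    return hits


if __name__ == "__main__":
    for name, text in SAMPLE_SCRIPTS.items():
        for f in classify_script(text):
            print(f"{name}:{f['line']}: {f['statement']} -> {f['verdict']}")
    for h in jobs_touched_by_departed_accounts(SAMPLE_JOBS, OFFBOARDED, date(2023, 1, 30)):
        print(h)
```

The two verdicts answer different questions: a logic-bomb finding in the stored job points at whoever could write to that job (the insider path the A voters describe), while an injection-style payload would show up in request logs rather than in the job definition, which is what the B voters are proposing to confirm or rule out. Run both; the one that returns evidence decides the next step.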
Community vote distribution: A (35%), C (25%), B (20%), Other
