1102 - Security Flashcards

1
Q
  1. What type of security device often incorporates RFID technology to grant personnel access to
    secure areas or resources?
    A. Smartcard
    B. Security token
    C. Access control vestibule
    D. Key fob
A
  1. A. A smartcard is a type of badge or card that gives the holder access to resources, including
    buildings, parking lots, and computers. It contains information about your identity and
    access privileges. Each area or computer has a card scanner or a reader in which you insert
    your card. Radio frequency identification (RFID) is the wireless, no-contact technology used
    with these cards and their accompanying reader. A security token is something you have that
    is used to verify your identity; it can be a software or a hardware token. An access control
    vestibule is an area between two doors, often with a security camera. The second door grants
    access to a secure area. A key fob is a small device used in two-factor identification. It can
    generate a number or have software on it that is read to gain access.
2
Q
  1. You are configuring a wireless network for a small office. What should you enable for the
    best encryption possible for network transmissions?
    A. WPS
    B. WEP
    C. WPA
    D. WPA3
A
  1. D. There are generally four wireless encryption methods available. From least to most secure,
    they are Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and two newer versions of WPA called WPA2 and WPA3. WPA3 is the most secure and should be used unless
    strange circumstances prevent you from doing so, because WPA and WPA2 are no longer
    secure. WPS is an easy way to configure Wi-Fi for devices like printers, where a number
    would be generated on a printer, for example, and the number would need to be entered on
    the access point, or vice versa. WPS has security flaws and is not listed in the CompTIA A+
    exam objectives.
3
Q
  1. Which types of security threats involve the attacker attempting to directly contact a potential
    victim? (Choose two.)
    A. Spoofing
    B. Phishing
    C. Social engineering
    D. Brute-force attacking
A
  1. B, C. Social engineering is a process in which an attacker attempts to acquire information
    about your network and system by social means, such as talking to people in the organization, shoulder surfing, tailgating, or other methods. When this is done via email or instant
    messaging, it’s called phishing. Spoofing involves pretending to be a trusted resource—for
    example, by using a trusted resource’s IP address to gain access to something else. A brute-force attack usually involves software that keeps trying passwords or codes until it hits upon
    the right one to gain access.
4
Q
  1. An employee uses their security badge to enter the building through a secured door. Another
    person tries to enter the building behind them before the door closes without swiping a
    badge. What type of behavior is the second person demonstrating?
    A. Shoulder surfing
    B. On-path attack
    C. Brute-force
    D. Tailgating
A
  1. D. Tailgating refers to being so close to someone when they enter a building that you can
    come in right behind them without needing to use a key, a card, or any other security device.
    Using an access control vestibule, which is a device such as a small room that limits access to
    one or a few individuals, is a great way to stop tailgating. Revolving doors can also help prevent tailgating. Shoulder surfing is walking behind someone hoping to see passwords or other
    security information they may be entering. On-path attacks occur when your data transmissions are intercepted by someone en route, then forwarded on to their destination, sometimes
    with changes, sometimes without. A brute-force attack usually involves software that keeps
    trying passwords or codes until it hits upon the right one to gain access.
5
Q
  1. You have a Windows domain network and want to ensure that users are required to meet
    password complexity requirements. What is the best way to implement this on the network?
    A. Use a firewall.
    B. Use a VPN.
    C. Use Group Policy.
    D. Use DLP.
A
  1. C. In a Windows domain, password policies can be configured at the domain level using
    Group Policy Objects (GPOs). There are hundreds of variables that can be configured. Variables that can be configured relating to passwords include password complexity and length
    and the time between allowed changes to passwords, and a lockout policy for failed access
    attempts. A firewall can be configured to block certain types of traffic based on things like IP
    address, protocol, or MAC address. A VPN (virtual private network) is a secure path between
    a local and a remote device. Data loss prevention (DLP) is the process of monitoring and
    identifying sensitive data to make sure it is accessed only by authorized persons.
6
Q
  1. A user on your network reported that their screen went blank and a message popped up.
    It’s telling them that their files are no longer accessible, and if they want them back, they
    need to enter a credit card number and pay a $200 fee. Which type of malware has infected
    this system?
    A. Rootkit
    B. Ransomware
    C. Trojan
    D. Spyware
A
  1. B. With ransomware, software, often delivered through a Trojan, takes control of a system
    and demands that a third party be paid. The “control” can be accomplished by encrypting
    the hard drive, by changing user password information, or via any of several other creative
    ways. Users are usually assured that by paying the extortion amount (the ransom), they will
    be given the code needed to revert their systems to normal operations. Even among malware, ransomware is particularly nasty. A rootkit is software that gains access to a system as
    administrator, giving it full control over a system. Rootkits are adept at hiding their presence
    and are difficult to eradicate. A Trojan is named after the Trojan horse of mythology. Trojans
    are malicious software that hides in that fun game or screen saver that you just downloaded,
    and it installs when you install the innocent-looking files. Spyware is designed to watch what
    you do and where you go, hoping to gain information such as logins and passwords, and
    bank account numbers.
7
Q
  1. On a Windows 10 workstation, there are two NTFS volumes. The Managers group has
    Modify access to the D:\mgmt directory. You move the folder to the D:\keyfiles folder,
    to which the Managers group has Read access. What level of permissions will the Managers
    group have to the new D:\keyfiles\mgmt directory?
    A. Full Control
    B. Modify
    C. Read & Execute
    D. Read
A
  1. B. When you move a file or folder on the same NTFS volume, it will keep its original permissions. If you copy it or move it to a different volume, it will inherit permissions from its new
    parent directory.
8
Q
  1. You are configuring a router for a small office network. The network users should be able
    to access regular and secure websites and send and receive email. Those are the only connections allowed to the Internet. Which security feature should you configure to prevent additional traffic from coming through the router?
    A. MAC filtering
    B. Content filtering
    C. Port forwarding/mapping
    D. Port security/disabling unused ports
A
  1. D. Port security involves disabling all unneeded protocols/ports. In this case, ports 80 and
    443 are needed for HTTP and HTTPS access, and ports 25, 110, 143, 465 or 587 may be
    needed for email. That’s it. If you don’t need them, remove the additional protocols, software,
    or services, or prevent them (disable them, or block them, as the setting is typically called on
    a router) from loading. Ports left open but not in use present an open door for an attacker to
    enter. MAC filtering is an option on most routers that will only allow devices with specific
    MAC addresses to access the router. Content filtering blocks undesirable traffic such as social
    media or hate sites on a corporate network. Port forwarding/mapping will send all traffic
    that comes in on a specified port number to a specific node on the network.
9
Q
  1. You have installed Windows 11 Pro on a workstation. For better security, which user account
    should you ensure is disabled?
    A. Administrator
    B. DefaultAccount
    C. Power User
    D. Guest
A
  1. D. When Windows is installed, one of the default accounts it creates is Guest, and this represents a weakness that can be exploited by an attacker. While the account cannot do much, it
    can provide initial access to a system, and the attacker can use that to find another account
    or acquire sensitive information about the system. To secure the system, disable all accounts
    that are not needed, especially the Guest account, which is disabled by default. The Administrator account should be renamed. If a hacker knows a valid username, then they are halfway
    into your system. The DefaultAccount is an account that is managed by the system and is disabled by default. Power User is not an account that is installed with Windows 11, but there is
    a Power Users group that is kept for backward compatibility.
10
Q
  1. Which type of network attack involves an intermediary hardware device intercepting data
    and altering it or transmitting it to an unauthorized user?
    A. On-path attack
    B. Non-compliant system
    C. Zombie/botnet
    D. Spoofing
A
  1. A. On-path attacks clandestinely place something (such as a piece of software or a rogue
    router) between a server and the user, and neither the server’s administrator nor the user is
    aware of it. The on-path attack intercepts data, then sends the information to the server as if
    nothing is wrong. The on-path attack software may be recording information for someone
    to view later, altering it, or in some other way compromising the security of your system and
    session. A noncompliant system is one that is not in line with acceptable security policies and
    procedures. Zombie and botnet are attacks where the user of the computer doesn’t know
    there is malware on their computer. Their computer is a zombie, and when many zombies are
    used to attack a system, it’s known as a botnet attack. Spoofing occurs when another system
    pretends or appears to be a trusted system.
11
Q
  1. What does NTFS use to track users and groups and their level of access to resources?
    A. ACLs
    B. Tokens
    C. Badges
    D. Control rosters
A
  1. A. With NTFS, each file, directory, and volume can have its own security. NTFS tracks security in access control lists (ACLs) for each resource. The ACL will contain the user or group
    name and the level of access they have been granted. The basic permissions to choose from
    are Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. There are
    also special permissions and settings that can be applied. A token is software or hardware
    that is used in multifactor authentication and falls under the category of something that a
    user has. Badges may use RFID or other technology that is read to allow physical entry to a
    secure area. Control rosters are used in areas that have security guards and contain a list of
    people who are allowed to enter.
12
Q
  1. You have created a user account for a contract employee on a Windows 11 PC. The contractor will be with the company for one month. Which user group should this user’s account
    be placed in?
    A. Power Users
    B. Administrators
    C. Standard Users
    D. Guest
A
  1. D. The Guest account is created by default (and should be disabled) and is a member of the
    Guests group. For the most part, members of Guests have the same rights as Users except
    they can’t access log files. The best reason to put a user in the Guests group is that they need
    to access the system only for a limited time. There is no group named Standard Users by default.
    There are groups created automatically called Users, Administrators, Power Users, Guests,
    and a few others. The Power Users group is kept for backward compatibility, but they are the
    same as someone in the Users group. Administrators have complete control over the systems
    that they are an administrator on.
13
Q
  1. On your network, there are multiple systems that users need to access, such as a Windows
    domain, a cloud site for storage, and order processing software. You want to configure
    the network such that users do not need to remember separate usernames or passwords
    for each site; their login credentials will be good for different systems. Which technology
    should you use?
    A. EFS
    B. MDM
    C. SSO
    D. UAC
A
  1. C. One of the big problems larger networks must deal with is the need for users to access
    multiple systems or applications. This may require a user to remember multiple accounts and
    passwords. The purpose of single sign-on (SSO) is to give users access to all the applications
    and systems that they need when they log on. Some of the systems may require users to enter
    their credentials again, but the username and password will be consistent between systems.
    EFS is the Encrypting File System used to encrypt volumes, files, and folders in Windows OSs.
    MDM is mobile device management, which allows an IT department to retain some control
    even though users employ BYOD (Bring Your Own Device). UAC is user account control,
    which verifies that someone has the authority to change a Windows system before making
    any changes.
14
Q
  1. A user discovers a strange text file at the root of their user directory. It contains everything
    they have typed over the past few days, including their credentials. What is the likely cause of
    the text file?
    A. System auditing enabled
    B. Keylogger installed
    C. Email application in debug mode
    D. Backup file
A
  1. B. A keylogger seems to be running on the system, monitoring and copying all that is typed
    on the keyboard. Obviously, this malware needs to be removed and incident response
    steps taken.
15
Q
  1. What security solution would protect a user from unwanted network traffic probing their
    workstation?
    A. Software firewall
    B. Antiphishing training
    C. Anti-malware
    D. Antivirus
A
  1. A. A software-based firewall on the workstation would be able to stop unwanted network traffic, including port scans and probes. Antiphishing training teaches users to avoid
    malicious emails. Anti-malware and antivirus are software designed to recognize and quarantine or eradicate malicious code.
16
Q
  1. A user wants to use multifactor authentication at their PC but does not want to carry a key
    fob and is strongly against biometrics. What method can you suggest?
    A. Second password
    B. Hardware token
    C. Software token
    D. Fingerprint reader
A
  1. C. The software token is stored on a general-purpose device, such as the PC or a smartphone. The hardware token option would involve carrying an added key fob or device. A fingerprint reader would be unacceptable as it involves biometrics. A second password defeats
    the benefit of using multifactor authentication.
17
Q
  1. What wireless protocol used in WPA compensates for the weak encryption of WEP?
    A. VLAN
    B. TKIP
    C. VPN
    D. AES
A
  1. B. Temporal Key Integrity Protocol (TKIP) is an encryption protocol used in WPA (Wi-Fi
    Protected Access) for wireless connections. It was intended to replace WEP’s weak encryption
    by creating a unique key for each data frame. It has since been subject to wireless
    attacks and is not considered acceptable for big business. A VLAN (virtual LAN) occurs
    when devices from multiple LANs are joined together virtually and can act as if they are on the same physical network even though they are not. A VPN (virtual private network) is
    similar because it creates a private tunnel through a public network using encryption protocols. A VPN might be used by someone working remotely to access a corporate server. AES
    (Advanced Encryption Standard) is the successor to TKIP. AES and TKIP work together in
    WPA2 (WPA, version 2).
18
Q
  1. Which of the following Active Directory concepts can help enforce security settings?
    (Choose two.)
    A. EFS
    B. Group Policy/updates
    C. Port security
    D. Login scripts
A
  1. B, D. Group Policy/updates and login scripts are common ways to push and enforce security settings on Active Directory objects. EFS is the Encrypting File System, which is used to
    encrypt volumes, files, and folders. Port security means opening or closing ports on a router
    to control what type of packets traverse the router.
19
Q
  1. What protocol was designed to authenticate remote users to a dial-in access server?
    A. TKIP
    B. TACACS+
    C. VPN
    D. RADIUS
A
  1. D. RADIUS (Remote Authentication Dial-in User Service) was originally designed to authenticate remote users to a dial-in access server but is now used in several authentication situations. TKIP is a wireless encryption protocol used in WPA (Wi-Fi Protected Access) which
    made WPA more robust/secure than WEP (Wired Equivalent Privacy). TACACS+ (Terminal
    Access Controller Access-Control System) is an authentication protocol for centralized
    authentication, and a VPN (virtual private network) uses encryption to create a private connection using a public network.
20
Q
  1. What 128-bit block encryption that uses an encryption key of 128, 192, or 256 bits is used in
    WPA2 and is more secure than TKIP?
    A. AES
    B. VPN
    C. RADIUS
    D. Kerberos
A
  1. A. AES (Advanced Encryption Standard) is used in WPA2 (Wi-Fi Protected Access, version 2). VPN is a virtual private network that transmits data across a public network using
    encryption. RADIUS (Remote Authentication Dial-In User Service) and Kerberos are both
    authentication protocols.
21
Q
  1. A user is complaining that they can no longer sign into their account because of too many
    bad attempts. What basic Active Directory function is at work here?
    A. Failed login attempts restrictions
    B. Antivirus/anti-malware
    C. A bollard
    D. A rootkit
A
  1. A. Using Active Directory settings or the Local Group Policy Editor, you can restrict the
    number of failed login attempts before the user is locked out of their account. This is important to help prevent a brute-force attack, which attempts to guess passwords until it hits
    upon the right one. Antivirus/anti-malware is important to have and identifies malicious software based on its signature code but is not at work here. A bollard is a physical post to block
    vehicular traffic, and a rootkit is a particularly difficult malware to eradicate because it is
    working with administrator rights and it’s good at hiding in a system.
22
Q
  1. What concept in Active Directory creates a directory subdivision within which may be placed
    users, groups, computers and other objects?
    A. User
    B. Domain
    C. Organizational unit
    D. Home folder
A
  1. C. The organizational unit (OU) is a subdivision within which may be placed users, groups,
    more OUs, and other objects. The OU exists on a domain, which is a group of users and
    resources under a single administrative control. Windows domains are managed by software called Active Directory. Active Directory is organized into organizational units, usually for security purposes. A home folder is where an individual user stores their documents
    and such, and in a Windows domain, that location is usually on the domain controller or
    another server.
23
Q
  1. Which of the following authentication encryption protocols is older than the others and was
    developed by Cisco but became an open protocol in the 1990s and can be found on Linux
    distributions?
    A. AES
    B. TACACS+
    C. Kerberos
    D. RADIUS
A
  1. B. TACACS+ is an authentication protocol developed by Cisco that is now an open standard.
    It separates the AAA (authentication, authorization, and accounting) packets and encrypts
    them. It was released in 1993 and RADIUS (Remote Authentication Dial-In User Service) is
    an authentication protocol that was released in 1997. Kerberos is an open source authentication protocol that has been around since the 1980s. AES (Advanced Encryption Standard),
    which is for wireless encryption and not authentication, has been around since 2001 and is
    the successor to TKIP (Temporal Key Integrity Protocol).
24
Q
  1. Your data center recently experienced a theft of a server from the rack. Which security mechanisms would protect servers from future theft? (Choose two.)
    A. Equipment locks
    B. Security token
    C. Alarm systems
    D. Hard token
A
  1. A, C. An equipment lock would slow down a would-be thief, and alarm systems often send
    thieves looking for an easier mark. A security token is involved in multifactor authentication,
    and a hard token is one of two types of security tokens, the other being a soft token.
25
Q
  1. What other security devices are often employed in an access control vestibule? (Choose two.)
    A. Bollard
    B. Motion sensors
    C. Guards
    D. Video surveillance
A
  1. C, D. Often an access control vestibule will have either a security guard, or video surveillance, or both. Once in the vestibule the second door could be opened remotely by someone
    watching through the surveillance camera or by a guard who personally clears the person trying to gain access. A bollard is a post used to block vehicular traffic. A motion sensor detects
    movement and is often used to trigger an alarm, turn on a light, or turn on a camera, or a
    combination of those.
26
Q
  1. Normally, a company places a user’s profile and folders on the local machine. Now, the organization would like a few users to be able to log in from other computers. What concept in
    Active Directory allows a user’s profile folders to be placed in storage somewhere else on
    the network?
    A. Home folder
    B. Folder redirection
    C. Organizational unit
    D. VPN
A
  1. B. Folder redirection allows users’ profile folders to be stored off a local machine and instead
    placed in a more centralized location on the network. A profile stored this way is called a
    roaming profile. The home folder is the specific location where a user’s documents and such
    are stored. An organizational unit is a management tool that can be used to organize Active
    Directory resources and can contain users, computers, and other resources. A VPN (virtual
    private network) is created across a public network by using strong encryption protocols.
26
Q
  1. What wireless encryption protocol replaced WPA and uses both TKIP, for backward compatibility, and AES?
    A. WEP
    B. WPA2
    C. WPA3
    D. RADIUS
A
  1. B. WPA2 (Wi-Fi Protected Access, version 2) replaced WPA, which had replaced WEP (Wired
    Equivalent Privacy). WEP was the first wireless security protocol. WPA, which was developed next, used TKIP (Temporal Key Integrity Protocol), and WPA2 uses TKIP and the more
    secure AES (Advanced Encryption Standard). WPA3 was released in 2018 to replace WPA2,
    whose security had been broken. WPA3 also includes better security for the proliferation of
    IoT devices. WPA, WPA2, and WPA3 all have personal and enterprise options.
27
Q
  1. When should OS and application patches be applied to a system to prevent it from becoming
    vulnerable?
    A. Every 6 months
    B. Every 3 months
    C. Once a month
    D. As soon as they are available
A
  1. D. Operating system (OS) and application patches may fix vulnerabilities in the software and
    should be applied as soon as possible after they are released. In a corporate environment it
    would likely be best to test them in a sandbox first to avoid any problems. On a Windows
    PC, the Windows Update utility is used to manage the process for you.
28
Q
  1. Which type of security solution generally functions as a packet filter and can perform stateful
    inspection?
    A. VPN
    B. EFS
    C. Antivirus/anti-malware
    D. Firewall
A
  1. D. Firewalls are among the first lines of defense in a network. They can be hardware firewalls or software firewalls and can exist on several layers of a network. The basic purpose
    of a firewall is to isolate one network from another or one network node from another.
    Firewalls function as one or more of the following: packet filter, proxy firewall, or stateful
    inspection firewall. VPN (virtual private network) creates a private network across a public
    one by using encryption protocols. EFS (Encrypting File System) is used to encrypt files and
    folders. Antivirus/anti-malware is used to detect malicious attackers by identifying signature
    lines of code or actions.
29
Q
  1. A user on your network reported that they received a phone call from someone in the IT
    department saying the user needed to reset their password. The caller offered to do it for
    them if the user could provide the IT worker with their current password. What is this most
    likely an example of?
    A. The IT department helping the user to reset their password
    B. A spoofing attack
    C. A social engineering attack
    D. A brute-force attack
A
  1. C. A person in the IT department is not likely to ask for your password. If they want you to
    reset it, they can use software to reset it that will make you choose a new password on next
    login. This is a social engineering attack. Social engineering is using kindness, coercion, or
    fear to get you to give up privileged information such as your password. Spoofing is when
    a website or server, for example, is made to look like a trusted one but in reality there is an
    attacker lurking there. A brute-force attack uses software to repeatedly try different passwords to break into a system.
30
Q
  1. Your corporate IT department has decided that to enhance security they want to draft a mobile device management (MDM) policy to require both a passcode and fingerprint scan to
    unlock a mobile device for use. What is this an example of?
    A. An authenticator application
    B. Biometric authentication
    C. Full-device encryption
    D. Multifactor authentication
A
  1. D. Any time there is more than one authentication method required, it’s multifactor authentication (MFA). In this case, it does involve using biometrics, but the passcode is not a
    biometric factor. An authenticator app can provide a code and be a part of multifactor
    authentication. Authenticator apps run on a device like a smartphone or PC and provide a
    unique key that changes every few seconds. The key proves that you have the smartphone
    or PC in your possession. Full-device encryption could be accomplished with a feature like
    Microsoft’s BitLocker, which encrypts an entire drive including the boot files, or a TPM chip,
    which prohibits accessing a drive if the chip is not present. Multifactor authentication usually requires two of the following four types of inputs: something you know (password),
    something you have (smart token), something you are (biometrics), or somewhere you are
    (GPS or other location services).
31
Q
  1. Several employees at your company have been tailgating to gain access to secure areas.
    Which of the following security methods is the best choice for stopping this practice?
    A. Door lock
    B. Entry control roster
    C. Access control vestibule
    D. ID badges
A
  1. C. Tailgating refers to being so close to someone when they enter a building that you can
    come in right behind them without needing to use a key, a card, or any other security device.
    Using an access control vestibule, which is a device such as a small room that limits access to
    one or a few individuals, is a great way to stop tailgating. With a door lock or ID badge, the
    tailgaters could still follow the other employee in. An entry control roster is merely a list of
    people who are allowed access to an area, and it isn’t much use without a guard to check it.
32
Q
  1. A user has joined your company as a network administrator. Let’s assume their user account
    name is AOShea. What is the recommended way to give AOShea the administrative privileges
    they need?
    A. Add the AOShea user account to the Administrators group.
    B. Create an account called AdminAOShea. Add that account to the Administrators group.
    Have the new administrator use the AOShea account unless they need administrative
    rights, in which case they should use the AdminAOShea account.
    C. Copy the Administrator account and rename it AOShea.
    D. Add the AOShea user account to the Power Users group.
A
  1. B. Adding AOShea to the Administrators group will certainly work, but it’s not the recommended approach. Since members of the Administrators group have such power, they can
    inadvertently do harm (such as accidentally deleting a file that a regular user could not). To
    protect against this, the practice of logging in with an Administrators group account for daily
    interaction is strongly discouraged. Instead, system administrators should log in with a user
    account (lesser privileges) and change to the Administrators group account (elevated privileges) only when necessary.
33
Q
  1. You are designing a security policy for mobile phones on your network. Which of the following is a common method of biometric authentication used with mobile devices?
    A. Fingerprint scan
    B. Retina scan
    C. Swipe lock
    D. DNA lock
A
  1. A. Biometric authentication requires identification of a physical feature of the user, such as
    a fingerprint or palmprint. Mobile devices commonly use your fingerprint to prove who you
    are. Most modern laptops can also use a facial scan to identify you. DNA and retina scanners are considered a form of biometric authentication, but they’re not commonly used today
    with mobile devices. (Imagine your phone needing to collect blood or saliva to authenticate
    you—no thanks!) DNA and facial scans aren’t on the CompTIA A+ objectives yet, but retina
    scanners, fingerprint, and palmprint scanners are. A swipe lock is not a type of biometrics.
34
Q
  1. An administrator is transferring confidential files from one Windows Pro workstation to
    another, using a flash drive. Policy dictates that the files on the flash drive must be encrypted.
    Which technology should be used?
    A. BitLocker
    B. BitLocker To Go
    C. EFS
    D. AES
A
  1. B. BitLocker encrypts an entire drive or volume to protect the files on it, including those
    needed for startup and logon. For removable drives, BitLocker To Go provides the same encryption technology to help prevent unauthorized access to the files stored on them. EFS is the
    Encrypting File System, used to encrypt individual files and folders on an NTFS volume. AES
    is the Advanced Encryption Standard, a symmetric block cipher; it is the algorithm BitLocker
    (and WPA2/WPA3 Wi-Fi) uses under the hood, not a Windows feature you turn on by itself.
35
Q
  1. Which type of security system uses physical characteristics to allow or deny access to locations or resources?
    A. ID badges
    B. Bollards
    C. Biometrics
    D. Tokens
A
  1. C. Biometric devices use physical characteristics to identify the user. Biometric systems
    include fingerprint/palm/hand scanners, retinal scanners, face scanners, and soon, possibly,
    DNA scanners. To gain access to resources, you must pass a physical screening process.
    Bollards are vertical posts to block vehicular traffic. ID badges often use RFID (radio frequency identification) to communicate with a reader and verify your identity. Tokens can be
    either hard (like a key fob) or soft (software on a system) and are often used in multifactor
    authentication.
36
Q
  1. You have just transformed a Windows workgroup into a small domain and are configuring user accounts. Which of the following is considered a best practice for managing user
    account security?
    A. Require every user to log on as a Guest user.
    B. Allow all users Read and Write access to all server files.
    C. Follow the principle of least privilege.
    D. Place all user accounts in the Administrators group.
A
  1. C. When assigning user permissions, follow the principle of least privilege; give users only
    the bare minimum that they need to do their job, nothing more. Another best practice is
    to assign permissions to groups rather than users, and make users members of groups (or
    remove them from groups) as they change roles or positions.
37
Q
  1. A security consultant for your company recommended that you begin shredding or burning
    classified documents before disposing of them. What security risk is the consultant trying to
    protect the company from?
    A. Shoulder surfing
    B. Dumpster diving
    C. Social engineering
    D. Brute-force attack
A
  1. B. Companies normally generate a huge amount of paper, most of which eventually winds
    up in dumpsters or recycle bins. Dumpsters may contain information that is highly sensitive
    in nature, and attackers may seek it out by practicing dumpster diving. In high-security and
    government environments, sensitive papers should be either shredded or burned. Shoulder
    surfing is literally looking over someone’s shoulder to try to see passwords or other sensitive
    information. Social engineering happens any time someone tries to coerce, threaten, or cajole
    someone into giving up privileged security information. A brute-force attack is repeatedly
    trying passwords in an effort to guess the correct one.
38
Q
  1. On the Internet, you get a news flash that the developer of one of your core applications
    found a security flaw. They will issue a patch for it in two days. Before you can install the
    patch, it’s clear that the flaw has been exploited and someone has illegally accessed your network. What type of attack is this?
    A. Zombie/botnet
    B. Non-compliant system
    C. Zero-day attack
    D. Brute-force attack
A
  1. C. When a hole is found in a web browser or other software and attackers exploit it before
    the developer has a patch available, it is known as a zero-day attack (or exploit): the vendor
    has had zero days to fix it. Until the patch ships and is installed, the only protection is a
    compensating control such as disabling the vulnerable feature or blocking the affected service
    at the firewall. Zombie and botnet are attacks where the user of the computer doesn’t know
    there is malware on their computer. Their computer is a zombie, and when many zombies are
    used to attack a system, it’s known as a botnet attack. Noncompliant systems are those whose
    software is not up-to-date or that are not following best practices or corporate restrictions
    and rules. A brute-force attack usually involves software that keeps trying passwords or codes
    until it hits upon the right one to gain access.
38
Q
  1. UserA is a member of the Dev group and the HR group. They are trying to access a local
    resource on an NTFS volume. The HR group has Full Control permission for the payroll
    folder, and the Dev group has Deny Read permission for the same folder. What is UserA’s
    effective access to the payroll folder?
    A. Full Control
    B. Read
    C. Write
    D. Deny
A
  1. D. When NTFS permissions from a user’s different groups conflict, they are combined and
    the most liberal result is granted. The exception is an explicit Deny, which overrides any
    Allow granted through any other group. So although HR’s Full Control would normally give
    UserA everything, the Dev group’s Deny Read means UserA cannot read the payroll folder.
39
Q
  1. Several workstations on your network have not had their operating systems updated in more
    than a year, and your antivirus software is also out-of-date. What type of security threat does
    this represent?
    A. Non-compliant systems
    B. Zombie/botnet
    C. Brute-force attack
    D. Zero-day attack
A
  1. A. The systems are not up-to-date and therefore are more vulnerable to attacks. These systems are considered noncompliant systems. It’s a violation of security best practices to fail
    to keep all software on your network up-to-date. Zombie and botnet are attacks where the
    user of the computer doesn’t know there is malware on their computer. Their computer is a
    zombie, and when many zombies are used to attack a system, it’s known as a botnet attack. A
    brute-force attack usually involves software that keeps trying passwords or codes until it hits
    upon the right one to gain access. A zero-day attack happens when a hole is found in a web
    browser or other software and attackers begin exploiting it the very day it is discovered by
    the developer, before they have time to plug the hole.
40
Q
  1. Which default Windows group was designed to have more power than normal users but not
    as much power as administrators, and is now kept for backward compatibility only?
    A. Superuser
    B. Standard Users
    C. Power Users
    D. Advanced Users
A
  1. C. Microsoft wanted to create a group in Windows that was powerful but not as powerful
    as the Administrators group, which is how the Power Users group came into being. The idea
    was that membership in this group would be given Read/Write permission to the system,
    allowing members to install most software but keeping them from changing key operating
    system files or accessing other users’ data. However, for many current Windows versions, the
    Power Users group now is assigned permissions equivalent to the Standard user, a member
    of the Users group. There is no group called Superuser, or Standard Users, or Advanced Users.
41
Q
  1. You’re at home using a digital security method to connect to your corporate network. This
    security method wraps data in encryption (encapsulating it) to transfer the data across a
    public network (the Internet), and your connection gets a corporate IP address just as if you
    were sitting in the office. What type of connection is this?
    A. VPN
    B. Firewall
    C. BitLocker
    D. EFS
A
  1. A. A virtual private network (VPN) is a private network connection that occurs through a
    public network. VPNs make use of tunneling, which sends private data across a public network by placing (encapsulating) that data into other packets. Even though a VPN is created
    through the Internet or other public networks, the connection logically appears to be part of
    the local network, although the connection will likely be a bit slower than sitting at a PC in
    the office. A firewall is used to filter packets, blocking or accepting them based on the port
    number they use, MAC address, or other criteria. BitLocker is a full-drive encryption utility.
    EFS (Encrypting File System) is used to encrypt volumes, individual files, and folders.
42
Q
  1. Which of the following are advantages of using NTFS permissions over using share permissions? (Choose two.)
    A. NTFS permissions will override share permissions if there is a conflict.
    B. NTFS permissions affect users at the local computer, but share permissions do not.
    C. NTFS permissions are more restrictive in their access levels than share permissions.
    D. NTFS permissions can be set at the file level, but share permissions cannot.
A
  1. B, D. NTFS permissions affect users regardless of whether they are at the local computer or
    accessing the resource across a network. They can also be applied to individual files, whereas
    share permissions can be applied only to folders. One set of permissions is not inherently
    more restrictive than the other, as either type can be used to deny access in a given situation
    (at least when accessing across the network). When NTFS and share permissions affect the
    same folders, the most restrictive permission applies.
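The rules in cards 38 and 42 above (allows from all of a user’s groups are combined, an explicit Deny wins, and over the network the more restrictive of NTFS and share applies) as a small runnable model. This is an added example, not code from the flashcards or from Windows; the ACE tuples, the right names and the sample folders are this example’s own simplification of the real Windows ACE structures, and the group names are constructed.

```python
"""Simplified model of how Windows combines NTFS and share permissions.

Added example (not from the flashcards). An ACE is written as
(principal, "Allow" | "Deny", level); rights are this example's own
simplified names, not the real Windows access mask bits.
"""
from typing import Iterable

# Basic NTFS permission levels expanded to the individual rights they grant
# (simplified; real Full Control also includes take-ownership and more).
NTFS_LEVELS = {
    "Read": {"read"},
    "Read & Execute": {"read", "execute"},
    "Write": {"write"},
    "Modify": {"read", "execute", "write", "delete"},
    "Full Control": {"read", "execute", "write", "delete", "change_permissions"},
}

# Share permissions only come in three levels.
SHARE_LEVELS = {
    "Read": {"read", "execute"},
    "Change": {"read", "execute", "write", "delete"},
    "Full Control": {"read", "execute", "write", "delete", "change_permissions"},
}

ACE = tuple[str, str, str]


def _effective(aces: Iterable[ACE], principals: set[str], levels: dict) -> set[str]:
    """Union every Allow that applies to one of the user's principals, then
    subtract every applicable Deny: an explicit Deny beats any Allow."""
    allowed: set[str] = set()
    denied: set[str] = set()
    for principal, kind, level in aces:
        if principal not in principals:
            continue  # ACE is for a group the user is not a member of
        rights = levels[level]
        if kind == "Allow":
            allowed |= rights
        elif kind == "Deny":
            denied |= rights
        else:
            raise ValueError(f"unknown ACE type {kind!r}")
    return allowed - denied


def effective_ntfs(aces: Iterable[ACE], principals: set[str]) -> set[str]:
    """NTFS permissions apply whether the user is local or on the network."""
    return _effective(aces, principals, NTFS_LEVELS)


def effective_share(aces: Iterable[ACE], principals: set[str]) -> set[str]:
    """Share permissions only matter when the folder is reached via a share."""
    return _effective(aces, principals, SHARE_LEVELS)


def effective_access(ntfs_aces, share_aces, principals, over_network: bool) -> set[str]:
    """Over the network the most restrictive combination wins, which is the
    intersection of the two effective right sets."""
    rights = effective_ntfs(ntfs_aces, principals)
    if over_network:
        rights &= effective_share(share_aces, principals)
    return rights


# Card 38: UserA is in HR (Full Control) and Dev (Deny Read) on the payroll folder.
PAYROLL_NTFS = [("HR", "Allow", "Full Control"), ("Dev", "Deny", "Read")]
USER_A = {"UserA", "HR", "Dev", "Users"}

# Constructed card-42 style scenario: NTFS grants Modify, the share only Read.
REPORTS_NTFS = [("Staff", "Allow", "Modify")]
REPORTS_SHARE = [("Everyone", "Allow", "Read")]
STAFF_USER = {"Staff", "Everyone"}

if __name__ == "__main__":
    print("UserA on payroll:", sorted(effective_ntfs(PAYROLL_NTFS, USER_A)))
    print("Staff, local:", sorted(effective_access(REPORTS_NTFS, REPORTS_SHARE, STAFF_USER, False)))
    print("Staff, via share:", sorted(effective_access(REPORTS_NTFS, REPORTS_SHARE, STAFF_USER, True)))
```

Running it shows `read` missing from UserA’s rights on the payroll folder even though HR’s Full Control includes it, and the Staff user losing `write` and `delete` only when going through the share. On a real system the same answer comes from the Effective Access tab in the folder’s Advanced Security Settings.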
43
Q
  1. Someone has placed an unauthorized wireless router on your network and configured it
    with the same SSID as your network. Users can access the network through that router, even
    though it’s not supposed to be there. What type of security threat could this lead to?
    A. Zombie/botnet
    B. Spoofing
    C. Non-compliant system
    D. On-path attack
A
  1. D. An unauthorized access point with a seemingly legitimate configuration (same SSID as
    the real network) is specifically known as an evil twin. It can lead to on-path attacks, which
    involve clandestinely placing something (such as a piece of software or a rogue router)
    between the user and the server so that neither the user nor the server’s administrator is
    aware of it. The unauthorized device in the middle intercepts the traffic and then forwards it
    to the server as if nothing were wrong. Meanwhile it may be recording the information for
    someone to view later, altering it, or in some other way compromising the security of your
    system and session.
44
Q
  1. You’re working at a high-security server farm and must ensure that vehicles stay a certain
    distance away from the building. What physical security methods can be used for this
    purpose? (Choose two.)
    A. Bollards
    B. Motion sensors
    C. Fences
    D. Lighting
A
  1. A, C. Bollards are vertical posts that are short and sturdy, sometimes made of cement or
    steel. They can be placed closely enough together so that a vehicle can’t go through an area
    but people can. Fences can also be erected to keep vehicles and people out of an area. Motion
    sensors can be used to trigger alarms but won’t actually keep anyone out, and good lighting
    is always a deterrent, but again it won’t physically keep anyone out.
45
Q
  1. Between you and your family members, there are several mobile devices, including phones,
    laptops and smart watches. Someone generally forgets where they put their phone, or it
    may be stolen, and it would be nice to easily find it. In addition, you want to see where
    other family members are when they are around town. Which type of app will allow you
    to do this?
    A. Trusted source app
    B. Remote control app
    C. Locator app
    D. Firewall app
A
  1. C. A locator app is what you need. Apple supplies a free app called Find My, and Google has
    Find My Device; together with their respective websites, they allow multiple mobile devices
    to be located if they are powered on and attached to the Internet (via 5G, 4G, 3G, Wi-Fi,
    Ethernet, and so on). For Apple devices that are not attached to the Internet, nearby Apple
    devices can identify your device and relay where it is. Both Find My and Find My Device also
    allow the device to be controlled remotely to lock it, play a sound (even if the device is
    muted), display a message, or wipe it clean.
46
Q
  1. You need to know which files have been modified in a folder. Which of the following is not a
    way to see when files have been modified?
    A. Right-click each file and choose Properties, and then Advanced to see whether the
    archive bit is set.
    B. Open the folder in File Explorer and click Date Modified to sort the files by the date
    they were last modified.
    C. Type archive at a command prompt.
    D. Type attrib at a command prompt.
A
  1. C. On any individual file or folder you can right-click and choose Properties to see the
    Read-only and Hidden attributes, then click Advanced to see whether the file is ready for
    archiving (needs to be backed up). You can also open a folder in File Explorer and click Date
    Modified to sort the files by the date they were last modified. Simply typing attrib at a
    command prompt will show the file attributes for everything in that folder. Attributes are
    information such as whether the file is a system file (S), hidden (H), read only (R), or ready
    to be archived (A). To see the attributes for a single file, type attrib filename. There is no
    archive command. The attrib command is not in the CompTIA A+ objectives, but file attributes are.
46
Q
  1. Which security mechanism specifies permissions for users and groups as well as the type of
    activities the users or groups can perform?
    A. ACL
    B. EFS
    C. VPN
    D. PIN
A
  1. A. File systems such as NTFS, and security devices such as firewalls, can specify security
    by using access control lists (ACLs). ACLs can hold permissions for local users and groups,
    and each entry in the ACL can also specify what type of access is given. This allows a great
    deal of flexibility in setting up a network. EFS is the Encrypting File System used to encrypt
    volumes, files, and folders, but not entire drives. VPN is a type of network connection that
    uses encryption to create a private network that traverses a public one. PINs (personal
    identification numbers) are used in many applications to identify a user.
47
Q
  1. You want to create a new policy to encrypt all company drives using BitLocker. Which
    operating system will need to be upgraded?
    A. Windows 10 Pro
    B. Windows 11 Home
    C. Windows 11 Pro
    D. Windows 10 for Workstations
A
  1. B. Professional and higher operating system editions in either Windows 10 or Windows
    11 will support BitLocker. Home editions will not, regardless of what version of the Windows operating system they are.
48
Q
  1. Software was installed on a laptop without the user’s knowledge. The software has been
    tracking the user’s keystrokes and has transmitted the user’s credit card information to an
    attacker. What type of threat is this?
    A. Zombie/botnet
    B. Spoofing
    C. Spyware
    D. Ransomware
A
  1. C. Spyware differs from other malware in that it works—often actively—on behalf of a third
    party. Rather than self-replicating, like viruses and worms, spyware is spread to machines
    by users who inadvertently ask for it. The users often don’t know they have asked for it but
    have done so by downloading other programs, visiting infected sites, and so on. The spyware
    program monitors the user’s activity and responds by offering unsolicited pop-up advertisements (sometimes known as adware), gathers information about the user to pass on to
    marketers, or intercepts personal data such as credit card numbers. Zombies and botnets are
    innocent computers that are used to perpetrate an attack on someone else without the user’s
    knowledge. An example of spoofing is using an IP address that belongs to someone else and
    pretending to be them to gain access to a system. Ransomware locks a system in some way or
    encrypts data and won’t allow access until the system’s owner pays a ransom.
48
Q
  1. A new user has joined your company as a network administrator. Which of the following
    statements is most correct regarding their network access?
    A. They should have just one user account, with administrator-level permissions.
    B. They should have just one user account, with standard user-level permissions.
    C. They should have two user accounts: one with user-level permissions and one with
    administrator-level permissions.
    D. They should have three user accounts: one with user-level permissions, one with
    administrator-level permissions, and one with remote access administrator permissions.
A
  1. C. The new administrator should have a nonadministrative account to use for day-to-day
    tasks. They also need an account with administrative privileges to perform the administrative
    duties. When creating user accounts, follow the principle of least privilege: give users only the
    permissions they need to do their work and no more. This is especially true with administrators. Those users should be educated on how each of the accounts should be used.
49
Q
  1. Which types of security threats are direct attacks on user passwords? (Choose two.)
    A. Brute-force
    B. Zombie/botnet
    C. Dictionary attack
    D. Spoofing
A
  1. A, C. Password attacks occur when an account is attacked repeatedly with the intent of
    determining the password that will gain access. This is accomplished by using applications
    designed to break the password by sending possible passwords to the account in a systematic
    manner. Two types of password attacks are brute-force and dictionary attacks. Zombie and
    botnet are attacks where the user of the computer doesn’t know there is malware on their
    computer. Their computer is a zombie, and when many zombies are used to attack a system,
    it’s known as a botnet attack. A spoofing attack is an attempt by someone or something to
    masquerade as someone else. Account lockout or rate limiting blunts both password attacks
    against a live logon, and long passphrases that appear in no wordlist defeat them offline.
50
Q
  1. You read corporate email on your smartphone and do not want others to access the phone if
    you leave it somewhere. What is the first layer of security that you should implement to keep
    others from using your phone?
    A. Multifactor authentication
    B. Full-device encryption
    C. Screen lock
    D. Remote wipe software
A
  1. C. All the options will increase the security of a smartphone. For just the basic level of security, though, enable a screen lock. A user will need to enter a code to gain access to the device.
    It’s typically enough to thwart casual snoops and would-be hackers. Multifactor authentication occurs whenever you need two or more ways to prove who you are (something you
    know, something you have, something you are, or someplace you are). Full-device encryption
    would mean encoding the data and requiring a key to decrypt it. Remote wipe is a feature
    that can be used to remove all the personal or corporate data from a phone even though it is
    lost or stolen.
51
Q
  1. You use your smartphone for email and extensive Internet browsing. You want to add an
    additional level of security to always verify your identity online when accessing various
    accounts. Which type of app do you need?
    A. Authenticator app
    B. Trusted source app
    C. Biometric authenticator app
    D. Account encryption app
A
  1. A. An authenticator app can help securely verify your identity online, regardless of the
    account you want to log into. Different apps work in different ways, but the general
    procedure is that the app will generate a random code for you to type along with your
    username and password. The random code helps identify you and tells the site you are logging into that you really are who you say you are. The other options are not actual application types.
52
Q
  1. Which type of malware is designed to look like a different program and, when installed, creates a back door for an attacker to access the target system?
    A. Trojan
    B. Spyware
    C. Virus
    D. Whaling
A
  1. A. Trojans are programs that enter a system or network under the guise of another program.
    A Trojan may be included as an attachment or as part of an installation program. The Trojan
    can create a back door or replace a valid program during installation. It then accomplishes
    its mission under the guise of another program. A Trojan is named after the Trojan horse of
    mythology. Spyware watches what you do and reports back to someone. A virus is spread
    from computer to computer because of some contact between the machines, often through
    email. Whaling is phishing for “big fish,” such as very wealthy or influential people. Phishing
    gets its name from fishing for information.
53
Q
  1. You have instructed users on your network to not use common words for their passwords.
    What type of attack are you trying to prevent?
    A. Brute-force
    B. Dictionary attack
    C. Social engineering
    D. Shoulder surfing
A
  1. B. A dictionary attack uses a list of common words and previously leaked passwords,
    usually with simple variations such as a capital first letter or a digit appended, to try
    to find the user’s password. Dictionary attacks are automated, and several tools exist in
    the public domain to execute them. As an example of this type of attack, imagine guessing
    every word and word combination found in a standard English-language dictionary. The policy
    you have recommended also helps against shoulder surfing, because a glance at the keyboard
    is enough to recognize a common word but not a random string. A brute-force attack instead
    tries every possible combination of characters systematically; it is slower than a
    dictionary attack but eventually finds any password short enough. Social engineering is
    using kindness, coercion, or fear to get you to give up privileged information such as
    your password.
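The attack the card describes, run offline against a stored password hash, beside the check a password policy can run before accepting a password. This is an added example, not code from the flashcards: the wordlist, salt and mangling rules are constructed for the demonstration (real wordlists have millions of entries and tools like hashcat apply far more rules), and PBKDF2 stands in for whatever hash the target system uses.

```python
"""Dictionary attack against a salted hash, and the policy check that stops it.

Added example (not from the flashcards). Everything here is constructed:
the wordlist, the salt, the demo password and the iteration count.
"""
import hashlib
from typing import Iterable, Iterator, Optional

# Constructed wordlist; a real one is built from leaked password dumps.
WORDLIST = ["password", "welcome", "dragon", "letmein", "sunshine", "monkey", "football"]

# Kept low so the demo runs in a couple of seconds; real deployments use far more.
ITERATIONS = 50_000
DEMO_SALT = bytes.fromhex("a3f1c0de0badf00d1234567890abcdef")


def mangle(word: str) -> Iterator[str]:
    """The cheap variations attackers try first ('rules' in cracking tools)."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "123"
    yield word + "!"
    yield word.capitalize() + "1"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the kind of hash a stolen database holds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def dictionary_attack(stored_hash: bytes, salt: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Hash every candidate with the victim's salt and compare. The salt does
    not stop this; it only forces the attacker to redo the work per account.
    Returns the recovered password, or None once the wordlist is exhausted."""
    for word in wordlist:
        for candidate in mangle(word):
            if hash_password(candidate, salt) == stored_hash:
                return candidate
    return None


def violates_policy(password: str, wordlist: Iterable[str]) -> bool:
    """The card's rule, generalised slightly: reject a password that is a
    common word, or a common word with a trailing digit/punctuation suffix."""
    words = {w.lower() for w in wordlist}
    lowered = password.lower()
    core = lowered.rstrip("0123456789!@#$%^&*")
    return lowered in words or core in words


# Constructed victim record: the user chose "Dragon1", which the policy would reject.
STORED_HASH = hash_password("Dragon1", DEMO_SALT)

if __name__ == "__main__":
    print("policy rejects 'Dragon1':", violates_policy("Dragon1", WORDLIST))
    print("recovered:", dictionary_attack(STORED_HASH, DEMO_SALT, WORDLIST))
    strong = hash_password("correct horse battery staple", DEMO_SALT)
    print("recovered strong passphrase:", dictionary_attack(strong, DEMO_SALT, WORDLIST))
```

The whole wordlist with its variants is only 42 guesses, and the weak password falls within the first twenty; the passphrase survives not because of the salt or the hash but because it is in no list. That is the point of the policy: an offline attacker has unlimited attempts, so the only defense is a password nobody would put in a wordlist.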
54
Q
  1. You have been asked to dispose of several old magnetic hard drives. What are you doing if
    you use a large magnet to clear the data off a hard drive?
    A. Overwriting
    B. Zero writing
    C. Degaussing
    D. Incineration
A
  1. C. A large electromagnet can be used to destroy any magnetic media, such as a hard drive
    or backup tape set. The most common of these is the degaussing tool. Degaussing applies a
    strong magnetic field that scrambles the magnetic domains holding the data, which also
    wipes the drive’s servo tracks, so the drive is unusable afterward. Note that degaussing
    does nothing to solid-state drives or flash media, which store data electrically rather
    than magnetically; those need a built-in secure erase command or physical destruction.
    This process helps ensure that information doesn’t fall into the wrong hands. Overwriting
    and zero writing use software to write random binary (or all zeros) over every sector of a
    magnetic hard drive; older guidance called for several passes, but current guidance (NIST
    SP 800-88) treats a single verified pass as sufficient for modern drives. Incineration
    means simply burning the drive.
55
Q
  1. You’re setting up a Windows 11 Pro machine and want to encrypt the entire hard drive,
    including startup files. Which technology best meets your needs?
    A. Windows OSs do not allow full-drive encryption.
    B. BitLocker
    C. BitLocker to Go
    D. EFS
A
  1. B. BitLocker Drive Encryption allows you to use drive encryption to protect files, including
    those needed for startup and logon. This is available only with Windows Pro and higher editions. For removable drives, BitLocker To Go provides the same encryption technology to
    help prevent unauthorized access to the files stored on them. EFS (Encrypting File System)
    encrypts individual files and folders (including whole folder trees) on an NTFS volume, but
    it cannot encrypt the system files needed to boot, so it is not full-drive encryption.
56
Q
  1. A computer user wants to encrypt a few files on an NTFS volume on their Windows Pro
    workstation. They do not have administrative rights to the computer. Which of the following
    statements is correct?
    A. They can only use device encryption.
    B. They can use BitLocker.
    C. They can use BitLocker To Go.
    D. They can use EFS.
A
  1. D. Encrypting File System (EFS) is available in most editions of Windows, and it allows for
    encryption/decryption of files stored in NTFS volumes. All users can use EFS, whereas only
    administrators can turn on BitLocker. It does not require any special hardware, while BitLocker benefits from having the Trusted Platform Module (TPM). As an additional distinction, EFS can encrypt just one file, if so desired, while BitLocker encrypts the whole volume
    and whatever is stored on it.
56
Q
  1. Which type of security threat gains administrative-level access for an attacker to perform
    another attack, and then hides its presence from system management tools?
    A. Virus
    B. Whaling
    C. Rootkit
    D. Ransomware
A
  1. C. Rootkits are software programs that can hide certain things from the operating system;
    they do so by obtaining (and retaining) administrative-level access. With a rootkit, there may
    be several processes running on a system that don’t show in Task Manager, or connections
    that don’t appear in a netstat display may be established or available—the rootkit masks
    the presence of these items. Rootkits are known for being particularly difficult to eradicate.
    A virus is spread from computer to computer because of some contact between the machines,
    often through email. Whaling is phishing for “big fish,” such as very wealthy or influential
    people. Phishing gets its name from fishing for information. Ransomware holds a machine or
    network hostage, making it and its data inaccessible, until a ransom is paid.
57
Q
  1. Which type of digital security is designed to protect your network from malicious software
    programs by both preventing them from entering the system and removing them if they
    are found?
    A. Firewall
    B. Anti-malware
    C. EFS
    D. UAC
A
  1. B. Anti-malware software will help protect computers from malicious programs. Typically,
    anti-malware does everything that antivirus software does as well as identify threats beyond
    just viruses. In fact, viruses are a type of malware. A lot of anti-malware software is marketed
    as antivirus software. A firewall is a hardware or software device designed to prevent certain
    types of traffic from entering or leaving a network. EFS (Encrypting File System) allows
    a user to encrypt individual volumes, files, or folders, and UAC (User Account Control) is
    designed to prevent users from making changes that they are not authorized to make.
58
Q
  1. Your company has hired a consultant to intentionally send emails asking for login
    information from your employees. What is your company engaging in?
    A. Phishing
    B. Whaling
    C. Zero-day attack
    D. Anti-phishing training
A
  1. D. Educating users to recognize phishing is one of the most important steps in preventing
    attackers from acquiring login credentials. One way to do this is to hire a consulting company
    to send simulated phishing emails and see which employees respond when they should not and
    need additional training. Phishing is usually done through email and is an attempt to “fish”
    for information, such as logon credentials, from an authorized network user. Whaling is
    phishing for high-profile or wealthy targets. A zero-day attack is one that exploits a
    vulnerability before a patch is available, so there has been no time to rectify it.
59
Q
  1. On a Windows workstation, there is one volume formatted with NTFS. The Developers
    group has Modify access to the C:\dev directory. You copy the folder to the C:\
    operations folder, to which the Developers group has Read access. What level of permissions will the Developers group have to the new C:\operations\dev directory?
    A. Read & Execute
    B. Read
    C. Full Control
    D. Modify
A
  1. B. When a file or folder is copied on an NTFS volume, the new file or folder inherits its
    NTFS permissions from its new parent folder; the old permissions are discarded. When a file
    or folder is moved within the same NTFS volume, its original permissions are retained at the
    new location. A move to a different volume is really a copy followed by a delete, so in that
    case the object inherits the destination’s permissions just as a copy would.
60
Q
  1. You are configuring NTFS and share permissions on a Windows 11 workstation. Which of
    the following statements is true regarding permissions?
    A. Both NTFS and share permissions can be applied only at the folder level.
    B. NTFS permissions can be applied at the file or folder level, and share permissions can
    only be applied at the folder level.
    C. NTFS permissions can be applied only at the folder level, but share permissions can be
    applied to files and folders
    D. Both NTFS and share permissions support inheritance.
A
  1. B. Only NTFS permissions can be applied to individual files. Both NTFS and share permissions can be applied to volumes and folders. Share permissions are only effective when
    the resource is accessed via a network. NTFS permissions are effective whether the person
    accesses the resource locally or via a network. NTFS permissions are inherited from a parent
    folder. Share permissions do not have inheritance.
61
Q
  1. You recently noticed a change on your computer. Now when you open your web browser, no
    matter what you search for, you get a dozen unsolicited pop-up windows offering to sell you
    items you didn’t ask for. What type of problem does your computer have?
    A. Spyware
    B. Ransomware
    C. Zombie/botnet
    D. Trojan
A
  1. A. Spyware differs from other malware in that it works—often actively—on behalf of a third
    party. Rather than self-replicating, like viruses and worms, spyware is spread to machines
    by users who inadvertently ask for it. The users often don’t know they have asked for it but
    have done so by downloading other programs, visiting infected sites, and so on. The spyware
    program monitors the user’s activity and responds by offering unsolicited pop-up advertisements (sometimes known as adware), gathers information about the user to pass on to marketers, or intercepts personal data such as credit card numbers. Ransomware is software that
    takes over a computer and won’t allow access to the data until a ransom is paid. Zombies
    are computers that have been taken over by another party and are used to perform malicious
    acts. When there are many zombies acting together, they form a botnet. The computer user
    is generally unaware of the presence of the attacker. A Trojan is software that is downloaded
    when the user downloads an innocent-looking software program or digital image. Once
    downloaded, the Trojan loads into the computer system.
62
Q
  1. A computer user wants to encrypt the data on their Windows 10 Home device. They have
    administrative rights to the computer. Which of the following statements is correct?
    A. They may be able to use Windows device encryption.
    B. They can use BitLocker.
    C. They can use BitLocker To Go.
    D. They can use EFS.
A
  1. A. Encrypting File System (EFS) allows for encryption/decryption of individual volumes,
    files, and folders stored in NTFS volumes, whereas BitLocker encrypts entire drives, but
    neither of them is available in Home editions of Windows. If there is supporting hardware
    (Trusted Platform Module [TPM] enabled in BIOS/UEFI and Secure Boot enabled), then
    device encryption can be used instead. With device encryption, only someone with authorization to use the device will be able to decrypt it. You must be logged in as an administrator to turn on device encryption; go to Start, choose Settings, then select Update & Security, and
    then select Device Encryption. If the option isn’t there, then device encryption isn’t available on the device. You can also see if the hardware supports it by launching the System
    Information utility as an administrator, then scrolling down to Device Encryption Support.
63
Q
  1. Which of the following statements are true regarding file and folder attributes on a Windows
    11 workstation? (Choose two.)
    A. File attributes are available only on NTFS volumes.
    B. Only members of the Administrators group can change file/folder attributes.
    C. Attributes can be accessed by right-clicking the file/folder and choosing Properties and
    then selecting the General tab.
    D. Compression is an advanced file/folder attribute.
A
  1. C, D. File attributes are accessed in the same manner whether you are using Windows 10 or
    Windows 11. In the GUI, attributes are accessed by right-clicking the object and choosing
    Properties and then selecting the General tab. For some attributes, such as compression and
    encryption, you need to click Advanced in the Attributes section of the General tab. Compression uses algorithms to remove repeated characters and excess spaces, making files take
    up less space. The user does not need to be an administrator to change attributes. In addition
    to right-clicking the object, attributes can be changed using the attrib command.
64
Q
  1. Which type of digital security needs to have constant updates to best protect your network
    or computer?
    A. Antivirus
    B. Firewall
    C. Access control list
    D. NTFS permissions
A
  1. A. Antivirus software needs continual updates of virus signatures as new viruses are
    unleashed daily. The updates are known as definition files and ensure that the antivirus
    engine will recognize new viruses. Firewalls can be software or hardware and are designed
    to block or allow network traffic based on certain criteria. Once established, settings are not
    often changed. ACLs (access control lists) are tied to objects in a system and are compared
    to an authenticated user’s information to determine whether to grant access. These too are
    seldom changed once they are configured. NTFS permissions are part of what creates ACLs.
    NTFS permissions for an object are granted to a user and can include Full Control, Modify,
    Read & Execute, List Folder Contents, Read, and Write. Share permissions also affect access
    to a resource but only when a user accesses it via a network.
65
Q
  1. A user is working on a Windows workstation. Their user account is a member of the Managers group, and they are trying to access a folder named reports, located on a different
    computer. The NTFS permissions for the reports shared folder on that computer for the Managers group are Read and Write. The folder’s share permission for the Managers group is
    Read permission. What are the user’s effective permissions on the reports folder?
    A. Full Control
    B. Read and Write
    C. Read
    D. No access
A
  1. C. Because the user is accessing the NTFS-based resource over the network, both NTFS
    and share permissions are applied. If there is a difference between the two of them, the most
    restrictive permissions are used. Therefore, the user has Read access only.
66
Q
  1. You are at work and receive a phone call. The caller ID indicates it’s coming from your manager’s desk. You can see your manager’s desk and no one is sitting there. Which of the following is likely happening?
    A. Zombie/botnet attack
    B. Impersonation attack
    C. Zero-day attack
    D. Phishing attack
A
  1. B. Impersonation is an attempt by someone or something to masquerade as someone else.
    You might think of impersonation attacks as affecting network systems, but they can affect
    phone systems as well. A zombie is a computer system that a hacker has a back door into and
    can use to perpetrate attacks, unknown to the computer system’s legitimate user. A botnet is a
    system of zombie computers engaged in an orchestrated attack on a target. A zero-day attack
    occurs when a vulnerability is used to attack a system on the very day that the vulnerability
    is discovered, before preventive measures to block the vulnerability have been able to be created. In a phishing attack, the attacker uses coercion or other means to attempt to gain passwords or other privileged information.
67
Q
  1. Which NTFS permission overrides all the others?
    A. Full Control
    B. Deny
    C. List Folder Contents
    D. Read
A
  1. B. Regardless of what other permissions may be granted, Deny will override all of them and
    the effective permission will be Deny.
68
Q
  1. A system administrator is concerned about Windows users inadvertently installing malware
    from DVD-ROMs and USB thumb drives that contain malicious code. What can they do to
    help prevent this from happening?
    A. Set restrictive user permissions.
    B. Enable BIOS/UEFI passwords.
    C. Disable AutoRun and AutoPlay.
    D. Enable data encryption.
A
  1. C. Disabling AutoRun and AutoPlay is the right choice on computers connected to the network. (It is never a good idea to put any media in a workstation if you don’t know where it
    came from or what it is.) The simple reason is that the media (CD, DVD, USB, SD) could
    contain malware. Compounding matters, the malware could be referenced in the
    autorun.inf file, causing it to be summoned when the media is inserted in the machine and
    requiring no other action. User permissions are not effective on optical drives whose content
    changes all the time. A BIOS/UEFI password would prevent the computer from being booted,
    and enabling data encryption can’t be done on media that is subject to change.
69
Q
  1. Someone has placed an unauthorized wireless router on your network and configured it
    with the same SSID as your network. Users can access the network through that router, even
    though it’s not supposed to be there. What is this router configuration known as?
    A. Zombie/botnet
    B. Evil twin
    C. Non-compliant system
    D. On-path attack
A
  1. B. An unauthorized router with a seemingly legitimate configuration is specifically known
    as an evil twin. Those can lead to on-path attacks, which involve clandestinely placing
    something (such as a piece of software or a rogue router) between a server and the user, and
    neither the server’s administrator nor the user is aware of it. The on-path attacker intercepts
    data and then sends the information to the server as if nothing is wrong. The on-path attacker’s software may be recording information for someone to view later, altering it, or in some
    other way compromising the security of your system and session. A zombie is a computer
    system that a hacker has a back door into and can use to perpetrate attacks, unknown to the
    computer system’s legitimate user. A botnet is a system of zombie computers engaged in an
    orchestrated attack on a target. A noncompliant system is one that is not updated or not following company protocols regarding security.
70
Q
  1. Which of the following is an open source authentication encryption protocol that is widely
    used and that uses a third party to verify user credentials?
    A. AES
    B. TACACS+
    C. Kerberos
    D. RADIUS
A
  1. C. Kerberos was developed and named by computer scientists at MIT. It is an open source
    authentication protocol that uses a third party to verify user credentials and symmetric key
    cryptography to encode transmissions between parties. TACACS+ is an authentication protocol developed by Cisco that is now an open standard. RADIUS (Remote Authentication
    Dial-In User Service) is an authentication protocol that was originally used for dial-in access.
    It has morphed into a protocol used for authenticating remote, Wi-Fi, or on-premises users.
    AES (Advanced Encryption Standard), which is for wireless encryption and not authentication, has been around since 2001 and is the successor to TKIP (Temporal Key Integrity
    Protocol).
71
Q
  1. Which of the following devices, often found in smartphones and other mobile devices, is
    used to pinpoint a person’s location on Earth, and therefore can be used for multifactor
    authentication?
    A. Magnetometer
    B. Retina scanner
    C. Key fob
    D. Hard token
A
  1. A. A magnetometer measures magnetic fields and can be used to locate a person’s position
    on Earth. As a part of multifactor authentication, that location is compared to an allow or
    block list, and if the device to be accessed is in an allowed location, access may be granted. A
    retina scanner is a biometric device that scans a person’s eye to determine if access should be
    granted. A key fob will generate a code that changes every few seconds. A key fob is a type of
    hard token used for authentication.
71
Q
  1. Which of the following is an example of a hard token? (Choose two.)
    A. Key fob
    B. Retina scanner
    C. Smartcard
    D. Motion sensor
A
  1. A, C. Both smartcards and key fobs are hard tokens. Hard tokens are physical security
    devices that can be carried about by the user. A smartcard has a chip whose data can be
    accessed by a reader to allow a user access to a secure area or computer system. A key fob
    generates a random number every few seconds that can be entered into a system as part of
    multifactor authentication. Retina scanners are biometric devices, because they use part of
    your body as authentication/identification, and while motion sensors are a part of physical
    security, they’re generally used in conjunction with alarm systems.
71
Q
  1. Your company allows employees to use their own devices, and as the IT director, you are
    naturally concerned with the security of corporate information on those devices. Which technology should you require in this situation?
    A. EFS
    B. MDM
    C. SSO
    D. UAC
A
  1. B. MDM (mobile device management) is a software technology that allows an IT department
    to retain control over corporate data while allowing users to use their personal devices.
    BYOD (Bring Your Own Device) can save companies money on hardware but presents a
    security risk. Using MDM, an IT administrator can restrict the type of data and applications
    that are used with company information. They can also wipe all corporate information off
    a device that is lost or stolen, or if an employee leaves the company. EFS (Encrypting File
    System) is used to encrypt files and folders in Windows OSs, excluding Home editions. The
    purpose of single sign-on (SSO) is to give users access to all the applications and systems that
    they need when they log on. Some of the systems may require users to enter their credentials again, but the username and password will be consistent between systems. UAC (User
    Account Control) verifies that someone has the authority to change a system before making
    any changes by requiring them to enter an administrator password for certain operations.
72
Q
  1. Which of the following is not a logical security method of delivering a code for multifactor
    authentication?
    A. Voice call
    B. Email
    C. Bollards
    D. SMS
A
  1. C. Bollards are a method of physical security that can be used to keep vehicles out of a
    particular area. Voice calls, email, and SMS (short message service) can all be used to deliver
    a one-time code for multifactor authentication.
73
Q
  1. Which of the following is not a physical security measure for protecting computer systems
    and access to them?
    A. Lighting
    B. Equipment locks
    C. Motion sensors
    D. Soft token
A
  1. D. A soft token is a logical, rather than a physical, security measure. An example of a soft
    token would be an authenticator app on your cell phone used to generate a code to access
    a website. Proper lighting can often deter would-be attackers, as can equipment and door
    locks, and motion sensors that trigger alarms.
74
Q
  1. Which of the following is not a biometric identification device?
    A. Fingerprint reader
    B. Retina scanner
    C. Hard token
    D. Palmprint scanner
A
  1. C. A hard token is a security device that a computer user has in their possession, such as a
    key fob or smartcard. Biometric devices are those that use a part of your body to identify you
    and either deny or allow access to a system based on your identity.
75
Q
  1. A user is worried about others shoulder surfing. What should they use to help avoid
    this problem?
    A. Access control vestibule
    B. Video surveillance
    C. Display privacy filter
    D. Smartcard
A
  1. C. To prevent shoulder surfing, a user could install a display privacy filter. Privacy filters are
    either film or glass add-ons that are placed over a monitor or laptop screen to prevent the
    data on the screen from being readable when viewed from the sides. Only the user sitting
    directly in front of the screen can read the data. In shoulder surfing, a potential attacker is literally looking over someone’s shoulder to try to read what is on their screen. An access control vestibule is an area between two doors that helps to prevent tailgating. Video surveillance
    occurs when there are security cameras watching a secure area and a person observing the
    output of those cameras. Smartcards are devices that a user can carry that will authenticate
    them to a system as a part of multifactor login.
76
Q
  1. Which type of malware will often cause critical files to disappear, often while displaying a
    taunting message, and requires user intervention (usually inadvertent) to spread from computer to computer?
    A. Botnet
    B. Virus
    C. Trojan
    D. Rootkit
A
  1. B. Many viruses will announce that you’re infected as soon as they gain access to your
    system. They may take control of your system and flash annoying messages on your screen
    or destroy your hard disk. When this occurs, you’ll know that you’re a victim. Other
    viruses will cause your system to slow down, cause files to disappear from your computer,
    or take over your disk space. Many viruses today are spread using email. The infected
    system attaches a file to any email that you send to another user. The recipient opens this
    file, thinking it’s something that you legitimately sent them. When they open the file, the
    virus infects the target system. A botnet is a group of computers that are used to perpetrate
    an attack without the knowledge of the authorized user of that computer. The computer is
    called a zombie and is controlled by some third-party attacker. A Trojan is malicious software that hides in that fun game or screen saver that you just downloaded, and it installs
    when you install the innocent-looking files. A rootkit is malware that gains access to a
    system as administrator, giving it full control over a system. Rootkits are adept at hiding
    their presence and so are difficult to eradicate.
77
Q
  1. A computer user in the accounting department received a phone call from someone who
    claimed to be from the company’s bank. They had a partial account number and needed
    the user to verify the full account number, their username, and password before they could
    discuss the reason for their call with the user. The user said they would call them back,
    and the caller on the other end hung up abruptly. They contacted you in the IT department
    because it seemed like such a strange call. What kind of attempted attack will you tell them
    just happened?
    A. Phishing
    B. Vishing
    C. Whaling
    D. Evil twin
A
  1. B. Vishing, phishing, and whaling are variations of the same type of attack. In all of these,
    someone attempts to gain usernames and passwords or other information by intimidation,
    coercion, or other means. Then they’ll use that information to attack your company’s systems. They’re all plays on words for fishing. The attacker is casting a line and hoping you
    will bite on it. Vishing is using voice calls, phishing uses email, and whaling is phishing for
    powerful or wealthy fish (people). An evil twin attack happens when someone plugs an
    unauthorized WAP (wireless access point) into your network and gives it the same SSID
    (service set identifier) that your valid network has.
78
Q
  1. Your company allows employees to use their personal devices for company work, because it
    will save the company money on hardware. What is this called?
    A. BYOD
    B. MDM
    C. SSO
    D. UAC
A
  1. A. Bring Your Own Device (BYOD) can save companies money on hardware and make
    users happy, but BYOD presents a security risk. Mobile device management (MDM) is a
    software technology that allows an IT department to retain control over corporate data
    while allowing users to use their personal devices. Using MDM, an IT administrator can
    restrict the type of data and applications that are used with company information. They
    can also wipe all corporate information off a device that is lost or stolen, or if an employee
    leaves the company. The purpose of single sign-on (SSO) is to give users access to all the
    applications and systems that they need when they log on. Some of the systems may require
    users to enter their credentials again, but the username and password will be consistent
    between systems. User Account Control (UAC) verifies that someone has the authority to
    change a system before making any changes by requiring them to enter an administrator
    password for certain operations.
79
Q
  1. Why is an EOL OS a security threat?
    A. There will be no more security updates.
    B. There will be no more feature updates.
    C. There will be no more company support.
    D. The software will stop working on the EOL date.
A
  1. A. When an operating system is at end of life (EOL), it means that the company will no
    longer be supporting the software. That might not be a problem if you’re an expert with
    the software and it meets your needs. The security problem arises because an EOL software
    will no longer receive security updates, making your network vulnerable to attack. The
    operating system won’t magically stop working on the EOL date, and while you won’t get
    any new features, that isn’t a threat to security.
80
Q
  1. Which of the following is not a type of malware that needs to be eradicated from a computer system?
    A. Keylogger
    B. Virus
    C. WinRE
    D. Spyware
A
  1. C. Keyloggers, viruses, and spyware are all types of malware, although anti-malware and
    antivirus are often used interchangeably. Windows Recovery Environment (WinRE) is a
    tool used to repair problems with the operating system (OS). In addition to other tools such
    as startup repair and refreshing the OS, it provides access to a command prompt utility that
    can be used to correct problems without booting into the Windows operating system.
81
Q
  1. What type of malware is dangerous because it is loaded during system startup before the
    antivirus software is able to load?
    A. Spyware
    B. Ransomware
    C. Boot sector virus
    D. Keylogger
A
  1. C. When a virus infects the boot sector, Master Boot Record (MBR), or partition table of
    a hard drive, it is called a boot sector virus. Boot sector viruses load before the operating
    system and security software can load. They may delete or modify files needed to boot
    the system, or the system may show no signs of being infected until an antivirus program
    is run. Removing the boot sector virus from a system may require booting to a different OS or drive. Spyware is designed to watch what you do and where you go, hoping to gain
    information such as logins, passwords, and bank account numbers. Ransomware locks a
    system in some way or encrypts data and won’t allow access until the system’s owner pays
    a ransom. A keylogger is malware that records every keystroke and reports it back to a
    third party. This information might include user IDs and passwords, or even bank account
    numbers and login information.
82
Q
  1. You believe your computer has contracted a boot sector virus. Which command-line
    tool permits someone to make changes to the operating system without having to boot
    up Windows?
    A. WinRE
    B. RADIUS
    C. Administrative tools
    D. Active Directory
A
  1. A. The Windows Recovery Environment (WinRE) in Windows 10/11 provides a command-line tool (among other tools) that allows the administrator the ability to copy or remove
    directories, enable or disable services, write a new Master Boot Record (MBR), format
    volumes, and much more. If you have a virus that has infected the boot sector of the hard
    drive, the only way to access the system before the boot sector virus loads is to boot to
    another drive, either a DVD or a USB that contains either the Windows installation media
    or an antivirus. Using the installation media is one way to enter the WinRE. Typically the
    system will automatically enter the WinRE if booting into Windows has failed three times
    in a row. You can force this to happen by turning the power off as soon as Windows starts
    to load, and repeating that until the system boots into WinRE. From the recovery environment main screen, choose Troubleshoot ➢ Advanced Options ➢ Command Prompt to get to
    the command prompt. Here you can enter commands or run antivirus software to remove
    a boot sector virus on the other hard drive. RADIUS is an authentication encryption protocol. Administrative Tools can be found in Control Panel of Windows 10 and is a collection of commonly used tools. Administrative Tools is not available in Windows 11. Active
    Directory is the database and software used to control and manage a Windows domain.
83
Q
  1. Your web server just crashed because there was a flood of responses to a packet that looks
    like it was from your server but your server didn’t send it. What just happened?
    A. Whaling attack
    B. Denial-of-service attack
    C. Distributed DoS attack
    D. Evil twin attack
A
  1. B. This is a type of denial-of-service (DoS) attack. Someone spoofs your IP address (making it look like you) and sends out requests all at once to multiple hosts who respond to
    your IP address. Your server is flooded with those responses and crashes. It’s called a DoS
    attack because users who want to use the server for legitimate purposes such as placing an
    order are unable to due to all the malicious traffic. Whaling is using phishing to go after
    a big target. Distributed denial-of-service (DDoS) attacks happen when many computers
    are used, as in a botnet. An evil twin attack happens when someone plugs an unauthorized
    wireless access point (WAP) into your network and gives it the same service set identifier
    (SSID) that your valid network has.
83
Q
  1. You’re reviewing the Event Viewer logs and notice repeated failed attempts to access the
    corporate bank account information. The attempts are coming from someone with a
    company login, and in fact, you are able to catch the person, an employee hired only a
    month ago, in the act. What type of attack is this?
    A. Insider threat
    B. Evil twin
    C. Whaling
    D. Social engineering
A
  1. A. When someone who is an authorized user on your system attempts to gain access to
    something they should not or attempts a malicious act on your computer system, an insider
    threat has occurred. An evil twin is when an unauthorized wireless access point (WAP)
    appears on your network, using your service set identifier (SSID) and users are able to connect to the network using the unauthorized access point. Whaling is going after a big target
    using vishing or phishing. Social engineering is an attempt to acquire information about
    your network and system by social means, such as talking to people in the organization,
    shoulder surfing, tailgating, or other methods.
84
Q
  1. A computer user on your network is trying to access a folder named Projects on a local
    NTFS volume. Their user account is in the Developers group. The Developers group has
    Read & Execute permissions to the folder, and the user’s user account has Full Control.
    What is the user’s effective access to the Projects folder?
    A. Full Control
    B. Read & Execute
    C. Read
    D. No access
A
  1. A. In this case, the user has Full Control. When there are conflicting NTFS permissions,
    generally they are combined and the most liberal is granted. This holds true for conflicting
    permissions between groups or between a user’s account and group memberships. The
    exception is Deny, which overrides all other permissions.
85
Q
  1. You’ve discovered that a system on your network has had its firewall turned off and antivirus disabled. What type of vulnerability does this present?
    A. Zero-day attack
    B. SQL injection
    C. Unprotected system
    D. Cross-site scripting
A
  1. C. This system is vulnerable to attack because it is unprotected. The remedy is to turn on
    the system’s software firewall and antivirus protection. Zero-day attacks happen the same
    day a vulnerability is discovered and attackers are able to evade antivirus programs because
    the antivirus companies have not had the time to respond to the vulnerability yet. A Structured Query Language (SQL) injection occurs when an attacker puts code into a database
    instead of data and the code is executed, giving the attacker access to the data in the database. Cross-site scripting (XSS) is similar to a SQL injection, except it uses a website and
    Hypertext Markup Language (HTML) or JavaScript instead of a database. Code is injected
    into the website and used to gather data from legitimate-website users because their systems don’t see the normally trusted website as a threat.
86
Q
  1. What Active Directory security measure moves a user’s data to a server and off the local
    drive so that if a laptop is lost or stolen and someone gains access to it, they won’t have
    access to information in the user’s data files?
    A. Home folder
    B. Security group
    C. Organizational unit
    D. Login script
A
  1. A. Using a home folder on an Active Directory server to store the user’s files adds a level of
    security because the user’s data is not on the local drive and is less subject to being stolen.
    A security group is used to grant permissions to a shared resource. Organizational units are
    groupings that can include people, computers, and resources. Group Policies can be applied
    to organizational units, ensuring that all computers and users in that group are given the
    proper access to resources. A login script is used to automate activities when a user or computer logs into a domain.
87
Q
  1. You notice that your computer seems to be working more than the normal updating that
    it does when you’re not actively using it. It also seems to be running more slowly than
    normal. What type of malware, instead of stealing your data, uses your computing power?
    A. Spyware
    B. Ransomware
    C. Keyloggers
    D. Cryptominers
A
  1. D. Cryptominers are malware that want to use your computing power rather than steal
    your data. You may notice that the computer is performing more slowly than usual. Spyware is designed to watch what you do and where you go, hoping to gain information such
    as logins, passwords, and bank account numbers. Ransomware locks a system in some way
    or encrypts data and won’t allow access until the system’s owner pays a ransom. A keylogger is malware that records every keystroke and reports it back to a third party.
88
Q
  1. Which of the following is not important in preventing malware from damaging your computer system?
    A. User education regarding common threats
    B. Installing a keylogger
    C. Keeping anti-malware signatures up-to-date
    D. Keeping operating systems and applications patches up-to-date
A
  1. B. Installing a keylogger would be installing malware, and exactly the opposite of what
    you need to do to keep a system safe. Educating users about the types of malware,
    including recognizing them, avoiding them, and what to do with suspicious emails, phone
    calls, and so on, is one of the best things you can do to protect a system. Keeping antivirus/anti-malware software up-to-date so that new malware can be detected and keeping
    operating systems and applications up-to-date to patch vulnerabilities are key to keeping
    malware out.
89
Q
  1. A user on your network wants to install an interesting browser extension that they found
    on a download site neither you nor they have used before. They got a warning before going
    to the site but clicked an option to continue. What type of website is this?
    A. Spoofed
    B. Trusted source
    C. Untrusted source
    D. Certified
A
  1. C. This is an untrusted source. Not only have you never used it before, but there is a
    problem with the website’s certificate that caused the warning message the user received.
    There is no evidence that it is a spoofed site, and clearly it does not have a valid digital certificate. Digital certificates are issued by certificate authorities who confirm that a website,
    person, or company is who they say they are.
90
Q
  1. As the IT person in a small firm using Windows operating systems, you would like a
    window to pop up whenever apps try to make changes to a system and when the user
    makes changes to the system so that an administrator password will be required to be
    entered. What utility will you use to configure that setting?
    A. UAC
    B. Windows Defender Firewall
    C. Facial recognition
    D. Personalization
A
  1. A. User Account Control (UAC) settings are where you can change when the operating
    system requests an administrator password before making changes to the system. The
    options range from Always Notify to Never Notify, with Notify Me Only If Apps Try To
    Make Changes To My Computer the default. UAC can be found in Windows 11 by going to Control Panel and selecting System and Security, then Security and Maintenance, and
    finally Change User Account Control Settings, and in Windows 10 by going to Control
    Panel, clicking Security and Maintenance, and clicking Change User Account Control Settings. In either version of Windows, it’s easier to simply search for UAC. Windows Defender
    Firewall is a software firewall included in Windows operating systems. Facial recognition is
    a logon option, and Personalization in Settings allows you to change items such as themes,
    colors, and backgrounds.
91
Q
  1. A friend is considering purchasing an antivirus program. You let them know that there is
    one included with the Windows operating system. What settings should they look for in
    Windows Settings?
    A. Windows Defender Firewall
    B. Virus & threat protection
    C. Windows Update
    D. Device Security
A
  1. B. In both Windows 10 and 11, a quick search for Virus & threat protection will bring you
    to the Windows Settings for that feature. Windows Defender Firewall is a built-in firewall
    found in Control Panel. Windows Update, which is in the Settings app, is for keeping the
    operating system files patched. Device Security is also found in the Settings app and has settings and information for the security features of your computer, such as the TPM (Trusted
    Platform Module) chip.
92
Q
  1. Your company’s website has been a victim of a botnet attack, causing your server to crash.
    What type of attack did the botnet attack cause?
    A. Brute-force
    B. Zero-day
    C. Distributed denial of service
    D. Non-compliant system
A
  1. C. A DDoS (distributed denial-of-service) attack is caused by a botnet attack. It is a denial
    of service because legitimate users are unable to access resources. The distributed part of
    the name comes from the fact that there was traffic from many infected computers (zombies) in different locations attacking your server at the same time, known as a botnet. Bots,
    by themselves, are but a form of software that runs automatically and autonomously and
    are not harmful. Botnet, however, has come to be the word used to describe malicious
    software running on a zombie and under the control of a bot-herder. Denial-of-service
    attacks—DoS and DDoS—can be launched by botnets, as can many forms of adware, spyware, and spam (via spambots). A brute-force attack uses software to repeatedly try to discover a password. Zero-day attacks happen the same day a vulnerability is discovered and
    are able to evade antivirus programs because the antivirus companies have not had the time
    to respond to the vulnerability yet. A noncompliant system is one that is not updated or
    complying with corporate security policies.
93
Q
  1. What type of attack is like a SQL injection, except that it uses a website and HTML or
    JavaScript instead of a database, where malicious code is injected into the website (which
    is normally trusted by the user), and then used to gather data from the website user’s computer because their systems don’t see the normally trusted website as a threat?
    A. Zero-day attack
    B. SQL injection
    C. Unprotected system
    D. Cross-site scripting
A
  1. D. Cross-site scripting (XSS) is similar to a SQL injection, except that it uses a website and
    Hypertext Markup Language (HTML) or JavaScript instead of a database. Code is injected
    into the website and used to gather data from legitimate-website users because their systems don’t see the normally trusted website as a threat. Zero-day attacks happen the same
    day a vulnerability is discovered and are able to evade antivirus programs because the
    antivirus companies have not had the time to respond to the vulnerability yet. A Structured
    Query Language (SQL) injection occurs when an attacker puts code into a database instead
    of data and the code is executed, giving the attacker access to the data in the database. An
    unprotected system is one that lacks normal measures of security such as a software firewall on the system and antivirus/anti-malware.
94
Q
  1. Your company has different locations, each with its own management needs, but it wants a
    cohesive way to manage all the users, computers, and other resources on the network. What
    will you group those users, computers, and resources into that will provide a centralized
    point of control for each location?
    A. Active Directory
    B. Domain
    C. Security groups
    D. Home folders
A
  1. B. A domain is a grouping of resources, including people, computers, servers, printers, and
    so on, into a single centrally controlled unit. A domain is managed by Active Directory
    software. A best practice is to group the users into security groups and establish access to
    resources on the group level, which will then give that access to members of the group.
    Home folders provide a central place for users’ documents, each with their own home
    folder, which gets the documents off the local computer, consolidating security for those
    folders into one place.
95
Q
  1. What is the software used to control access to resources in a Windows domain?
    A. Home folder
    B. Security group
    C. Organizational unit
    D. Active Directory
A
  1. D. Active Directory is the name given to the software and large database that is used to
    manage resources on a Windows domain. Using a home folder on an Active Directory
    server to store the user’s files adds a level of security because the user’s data is not on the
    local drive and is less subject to being stolen. A security group is a grouping of computers
    or users that need the same access to resources. Permissions are granted to the security
    group and passed on to the members of the group. Organizational units are groupings that
    can include people, computers, and resources. Group Policies can be applied to organizational units, ensuring that all computers and users in that group are given the proper access
    to resources.
95
Q
  1. The company’s vice president just called you in the IT department because they received an
    email from you requesting their username and password. The VP didn’t respond because
    they thought you should know them already. What kind of attack was just attempted?
    A. Phishing
    B. Vishing
    C. Whaling
    D. Evil twin
A
  1. C. Whaling is an attack on a powerful or wealthy fish (person). Phishing uses email, and
    vishing is using voice calls to gain information. Vishing, phishing, and whaling are variations of the same type of attack. In all of these, someone attempts to gain usernames and
    passwords or other information by intimidation, coercion, or other means. Then they’ll use
    that information to attack your company’s systems. They’re all play-on-words for fishing.
    The attacker is casting a line and hoping you will bite. An evil twin attack happens when
    someone plugs an unauthorized wireless access point (WAP) into your network and gives it
    the same service set identifier (SSID) that your valid network has.
96
Q
  1. You’ve been reading about a recent malware that is causing problems for other companies
    and want to verify that the Windows built-in antivirus definitions are up-to-date. Where is
    this done?
    A. Virus & Threat Protection in the Settings app
    B. Virus & Threat Protection in Control Panel
    C. Windows Defender Firewall in the Settings app
    D. Windows Defender Firewall in Control Panel
A
  1. A. Virus & Threat Protection can be found in the Settings app. There you can see when the
    last update was done and run a system scan, among other options.
97
Q
  1. You are a junior IT administrator, and your supervisor has asked you to ensure that all
    workstations have the built-in Windows firewall activated. Where can you go to do that?
    (Choose two.)
    A. Firewall & Network Protection in the Settings app
    B. Firewall & Network Protection in Control Panel
    C. Windows Defender Firewall in the Settings app
    D. Windows Defender Firewall in Control Panel
A
  1. A, D. The Windows built-in firewall can be configured either in the Settings app using
    Firewall & Network Protection or in Windows Defender Firewall, which is found in Control Panel.
98
Q
  1. Your company has started using a new software in the cloud, but your users are finding
    that they can’t use the software. Their computers are running Windows 11. What can you
    do to ensure that the software can be used remotely by the employees? (Choose two.)
    A. Click Allow An App Through Firewall in the Firewall & Network Protection settings
    of the Settings app.
    B. Click Allow An App Through Firewall in the Virus & Threat Protection settings of the
    Settings app.
    C. Add a new rule in the Advanced settings of Windows Defender Firewall, which can be
    found in Control Panel.
    D. Add a new rule in Administrative Tools in Control Panel.
A
  1. A, C. The firewall can be configured to allow an application through (or block one)
    in both the Firewall & Network Protection settings of the Settings app or in Windows
    Defender Firewall’s Advanced settings in Control Panel. The Virus & Threat Protection settings are for configuring antivirus. Administrative Tools is found in Windows 10, not Windows 11, and it doesn’t have settings for the firewall, although it does contain a shortcut to
    the Windows Defender Firewall.
99
Q
  1. Your employees have all been trained on end-user best practices, including locking their
    laptop when they walk away from it. What can be done to ensure that each employee’s
    laptop and its data will remain with the company and not fall into someone else’s hands?
    (Choose two.)
    A. Use a cable lock to secure the laptop to the desk.
    B. Use MDM software to wipe the laptop remotely if stolen.
    C. Place the laptop in a desk drawer when the employee walks away.
    D. Ask a stranger to watch the laptop when they use the restroom at a coffee shop.
A
  1. A, B. A laptop cable lock uses a special slot on the side of the laptop and a very strong
    cable wrapped around something solid, like a desk leg, to secure the laptop to the work
    area. A key is used to free the laptop from the cable when you want to take it somewhere.
    Mobile device management (MDM) software can be used to wipe a laptop remotely if it is
    stolen. Placing a laptop in a desk drawer might get it out of sight, but it is still vulnerable,
    and you should never let a laptop out of your sight when you’re in a public place.
100
Q
  1. You’re setting up authentication for new users of Windows 10 and Windows 11 machines.
    Which of the following Windows logon methods requires specific hardware? (Choose two.)
    A. Username and password
    B. PIN
    C. Fingerprint
    D. Facial recognition
A
  1. C, D. Fingerprints and facial recognition are both biometric logins and require a fingerprint reader and camera, respectively. Many laptops come equipped with this hardware,
    but not all. Both could be added to a laptop or desktop that is missing the hardware by
    connecting them via a USB port. Username and password can also be used, as can a personal
    identification number (PIN); neither requires special hardware. Windows gives you the option to include letters and
    symbols in your PIN, or just numbers.
101
Q
  1. You’re setting up new users on your network and have let them know that they will need
    to change their user password the first time they log in and that it must meet complexity
    requirements. Which of the following is not true about password best practices?
    A. Password minimum length is eight characters.
    B. Longer passwords are better.
    C. At least one of each of these should be used: upper- and lowercase letters, numbers,
    and special characters.
    D. Passwords that are four characters long are okay if they are complex.
A
  1. D. Passwords should be a bare minimum of eight characters long, and complexity
    should be required using at least one upper- and one lowercase letter, number, and special
    character. If you must choose between a longer password or a more complex password,
    then longer is better.
102
Q
  1. You’ve just hired a new employee who will be working at a Windows workstation on your
    network. You’re helping the user understand what their password should be like. Which of
    the following are best practices for passwords? (Choose two.)
    A. Enforce password complexity.
    B. Passwords should be easy to guess in case you forget, like your dog’s name.
    C. Passwords expire after 45 days.
    D. Passwords expire after 180 days.
A
  1. A, C. Password complexity should be enforced. Passwords that are created by the user
    are better than randomly generated passwords because the user can remember them easily
    without having to write them down, but they should not be something that is easy for
    someone else to guess, like the dog’s name or someone’s birthday. Passwords should expire
    after a reasonable time, making it more difficult for someone to use a compromised password. One hundred and eighty days (6 months!) is too long a time between password
    expirations; 45–90 days would be more reasonable.
103
Q
  1. Your company has a Windows domain managed by a domain controller. Following best
    practices, what feature of the domain controller is used to apply permissions to users?
    A. Active Directory
    B. User accounts
    C. Security groups
    D. Home folders
A
  1. C. A domain is a grouping of resources including people, computers, servers, printers, and
    so on, into a single centrally controlled unit. A domain is managed by Active Directory software. A best practice is to group the users into security groups and assign permissions to
    the security groups. Members of the security group will have the access that was assigned
    to the group. Home folders provide a central place for the users’ documents, each with
    their own home folder on the server. This removes the documents from the local computer,
    consolidating security for those folders into one place.
104
Q
  1. You’re configuring password requirements such as length and expiration for several Windows 11 Pro workstations. What utility can you use on the workstation to configure the
    password requirements?
    A. Users Accounts in Control Panel
    B. Local Users and Groups
    C. Administrative Tools
    D. Local Security Policy
A
  1. D. Password policies such as history, password age, length, and complexity can be found
    in Local Security Policy ➢ Password Policy. User Accounts in Control Panel is for adding and managing users. You can set the password there, but not the password policies.
    Administrative Tools is available in Windows 10, but not Windows 11. Local Security
    Policy is in Pro editions of Windows 10 and 11 only, not Home editions.
105
Q
  1. A user of a computer that you administer on your Active Directory domain has forgotten
    their logon password. What can be done to get them back into the system?
    A. Reset the password on the local computer.
    B. Reset the password on the domain controller.
    C. Reinstall the OS and re-create their user.
    D. Make them a new account with a new username.
A
  1. B. One of the features of the domain controller and Active Directory is that there is a
    central place to control and manage security, including users’ passwords. You can easily
    reset their password and allow them to create a new one at next login. Resetting it on the
    local computer would not work because they log into the domain. Reinstalling the OS and
    making a new username are simply not necessary.
106
Q
  1. A computer user is setting up a new Windows 11 Home computer for the first time. They
    called you because they can’t figure out how to set it up with a local account. What will you
    tell them?
    A. That option is not available. They must use a Microsoft account.
    B. Press F10 during bootup to create a local account.
    C. They must switch to the Pro edition if they want to use a local account after setup.
    D. Local accounts are never available in Windows 11.
A
  1. A. When setting up a Windows 11 Home PC for the first time, you are required to use a
    Microsoft account. The setup will allow you to create one during setup. Pressing F10 does
    not change the type of account you need to set up Windows 11 Home. A local account can
    be used whether they have Windows 11 Home or Pro, but when setting up the Home version, it must be set up with a Microsoft account. It is possible to add a local account later
    and use it to log in to either Windows 11 Home or Pro.
107
Q
  1. When using a Microsoft account to log in to your Windows 11 computer, which of the following is not true?
    A. Your username is your email.
    B. There are more recovery options if you use a Microsoft account rather than a local
    account to access your computer.
    C. You won’t be able to use your computer if your Internet access is down.
    D. You can access information stored on OneDrive from another computer if you log in
    with your Microsoft account.
A
  1. C. You will be able to use your computer if you log in using your Microsoft account, even
    if the Internet is down. It will just use cached versions of files. All the other options are true.
108
Q
  1. Your friend wants to change the password for another user who is unable to log into the
    PC because they forgot their password. When they try to access User Accounts in Control
    Panel, they are unable to access it. What will you tell them?
    A. They need administrator access to change or create another user’s account, and they
    are only a standard user.
    B. They can change it in Local Users and Groups.
    C. They need to use the command-line utility to change the user’s password.
    D. They can’t change the password but they can add a new username for the password
    and make that user an administrator so that they can access their data.
A
  1. A. Administrators have access to everything in the system, but a standard user account is
    limited in what they can do. They are not able to add or manage another user’s account, for
    example. Nor are they able to access another user’s files. Local Users and Groups is available in Pro or greater editions, but a standard user still won’t be able to manage users there.
109
Q
  1. You are disposing of used hard drives, and a network administrator recommends
    performing a low-level format. What is the difference between a low-level format and a
    standard format?
    A. Low-level formats are performed at the factory, and standard formats are performed
    using the format command.
    B. Standard formats are performed at the factory, and low-level formats are performed
    using the format command.
    C. A modern low-level format fills the entire drive with zeros, returning it to factory
    mode. A standard format creates the file allocation table and root directory.
    D. A standard format records the tracks and marks the start of each sector on each track.
    A low-level format creates the file allocation table and root directory.
A
  1. C. What is known as a low-level format now (also called a zero-fill) is drastically different
    than it was years ago. The intent is the same, though, and that is to erase all data on the
    hard drive so it’s not recoverable. Technically, the low-level format needs to happen first.
    Then the drive is partitioned, creating one or more sections, and a standard format is used
    to create the file allocation table and root directory.
110
Q
  1. You have been instructed to destroy several old hard drives that contained confidential
    information, so you take them to a local company that specializes in this process. The IT
    director wants confirmation that the drives were properly destroyed. What do you need to
    provide him with?
    A. Hard drive fragments
    B. Photos of the destroyed hard drives
    C. A notarized letter from the disposal company
    D. A certificate of destruction
A
  1. D. A certificate of destruction (or certificate of recycling) may be required for audit purposes. Such a certificate, usually issued by the organization carrying out the destruction, is
    intended to verify that the asset was properly destroyed and usually includes serial numbers, type of destruction done, and so on.
111
Q
  1. You work for a bank whose policy is to physically destroy, rather than recycle, hard drives
    that are no longer needed. Which of the following is not a physical destruction method for
    hard drives?
    A. Incinerating
    B. Drilling
    C. Zero-filling
    D. Shredding
A
  1. C. Zero-filling a drive will make data that was once on the drive unreadable, but it is not
    a physical destruction method. Methods of physical destruction include drilling, shredding,
    degaussing, and incinerating.
112
Q
  1. A friend is getting overwhelmed with the number of passwords they need to remember and
    has been writing them down, but the passwords aren’t very complex, and your friend has
    used the same ones on several sites. You offer to help them. What will you do?
    A. Clear their browser cache.
    B. Clear their browsing data.
    C. Update their certificates.
    D. Install a password manager.
A
  1. D. A password manager is software that uses algorithms to generate secure passwords.
    The passwords are encrypted in the software manager. The user only needs to remember a
    single password to access the password manager, not all the other passwords. Most password managers will use two-factor authentication to allow the user to log in and change
    any passwords. Websites that you access are stored in a cache on your computer so that the
    next time you visit the website, it will only download the changes and make websites load
    much more quickly. If a website you visit isn’t updating properly, clearing the cache should
    resolve the issue. Certificates are issued by a certificate authority and prove that the website
    (or person) is who they say they are. A browser may warn you or block your access to a
    website whose certificate is expired or invalid.
113
Q
  1. You work for a company that is trying to be green. They want to repurpose their old PCs
    by giving them to a charitable organization rather than destroying or recycling them. What
    should you do before you give them away? (Choose two.)
    A. Wipe all drives.
    B. Restore the computer to its factory default condition.
    C. Create a new user for the charity and delete your user.
    D. Delete users and all their files and leave a generic administrator account active.
A
  1. A, B. Before you give a computer to someone else, you will certainly want to remove
    all of your data from it. The best way to do this is to zero-write (also called a low-level
    format) the drive, then restore it to its factory default condition. This can often be accomplished with a utility provided by the computer manufacturer, or in Windows, by using
    options in WinRE.
114
Q
  1. You are setting up a Windows 11 Pro computer that will house data shared by many people. How will you establish security for this group?
    A. Use the Local Users and Groups app to create groups such as Accounting, Office, and
    so on. Then set up permissions for each group on shared files. Add and remove users
    to the group as needed.
    B. In Control Panel, User Accounts, make all users administrators so they can do what
    they need.
    C. Use the Local Users and Groups app to create groups such as Accounting, Office, and
    so on. Then set up permissions for each person on the shared files. Add users to the
    groups just for organizational purposes.
    D. Groups are only used on servers, so set up each person with their specific NTFS permissions on the shared data folders.
A
  1. A. Option A, use the Local Users and Groups app to create groups, set up permissions for
    each group on shared files, then add users to the group as needed, is considered a best practice. By arranging security in this way, when someone changes jobs, leaves the company, or
    joins the company, all you need to do is remove the user from the group and/or add them
    to the group with the security access that they need. This process saves on human error as
    there is just one place that security is set up (for the group) instead of establishing the settings for each individual user. Local Users and Groups is available in Pro or better versions
    of modern Windows operating systems.
114
Q
  1. You’re donating a Windows 10 PC to a charity, but first want to remove all your data and
    restore the PC’s OS to a factory install. You’ve booted into WinRE. What does Microsoft
    call the recovery option to reinstall the OS and delete all user files and data?
    A. Refresh Your PC
    B. Reset Your PC
    C. Restore Your PC
    D. Repair Your PC
A
  1. B. Choosing Reset Your PC will give you two options. You can choose to keep your
    personal files but remove apps and settings, or remove everything, including your files, and
    perform a fresh installation.
115
Q
  1. You’re providing system training to a new employee, and they want to know where they
    should keep their password. What will you tell them? (Choose two.)
    A. Write the password on a sticky note attached to the bottom of their keyboard.
    B. Passwords will be saved in password manager software, and multifactor authentication is used for network access.
    C. Tape the password to the monitor so they can see it.
    D. They need to memorize their password and not write it down.
A
  1. B, D. One of the best things you can do to protect a network is to train employees on how
    to handle IT information and events. All too often users put their passwords where they are
    easy for them to find, but they are also too easy for someone with malicious intent to find.
    Passwords need to meet complexity requirements but be simple enough for a user to understand. Other tools for securing passwords are to use password management software and
    multifactor authentication. Windows Credential Manager and macOS Keychain are two
    utilities that can manage passwords for users. Credential Manager is not on the CompTIA
    A+ objectives, but Keychain is.
116
Q
  1. Which of the following are best practices for managing user accounts? (Choose two.)
    A. Restrict user permissions.
    B. Restrict login times.
    C. Enable the Guest account.
    D. Give all users administrative access.
A
  1. A, B. Following the principle of least privilege, users should be given only the access that
    they need and nothing more. If a user needs to read files but not change them, then they
    should be restricted to reading those files only. Sometimes even the most careful users can
    make changes that they did not intend. If a user works only Monday to Friday, then they
    should not be able to log in on the weekend. Having their login available gives a hacker
    one more way to get into your system. The Guest account is disabled by default and should
    remain disabled. Even administrators should have a standard user account that they will
    use unless they are doing something that requires administrative access. Then they would
    only log on as an administrator while doing that activity.
117
Q
  1. Workers have been instructed to lock their computers whenever they walk away from them,
    but as you walk around the company, you notice computers unlocked and no one sitting
    there. What is the best solution to mitigate this problem? (Choose two.)
    A. Fire people who won’t lock their computer.
    B. Enforce screen saver locks after a short time of inactivity.
    C. Train users on the importance of locking their PC.
    D. Set the PC to shut down after 2 minutes of inactivity.
A
  1. B, C. Configuring all the computers to lock the screen saver after a short period of inactivity would help to mitigate the problem. If a user was still at their desk but doing
    something else, they could easily enter their password and log in again. Training employees
    on network and data safety is always helpful. Firing them would be a very drastic measure,
    but depending on the environment, it might be the company policy. Setting the PC to shut
    down after 2 minutes of inactivity is also a bit drastic, and you wouldn’t want to risk losing
    whatever the employee was working on. Locking the screen saver can be just as effective.
118
Q
  1. Data encryption has been established for data that travels across the network, but you work
    in a secure environment and want to encrypt all the data on users’ storage drives, including
    laptop drives, to prevent dissemination of information if the drives are compromised or
    stolen. Which of the following would not be a good solution to encrypt this data-at-rest?
    A. Use EFS and let the employee choose what to encrypt.
    B. Use a third-party encryption solution.
    C. Use MDM software.
    D. Use BitLocker on desktop systems.
A
  1. A. Data-at-rest is any data that is sitting on a drive somewhere. It’s not moving between
    network locations, but it needs to be protected. Letting the employee choose what to
    encrypt with EFS is not a good solution because it opens too much possibility for human
    error. There are third-party companies that specialize in protecting data-at-rest. Other solutions are to use MDM (mobile device management) software. Using MDM, the IT administrator can enforce encryption on remote devices, even those owned by employees who are
    using their personal devices for company business. If the device is lost or stolen, company
    data can be wiped from it using MDM software. BitLocker is a solution for encrypting
    entire hard drives, but it requires Pro or higher editions of both Windows 10 and 11 and a
    TPM (Trusted Platform Module) chip or module on the motherboard. BitLocker stores an
    encryption key in the TPM, and the TPM will only allow access to the key when the computer starts as expected.
119
Q
  1. You have a new smartphone that can authorize a transaction by using your phone’s camera
    while you are simply looking at it. What is this technology called?
    A. Pin code
    B. Fingerprint scanner
    C. Device encryption
    D. Facial recognition
A
  1. D. Facial recognition and fingerprint readers are available on an increasing number of
    smartphones and mobile devices. Facial recognition uses your cell phone’s camera, sensors,
    and a dot projector to make a 3D map of your face. The phone then uses that 3D map to
    recognize you for future transactions. PIN codes are numbers that you enter to gain access.
    Fingerprint scanners require that you touch a spot repeatedly to set up. Once the device has
    a map of your fingerprint, you can use your finger to log in or authorize certain transactions. Device encryption is not a method of identifying the user.
120
Q
  1. Which of the following is the least secure way to access a mobile device whose screen
    is locked?
    A. Facial recognition
    B. PIN code
    C. Swipe
    D. Pattern
A
  1. C. Most mobile devices will lock after a period of inactivity. For some, merely swiping
    across the device will unlock it. Since this can be done by anyone, it isn’t secure. Facial recognition is a biometric (something that you are) type of identification, so it is quite secure
    depending on the software that is used to recognize the face. PIN codes and patterns are
    something that the user must know, and although a hacker may figure them out, they’re
    still more secure than merely swiping across the device.
120
Q
  1. Which method of logging into a mobile device may make it easy for someone to guess your
    password based on marks left by the oils in your skin?
    A. Facial recognition
    B. Fingerprint
    C. Pattern
    D. Swipe
A
  1. C. Some mobile devices allow the user to draw a pattern on the screen that is recognized
    by the device; the user is then allowed access. The problem with using this security method
    is that, because the pattern is repeatedly drawn on the screen, someone may see the oils left
    behind by your skin and be able to figure out the pattern that is drawn. Facial recognition
    uses the mobile device’s camera to make and store a 3D map of your face. To gain access to
    the device, the camera reads your face again and compares it to the stored image. Fingerprint readers compare your fingerprint to one stored on the device for access. With a swipe
    lock, the user merely swipes across the screen to unlock it.
121
Q
  1. You just installed a security camera that communicates on port 4150. The video camera is
    connected to your SOHO router. With the camera set up, you can view the video stream
    from your computer that is on the same SOHO router, but not remotely on your phone or
    another computer. What did you forget to do?
    A. Configure port forwarding on the router.
    B. Close port 4150.
    C. Connect the camera to the router.
    D. Disable the firewall.
A
  1. A. Since the camera communicates over port 4150, the port would need to be open and
    port forwarding configured so that your remote connection can access the camera, through
    the router, using that port. You know that the camera is properly connected to the router
    because you can access the video stream on it from a computer connected to the same
    router. Disabling the firewall should not be done because the firewall is a vital part of your
    network’s security.
122
Q
  1. You are installing a SOHO router and a wired network for a small office. The manager is
    concerned that employees will visit websites with objectionable material. Which feature
    should you look for in a router to help prevent such access?
    A. Content filtering
    B. Disabling ports
    C. VPN access
    D. Port forwarding/mapping
A
  1. A. Content filtering is the process of blocking objectionable content from either websites
    or email. Many routers and firewalls will provide content filtering services. In many cases,
    a reference service is used to block websites, and filters can be implemented to scan emails
    for prohibited content. Disabling ports stops traffic from entering the network. It does not
    filter for content. VPN access means that a user can access the network remotely just as if
    they were sitting in the office. Port forwarding/mapping is used when you need traffic on a
    particular port to go to a particular network device. It is often used for gaming and security cameras.
123
Q
  1. Your office is in a building with several other companies. You want to configure the
    wireless network so that casual users in the building are not able to easily see your network
    name. What should you do to configure this?
    A. Enable WPA3.
    B. Enable MAC filtering.
    C. Disable SSID broadcasts.
    D. Reduce radio power levels.
A
  1. C. One method of “protecting” the network that is often recommended is to turn off the
    SSID (service set identifier) broadcast. The SSID is the name of your network. The access
    point is still there and can still be accessed by those who know of it, but it prevents those
    who are looking at a list of available networks from finding it. This should be considered
    a weak form of security because there are still ways, albeit a bit more complicated, to discover the presence of the access point besides the SSID broadcast. WPA3 is a secure Wi-Fi
    encryption standard. MAC (Media Access Control) filtering allows or denies access to the
    network based on the MAC address associated with a NIC (Network Interface Card).
124
Q
  1. You’re changing some configuration settings on your SOHO router and notice that WPA3
    is not available. What might you be able to do to resolve this issue?
    A. Configure port forwarding.
    B. Configure content filtering.
    C. Update the SSID.
    D. Update the router’s firmware.
A
  1. D. Just like computers, routers occasionally need their software updated to add new features or correct security holes. On a router this is called a firmware update because it is
    updating software that is embedded in chips on the router’s circuit board (i.e., the router’s
    firmware). Port forwarding will send traffic for a specified port number to a specified computer. Content filtering inspects packets for specified content and rejects or allows packets
    to enter or leave the network based on those criteria. The SSID (service set identifier) is the
    name of the network.
125
Q
  1. Which of the following are very fast and very secure ways to access your mobile device?
    (Choose two.)
    A. PIN code
    B. Fingerprint scanner
    C. Swipe
    D. Facial recognition
A
  1. B, D. Facial recognition and fingerprint readers are available on an increasing number of
    smartphones and mobile devices, and they can identify you faster than you can enter numbers on a screen. Facial recognition uses your cell phone’s camera, sensors, and a dot projector to make a 3D map of your face. The phone then uses that 3D map to recognize you
    for future transactions. Fingerprint readers can use capacitive, optical, or ultrasonic sensors,
    but regardless of the method, they make a map of your fingerprint and, like facial recognition, compare that stored map against a new scan of your body. With either one you can gain access to a device
    or authorize a transaction in about one second. PIN codes are a number that you enter to
    gain access. They can be entered quickly but can also be guessed, so they’re not as secure as
    biometrics (fingerprint scanning and facial recognition). Using a swipe to unlock a mobile
    device is fast but not secure.
126
Q
  1. You’re setting up a SOHO network that uses DHCP but would like the IP address for a
    printer to remain consistent. What will you configure on the router to achieve this?
    A. DHCP scope
    B. DHCP reservations
    C. APIPA scope
    D. Loopback address
A
  1. B. Configuring a DHCP (Dynamic Host Configuration Protocol) reservation means that
    you’re setting aside a particular IP address to be used only with a specific device. That IP
    address is then not one of the addresses that the DHCP server can assign to workstations
    attempting to connect to it and be given an IP address. The DHCP scope is the range of
    IP addresses that can be assigned, such as 192.168.1.100 to 192.168.1.199, which would
    yield 100 private class C IP addresses. There is no such thing as an APIPA scope. An APIPA
    (Automatic Private IP Addressing) address is not configured on a router, or anywhere. It
    is an address in the 169.254.x.x range and is generated by an operating system when it is
    unable to reach a DHCP server. The loopback address, 127.0.0.1 for IPv4 or ::1 for IPv6, is
    a number used to test TCP/IP on the local machine.
127
Q
  1. What method of securing a mobile device requires entering a series of numbers?
    A. PIN code
    B. Fingerprint scanner
    C. Pattern
    D. Facial recognition
A
  1. A. PIN codes are a number that you enter to gain access to a mobile device. Fingerprint
    scanners and facial recognition systems are biometrics, meaning that they use a part of your
    body to identify you. Once a 3D map of the face or finger is made, that map is compared
    to a new one generated when you touch the screen or look into the camera. If they match,
    access is granted. Drawing a pattern on the screen is also sometimes used to unlock a device, but it does not involve entering numbers.
128
Q
  1. You’ve been using a drawn pattern on your phone to unlock it for some time, and now it
    simply won’t work. What might quickly resolve this issue? (Choose two.)
    A. Clean the screen.
    B. Wipe the phone and do a factory reset.
    C. Restart the phone.
    D. Use your Google credentials to gain access.
A
  1. A, C. Oils on your skin can be left behind on the screen and cause it to not recognize a
    pattern or fingerprint. Cleaning the screen may help. If that doesn’t work, another quick
    solution is to restart the phone, then try the pattern again. The other two options will
    take longer. If it is an Android phone and you still can’t access it, you may be able to use
    your Google credentials to access the phone if you are logged into Google on the phone.
    Performing a factory reset would be akin to giving up and starting over.
129
Q
  1. You own a small company with a SOHO router and a web server that is used to sell your
    products. You don’t want the IP address of your web server to change, so you’ve paid the
    ISP for a specific IP address that is yours and will not change. What would you configure
    on your router for your ISP connection?
    A. Dynamic WAN IP
    B. Static WAN IP
    C. UPnP
    D. Screened subnet
A
  1. B. On your router you would configure a static WAN (wide area network) IP address. That
    is the address that the ISP (Internet service provider) has assigned to you. Usually the ISP
    uses dynamic addressing, and your WAN setting would be Dynamic WAN IP, so having a
    static WAN IP generally involves higher fees paid to the ISP. UPnP (Universal Plug and Play)
    is a protocol that lets devices find and communicate with each other on your LAN (local
    area network) such as your laptop and your printer. Unfortunately, UPnP could also be
    used by malware to spread to other devices on your network. A screened subnet uses one
    or more routers to create a separate area on a network where servers, such as a web server,
    can be accessed from either inside the LAN or from the Internet. It provides greater security
    and protects the LAN.
130
Q
  1. What is the protocol that allows devices on your LAN, such as your laptop and printer, to
    find each other?
    A. WPA3
    B. WPA2
    C. PIN
    D. UPnP
A
  1. D. UPnP (Universal Plug and Play) is a protocol that lets devices find and communicate
    with each other on your LAN (local area network), such as your laptop and your printer.
    Unfortunately, UPnP could also be used by malware to spread to other devices on your
    network. WPA3 (Wi-Fi Protected Access version 3) and WPA2 are wireless networking
    encryption protocols. A PIN is a personal identification number used to authenticate to a
    computer system.
131
Q
  1. You are configuring a new SOHO router that replaced a failed one. Your network has a
    mixture of devices purchased several years ago and newer ones purchased in 2022. Which
    of the following encryption options should you choose?
    A. WPA3
    B. WPA2
    C. WPA2/WPA3
    D. WEP
A
  1. C. WPA3 (Wi-Fi Protected Access version 3) is the newest and most secure wireless encryption protocol for your SOHO router, but the devices that you’ve had for a few years might
    not be able to work with it. For the time being, until those legacy devices can be replaced,
    it’s best to use the WPA2/WPA3 mixed mode so that all your devices can connect to the
    network as securely as possible. WEP (Wired Equivalent Privacy) should no longer be used
    because it is not secure. Also, it is not listed in the CompTIA A+ exam objectives.
132
Q
  1. You perform very confidential work as a government contractor, and you work from home.
    Your contract specifies that the only external computers your computers can communicate
    with are the government computers involved in the project. What can you configure on
    your router to block all other computers from communicating with your network?
    A. IP address filtering
    B. Untrusted sources
    C. Hashing
    D. Port filtering
A
  1. A. Configuring IP filtering enables you to set which IP addresses are allowed to communicate through your router and which are not. Untrusted sources are websites that your
    browser has deemed suspicious or dangerous, and it warns you of such. Hashing is the process
    of converting data, such as a character string, into a fixed-length value. Port filtering is a way of allowing or denying
    access to a network based on the port number in the packet. Filtering router traffic by port
    is also an excellent security practice.
133
Q
  1. Your company has decided to allow users to use their own devices for company business.
    This decision will save the company money on hardware. To use their personal devices,
    the company will require that employees sign an agreement. What would this agreement
    be called?
    A. BYOD policy
    B. MDM policy
    C. Cell phone policy
    D. Remote work policy
A
  1. A. A company may have many policies and procedures that employees must agree to as a
    condition of employment. Two of the most common ones are an acceptable use policy
    (AUP) and a bring-your-own-device (BYOD) policy. Acceptable use policies define what
    you can and can’t do with company technology, and the consequences if the policy is
    violated. The BYOD policy describes the conditions for an employee using their own
    device for company business. This likely includes that the company will use mobile device
    management (MDM) software to secure the company information on the user’s device.
134
Q
  1. You turned your back for a minute in the coffee shop and your mobile device is missing.
    Which one of the following is not a way to achieve a remote wipe on a mobile device?
    A. Exceeding failed login restrictions
    B. Using Google Find My Device or Find iPhone app
    C. Using MDM software
    D. Disabling guest access
A
  1. D. Exactly how to wipe your device depends on the device. If you have configured failed
    login restrictions on your device, then after the prescribed number of failed attempts, the
    device will either lock or, in the case of an iOS device, 10 failed tries will cause the device
    to be erased. For Android devices you can use Google Find My Device to remotely wipe it, and for iOS devices you can use the Find iPhone app using a different iOS device. MDM
    software can also be used to wipe Apple, Android, or Windows devices. Disabling guest
    access is a good security practice, but it won’t wipe the device’s data.
135
Q
  1. You are setting up a router and network for a SOHO business. The router has wired
    and wireless connections. Which of the following is not a method for securing the router
    and network?
    A. Place the router in the kitchen area for easy access.
    B. Disable any guest accounts on the network. If guests need access, set up a separate
    VPN for them.
    C. Ensure that the Wi-Fi signal doesn’t extend beyond the required area, and if it does,
    lower the power of the Wi-Fi signal.
    D. Place the router in an area that can be locked.
A
  1. A. A kitchen is one of the worst places for a router to be. First, there will be EMI
    (electromagnetic interference) from appliances like refrigerators and microwaves, which
    will interfere with the wireless signal and if they’re too close to the router or wires, they
    could interfere with the wired signal, too. Second, having easy access to the router might be
    good for the IT person, but it’s a terrible idea for security. For physical security, place the
    router in a room or an enclosure that can be locked and out of reach of people passing by.
    Any guest access or guest accounts should be disabled. If your company is one that needs
    to have Wi-Fi available for visitors, put it on a separate VLAN (virtual LAN) so that your
    network isn’t exposed to those connections. For Wi-Fi routers, take a walk around with a
    Wi-Fi meter and ensure that the signal doesn’t extend into areas where it should not be. If it
    extends too far, you may need to turn the power down or possibly move the router.
136
Q
  1. There seems to be a great deal of interference on your wireless network. You determine that
    it’s due to the network in the office next door. What should you do to keep your network
    safe and reliable? (Choose three.)
    A. Change the channel your router uses.
    B. Turn your Wi-Fi signal power to maximum power to drown out theirs.
    C. Turn your signal power down to decrease interference.
    D. Try moving the router or using a different band.
A
  1. A, C, D. While the interference is usually more of an annoyance than a problem, having your wireless network easily accessed by others is a security issue. If you change the
    channel so that your Wi-Fi and theirs are on different channels, there will be less interference. Turn your signal power down to keep your Wi-Fi signal inside your office. If the
    offending network is already interfering with your Wi-Fi signal, turning up the power on
    your router’s Wi-Fi signal might make it worse because there would be more crossover between your network and theirs. You could also try moving the router to an area with less
    interference. Finally, try using a different band to avoid interference. If you’re using the
    5 GHz band, try using the 2.4 GHz band instead if devices support it. Some environments
    employ a process called channel hopping (changing channels frequently) to avoid packet
    sniffing and signal jamming on their wireless networks.
137
Q
  1. You receive an email from an overseas bank notifying you that a relative has left you a
    large sum of money. You need to respond with your bank routing information so they
    can electronically transfer the funds directly to your account. What is this most likely an
    example of?
    A. Phishing
    B. Ransomware
    C. Spoofing
    D. Whaling
A
  1. A. Social engineering is a process in which an attacker attempts to acquire information
    about your network and system by social means, such as talking to people in the organization. A social engineering attack may occur over the phone, by email, or in person. When
    the attempt is made through email or instant messaging, it is known as phishing, and it’s
    often made to look as if a message is coming from sites where users are likely to have accounts (banks, eBay, and PayPal are popular). Ransomware is software that holds your
    computer hostage in a logical way, such as encrypting your hard drive and refusing to give
    you the key until you pay a ransom. Spoofing is when someone or something pretends to
    be something else, such as an attacker’s server using a familiar look and feel of a website,
    even a similar IP. Whaling is phishing for a wealthy or influential target.
137
Q
  1. A user needs to download a new video card driver for their HP laptop. They find the driver
    on the HP site and ask you if they can download it. The HP site is an example of what?
    A. Part of an access control list
    B. An authenticator website
    C. A trusted software source
    D. An untrusted software source
A
  1. C. There are trusted software sources that you know and work with all the time (such
    as Microsoft, HP, or other manufacturers’ websites) and there are untrusted sources, and
    you should differentiate between them. Don’t use or let your users use untrusted software
    sources. Generally, common sense can be your guide, but there are “safe lists” of trusted
    software vendors from authoritative watchdog companies such as Comodo.
138
Q
  1. You are planning a wireless network for a small office. Which of the following is a good
    rule of thumb when considering access point placement?
    A. Place them in walls or ceilings for protection.
    B. Place them near metal objects so the signal will reflect better.
    C. Place them in the center of the network area.
    D. Place them at the edge of the network area and focus them in the proper direction.
A
  1. C. There isn’t any one universal solution to wireless access point placement; it depends a
    lot on the environment. As a general rule, the greater the distance the signal must travel,
    the more it will attenuate, but you can lose a signal quickly in a short space as well if the
    building materials reflect or absorb it. You should try to avoid placing access points near
    metal (which includes appliances) or near the ground. They should be placed in the center
    of the area to be served and high enough to get around most obstacles. Note that of all
    current 802.11 standards, only 802.11ac and 802.11ax offer directional antennae. All other
    standards are omnidirectional, meaning that the signal transmits in all directions.
139
Q
  1. Your wireless network has been working just fine, but today you’re flooded with calls
    that employees can’t access the network. You suspect that an unhappy employee who was
    recently fired is perpetrating a DoS attack by causing network interference. Which of the
    following might temporarily solve the problem?
    A. Set your router to use a different channel.
    B. Have everyone log off their computers and back on.
    C. Reset the router.
    D. Restore the router to factory defaults.
A
  1. A. It doesn’t take much to perpetrate a DoS (denial-of-service) attack on a wireless network. Someone nearby could use a Wi-Fi analyzer to determine what channel you’re using
    and bombard that channel with interference, bringing your network to a halt. Changing
    the channel would provide a temporary fix. Use a Wi-Fi analyzer to find a less crowded
    channel and switch to that one. You don’t want to reset your router to factory defaults.
    That wouldn’t solve the problem and would just make more work for you.
140
Q
  1. All of the following are methods to keep your mobile device safe except for one. Which
    one is that?
    A. Use a swipe to unlock a mobile device.
    B. Accept and install OS updates as soon as possible.
    C. Install antivirus/anti-malware.
    D. Use a remote backup application to safeguard your data in the event that you must
    wipe your phone.
A
  1. A. Using a swipe to unlock a mobile device does not protect your device or your data. At
    the very least, using a PIN (personal identification number) is far safer than using a swipe
    to unlock a mobile device. Keeping operating systems up-to-date to plug any vulnerabilities
    is very important. All devices should have some form of antivirus, even if it is one that is
    built into the operating system. Make sure that you are using a remote backup application
    to ensure that if your mobile device is lost or stolen and you must remotely wipe all the
    data, you will be able to download it to a new device.
141
Q
  1. Your data center recently experienced a theft of a server from the rack. Which security
    mechanism would protect servers from future theft?
    A. Security token
    B. Server lock
    C. Key fob
    D. Firewall
A
  1. B. It’s a bold move to try to steal a server. But a server lock or locks on the rack door
    would deter future theft attempts. A key fob is a type of hardware security token. A security
    token is something you have that authenticates who you are. A firewall can be a software
    or hardware device that is used to filter traffic on a network.
142
Q
  1. A user is complaining that they have so many ads popping up on their screen when they are
    doing Internet research that they can’t get their work done. What can you configure in their
    browser to mitigate this problem?
    A. Private-browsing mode
    B. Pop-up blocker
    C. Password manager
    D. Certificate
A
  1. B. Pop-up blockers are available in virtually every browser to stop those annoying ads
    from taking over your screen. Look in the settings for the browser. Private-browsing mode,
    or incognito mode, will avoid keeping your browsing history or cookies, and keep your
    activities from being seen by others on the same Wi-Fi or later by another user of the
    device. Password managers provide a single login for you and are able to generate unique
    and complex passwords for all the sites that you use.
143
Q
  1. You work as a contractor for a government entity that requires proof of data destruction
    when decommissioning old hard drives and computers. What is the best way to do this?
    A. Hire a third-party vendor to do the destruction and provide a certificate of destruction
    and recycling.
    B. Have the recycling center give you a receipt for the drives.
    C. Destroy them within your company and show pictures of the destroyed drives.
    D. Zero-write all the drives.
A
  1. A. Data destruction contractors (third-party vendors) can be certified by groups such as
    NAID (National Association for Information Destruction) or can show that they follow
    government rules (such as HIPAA, in the United States) for data destruction. They can provide proof of destruction, which would be difficult to do on your own. Once you drop a
    drive off at a recycling center, you have no idea where that drive or its data may end up.
    While you could destroy the data on your own either physically or logically, it would be
    better to have a third-party vendor certify the data destruction.
144
Q
  1. What type of technology used in security devices requires bringing a smartcard or ID close
    to but not touching a card reader to gain access to an area?
    A. Access control vestibule
    B. Key fob
    C. Biometrics
    D. RFID
A
  1. D. Radio frequency identification (RFID) devices use a reader to access information on
    a special tag that can be on a smartcard. The information can be used to allow or deny
    access to a secured area or device. RFID is also often used for inventory and fixed asset
    management. An access control vestibule is an area between two doors that is often used to
    prevent tailgating. A key fob is a type of hardware token, a hardware device that a person
    carries to identify the user. Biometrics are devices that use a part of a person’s body to identify that person, such as a face, palm, or fingerprint reader.