Chapter 7 - Security Flashcards
Which type of security device requires the user to insert some type of identification card to
validate access?
A. PIN code
B. Badge reader
C. Security token
D. Biometrics
B. A protected computer or area may have a badge reader into which you insert a smartcard. A smartcard is a type of badge or card that gives you access to resources, including buildings, parking lots, and computers. It contains information about your identity and access privileges. If using radio frequency identification (RFID), the reader is a wireless, no-contact technology and the user does not need to touch the card to the reader. A PIN (personal identification number) code is a number that would be entered to gain access to a system. A security token is something you have that is used to verify your identity; it can be a software or a hardware token. Biometrics use a part of your body as identification.
Someone has configured an external server with an IP address that should belong to one of
your sister company’s servers. With this new computer, they are attempting to establish a
connection to your internal network. What type of attack is this?
A. Spoofing
B. On-path attack
C. Zombie/botnet
D. Non-compliant system
A. A spoofing attack is an attempt by someone or something to masquerade as someone
else. This type of attack is usually considered an access attack. The most popular spoofing
attacks today are IP spoofing, ARP spoofing, and DNS spoofing. This is an example of IP
spoofing, where the goal is to make the data look as if it came from a trusted host when it
What type of security device often incorporates RFID technology to grant personnel access to
secure areas or resources?
A. Smartcard
B. Security token
C. Access control vestibule
D. Key fob
A. A smartcard is a type of badge or card that gives the holder access to resources, including buildings, parking lots, and computers. It contains information about your identity and access privileges. Each area or computer has a card scanner or a reader in which you insert your card. Radio frequency identification (RFID) is the wireless, no-contact technology used with these cards and their accompanying reader. A security token is something you have that is used to verify your identity; it can be a software or a hardware token. An access control vestibule is an area between two doors, often with a security camera. The second door grants access to a secure area. A key fob is a small device used in two-factor authentication. It can generate a number or have software on it that is read to gain access.
You are configuring a wireless network for a small office. What should you enable for the
best encryption possible for network transmissions?
A. WPS
B. WEP
C. WPA
D. WPA3
D. There are generally four wireless encryption methods available. From least to most secure, they are Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and two newer versions of WPA called WPA2 and WPA3. WPA3 is the most secure and should be used unless strange circumstances prevent you from doing so, because WPA and WPA2 are no longer secure. WPS is an easy way to configure Wi-Fi for devices like printers, where a number would be generated on a printer, for example, and the number would need to be entered on the access point, or vice versa. WPS has security flaws and is not listed in the CompTIA A+ exam objectives.
You work for a company that has employees fill out and manually sign personnel documents.
Once the signed documents are scanned into a system, the paper copies are no longer needed.
What should be done with the paper documents?
A. Place them in the recycle bin.
B. Shred them.
C. Place them in the trash.
D. Keep them in a locked cabinet.
B. Companies normally generate a huge amount of paper, most of which eventually winds up in dumpsters or recycle bins. Dumpsters may contain information that is highly sensitive in nature, and attackers may seek it out by practicing dumpster diving. In high-security and government environments, if sensitive papers are no longer needed, they should be either shredded or burned.
Which types of security threats involve the attacker attempting to directly contact a potential
victim? (Choose two.)
A. Spoofing
B. Phishing
C. Social engineering
D. Brute-force attacking
B, C. Social engineering is a process in which an attacker attempts to acquire information about your network and system by social means, such as talking to people in the organization, shoulder surfing, tailgating, or other methods. When this is done via email or instant messaging, it’s called phishing. Spoofing involves pretending to be a trusted resource—for example, by using a trusted resource’s IP address to gain access to something else. A brute-force attack usually involves software that keeps trying passwords or codes until it hits upon the right one to gain access.
An employee uses their security badge to enter the building through a secured door. Another
person tries to enter the building behind them before the door closes without swiping a
badge. What type of behavior is the second person demonstrating?
A. Shoulder surfing
B. On-path attack
C. Brute-force
D. Tailgating
D. Tailgating refers to being so close to someone when they enter a building that you can come in right behind them without needing to use a key, a card, or any other security device. Using an access control vestibule, which is a device such as a small room that limits access to one or a few individuals, is a great way to stop tailgating. Revolving doors can also help prevent tailgating. Shoulder surfing is walking behind someone hoping to see passwords or other security information they may be entering. On-path attacks occur when your data transmissions are intercepted by someone en route, then forwarded on to their destination, sometimes with changes, sometimes without. A brute-force attack usually involves software that keeps trying passwords or codes until it hits upon the right one to gain access.
You have a Windows domain network and want to ensure that users are required to meet
password complexity requirements. What is the best way to implement this on the network?
A. Use a firewall.
B. Use a VPN.
C. Use Group Policy.
D. Use DLP.
C. In a Windows domain, password policies can be configured at the domain level using Group Policy Objects (GPOs). There are hundreds of variables that can be configured. Variables that can be configured relating to passwords include password complexity and length, the time between allowed changes to passwords, and a lockout policy for failed access attempts. A firewall can be configured to block certain types of traffic based on things like IP address, protocol, or MAC address. A VPN (virtual private network) is a secure path between a local and a remote device. Data loss prevention (DLP) is the process of monitoring and identifying sensitive data to make sure it is accessed only by authorized persons.
You are planning security protocols for your company’s new server room. What’s the simplest way to help physically keep potential attackers away from your servers?
A. Lock the door.
B. Use cable locks.
C. Install an access control vestibule.
D. Implement biometrics.
A. Sometimes the obvious solutions are the best ones! A key aspect of access control involves physical barriers. One of the easiest ways to prevent those intent on creating problems from physically entering your environment is to lock your doors and keep them out. Cable locks are used to secure mobile devices like laptops to a table or a fixed device so they can’t be carried away. An access control vestibule is a small room between two doors, where the secure access area is beyond the second door, and biometrics use a part of the body to identify a person.
A user on your network reported that their screen went blank and a message popped up.
It’s telling them that their files are no longer accessible, and if they want them back, they
need to enter a credit card number and pay a $200 fee. Which type of malware has infected
this system?
A. Rootkit
B. Ransomware
C. Trojan
D. Spyware
B. With ransomware, software, often delivered through a Trojan, takes control of a system and demands that a third party be paid. The “control” can be accomplished by encrypting the hard drive, by changing user password information, or via any of several other creative ways. Users are usually assured that by paying the extortion amount (the ransom), they will be given the code needed to revert their systems to normal operations. Even among malware, ransomware is particularly nasty. A rootkit is software that gains access to a system as administrator, giving it full control over a system. Rootkits are adept at hiding their presence and are difficult to eradicate. A Trojan is named after the Trojan horse of mythology. Trojans are malicious software that hides in that fun game or screen saver that you just downloaded, and it installs when you install the innocent-looking files. Spyware is designed to watch what you do and where you go, hoping to gain information such as logins and passwords, and bank account numbers.
You are setting up a new wireless router for a home office. Which of the following should
you change immediately when initially configuring the network? (Choose two.)
A. The router’s default administrator username and password
B. The default SSID
C. The radio power level
D. The guest account password
A, B. When configuring a new wireless router, always change the administrator’s username and password first. This prevents would-be hackers from having easy access to the router. Then change the default SSID. These default values can easily be found online, and not changing them immediately makes your router vulnerable to attack. The radio power level might be changed later if you discover the signal is too weak or too strong. There is no guest account on a router.
You are configuring a router for a small office network. The network users should be able to access regular and secure websites and send and receive email. Those are the only connections allowed to the Internet. Which security feature should you configure to prevent additional traffic from coming through the router?
A. MAC filtering
B. Content filtering
C. Port forwarding/mapping
D. Port security/disabling unused ports
D. Port security involves disabling all unneeded protocols/ports. In this case, ports 80 and
443 are needed for HTTP and HTTPS access, and ports 25, 110, 143, 465 or 587 may be
needed for email. That’s it. If you don’t need them, remove the additional protocols, software,
or services, or prevent them (disable them, or block them, as the setting is typically called on
a router) from loading. Ports left open but not in use present an open door for an attacker to
enter. MAC filtering is an option on most routers that will only allow devices with specific
MAC addresses to access the router. Content filtering blocks undesirable traffic such as social
media or hate sites on a corporate network. Port forwarding/mapping will send all traffic
that comes in on a specified port number to a specific node on the network.
On a Windows 10 workstation, there are two NTFS volumes. The Managers group has
Modify access to the D:\mgmt directory. You move the folder to the D:\keyfiles folder,
to which the Managers group has Read access. What level of permissions will the Managers
group have to the new D:\keyfiles\mgmt directory?
A. Full Control
B. Modify
C. Read & Execute
D. Read
B. When you move a file or folder on the same NTFS volume, it will keep its original permissions. If you copy it or move it to a different volume, it will inherit permissions from its new parent directory.
For users to log on to your network from a remote location, they are required to supply
a username and password as well as a code from an RSA token. What type of security is
being used?
A. Firewall
B. Multifactor authentication
C. Access control list
D. Principle of least privilege
B. When users log on to a computer or network, they are generally required to provide credentials such as a username or password. In multifactor authentication (MFA), the user is required to provide two or more items proving who they are. These items are generally from two of four categories: something they know (such as a password), something they have (such as a code from a security token), something they are (biometric screening), or somewhere they are (based on GPS location or Wi-Fi and cell tower triangulation). A firewall is a software or hardware device that will block traffic into or out of a network based on parameters that the administrator specifies. An access control list exists for each resource. It defines who has what level of access to that resource. The principle of least privilege states that you give a user only enough access to do what they need to do and nothing more.
You want to recycle some hard drives that your company no longer uses but want to ensure
that other people will not be able to access the data. Which methods of removing the data are
acceptable for your purposes? (Choose two.)
A. Formatting the drive
B. Using an overwrite utility
C. Using a drive wipe utility
D. Using electromagnetic fields
B, C. The best methods are using either overwrite or drive wipe programs. Overwriting the
drive entails copying over the data with new data. A common practice is to replace the data
with 0s. Drive wipes do a similar thing. Formatting the drive does not guarantee that others
can’t read the data. Using electromagnetic fields (or degaussing) isn’t reliable and can damage
the hard drive, and it won’t work at all on SSDs.
You have installed Windows 11 Pro on a workstation. For better security, which user account
should you ensure is disabled?
A. Administrator
B. DefaultAccount
C. Power User
D. Guest
D. When Windows is installed, one of the default accounts it creates is Guest, and this represents a weakness that can be exploited by an attacker. While the account cannot do much, it can provide initial access to a system, and the attacker can use that to find another account or acquire sensitive information about the system. To secure the system, disable all accounts that are not needed, especially the Guest account, which is disabled by default. The Administrator account should be renamed. If a hacker knows a valid username, then they are halfway into your system. The DefaultAccount is an account that is managed by the system and is disabled by default. Power User is not an account that is installed with Windows 11, but there is a Power Users group that is kept for backward compatibility.
Which type of network attack involves an intermediary hardware device intercepting data
and altering it or transmitting it to an unauthorized user?
A. On-path attack
B. Non-compliant system
C. Zombie/botnet
D. Spoofing
A. On-path attacks clandestinely place something (such as a piece of software or a rogue router) between a server and the user, and neither the server’s administrator nor the user is aware of it. The on-path attack intercepts data, then sends the information to the server as if nothing is wrong. The on-path attack software may be recording information for someone to view later, altering it, or in some other way compromising the security of your system and session. A noncompliant system is one that is not in line with acceptable security policies and procedures. Zombie and botnet are attacks where the user of the computer doesn’t know there is malware on their computer. Their computer is a zombie, and when many zombies are used to attack a system, it’s known as a botnet attack. Spoofing occurs when another system pretends or appears to be a trusted system.
You are implementing new password policies for your network, and you want to follow
guidelines for password best practices. Which of the following will best help improve the
security of your network? (Choose two.)
A. Require passwords to expire every 180 days.
B. Require passwords to be a minimum of 8 characters.
C. Require passwords to have a special character.
D. Require passwords to be no more than 10 characters long.
B, C. Setting strong passwords is critical to network security. They should be as long as possible. Eight or 10 characters is a good minimum. Users should also be required to use a combination of uppercase and lowercase letters, a number, and a special character such as #, @, &, or others. Passwords should also expire, but 180 days is too long. Having a 45-day or 90-day requirement would be better.
What does NTFS use to track users and groups and their level of access to resources?
A. ACLs
B. Tokens
C. Badges
D. Control rosters
A. With NTFS, each file, directory, and volume can have its own security. NTFS tracks security in access control lists (ACLs) for each resource. The ACL will contain the user or group name and the level of access they have been granted. The basic permissions to choose from are Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. There are also special permissions and settings that can be applied. A token is software or hardware that is used in multifactor authentication and falls under the category of something that a user has. Badges may use RFID or other technology that is read to allow physical entry to a secure area. Control rosters are used in areas that have security guards and contain a list of people who are allowed to enter.
You have created a user account for a contract employee on a Windows 11 PC. The contractor will be with the company for one month. Which user group should this user’s account be placed in?
A. Power Users
B. Administrators
C. Standard Users
D. Guest
D. The Guest account is created by default (and should be disabled) and is a member of the
Guests group. For the most part, members of Guests have the same rights as Users except
they can’t access log files. The best reason to make users members of the Guests group is to
access the system only for a limited time. There is no group named Standard Users by default.
There are groups created automatically called Users, Administrators, Power Users, Guests,
and a few others. The Power Users group is kept for backward compatibility, but they are the
same as someone in the Users group. Administrators have complete control over the systems
that they are an administrator on.
On your network, there are multiple systems that users need to access, such as a Windows
domain, a cloud site for storage, and order processing software. You want to configure
the network such that users do not need to remember separate usernames or passwords
for each site; their login credentials will be good for different systems. Which technology
should you use?
A. EFS
B. MDM
C. SSO
D. UAC
C. One of the big problems larger networks must deal with is the need for users to access multiple systems or applications. This may require a user to remember multiple accounts and passwords. The purpose of single sign-on (SSO) is to give users access to all the applications and systems that they need when they log on. Some of the systems may require users to enter their credentials again, but the username and password will be consistent between systems. EFS is the Encrypting File System used to encrypt volumes, files, and folders in Windows OSs. MDM is mobile device management, which allows an IT department to retain some control even though users employ BYOD (Bring Your Own Device). UAC is user account control, which verifies that someone has the authority to change a Windows system before making any changes.
A user discovers a strange text file at the root of their user directory. It contains everything
they have typed over the past few days, including their credentials. What is the likely cause of
the text file?
A. System auditing enabled
B. Keylogger installed
C. Email application in debug mode
D. Backup file
B. A keylogger seems to be running on the system, monitoring and copying all that is typed
on the keyboard. Obviously, this malware needs to be removed and incident response
steps taken.
What security solution would protect a user from unwanted network traffic probing their
workstation?
A. Software firewall
B. Antiphishing training
C. Anti-malware
D. Antivirus
A. A software-based firewall on the workstation would be able to stop unwanted network traffic, including port scans and probes. Antiphishing training teaches users to avoid malicious emails. Anti-malware and antivirus are software designed to recognize and quarantine or eradicate malicious code.
A user wants to use multifactor authentication at their PC but does not want to carry a key
fob and is strongly against biometrics. What method can you suggest?
A. Second password
B. Hardware token
C. Software token
D. Fingerprint reader
C. The software token is stored on a general-purpose device, such as the PC or a smartphone. The hardware token option would involve carrying an added key fob or device. A fingerprint reader would be unacceptable as it involves biometrics. A second password defeats the benefit of using multifactor authentication.
What wireless protocol used in WPA compensates for the weak encryption of WEP?
A. VLAN
B. TKIP
C. VPN
D. AES
B. Temporal Key Integrity Protocol (TKIP) is an encryption protocol used in WPA (Wi-Fi Protected Access) for wireless connections. It was intended to replace WEP’s weak encryption by creating a unique key for each data frame. It has since been subject to wireless attacks and is not considered acceptable for big business. A VLAN (virtual LAN) occurs when devices from multiple LANs are joined together virtually and can act as if they are
Which of the following Active Directory concepts can help enforce security settings?
(Choose two.)
A. EFS
B. Group Policy/updates
C. Port security
D. Login scripts
B, D. Group Policy/updates and login scripts are common ways to push and enforce security settings on Active Directory objects. EFS is the Encrypting File System, which is used to encrypt volumes, files, and folders. Port security means opening or closing ports on a router to control what type of packets traverse the router.
What 128-bit block encryption that uses an encryption key of 128, 192, or 256 bits is used in WPA2 and is more secure than TKIP?
A. AES
B. VPN
C. RADIUS
D. Kerberos
A. AES (Advanced Encryption Standard) is used in WPA2 (Wi-Fi Protected Access, version 2). VPN is a virtual private network that transmits data across a public network using encryption. RADIUS (Remote Authentication Dial-In User Service) and Kerberos are both authentication protocols.
What protocol was designed to authenticate remote users to a dial-in access server?
A. TKIP
B. TACACS+
C. VPN
D. RADIUS
D. RADIUS (Remote Authentication Dial-In User Service) was originally designed to authenticate remote users to a dial-in access server but is now used in several authentication situations. TKIP is a wireless encryption protocol used in WPA (Wi-Fi Protected Access) which made WPA more robust/secure than WEP (Wired Equivalent Privacy). TACACS+ (Terminal Access Controller Access-Control System) is an authentication protocol for centralized authentication, and a VPN (virtual private network) uses encryption to create a private connection using a public network.
A user is complaining that they can no longer sign into their account because of too many
bad attempts. What basic Active Directory function is at work here?
A. Failed login attempts restrictions
B. Antivirus/anti-malware
C. A bollard
D. A rootkit
A. Using Active Directory settings or the Local Group Policy Editor, you can restrict the number of failed login attempts before the user is locked out of their account. This is important to help prevent a brute-force attack, which attempts to guess passwords until it hits upon the right one. Antivirus/anti-malware is important to have and identifies malicious software based on its signature code but is not at work here. A bollard is a physical post to block vehicular traffic, and a rootkit is a particularly difficult malware to eradicate because it is working with administrator rights and it’s good at hiding in a system.
What concept in Active Directory creates a directory subdivision within which may be placed users, groups, computers, and other objects?
A. User
B. Domain
C. Organizational unit
D. Home folder
C. The organizational unit (OU) is a subdivision within which may be placed users, groups, more OUs, and other objects. The OU exists on a domain, which is a group of users and resources under a single administrative control. Windows domains are managed by software called Active Directory. Active Directory is organized into organizational units, usually for security purposes. A home folder is where an individual user stores their documents and such, and in a Windows domain, that location is usually on the domain controller or another server.
Which of the following authentication encryption protocols is older than the others and was
developed by Cisco but became an open protocol in the 1990s and can be found on Linux
distributions?
A. AES
B. TACACS+
C. Kerberos
D. RADIUS
B. TACACS+ is an authentication protocol developed by Cisco that is now an open standard. It separates the AAA (authentication, authorization, and accounting) packets and encrypts them. It was released in 1993, and RADIUS (Remote Authentication Dial-In User Service) is an authentication protocol that was released in 1997. Kerberos is an open source authentication protocol that has been around since the 1980s. AES (Advanced Encryption Standard), which is for wireless encryption and not authentication, has been around since 2001 and is the successor to TKIP (Temporal Key Integrity Protocol).
Your data center recently experienced a theft of a server from the rack. Which security mechanisms would protect servers from future theft? (Choose two.)
A. Equipment locks
B. Security token
C. Alarm systems
D. Hard token
A, C. An equipment lock would slow down a would-be thief, and alarm systems often send thieves looking for an easier mark. A security token is involved in multifactor authentication, and a hard token is one of two types of security tokens, the other being a soft token.
What other security devices are often employed in an access control vestibule? (Choose two.)
A. Bollard
B. Motion sensors
C. Guards
D. Video surveillance
C, D. Often an access control vestibule will have either a security guard, or video surveillance, or both. Once in the vestibule, the second door could be opened remotely by someone watching through the surveillance camera or by a guard who personally clears the person trying to gain access. A bollard is a post used to block vehicular traffic. A motion sensor detects movement and is often used to trigger an alarm, turn on a light, or turn on a camera, or a combination of those.
Normally, a company places a user’s profile and folders on the local machine. Now, the organization would like a few users to be able to log in from other computers. What concept in Active Directory allows a user’s profile folders to be placed in storage somewhere else on the network?
A. Home folder
B. Folder redirection
C. Organizational unit
D. VPN
B. Folder redirection allows users’ profile folders to be stored off a local machine and instead
placed in a more centralized location on the network. A profile stored this way is called a
roaming profile. The home folder is the specific location where a user’s documents and such
are stored. An organizational unit is a management tool that can be used to organize Active
Directory resources and can contain users, computers, and other resources. A VPN (virtual
private network) is created across a public network by using strong encryption protocols.
What wireless encryption protocol replaced WPA and uses both TKIP, for backward compatibility, and AES?
A. WEP
B. WPA2
C. WPA3
D. RADIUS
B. WPA2 (Wi-Fi Protected Access, version 2) replaced WPA, which had replaced WEP (Wired Equivalency Protocol). WEP was the first wireless security protocol. WPA, which was developed next, used TKIP (Temporal Key Integrity Protocol), and WPA2 uses TKIP and the more secure AES (Advanced Encryption Standard). WPA3 was released in 2018 to replace WPA2, whose security had been broken. WPA3 also includes better security for the proliferation of IoT devices. WPA, WPA2, and WPA3 all have personal and enterprise options.
When should OS and application patches be applied to a system to prevent it from becoming
vulnerable?
A. Every 6 months
B. Every 3 months
C. Once a month
D. As soon as they are available
D. Operating system (OS) and application patches may fix vulnerabilities in the software and
should be applied as soon as possible after they are released. In a corporate environment it
would likely be best to test them in a sandbox first to avoid any problems. On a Windows
PC, the Windows Update utility is used to manage the process for you.
You have a Windows workstation and want to prevent a potential hacker from booting to a
USB drive. What should you do to help prevent this?
A. Require strong Windows passwords.
B. Restrict with user permissions.
C. Set a BIOS/UEFI password.
D. Change the default administrator password.
C. A strong Windows password, restricting with user permissions, and changing the default administrator password will help protect Windows but do not protect the computer in general. If a user can get into the BIOS/UEFI (Basic Input Output System/Unified Extensible Firmware Interface), then they can change the boot sequence, boot to a USB drive, and do some damage to the system. The way to protect against this is to implement a BIOS/UEFI password.
Which type of security solution generally functions as a packet filter and can perform stateful
inspection?
A. VPN
B. EFS
C. Antivirus/anti-malware
D. Firewall
D. Firewalls are among the first lines of defense in a network. They can be hardware firewalls or software firewalls and can exist on several layers of a network. The basic purpose of a firewall is to isolate one network from another or one network node from another. Firewalls function as one or more of the following: packet filter, proxy firewall, or stateful inspection firewall. VPN (virtual private network) creates a private network across a public one by using encryption protocols. EFS (Encrypting File System) is used to encrypt files and folders. Antivirus/anti-malware is used to detect malicious attackers by identifying signature lines of code or actions.
Which of the following are examples of physical security methods? (Choose two.)
A. Biometric locks
B. Multifactor authentication
C. Keys
D. Firewalls
A, C. Biometric locks use a part of your body as identification. They are considered physical
security, as are simple door keys. Multifactor authentication is security that requires
identification and two or more methods of authentication, such as a password and key fob.
A user on your network reported that they received a phone call from someone in the IT
department saying the user needed to reset their password. The caller offered to do it for
them if the user could provide the IT worker with their current password. What is this most
likely an example of?
A. The IT department helping the user to reset their password
B. A spoofing attack
C. A social engineering attack
D. A brute-force attack
C. A person in the IT department is not likely to ask for your password. If they want you to reset it, they can use software to reset it that will make you choose a new password on next login. This is a social engineering attack. Social engineering is using kindness, coercion, or fear to get you to give up privileged information such as your password. Spoofing is when a website or server, for example, is made to look like a trusted one but in reality there is an attacker lurking there. A brute-force attack uses software to repeatedly try different passwords to break into a system.
Your corporate IT department has decided that to enhance security they want to draft a mobile device management (MDM) policy to require both a passcode and fingerprint scan to unlock a mobile device for use. What is this an example of?
A. An authenticator application
B. Biometric authentication
C. Full-device encryption
D. Multifactor authentication
D. Any time there is more than one authentication method required, it’s multifactor authentication (MFA). In this case, it does involve using biometrics, but the passcode is not a biometric factor. An authenticator app can provide a code and be a part of multifactor authentication. Authenticator apps run on a device like a smartphone or PC and provide a unique key that changes every few seconds. The key proves that you have the smartphone or PC in your possession. Full-device encryption could be accomplished with a feature like Microsoft’s BitLocker, which encrypts an entire drive including the boot files, or a TPM chip, which prohibits accessing a drive if the chip is not present. Multifactor authentication usually requires two of the following four types of inputs: something you know (password), something you have (smart token), something you are (biometrics), or somewhere you are (GPS or other location services).
Several employees at your company have been tailgating to gain access to secure areas.
Which of the following security methods is the best choice for stopping this practice?
A. Door lock
B. Entry control roster
C. Access control vestibule
D. ID badges
C. Tailgating refers to being so close to someone when they enter a building that you can
come in right behind them without needing to use a key, a card, or any other security device.
Using an access control vestibule, which is a device such as a small room that limits access to
one or a few individuals, is a great way to stop tailgating. With a door lock or ID badge, the
tailgaters could still follow the other employee in. An entry control roster is merely a list of
people who are allowed access to an area, and it isn’t much use without a guard to check it.
A user has joined your company as a network administrator. Let’s assume their user account
name is AOShea. What is the recommended way to give AOShea the administrative privileges
they need?
A. Add the AOShea user account to the Administrators group.
B. Create an account called AdminAOShea. Add that account to the Administrators group.
Have the new administrator use the AOShea account unless they need administrative
rights, in which case they should use the AdminAOShea account.
C. Copy the Administrator account and rename it AOShea.
D. Add the AOShea user account to the Power Users group.
B. Adding AOShea to the Administrators group will certainly work, but it’s not the recommended approach. Since members of the Administrators group have such power, they can inadvertently do harm (such as accidentally deleting a file that a regular user could not). To protect against this, the practice of logging in with an Administrators group account for daily interaction is strongly discouraged. Instead, system administrators should log in with a user account (lesser privileges) and change to the Administrators group account (elevated privileges) only when necessary.
You are designing a security policy for mobile phones on your network. Which of the following is a common method of biometric authentication used with mobile devices?
A. Fingerprint scan
B. Retina scan
C. Swipe lock
D. DNA lock
A. Biometric authentication requires identification of a physical feature of the user, such as a fingerprint or palmprint. Mobile devices commonly use your fingerprint to prove who you are. Most modern laptops can also use a facial scan to identify you. DNA and retina scanners are considered a form of biometric authentication, but they’re not commonly used today with mobile devices. (Imagine your phone needing to collect blood or saliva to authenticate you—no thanks!) DNA and facial scans aren’t on the CompTIA A+ objectives yet, but retina scanners, fingerprint, and palmprint scanners are. A swipe lock is not a type of biometrics.
An administrator is transferring confidential files from one Windows Pro workstation to
another, using a flash drive. Policy dictates that the files on the flash drive must be encrypted.
Which technology should be used?
A. BitLocker
B. BitLocker To Go
C. EFS
D. AES
B. BitLocker allows you to use drive encryption to protect files—including those needed for startup and logon. For removable drives, BitLocker To Go provides the same encryption technology to help prevent unauthorized access to the files stored on them. EFS is the Encrypting File System, used to encrypt volumes, files, and folders on a drive. AES is the Advanced Encryption Standard, an encrypting protocol for Wi-Fi.
Which type of security system uses physical characteristics to allow or deny access to locations or resources?
A. ID badges
B. Bollards
C. Biometrics
D. Tokens
C. Biometric devices use physical characteristics to identify the user. Biometric systems
include fingerprint/palm/hand scanners, retinal scanners, face scanners, and soon, possibly,
DNA scanners. To gain access to resources, you must pass a physical screening process.
Bollards are vertical posts to block vehicular traffic. ID badges often use RFID (radio frequency identification) to communicate with a reader and verify your identity. Tokens can be
either hard (like a key fob) or soft (software on a system) and are often used in multifactor
authentication.
You have just transformed a Windows workgroup into a small domain and are configuring user accounts. Which of the following is considered a best practice for managing user account security?
A. Require every user to log on as a Guest user.
B. Allow all users Read and Write access to all server files.
C. Follow the principle of least privilege.
D. Place all user accounts in the Administrators group.
C. When assigning user permissions, follow the principle of least privilege; give users only
the bare minimum that they need to do their job, nothing more. Another best practice is
to assign permissions to groups rather than users, and make users members of groups (or
remove them from groups) as they change roles or positions.
A security consultant for your company recommended that you begin shredding or burning
classified documents before disposing of them. What security risk is the consultant trying to
protect the company from?
A. Shoulder surfing
B. Dumpster diving
C. Social engineering
D. Brute-force attack
B. Companies normally generate a huge amount of paper, most of which eventually winds up in dumpsters or recycle bins. Dumpsters may contain information that is highly sensitive in nature, and attackers may seek it out by practicing dumpster diving. In high-security and government environments, sensitive papers should be either shredded or burned. Shoulder surfing is literally looking over someone’s shoulder to try to see passwords or other sensitive information. Social engineering happens any time someone tries to coerce, threaten, or cajole someone into giving up privileged security information. A brute-force attack is repeatedly trying passwords in an effort to guess the correct one.
Several workstations on your network have not had their operating systems updated in more
than a year, and your antivirus software is also out-of-date. What type of security threat does this represent?
A. Non-compliant systems
B. Zombie/botnet
C. Brute-force attack
D. Zero-day attack
A. The systems are not up-to-date and therefore are more vulnerable to attacks. These systems are considered noncompliant systems. It’s a violation of security best practices to fail to keep all software on your network up-to-date. Zombie and botnet are attacks where the user of the computer doesn’t know there is malware on their computer. Their computer is a zombie, and when many zombies are used to attack a system, it’s known as a botnet attack. A brute-force attack usually involves software that keeps trying passwords or codes until it hits upon the right one to gain access. A zero-day attack happens when a hole is found in a web browser or other software and attackers begin exploiting it the very day it is discovered by the developer, before they have time to plug the hole.
On the Internet, you get a news flash that the developer of one of your core applications
found a security flaw. They will issue a patch for it in two days. Before you can install the
patch, it’s clear that the flaw has been exploited and someone has illegally accessed your network. What type of attack is this?
A. Zombie/botnet
B. Non-compliant system
C. Zero-day attack
D. Brute-force attack
C. When a hole is found in a web browser or other software and attackers begin exploiting it the very day it is discovered by the developer (bypassing the one- to two-day response time that many software providers need to put out a patch once the hole has been found), it is known as a zero-day attack (or exploit). Zombie and botnet are attacks where the user of the computer doesn’t know there is malware on their computer. Their computer is a zombie, and when many zombies are used to attack a system, it’s known as a botnet attack. Noncompliant systems are those whose software is not up-to-date or they are not following best practices or corporate restrictions and rules. A brute-force attack usually involves software that keeps trying passwords or codes until it hits upon the right one to gain access.
UserA is a member of the Dev group and the HR group. They are trying to access a local
resource on an NTFS volume. The HR group has Full Control permission for the payroll
folder, and the Dev group has Deny Read permission for the same folder. What is UserA’s
effective access to the payroll folder?
A. Full Control
B. Read
C. Write
D. Deny
D. When there are conflicting NTFS permissions, generally they are combined, and the most
liberal is granted. The exception to that is when there is an explicit Deny. That overrides any
allowed permissions.
Which default Windows group was designed to have more power than normal users but not
as much power as administrators, and is now kept for backward compatibility only?
A. Superuser
B. Standard Users
C. Power Users
D. Advanced Users
C. Microsoft wanted to create a group in Windows that was powerful but not as powerful
as the Administrators group, which is how the Power Users group came into being. The idea
was that membership in this group would be given Read/Write permission to the system,
allowing members to install most software but keeping them from changing key operating
system files or accessing other users’ data. However, for many current Windows versions, the
Power Users group now is assigned permissions equivalent to the Standard user, a member
of the Users group. There is no group called Superuser, or Standard Users, or Advanced Users.
You have assigned a Windows workstation to a workgroup. Which of the following are
recommended best practices for maximizing security regarding the Administrator account?
(Choose two.)
A. Disable the Administrator account.
B. Rename the Administrator account.
C. Remove the Administrator account from the Administrators group.
D. Require a strong password.
B, D. You should rename the default Administrator account and always require strong
passwords.
You’re at home using a digital security method to connect to your corporate network. This
security method wraps data in encryption (encapsulating it) to transfer the data across a
public network (the Internet), and your connection gets a corporate IP address just as if you
were sitting in the office. What type of connection is this?
A. VPN
B. Firewall
C. BitLocker
D. EFS
A. A virtual private network (VPN) is a private network connection that occurs through a public network. VPNs make use of tunneling, which sends private data across a public network by placing (encapsulating) that data into other packets. Even though a VPN is created through the Internet or other public networks, the connection logically appears to be part of the local network, although the connection will likely be a bit slower than sitting at a PC in the office. A firewall is used to filter packets, blocking or accepting them based on the port number they use, MAC address, or other criteria. BitLocker is a full-drive encryption utility. EFS (Encrypting File System) is used to encrypt volumes, individual files, and folders.
Which of the following are advantages of using NTFS permissions over using share permissions? (Choose two.)
A. NTFS permissions will override share permissions if there is a conflict.
B. NTFS permissions affect users at the local computer, but share permissions do not.
C. NTFS permissions are more restrictive in their access levels than share permissions.
D. NTFS permissions can be set at the file level, but share permissions cannot.
B, D. NTFS permissions affect users regardless of whether they are at the local computer or
accessing the resource across a network. They can also be applied to individual files, whereas
share permissions can be applied only to folders. One set of permissions is not inherently
more restrictive than the other, as either type can be used to deny access in a given situation
(at least when accessing across the network). When NTFS and share permissions affect the
same folders, the most restrictive permission applies.
Someone has placed an unauthorized wireless router on your network and configured it
with the same SSID as your network. Users can access the network through that router, even
though it’s not supposed to be there. What type of security threat could this lead to?
A. Zombie/botnet
B. Spoofing
C. Non-compliant system
D. On-path attack
D. An unauthorized router with a seemingly legitimate configuration is specifically known as an evil twin. Those can lead to on-path attacks, which involve clandestinely placing something (such as a piece of software or a rogue router) between a server and the user, and neither the server’s administrator nor the user is aware of it. The unauthorized device in the middle intercepts data and then sends the information to the server as if nothing is wrong. The unauthorized device software may be recording information for someone to view later, altering it, or in some other way compromising the security of your system and session.
Which type of security method is worn by employees and usually has a picture on it?
A. Key fobs
B. ID badges
C. Smartcards
D. Biometrics
B. An ID badge is worn by employees to identify them. Some companies use different colored
badges to indicate different functions or security privileges. Most ID badges have a picture of
the user on them to prevent unauthorized use. Key fobs are small devices that generate a code
that changes every few seconds and are often used in multifactor authentication. Smartcards
will have either an RFID tag or a chip that can be read by a reader device to allow or deny
entrance to an area. Biometrics are any type of identification that uses a part of your body to
identify you.
You’re working at a high-security server farm and must ensure that vehicles stay a certain
distance away from the building. What physical security methods can be used for this
purpose? (Choose two.)
A. Bollards
B. Motion sensors
C. Fences
D. Lighting
A, C. Bollards are vertical posts that are short and sturdy, sometimes made of cement or
steel. They can be placed closely enough together so that a vehicle can’t go through an area
but people can. Fences can also be erected to keep vehicles and people out of an area. Motion
sensors can be used to trigger alarms but won’t actually keep anyone out, and good lighting
is always a deterrent, but again it won’t physically keep anyone out.
Between you and your family members, there are several mobile devices, including phones,
laptops and smart watches. Someone generally forgets where they put their phone, or it
may be stolen, and it would be nice to easily find it. In addition, you want to see where
other family members are when they are around town. Which type of app will allow you
to do this?
A. Trusted source app
B. Remote control app
C. Locator app
D. Firewall app
C. A locator app is what you need. Apple supplies a free app called Find My, and Google has Find My Device that, together with their respective websites, allow multiple mobile devices to be located if powered on and attached to the Internet (via 5G, 4G, 3G, Wi-Fi, Ethernet, and so on). For Apple devices, if not attached to the Internet, nearby devices can identify your device and tell you where it is. Both Find My and Find My Device allow the device to be controlled remotely to lock it, play a sound (even if audio is off), display a message, or wipe the device clean.
Which security mechanism specifies permissions for users and groups as well as the type of
activities the users or groups can perform?
A. ACL
B. EFS
C. VPN
D. PIN
A. File systems such as NTFS, and security devices such as firewalls, can specify security
by using access control lists (ACLs). ACLs can hold permissions for local users and groups,
and each entry in the ACL can also specify what type of access is given. This allows a great
deal of flexibility in setting up a network. EFS is the Encrypting File System used to encrypt
volumes, files, and folders, but not entire drives. VPN is a type of network connection that
uses encryption to create a private network that traverses a public one. PINs (personal
identification numbers) are used in many applications to identify a user.
You need to know which files have been modified in a folder. Which of the following is not a
way to see when files have been modified?
A. Right-click each file and choose Properties, and then Advanced to see whether the archive bit is set.
B. Open the folder in File Explorer and click Date Modified to sort the files by the date
they were last modified.
C. Type archive at a command prompt.
D. Type attrib at a command prompt.
C. On any individual file or folder you can right-click and choose Properties to see the Read-only and Hidden attributes, then click Advanced to see whether the file is ready for archiving (needs to be backed up). You can also open a folder in File Explorer and click Date Modified to sort the files by the last date modified. Simply typing attrib at a command prompt will show the file attributes for everything in that folder. Attributes are information such as whether the file is a system file (S), hidden (H), read only (R), or ready to be archived (A). To see the attributes for a single file, type attrib filename. The attrib command is not in the CompTIA A+ objectives, but file attributes are.
You want to create a new policy to encrypt all company drives using BitLocker. Which
operating system will need to be upgraded?
A. Windows 10 Pro
B. Windows 11 Home
C. Windows 11 Pro
D. Windows 10 for Workstations
B. Professional and higher operating system editions in either Windows 10 or Windows 11 will support BitLocker. Home editions will not, regardless of what version of the Windows operating system they are.
Software was installed on a laptop without the user’s knowledge. The software has been
tracking the user’s keystrokes and has transmitted the user’s credit card information to an
attacker. What type of threat is this?
A. Zombie/botnet
B. Spoofing
C. Spyware
D. Ransomware
C. Spyware differs from other malware in that it works—often actively—on behalf of a third party. Rather than self-replicating, like viruses and worms, spyware is spread to machines by users who inadvertently ask for it. The users often don’t know they have asked for it but have done so by downloading other programs, visiting infected sites, and so on. The spyware program monitors the user’s activity and responds by offering unsolicited pop-up advertisements (sometimes known as adware), gathers information about the user to pass on to marketers, or intercepts personal data such as credit card numbers. Zombies and botnets are innocent computers that are used to perpetrate an attack on someone else without the user’s knowledge. An example of spoofing is using an IP address that should be someone else and pretending to be them to gain access to a system. Ransomware locks a system in some way or encrypts data and won’t allow access until the system’s owner pays a ransom.
A new user has joined your company as a network administrator. Which of the following
statements is most correct regarding their network access?
A. They should have just one user account, with administrator-level permissions.
B. They should have just one user account, with standard user-level permissions.
C. They should have two user accounts: one with user-level permissions and one with administrator-level permissions.
D. They should have three user accounts: one with user-level permissions, one with administrator-level permissions, and one with remote access administrator permissions.
C. The new administrator should have a nonadministrative account to use for day-to-day tasks. They also need an account with administrative privileges to perform the administrative duties. When creating user accounts, follow the principle of least privilege: give users only the permissions they need to do their work and no more. This is especially true with administrators. Those users should be educated on how each of the accounts should be used.
Which types of security threats are direct attacks on user passwords? (Choose two.)
A. Brute-force
B. Zombie/botnet
C. Dictionary attack
D. Spoofing
A, C. Password attacks occur when an account is attacked repeatedly with the intent of determining the password that will gain access. This is accomplished by using applications designed to break the password by sending possible passwords to the account in a systematic manner. Two types of password attacks are brute-force and dictionary attacks. Zombie and botnet are attacks where the user of the computer doesn’t know there is malware on their computer. Their computer is a zombie, and when many zombies are used to attack a system, it’s known as a botnet attack. A spoofing attack is an attempt by someone or something to masquerade as someone else.
You read corporate email on your smartphone and do not want others to access the phone if
you leave it somewhere. What is the first layer of security that you should implement to keep
others from using your phone?
A. Multifactor authentication
B. Full-device encryption
C. Screen lock
D. Remote wipe software
C. All the options will increase the security of a smartphone. For just the basic level of security, though, enable a screen lock. A user will need to enter a code to gain access to the device. It’s typically enough to thwart casual snoops and would-be hackers. Multifactor authentication occurs whenever you need two or more ways to prove who you are (something you know, something you have, something you are, or someplace you are). Full-device encryption would mean encoding the data and requiring a key to decrypt it. Remote wipe is a feature that can be used to remove all the personal or corporate data from a phone even though it is lost or stolen.
You use your smartphone for email and extensive Internet browsing. You want to add an
additional level of security to always verify your identity online when accessing various
accounts. Which type of app do you need?
A. Authenticator app
B. Trusted source app
C. Biometric authenticator app
D. Account encryption app
A. An authenticator app can help securely verify your identity online, regardless of the account you want to log into. Different apps work in different ways, but the general procedure is that the app will generate a random code for you to type along with your username and password. The random code helps identify you and tells the site you are logging into that you really are who you say you are. The other options are not actual application types.
You have instructed users on your network to not use common words for their passwords.
What type of attack are you trying to prevent?
A. Brute-force
B. Dictionary attack
C. Social engineering
D. Shoulder surfing
B. A dictionary attack uses a dictionary of common words to attempt to find the user’s password. Dictionary attacks can be automated, and several tools exist in the public domain to execute them. As an example of this type of attack, imagine guessing words and word combinations found in a standard English-language dictionary. The policy you have recommended could also help thwart those who may try to look over a shoulder (shoulder surfing) to see a user’s password because even with a quick glance they can see whether or not it’s a common word. Brute-force is trying repeatedly to guess a user’s password. Social engineering is using kindness, coercion, or fear to get you to give up privileged information such as your password.