CompTIA Security+ Get Certified Get Ahead - PRE Assessment Exam Flashcards
Your organization is planning to expand the data center to support more systems. Management wants the plan to focus on resiliency and uptime. Which of the following methods would best support these goals? (Choose TWO)
UPS
Cold site
NIC teaming
Off-site backups
UPS (Uninterruptible Power Supply)
NIC Teaming (Network Interface Card)
Explanation:
An uninterruptible power supply (UPS) and network interface card (NIC) teaming support resiliency and uptime goals. The UPS ensures the system stays up if power is lost. NIC teaming automatically recovers if one of the NICs or NIC inputs fails. Resiliency methods help systems heal themselves and recover from faults automatically.
A cold site cannot take over automatically and is not quick.
Off-site backups would need to be retrieved and applied by a person, so they aren’t automatic. See Chapter 1.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 123-124). YCDA, LLC. Kindle Edition.
You are tasked with improving the overall security of several Servers in your data center. Which of the following are preventive controls that will assist with this goal? (Choose TWO)
Disabling unnecessary services.
Adding Cable Locks
Monitoring Logs on SIEM Systems
Implementing a Backup Plan
Closing unneeded ports.
Disabling unnecessary services.
Closing unneeded ports.
Explanation:
Disabling unnecessary services and closing unneeded ports are steps you can take to harden a server. They are preventive controls because they help prevent an incident.
Cable locks are a type of physical control and are typically used on laptops, not on servers.
Monitoring logs on security information and event management (SIEM) systems is a detective control.
A backup plan is a corrective control. See Chapter 1.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 123-124). YCDA, LLC. Kindle Edition.
Your organization houses a Server room, and management wants to increase the Server room Security. You are tasked with identifying some deterrent controls that can be implemented to protect it. Which of the following choices would BEST meet this objective?
Hardware Locks
Data Encryption
A Vulnerability Assessment
Backups
Hardware Locks
Explanation:
Hardware locks are deterrent controls because they would deter someone from entering or accessing the servers in bays if bay door locks are used. They are also examples of physical controls.
None of the other answers increase the security of the server room.
Data encryption is a technical control designed to protect data on the servers.
A vulnerability assessment is a managerial control designed to discover vulnerabilities.
Backups are corrective controls designed to reverse the impact of data loss or corruption. See Chapter 1.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 124). YCDA, LLC. Kindle Edition.
You suspect that a Linux computer is establishing connections with a remote server on the Internet without any user interaction. You want to verify this by viewing a summary of protocol statistics on a Linux System. Which of the following commands would you use?
dig
nslookup
ifconfig
netstat
netstat
Explanation:
The netstat -s command will display a summary of protocol statistics on a Linux system.
You can use the dig (short for domain information groper) command on Linux systems to query Domain Name System (DNS) servers and verify if you can resolve names to IP addresses.
The nslookup (short for name server lookup) command can also be used to query DNS servers.
The ifconfig command is used to display information and configure network interfaces on Linux systems. See Chapter 1.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 124). YCDA, LLC. Kindle Edition.
You are using a Linux computer to monitor Network traffic. After connecting your computer to the mirror port of a Switch, you started logging software on the computer. However, you discover that the only traffic being collected is traffic to or from the Linux computer. You want to collect all traffic going through the Switch. Which of the following actions should you take?
Run the command ifconfig eth0 promisc
Run the command ipconfig eth0 promisc
Connect the computer to a Router
Reconfigure the Switch
Run the command ifconfig eth0 promisc
Explanation:
You should run the command ifconfig eth0 promisc to enable promiscuous mode on eth0, the network interface card (NIC). Promiscuous mode allows a NIC to process all traffic it receives, instead of only traffic addressed to it.
The ipconfig command is used on Windows systems and doesn’t support this feature.
The scenario indicates you want to collect traffic going through the switch, so connecting to a router isn’t necessary.
Port mirroring on a switch sends a copy of all traffic received by the switch to the mirror port. The scenario indicates this is configured, so the switch doesn’t need to be reconfigured. See Chapter 1.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 124-125). YCDA, LLC. Kindle Edition.
You suspect that attackers have been performing a password spraying attack against a Linux Server. Which of the following would be the BEST method of confirming your suspicions?
Use the cat command to view the auth.log file.
Implement an Account Lockout Policy.
Salt passwords to prevent the success of the spraying attack.
Use the logger command to view unsuccessful logins.
Use the cat command to view the auth.log file.
Explanation:
The cat command (short for concatenate) displays the entire contents of a file, and the auth.log file shows all unsuccessful (and successful) logins. This is the only choice of the available answers that confirms past activity.
An account lockout policy locks an account after too many incorrect passwords within a certain time frame, but a spraying attack uses a time lapse between each password attempt to bypass an account lockout policy.
Salting passwords is often used to prevent rainbow table-based attacks, but salts aren’t effective against spraying attacks.
The logger command is used to add log entries into the syslog file but doesn’t examine log entries. See Chapter 1.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 125). YCDA, LLC. Kindle Edition.
Your Network includes dozens of Servers. Administrators in your organization are having problems aggregating and correlating the logs from these Servers. Which of the following provides the BEST solution for these problems?
SIEM
Syslog
NetFlow
sFlow
SIEM (Security Information and Event Management)
Explanation:
A security information and event management (SIEM) system collects, aggregates, and correlates logs from multiple sources.
Syslog is a protocol that specifies log entry formats that many SIEMs use. It is also the name of a log on Linux systems.
NetFlow is a network protocol (developed by Cisco) used to collect and monitor network traffic.
The sFlow (short for sampled flow) protocol is used to collect a sampling of network traffic for monitoring. See Chapter 1.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 125). YCDA, LLC. Kindle Edition.
You are comparing different types of Authentication. Of the following choices, which one uses Multifactor Authentication?
A system that requires users to enter a Username and Password.
A system that checks an employee’s Fingerprint and does a vein scan.
A Cipher Door Lock that requires employees to enter a code to open the door.
A system that requires users to have a Smart Card and a PIN.
A system that requires users to have a Smart Card and a PIN.
Explanation:
A system that requires users to have a smart card and a personal identification number (PIN) uses multifactor authentication or two-factor authentication. The card is in the something you have factor, and the PIN is in the something you know factor.
A username provides identification, and a password is in the something you know factor, providing single-factor authentication.
Fingerprints and vein scans are both in the something you are factor, providing single-factor authentication.
A code for a cipher door lock is in the something you know factor, providing single-factor authentication. See Chapter 2.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 125-126). YCDA, LLC. Kindle Edition.
The Chief Information Officer (CIO) at your organization suspects someone is entering the data center after normal working hours and stealing sensitive data. Which of the following actions can prevent this?
Upgrade the CCTV System.
Require Smart Cards to enter the data center.
Implement time-based logins.
Enable advanced auditing.
Implement time-based logins.
Explanation:
Time-based logins (sometimes called time-of-day restrictions) would prevent this. They would prevent anyone from logging in after normal working hours and accessing sensitive data.
All of the other answers can detect suspicious behavior, but they wouldn’t prevent the users from logging in after normal working hours and stealing the data. See Chapter 2.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 126). YCDA, LLC. Kindle Edition.
A SQL Database server was recently attacked. Cybersecurity investigators discovered the attack was self-propagating through the Network. When it found the Database Server, it used well-known credentials to access the database. Which of the following would be the BEST action to prevent this from occurring again?
Change the default application password.
This describes a worm.
Implement 2FA
Conduct a code review.
Change the default application password.
Explanation:
The default application password for the SQL server should be changed. Some SQL Server software implementations can have a default blank password for the SA account (the System Administrator account), and these default credentials are well-known.
While the scenario describes a worm because it is self-propagating, the question is asking for the best preventive action to take.
Using two-factor authentication (2FA) is a good practice for users, but it isn’t always feasible for application passwords.
A code review can detect flaws and vulnerabilities in internally developed applications, but SQL Server is Microsoft software. See Chapter 2.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 126). YCDA, LLC. Kindle Edition.
You are reviewing Security Controls and their usefulness. You notice that account lockout policies are in place. Which of the following attacks will these policies thwart? (Choose TWO)
Brute Force
DNS Poisoning
Dictionary
Replay
Buffer Overflow
Brute Force
Dictionary
Explanation:
Brute force and dictionary attacks attempt to guess passwords, but an account lockout control locks an account after the wrong password is guessed too many times.
The other attacks are not password attacks, so they aren’t mitigated using account lockout controls.
Domain Name System (DNS) poisoning attempts to redirect web browsers to malicious URLs.
Replay attacks attempt to capture packets to impersonate one of the parties in an online session.
Buffer overflow attacks attempt to overwhelm online applications with unexpected code or data. See Chapters 2 and 10.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 126-127). YCDA, LLC. Kindle Edition.
IT Administrators created a VPN for employees to use while working from home. The VPN is configured to provide AAA services. Which of the following would be presented to the AAA system for identification?
Password
Permissions
Username identification
Tunneling Certificate
Hardware Token
Username identification
Explanation:
Users would typically enter a username as identification for an authentication, authorization, and accounting (AAA) system.
Users would provide a password as proof that the claimed identity (the username) is theirs. The password provides authentication.
Users are assigned permissions based on their proven identity, but the permissions do not provide authentication.
The virtual private network (VPN) would encrypt traffic sent via the VPN tunnel, and this traffic may be encrypted with the use of a certificate. However, this is not called a tunneling certificate, and the certificate used for encryption does not provide identification.
A hardware token is often used as an additional method of authentication, but it does not provide identification. See Chapter 2.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 127). YCDA, LLC. Kindle Edition.
After a recent attack, Security investigators discovered that attackers logged on with an Administrator account. They recommend implementing a solution that will thwart this type of attack in the future. The solution must support the following requirements:
Allow authorized users to access the Administrator account without knowing the password.
Allow authorized users to check out the credentials when needed.
Log each time the credentials are used.
Automatically change the password.
Which of the following answers would meet these requirements?
Privileged Access Management
OpenID Connect
MAC Scheme
MFA
Privileged Access Management
Explanation:
A privileged access management system protects and limits access to privileged accounts such as administrator accounts.
OpenID Connect is used for authentication and authorization on the Internet, not internal networks.
A mandatory access control (MAC) scheme uses labels to control access, but it isn’t used to control access to administrator accounts.
Multifactor authentication (MFA) uses more than one factor of authentication, but it doesn’t meet any of the requirements of this scenario. See Chapter 2.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 127). YCDA, LLC. Kindle Edition.
Lisa wants to implement a Secure Authentication system on a website. However, instead of collecting and storing user passwords, she wants to use a third-party system. Which of the following is the BEST choice to meet this goal?
SAML
Kerberos
SSH
OAuth
SAML (Security Assertion Markup Language)
Explanation:
Security Assertion Markup Language (SAML) is a single sign-on (SSO) solution that can use third-party websites, and it provides authentication.
Kerberos is an SSO solution used on internal networks such as in Microsoft Active Directory domains.
Secure Shell (SSH) is used for remote administration.
OAuth (think of this as Open Authorization) is used for authorization, but the scenario wants a solution for authentication. See Chapter 2.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 127-128). YCDA, LLC. Kindle Edition.
Your organization is implementing an SDN. Management wants to use an access control scheme that controls access based on attributes. Which of the following is the BEST solution?
DAC
MAC
Role-BAC
ABAC
ABAC (Attribute-based Access Control)
Explanation:
A software-defined network (SDN) typically uses an attribute-based access control (ABAC) scheme. The ABAC scheme is based on attributes that identify subjects and objects within a policy.
A discretionary access control (DAC) scheme has an owner, and the owner establishes access for the objects.
A mandatory access control (MAC) scheme uses labels assigned to subjects and objects.
A role-based access control scheme uses roles or groups to assign rights and permissions. See Chapter 2.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 128). YCDA, LLC. Kindle Edition.
Lisa uses a Linux system to regularly connect to a remote Server named gcga with a Secure SSH connection. However, the SSH account has a complex password, and she wants to avoid using it without sacrificing Security. Which of the following commands would she use as a FIRST step when creating a password-less login with the remote system?
ssh-copy-id -i ~/.ssh/id_rsa.pub lisa@gcga
chmod 644 ~/.ssh/id_rsa
ssh-keygen -t rsa
ssh root@gcga
ssh-keygen -t rsa
Explanation:
The first step would be to enter ssh-keygen -t rsa at the terminal. This creates an RSA-based key pair (a private key and a public key). The public key is stored as ~/.ssh/id_rsa.pub, and the private key is stored as ~/.ssh/id_rsa. The second step is to copy the public key to the remote server using the command ssh-copy-id -i ~/.ssh/id_rsa.pub lisa@gcga.
The private key should always stay private, but the chmod 644 command makes it readable by everyone, so it shouldn’t be used.
The ssh command connects to the remote server using Secure Shell (SSH). If the key pair is in place, it would use the key pair for authentication and not require the complex password.
The ssh-keygen command is a utility within the OpenSSH suite of tools. See Chapter 3.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 128). YCDA, LLC. Kindle Edition.
Your organization plans to deploy a Server in the screened subnet that will perform the following functions:
Identify Mail Servers
Provide Data Integrity
Prevent Poisoning Attacks
Respond to requests for A and AAAA records
Which of the following will BEST meet these requirements?
DNS
DNSSEC
TLS
ESP
DNSSEC (Domain Name System Security Extensions)
Explanation:
Domain Name System Security Extensions (DNSSEC) add security to DNS systems and can prevent DNS poisoning attacks by adding data integrity to DNS records.
The functions in the list indicate that the server in the screened subnet (sometimes called a demilitarized zone or DMZ) is a DNS server, but for the DNS server to provide data integrity and prevent DNS poisoning, it needs DNSSEC. DNSSEC uses a Resource Record Signature (RRSIG), commonly referred to as a digital signature, to provide data integrity and authentication for DNS replies.
RRSIG can use Transport Layer Security (TLS) to create the signature, but TLS by itself doesn’t provide the required protection.
Internet Protocol security (IPsec) uses Encapsulating Security Payload (ESP) to encrypt data. See Chapter 3.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 129). YCDA, LLC. Kindle Edition.
Bart incorrectly wired a Switch in your organization’s Network. It effectively disabled the Switch as though it was a victim of a Denial-of-Service Attack. Which of the following should be done to prevent this situation in the future?
Install an IDS
Only use Layer 2 Switches
Install SNMPv3 on the Switches
Implement STP or RSTP
Implement STP or RSTP (Spanning Tree Protocol or Rapid Spanning Tree Protocol)
Explanation:
Spanning Tree Protocol (STP) and Rapid STP (RSTP) both prevent switching loop problems. It’s rare for a wiring error to take down a switch. However, if two ports on a switch are connected to each other, it creates a switching loop and effectively disables the switch.
An intrusion detection system (IDS) will not prevent a switching loop.
Layer 2 switches are susceptible to this problem.
Administrators use Simple Network Management Protocol version 3 (SNMPv3) to manage and monitor devices, but it doesn’t prevent switching loops. See Chapter 3.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 129). YCDA, LLC. Kindle Edition.
Maggie is a sales rep for a software company. While in a coffee shop, she uses her laptop to connect to the public Wi-Fi, check her work emails, and upload details of a recent sale. Which of the following would she use to prevent other devices on the public Network from accessing her laptop? (Choose the BEST TWO Choices)
TPM
HSM
Firewall
DLP
VPN
Firewall
VPN (Virtual Private Network)
Explanation:
A firewall and a virtual private network (VPN) would prevent other devices from accessing her laptop. A host-based firewall provides primary protection. The VPN encrypts all of her Internet-based traffic going over the public Wi-Fi.
A Trusted Platform Module (TPM) provides full drive encryption and would protect the data if someone accessed the laptop, but it doesn’t prevent access.
A hardware security module (HSM) is a removable device that can generate and store RSA keys used with servers.
A data loss prevention (DLP) device helps prevent unauthorized data from leaving a network, but it doesn’t prevent access. See Chapter 3.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 129-130). YCDA, LLC. Kindle Edition.
Your organization wants to combine some of the Security Controls used to control incoming and outgoing Network traffic. At a minimum, the solution should include Stateless Inspection, Malware Inspection, and a Content Filter. Which of the following BEST meets this goal?
VLAN
NAT
UTM
DNSSEC
WAF
UTM (Unified Threat Management)
Explanation:
A unified threat management (UTM) device is an advanced firewall and combines multiple security controls into a single device such as stateless inspection, malware inspection, and a content filter. None of the other answers include these components.
You can configure a virtual local area network (VLAN) on a switch to provide network segmentation.
Network Address Translation (NAT) translates public IP addresses to private IP addresses and private addresses back to public IP addresses.
Domain Name System Security Extensions (DNSSEC) is a suite of extensions for DNS that provides validation for DNS responses.
A web application firewall (WAF) protects a web server from Internet-based attacks. See Chapter 3.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 130). YCDA, LLC. Kindle Edition.
Administrators are deploying a new Linux Server in the screened subnet. After it is installed, they want to manage it from their desktop Computers located within the organization’s Private Network. Which of the following would be the BEST choice to meet this need?
Forward Proxy Server
Reverse Proxy Server
Web Application Firewall
Jump Server
Jump Server
Explanation:
A jump server is a server placed between different security zones, such as an internal network and a screened subnet (sometimes called a demilitarized zone or DMZ) and is used to manage devices in the other security zone. In this scenario, administrators could connect to the jump server with Secure Shell (SSH) and then connect to the Linux server using SSH forwarding on the jump server.
A forward proxy server (often called a proxy server) is used by internal clients to access Internet resources, not resources in the screened subnet.
Reverse proxy servers accept traffic from the Internet, not the internal network, and forward the traffic to one or more internal web servers.
A web application firewall (WAF) protects a web server from Internet-based attacks but isn’t used to control traffic between an internal network and the screened subnet. See Chapter 3.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 130-131). YCDA, LLC. Kindle Edition.
Attackers have recently launched several attacks against Servers in your organization’s DMZ. You are tasked with identifying a solution that will have the best chance at preventing these attacks in the future. Which of the following is the BEST choice?
Anomaly-based IDS
Inline IPS
Passive IDS
Signature-based IDS
Inline IPS (Intrusion Prevention System)
Explanation:
The best solution of the given choices is an in-band intrusion prevention system (IPS). Traffic goes through the IPS, and the IPS can prevent attacks from reaching internal systems.
An intrusion detection system (IDS) is passive and not inline, so it can only detect and react to the attacks, not block them.
A signature-based IDS can detect known attacks based on the attack’s signature, but there isn’t any indication that the past attacks were known. See Chapter 4.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 131). YCDA, LLC. Kindle Edition.
A coffee shop recently stopped broadcasting the SSID (coffeewifi) for its Wireless Network. Instead, paying customers can view it on their receipt and use it to connect to the coffee shop’s Wireless Network. Today, Lisa turned on her laptop computer, saw the SSID (coffewifi), and connected to it. Which of the following attacks is MOST likely occurring?
Rogue AP
Evil Twin
Jamming
Bluejacking
Evil Twin
Explanation:
An evil twin is a rogue access point (AP) with the same or similar service set identifier (SSID) as a legitimate access point. The actual SSID coffeewifi has broadcasting turned off, but the evil twin SSID of coffewifi is broadcasting, allowing users to see it.
While it is also a rogue AP, evil twin is a more accurate answer since it is similar to the actual SSID.
Jamming typically prevents anyone from connecting to a wireless network.
Bluejacking is related to Bluetooth, not wireless networks. See Chapter 4.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 131). YCDA, LLC. Kindle Edition.
Before personnel can enter a Secure area, they must first place their smartphones in one of several conductive metal lockboxes. The company implemented this policy because management is concerned about risks related to intellectual property. Which of the following represents the GREATEST risk to intellectual property that this policy will mitigate?
Bluesnarfing
Theft of the Smartphones
Data exfiltration over a Mobile Hotspot
To enable Geofencing
Bluesnarfing
Explanation:
This policy will prevent bluesnarfing, which is the unauthorized access of information from a wireless device through a Bluetooth connection.
The conductive metal lockboxes act as a small Faraday cage and will block Bluetooth signals.
While the lockboxes will help prevent theft, there’s no need to pay extra for conductive lockboxes if theft is the greatest risk.
Hotspots are typically in public locations. A company would set up a network providing Wi-Fi access, not a hotspot.
Geofencing creates a virtual fence using GPS, but devices within a Faraday cage wouldn’t be able to reach GPS. See Chapter 4.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 131). YCDA, LLC. Kindle Edition.
Administrators are designing a site-to-site VPN between offices in two different cities. Management mandated the use of Certificates for mutual Authentication. Additionally, they want to ensure that internal IP Addresses are not revealed. Which of the following is the BEST choice to meet these requirements?
IPsec VPN using Tunnel Mode
IPsec VPN using Transport Mode
L2TP VPN
VLAN VPN
IPsec VPN using Tunnel Mode
Explanation:
Internet Protocol security (IPsec) using Tunnel mode is the best choice of the available answers. IPsec provides mutual authentication, and Tunnel mode will encrypt both the payload and the packet headers, hiding the internal IP addresses.
Transport mode will encrypt the payload only, leaving the internal IP addresses exposed.
A VPN using only Layer 2 Tunneling Protocol (L2TP) doesn’t provide any encryption.
Virtual local area networks (VLANs) provide network segmentation but can’t be used as a VPN. See Chapter 4.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 132). YCDA, LLC. Kindle Edition.
Network Administrators are considering adding an HSM to a Server in your Network. What functions will this add to the Server?
Provide full drive Encryption
Reduce the Risk of employees emailing confidential information outside the organization.
Provide Webmail to Clients
Generate and store Keys used with Servers.
Generate and store Keys used with Servers
Explanation:
A hardware security module (HSM) is a removable device that can generate and store RSA keys used with servers.
The keys can be used to encrypt data sent to and from the server, but they wouldn’t be used for full drive encryption.
A Trusted Platform Module (TPM) provides full drive encryption and is included in many laptops.
A data loss prevention (DLP) device is a device that can reduce the risk of employees emailing confidential information outside the organization.
Software as a Service (SaaS) provides software or applications, such as webmail, via the cloud. See Chapter 5.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 132). YCDA, LLC. Kindle Edition.
Bart needs to send an email to his supervisor with an attachment that includes sensitive information. He wants to maintain the confidentiality of this information. Which of the following choices is the BEST choice to meet this need?
Digital Signature
Encryption
Data Masking
Hashing
Encryption
Explanation:
Encryption is the best choice to provide confidentiality of any type of information, including sensitive information.
A digital signature provides integrity, non-repudiation, and authentication.
Data masking modifies the original data, producing data that looks valid but is not authentic.
Hashing provides integrity. See Chapter 5.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 132). YCDA, LLC. Kindle Edition.
The Springfield school system stores some data in the Cloud using its own resources. The Shelbyville Nuclear Power Plant also stores some data in the Cloud using its own resources. Later, the two organizations decide to share some data in both Clouds for educational purposes. Which of the following BEST describes the Cloud created by these two organizations?
Community
Private
Public
XaaS
Community
Explanation:
They created a community cloud. In the scenario, the two organizations have a common goal of sharing educational materials.
The individual clouds created by each organization are private clouds, but the shared community cloud resources are not private.
A public cloud would be available to anyone, but the scenario wants to restrict access to just two organizations.
Anything as a Service (XaaS) refers to cloud services beyond IaaS, PaaS, and SaaS. See Chapter 5.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 132-133). YCDA, LLC. Kindle Edition.
Your organization is planning to implement a CYOD deployment model. You’re asked to provide input for the new policy. Which of the following concepts are appropriate for this policy?
SCADA Access
Storage Segmentation
Database Security
Embedded RTOS
Storage Segmentation
Explanation:
Storage segmentation creates separate storage areas in mobile devices and can be used with a choose your own device (CYOD) mobile device deployment model where users own their devices.
None of the other answers are directly related to mobile devices.
A supervisory control and data acquisition (SCADA) system controls industrial control systems (ICSs), such as those used in nuclear power plants or water treatment facilities, and SCADA systems should be isolated.
Database security includes the use of permissions and encryption to protect data in a database but is unrelated to mobile device deployment.
Some embedded systems use a real-time operating system (RTOS) when the system must react within a specific time. See Chapter 5.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 133). YCDA, LLC. Kindle Edition.