CompTIA Security+ Get Certified Get Ahead - CH10 Review

Question 1

GCGA, a software development company, occasionally updates its software with major updates and minor patches. Administrators load these updates to the company website along with a Hash associated with each update. Which of the following BEST describes the purpose of the Hash?

Availability of updates and patches.
Integrity of updates and patches.
Confidentiality of updates and patches.
Integrity of the application.

Answer 1

Integrity of updates and patches.

Explanation:
The hash provides integrity for the updates and patches so that users can verify they have not been modified.

Installing updates and patches increases the availability of the application. Confidentiality is provided by encryption.
The hashes are for the updates and patches, so they do not provide integrity for the application.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 978). YCDA, LLC. Kindle Edition.

Question 2

Users in your organization sign their emails with digital signatures. Which of the following provides integrity of these digital signatures?

Hashing
Encryption
Non-repudiation
Private Key

Answer 2

Hashing

Explanation:
Hashing provides integrity for digital signatures and other data.

A digital signature is a hash of the message encrypted with the sender’s private key, but the encryption doesn’t provide integrity.
The digital signature provides non-repudiation, but non-repudiation does not provide integrity.
The private key and public key are both needed, but the private key does not provide integrity.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 978-979). YCDA, LLC. Kindle Edition.

Question 3

While reviewing logs on a web Server hosted by your organization, you notice multiple logon failures to an FTP account, but they’re only happening about once every 30 minutes. You also see that the same password is being tried against the SSH account right after the FTP account login failure. What BEST describes what is happening?

Brute Force Attack
Dictionary Attack
Plaintext Attack
Spraying Attack

Answer 3

Spraying Attack

Explanation:
This indicates a password spraying attack. It loops through a list of accounts, guessing a password for one account at a time, and then guessing the same password for a different account. In this scenario, the attack may be guessing passwords for other servers before it returns to the web server.

A brute force attack attempts to guess all possible character combinations for a password, and a dictionary attack uses a dictionary of words trying to discover the correct password. A spraying attack could use either a brute force method or a dictionary method when guessing the password; however, these methods do not loop through a list of user accounts.
In a plaintext attack (also called a known plaintext attack), an attacker has samples of known plaintext and can use these samples to decrypt ciphertext that includes this plaintext.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 979). YCDA, LLC. Kindle Edition.

Question 4

An online application requires users to log on with their email address and a password. The application encrypts the passwords in a hashed format. Which of the following can be added to decrease the likelihood that attackers can discover these passwords?

Rainbow Tables
Salt
Digital Signatures
Input Validation

Answer 4

Salt

Explanation:
A password salt is additional random characters added to a password before hashing the password, and it decreases the success of password attacks.

Rainbow Rainbow tables are used by attackers and contain precomputed hashes, and salting is intended to specifically thwart rainbow table attacks.
A digital signature provides authentication, non-repudiation, and integrity, but it doesn’t protect passwords.
Input validation techniques verify data is valid before using it, and they are unrelated to protecting hashed passwords.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 979). YCDA, LLC. Kindle Edition.

Question 5

** What is the primary difference between a block cipher and a stream cipher?

A Stream Cipher encrypts data 1 bit or 1 byte at a time.

A Block Cipher encrypts data 1 bit or 1 byte at a time.

Stream Ciphers are used for Symmetric Encryption, but Block Ciphers are used for Asymmetric Encryption.

Block Ciphers are used for Symmetric Encryption, but Steam Ciphers are used for Asymmetric Encryption.

Answer 5

A Stream Cipher encrypts data 1 bit or 1 byte at a time.

Explanation:
A stream cipher encrypts data a single bit or a single byte at a time and is more efficient when the size of the data is unknown, such as streaming audio or video.

A block cipher encrypts data in specific-sized blocks, such as 64-bit blocks or 128-bit blocks.
Both are used with symmetric encryption algorithms.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 979-980). YCDA, LLC. Kindle Edition.

Question 6

A developer is creating an application that will encrypt and decrypt data on mobile devices. These devices don’t have a lot of processing power. Which of the following cryptographic methods has the LEAST overhead and can provide encryption for these mobile devices?

Elliptic Curve Cryptography
Perfect Forward Secrecy
Salting
Digital Signatures

Answer 6

Elliptic Curve Cryptography (ECC)

Explanation:
Elliptic curve cryptography (ECC) has minimal overhead and is often used with mobile devices for encryption.

Perfect forward secrecy refers to session keys and provides assurances that session keys will not be compromised even if a private key is later compromised.
Salting adds random characters to a password before hashing it to thwart rainbow table attacks.
Digital signatures provide integrity, authentication, and non-repudiation, but not encryption.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 980). YCDA, LLC. Kindle Edition.

Question 7

** You are configuring a web Server that will be used by salespeople via the Internet. Data transferred to and from the Server needs to be encrypted, so you are tasked with requesting a certificate for the Server. Which of the following would you MOST likely use to request the certificate?

CA
CRL
CSR
OCSP

Answer 7

CSR (Certificate Signing Request)

Explanation:
You would request a certificate with a certificate signing request (CSR). It uses a specific format to request a certificate.

You submit the CSR to a certificate authority (CA), but the request needs to be in the CSR format.
A certificate revocation list (CRL) is a list of revoked certificates.
The Online Certificate Status Protocol (OCSP) is an alternate method of validating certificates and indicates if a certificate is good, revoked, or unknown.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 980). YCDA, LLC. Kindle Edition.

Question 8

** Users within an organization frequently access public web Servers using HTTPS. Management wants to ensure that users can verify that Certificates are valid even if the public CAs are temporarily unavailable. Which of the following should be implemented to meet this need?

OCSP
CRL
Private CA
CSR

Answer 8

CRL (Certificate Revocation List)

Explanation:
A certificate revocation list (CRL) can meet this need because CRLs are cached. If the public certificate authority (CA) is not reachable due to any type of connection outage or CA outage, the cached CRL can be used if the cache time has not expired.

The Online Certificate Status Protocol (OCSP) works in real time where the client queries the CA with the serial number of the certificate. If the CA is unreachable, the certificate cannot be validated.
A private CA is used within an organization and cannot validate certificates from a public CA.
You request a certificate with a certificate signing request (CSR), but the CSR doesn’t validate an issued certificate.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 980). YCDA, LLC. Kindle Edition.

Question 9

** Your organization hosts an internal website used only by employees. The website uses a certificate issued by a Private CA and the Network downloads a CRL from the CA once a week. However, after a recent compromise, Security administrators to use a real-time alternative to the CRL. Which of the following will BEST meet this need?

SAN
CSR
RA
OCSP

Answer 9

OCSP (Online Certificate Status Protocol)

Explanation:
The Online Certificate Status Protocol (OCSP) provides real-time responses to validate certificates issued by a certificate authority (CA). A certificate revocation list (CRL) includes a list of revoked certificates, but if it is only downloaded once a week, it can quickly be out of date. None of the other answers validates certificates.

In the context of certificates, a subject alternative name (SAN) certificate is used for multiple domains that have different names but are owned by the same organization.
A certificate signing request (CSR) is used to request a certificate.
A registration authority (RA) accepts CSRs for a CA.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 981). YCDA, LLC. Kindle Edition.

Question 10

** An organization hosts several Web Servers in a web farm used for e-commerce. Due to recent attacks, management is concerned that attackers might try to redirect website traffic, allowing the attackers to impersonate their e-commerce site. Which of the following methods will address this issue?

Stapling
Perfect Forward Secrecy
Pinning
Key Stretching

Answer 10

Pinning

Explanation:
Public key pinning provides clients with a list of public key hashes that clients can use to detect web site impersonation attempts.

Stapling reduces Online Certificate Status Protocol (OCSP) traffic by appending a timestamped, digitally signed OCSP response to a certificate.
Perfect forward secrecy ensures that the compromise of one session key does not compromise other session keys used in the past.
Key stretching techniques add additional bits (salts) to passwords, making them harder to crack.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 981). YCDA, LLC. Kindle Edition.

Question 11

Management has mandated the use of digital signatures by all personnel within your organization. Which of the following use cases does this support?

Supporting Confidentiality
Supporting Availability
Supporting Obfuscation
Supporting Non-Repudiation

Answer 11

Supporting Non-Repudiation

Explanation:
Digital signatures will support a use case of supporting non-repudiation. Digital signatures also provide integrity and authentication, but these weren’t available answers.

Digital signatures don’t encrypt data, so they do not support a use case of supporting confidentiality.
Redundancy and fault-tolerance solutions will increase availability. Steganography is one way of supporting obfuscation.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 981). YCDA, LLC. Kindle Edition.

Question 12

A DLP system detected confidential data being sent out via email from Bart’s account. However, he denied sending the email. Management wants to implement a method that would prevent Bart from denying accountability in the future. Which of the following are they trying to enforce?

Confidentiality
Encryption
Access Control
Non-Repudiation

Answer 12

Non-Repudiation

Explanation:
Non-repudiation methods such as digital signatures prevent users from denying they took an action. In this scenario, if a data loss protection (DLP) system detected the outgoing email and it was signed with Bart’s account using a digital signature, he couldn’t believably deny sending it.

Encryption methods protect confidentiality.
Access control methods protect access to data.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 982). YCDA, LLC. Kindle Edition.

Question 13

Your organization recently updated the Security policy and mandated that emails sent by all upper-level executives include a digital signature. Which Security goal does this policy address?

Confidentiality
Hashing
Obfuscation
Authentication

Answer 13

Authentication

Explanation:
A digital signature is an encrypted hash of a message and it can be used to provide authentication, integrity, and non-repudiation. Authentication identifies the sender of the email.

Encryption provides confidentiality and prevents unauthorized disclosure.
Obfuscation methods attempt to make something harder to read, but a digital signature doesn’t provide obfuscation.
Hashing is a method used to provide integrity, but hashing by itself isn’t a security goal.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 982). YCDA, LLC. Kindle Edition.

Question 14

** You are tasked with getting prices for Certificates. You need to find a source that will provide a Certificate that can be used for multiple domains that have different names. Which of the following certificates is the BEST choice?

SAN
Domain Validation
Extended Validation
Wildcard

Answer 14

SAN (Subject Alternative Name)

Explanation:
A subject alternative name (SAN) certificate is used for multiple domains that have different names but are owned by the same organization.

A domain-validated certificate indicates that the certificate requestor has some control over a Domain Name System (DNS) domain.
Extended validation certificates use additional steps beyond domain validation.
A wildcard certificate starts with an asterisk (*) and can be used for multiple domains, but each domain name must have the same root domain.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 982). YCDA, LLC. Kindle Edition.

Question 15

Your organization recently lost access to some decryption keys, resulting in loss of some encrypted data. The chief information office (CIO) mandated the creation of a key escrow. Which of the following cryptographic keys are MOST likely to be stored in key escrow?

Public
Private
Ephemeral
Session

Answer 15

Private

Explanation:
Copies of private keys are typically stored in a key escrow so that data encrypted with a private key can be retrieved if the original private key is no longer accessible.

Public keys are available to anyone so there is no need to store them in a key escrow.
An ephemeral key has a short lifetime and is re-created for each session.
A session key is only used for a single session so wouldn’t be stored in a key escrow.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 982). YCDA, LLC. Kindle Edition.

Question 16

Which of the following is a Symmetric Encryption algorithm that encryps data 1 bit at a time?

Block Cipher
Stream Cipher
AES
DES
MD5

Answer 16

Stream Cipher

Explanation:
A stream cipher encrypts data a single bit or a single byte at a time and is more efficient when the size of the data is unknown, such as streaming audio or video.

A block cipher encrypts data in specific-sized blocks, such as 64-bit blocks or 128-bit blocks.
Advanced Encryption Standard (AES) and Data Encryption Standard (DES) are block ciphers.
Message Digest 5 (MD5) is a hashing algorithm.

Question 17

An organization requested bids for a contract and asked companies to submit their bids via email. After winning the bid, Acme realized it couldn’t meet the requirements of the contract. Acme instead stated that it never submitted the bid. Which of the following would provide proof to the organization that Acme did submit the bid?

Digital Signature
Integrity
Repudiation
Encryption

Answer 17

Digital Signature

Explanation:
If Acme submitted the bid via email using a digital signature, it would provide proof that the bid was submitted by Acme. Digital signatures provide verification of who sent a message, non-repudiation preventing them from denying it, and integrity verifying the message wasn’t modified.

Integrity verifies the message wasn’t modified.
Repudiation isn’t a valid security concept.
Encryption protects the confidentiality of data, but it doesn’t verify who sent it or provide non-repudiation.

Question 18

An organization recently updated its Security policy. One change is a requirement for all internal web Servers to only support HTTPS traffic. However, the organization doesn’t have the funds to pay for this. Which of the following is the BEST solution?

Create code signing Certificates for the Web Servers.
Create one Wildcard Certificate for all the Web Servers.
Create a Public CA and issue Certificates from it.
Create Certificates signed by an Internal Private CA.

Answer 18

Create Certificates signed by an Internal Private CA (Certificate Authority)

Question 19

A Supply Company has several legacy systems connected within a warehouse. An external Security audit discovered the company using DES for data-at-rest. It mandated the company upgrade from DES to meet minimum Security requirements. The company plans to replace the legacy systems next year, but needs to meet the requirements from the audit. Which of the following is MOST likely to be the simplest upgrade for these systems?

S/MIME
HMAC
3DES
TLS

Answer 19

3DES (Triple Data Encryption Standard)

Explanation:
The best choice is Triple Data Encryption Standard (3DES). None of the other answers are valid replacements for the symmetric encryption algorithm Data Encryption Standard (DES).

Secure/Multipurpose Internet Mail Extensions (S/MIME) is used to digitally sign and encrypt email.
Hash-based Message Authentication Code (HMAC) is a hashing algorithm used to verify the integrity and authenticity of messages.
Transport Layer Security (TLS) uses both symmetric and asymmetric encryption to encrypt data-in-transit, not data-at- rest.

Question 20

Application developers are creating an application that requires users to log on with strong passwords. The developers want to store the passwords in such a way that it will thwart Brute Force Attacks. Which of the following is the BEST solution?

3DES
MD5
PBKDF2
Database Fields

Answer 20

PBKDF2 (Password-Based Key Derivation Function v2)