CompTIA Security+ Get Certified Get Ahead - POST Assessment Exam Flashcards
Your organization hosts an e-commerce Web Server. The Server randomly experiences a high volume of sales and usage from mid-November to the End of December, causing spikes in resource usage. These spikes have resulted in outages during the past year. Which of the following should be implemented to prevent these outages?
Stored Procedures
Scalability
Version Control
Memory Management
Scalability
Explanation:
Scalability is the best choice because it allows administrators to manually scale the server up or out as needed in response to this predictable high resource usage.
Stored procedures are a group of SQL statements that execute as a whole and help prevent SQL injection attacks.
Version control tracks software versions as it is updated and is unrelated to this question.
Memory management techniques help ensure that applications don’t cause memory problems such as memory leaks or integer overflows. See Chapter 1.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1096). YCDA, LLC. Kindle Edition.
Employees currently log in with their Usernames and Passwords but management wants to increase login Security by implementing Smart Cards. However, the IT department anticipates it will take a long time to purchase the necessary equipment and issue Smart Cards for everyone. You need to identify a solution that will provide comparable Security until the Smart Cards are implemented. Which of the following is a compensating control that will meet these needs?
Implement an Account Lockout Policy.
Increase Password Policy requirements.
Implement a TOTP solution.
Require users to change their Passwords more often.
Implement a TOTP Solution (Time-based One Time Password)
Explanation:
A Time-based One-Time Password (TOTP) solution can be implemented as a compensating control. It can be implemented with hardware tokens or with an app on a smartphone. The smart cards provide two-factor authentication, so the compensating control should provide two-factor control, and TOTP fills that need. None of the other answers provides an additional factor of authentication.
An account lockout policy locks out users after entering an incorrect password too many times.
The password policy can be used to increase password security.
Requiring users to change their password more often is in the password policy as password expiration. See Chapter 1.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1096). YCDA, LLC. Kindle Edition.
You have configured a Firewall in your Network to block ICMP traffic. You want to verify that it is working as expected. Which of the following commands would you use?
arp
ipconfig
route
ping
ping
Explanation:
The ping command sends Internet Control Message Protocol (ICMP) echo requests and checks for ICMP echo replies.
The Address Resolution Protocol (ARP) resolves IP addresses to media access control (MAC) addresses, and the arp command is used to view and manipulate the ARP cache.
The ipconfig command displays the configuration of a NIC.
The route command can be used to display and manipulate the routing table on computing systems. See Chapter 1.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1097). YCDA, LLC. Kindle Edition.
You need to reboot a database Server. Before doing so, you need to verify it doesn’t have any active Network connections. Which of the following commands will BEST meet your needs?
arp
ipconfig
hping3
netstat
netstat
Explanation:
The netstat command displays active connections on a system.
Arp displays information related to media access control (MAC) addresses.
Ipconfig displays TCP/IP configuration information for wired and wireless network interface cards.
The hping3 command is used to identify open and closed ports on remote systems. See Chapter 1.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1097). YCDA, LLC. Kindle Edition.
You are troubleshooting an issue with the ycda Application hosted on a Linux System. You suspect that the issue is caused when performing a specific function. You execute the function and see a generic error message. You want to view the detailed error logged in the messages file. Which of the following commands would be the BEST choice to use?
head
tail
chmod
logger
tail
Explanation:
The tail command shows the last 10 lines (by default) of a log file and, in this scenario, is the best choice to show a recent error message.
The head command shows the beginning lines in a log file and is unlikely to display recent error messages.
You would use the chmod command (short for change mode) to change permissions on files and directories.
The logger command is used to add entries into the syslog file. See Chapter 1.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1097). YCDA, LLC. Kindle Edition.
Lisa is installing an Application named gcga.exe on a Linux Server. The documentation indicates that the Application should be installed with the following permissions:
- the owner of the application should have Read, Write, and Execute
- the owner group of the application should have Read and Execute
- all other users should NOT have any permissions for the application.
Which of the following commands should be used to meet these requirements?
chmod 067 gcga.exe
chmod 661 gcga.exe
chmod 760 gcga.exe
chmod 770 gcga.exe
chmod 760 gcga.exe
Explanation:
The chmod 760 gcga.exe should be used. The 7 (in 760) gives read, write, and execute permissions to the owner. The 6 (in 760) gives read and execute permissions to the owner group. The 0 (in 760) ensures that everyone else has no permissions.
The 0 (in 067) denies read, write, and execute permissions for the owner, and the 7 (in 067) grants read, write, and execute permissions for everyone.
The first 6 (in 661) grants only read and write permissions but not execute permissions to the owner.
The second 7 (in 770) grants read, write, and execute permissions for the owner group, but the scenario says that only read and execute permissions should be granted for this group. See Chapter 1.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1098). YCDA, LLC. Kindle Edition.
Homer is not able to access any Network resources from his Linux-based Computer. Which of the following commands would he use to view the Network configuration of his system?
ifconfig
ipconfig
netstat
tracert
ifconfig
Explanation:
The ifconfig command displays network settings on a Linux computer. This includes the IP address, subnet mask, and default gateway assigned to the network interface card (NIC).
The ipconfig command performs similar checks on Windows computers but not on Linux systems.
Netstat shows network statistics and active connections but not the network settings.
The tracert command traces the route between systems on a network and can help determine which network devices are failing. See Chapter 1.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1098). YCDA, LLC. Kindle Edition.
Management wants to increase Security for any users accessing the Network with a VPN. They plan to implement a method that will require users to install an application on their Smartphones. This application will generate a Key that they’ll have to enter in addition to their username and password. What is the BEST description of this added authentication method?
Something you know.
Something you have.
Something you are.
Something you can do.
Something you have.
Explanation:
This is in the something you have factor of authentication. Users are required to have a smartphone with the authentication application installed.
The application generates a key of numbers, and users don’t know this key until the application generates it.
Biometrics are in the something you are factor, but biometric methods aren’t mentioned.
Something you can do refers to a user’s actions, such as making gestures on a screen. See Chapter 2.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1098). YCDA, LLC. Kindle Edition.
Users normally log on using a Smart Card, a username, and a password. Management wants administrators to use a third factor of authentication. Which of the following will meet this need?
PIN
Token
Fingerprints
Push Notifications
Fingerprints
Explanation:
Fingerprints are in the something you are factor of authentication and will meet this need. All the other answers are in either the something you have factor (already used by the smart card) or the something you know factor (already used by the password).
A personal identification number (PIN) is in the something you know factor.
Tokens and push notifications are in the something you have factor. See Chapter 2.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1098). YCDA, LLC. Kindle Edition.
Developers are planning to develop an application using Role-based Access Control. Which of the following would they MOST likely include in their planning?
A listing of labels reflecting classification levels.
A listing of rules that the application must be able to trigger.
A listing of owners.
A matrix of functions matched with required privileges.
A matrix of functions matched with required privileges.
Explanation:
A matrix of functions, roles, or job titles matched with the required access privileges for each of the functions, roles, or job titles is a common planning document for a role-based access control model.
The mandatory access control (MAC) model uses sensitivity labels and classification levels.
Rule-based access control models use rules, but role-based access control models don’t use rules.
The discretionary access control (DAC) model specifies that every object has an owner and it might identify owners in a list. See Chapter 2.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1099). YCDA, LLC. Kindle Edition.
Your organization has implemented a system that stores user credentials in a central database. Users log on once with their credentials. They can then access other systems in the organization without logging on again. Which of the following does this describe?
Federation
SAML
SSO
OAuth
SSO (Single Sign-On)
Explanation:
This describes a single sign-on (SSO) solution in which users only log on once.
Although a federation supports SSO, not all SSO systems use a federation.
Security Assertions Markup Language (SAML) is an SSO solution used for web-based applications, but not all SSO solutions use SAML.
OAuth (Open Authorization) is an authorization protocol used with HTTP-based apps, not internal organizations. See Chapter 2.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1099). YCDA, LLC. Kindle Edition.
The Mapple organization is creating a Help-Desk Team to assist employees with account issues. Members of this team need to create and modify user accounts and occasionally reset user passwords. Which of the following is the BEST way to accomplish this goal?
Give each Help-Desk employee appropriate privileges individually.
Add each member of the Help-Desk team to the administrator group within the domain.
Add members of the Help-Desk team to a Security group that has the appropriate privileges.
Assign attributes to members of the Help-Desk team and give these attributes appropriate privileges.
Add members of the Help-Desk team to a Security group that has the appropriate privileges.
Explanation:
The best solution of the available choices is to add members of the help-desk team to a security group that has the appropriate privileges.
Assigning permissions to users individually adds to the administrative workload.
Giving members administrator privileges violates the principle of least privilege by giving them too many privileges.
An attribute-based access control model can use attributes to grant access but would add to the administrative workload if done individually. See Chapter 2.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1099). YCDA, LLC. Kindle Edition.
Your organization’s Security policy states that administrators should follow the principle of Least Privilege. Which of the following tools can ensure that administrators are following the Policy?
Account Audits
Risk Assessment
Vulnerability Assessment
Threat Assessment
Account Audits
Explanation:
Account audits verify users have the permissions they need for their job, and no more, which verifies the principle of least privilege is being followed.
Risk, vulnerability, and threat assessments assess current risks. While they might verify the principle of least privilege is being followed, they do much more. See Chapter 3.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1099). YCDA, LLC. Kindle Edition.
Lisa is responsible for managing and monitoring Network devices, such as Routers and Switches, in your Network. Which of the following protocols is she MOST likely to use?
NAT
SRTP
SNMPv3
DNSSEC
SNMPv3 (Simple Network Management Protocol v3)
Explanation:
Simple Network Management Protocol version 3 (SNMPv3) is used to securely manage and monitor network devices. None of the other choices is related to managing and monitoring network devices.
Network Address Translation (NAT) translates public IP addresses to private IP addresses and private addresses back to public.
The Secure Real-time Transport Protocol (SRTP) secures voice and other streaming media transmissions.
Domain Name System Security Extensions (DNSSEC) helps prevent DNS cache poisoning attacks. See Chapter 3.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1099-1100). YCDA, LLC. Kindle Edition.
** Your organization’s Network has the following setup:
Subnet 1:
HQ - 10.0.1.0/24
Firewall 1
Subnet 2:
HQ - 10.0.2.0/24
Firewall 2
Subnet 3:
Hot Site - 10.0.3.0/24
Firewall 3
All Firewalls should enforce the following Requirements:
- Use only Secure Protocols for Remote Management
- Block Cleartext Web Traffic
The following shows the Current Rules configured in Firewall 1:
HTTPS Outbound - Any - 10.0.1.0/24 - HTTPS - Allow
HTTP Outbound - Any - 10.0.1.0/24 - HTTP - Allow
DNS - Any - 10.0.1.0/24 - DNS - Allow
HTTPS Inbound - 10.0.1.0/24 - Any - HTTPS - Allow
HTTP Inbound - 10.0.1.0/24 - Any - HTTP - Block
Telnet - 10.0.3.0/24 - Any - Telnet - Allow
SSH - 10.0.1.0/24 - Any - SSH - Allow
You’re asked to verify the rules are configured correctly. Which rule, if any, should be changed to ensure Firewall 1 meets the stated requirements?
HTTPS Outbound
HTTP Outbound
DNS
Telnet
SSH
None. All rules are Correct
Telnet
Explanation:
The Telnet rule should be changed to block Telnet traffic. Telnet sends credentials and other data in cleartext and should not be used.
Secure Shell (SSH) encrypts traffic and should be used instead of Telnet.
All other rules are correct. See Chapter 3.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1100). YCDA, LLC. Kindle Edition.
Your organization recently landed a contract with the Federal Government. Developers are fine-tuning an application that will process sensitive data. The contract mandates that all computers using this application must be isolated. Which of the following would BEST meet this need?
Create a bastion host in a screened subnet.
Implement a Boundary Firewall.
Create an Air-Gapped Network
Implement an IPS
Create an Air-Gapped Network
Explanation:
An air-gapped network would best meet this need. An air gap indicates that the network is isolated from other networks with space or air. The application would be developed and compiled in this isolated network. All the other answers have a level of connectivity with the Internet and don’t provide the best protection.
A bastion host is a hardened server that can be accessed via the Internet and it may be directly on the Internet or within a screened subnet (sometimes called a demilitarized zone or DMZ).
A boundary firewall (sometimes called a perimeter firewall) is placed at the edge of the network between the Internet and the internal network or within the screened subnet.
An intrusion prevention system (IPS) is typically placed inline with traffic between the Internet and the internal network and attempts to detect and block attacks. See Chapter 3.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1100). YCDA, LLC. Kindle Edition.
Your organization wants to increase Security for VoIP and Video Teleconferencing applications used within the Network. Which of the following protocols will BEST support this goal?
S/MIME
TLS
SFTP
SRTP
SRTP (Secure Real-Time Transport Protocol)
Explanation:
The Secure Real-Time Transport Protocol (SRTP) provides encryption, message authentication, and integrity for Voice over Internet Protocol (VoIP), video teleconferencing, and other streaming media applications. None of the other answers are related to VoIP or video teleconferencing.
Secure/Multipurpose Internet Mail Extensions (S/MIME) secures email.
The Transport Layer Security (TLS) protocol is used to encrypt data in transit but isn’t the best choice for streaming media.
Secure File Transfer Protocol (SFTP) is a secure implementation of FTP to transfer files. See Chapter 3.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1100-1101). YCDA, LLC. Kindle Edition.
** Your organization hosts a Web Server accessed from employees within the Network, and via the Internet. Management wants to increase its Security. You are tasked with separating all Web-facing traffic from internal Network traffic. Which of the following provides the BEST solution?
Screened Subnet
VLAN
Firewall
WAF
Screened Subnet
Explanation:
A screened subnet (sometimes called a demilitarized zone, DMZ) is a buffered zone between a private network and the Internet, and it will separate the web server’s web-facing traffic from the internal network.
You can use a virtual local area network (VLAN) to group computers together based on job function or some other administrative need, but it is created in the internal network.
A firewall does provide protection for the web server but doesn’t necessarily separate the web-facing traffic from the internal network.
A web application firewall (WAF) protects a web server from incoming attacks, but it does not necessarily separate Internet and internal network traffic. See Chapter 3.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1101). YCDA, LLC. Kindle Edition.
Developers recently configured a new service on a Server called GCGA1. GCGA1 is in a screened subnet and accessed by employees in the internal Network, and by others via the Internet. Network administrators modified Firewall rules to access the service. Testing shows the service works when accessed from internal systems. However, it does not work when accessed from the Internet. Which of the following is MOST likely configured incorrectly?
The new service.
An ACL
The GCGA1 Server
A VLAN
An ACL (Access Control List)
Explanation:
The most likely problem of the available choices is that an access control list (ACL) is configured incorrectly. The server is in a screened subnet (sometimes called a demilitarized zone or DMZ) and the most likely problem is an incorrectly configured ACL on the border firewall (between the Internet and the screened subnet).
The service is working when accessed by internal systems, so it isn’t likely that it is the problem.
Also, the GCGA1 server works for internal systems indicating it is working correctly.
There isn’t any indication a virtual local area network (VLAN) is in use. See Chapter 3.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1101). YCDA, LLC. Kindle Edition.
Bart recently hooked up a Switch incorrectly causing a Switching Loop problem, which took down part of an organization’s Network. Management wants to implement a solution that will prevent this from occurring in the future. Which of the following is the BEST choice to meet this need?
Flood Guard
SNMPv3
SRTP
RSTP
RSTP (Rapid Spanning Tree Protocol)
Explanation:
Rapid Spanning Tree Protocol (RSTP) prevents switching loop problems and should be enabled on the switches to meet this need. While not available as a possible answer, the older Spanning Tree Protocol (STP) also provides loop protection.
A flood guard on a switch helps prevent a media access control (MAC) flood attack.
Simple Network Management Protocol version 3 (SNMPv3) is used to manage and monitor network devices.
The Secure Real-time Transport Protocol (SRTP) provides encryption, message authentication, and integrity for video and voice data. See Chapter 3.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1102). YCDA, LLC. Kindle Edition.
A penetration tester has been hired to perform an assessment on the greatadministrator.com site. He used the nslookup command to perform some reconnaissance and received the following output:
C:\>nslookup -querytype=mx greatadministrator.com
Server: UnKnown
Address: 192.168.1.1
Non-authoritative answer:
gcgapremium.com MX preference = 20, mail exchanger = mx1.emailsrvr.com
gcgapremium.com MX preference = 90, mail exchanger = mx2.emailsrvr.com
Of the following choices, what BEST describes this output?
Server named mx2.emailsrvr.com is the Primary email Server for this domain.
Server named mx1.emailsrvr.com is the Primary email Server for this domain.
The AAAA Record is misconfigured for this domain.
The SOA Record is hiding the IP address of the domain.
DNSSEC has not been enabled on this domain.
Server named mx1.emailsrvr.com is the Primary email Server for this domain.
Explanation:
The server named mx1.emailsrvr.com is the primary email server for this domain. The MX record indicates it is a mail server and the preference of 20 (compared with the preference of 90 for mx2) indicates it is the primary email server.
A preference of 90 for mx2.emailsrvr.com is higher than 20 (the preference for mx1.emailsrvr.com) and indicates that mx2.emailsrvr.com is the backup email server.
An AAAA record maps the IPv6 address to the hostname, but IPv6 is not indicated at all in this question.
The start of authority (SOA) record includes information about the DNS zone and some of its settings, but it does not hide the domain’s IP address.
Domain Name System Security Extensions (DNSSEC) is a suite of extensions to DNS that helps prevent DNS cache poisoning, but the existence (or non-existence) of a DNSSEC record is not indicated in this question. See Chapter 3.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1102-1103). YCDA, LLC. Kindle Edition.
Which of the following is an example of a Detective Control?
An IPS reconfigured to monitor traffic instead of blocking it.
A backup solution that includes off-site backups.
Security Guards
A Cable Lock
An IPS reconfigured to monitor traffic instead of blocking it. (Intrusion Prevention System)
Explanation:
An intrusion prevention system (IPS) is normally placed in line with traffic to block malicious traffic. However, it can be reconfigured to monitor traffic, effectively operating as an intrusion detection system (IDS).
A backup solution is a corrective or recovery control.
Security guards are preventive and deterrent controls.
Cable locks are physical controls that prevent the theft of devices such as laptops. See Chapter 4.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1102-1103). YCDA, LLC. Kindle Edition.
Your organization is planning to implement a Wireless Network using WPA2 Enterprise. Of the following choices, what is required?
An Authentication Server with a Digital Certificate installed on the Authentication Server
An Authentication Server with DHCP installed on the Authentication Server
An Authentication Server with DNS installed on the Authentication Server
An Authentication Server with WPS running on the Access Point.
An Authentication Server with a Digital Certificate installed on the Authentication Server.
Explanation:
WPA2 Enterprise requires an 802.1x authentication server and most implementations require a digital certificate installed on the server.
The network will likely have Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) services, but it isn’t necessary to install them on the authentication server.
Wi-Fi Protected Setup (WPS) makes it easier to set up wireless devices, but it isn’t related to WPA2 Enterprise. See Chapter 4.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1103). YCDA, LLC. Kindle Edition.
Bart was in a coffee shop going through emails and messages on his smartphone. He then started receiving several text messages promoting a political party and encouraging him to visit websites. After he left the coffee shop, he didn’t receive any more messages. What does this describe?
Bluesnarfing
Bluejacking
Malware
WPS Attack
Bluejacking
Explanation:
Bluejacking is the practice of sending unsolicited messages to other Bluetooth devices. It has a limited range of about 30 feet when sent from one mobile phone to another so the attacker couldn’t send additional messages after he left.
Bluesnarfing allows attackers to access data (including email contact lists) on a smartphone but the scenario only indicates the user is receiving unwanted messages.
Malware would not stop after a person leaves a coffee shop.
A Wi-Fi Protected Setup (WPS) attack attempts to discover an access point WPS PIN by guessing PIN numbers, but this is not related to smartphone messages. See Chapter 4.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1103). YCDA, LLC. Kindle Edition.
Management within your organization wants employees to be able to access internal Network resources from remote locations, including from their homes. Which of the following is the BEST choice to meet this need?
NAC
VPN
IDS
IPS
VPN (Virtual Private Network)
Explanation:
A virtual private network (VPN) provides access to a private network over a public network such as the Internet via remote locations and is the best choice to meet this requirement.
Network access control (NAC) methods can check VPN clients for health before allowing them access to the network, but it doesn’t directly provide the access.
Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) protect networks but do not provide remote access. See Chapter 4.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1103). YCDA, LLC. Kindle Edition.
Security experts want to reduce risks associated with updating critical operating systems. Which of the following will BEST meet this goal?
Implement patches when they are released.
Implement a Change Management Policy.
Use only trusted operating systems.
Implement operating systems with Secure configurations.
Implement a Change Management Policy
Explanation:
A change management policy helps reduce risk associated with making any changes to systems, including updating them.
Patches should be tested and evaluated before implementing them, and implementing them when they are released sometimes causes unintended consequences.
The use of a trusted operating system or operating systems with secure configurations doesn’t address how they are updated. See Chapter 5.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1104). YCDA, LLC. Kindle Edition.
Your organization has a segmented Network used to process highly classified material. Management wants to prevent users from copying documents to USB flash drives from any computer in this Network. Which of the following can be used to meet this goal?
DLP
HSM
COPE
SED
DLP (Data Loss Prevention)
Explanation:
A data loss prevention (DLP) solution can prevent users from copying documents to a USB drive. None of the other answers control USB drives.
A hardware security module (HSM) is an external security device used to manage, generate, and securely store cryptographic keys.
COPE (corporate-owned, personally enabled) is a mobile device deployment model.
A self-encrypting drive (SED) includes the hardware and software to encrypt all data on the drive and securely store the encryption keys. See Chapter 5.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1104). YCDA, LLC. Kindle Edition.
Your organization hosts an e-commerce website using a back-end database. The database stores product data and customer data, including credit card numbers. Which of the following is the BEST way to protect the credit card data?
Full Database Encryption
Full Disk Encryption
Database Column Encryption
File-Level Encryption
Database Column Encryption
Explanation:
Database column (or field) encryption is the best choice because it can be used to encrypt the fields holding credit card data, but not fields that don’t need to be encrypted.
Full database encryption and full disk encryption aren’t appropriate because of the resources needed to encrypt everything compared with the security desire of protecting only the credit card data.
File-level encryption isn’t appropriate on a database and will often make it inaccessible to the database application. See Chapter 5.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1104). YCDA, LLC. Kindle Edition.
The Springfield Nuclear Power Plant has created and maintains an online application used to teach the basics of nuclear physics. Only students and teachers in the Springfield Elementary School can access this application via the Cloud. What type of Cloud Service model is this?
IaaS
PaaS
SaaS
XaaS
SaaS (Software as a Service)
Explanation:
This is a Software as a Service (SaaS) model. The software is the online application and the cloud provider (the Springfield Nuclear Power Plant in this example) maintains it.
Infrastructure as a Service (IaaS) provides customers with the hardware via the cloud. Customers are responsible for installing the operating system and any applications.
Platform as a Service (PaaS) is a computing platform.
Anything as a Service (XaaS) refers to cloud services beyond IaaS, PaaS, and SaaS but this scenario clearly describes a SaaS model. See Chapter 5.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1104-1105). YCDA, LLC. Kindle Edition.
Your organization has implemented a CYOD Security Policy. The policy mandates the use of Security Controls to protect the devices, and any data on them if they are lost or stolen. Which of the following would BEST meet this goal?
Screen locks and GPS tagging.
Patch Management and Change Management
Screen Locks and Device Encryption
Full Device Encryption and XaaS
Screen Locks and Device Encryption
Explanation:
Screen locks provide protection for lost devices by making it more difficult for someone to access the device. Device encryption protects the confidentiality of the data even if someone gets past the screen lock.
Global Positioning System (GPS) tagging includes location information on pictures and other files but won’t help protect a lost or stolen device.
Patch management keeps devices up to date, and change management helps prevent outages from unauthorized changes.
Anything as a Service (XaaS) refers to cloud services beyond IaaS, PaaS, and SaaS. See Chapter 5.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1105). YCDA, LLC. Kindle Edition.