CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 991:

  When designing a new network infrastructure, a security administrator requests that the intranet web server be placed in an isolated area of the network for security purposes. Which of the following design elements would be implemented to comply with the security administrator's request?

  A. DMZ

  B. Cloud services

  C. Virtualization

  D. Sandboxing

  Correct Answer: A

  A demilitarized zone (DMZ) is an area of a network that is designed specifically for public users to access. The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN. Often a DMZ is deployed through the use of a multihomed firewall.

  Incorrect Answers:

  B: A private cloud is a cloud service within a corporate network and isolated from the Internet.

  The private cloud is for internal use only.

  C: D: Virtualization offers several benefits, such as being able to launch individual instances of servers or services as needed, real-time scalability, and the ability to run the exact OS version required for a certain application.

  D: Sandboxing is a means of quarantine or isolation. It's implemented to restrict new or otherwise suspicious software from being able to cause harm to production systems. It can be used against applications or entire OSs.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 37, 38, 39, 250.

• Question 992:

  Which of the following network architecture concepts is used to securely isolate at the boundary between networks?

  A. VLAN

  B. Subnetting

  C. DMZ

  D. NAT

  Correct Answer: C

  A demilitarized zone (DMZ) is an area of a network that is designed specifically for public users to access. The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN. Often a DMZ is deployed through the use of a multihomed firewall.

  Incorrect Answers:

  A: A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. VLANs are used for traffic management. VLANs can be used to isolate traffic between network segments.

  B: Subnetting is a dividing process used on networks to divide larger groups of hosts into smaller collections.

  D: NAT converts the IP addresses of internal systems found in the header of network packets into public IP addresses. A demilitarized zone (DMZ) is an area of a network that is designed specifically for public users to access.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 23, 39.

• Question 993:

  A security analyst needs to ensure all external traffic is able to access the company's front-end servers but protect all access to internal resources. Which of the following network design elements would MOST likely be recommended?

  A. DMZ

  B. Cloud computing

  C. VLAN

  D. Virtualization

  Correct Answer: A

  A demilitarized zone (DMZ) is an area of a network that is designed specifically for public users to access. The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN. Often a DMZ is deployed through the

  use of a multihomed firewall.

  Incorrect Answers:

  B: Cloud computing is a popular term that refers to performing processing and storage elsewhere, over a network connection, rather than locally.

  C: A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. VLANs are used for traffic management. VLANs can be used to isolate traffic between network segments.

  D: Virtualization offers several benefits, such as being able to launch individual instances of servers or services as needed, real-time scalability, and the ability to run the exact OS version required for a certain application.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 23, 37, 39.

• Question 994:

  Which of the following devices would MOST likely have a DMZ interface?

  A. Firewall

  B. Switch

  C. Load balancer

  D. Proxy

  Correct Answer: A

  The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN. Often a DMZ is deployed through the use of a multihomed firewall.

  Incorrect Answers:

  B: A switch is a networking device used to connect other devices together and potentially implement traffic management on their communications.

  C: A load balancer is used to spread or distribute network traffic load across several network links or network devices.

  D: A proxy server is a variation of an application-level firewall or circuit-level firewall. A proxy server is used as a proxy or middleman between clients and servers.

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 21,

• Question 995:

  A security administrator is segregating all web-facing server traffic from the internal network and restricting it to a single interface on a firewall. Which of the following BEST describes this new network?

  A. VLAN

  B. Subnet

  C. VPN

  D. DMZ

  Correct Answer: D

  A DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external network node only has direct access to equipment in the DMZ, rather than any other part of the network. The name is derived from the term "demilitarized zone", an area between nation states in which military operation is not permitted.

  Incorrect Answers:

  A: In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers; such a domain is referred to as a virtual local area network, virtual LAN or VLAN. This is usually achieved on switch or router devices. Simpler devices only support partitioning on a port level (if at all), so sharing VLANs across devices requires running dedicated cabling for each VLAN. More sophisticated devices can mark packets through tagging, so that a single interconnect (trunk) may be used to transport data for multiple VLANs. Grouping hosts with a common set of requirements regardless of their physical location by VLAN can greatly simplify network design. A VLAN has the same attributes as a physical local area network (LAN), but it allows for end stations to be grouped together more easily even if they are not on the same network switch. The network described in this question is a DMZ, not a VLAN.

  B: A subnet is a logical IP network. A DMZ will contain a subnet but it could also contain multiple subnets. Computers on a subnet can communicate with computers on a different subnet through a router.

  C: A VPN (Virtual Private Network) is a secure network connection over an insecure network such as the Internet. For example, two geographically separate sites could be connected by a VPN using the Internet for the physical network connection. The network described in this question is a DMZ, not a VPN.

  References: http://en.wikipedia.org/wiki/DMZ_%28computing%29 http://en.wikipedia.org/wiki/Virtual_LAN

• Question 996:

  An organization does not have adequate resources to administer its large infrastructure. A security administrator wishes to integrate the security controls of some of the network devices in the organization. Which of the following methods would BEST accomplish this goal?

  A. Unified Threat Management

  B. Virtual Private Network

  C. Single sign on

  D. Role-based management

  Correct Answer: A

  Unified Threat Management (UTM) is, basically, the combination of a firewall with other abilities. These abilities include intrusion prevention, antivirus, content filtering, etc. Advantages of combining everything into one:

  You only have one product to learn.

  You only have to deal with a single vendor.

  IT provides reduced complexity.

  Incorrect Answers:

  B: Virtual Private Networks are for connecting LANs together across the Internet or other public networks.

  C: Single sign on allows users to access all of the resources on the network and browse multiple directories once they have been authenticated.

  D: Role-based management governs access based on a user'

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 103, 119, 149, 152.

• Question 997:

  An organization does not have adequate resources to administer its large infrastructure. A security administrator wishes to combine the security controls of some of the network devices in the organization. Which of the following methods would BEST accomplish this goal?

  A. Unified Threat Management

  B. Virtual Private Network

  C. Single sign on

  D. Role-based management

  Correct Answer: A

  When you combine a firewall with other abilities (intrusion prevention, antivirus, content filtering, etc.), what used to be called an all-in-one appliance is now known as a unified threat management (UTM) system. The advantages of combining everything into one include a reduced learning curve (you only have one product to learn), a single vendor to deal with, and--typically --reduced complexity.

  Incorrect Answers:

  B: A virtual private network (VPN) is a communication tunnel between two entities across an intermediary network. In most cases, the intermediary network is an untrusted network, such as the Internet, and therefore the communication tunnel is also encrypted.

  C: Single sign-on means that once a user (or other subject) is authenticated into a realm, they need not re-authenticate to access resources on any realm entity.

  D: Role-based management is best suited for environments with a high rate of employee turnover because access is defined against static job descriptions rather than transitive user accounts (DAC and ACL) or assigned clearances (MAC

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 119. Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 11, 280, 289.

• Question 998:

  Joe, a security administrator, believes that a network breach has occurred in the datacenter as a result of a misconfigured router access list, allowing outside access to an SSH server. Which of the following should Joe search for in the log files?

  A. Failed authentication attempts

  B. Network ping sweeps

  C. Host port scans

  D. Connections to port 22

  Correct Answer: D

  Log analysis is the art and science of reviewing audit trails, log files, or other forms of computer- generated records for evidence of policy violations, malicious events, downtimes, bottlenecks, or other issues of concern. SSH uses TCP port 22. All protocols encrypted by SSH also use TCP port 22, such as SFTP, SHTTP, SCP, SExec, and slogin.

  Incorrect Answers:

  A: This just shows you the number of attempts at authentication that were unsuccessful.

  B: Ping sweeps are can establish a range of IP addresses which map to live hosts.

  C: This is often carried out by administrators to validate security policies of their networks and by attackers to identify running services on a host with the view to compromise it.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p 26.

  http://en.wikipedia.org/wiki/Ping_sweep

  http://en.wikipedia.org/wiki/Port_scanner

• Question 999:

  A Chief Information Security Officer (CISO) is tasked with outsourcing the analysis of security logs. These will need to still be reviewed on a regular basis to ensure the security of the company has not been breached. Which of the following cloud service options would support this requirement?

  A. SaaS

  B. MaaS

  C. IaaS

  D. PaaS

  Correct Answer: B

  Monitoring-as-a-service (MaaS) is a cloud delivery model that falls under anything as a service (XaaS). MaaS allows for the deployment of monitoring functionalities for several other services and applications within the cloud.

  Incorrect Answers:

  A: SaaS is a software delivery method that offers remote access to software as a Web-based service.

  C: IaaS is when computer infrastructure, such as virtualization, is outsourced and clients pay for resources used.

  D: It is when a computing platform is outsourced rather than a company or data center purchasing and managing their own hardware and software layers.

  References:

  http://www.techopedia.com/definition/29430/monitoring-as-a-service-maas http://www.webopedia.com/TERM/S/SaaS.html http://www.webopedia.com/TERM/I/IaaS.html

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 17.

• Question 1000:

  Matt, the IT Manager, wants to create a new network available to virtual servers on the same hypervisor, and does not want this network to be routable to the firewall. How could this BEST be accomplished?

  A. Create a VLAN without a default gateway.

  B. Remove the network from the routing table.

  C. Create a virtual switch.

  D. Commission a stand-alone switch.

  Correct Answer: C

  A Hyper-V Virtual Switch implements policy enforcement for security, isolation, and service levels.

  Incorrect Answers:

  A: The default gateway usually connects the internal networks and the Internet. This could result in the gateway node acting as a proxy server and a firewall. The gateway is also associated with both a router, and a switch. A router makes use of headers and forwarding tables to determine where packets are sent, and a switch supplies the actual path for the packet in and out of the gateway. Therefore, a gateway is necessary.

  B: A routing table contains information about the topology of the network immediately around it. Removing the network from it would prevent the virtual servers from connecting to the network.

  D: A standalone switch is able to function independently of other hardware. This would involve cost and effort. Using a virtual switch is the best option.

  References: https://technet.microsoft.com/en-us/library/hh831823.aspx