CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 101:

  Which of the following is the below pseudo-code an example of?

  IF VARIABLE (CONTAINS NUMBERS = TRUE) THEN EXIT

  A. Buffer overflow prevention

  B. Input validation

  C. CSRF prevention

  D. Cross-site scripting prevention

  Correct Answer: B

  Input validation is a defensive technique intended to mitigate against possible user input attacks, such as buffer overflows and fuzzing. Input validation checks every user input submitted to the application before processing that input. The check could be a length, a character type, a language type, or a domain.

  Incorrect Answers:

  A: Buffer overflow is an exploit at programming error, bugs and flaws. It occurs when an application is fed more input data than it is programmed to handle. This may cause the application to terminate or to write data beyond the end of the allocated space in memory. The termination of the application may cause the system to send the data with temporary access to privileged levels in the system, while overwriting can cause important data to be lost. Proper error and exception handling and input validation will help prevent Buffer overflow exploits.

  C: XSRF or cross-site request forgery applies to web applications and is an attack that exploits the web application's trust of a user who known or is supposed to have been authenticated. This is often accomplished without the user's knowledge.

  XSRF can be prevented by adding a randomization string (called a nonce) to each URL request and session establishment and checking the client HTTP request header referrer for spoofing.

  D: Cross-site scripting (XSS) is a form of malicious code-injection attack on a web server in which an attacker injects code into the content sent to website visitors. XSS can be mitigated by implementing patch management on the web server, using firewalls, and auditing for suspicious activity.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 257, 338 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 192, 197, 319, 320

• Question 102:

  Which of the following is true about input validation in a client-server architecture, when data integrity is critical to the organization?

  A. It should be enforced on the client side only.

  B. It must be protected by SSL encryption.

  C. It must rely on the user's knowledge of the application.

  D. It should be performed on the server side.

  Correct Answer: D

  Client-side validation should only be used to improve user experience, never for security purposes. A client-side input validation check can improve application performance by catching malformed input on the client and, therefore, saving a roundtrip to the server. However, client side validation can be easily bypassed and should never be used for security purposes. Always use server-side validation to protect your application from malicious attacks.

  Incorrect Answers:

  A: Client side validation is recommended to improve the user experience. However, it can be easily bypassed and should never be used for security purposes.

  B: SSL encryption is used for sending data securely between a client and a server. However, it is not used for input validation.

  C: Input validation must NOT rely on the user's knowledge of the application. If fact, it should assume a lack of knowledge on the user's part.

  References: http://web.securityinnovation.com/appsec-weekly/blog/bid/67936/Do-Not-Rely-on-Client-Side- Validation

• Question 103:

  Which of the following is a best practice for error and exception handling?

  A. Log detailed exception but display generic error message

  B. Display detailed exception but log generic error message

  C. Log and display detailed error and exception messages

  D. Do not log or display error or exception messages

  Correct Answer: A

  A detailed explanation of the error is not helpful for most end users but might provide information that is useful to a hacker. It is therefore better to display a simple but helpful message to the end user and log the detailed information to an

  access-restricted log file for the administrator and programmer who would need as much information as possible about the problem in order to rectify it.

  Incorrect Answers:

  B, C, D: The programmer would need as much information as possible about the problem in order to rectify it. However, a detailed explanation of the error should not be displayed to the end user as this information might be useful to a hacker.

  Therefore, a detailed explanation should be logged and a generic message should be displayed to the end user.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 219 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p 230

• Question 104:

  A program displays:

  ERROR: this program has caught an exception and will now terminate. Which of the following is MOST likely accomplished by the program's behavior?

  A. Operating system's integrity is maintained

  B. Program's availability is maintained

  C. Operating system's scalability is maintained

  D. User's confidentiality is maintained

  Correct Answer: A

  The purpose of error handling is to maintain the security and integrity of the system. Integrity is compromised when unauthorized modification occurs.

  Incorrect Answers:

  B: Availability is the process of ensuring that authorized users have access to the data and systems that they require. Data backups, redundant systems, and disaster recovery plans can be used to support availability, not error and exception handling.

  C: Scalability is the ability of a system to adapt to increased demand. Error handling does not contribute to a system's scalability.

  D: Confidentiality is maintained when unauthorized users do not have access to sensitive information. Error and Exception handling is not related to this.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 259, 413-414

• Question 105:

  Which of the following techniques can be used to prevent the disclosure of system information resulting from arbitrary inputs when implemented properly?

  A. Fuzzing

  B. Patch management

  C. Error handling

  D. Strong passwords

  Correct Answer: C

  Exception handling is an aspect of secure coding. When errors occur, the system should revert back to a secure state. This must be coded into the system by the programmer, and should capture errors and exceptions so that they could be handled by the application.

  Incorrect Answers:

  A: Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.

  B: Patch management is the process of maintaining the latest source code for applications and operating systems. This helps protect a systems from known attacks and vulnerabilities.

  D: Passwords are used to control access to systems as part of a user authentication process. Strong passwords make it harder for attackers to guess or crack the passwords.

  References: http://en.wikipedia.org/wiki/Fuzz_testing Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 218, 220 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 229, 230, 231-232

• Question 106:

  Sara, an application developer, implemented error and exception handling alongside input validation. Which of the following does this help prevent?

  A. Buffer overflow

  B. Pop-up blockers

  C. Cross-site scripting

  D. Fuzzing

  Correct Answer: A

  Buffer overflow is an exploit at programming error, bugs and flaws. It occurs when an application is fed more input data than it is programmed to handle. This may cause the application to terminate or to write data beyond the end of the allocated space in memory. The termination of the application may cause the system to send the data with temporary access to privileged levels in the system, while overwriting can cause important data to be lost. Proper error and exception handling and input validation will help prevent Buffer overflow exploits.

  Incorrect Answers:

  B: Pop-up blockers prevent websites from opening new browser windows without the users consent. These are often used for advertisements but can also be used to distribute malicious code. This does not entail error and exception handling alongside input validation.

  C: Cross-site scripting (XSS) is a form of malicious code-injection attack on a web server in which an attacker injects code into the content sent to website visitors. XSS can be mitigated by implementing patch management on the web server, using firewalls, and auditing for suspicious activity.

  D: Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.

  References: http://en.wikipedia.org/wiki/Fuzz_testing Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 338, 218 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 192, 197, 229, 246

• Question 107:

  Which of the following is an application security coding problem?

  A. Error and exception handling

  B. Patch management

  C. Application hardening

  D. Application fuzzing

  Correct Answer: A

  Exception handling is an aspect of secure coding. When errors occur, the system should revert back to a secure state. This must be coded into the system by the programmer, and should capture errors and exceptions so that they could be handled by the application.

  Incorrect Answers:

  B: Patch management is the process of maintaining the latest source code for applications and operating systems. This helps protect a systems from known attacks and vulnerabilities, and is provided by the vendor in response to newly discovered vulnerabilities in the software.

  C: Hardening is the process of securing a system by reducing its surface of vulnerability. Reducing the surface of vulnerability typically includes removing unnecessary functions and features, removing unnecessary usernames or logins and disabling unnecessary services.

  D: Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.

  References: http://en.wikipedia.org/wiki/Fuzz_testing Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 218, 220 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 229, 230, 231-232

• Question 108:

  Which of the following pseudocodes can be used to handle program exceptions?

  A. If program detects another instance of itself, then kill program instance.

  B. If user enters invalid input, then restart program.

  C. If program module crashes, then restart program module.

  D. If user's input exceeds buffer length, then truncate the input.

  Correct Answer: C

  Exception handling is an aspect of secure coding. When errors occur, the system should revert back to a secure state. This must be coded into the system by the programmer, and should capture all errors and exceptions that could cause the application or its modules to crash. Restarting the application or module would ensure that the application reverts back to a secure state.

  Incorrect Answers:

  A: Checking whether a program is running already is not a form of error or exception handling. B, D: These are examples of input validation.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 230,

• Question 109:

  Which of the following would Jane, an administrator, use to detect an unknown security vulnerability?

  A. Patch management

  B. Application fuzzing

  C. ID badge

  D. Application configuration baseline

  Correct Answer: B

  Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.

  Incorrect Answers:

  A: Patch management is the process of maintaining the latest source code for applications and operating systems. This helps protect a systems from known attacks and vulnerabilities, but not from unknown vulnerabilities.

  C: An ID badge is an aspect of physical security. It is used to control physical access to facilities and areas in a facility.

  D: An Application configuration baseline defines the level of security that will be implemented and maintained for the application. A low baseline implements almost no security while a high baseline does not allow users to make changes to the application.

  References: http://en.wikipedia.org/wiki/Fuzz_testing Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 218, 220 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p 129, 229, 231-232

• Question 110:

  An IT security technician is actively involved in identifying coding issues for her company.

  Which of the following is an application security technique that can be used to identify unknown weaknesses within the code?

  A. Vulnerability scanning

  B. Denial of service

  C. Fuzzing

  D. Port scanning

  Correct Answer: C

  Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.

  Incorrect Answers:

  A: Vulnerability scanners are used to test a system for known security vulnerabilities and weaknesses. It does not identify unknown weaknesses in code.

  B: Denial of Service (DoS) attacks web-based attacks that exploit flaws in the operating system, applications, services, or protocols. These attacks can be mitigated by means of firewalls, routers, and intrusion detection systems (IDSs) that detect DoS traffic, disabling echo replies on external systems, disabling broadcast features on border systems, blocking spoofed packets on the network, and proper patch management.

  D: Port scanning is used by hackers to detect the presence of active services that are assigned to a TCP/UDP port. This is a network-based attack rather than an attack that exploits coding weaknesses, which are aspects of application development.

  References: http://en.wikipedia.org/wiki/Fuzz_testing Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 218, 342 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 24, 170-172, 211, 229