CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 131:

  A company hires outside security experts to evaluate the security status of the corporate network. All of the company's IT resources are outdated and prone to crashing. The company requests that all testing be performed in a way which minimizes the risk of system failures. Which of the following types of testing does the company want performed?

  A. Penetration testing

  B. WAF testing

  C. Vulnerability scanning D. White box testing

  Correct Answer: C

  Vulnerability scanning has minimal impact on network resource due to the passive nature of the scanning. A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and

  vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates.

  A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are

  important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers.

  Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to

  tighten the network's security.

  Incorrect Answers:

  A: Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings. The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents. Penetration is considered `active' because you are actively trying to circumvent the system's security controls to gain access to the system as opposed to vulnerability scanning which is considered passive. A passive scan would minimize the risk of system failures. Therefore, this answer is incorrect.

  B: WAF Testing is the process of testing web application firewalls. This is a specific test; it does not test general network resources for security flaws. Therefore, this answer is incorrect.

  D: White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality

  (i.e. black-box testing). In white-box testing an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the appropriate outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a systemlevel test. Though this method of test design can uncover many errors or problems, it has the potential to miss unimplemented parts of the specification or missing requirements. White-box testing is used for testing applications. It is not used to identify security issues in a network. Therefore, this answer is incorrect.

  References:

  http://www.webopedia.com/TERM/V/vulnerability_scanning.html http://searchsoftwarequality.techtarget.com/definition/penetration-testing http://en.wikipedia.org/ wiki/White-box_testing

• Question 132:

  Jane has recently implemented a new network design at her organization and wishes to passively identify security issues with the new network. Which of the following should Jane perform?

  A. Vulnerability assessment

  B. Black box testing

  C. White box testing

  D. Penetration testing

  Correct Answer: A

  Vulnerability scanning has minimal impact on network resources due to the passive nature of the scanning. A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and

  vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates.

  A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are

  important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers.

  Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to

  tighten the network's security.

  Incorrect Answers:

  B: Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as well. Black-box testing is used for testing applications. It is not used to identify security issues in a network. Therefore, this answer is incorrect.

  C: White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality

  (i.e. black-box testing). In white-box testing an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the appropriate outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a systemlevel test. Though this method of test design can uncover many errors or problems, it has the potential to miss unimplemented parts of the specification or missing requirements. White-box testing is used for testing applications. It is not used to identify security issues in a network. Therefore, this answer is incorrect.

  D: Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings. The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents. Penetration is considered `active' because you are actively trying to circumvent the system's security controls to gain access to the system as opposed to vulnerability scanning which is considered passive. Therefore, this answer is incorrect.

  References: http://www.webopedia.com/TERM/V/vulnerability_scanning.html http://en.wikipedia.org/wiki/Black-box_testing http://en.wikipedia.org/wiki/White-box_testing http://searchsoftwarequality.techtarget.com/definition/penetration-testing

• Question 133:

  A security administrator wants to perform routine tests on the network during working hours when certain applications are being accessed by the most people. Which of the following would allow the security administrator to test the lack of security controls for those applications with the least impact to the system?

  A. Penetration test

  B. Vulnerability scan

  C. Load testing

  D. Port scanner

  Correct Answer: B

  A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and

  vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates.

  A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are

  important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers.

  Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to

  tighten the network's security.

  Incorrect Answers:

  A: Penetration testing evaluates an organization's ability to protect its networks, applications, computers and users from attempts to circumvent its security controls to gain unauthorized or privileged access to protected assets. A vulnerability scan has less impact on the system than a penetration test. Therefore, this answer is incorrect.

  C: Load testing is the process of adding `load' to a system to test or measure how much load the system can take and continue to function. An example of a load test would be using software to simulate many users (possibly thousands) simultaneously accessing the corporate website to ensure that the web server can continue to function under the load. Load testing is not used to test the lack of security controls for applications. Therefore, this answer is incorrect.

  D: A port scanner is typically a software application used to scan a system such as a computer or firewall for open ports. A malicious user would attempt to access a system through an open port. A security administrator would compare the list of open ports against a list of ports that need to be open so that unnecessary ports can be closed thus reducing the vulnerability of the system. A port scanner is not used to test the lack of security controls for applications. Therefore, this answer is incorrect.

  References: http://www.webopedia.com/TERM/V/vulnerability_scanning.html

• Question 134:

  Which of the following BEST represents the goal of a vulnerability assessment?

  A. To test how a system reacts to known threats

  B. To reduce the likelihood of exploitation

  C. To determine the system's security posture

  D. To analyze risk mitigation strategies

  Correct Answer: C

  A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and

  vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates.

  A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are

  important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers.

  Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to

  tighten the network's security.

  Incorrect Answers:

  A: A vulnerability scan is used to determine whether a system is vulnerable to known threats. It is not used to test how a system reacts to the known threats. Therefore, this answer is incorrect.

  B: A vulnerability scan is used to determine whether a system is vulnerable to known threats. By determining the existence of vulnerabilities, we can reduce the likelihood of the system being exploited. However, we first need to determine the existence of the vulnerabilities. Therefore, this answer is incorrect.

  D: A vulnerability scan is used to determine whether a system is at risk from known threats. After determining the risk, we can develop a risk mitigation strategy. However it is not the purpose of the vulnerability scan to analyze the risk mitigation strategies. Therefore, this answer is incorrect.

  References: http://www.webopedia.com/TERM/V/vulnerability_scanning.html

• Question 135:

  Ann, a security analyst, is preparing for an upcoming security audit. To ensure that she identifies unapplied security controls and patches without attacking or compromising the system, Ann would use which of the following?

  A. Vulnerability scanning

  B. SQL injection

  C. Penetration testing

  D. Antivirus update

  Correct Answer: A

  A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates.

  A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security.

  Incorrect Answers:

  B: SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must

  exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly

  executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. SQL injection is not a method used to test for unapplied security controls and patches. Therefore, this answer is

  incorrect.

  C: Penetration testing evaluates an organization's ability to protect its networks, applications, computers and users from attempts to circumvent its security controls to gain unauthorized or privileged access to protected assets.

  The difference between a vulnerability scan and a penetration test is that by performing a penetration test, you are actually trying to access a system by exploiting a weakness in the system. This question states that you need to test for

  unapplied security controls and patches without attacking or compromising the system.

  Therefore, this answer is incorrect.

  D: An antivirus update is the process of updating the virus definition files used by antivirus software. It is not used to test for unapplied security controls and patches. Therefore, this answer is incorrect.

  References:

  http://www.webopedia.com/TERM/V/vulnerability_scanning.html http://en.wikipedia.org/wiki/SQL_injection

• Question 136:

  A security administrator is aware that a portion of the company's Internet-facing network tends to be non-secure due to poorly configured and patched systems. The business owner has accepted the risk of those systems being compromised, but the administrator wants to determine the degree to which those systems can be used to gain access to the company intranet. Which of the following should the administrator perform?

  A. Patch management assessment

  B. Business impact assessment

  C. Penetration test

  D. Vulnerability assessment

  Correct Answer: C

  Penetration testing is the most intrusive type of testing because you are actively trying to circumvent the system's security controls to gain access to the system. It is also used to determine the degree to which the systems can be used to gain

  access to the company intranet (the degree of access to local network resources). Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker

  could exploit. Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry

  points, attempting to break in (either virtually or for real) and reporting back the findings. The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy

  compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents. Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break

  in.

  Pen test strategies include:

  Targeted testing

  Targeted testing is performed by the organization's IT team and the penetration testing team working together. It's sometimes referred to as a "lights-turned-on" approach because everyone can see the test being carried out.

  External testing

  This type of pen test targets a company's externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can

  get in once they've gained access.

  Internal testing

  This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.

  Blind testing

  A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that's performing the test beforehand. Typically, they may only be given the name of the company.

  Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive.

  Double blind testing

  Double blind testing takes the blind test and carries it a step further. In this type of pen test, only one or two people within the organization might be aware a test is being conducted. Double- blind tests can be useful for testing an

  organization's security monitoring and incident identification as well as its response procedures.

  Incorrect Answers:

  A: Patch management is the process of managing the installation of security patches and updates on computer systems. An assessment of the patch management process is not performed to determine the degree to which computer systems

  can be used to gain access to the company intranet. Therefore, this answer is incorrect.

  B: A Business impact assessment is the assessment an event will have on the business; for example, a server failure. You could even perform a business impact assessment to assess the impact of a network intrusion. However, to test the

  possible extent of an intrusion, you need to perform a penetration test. Therefore, this answer is incorrect.

  D: A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and

  vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates. A vulnerability scan is considered passive in that it doesn't actually attempt to circumvent the security controls of a system to gain

  access (unlike a penetration test). It can therefore not be used to determine the degree to which computer systems can be used to gain access to the company intranet.

  Therefore, this answer is incorrect.

  References: http://searchsoftwarequality.techtarget.com/definition/penetration-testing

• Question 137:

  Which of the following is BEST utilized to actively test security controls on a particular system?

  A. Port scanning

  B. Penetration test

  C. Vulnerability scanning

  D. Grey/Gray box

  Correct Answer: B

  Penetration testing is the most intrusive type of testing because you are actively trying to circumvent the system's security controls to gain access to the system. Penetration testing (also called pen testing) is the practice of testing a computer

  system, network or Web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about

  the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings. The main objective of penetration testing is to determine security weaknesses. A

  pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents. Penetration tests are sometimes called white hat

  attacks because in a pen test, the good guys are attempting to break in.

  Pen test strategies include:

  Targeted testing

  Targeted testing is performed by the organization's IT team and the penetration testing team working together. It's sometimes referred to as a "lights-turned-on" approach because everyone can see the test being carried out.

  External testing

  This type of pen test targets a company's externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can

  get in once they've gained access.

  Internal testing

  This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.

  Blind testing

  A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that's performing the test beforehand. Typically, they may only be given the name of the company.

  Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive.

  Double blind testing

  Double blind testing takes the blind test and carries it a step further. In this type of pen test, only one or two people within the organization might be aware a test is being conducted. Double- blind tests can be useful for testing an

  organization's security monitoring and incident identification as well as its response procedures.

  Incorrect Answers:

  A: A port scanner is a software application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the view to compromise it. A port scan or portscan can be defined as a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port. While not a nefarious process in and of itself, it is one used by hackers to probe target machine services with the aim of exploiting a known vulnerability of that service. However the majority of uses of a port scan are not attacks and are simple probes to determine services available on a remote machine. Port scanning does not actively test security controls on a system. Therefore, this answer is incorrect.

  C: A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates. A vulnerability scan is considered passive in that it doesn't actually attempt to circumvent the security controls of a system to gain access (unlike a penetration test). Therefore, this answer is incorrect.

  D: Gray box testing, also called gray box analysis, is a strategy for software debugging in which the tester has limited knowledge of the internal details of the program. A gray box is a device, program or system whose workings are partially understood. Gray box testing does not actively test security controls on a system. Therefore, this answer is incorrect.

  References:

  http://searchsoftwarequality.techtarget.com/definition/penetration-testing http://en.wikipedia.org/wiki/Port_scanner http://searchsoftwarequality.techtarget.com/definition/gray-box

• Question 138:

  Mike, a security professional, is tasked with actively verifying the strength of the security controls on a company's live modem pool. Which of the following activities is MOST appropriate?

  A. War dialing

  B. War chalking

  C. War driving

  D. Bluesnarfing

  Correct Answer: A

  War dialing is a technique of using a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for computers, Bulletin board systems and fax machines. Hackers use the resulting lists for various purposes: hobbyists for exploration, and crackers - malicious hackers who specialize in computer security - for guessing user accounts (by capturing voicemail greetings), or locating modems that might provide an entry- point into computer or other electronic systems. It may also be used by security personnel, for example, to detect unauthorized devices, such as modems or faxes, on a company's telephone network.

  Incorrect Answers:

  B: War chalking is the act of making chalk marks on outdoor surfaces (walls, sidewalks, buildings, sign posts, trees) to indicate the existence of an open wireless network connection, usually offering an Internet connection so that others can

  benefit from the free wireless access. The open connections typically come from the access points of wireless networks located within buildings to serve enterprises. The chalk symbols indicate the type of access point that is available at that

  specific spot. War chalking is not used to test the security controls of modems.

  Therefore, this answer is incorrect.

  C: War driving, also called access point mapping, is the act of locating and possibly exploiting connections to wireless local area networks while driving around a city or elsewhere. To do war driving, you need a vehicle, a computer (which can

  be a laptop), a wireless Ethernet card set to work in promiscuous mode, and some kind of an antenna which can be mounted on top of or positioned inside the car. Because a wireless LAN may have a range that extends beyond an office

  building, an outside user may be able to intrude into the network, obtain a free Internet connection, and possibly gain access to company records and other resources. War driving is not used to test the security controls of modems. Therefore,

  this answer is incorrect.

  D: Bluesnarfing is the theft of information from a wireless device through a Bluetooth connection. Bluetooth is a high-speed but very short-range wireless technology for exchanging data between desktop and mobile computers, personal

  digital assistants (PDAs), and other devices. By exploiting a vulnerability in the way Bluetooth is implemented on a mobile phone, an attacker can access information -- such as the user's calendar, contact list and e-mail and text messages -without leaving any evidence of the attack. Other devices that use Bluetooth, such as laptop computers, may also be vulnerable, although to a lesser extent, by virtue of their more complex systems. Operating in invisible mode protects some

  devices, but others are vulnerable as long as Bluetooth is enabled. Bluesnarfing is not used to test the security controls of modems. Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/War_dialing http://www.webopedia.com/TERM/W/warchalking.html http://searchmobilecomputing.techtarget.com/definition/war-driving http://searchmobilecomputing.techtarget.com/definition/bluesnarfing

• Question 139:

  During a penetration test from the Internet, Jane, the system administrator, was able to establish a connection to an internal router, but not successfully log in to it. Which ports and protocols are MOST likely to be open on the firewall? (Select FOUR).

  A. 21

  B. 22

  C. 23

  D. 69

  E. 3389

  F. SSH

  G. Terminal services

  H. Rlogin

  I. Rsync

  J. Telnet

  Correct Answer: BCFJ

  The question states that Jane was able to establish a connection to an internal router. Typical ports and protocols used to connect to a router include the following:

  B, F: Port 22 which is used by SSH (Secure Shell).

  C, J: Port 23 which is used by Telnet.

  SSH and Telnet both provide command line interfaces for administering network devices such as routers and switches.

  Incorrect Answers:

  A: Port 21 is used by FTP (File Transfer Protocol). It is used for downloading and uploading files over a network using a TCP connection. It is not used for connecting to network devices such as routers or switches. Therefore, this answer is incorrect.

  D: Port 69 is used by TFTP (Trivial File Transfer Protocol). It is used for downloading and uploading files over a network using a UDP connection. It is not used for connecting to network devices such as routers or switches. Therefore, this answer is incorrect.

  E: Port 3389 is used by Remote Desktop Protocol (RDP). RDP is used for connecting to Windows computers. It is not used for connecting to network devices such as routers or switches. Therefore, this answer is incorrect.

  G: Terminal Services is an earlier name for Remote Desktop Services. Terminal Services uses Remote Desktop Protocol (RDP) on port 3389. It is not used for connecting to network devices such as routers or switches. Therefore, this answer is incorrect.

  H: Rlogin (Remote Login) uses port 513 and is used for connecting to Linux or Unix computers. It is not used for connecting to network devices such as routers or switches. Therefore, this answer is incorrect.

  I: RSync is a file synchronization protocol that uses port 873. It is used for synchronizing files between Linux or Unix computers. It is not used for connecting to network devices such as routers or switches. Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

• Question 140:

  During an anonymous penetration test, Jane, a system administrator, was able to identify a shared print spool directory, and was able to download a document from the spool. Which statement BEST describes her privileges?

  A. All users have write access to the directory.

  B. Jane has read access to the file.

  C. All users have read access to the file.

  D. Jane has read access to the directory.

  Correct Answer: C

  The question states that Jane was able to download a document from the spool directory. To view and download the document, Jane must have at least Read access to the file. The fact that the document belonged to someone else suggests that all users have read access to the file.

  Incorrect Answers:

  A: You need Read access to read and download a document from a spool directory. Write access would enable you to create documents in the spool directory but doesn't mean you can download documents from the directory. Therefore, this answer is incorrect.

  B: Jane was able to view and download the document so she does have Read access to it. However, the fact that the document belonged to someone else suggests that other users have read access to the file rather than only Jane having read access to the file. Therefore, this answer is incorrect.

  D: Read access to the directory would allow Jane to view the directory and view the contents of the directory. However, to view and download a file from the directory, Jane would need read access to the file itself, not just the directory. Therefore, this answer is incorrect.