CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 141:

  Which of the following is the MOST intrusive type of testing against a production system?

  A. White box testing

  B. War dialing

  C. Vulnerability testing

  D. Penetration testing

  Correct Answer: D

  Penetration testing is the most intrusive type of testing because you are actively trying to circumvent the system's security controls to gain access to the system. Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings. The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents. Penetration tests are sometimes called white hat

  attacks because in a pen test, the good guys are attempting to break in.

  Pen test strategies include:

  Targeted testing

  Targeted testing is performed by the organization's IT team and the penetration testing team working together. It's sometimes referred to as a "lights-turned-on" approach because everyone can see the test being carried out.

  External testing

  This type of pen test targets a company's externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can

  get in once they've gained access.

  Internal testing

  This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.

  Blind testing

  A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that's performing the test beforehand. Typically, they may only be given the name of the company.

  Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive.

  Double blind testing

  Double blind testing takes the blind test and carries it a step further. In this type of pen test, only one or two people within the organization might be aware a test is being conducted. Double- blind tests can be useful for testing an

  organization's security monitoring and incident identification as well as its response procedures.

  Incorrect Answers:

  A: White box testing is a software testing technique whereby explicit knowledge of the internal workings of the item being tested are used to select the test data. Unlike black box testing, white box testing uses specific knowledge of

  programming code to examine outputs. The test is accurate only if the tester knows what the program is supposed to do. He or she can then see if the program diverges from its intended goal. White box testing does not account for errors

  caused by omission, and all visible code must also be readable. White box testing is used to test the code of an application. It is not used to test the security controls of a production system.

  Therefore, this answer is incorrect.

  B: War dialing is a technique of using a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for computers, Bulletin board systems and fax machines. It is not used to test the

  security controls of a production system. Therefore, this answer is incorrect.

  C: A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and

  vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates. A vulnerability scan is considered passive in that it doesn't actually attempt to circumvent the security controls of a system to gain

  access (unlike a penetration test). Therefore, this answer is incorrect.

  References:

  http://searchsoftwarequality.techtarget.com/definition/penetration-testing http://www.webopedia.com/TERM/W/White_Box_Testing.html http://en.wikipedia.org/wiki/War_dialing

• Question 142:

  Which of the following assessments would Pete, the security administrator, use to actively test that an application's security controls are in place?

  A. Code review

  B. Penetration test

  C. Protocol analyzer

  D. Vulnerability scan

  Correct Answer: B

  Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or they can be

  performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.

  The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and

  respond to security incidents. Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in.

  Pen test strategies include:

  Targeted testing

  Targeted testing is performed by the organization's IT team and the penetration testing team working together. It's sometimes referred to as a "lights-turned-on" approach because everyone can see the test being carried out.

  External testing

  This type of pen test targets a company's externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can

  get in once they've gained access.

  Internal testing

  This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.

  Blind testing

  A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that's performing the test beforehand. Typically, they may only be given the name of the company.

  Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive.

  Double blind testing

  Double blind testing takes the blind test and carries it a step further. In this type of pen test, only one or two people within the organization might be aware a test is being conducted. Double- blind tests can be useful for testing an

  organization's security monitoring and incident identification as well as its response procedures.

  Incorrect Answers:

  A: A code review is the process of reviewing the code of a software application. This is generally performed during development of the application before the application is released. A penetration test would test the security of the application after it has been released. Therefore, this answer is incorrect.

  C: A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. A protocol analyzer is not used to test an application's security controls. Therefore, this answer is incorrect.

  D: A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates. A vulnerability scan does not actively test that an application's security controls are in place. Therefore, this answer is incorrect.

  References: http://searchsoftwarequality.techtarget.com/definition/penetration-testing

• Question 143:

  A financial company requires a new private network link with a business partner to cater for realtime and batched data flows.

  Which of the following activities should be performed by the IT security staff member prior to establishing the link?

  A. Baseline reporting

  B. Design review

  C. Code review

  D. SLA reporting

  Correct Answer: B

  This question is asking about a new private network link (a VPN) with a business partner. This will provide access to the local network from the business partner. When implementing a VPN, an important step is the design of the VPN. The VPN should be designed to ensure that the security of the network and local systems is not compromised. The design review assessment examines the ports and protocols used, the rules, segmentation, and access control in the systems or applications. A design review is basically a check to ensure that the design of the system meets the security requirements.

  Incorrect Answers:

  A: A baseline report compares the current status of network systems in terms of security updates, performance or other metrics to a predefined set of standards (the baseline). In this question, we are implementing a VPN. We need to ensure

  that the design of the VPN meets the security requirements BEFORE the VPN is implemented. Therefore, this answer is incorrect.

  C: A code review is the process of reviewing the code of a software application. This question is asking about the design and implementation of a VPN. Therefore, this answer is irrelevant and incorrect.

  D: SLA (Service Level Agreement) reporting is the process of comparing (and reporting on) current performance in terms of system uptime or deliverables delivered on time to the metrics defined in the SLA. This question is asking about the

  design and implementation of a VPN.

  Therefore, this answer is irrelevant and incorrect.

• Question 144:

  Which of the following assessment techniques would a security administrator implement to ensure that systems and software are developed properly?

  A. Baseline reporting

  B. Input validation

  C. Determine attack surface

  D. Design reviews

  Correct Answer: D

  When implementing systems and software, an important step is the design of the systems and software. The systems and software should be designed to ensure that the system works as intended and is secure.

  The design review assessment examines the ports and protocols used, the rules, segmentation, and access control in the system or application. A design review is basically a check to ensure that the design of the system meets the security

  requirements.

  Incorrect Answers:

  A: A baseline report compares the current status of network systems in terms of security updates, performance or other metrics to a predefined set of standards (the baseline). Baseline reporting should take place after the systems and

  software have been designed, the design reviewed and the systems and software have been implemented. Therefore, this answer is incorrect.

  B: Input validation can improve application performance by catching malformed input in the application that could cause problems with the output. For example, if a user is expected to enter a number into a field in the application, input

  validation can be used to ensure that the input is numeric and not text. Input validation is a part of application design. It can also be used to prevent attacks such as cross-site scripting and SQL injection. However, it is not part of general

  system design.

  Therefore, this answer is incorrect.

  C: Determining attack surface is a security practice that is performed after a system or software application has been implemented. However, this question is asking about the development of systems and software. The `development' is

  performed before the systems are implemented.

  Therefore, this answer is incorrect.

• Question 145:

  Ann, the software security engineer, works for a major software vendor. Which of the following practices should be implemented to help prevent race conditions, buffer overflows, and other similar vulnerabilities prior to each production release?

  A. Product baseline report

  B. Input validation

  C. Patch regression testing

  D. Code review

  Correct Answer: D

  The problems listed in this question can be caused by problems with the application code.

  Reviewing the code will help to prevent the problems.

  The purpose of code review is to look at all custom written code for holes that may exist. The review needs also to examine changes that the code--most likely in the form of a finished application--may make: configuration files, libraries, and

  the like. During this examination, look for threats such as opportunities for injection to occur (SQL, LDAP, code, and so on), cross-site request forgery, and authentication. Code review is often conducted as a part of gray box testing. Looking

  at source code can often be one of the easiest ways to find weaknesses within the application. Simply reading the code is known as manual assessment, whereas using tools to scan the code is known as automated assessment.

  Incorrect Answers:

  A: A product baseline report is a report that compares the current state of the product to the original product specification. It is not used to prevent race conditions, buffer overflows, and other similar vulnerabilities in an application. Therefore, this answer is incorrect.

  B: Input validation can improve application performance by catching malformed input in the application that could cause problems with the output. For example, if a user is expected to enter a number into a field in the application, input validation can be used to ensure that the input is numeric and not text. It can also be used to prevent attacks such as cross-site scripting and SQL injection. It is not used to prevent race conditions, buffer overflows, and other similar vulnerabilities in an application. Therefore, this answer is incorrect.

  C: Regression testing is a type of software testing that seeks to uncover new software bugs, or regressions, in existing functional and non-functional areas of a system after changes such as enhancements, patches or configuration changes, have been made to them. The intent of regression testing is to ensure that changes such as those mentioned above have not introduced new faults. One of the main reasons for regression testing is to determine whether a change in one part of the software affects other parts of the software. Application patches may be released after the original application has been released. However, a code review should be performed before the application is released in the first place. Therefore, this answer is incorrect.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 345 http://en.wikipedia.org/wiki/Regression_testing

• Question 146:

  One of the servers on the network stops responding due to lack of available memory. Server administrators did not have a clear definition of what action should have taken place based on the available memory. Which of the following would have BEST kept this incident from occurring?

  A. Set up a protocol analyzer

  B. Set up a performance baseline

  C. Review the systems monitor on a monthly basis

  D. Review the performance monitor on a monthly basis

  Correct Answer: B

  A performance baseline provides the input needed to design, implement, and support a secure network. The performance baseline would define the actions that should be performed on a server that is running low on memory.

  Incorrect Answers:

  A: A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. It is not used to provide guidance on the actions that should be performed on a server that is running low on memory. Therefore, this answer is incorrect.

  C: Reviewing the systems monitor on a monthly basis may help to determine that the server is running low on memory. However, the server could run out of memory in between reviews. The system monitor also does not provide guidance on the actions that should be performed on a server that is running low on memory. Therefore this is not the best answer and is therefore incorrect.

  D: Reviewing the performance monitor on a monthly basis may help to determine that the server is running low on memory. However, the server could run out of memory in between reviews. The performance monitor also does not provide guidance on the actions that should be performed on a server that is running low on memory. Therefore this is not the best answer and is therefore incorrect.

• Question 147:

  Several users report to the administrator that they are having issues downloading files from the file server. Which of the following assessment tools can be used to determine if there is an issue with the file server?

  A. MAC filter list

  B. Recovery agent

  C. Baselines

  D. Access list

  Correct Answer: C

  The standard configuration on a server is known as the baseline. In this question, we can see if anything has changed on the file server by comparing its current configuration with the baseline. The IT baseline protection approach is a methodology to identify and implement computer security measures in an organization. The aim is the achievement of an adequate and appropriate level of security for IT systems. This is known as a baseline. A baseline report compares the current status of network systems in terms of security updates, performance or other metrics to a predefined set of standards (the baseline).

  Incorrect Answers:

  A: A MAC filter list is a list of allowed or disallowed MAC addresses on a device that uses MAC filtering, for example, a network switch or a wireless access point. It is not used to determine if there is an issue with a file server. Therefore, this answer is incorrect.

  B: A recovery agent is a `master' account that can recover access to files or other encrypted data in the event of a lost or corrupted digital certificate. In the example of EFS (Encrypted File System), the recovery agent can unencrypt encrypted files if the user's certificate that was used to encrypt the files is unavailable. A recovery agent is not used to determine if there is an issue with a file server. Therefore, this answer is incorrect.

  D: An access list is a list of authorized users or computers allowed to access a resource. It is not used to determine if there is an issue with a file server. Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/IT_baseline_protection

• Question 148:

  Which of the following would a security administrator implement in order to identify change from the standard configuration on a server?

  A. Penetration test

  B. Code review

  C. Baseline review

  D. Design review

  Correct Answer: C

  The standard configuration on a server is known as the baseline. The IT baseline protection approach is a methodology to identify and implement computer security measures in an organization. The aim is the achievement of an adequate and appropriate level of security for IT systems. This is known as a baseline. A baseline report compares the current status of network systems in terms of security updates, performance or other metrics to a predefined set of standards (the baseline).

  Incorrect Answers:

  A: Penetration testing evaluates an organization's ability to protect its networks, applications, computers and users from attempts to circumvent its security controls to gain unauthorized or privileged access to protected assets. By performing a penetration test on a server, you are actively trying to circumvent its security controls to gain unauthorized or privileged access to the server. A penetration test is not used to identify change from the standard configuration on a server. Therefore, this answer is incorrect.

  B: A code review is the process of reviewing the code in an application. It is not used to identify change from the standard configuration on a server. Therefore, this answer is incorrect.

  D: A design review is the process of reviewing the design of something; examples include reviewing the design of the network or the design of a software application. It is not used to identify change from the standard configuration on a server. Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/IT_baseline_protection

• Question 149:

  A security specialist has been asked to evaluate a corporate network by performing a vulnerability assessment. Which of the following will MOST likely be performed?

  A. Identify vulnerabilities, check applicability of vulnerabilities by passively testing security controls.

  B. Verify vulnerabilities exist, bypass security controls and exploit the vulnerabilities.

  C. Exploit security controls to determine vulnerabilities and misconfigurations.

  D. Bypass security controls and identify applicability of vulnerabilities by passively testing security controls.

  Correct Answer: A

  We need to determine if vulnerabilities exist by passively testing security controls. A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security. Vulnerability scanning typically refers to the scanning of systems that are connected to the Internet but can also refer to system audits on internal networks that are not connected to the Internet in order to assess the threat of rogue software or malicious employees in an enterprise.

  Incorrect Answers:

  B: Verifying vulnerabilities exist, bypassing security controls and exploiting the vulnerabilities describes an attack on the system or a penetration test. Penetration testing evaluates an organization's ability to protect its networks, applications,

  computers and users from attempts to circumvent its security controls to gain unauthorized or privileged access to protected assets. A penetration test can test one method at a time of accessing one system at a time. A vulnerability scan can

  scan for all vulnerabilities on multiple systems and is therefore a better answer.

  Therefore, this answer is incorrect.

  C: Exploiting security controls to determine vulnerabilities and misconfigurations would be a slow and manual way of performing a vulnerability assessment. A vulnerability scan is an automated process of scanning for all vulnerabilities on

  multiple systems and is therefore a better answer. Therefore, this answer is incorrect.

  D: We need to first identify any vulnerabilities before we can check the applicability of the vulnerabilities. Therefore, this answer is incorrect.

  References: http://www.webopedia.com/TERM/V/vulnerability_scanning.html

• Question 150:

  A system administrator has noticed vulnerability on a high impact production server. A recent update was made available by the vendor that addresses the vulnerability but requires a reboot of the system afterwards. Which of the following steps should the system administrator implement to address the vulnerability?

  A. Test the update in a lab environment, schedule downtime to install the patch, install the patch and reboot the server and monitor for any changes

  B. Test the update in a lab environment, backup the server, schedule downtime to install the patch, install the patch, and monitor for any changes

  C. Test the update in a lab environment, backup the server, schedule downtime to install the patch, install the update, reboot the server, and monitor for any changes

  D. Backup the server, schedule downtime to install the patch, installs the patch and monitor for any changes

  Correct Answer: C

  We have an update to apply to fix the vulnerability. The update should be tested first in a lab environment, not on the production server to ensure it doesn't cause any other problems with the server. After testing the update, we should backup the server to enable us to roll back any changes in the event of any unforeseen problems with the update. The question states that the server will require a reboot. This will result in downtime so you should schedule the downtime before installing the patch. After installing the update, you should monitor the server to ensure it is functioning correctly.

  Incorrect Answers:

  A: This answer is almost complete but is omits the step of backing up the server. We should backup the server to enable us to roll back any changes in the event of any unforeseen problems with the update. Therefore, this answer is incorrect.

  B: This answer is almost complete but is omits the step of rebooting the server. The question states that the update requires a reboot of the server. Therefore, this answer is incorrect.

  D: This answer omits the important step of testing the update. Updates should always be testing in a lab environment before being deployed to productions servers. Therefore, this answer is incorrect.