CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 11:

  Which of the following is built into the hardware of most laptops but is not setup for centralized management by default?

  A. Whole disk encryption

  B. TPM encryption

  C. USB encryption

  D. Individual file encryption

  Correct Answer: B

  Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disable in BIOS. It helps with hash key generation and stores cryptographic keys, passwords, or

  certificates.

  Incorrect Answers:

  A Whole disk and device encryption encrypts the data on the device. This feature ensures that the data on the device cannot be accessed in a useable form should the device be stolen. This encryption can be provided by a hardware solution,

  such as TPM or HSM, or a software solution.

  C:

  USB encryption is provided by the vendor of the USB device or by a tool from a third party. It is not included in the hardware of a laptop.

  D.

  File encryption can be used to protect the contents of individual files. It uses randomly generated symmetric encryption keys for the file and stores the key in an encrypted form using the user's public key on the encrypted file.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 418-419 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 236, 237, 252, 255

• Question 12:

  Which of the following provides dedicated hardware-based cryptographic functions to an operating system and its applications running on laptops and desktops?

  A. TPM

  B. HSM

  C. CPU

  D. FPU

  Correct Answer: A

  Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disable in BIOS. It helps with hash key generation and stores cryptographic keys, passwords, or certificates.

  Incorrect Answers:

  B: Hardware Security Module (HSM) hardware-based encryption solution that is usually used in conjunction with PKI to enhance security with certification authorities (CAs). It is available as an expansion card and can cryptographic keys, passwords, or certificates. However, the HSM secures communication between devices rather than the data on the device.

  C: A Central Processing Unit (CPU) does not provide cryptographic functions.

  D: A Floating-point Unit (FPU) is a math coprocessor designed to carry out operations on floating point numbers. IT does not provide cryptographic functions.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 237, 238

• Question 13:

  Which of the following is a hardware-based security technology included in a computer?

  A. Symmetric key

  B. Asymmetric key

  C. Whole disk encryption

  D. Trusted platform module

  Correct Answer: D

  Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disable in BIOS. It helps with hash key generation and stores cryptographic keys, passwords, or

  certificates.

  Incorrect Answers:

  A, B: Symmetrical and Asymmetrical keys are used in hardware- or software-based cryptography.

  C: Whole disk and device encryption encrypts the data on the device. This feature ensures that the data on the device cannot be accessed in a useable form should the device be stolen. This encryption can be provided by a software or a hardware solution.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 418-419 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 236,

• Question 14:

  Which of the following should be enabled in a laptop's BIOS prior to full disk encryption?

  A. USB

  B. HSM

  C. RAID

  D. TPM

  Correct Answer: D

  Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disable in BIOS. It helps with hash key generation and stores cryptographic keys, passwords, or certificates.

  Incorrect Answers:

  A: USB support can be enabled or disabled in a system's BIOS but it is not required for full-disk encryption.

  B: Hardware Security Module (HSM) hardware-based encryption solution that is usually used in conjunction with PKI to enhance security with certification authorities (CAs). It is available as an expansion card and can cryptographic keys,

  passwords, or certificates. As HSM is not embedded in the motherboards, it is not enabled or disable in BIOS.

  C: Random Array of Independent Disks (RAID) is a fault-tolerant storage solution that consists of two or more hard disks. It is not required for full-disk encryption.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 237, 238

• Question 15:

  A company wants to ensure that all aspects if data are protected when sending to other sites within the enterprise. Which of the following would ensure some type of encryption is performed while data is in transit?

  A. SSH

  B. SHA1

  C. TPM

  D. MD5

  Correct Answer: C

  Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disable in BIOS. It helps with hash key generation and stores cryptographic keys, passwords, or certificates.

  Incorrect Answers:

  A: Secure Shell (SSH) is a tunneling protocol that uses encryption to establish a secure shell connection to a remote system. This allows a user to run commands on the remote machine without being physically present at the machine.

  B: SHA-1 is a version of Secure Hash Algorithm (SHA) and is a 160-bit (20-byte) hash algorithm that can be used for hashing. Hashing is not an encryption algorithm but the hash can be used to verify that the data has not been altered. Cryptographic weaknesses were discovered in SHA-1 in 2005.

  D: Message Digest 5 (MD5) is a 128-bit hash algorithm that can be used for hashing. Hashing is not an encryption algorithm but the hash can be used to verify that the data has not been altered. This, however, is only one aspect of data protection.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 237, 271, 315-316 http://en.wikipedia.org/wiki/SHA-1

• Question 16:

  Which of the following is a hardware based encryption device?

  A. EFS

  B. TrueCrypt

  C. TPM

  D. SLE

  Correct Answer: C

  Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disable in BIOS. It helps with hash key generation and stores cryptographic keys, passwords, or certificates.

  Incorrect Answers:

  A: Encrypting File System (EFS) is a software-based encryptions solution that is used to encrypt files or entire volumes in a Windows computer. It is not a hardware-based encryption solution.

  B: TrueCrypt is an open source software-based encryption solution.

  D: SLE (Single Loss Expectancy) is a risk management concept that measures the potential dollar value loss from a single risk-realization incident. It is not related to cryptography.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 5-7, 237, 290

• Question 17:

  Which of the following would be used when a higher level of security is desired for encryption key storage?

  A. TACACS+

  B. L2TP

  C. LDAP

  D. TPM

  Correct Answer: D

  Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disable in BIOS. It helps with hash key generation and stores cryptographic keys, passwords, or certificates.

  Incorrect Answers:

  A: Terminal Access Controller Access-Control System (TACACS) is an authentication and authorization system that accepts credentials from multiple methods, including Kerberos. It is used in client/server network environments to control access. It does not provide higher levels of security for encryption key storage.

  B: Layer 2 Tunneling Protocol (L2TP) is a used to create a channel for netwrk communication between two systems. However, it does not secure the data transmitted over the channel. It does not provide higher levels of security for encryption key storage.

  C: Lightweight Directory Access Protocol (LDAP) is a directory access protocol that allows queries to run against the directory's database. It does not provide higher levels of security for encryption key storage.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 144, 146, 147, 237

• Question 18:

  Which of the following has a storage root key?

  A. HSM

  B. EFS

  C. TPM

  D. TKIP

  Correct Answer: C

  Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disable in BIOS. It helps with hash key generation and stores cryptographic keys, passwords, or

  certificates on non-volatile (NV) memory. Data stored on NV memory is retained unaltered when the device has no power. The storage root key is embedded in the TPM to protect TPM keys created by applications, so that these keys cannot

  be used without the TPM.

  Incorrect Answers:

  A: Hardware Security Module (HSM) hardware-based encryption solution that is usually used in conjunction with PKI to enhance security with certification authorities (CAs). It is available as an expansion card and can cryptographic keys, passwords, or certificates. However, the HSM does not have a storage root key.

  B: Encrypting File System (EFS) is used to encrypt files or entire volumes in a Windows computer. It uses certificates to encrypt the data but do not have a storage root key.

  D: TKIP (Temporal Key Integrity Protocol) is an encryption protocol used in Wireless networks. It was designed to provide more secure encryption than the relatively weak Wired Equivalent Privacy (WEP) and does not have a storage root key.

  References: http://www.cs.bham.ac.uk/~mdr/teaching/modules/security/lectures/TrustedComputingTCG.htm l http://en.wikipedia.org/wiki/Hardware_security_module http://searchmobilecomputing.techtarget.com/definition/TKIP Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 171, 237

• Question 19:

  An SSL/TLS private key is installed on a corporate web proxy in order to inspect HTTPS requests. Which of the following describes how this private key should be stored so that it is protected from theft?

  A. Implement full disk encryption

  B. Store on encrypted removable media

  C. Utilize a hardware security module

  D. Store on web proxy file system

  Correct Answer: C

  Hardware Security Module (HSM) hardware-based encryption solution that is usually used in conjunction with PKI to enhance security with certification authorities (CAs). It is available as an expansion card and can cryptographic keys, passwords, or certificates.

  Incorrect Answers:

  A: Device encryption encrypts the data on the device. This feature ensures that the data on the device cannot be accessed in a useable form should the device be stolen.

  B: The SSL/TLS private key needs to be installed on the web proxy in order to inspect HTTPS requests. Moving it to removable media would not improve its security as the removable media would need to be attacked to the web proxy if the SSL/TLS private keys are to be used effectively.

  D: The SSL/TLS private key needs to be installed on the web proxy in order to inspect HTTPS requests. However, simply installing it on the file system does not improve it's security.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 418-419 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 236,

• Question 20:

  Which of the following is a way to implement a technical control to mitigate data loss in case of a mobile device theft?

  A. Disk encryption

  B. Encryption policy

  C. Solid state drive

  D. Mobile device policy

  Correct Answer: A

  Disk and device encryption encrypts the data on the device. This feature ensures that the data on the device cannot be accessed in a useable form should the device be stolen. Incorrect Answers:

  B: An encryption policy provides guidelines that limit the use of encryption to algorithms that have been proven to work effectively. The policy still needs to be applied and enforced.

  C: Solid state drives are hard drives that have memory chips to store data rather than magnetic disks. These are much faster than traditional hard disks but have no effect on data loss due to device theft.

  D: A mobile device policy provides guidelines the acceptable use of mobile devices within an organization, and means of securing the devices and the data on those devices. However, the policy still needs to be applied and enforced.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 418-419 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 236, http://

  www.sans.org/security-resources/policies/general/pdf/ acceptable-encryption-policy