CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 191:

  An administrator notices that former temporary employees' accounts are still active on a domain. Which of the following can be implemented to increase security and prevent this from happening?

  A. Implement a password expiration policy.

  B. Implement an account expiration date for permanent employees.

  C. Implement time of day restrictions for all temporary employees.

  D. Run a last logon script to look for inactive accounts.

  Correct Answer: D

  You can run a script to return a list of all accounts that haven't been used for a number of days, for example 30 days. If an account hasn't been logged into for 30 days, it's a safe bet that the user the account belonged to is no longer with the company. You can then disable all the accounts that the script returns. A disabled account cannot be used to log in to a system. This is a good security measure. As soon as an employee leaves the company, the employees account should always be disabled.

  Incorrect Answers:

  A: A password expiration policy is always a good idea as it forces users to change their passwords regularly. However, an expired password does not prevent you logging in. When you log in using an account with an expired password, you

  are prompted to change the password.

  Therefore, this answer is incorrect.

  B: Implementing an account expiration date for permanent employees is not a good idea. When the accounts expire, no one would be able to log in. Account expiration is useful for temporary employees (where you know when they will be

  leaving), not permanent employees. Therefore, this answer is incorrect.

  C: Time of day restrictions will restrict users to logging in at certain times of the day only (for example: during office hours). However this does not prevent people logging in during the allowed hours. Therefore, this answer is incorrect.

• Question 192:

  An auditor's report discovered several accounts with no activity for over 60 days. The accounts were later identified as contractors' accounts who would be returning in three months and would need to resume the activities. Which of the following would mitigate and secure the auditors finding?

  A. Disable unnecessary contractor accounts and inform the auditor of the update.

  B. Reset contractor accounts and inform the auditor of the update.

  C. Inform the auditor that the accounts belong to the contractors.

  D. Delete contractor accounts and inform the auditor of the update.

  Correct Answer: A

  A disabled account cannot be used. It is `disabled'. Whenever an employee leaves a company, the employee's user account should be disabled. The question states that the accounts are contractors' accounts who would be returning in three months. Therefore, it would be easier to keep the accounts rather than deleting them which would require that the accounts are recreated in three months time. By disabling the accounts, we can ensure that the accounts cannot be used; in three months when the contractors are back, we can simply re-enable the accounts.

  Incorrect Answers:

  B: Resetting an account is typically something you would do with a computer account rather than a user account. Resetting an account clears the security identifier associated with the account which effectively creates a different account with the same name. This would prevent any access to resources that was granted to the original account. Disabling the accounts would be a better solution. Therefore, this answer is incorrect.

  C: Informing the auditor that the accounts belong to the contractors would not prevent access to the accounts for the three months until the contractors return. This answer does not improve security and is therefore incorrect.

  D: It would be easier to keep the accounts rather than deleting them which would require that the accounts are recreated in three months time when the contractors return. By disabling the accounts, we can ensure that the accounts cannot be used; then in three months when the contractors are back, we can simply re-enable the accounts. Therefore, this answer is incorrect.

• Question 193:

  The Chief Technology Officer (CTO) wants to improve security surrounding storage of customer passwords.

  The company currently stores passwords as SHA hashes. Which of the following can the CTO implement requiring the LEAST change to existing systems?

  A. Smart cards

  B. TOTP

  C. Key stretching

  D. Asymmetric keys

  Correct Answer: A

  Smart cards usually come in two forms. The most common takes the form of a rectangular piece of plastic with an embedded microchip. The second is as a USB token. It contains a built in processor and has the ability to securely store and process information. A "contact" smart card communicates with a PC using a smart card reader whereas a "contactless" card sends encrypted information via radio waves to the PC. Typical scenarios in which smart cards are used include interactive logon, e-mail signing, e-mail decryption and remote access authentication. However, smart cards are programmable and can contain programs and data for many different applications. For example smart cards may be used to store medical histories for use in emergencies, to make electronic cash payments or to verify the identity of a customer to an e-retailer. Microsoft provides two device independent APIs to insulate application developers from differences between current and future implementations: CryptoAPI and Microsoft Win32?SCard APIs. The Cryptography API contains functions that allow applications to encrypt or digitally sign data in a flexible manner, while providing protection for the user's sensitive private key data. All cryptographic operations are performed by independent modules known as cryptographic service providers (CSPs). There are many different cryptographic algorithms and even when implementing the same algorithm there are many choices to make about key sizes and padding for example. For this reason, CSPs are grouped into types, in which each supported CryptoAPI function, by default, performs in a way particular to that type. For example, CSPs in the PROV_DSS provider type support DSS Signatures and MD5 and SHA hashing.

  Incorrect Answers:

  B: A time-based one-time password (TOTP) is a temporary code, generated by an algorithm, for use in authenticating access to computer systems. The algorithm that generates each password uses the current time of day as one of its factors, ensuring that each password is unique. Time- based one-time passwords are commonly used for two-factor authentication and have seen growing adoption by cloud application providers. In two-factor authentication scenarios, a user must enter a traditional, static password and a TOTP to gain access. In this question, the company currently stores passwords as SHA hashes. This suggests that the passwords are not temporary passwords. Therefore this answer is incorrect.

  C: In cryptography, key stretching refers to techniques used to make a possibly weak key, typically a password or passphrase, more secure against a brute force attack by increasing the time it takes to test each possible key. Passwords or passphrases created by humans are often short or predictable enough to allow password cracking. Key stretching makes such attacks more difficult. Key stretching is used to make passwords stronger. One method is to apply a hash to the password. In this question, the passwords are already hashed. Therefore this answer is incorrect.

  D: Asymmetric algorithms use two keys to encrypt and decrypt data. These asymmetric keys are referred to as the public key and the private key. The sender uses the public key to encrypt a message, and the receiver uses the private key to decrypt the message; what one key does, the other one undoes. Asymmetric keys are not used to further secure hashed passwords. Therefore this answer is incorrect.

  References: https://msdn.microsoft.com/en-us/library/ms953432.aspx http://searchconsumerization.techtarget.com/definition/time-based-one-time-password-TOTP http://en.wikipedia.org/wiki/Key_stretching

• Question 194:

  Joe analyzed the following log and determined the security team should implement which of the following as a mitigation method against further attempts?

  Host 192.168.1.123

  [00:

  00: 01]Successful Login: 015 192.168.1.123 : local

  [00:

  00: 03]Unsuccessful Login: 022 214.34.56.006 : RDP 192.168.1.124

  [00:

  00: 04]UnSuccessful Login: 010 214.34.56.006 : RDP 192.168.1.124

  [00:

  00: 07]UnSuccessful Login: 007 214.34.56.006 : RDP 192.168.1.124

  [00:

  00: 08]UnSuccessful Login: 003 214.34.56.006 : RDP 192.168.1.124

  A.

  Reporting

  B.

  IDS

  C.

  Monitor system logs

  D.

  Hardening

  Correct Answer: D

  We can see a number of unsuccessful login attempts using a Remote Desktop Connection (using the RDP protocol) from a computer with the IP address 192.168.1.124. Someone successfully logged in locally. This is probably an authorized login (for example, Joe logging in). Hardening is the process of securing a system. We can harden (secure) the system by either disallowing remote desktop connections altogether or by restricting which IPs are allowed to initiate remote desktop connections.

  Incorrect Answers:

  A: Reporting is not used to prevent unauthorized login attempts. Therefore, this answer is incorrect.

  B: An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. An IDS could detect the attempted logins but it would not prevent them. "Hardening" is a basic security principle which should be applied to every system. Therefore, this answer is incorrect.

  C: Monitoring system logs will keep you informed about any potential problems with the computer system. However, it will not prevent unauthorized login attempts. Therefore, this answer is incorrect.

• Question 195:

  A new web server has been provisioned at a third party hosting provider for processing credit card transactions. The security administrator runs the netstat command on the server and notices that ports 80, 443, and 3389 are in a `listening' state. No other ports are open. Which of the following services should be disabled to ensure secure communications?

  A. HTTPS

  B. HTTP

  C. RDP

  D. TELNET

  Correct Answer: B

  HTTP uses port 80. HTTP does not provide encrypted communications. Port 443 is used by HTTPS which provides secure encrypted communications. Port 3389 is used by RDP (Remote Desktop Protocol) which does provide encrypted communications.

  Incorrect Answers:

  A: HTTPS uses port 443. HTTPS uses SSL or TLS certificates to secure HTTP communications. HTTPS (HTTP over SSL or HTTP Secure) is the use of Secure Socket Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server. HTTP is secure so this answer is incorrect.

  C: RDP (Remote Desktop Protocol) is used to remotely connect to a Windows computer. RDP uses encrypted communications and is therefore considered secure. This answer is therefore incorrect.

  D: Telnet uses port 23. This is not one of the ports listed as open in the question. This answer is therefore incorrect.

  References:

  http://searchsoftwarequality.techtarget.com/definition/HTTPS http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

• Question 196:

  During a routine audit a web server is flagged for allowing the use of weak ciphers. Which of the following should be disabled to mitigate this risk? (Select TWO).

  A. SSL 1.0

  B. RC4

  C. SSL 3.0

  D. AES

  E. DES

  F. TLS 1.0

  Correct Answer: AE

  TLS 1.0 and SSL 1.0 both have known vulnerabilities and have been replaced by later versions. Any systems running these ciphers should have them disabled. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer

  (SSL), are cryptographic protocols designed to provide communications security over a computer network. They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating,

  and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. This allows for data/message confidentiality, and message authentication codes for message integrity and as a by-product,

  message authentication Netscape developed the original SSL protocol. Version 1.0 was never publicly released because of serious security flaws in the protocol; version 2.0, released in February 1995, "contained a number of security flaws

  which ultimately led to the design of SSL version 3.0". TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0. As stated in the RFC, "the differences between this protocol and SSL 3.0 are not dramatic, but

  they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0". TLS 1.0 does include a means by which a TLS implementation can downgrade the connection to SSL 3.0, thus weakening security.

  TLS 1.1 and then TLS 1.2 were created to replace TLS 1.0.

  Incorrect Answers:

  B: In cryptography, RC4 is the most widely used software stream cipher and is used in popular Internet protocols such as Transport Layer Security (TLS). Whilst some argue that RC4 does have a weakness, it is still commonly used today.

  SSL 1.0 and TLS 1.0 are considered to be weaker ciphers. Therefore, this answer is incorrect.

  C: Although TLS 1.2 has been created to replace SSL 3.0, SSL 3.0 is still commonly used today. SSL 1.0 and TLS 1.0 are considered to be weaker ciphers.

  Therefore, this answer is incorrect.

  D: AES (Advanced Encryption Standard) has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES) which was published in 1977. The algorithm described by AES is a

  symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. AES is not considered to be a weak cipher.

  Therefore, this answer is incorrect.

  F: In cryptography, Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. Although

  DES has been superseded by 3DES and AES, DES is still used today. SSL 1.0 and TLS 1.0 are considered to be weaker ciphers.

  Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/Transport_Layer_Security http://en.wikipedia.org/wiki/Triple_DES

• Question 197:

  A vulnerability assessment indicates that a router can be accessed from default port 80 and default port 22. Which of the following should be executed on the router to prevent access via these ports? (Select TWO).

  A. FTP service should be disabled

  B. HTTPS service should be disabled

  C. SSH service should be disabled

  D. HTTP service should disabled

  E. Telnet service should be disabled

  Correct Answer: CD

  Port 80 is used by HTTP. Port 22 is used by SSH. By disabling the HTTP and Telnet services, you will prevent access to the router on ports 80 and 22.

  Incorrect Answers:

  A: FTP uses ports 20 and 21. Disabling this service will not prevent access to the router on ports 80 or 22. Therefore, this answer is incorrect.

  B: HTTPS uses port 443. Disabling this service will not prevent access to the router on ports 80 or 22. Therefore, this answer is incorrect.

  E: Telnet uses port 23. Disabling this service will not prevent access to the router on ports 80 or

  22. Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

• Question 198:

  A security technician is attempting to improve the overall security posture of an internal mail server. Which of the following actions would BEST accomplish this goal?

  A. Monitoring event logs daily

  B. Disabling unnecessary services

  C. Deploying a content filter on the network

  D. Deploy an IDS on the network

  Correct Answer: B

  One of the most basic practices for reducing the attack surface of a specific host is to disable unnecessary services. Services running on a host, especially network services provide an avenue through which the system can be attacked. If a service is not being used, disable it.

  Incorrect Answers:

  A: Monitoring event logs daily is good practice to view events that have happened. However, it does not improve the security posture of the system. The event logs record things that have happened. They don't prevent things such as an attack from happening.

  C: Content filtering is the process of inspecting the content of a web page as it is downloaded. The content can then be blocked if it doesn't comply with the company's web policy. Content- control software determines what content will be available or perhaps more often what content will be blocked. Content filtering will not improve the overall security posture of a server.

  D: An IDS (Intrusion Detection System) is used to detect attempts to access a computer systems on a network. An IDS is a good idea to improve the security posture of the network. However, this question is asking about improving the security posture of a specific computer (the email server). Therefore disabling unnecessary services is a better answer.

• Question 199:

  The security administrator is analyzing a user's history file on a Unix server to determine if the user was attempting to break out of a rootjail. Which of the following lines in the user's history log shows evidence that the user attempted to escape the rootjail?

  A. cd ../../../../bin/bash

  B. whoami

  C. ls /root

  D. sudo -u root

  Correct Answer: A

  On modern UNIX variants, including Linux, you can define the root directory on a perprocess basis. The chroot utility allows you to run a process with a root directory other than /. The root directory appears at the top of the directory hierarchy and has no parent: A process cannot access any files above the root directory (because they do not exist). If, for example, you run a program (process) and specify its root directory as /home/sam/jail, the program would have no concept of any files in /home/sam or above: jail is the program's root directory and is labeled / (not jail). By creating an artificial root directory, frequently called a (chroot) jail, you prevent a program from accessing or modifying--possibly maliciously--files outside the directory hierarchy starting at its root. You must set up a chroot jail properly to increase security: If you do not set up the chroot jail correctly, you can actually make it easier for a malicious user to gain access to a system than if there were no chroot jail.

  The command cd.. takes you up one level in the directory structure. Repeated commands would take you to the top level the root which is represented by a forward slash /. The command /bin/bash is an attempt to run the bash shell from the root level.

  Incorrect Answers:

  B: The whoami command is used to display the username that the user is working under. It does not signify an attempt to break out of a rootjail. Therefore, this answer is incorrect.

  C: The ls / command is used to list the directories at the root level of the directory structure. It does not signify an attempt to break out of a rootjail. Therefore, this answer is incorrect.

  D: The sudo -u root command is used to change the security context to that of the root user. The root user is equivalent to the Administrator account in Windows. It does not signify an attempt to break out of a rootjail. Therefore, this answer is incorrect.

  References:

  http://searchitchannel.techtarget.com/feature/Secure-your-Linux-server-with-a-chroot-jail-or- TCP-wrappers

• Question 200:

  A security administrator needs to determine which system a particular user is trying to login to at various times of the day. Which of the following log types would the administrator check?

  A. Firewall

  B. Application

  C. IDS

  D. Security

  Correct Answer: D

  The security log records events such as valid and invalid logon attempts, as well as events related to resource use, such as the creating, opening, or deleting of files. For example, when logon auditing is enabled, an event is recorded in the security log each time a user attempts to log on to the computer. You must be logged on as Administrator or as a member of the Administrators group in order to turn on, use, and specify which events are recorded in the security log.

  Incorrect Answers:

  A: A firewall is a hardware device or a software application designed to restrict what data traffic can enter or leave the network. A firewall log logs which traffic has been allowed through the firewall and which traffic it has blocked. It does not record attempted logon events. Therefore, this answer is incorrect.

  B: The Application log contains events logged by applications or programs. For example, a database program might record a file error in the application log. Program developers decide which events to log. It does not record attempted logon events. Therefore, this answer is incorrect.

  C: An IDS (Intrusion Detection System) is used to detect attempts to access computer systems on a network. The IDS log will log intrusion attempts to access the systems. It does not record attempted logon events specifically as a security event log does. Therefore, this answer is incorrect.

  References: https://technet.microsoft.com/en-us/library/cc722404.aspx?f=255andMSPPError=-2147217396