CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 271:

  Several bins are located throughout a building for secure disposal of sensitive information. Which of the following does this prevent?

  A. Dumpster diving

  B. War driving

  C. Tailgating

  D. War chalking

  Correct Answer: A

  The bins in this question will be secure bins designed to prevent someone accessing the `rubbish' to learn sensitive information. Dumpster diving is looking for treasure in someone else's trash. (A dumpster is a large trash container.) In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network. Dumpster diving isn't limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or organizational chart can be used to assist an attacker using social engineering techniques to gain access to the network. To prevent dumpster divers from learning anything valuable from your trash, experts recommend that your company establish a disposal policy where all paper, including print-outs, is shredded in a cross- cut shredder before being recycled, all storage media is erased, and all staff is educated about the danger of untracked trash.

  Incorrect Answers:

  B: War driving, also called access point mapping, is the act of locating and possibly exploiting connections to wireless local area networks while driving around a city or elsewhere. To do war driving, you need a vehicle, a computer (which can

  be a laptop), a wireless Ethernet card set to work in promiscuous mode, and some kind of an antenna which can be mounted on top of or positioned inside the car. Because a wireless LAN may have a range that extends beyond an office

  building, an outside user may be able to intrude into the network, obtain a free Internet connection, and possibly gain access to company records and other resources.

  Secure bins are not used to prevent war driving. Therefore, this answer is incorrect.

  C: Tailgating in IT security would be an unauthorized person following and authorized person into a building or room such as a datacenter. If a building has a card reader where an authorized person can hold up a card to the reader to unlock

  the door, someone tailgating could follow the authorized person into the building by walking through the door before it closes and locks. Secure bins are not used to prevent tailgating. Therefore, this answer is incorrect.

  D: War chalking is the act of making chalk marks on outdoor surfaces (walls, sidewalks, buildings, sign posts, trees) to indicate the existence of an open wireless network connection, usually offering an Internet connection so that others can

  benefit from the free wireless access. The open connections typically come from the access points of wireless networks located within buildings to serve enterprises. The chalk symbols indicate the type of access point that is available at that

  specific spot. Secure bins are not used to prevent war chalking. Therefore, this answer is incorrect.

  References:

  http://searchsecurity.techtarget.com/definition/dumpster-diving http://searchmobilecomputing.techtarget.com/definition/war-driving http://www.webopedia.com/ TERM/W/warchalking.html

• Question 272:

  Ann, an employee, is cleaning out her desk and disposes of paperwork containing confidential customer information in a recycle bin without shredding it first. This is MOST likely to increase the risk of loss from which of the following attacks?

  A. Shoulder surfing

  B. Dumpster diving

  C. Tailgating

  D. Spoofing

  Correct Answer: B

  Dumpster diving is looking for treasure in someone else's trash. (A dumpster is a large trash container.) In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network. Dumpster diving isn't limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or organizational chart can be used to assist an attacker using social engineering techniques to gain access to the network. To prevent dumpster divers from learning anything valuable from your trash, experts recommend that your company establish a disposal policy where all paper, including print-outs, is shredded in a cross- cut shredder before being recycled, all storage media is erased, and all staff is educated about the danger of untracked trash.

  Incorrect Answers:

  A: Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand. This is not what is described in this question. Therefore, this answer is incorrect.

  C: Tailgating in IT security would be an unauthorized person following and authorized person into a building or room such as a datacenter. If a building has a card reader where an authorized person can hold up a card to the reader to unlock

  the door, someone tailgating could follow the authorized person into the building by walking through the door before it closes and locks. This is not what is described in this question. Therefore, this answer is incorrect.

  D: There are several kinds of spoofing including email, caller ID, MAC address, and uniform resource locator (URL) spoof attacks. All types of spoofing are designed to imitate something or someone.

  Email spoofing (or phishing), used by dishonest advertisers and outright thieves, occurs when email is sent with falsified "From:" entry to try and trick victims that the message is from a friend, their bank, or some other legitimate source. Any

  email that claims it requires your password or any personal information could be a trick.

  In a caller ID attack, the spoofer will falsify the phone number he/she is calling from. This is not what is described in this question. Therefore, this answer is incorrect.

  References:

  http://searchsecurity.techtarget.com/definition/dumpster-diving http://searchsecurity.techtarget.com/definition/shoulder-surfing

• Question 273:

  All executive officers have changed their monitor location so it cannot be easily viewed when passing by their offices. Which of the following attacks does this action remediate?

  A. Dumpster Diving

  B. Impersonation

  C. Shoulder Surfing

  D. Whaling

  Correct Answer: C

  Viewing confidential information on someone's monitor is known as shoulder surfing. By moving their monitors so they cannot be seen, the executives are preventing users passing by `shoulder surfing'.

  Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.

  Incorrect Answers:

  A: Dumpster diving is looking for treasure in someone else's trash. (A dumpster is a large trash container.) In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an

  attack on a computer network. Dumpster diving isn't limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or

  organizational chart can be used to assist an attacker using social engineering techniques to gain access to the network. This is not what is described in this question.

  Therefore, this answer is incorrect.

  B: Impersonation is where a person, computer, software application or service pretends to be someone or something it's not. Impersonation is commonly non- maliciously used in client/server applications. However, it can also be used as a

  security threat. This is not what is described in this question. Therefore, this answer is incorrect.

  D: Whaling is a specific kind of malicious hacking within the more general category of phishing, which involves hunting for data that can be used by the hacker. In general, phishing efforts are focused on collecting personal data about users.

  In whaling, the targets are high-ranking bankers, executives or others in powerful positions or job titles. Hackers who engage in whaling often describe these efforts as "reeling in a big fish," applying a familiar metaphor to the process of

  scouring technologies for loopholes and opportunities for data theft. Those who are engaged in whaling may, for example, hack into specific networks where these powerful individuals work or store sensitive data. They may also set up

  keylogging or other malware on a work station associated with one of these executives. There are many ways that hackers can pursue whaling, leading C-level or top-level executives in business and government to stay vigilant about the

  possibility of cyber threats. This is not what is described in this question. Therefore, this answer is incorrect.

  References:

  http://searchsecurity.techtarget.com/definition/shoulder-surfing http://searchsecurity.techtarget.com/definition/dumpster-diving http://www.techopedia.com/ definition/28643/whaling

• Question 274:

  An investigator recently discovered that an attacker placed a remotely accessible CCTV camera in a public area overlooking several Automatic Teller Machines (ATMs). It is also believed that user accounts belonging to ATM operators may have been compromised. Which of the following attacks has MOST likely taken place?

  A. Shoulder surfing

  B. Dumpster diving

  C. Whaling attack

  D. Vishing attack

  Correct Answer: A

  The CCTV camera has recorded people entering their PINs in the ATMs. This is known as shoulder surfing.

  Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.

  Incorrect Answers:

  B: Dumpster diving is looking for treasure in someone else's trash. (A dumpster is a large trash container.) In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an

  attack on a computer network. Dumpster diving isn't limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or

  organizational chart can be used to assist an attacker using social engineering techniques to gain access to the network. This is not what is described in this question.

  Therefore, this answer is incorrect.

  C: Whaling is a specific kind of malicious hacking within the more general category of phishing, which involves hunting for data that can be used by the hacker. In general, phishing efforts are focused on collecting personal data about users.

  In whaling, the targets are high-ranking bankers, executives or others in powerful positions or job titles. Hackers who engage in whaling often describe these efforts as "reeling in a big fish," applying a familiar metaphor to the process of

  scouring technologies for loopholes and opportunities for data theft. Those who are engaged in whaling may, for example, hack into specific networks where these powerful individuals work or store sensitive data. They may also set up

  keylogging or other malware on a work station associated with one of these executives. There are many ways that hackers can pursue whaling, leading C-level or top-level executives in business and government to stay vigilant about the

  possibility of cyber threats. This is not what is described in this question. Therefore, this answer is incorrect.

  D: Vishing (voice or VoIP phishing) is an electronic fraud tactic in which individuals are tricked into revealing critical financial or personal information to unauthorized entities. Vishing works like phishing but does not always occur over the

  Internet and is carried out using voice technology. A vishing attack can be conducted by voice email, VoIP (voice over IP), or landline or cellular telephone.

  The potential victim receives a message, often generated by speech synthesis, indicating that suspicious activity has taken place in a credit card account, bank account, mortgage account or other financial service in their name. The victim is

  told to call a specific telephone number and provide information to "verify identity" or to "ensure that fraud does not occur." If the attack is carried out by telephone, caller ID spoofing can cause the victim's set to indicate a legitimate source,

  such as a bank or a government agency. This is not what is described in this question.

  Therefore, this answer is incorrect.

  References:

  http://searchsecurity.techtarget.com/definition/shoulder-surfing http://www.techopedia.com/definition/28643/whaling http://searchunifiedcommunications.techtarget.com/definition/vishing

• Question 275:

  Ann an employee is visiting Joe, an employee in the Human Resources Department. While talking to Joe, Ann notices a spreadsheet open on Joe's computer that lists the salaries of all employees in her department. Which of the following forms of social engineering would BEST describe this situation?

  A. Impersonation

  B. Dumpster diving

  C. Tailgating

  D. Shoulder surfing

  Correct Answer: D

  Ann was able to see the Spreadsheet on Joe's computer. This direct observation is known as shoulder surfing.

  Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.

  Incorrect Answers:

  A: Impersonation is where a person, computer, software application or service pretends to be someone it's not. Impersonation is commonly non-maliciously used in client/server applications. However, it can also be used as a security threat.

  This is not what is described in this question.

  Therefore, this answer is incorrect.

  B: Dumpster diving is looking for treasure in someone else's trash. (A dumpster is a large trash container.) In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an

  attack on a computer network. Dumpster diving isn't limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or

  organizational chart can be used to assist an attacker using social engineering techniques to gain access to the network. This is not what is described in this question.

  Therefore, this answer is incorrect.

  C: Tailgating in IT security would be an unauthorized person following and authorized person into a building or room such as a datacenter. If a building has a card reader where an authorized person can hold up a card to the reader to unlock

  the door, someone tailgating could follow the authorized person into the building by walking through the door before it closes and locks. This is not what is described in this question. Therefore, this answer is incorrect.

  References:

  http://searchsecurity.techtarget.com/definition/shoulder-surfing http://searchsecurity.techtarget.com/definition/dumpster-diving

• Question 276:

  Using proximity card readers instead of the traditional key punch doors would help to mitigate:

  A. Impersonation

  B. Tailgating

  C. Dumpster diving

  D. Shoulder surfing

  Correct Answer: D

  Using a traditional key punch door, a person enters a code into a keypad to unlock the door. Someone could be watching the code being entered. They would then be able to open the door by entering the code. The process of watching the key code being entered is known as shoulder surfing.

  Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.

  Incorrect Answers:

  A: Impersonation is where a person, computer, software application or service pretends to be someone or something it's not. Impersonation is commonly non- maliciously used in client/server applications. However, it can also be used as a

  security threat. Using proximity card readers instead of the traditional key punch doors would not prevent impersonation.

  Therefore, this answer is incorrect.

  B: Tailgating in IT security would be an unauthorized person following and authorized person into a building or room such as a datacenter. If a building has a card reader where an authorized person can hold up a card to the reader to unlock

  the door, someone tailgating could follow the authorized person into the building by walking through the door before it closes and locks. Using proximity card readers instead of the traditional key punch doors would not prevent tailgating.

  Therefore, this answer is incorrect.

  C: Dumpster diving is looking for treasure in someone else's trash. (A dumpster is a large trash container.) In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an

  attack on a computer network. Dumpster diving isn't limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or

  organizational chart can be used to assist an attacker using social engineering techniques to gain access to the network. To prevent dumpster divers from learning anything valuable from your trash, experts recommend that your company

  establish a disposal policy where all paper, including print-outs, is shredded in a cross- cut shredder before being recycled, all storage media is erased, and all staff is educated about the danger of untracked trash. Using proximity card

  readers instead of the traditional key punch doors would not prevent dumpster diving. Therefore, this answer is incorrect.

  References:

  http://searchsecurity.techtarget.com/definition/shoulder-surfing http://searchsecurity.techtarget.com/definition/dumpster-diving

• Question 277:

  A recent spike in virus detections has been attributed to end-users visiting www.compnay.com. The business has an established relationship with an organization using the URL of www.company.com but not with the site that has been causing the infections. Which of the following would BEST describe this type of attack?

  A. Typo squatting

  B. Session hijacking

  C. Cross-site scripting

  D. Spear phishing

  Correct Answer: A

  Typosquatting, also called URL hijacking or fake url, is a form of cybersquatting, and possibly brandjacking which relies on mistakes such as typographical errors made by Internet users when inputting a website address into a web browser. Should a user accidentally enter an incorrect website address, they may be led to any URL (including an alternative website owned by a cybersquatter).

  The typosquatter's URL will usually be one of four kinds, all similar to the victim site address: (In the following, the intended website is "example.com") ?A common misspelling, or foreign language spelling, of the intended site: exemple.com ?A misspelling based on typing errors: xample.com or examlpe.com ?A differently phrased domain name: examples.com ?A different top-level domain: example.org Once in the typosquatter's site, the user may also be tricked into thinking that they are in fact in the real site; through the use of copied or similar logos, website layouts or content.

  Incorrect Answers:

  B: In computer science, session hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session--sometimes also called a session key--to gain unauthorized access to information or services in a computer

  system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be

  easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer. In this question, the users went to www.compnay.com instead of www.company.com. Therefore, this is not a case of

  hijacking a valid session; it's a case of users going to the wrong URL.

  Therefore, this answer is incorrect.

  C: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.

  Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug- in systems on which they rely. Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised

  site. When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system. By finding ways of injecting malicious scripts

  into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. The question is not describing an XSS attack.

  Therefore, this answer is incorrect.

  D: Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear

  to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or Web site with a broad membership base, such as eBay or PayPal. In the case of spear phishing, however, the apparent

  source of the e-mail is likely to be an individual within the recipient's own company and generally someone in a position of authority. The attack described in the question is not an example of spear phishing. Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/Typosquatting http://en.wikipedia.org/wiki/Session_hijacking http://searchsecurity.techtarget.com/definition/spear-phishing

• Question 278:

  A security administrator must implement all requirements in the following corporate policy:

  Passwords shall be protected against offline password brute force attacks. Passwords shall be protected against online password brute force attacks. Which of the following technical controls must be implemented to enforce the corporate

  policy? (Select THREE).

  A. Account lockout

  B. Account expiration

  C. Screen locks

  D. Password complexity

  E. Minimum password lifetime

  F. Minimum password length

  Correct Answer: ADF

  A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization's network security. A brute force attack may also be referred to as brute force cracking. For example, a form of brute force attack known as a dictionary attack might try all the words in a dictionary. Other forms of brute force attack might try commonly-used passwords or combinations of letters and numbers.

  The best defense against brute force attacks strong passwords. The following password policies will ensure that users have strong (difficult to guess) passwords:

  F: Minimum password length. This policy specifies the minimum number of characters a password should have. For example: a minimum password length of 8 characters is regarded as good security practice.

  D: Password complexity determines what characters a password should include. For example, you could require a password to contain uppercase and lowercase letters and numbers. This will ensure that passwords don't consist of dictionary words which are easy to crack using brute force techniques.

  A: Account lockout policy: This policy ensures that a user account is locked after a number of incorrect password entries. For example, you could specify that if a wrong password is entered three times, the account will be locked for a period of time or indefinitely until the account is unlocked by an administrator.

  Incorrect Answers:

  B: Account expiration settings determine when an account will expire. This is usually a time or date. An account configured with an expiration date will not prevent an attacker trying to brute force a password as the attacker could make as many attempts as he wants until the time or date of the account expiration. Therefore, this answer is incorrect.

  C: A screen lock will cause the screen of a computer or mobile device to lock after a period of inactivity. It is not used to prevent brute force attacks. Therefore, this answer is incorrect.

  E: Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords. When a user is forced to change his password due to a maximum password age period expiring, he could change his password to a previously used password. Or if a password history value of 5 is configured, the user could change his password six times to cycle back round to the original password. This is where the minimum password age (minimum password lifetime) comes in. This is the period that a password must be used for. For example, a minimum password age of 30 would determine that when a user changes his password, he must continue to use the same password for at least 30 days. A minimum password age would not protect against brute force attacks. Therefore, this answer is incorrect.

  References: https://technet.microsoft.com/enus/library/cc757692%28v=ws.10%29.aspx#w2k3tr_sepol_accou_set_kuwh

• Question 279:

  Which of the following can be used by a security administrator to successfully recover a user's forgotten password on a password protected file?

  A. Cognitive password

  B. Password sniffing

  C. Brute force

  D. Social engineering

  Correct Answer: C

  One way to recover a user's forgotten password on a password protected file is to guess it. A brute force attack is an automated attempt to open the file by using many different passwords.

  A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization's network security. A brute force attack may also be referred to as brute force cracking. For example, a form of brute force attack known as a dictionary attack might try all the words in a dictionary. Other forms of brute force attack might try commonly-used passwords or combinations of letters and numbers. An attack of this nature can be time- and resource-consuming. Hence the name "brute force attack;" success is usually based on computing power and the number of combinations tried rather than an ingenious algorithm.

  Incorrect Answers:

  A: A cognitive password is a form of knowledge-based authentication that requires a user to answer a question to verify their identity. To open the password protected file, we need the password that was used to protect the file. Therefore, this answer is incorrect.

  B: Password sniffing is the process of capturing a password as it is transmitted over a network. As no one knows what the password for the protected file is, it won't be transmitted over a network. Therefore, this answer is incorrect.

  D: Social engineering is a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. A social engineer runs what used to be called a "con game." For example, a person using social engineering to break into a computer network might try to gain the confidence of an authorized user and get them to reveal information that compromises the network's security. Social engineers often rely on the natural helpfulness of people as well as on their weaknesses. They might, for example, call the authorized employee with some kind of urgent problem that requires immediate network access. Appealing to vanity, appealing to authority, appealing to greed, and old-fashioned eavesdropping are other typical social engineering techniques. As no one knows what the password for the protected file is, we can't use social engineering to reveal the password. Therefore, this answer is incorrect.

  References:

  http://www.techopedia.com/definition/18091/brute-force-attack http://searchsecurity.techtarget.com/definition/social-engineering

• Question 280:

  Which of the following would BEST deter an attacker trying to brute force 4-digit PIN numbers to access an account at a bank teller machine?

  A. Account expiration settings

  B. Complexity of PIN

  C. Account lockout settings

  D. PIN history requirements

  Correct Answer: C

  Account lockout settings determine the number of failed login attempts before the account gets locked and how long the account will be locked out for. For example, an account can be configured to lock if three incorrect passwords (or in this case PIN's) are entered. The account can then be configured to automatically unlock after a period of time or stay locked until someone manually unlocks it.

  Incorrect Answers:

  A: Account expiration settings determine when an account will expire. This is usually a time or date. An account configured with an expiration date will not prevent an attacker trying to brute force a PIN as the attacker could make as many

  attempts as he wants until the time or date of the account expiration. Therefore, this answer is incorrect.

  B: Complexity of PIN: Password complexity determines what a password should include. For example, you could require a password to contain uppercase and lowercase letters and numbers. The question states that access is gained by

  using a 4-digit PIN number. The "complexity" of the PIN is 4 numbers. There's not much you can do to make a 4 digit PIN more complex other than require that no numbers are repeated. You could only change the length of the PIN to make it

  more difficult to guess. PIN complexity will not prevent an attacker trying to brute force a PIN.

  Therefore, this answer is incorrect.

  D: PIN history requirements are used when people change their PINs. PIN history requirements could state that you cannot use any of your five previously used PINs. PIN history will not prevent an attacker trying to brute force a PIN.

  Therefore, this answer is incorrect.

  References:

  https://technet.microsoft.com/en-us/library/cc757692%28v=ws.10%29.aspx