CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 451:

  Which of the following helps to apply the proper security controls to information?

  A. Data classification

  B. Deduplication

  C. Clean desk policy

  D. Encryption

  Correct Answer: A

  Information classification is done by confidentiality and comprises of three categories, namely:

  public use, internal use and restricted use. These categories make applying the appropriate policies and security controls practical.

  Incorrect Answers:

  B: Deduplication is a specialized data compression technique for eliminating duplicate copies of repeating data. Related and somewhat synonymous terms are intelligent (data) compression and single-instance (data) storage.

  C: Clean Desk Policy Information on a desk--in terms of printouts, pads of note paper, sticky notes, and the like--can be easily seen by prying eyes and taken by thieving hands. To protect data and your business, encourage employees to maintain clean desks and to leave out only those papers that are relevant to the project they are working on at that moment. All sensitive information should be put away when the employee is away from their desk. This however applies only to a certain category of information.

  D: Encryption of data/information is but one type of security control and the question is more concerned about the proper security controls that needs to be applied and when data is classified it makes the type of security control to be employed more appropriate.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 404, 409

• Question 452:

  Used in conjunction, which of the following are PII? (Select TWO).

  A. Marital status

  B. Favorite movie

  C. Pet's name

  D. Birthday

  E. Full name

  Correct Answer: DE

  Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person's name to a fingerprint (think biometrics), credit card number, or patient record. A birthday together with a full name makes it personally identifiable information.

  Incorrect Answers:

  A: Marital status can be shared and thus is not personally identifiable information.

  B: Many people can share a like for the same movie.

  C: Pet's name is not personally identifiable information.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 404

• Question 453:

  Which of the following policies is implemented in order to minimize data loss or theft?

  A. PII handling

  B. Password policy

  C. Chain of custody

  D. Zero day exploits

  Correct Answer: A

  Although the concept of PII is old, it has become much more important as information technology and the Internet have made it easier to collect PII through breaches of internet security, network security and web browser security, leading to a

  profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to aid in the planning of criminal acts. Personally identifiable information (PII) is a catchall for any data that can be

  used to uniquely identify an individual. This data can be anything from the person's name to a fingerprint (think biometrics), credit card number, or patient record.

  Thus a PII handling policy can be used to protect data.

  Incorrect Answers:

  B: Password policy is usually implemented to control access to resources.

  C: Chain of custody refers to a basic forensic procedure that is taken into account after an event occurred.

  D: When a hole is found in a web browser or other software and attackers begin exploiting it the very day it is discovered by the developer (bypassing the one-to- two-day response time that many software providers need to put out a patch

  once the hole has been found), it is known as a zero-day exploit.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 338, 404

• Question 454:

  Which of the following concepts is a term that directly relates to customer privacy considerations?

  A. Data handling policies

  B. Personally identifiable information

  C. Information classification

  D. Clean desk policies

  Correct Answer: B

  Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person's name to a fingerprint (think biometrics), credit card number, or patient record. This has a direct relation to customer privacy considerations.

  Incorrect Answers:

  A: Data handling policies would refer to only those users needing to work with it should be able to access the data.

  C: Information classification is done by confidentiality and comprises of three categories, namely: public use, internal use and restricted use.

  D: Clean Desk Policy Information is used to protect data and your business, encourage employees to maintain clean desks and to leave out only those papers that are relevant to the project they are working on at that moment. All sensitive information should be put away when the employee is away from their desk.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 404, 409, 412

• Question 455:

  End-user awareness training for handling sensitive personally identifiable information would include secure storage and transmission of customer:

  A. Date of birth.

  B. First and last name.

  C. Phone number.

  D. Employer name.

  Correct Answer: A

  Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person's name to a fingerprint (think biometrics), credit card number, or patient record.

  Date of birth is personally identifiable information.

  Incorrect Answers:

  B, C, D: First and last names, phone numbers and employer name is shared information.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 404

• Question 456:

  Ann a technician received a spear-phishing email asking her to update her personal information by clicking the link within the body of the email. Which of the following type of training would prevent Ann and other employees from becoming victims to such attacks?

  A. User Awareness

  B. Acceptable Use Policy

  C. Personal Identifiable Information

  D. Information Sharing

  Correct Answer: C

  Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person's name to a fingerprint (think biometrics), credit card number, or patient record. Employees should be made aware of this type of attack by means of training.

  Incorrect Answers:

  A: A user-awareness program helps individuals in an organization understand how to implement policies, procedures, and technologies to ensure effective security.

  B: Acceptable use policy describes how employees are allowed to use company systems and resources, and the consequences of misuse.

  D: Information sharing is controlled using privacy policies. Privacy policies are implemented to maintain the sanctity of data privacy in the work environment.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 24-25, 404

• Question 457:

  Ann would like to forward some Personal Identifiable Information to her HR department by email, but she is worried about the confidentiality of the information. Which of the following will accomplish this task securely?

  A. Digital Signatures

  B. Hashing

  C. Secret Key

  D. Encryption

  Correct Answer: D

  Encryption is used to prevent unauthorized users from accessing data. Data encryption will support the confidentiality of the email.

  Incorrect Answers:

  A: A digital signature is similar in function to a standard signature on a document. It validates the integrity of the message and the sender. The message is encrypted using the encryption system, and a second piece of information, the digital signature, is added to the message.

  B: Hashing is used to protect the integrity of the email, meaning that it will not be tampered with, not secure confidentiality.

  C: Secret keys are used in encryption. It is also referred to as a symmetric key in cryptography.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 251-258, 262, 404, 414 http://en.wikipedia.org/wiki/Email_encryption

• Question 458:

  Which of the following is the BEST reason to provide user awareness and training programs for organizational staff?

  A. To ensure proper use of social media

  B. To reduce organizational IT risk

  C. To detail business impact analyses

  D. To train staff on zero-days

  Correct Answer: B

  Ideally, a security awareness training program for the entire organization should cover the following areas: Importance of security Responsibilities of people in the organization Policies and procedures Usage policies Account and password-selection criteria Social engineering prevention

  You can accomplish this training either by using internal staff or by hiring outside trainers. This type of training will significantly reduce the organizational IT risk.

  Incorrect Answers:

  A: Proper use of social media would just be one aspect of risk awareness that should be provided.

  C: A business Impact analysis is part of the Business Continuity planning which is primarily a management tool and not for all users and organizational staff.

  D: Zero days refers to the type of attack impact after an incident occurred and this would be too late to provide user awareness it would be after the fact.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 399-401

• Question 459:

  Sara, an employee, tethers her smartphone to her work PC to bypass the corporate web security gateway while connected to the LAN. While Sara is out at lunch her PC is compromised via the tethered connection and corporate data is stolen. Which of the following would BEST prevent this from occurring again?

  A. Disable the wireless access and implement strict router ACLs.

  B. Reduce restrictions on the corporate web security gateway.

  C. Security policy and threat awareness training.

  D. Perform user rights and permissions reviews.

  Correct Answer: C

  BYOD (In this case Sara's smart phone) involves the possibility of a personal device that is infected with malware introducing that malware to the network and security awareness training will address the issue of the company's security policy with regard to BYOD.

  Incorrect Answers:

  A: Disabling wireless access and implementing strict router ACL's will hamper the day-to-day operations of the company and disabling these `punishes all users' and not just Sara who was responsible for the data theft that occurred. It would be best to provide training to all users regarding BYOD.

  B: Reducing restrictions on the corporate web security gateway will leave the company data more vulnerable.

  D: User rights and permissions reviews will not prevent data theft since Sara still requires permissions to perform her duties.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 399-404, 401

• Question 460:

  The method to provide end users of IT systems and applications with requirements related to acceptable use, privacy, new threats and trends, and use of social networking is:

  A. Security awareness training.

  B. BYOD security training.

  C. Role-based security training.

  D. Legal compliance training.

  Correct Answer: A

  Security awareness and training are critical to the success of a security effort. They include explaining policies, procedures, and current threats to both users and management.

  Incorrect Answers:

  B: BYOD security training is just part of security awareness training and involves the possibility of a personal device that is infected with malware introducing that malware to the network.

  C: Role-based security training is more geared towards specific roles.

  D: Legal compliance training would refer to keeping users up to date with new regulations and laws, not threats, trends and use of social engineering.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 399-404