Joe, a security administrator, is concerned with users tailgating into the restricted areas. Given a limited budget, which of the following would BEST assist Joe with detecting this activity?
A. Place a full-time guard at the entrance to confirm user identity.
B. Install a camera and DVR at the entrance to monitor access.
C. Revoke all proximity badge access to make users justify access.
D. Install a motion detector near the entrance.
Correct Answer: B
Tailgating is a favorite method of gaining entry to electronically locked areas: the intruder simply follows an authorized user through the door that user just unlocked. With a limited budget, installing a camera and DVR at the entrance to monitor access to the restricted areas is the most feasible solution. The benefit of a camera (also known as closed-circuit television, or CCTV) is that it is always running and records everything it sees, so tailgating can be detected on review and the recording becomes evidence that can be admissible in court if necessary. Note that this is a detective control; it does not stop the tailgater at the door.
Incorrect Answers:
A: A full-time guard at the entrance would also detect tailgating, but is far more costly, and guards themselves can be impersonated or socially engineered. Guards are most effective when combined with security cameras, which means the camera is still needed in either case.
C: Revoking proximity badges will just give free access to all if no other measures are in place.
D: A motion detector will inevitably be triggered by legitimate users entering the restricted area as well, so it cannot distinguish tailgating from authorized entry.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 357, 367, 372
Question 482:
A forensic analyst is reviewing electronic evidence after a robbery. Security cameras installed at the site were facing the wrong direction to capture the incident. The analyst ensures the cameras are turned to face the proper direction. Which of the following types of controls is being used?
A. Detective
B. Deterrent
C. Corrective
D. Preventive
Correct Answer: C
A corrective control is any action taken to fix an existing control that was faulty or wrongly installed. In this case the cameras were already in place; they only had to be repositioned to perform their intended function.
Incorrect Answers:
A: A detective control is used to uncover a violation and only becomes relevant once a preventive control has failed.
B: A deterrent control is anything intended to warn a would-be attacker not to attack, such as a login banner stating that intruders may be prosecuted.
D: A preventive control stops something from happening, such as a locked door or user training on potential harm.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 384
Question 483:
A security technician wishes to gather and analyze all Web traffic during a particular time period. Which of the following represents the BEST approach to gathering the required data?
A. Configure a VPN concentrator to log all traffic destined for ports 80 and 443.
B. Configure a proxy server to log all traffic destined for ports 80 and 443.
C. Configure a switch to log all traffic destined for ports 80 and 443.
D. Configure a NIDS to log all traffic destined for ports 80 and 443.
Correct Answer: B
A proxy server is, in essence, a device that acts on behalf of others; in security terms, all internal user interaction with the Internet should be controlled through a proxy server. Because every web request already passes through it, the proxy is the best place to log and analyze all web traffic for a given period.
Incorrect Answers:
A: A VPN concentrator creates encrypted tunnel sessions between hosts, and many use two-factor authentication for additional security. It only sees traffic that traverses the VPN, so a proxy server remains the best tool to gather the required information.
C: A switch can provide a monitoring (mirror) port for troubleshooting and diagnostic purposes, in addition to the virtual circuits it creates between systems on the network, which helps reduce network traffic. However, a switch does not itself log traffic, so a proxy server would be a better tool to gather the required data.
D: A network-based IDS (NIDS) is attached at a point in the network where it can monitor and report on all traffic passing that point. However, it is designed to detect and alert on suspicious traffic rather than to capture all web traffic, so a proxy server would still be the best tool to gather the required data.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 105, 111
Question 484:
A security administrator needs to image a large hard drive for forensic analysis. Which of the following will allow for faster imaging to a second hard drive?
A. cp /dev/sda /dev/sdb bs=8k
B. tail -f /dev/sda > /dev/sdb bs=8k
C. dd in=/dev/sda out=/dev/sdb bs=4k
D. locate /dev/sda /dev/sdb bs=4k
Correct Answer: C
dd is a command-line utility for Unix and Unix-like operating systems whose primary purpose is to convert and copy files. dd can duplicate data across files, devices, partitions and volumes. On Unix, device drivers for hardware (such as hard disks) and special device files (such as /dev/zero and /dev/random) appear in the file system just like normal files; dd can read from and write to these files, provided the function is implemented in their respective drivers. As a result, dd can be used for tasks such as backing up the boot sector of a hard drive or obtaining a fixed amount of random data. dd can also perform conversions on the data as it is copied, including byte-order swapping and conversion to and from the ASCII and EBCDIC text encodings.
Two details matter for this question. First, the real dd option names are if= (input file) and of= (output file); the in=/out= spelling in option C is an error in the exam item, and real dd would reject it. Second, the bs= argument sets the block size of each read and write; a larger block size (4k or more instead of the 512-byte default) means fewer system calls and noticeably faster imaging of a large drive. An attempt to copy an entire disk with cp may omit the final block if it is of an unexpected length, whereas dd copies the device byte for byte. The destination disk must be at least as large as the source.
Incorrect Answers:
A: Using cp on the raw device may omit the final block, and cp does not accept a bs= option.
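The imaging workflow the explanation describes, as an added example that is not part of the original exam item or the Sybex text. It uses a regular file as a stand-in for /dev/sda (constructed sample data, not a real disk), the real dd option names if= and of=, and verifies the image with sha256sum, which is the step an examiner performs right after acquisition. It also shows the one dd caveat worth knowing: conv=noerror,sync zero-pads a short final block, which is what you want on a failing drive but changes the image hash. It assumes GNU coreutils (dd, head -c, sha256sum, wc).

```shell
#!/bin/sh
# Added example: forensic-style acquisition with dd, plus hash verification.
# A regular file stands in for /dev/sda (constructed sample data, not a real disk).
# Assumes GNU coreutils: dd, head -c, sha256sum, wc.

# make_sample_disk PATH BYTES: create a stand-in "disk" filled with random bytes.
make_sample_disk() {
    head -c "$2" /dev/urandom > "$1"
}

# image_disk SRC DST BS [CONV]: acquire SRC into DST with dd.
# if=/of= are dd's real option names (the exam option's in=/out= would be rejected).
# bs sets the read/write block size; larger blocks mean fewer syscalls and a faster copy.
# conv=noerror keeps reading past unreadable blocks instead of aborting the image.
image_disk() {
    dd if="$1" of="$2" bs="$3" conv="${4:-noerror}" 2>/dev/null
}

# verify_image SRC DST: compare SHA-256 digests of source and image; returns 0 on match.
verify_image() {
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$src_hash" = "$dst_hash" ]
}

# file_size PATH: size in bytes, used to show the effect of conv=sync padding.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Demo: a 10000-byte "disk", deliberately not a multiple of the 4k block size.
tmp=$(mktemp -d)
make_sample_disk "$tmp/sda" 10000

image_disk "$tmp/sda" "$tmp/sda.dd" 4k
if verify_image "$tmp/sda" "$tmp/sda.dd"; then
    echo "image verified: $(file_size "$tmp/sda.dd") bytes, hashes match"
fi

# With conv=noerror,sync the short final block is zero-padded to a full 4k block,
# so the image grows to 12288 bytes and its hash no longer matches the source.
# On a real disk (a multiple of 512 bytes) bs=512 avoids this; otherwise record the
# source hash separately and note the padding in the acquisition log.
image_disk "$tmp/sda" "$tmp/sda-sync.dd" 4k noerror,sync
if ! verify_image "$tmp/sda" "$tmp/sda-sync.dd"; then
    echo "padded image: $(file_size "$tmp/sda-sync.dd") bytes, hash differs from source"
fi

rm -rf "$tmp"
```

On a real acquisition the source would be the block device (if=/dev/sda) behind a hardware write blocker, and the destination a file on a separate evidence drive; the hash of both is recorded in the chain-of-custody notes so any later copy can be checked against it.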
Question 485:
To ensure proper evidence collection, which of the following steps should be performed FIRST?
A. Take hashes from the live system
B. Review logs
C. Capture the system image
D. Copy all compromised files
Correct Answer: C
Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it. This is essential because the evidence collection process itself may result in mishandling that changes the exploited state; an image taken first preserves a reference copy.
Incorrect Answers:
A: Hashes help to demonstrate that evidence has not been altered, and known-good hash sets should be available before an incident in which evidence is to be collected. NIST (the National Institute of Standards and Technology) maintains a National Software Reference Library (NSRL). One of the purposes of the NSRL is to collect "known, traceable software applications" through their hash values and store them in a Reference Data Set (RDS). The RDS can then be used by law enforcement, government agencies, and businesses to determine which files are important as evidence in criminal investigations. However, according to the order of volatility, the first task should be to capture the system image.
B: Reviewing logs is part of evidence collection, but in the order of volatility it comes after the system image has been captured.
D: You first need to know which files were compromised before you can copy them.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 453-454
Question 486:
Computer evidence at a crime is preserved by making an exact copy of the hard disk. Which of the following does this illustrate?
A. Taking screenshots
B. System image capture
C. Chain of custody
D. Order of volatility
Correct Answer: B
A system image is a snapshot of what exists at the moment. Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it. An exact copy of the hard disk is exactly such an image.
Incorrect Answers:
A: Taking screenshots means capturing all relevant screen contents for later analysis; like video, it records what was displayed, not the contents of the disk.
C: Chain of custody is observed to ensure that each step taken with evidence is documented and accounted for from the point of collection.
D: Order of volatility helps when dealing with multiple sources of evidence; volatility refers to the time you have to collect certain data before the window of opportunity closes, because some data persists longer than other data.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 453
Question 487:
Which of the following should Jane, a security administrator, perform before a hard drive is analyzed with forensics tools?
A. Identify user habits
B. Disconnect system from network
C. Capture system image
D. Interview witnesses
Correct Answer: C
Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it, much as a virus sample is kept in a laboratory to study after an outbreak. Working from the image also keeps the forensic tools from altering the original drive. You should also act in the order of volatility, which places system image capture first on the list of a forensic analysis.
Incorrect Answers:
A: User habits cover password behavior, data handling, clean desk issues, tailgating and personally owned devices brought to the workplace. None of this helps analyze a hard drive with forensic tools.
B: Disconnecting the system from the network changes the system's current state, and by itself does nothing to preserve the hard drive before it is analyzed with forensic tools.
D: Witnesses are the users, not the hard drive that is to be forensically analyzed. Interviewing them is still important: the sooner you learn what happened from witnesses the better, because over time details and recollections change, and you want to capture their account before that occurs.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 453-454
Question 488:
An incident response team member needs to perform a forensics examination but does not have the required hardware. Which of the following will allow the team member to perform the examination with minimal impact to the potential evidence?
A. Using a software file recovery disc
B. Mounting the drive in read-only mode
C. Imaging based on order of volatility
D. Hashing the image after capture
Correct Answer: B
Mounting the drive in read-only mode prevents the operating system and the examination tools from writing to the drive, so the evidence on it is not altered; a hardware write blocker is the usual alternative when one is available. This in turn has the least impact on the potential evidence when the drive in question must be examined directly. Note that a plain read-only mount of a journaled file system can still replay the journal; on Linux, ext3/ext4 also need the noload mount option, or the block device should be set read-only with blockdev --setro before mounting.
Incorrect Answers:
A: A software file recovery disk restores whatever was changed or modified to a saved operational state and thus tampers with the evidence, which is contrary to what is required of the team member.
C: Imaging based on order of volatility produces snapshots of what exists on the hardware, but the team member does not have the hardware needed to image the drive and must work with the drive itself.
D: Hashing the image after capture preserves proof of what existed at the moment of capture, but here no image can be captured and the team member must run the forensic procedure on the drive itself.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 453-454, 461
Question 489:
Which of the following is a best practice when a mistake is made during a forensics examination?
A. The examiner should verify the tools before, during, and after an examination.
B. The examiner should attempt to hide the mistake during cross-examination.
C. The examiner should document the mistake and workaround the problem.
D. The examiner should disclose the mistake and assess another area of the disc.
Correct Answer: C
Every step in an incident response should be documented, including every action taken by end users and the incident-response team. A mistake during an examination is no exception: document it and how it was worked around, so the record remains complete and the examiner's credibility survives cross-examination.
Incorrect Answers:
A: Verifying the tools may help prevent a mistake during a forensic examination, but it does not address the actions to be taken should a mistake be made.
B: Hiding the mistake is not advisable as it would compromise the examination and would most likely be detected during the writing of the incident report.
D: Rather than moving to another area of the disc once the mistake has been acknowledged, the examiner should document it and work around it.
Question 490:
A customer service department has a business need to send high volumes of confidential information to customers electronically. All emails go through a DLP scanner. Which of the following is the BEST solution to meet the business needs and protect confidential information?
A. Automatically encrypt impacted outgoing emails
B. Automatically encrypt impacted incoming emails
C. Monitor impacted outgoing emails
D. Prevent impacted outgoing emails
Correct Answer: A
Encryption protects the confidentiality of data (and, combined with message authentication codes or digital signatures, its integrity and origin). Since all emails already pass through a DLP scanner and it is outgoing mail that requires protection, the best option is for the scanner to encrypt the impacted outgoing emails automatically.
Incorrect Answers:
B: Incoming email is not the issue at hand. The outgoing email is the confidential information being sent that requires protection.
C: Monitoring outgoing mail is already being done by the DLP system in place; monitoring alone does not protect the information.
D: You cannot prevent these emails from being sent, since sending them is part of the business procedure.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 248