A user in the company is in charge of various financial roles but needs to prepare for an upcoming audit. They use the same account to access each financial system. Which of the following security controls will MOST likely be implemented within the company?
A. Account lockout policy
B. Account password enforcement
C. Password complexity enabled
D. Separation of duties
Correct Answer: D
Separation of duties means that users are granted only the permissions they need to do their work and no more. Moreover, it means that there is differentiation between users, employees and duties, which forms part of best practices.
Incorrect Answers:
A: An account lockout policy only needs to be implemented when you need to deny a user access. The user in this case does not have to be locked out.
B: The account policy determines the security parameters regarding who can and cannot access the system. In this scenario the user must have access.
C: Password complexity only makes it more difficult for a miscreant to break in and use someone else's account.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 139, 141, 153
Question 542:
A company uses PGP to ensure that sensitive email is protected. Which of the following types of cryptography is being used here for the key exchange?
A. Symmetric
B. Session-based
C. Hashing
D. Asymmetric
Correct Answer: A
PGP combines symmetric-key encryption and public-key encryption. The message is encrypted using a symmetric encryption algorithm, which requires a symmetric key. Each symmetric key is used only once and is also called a session key.
Incorrect Answers:
B: The key is a session key, but it is calculated using symmetric encryption.
C: PGP uses hashing to create a digital signature from the plaintext, not for the key exchange.
D: PGP uses symmetric-key encryption, not asymmetric.
References:
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 272-273
Question 543:
Which of the following protocols uses an asymmetric key to open a session and then establishes a symmetric key for the remainder of the session?
A. SFTP
B. HTTPS
C. TFTP
D. TLS
Correct Answer: D
SSL establishes a session using asymmetric encryption and maintains the session using symmetric encryption.
Incorrect Answers:
A: SFTP, Secure File Transfer Protocol, does not provide authentication and security; it expects the underlying protocol to secure this.
B: HTTPS, "HTTP over SSL/TLS", is not a protocol in and of itself; rather, it is the result of simply layering the Hypertext Transfer Protocol (HTTP) on top of the SSL or TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications.
C: TFTP, Trivial File Transfer Protocol, includes no login or access control mechanisms.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 76, 268-269, 274
Question 544:
Which of the following techniques enables a highly secured organization to assess security weaknesses in real time?
A. Access control lists
B. Continuous monitoring
C. Video surveillance
D. Baseline reporting
Correct Answer: B
Continuous monitoring points toward the never-ending review of what resources a user actually accesses, which is critical for preventing insider threats. Because the process is never-ending, assessments happen in real time.
Incorrect Answers:
A: An Access Control List (ACL) specifies which users are allowed or refused the different types of available access based on the object type. It does not assess security weaknesses in real time.
C: Video surveillance provides real time monitoring of physical threats.
D: A baseline report compares the current status of network systems in terms of security updates, performance or other metrics to a predefined set of standards. It does not assess security weaknesses in real time.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 154, 156, 372.
In order for network monitoring to work properly, you need a PC and a network card running in what mode?
A. Launch
B. Exposed
C. Promiscuous
D. Sweep
Correct Answer: C
Promiscuous mode allows the network card to look at any packet that it sees on the network. This even includes packets that are not addressed to that network card.
Incorrect Answers:
A, B, D: These options are not valid modes for network cards. For network monitoring to work properly, you require a PC with a NIC running in promiscuous mode and monitoring software.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 46.
Question 546:
A recent audit of a company's identity management system shows that 30% of active accounts belong to people no longer with the firm. Which of the following should be performed to help avoid this scenario? (Select TWO).
A. Automatically disable accounts that have not been utilized for at least 10 days.
B. Utilize automated provisioning and de-provisioning processes where possible.
C. Request that employees provide a list of systems that they have access to prior to leaving the firm.
D. Perform regular user account review / revalidation process.
E. Implement a process where new account creations require management approval.
Correct Answer: BD
Provisioning and de-provisioning processes can occur manually or automatically. Since the manual processes are so time consuming, the automated option should be used as it is more efficient. Revalidating user accounts would determine which users are no longer active.
Incorrect Answers:
A: Disabling the accounts would work for users who would return, but these users will not be returning. Therefore, they must be removed.
C: This option will tell you which systems you need to access to manually remove users. This would take a long time, and might allow users to access those systems after they have left.
E: Account creation is not the problem in this case. It is the fact that accounts aren't being removed when users have left.
Privilege creep among long-term employees can be mitigated by which of the following procedures?
A. User permission reviews
B. Mandatory vacations
C. Separation of duties
D. Job function rotation
Correct Answer: A
Privilege creep is the steady build-up of access rights beyond what a user requires to perform his/her task. Privilege creep can be decreased by conducting periodic access rights reviews, which confirm each user's need for specific roles and rights in an effort to find and rescind excess privileges.
Incorrect Answers:
B: Mandatory vacations require each employee to be on vacation for a minimal amount of time each year. During this time a different employee sits at their desk and performs their work tasks.
C: Separation of duties divides administrator or privileged tasks into separate groupings.
D: Job function rotation allows for employees to be knowledgeable about another employee's job function in the event that an employee is sick or on vacation.
A security analyst implemented group-based privileges within the company's Active Directory. Which of the following account management techniques should be undertaken regularly to ensure least privilege principles?
A. Leverage role-based access controls.
B. Perform user group clean-up.
C. Verify smart card access controls.
D. Verify SHA-256 for password hashes.
Correct Answer: B
Active Directory (AD) has no built-in clean-up feature. This can result in obsolete user, group and computer objects accumulating over time and placing security and compliance objectives in jeopardy. You would therefore need to clean up these objects regularly.
Incorrect Answers:
A: Leveraging role-based access controls alone would not ensure least privilege principles.
C: Smart cards are credit-card-sized IDs, badges, or security passes with an embedded integrated circuit chip that allows you to physically access secure facilities. This would not ensure least privilege principles.
D: Hashing is used to detect violations of data integrity. This would not ensure least privilege principles.
A supervisor in the human resources department has been given additional job duties in the accounting department. Part of their new duties will be to check the daily balance sheet calculations on spreadsheets that are restricted to the accounting group. In which of the following ways should the account be handled?
A. The supervisor should be allowed to have access to the spreadsheet files, and their membership in the human resources group should be terminated.
B. The supervisor should be removed from the human resources group and added to the accounting group.
C. The supervisor should be added to the accounting group while maintaining their membership in the human resources group.
D. The supervisor should only maintain membership in the human resources group.
Correct Answer: C
You can assign permissions to access resources either to a user or to a group. The most efficient way is to assign permissions to a group (group-based privileges). Assigning the human resources supervisor's user account to the accounting group means the supervisor will inherit the permissions of that group, allowing him to carry out the new duties. Because the new duties are being added to his normal duties, maintaining membership in the human resources group will allow the supervisor to continue performing his normal duties.
Incorrect Answers:
A: Because the new duties are being added to his normal duties, terminating the supervisor's membership in the human resources group will prevent the supervisor from carrying out his normal duties as he will no longer have the required permissions.
B: Because the new duties are being added to his normal duties, removing the supervisor from the human resources group will prevent the supervisor from carrying out his normal duties as he will no longer have the required permissions.
D: Maintaining the supervisor's membership in the human resources group only will prevent the supervisor from carrying out his additional duties in the accounting department, as the supervisor will not have the required permissions.
References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p 294.
Question 550:
Which of the following practices reduces the management burden of access management?
A. Password complexity policies
B. User account audit
C. Log analysis and review
D. Group based privileges
Correct Answer: D
Granting permissions to all members of a group is quicker than individually assigning them to each user. This means an administrator will spend less time on assigning permissions to users who require the same access privileges.
Incorrect Answers:
A: Password complexity determines what a password should include. It will not reduce the management burden of access management.
B: User account auditing can be used to establish whether users have been suitably carrying out their work tasks or if there have been failed and/or successful attempts at violating company policies or the law. This helps to detect unauthorized access after it has occurred.
C: Log analysis is used for reviewing audit trails and log files for evidence of policy violations, malicious events, downtimes, bottlenecks, or other issues of concern. This helps to detect unauthorized access after it has occurred.