A password history value of three means which of the following?
A. Three different passwords are used before one can be reused.
B. A password cannot be reused once changed for three years.
C. After three hours a password must be re-entered to continue.
D. The server stores passwords in the database for three days.
Correct Answer: A
Password History defines the number of unique new passwords a user must use before an old password can be reused.
Incorrect Answers:
B: Password history is not defined in time, but the number of unique new passwords.
C: Password History tracks previous passwords so as to prevent password reuse, not for the re-entering of a password.
D: Password History tracks previous passwords so as to prevent password reuse, it does not deal with password storage.
References:
https://technet.microsoft.com/en-us/library/cc956938.aspx
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p 293.
Question 562:
A recent audit has discovered that at the time of password expiration clients are able to recycle the previous credentials for authentication. Which of the following controls should be used together to prevent this from occurring? (Select TWO).
A. Password age
B. Password hashing
C. Password complexity
D. Password history
E. Password length
Correct Answer: AD
D: Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords.
A: When a user is forced to change his password due to a maximum password age period expiring, he could change his password to a previously used password. Or if a password history value of 5 is configured, the user could change his password six times to cycle back round to his original password. This is where the minimum password age comes in. This is the period that a password must be used for. For example, a minimum password age of 30 would determine that when a user changes his password, he must continue to use the same password for at least 30 days.
Incorrect Answers:
B: Hashing is a one-way function that creates a fixed-length output from an input of any length.
C, E: Password complexity combined with password length helps produce strong passwords, but they can be recycled if password age and history are not configured.
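As an added example (not from the exam guide or the cited references), the following Python model shows why the two controls in the answer work together. It is a toy policy engine with assumed names (Account, change_password, simulate_cycle) and an assumed 90-day maximum password age that forces the first change; it is not any vendor's implementation. With history alone, a user can churn through throwaway passwords at expiry and land back on the original after history value + 1 changes (six changes for a value of 5, four for the value of 3 in the earlier question); adding a minimum password age stops the churn after the first change.

```python
"""Toy account-policy engine: password history plus minimum password age (added example)."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)   # assumed expiry that forces a password change


def _hash(password: str, salt: bytes) -> bytes:
    # Only a salted hash of each remembered password is kept, never the plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class Account:
    """Remembers the current password plus up to history_depth - 1 earlier ones."""

    def __init__(self, password: str, now: datetime,
                 history_depth: int = 5, min_age: timedelta = timedelta(0)):
        self.history_depth = history_depth
        self.min_age = min_age
        self.history = []            # (salt, digest) pairs, newest last
        self.last_change = now
        self._remember(password)

    def _remember(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        del self.history[:-self.history_depth]   # forget anything older than the window

    def in_history(self, password: str) -> bool:
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.history)

    def verify(self, password: str) -> bool:
        salt, digest = self.history[-1]          # newest entry is the current password
        return hmac.compare_digest(_hash(password, salt), digest)


def change_password(acct: Account, new_password: str, now: datetime):
    """Return None on success, else the name of the control that blocked the change."""
    if now - acct.last_change < acct.min_age:
        return "minimum password age"
    if acct.in_history(new_password):
        return "password history"
    acct._remember(new_password)
    acct.last_change = now
    return None


def direct_reuse_blocked_by(history_depth: int = 5) -> str:
    """A plain attempt to set the old password again is caught by history alone."""
    created = datetime(2024, 1, 1)
    acct = Account("Original!1", created, history_depth)
    return change_password(acct, "Original!1", created + MAX_PASSWORD_AGE)


def simulate_cycle(history_depth: int, min_age_days: int):
    """At expiry, churn through throwaway passwords back to the original in one sitting.
    Returns (number of changes that succeeded, whether the original is back in use)."""
    created = datetime(2024, 1, 1)
    acct = Account("Original!1", created, history_depth, timedelta(days=min_age_days))
    now = created + MAX_PASSWORD_AGE          # expiry forces the first change
    changes = 0
    for i in range(history_depth):
        if change_password(acct, f"Throwaway{i}!", now) is not None:
            break                             # minimum age stops the churn here
        changes += 1
    else:
        if change_password(acct, "Original!1", now) is None:
            changes += 1                      # original has fallen out of the window
    return changes, acct.verify("Original!1")


if __name__ == "__main__":
    print("direct reuse blocked by:", direct_reuse_blocked_by())
    print("history 5, no min age:  ", simulate_cycle(5, 0))    # (6, True)
    print("history 5, min age 30:  ", simulate_cycle(5, 30))   # (1, False)
```

The window is trimmed after every successful change, so once history_depth throwaway passwords have been accepted the original hash is gone and is no longer matched; the minimum age check runs first and rejects any change made within the window since the last one, which is exactly the second change in the churn.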
Account lockout is a mitigation strategy used by Jane, the administrator, to combat which of the following attacks? (Select TWO).
A. Spoofing
B. Man-in-the-middle
C. Dictionary
D. Brute force
E. Privilege escalation
Correct Answer: CD
Account lockout is a useful method for slowing down online password-guessing attacks. A dictionary attack performs password guessing by making use of a pre-existing list of likely passwords. A brute-force attack is intended to try every possible valid combination of characters to create possible passwords in the attempt to discover the specific passwords used by user accounts.
Incorrect Answers:
A: Spoofing is the act of falsifying data by changing the source addresses of network packets.
B: A man-in-the-middle attack is a type of communications eavesdropping attack.
E: Privilege escalation is a breach of authorization restrictions and may be a breach of authentication.
A hacker has discovered a simple way to disrupt business for the day in a small company which relies on staff working remotely. In a matter of minutes the hacker was able to deny remotely working staff access to company systems with a script. Which of the following security controls is the hacker exploiting?
A. DoS
B. Account lockout
C. Password recovery
D. Password complexity
Correct Answer: B
B: Account lockout automatically disables an account due to repeated failed logon attempts. The hacker must have executed a script to repeatedly try logging on to the remote accounts, forcing the account lockout policy to activate.
Incorrect Answers:
A: Denial of service (DoS) is a form of attack whose principal objective is preventing the victimized system from performing valid actions or responding to valid traffic.
C: The users did not forget their passwords, they were locked out. Furthermore, most times users would be required to change their passwords instead of recovering them as it is not a secure solution.
D: Since the hacker did not gain access to the system, password complexity would not be exploited, as it forms part of the company's password policy.
During an audit, the security administrator discovers that there are several users that are no longer employed with the company but still have active user accounts. Which of the following should be performed?
A. Account recovery
B. Account disablement
C. Account lockouts
D. Account expiration
Correct Answer: B
Account Disablement should be implemented when a user will be gone from a company, whether they leave temporarily or permanently. In the case of permanently leaving the company the account should be disabled. Disablement means that the account will no longer be an active account.
Incorrect Answers:
A: Account recovery is usually done in cases where users have forgotten their password which they use to access their accounts. In this case the users have left the employment of the company.
C: The need to lock an account occurs when a user is attempting to log in but giving incorrect values; locking this account is necessary to prevent a would-be attacker from repeatedly guessing at password values until they find a match.
D: Account expiration is implemented when you want to force users to change their password to access their accounts on a regular basis.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 140, 141.
Question 566:
Which of the following security benefits would be gained by disabling a terminated user account rather than deleting it?
A. Retention of user keys
B. Increased logging on access attempts
C. Retention of user directories and files
D. Access to quarantined files
Correct Answer: A
Account Disablement should be implemented when a user will be gone from a company, whether they leave temporarily or permanently. In the case of permanently leaving the company the account should be disabled. Disablement means that the account will no longer be an active account and that the user keys for that account are retained, which would not be the case if the account was deleted from the system.
Incorrect Answers:
B: You will not be able to log on to a disabled account.
C: The user directories and files being retained would only be beneficial for data recovery purposes.
D: Disabling a terminated user account does not make its contents quarantined. Quarantine means isolating infected files.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 141.
Question 567:
Which of the following controls mitigates the risk of Matt, an attacker, gaining access to a company network by using a former employee's credential?
A. Account expiration
B. Password complexity
C. Account lockout
D. Dual factor authentication
Correct Answer: A
Account expiration is a secure feature to employ on user accounts for temporary workers, interns, or consultants. It automatically disables a user account or causes the account to expire at a specific time and on a specific day.
Incorrect Answers:
B: Implementing password complexity would not work, as the user is a former employee and would not be there to change their password to a more complex one.
C: Account lockout automatically disables an account due to repeated failed logon attempts. Matt could get the password before reaching the logon attempt threshold.
D: Matt could still discover both authentication factors to gain access. With the account disabled, there is no chance of that happening.
ABC company has a lot of contractors working for them. The provisioning team does not always get notified that a contractor has left the company. Which of the following policies would prevent contractors from having access to systems in the event a contractor has left?
A. Annual account review
B. Account expiration policy
C. Account lockout policy
D. Account disablement
Correct Answer: B
Account expiration is a secure feature to employ on user accounts for temporary workers, interns, or consultants. It automatically disables a user account or causes the account to expire at a specific time and on a specific day.
Incorrect Answers:
A: An account review would conclude if users have been suitably completing their work tasks or whether there have been failed and/or successful attempts at violating company policies or the law. It would not prevent contractors from having access to systems in the event a contractor has left.
C: Account lockout automatically disables an account due to repeated failed logon attempts. It would not prevent contractors from having access to systems in the event a contractor has left.
D: The question states: "The provisioning team does not always get notified that a contractor has left the company". Therefore, disabling an account needs to happen automatically. The account expiration policy meets the requirements.
Which of the following is a BEST practice when dealing with user accounts that will only need to be active for a limited time period?
A. When creating the account, set the account to not remember password history.
B. When creating the account, set an expiration date on the account.
C. When creating the account, set a password expiration date on the account.
D. When creating the account, set the account to have time of day restrictions.
Correct Answer: B
Disablement is a secure feature to employ on user accounts for temporary workers, interns, or consultants. It automatically disables a user account or causes the account to expire at a specific time and on a specific day.
Incorrect Answers:
A: Disabling password history will allow password reuse. The account will remain active.
C: Password expiration compels users to change passwords after a specified period. The account will remain active.
D: Time of day restrictions limit when users can access specific systems based on the time of day or week. The account will remain active.
A user has forgotten their account password. Which of the following is the BEST recovery strategy?
A. Upgrade the authentication system to use biometrics instead.
B. Temporarily disable password complexity requirements.
C. Set a temporary password that expires upon first use.
D. Retrieve the user password from the credentials database.
Correct Answer: C
Since a user's password isn't stored on most operating systems (only a hash value is kept), most operating systems allow the administrator to change the value for a user who has forgotten theirs. This new value allows the user to log in and then immediately change it to another value that they can (ideally) remember. Also setting a temporary password to expire upon first use will not allow a hacker the opportunity or time to use it.
Incorrect Answers:
A: Using a biometric system is not going to recover a forgotten password.
B: Disabling password complexity requirements is not a recovery strategy; rather, it would be compromising your password policy.
D: It is not sound practice to keep user passwords in a credentials database, since most operating systems store user passwords hashed and the administrator will be able to change the value for a user who has forgotten theirs.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 140-141