A small company has a website that provides online customer support. The company requires an account recovery process so that customers who forget their passwords can regain access.
Which of the following is the BEST approach to implement this process?
A. Replace passwords with hardware tokens which provide two-factor authentication to the online customer support site.
B. Require the customer to physically come into the company's main office so that the customer can be authenticated prior to their password being reset.
C. Web-based form that identifies customer by another mechanism and then emails the customer their forgotten password.
D. Web-based form that identifies customer by another mechanism, sets a temporary password and forces a password change upon first login.
Correct Answer: D
People tend to forget their passwords, so you should have a password recovery process for them that does not increase risk exposure. Setting a temporary password limits the time that the password is valid and thus decreases risk; in addition, forcing the customer to change it upon first login makes the password more secure for the customer.
Incorrect Answers:
A: Two-factor authentication is a security process in which the user provides two means of identification, one of which is typically a physical token, such as a card, and the other of which is typically something memorized, such as a security code. But in this case the problem stems from a forgotten password.
B: Requiring customers to physically come in to the company's main office is not a viable option: what if the customer is on a different continent?
C: Emailing customers their forgotten password is risky, as the email can be intercepted. A forgotten password is best eliminated from the system, because a forgotten password that is still active can compromise your business as well as your customers.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 139, 142
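The recovery flow that option D describes, as an added example that is not part of the original question bank or of the cited study guide: only a salted hash is ever stored (so there is no stored password to email, which is why option C cannot even be implemented safely), a random temporary password is issued only after the caller has identified the customer by another mechanism, it expires after a fixed window, and a login with it is refused until the customer sets a new password. The 15-minute lifetime, the 12-character minimum for the new password and the PBKDF2 parameters are assumed values chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TEMP_PASSWORD_TTL = 15 * 60   # seconds a temporary password stays valid (assumed value)
MIN_NEW_PASSWORD_LEN = 12     # assumed minimum length for the customer's replacement password
PBKDF2_ITERATIONS = 100_000   # assumed work factor


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes                           # only a salted hash is kept, never the password
    must_change: bool = False                # True while a temporary password is in effect
    temp_expires_at: Optional[float] = None  # epoch seconds; None when no temporary password is set


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_account(store: dict, username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    store[username] = Account(username, salt, hash_password(password, salt))


def issue_temporary_password(store: dict, username: str, now: Optional[float] = None) -> str:
    """Call only after the customer has been identified by another mechanism
    (security questions, a code sent to a registered phone, etc.).
    Replaces the stored hash with that of a random temporary password and flags
    the account so that the first login must change it. The temporary password is
    returned once for out-of-band delivery and is never stored in clear text."""
    acct = store[username]
    now = time.time() if now is None else now
    temp = secrets.token_urlsafe(12)
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = hash_password(temp, acct.salt)
    acct.must_change = True
    acct.temp_expires_at = now + TEMP_PASSWORD_TTL
    return temp


def login(store: dict, username: str, password: str, now: Optional[float] = None) -> str:
    """Returns "ok", "invalid", "expired_temp" or "must_change"."""
    now = time.time() if now is None else now
    acct = store.get(username)
    if acct is None:
        return "invalid"
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        return "invalid"
    if acct.temp_expires_at is not None and now > acct.temp_expires_at:
        return "expired_temp"   # the temporary password lapsed; recovery must be repeated
    if acct.must_change:
        return "must_change"    # correct temporary password, but no access until it is replaced
    return "ok"


def change_password(store: dict, username: str, current: str, new: str,
                    now: Optional[float] = None) -> bool:
    """Replaces the password, clearing the forced-change flag. The current
    (possibly temporary) password must still be valid, and the new one must
    differ from it and meet the minimum length."""
    if new == current or len(new) < MIN_NEW_PASSWORD_LEN:
        return False
    if login(store, username, current, now) not in ("ok", "must_change"):
        return False
    acct = store[username]
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = hash_password(new, acct.salt)
    acct.must_change = False
    acct.temp_expires_at = None
    return True


if __name__ == "__main__":
    accounts: dict = {}
    create_account(accounts, "customer1", "correct horse battery staple")
    temp = issue_temporary_password(accounts, "customer1")
    print("temporary password status:", login(accounts, "customer1", temp))      # must_change
    print("changed:", change_password(accounts, "customer1", temp, "a brand new passphrase"))
    print("new password status:", login(accounts, "customer1", "a brand new passphrase"))  # ok
```

Note that issuing the temporary password also invalidates the forgotten one, so a stale credential never stays live alongside the new one, and an expired temporary password simply sends the customer back through the identification step.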
Question 572:
An insurance company requires an account recovery process so that information created by an employee can be accessed after that employee is no longer with the firm. Which of the following is the BEST approach to implement this process?
A. Employee is required to share their password with authorized staff prior to leaving the firm
B. Passwords are stored in a reversible form so that they can be recovered when needed
C. Authorized employees have the ability to reset passwords so that the data is accessible
D. All employee data is exported and imported by the employee prior to them leaving the firm
Correct Answer: C
Since a user's password isn't stored on most operating systems (only a hash value is kept), most operating systems allow the administrator (or, in this case, an authorized person) to change the value, after which the information/files/documents can be accessed. This is the safest way of recovery by an authorized person, and it is not dependent on those who leave the firm.
Incorrect Answers:
A: No user should be expected to share their password, regardless of the circumstances. Shared passwords go against normal security procedures.
B: Storing passwords in a reversible form is not best practice and thus not risk avoidance.
D: This may not always be possible as the circumstances can differ vastly when employees leave the firm.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 140-142
Question 573:
The IT department has setup a website with a series of questions to allow end users to reset their own accounts. Which of the following account management practices does this help?
A. Account Disablements
B. Password Expiration
C. Password Complexity
D. Password Recovery
Correct Answer: D
People tend to forget their own passwords, and because a user's password is not stored on the operating system (only a hash value is kept), most operating systems allow the administrator to change the value, meaning that the password can then be recovered. If you allow end users to reset their own accounts, the password recovery process is helped along.
Incorrect Answers:
A: Account disablement is akin to locking an account when users go on leave, leave the company, etc. This is not aided in any way by allowing end users to reset their own accounts.
B: Password expiration is a practice that should be implemented to mitigate security risks since the longer a password is in use, the easier it can be broken. This has nothing to do with resetting account passwords.
C: Password complexity refers to the degree of difficulty of the password. The more difficult/complex it is, the more difficult it will be for a miscreant to guess. This is not the same as allowing end users to reset their own accounts.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 139-140
Question 574:
Which of the following should be done before resetting a user's password due to expiration?
A. Verify the user's domain membership.
B. Verify the user's identity.
C. Advise the user of new policies.
D. Verify the proper group membership.
Correct Answer: B
When resetting a password, users have to establish their identity by answering a series of personal questions, using a hardware authentication token, or responding to a password notification e-mail. Users can then either specify a new, unlocked password, or ask that a randomly generated one be provided. This can be done from their workstation login prompt, or through a telephone call.
Incorrect Answers:
A, D: Domain membership and group membership depend on the user's identity. Therefore, their identity has to be verified first.
C: Advising the user of new policies will not help reset their password. Verifying their identity will.
A security administrator is concerned about the strength of users' passwords. The company does not want to implement a password complexity policy. Which of the following can the security administrator implement to mitigate the risk of an online password attack against users with weak passwords?
A. Increase the password length requirements
B. Increase the password history
C. Shorten the password expiration period
D. Decrease the account lockout time
Correct Answer: C
Reducing the password expiration period will require passwords to be changed at the end of that period. A password needs to be changed if it doesn't meet the compliance requirements of the company's password policy, or is evidently insecure. It will also need to be changed if it has been reused, or because of possible compromise as a result of a system intrusion. Shortening the period gives online password attackers less time to crack the weak passwords.
Incorrect Answers:
A: Increasing the password length will not make the new passwords less susceptible to online password attackers.
B: Password history tracks previous passwords to prevent password reuse. It will not make the new passwords less susceptible to online password attackers.
D: Account lockout automatically disables an account after repeated failed logon attempts. When the account is unlocked, it will still have the same weak password and still be susceptible to online password attacks.
Sara, a security manager, has decided to force expiration of all company passwords by the close of business day. Which of the following BEST supports this reasoning?
A. A recent security breach in which passwords were cracked.
B. Implementation of configuration management processes.
C. Enforcement of password complexity requirements.
D. Implementation of account lockout procedures.
Correct Answer: A
A password only needs to be changed if it doesn't meet the compliance requirements of the company's password policy, or is evidently insecure. It will also need to be changed if it has been reused, or due to possible compromise as a result of a system intrusion.
Incorrect Answers:
B: Configuration management provides visibility and control of a system's performance, as well as its functional and physical attributes.
C: Password complexity normally requires a minimum of three out of four standard character types to be represented in the password. It would not require forcing expiration of all company passwords by the close of business day.
D: Account lockout automatically disables an account due to repeated failed log on attempts. It would not require forcing expiration of all company passwords by the close of business day.
The systems administrator notices that many employees are using passwords that can be easily guessed or are susceptible to brute force attacks. Which of the following would BEST mitigate this risk?
A. Enforce password rules requiring complexity.
B. Shorten the maximum life of account passwords.
C. Increase the minimum password length.
D. Enforce account lockout policies.
Correct Answer: A
Password complexity often requires the use of a minimum of three out of four standard character types for a password. The longer a password is, and the more character types it includes, the more resistant it is to brute force attacks.
Incorrect Answers:
B: Reducing the maximum life of account passwords will require passwords to be changed at the end of that period. This will not make the new passwords less susceptible to brute force attacks.
C: Increasing the password length will not make the new passwords less susceptible to brute force attacks.
D: Account lockout automatically disables an account due to repeated failed log on attempts. It will not make the new passwords less susceptible to brute force attacks.
An internal auditing team would like to strengthen the password policy to support special characters. Which of the following types of password controls would achieve this goal?
A. Add reverse encryption
B. Password complexity
C. Increase password length
D. Allow single sign on
Correct Answer: B
Generally, the minimum password length is considered to be 8 upper and lowercase characters. The use of at least one non-alpha character like punctuation, special characters, or numbers, combined with the password length produces strong passwords. Strong passwords are produced by the combination of a password's length and complexity.
Incorrect Answers:
A: Typical protocol components, like encryption and hash functions, can be reverse-engineered automatically by tracing the execution of protocol implementations and trying to identify buffers in memory holding unencrypted packets. It will not strengthen the password policy to support special characters.
C: Increasing the password length will not necessarily support special characters.
D: Single sign-on means that once a user (or other subject) is authenticated into a realm, they need not re-authenticate to access resources on any realm entity. It will not strengthen the password policy to support special characters.
After a recent internal audit, the security administrator was tasked to ensure that all credentials must be changed within 90 days, cannot be repeated, and cannot contain any dictionary words or patterns. All credentials will remain enabled regardless of the number of attempts made. Which of the following types of user account options were enforced? (Select TWO).
A. Recovery
B. User assigned privileges
C. Lockout
D. Disablement
E. Group based privileges
F. Password expiration
G. Password complexity
Correct Answer: FG
Password complexity often requires the use of a minimum of three out of four standard character types for a password. The more characters in a password that includes some character type complexity, the more resistant it is to password-cracking techniques. In most cases, passwords are set to expire every 90 days.
Incorrect Answers:
A: Recovery of a password requires that the password storage mechanism be reversible or that passwords be stored in multiple ways. Requiring passwords to be changed is more secure than recovering them.
B: User assigned privileges can be assigned by the user. It will not ensure that all credentials must be changed within 90 days.
C: Account lockout settings determine the number of failed login attempts before the account gets locked and how long the account will be locked out for. The question states: "All credentials will remain enabled regardless of the number of attempts made."
D: Disablement automatically disables a user account or causes the account to expire at a specific time and on a specific day. It will not ensure that all credentials must be changed within 90 days.
E: Group-based privileges grant each group member the same level of access to a certain object. It will not ensure that all credentials must be changed within 90 days.
When Ann, an employee, returns to work and logs into her workstation, she notices that several desktop configuration settings have changed. Upon a review of the CCTV logs, it is determined that someone logged into Ann's workstation. Which of the following could have prevented this from happening?
A. Password complexity policy
B. User access reviews
C. Shared account prohibition policy
D. User assigned permissions policy
Correct Answer: A
The most important countermeasure against password crackers is to use long, complex passwords that are changed regularly. Since changes were made to Ann's desktop configuration settings while she was not at work, her password must have been compromised.
Incorrect Answers:
B: User access reviews are performed to determine whether users have been performing their work tasks correctly, or whether there have been failed and/or successful attempts at violating company policies or the law. It would not have prevented Ann's password from being compromised.
C: Shared account prohibition aids in providing user accountability. It would not have prevented Ann's password from being compromised.
D: User assigned permissions can be assigned by the user. Since Ann's workstation was accessed using her password, the intruder would also have her permissions.