CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 591:

  Users report that they are unable to access network printing services. The security technician checks the router access list and sees that web, email, and secure shell are allowed. Which of the following is blocking network printing?

  A. Port security

  B. Flood guards

  C. Loop protection

  D. Implicit deny

  Correct Answer: D

  Implicit deny says that if you aren't explicitly granted access or privileges for a resource, you're denied access by default. The scenario does not state that network printing is allowed in the router access list, therefore, it must be denied by default.

  Incorrect Answers:

  A: Port security in IT can mean the physical control of all connection points, the management of TCP and User Datagram Protocol (UDP) ports, or Port knocking. The issue in this case, however, is that network printing is not explicitly allowed in the ACL.

  B: A flood guard protects a private network against flooding or massive-traffic DoS attacks. The issue in this case, however, is that network printing is not explicitly allowed in the ACL.

  C: Loop protection is the resolving of a transmission pathway that repeats itself. It includes the use of Spanning Tree Protocol (STP) for Ethernet and the IP header TTL value. The issue in this case, however, is that network printing is not explicitly allowed in the ACL.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 24, 25, 284.

• Question 592:

  Which of the following is best practice to put at the end of an ACL?

  A. Implicit deny

  B. Time of day restrictions

  C. Implicit allow

  D. SNMP string

  Correct Answer: A

  An implicit deny clause is implied at the end of each ACL. This implies that if you aren't specifically granted access or privileges for a resource, you're denied access by default. The implicit deny clause is set by the system.

  Incorrect Answers:

  B: Time of day restrictions limit when users can access specific systems based on the time of day or week. They do not appear at the end of an ACL.

  C: Implicit allow does not appear at the end of an ACL.

  D: An SNMP string is similar to a user id or password that permits access to a router's or other device's statistics. They do not appear at the end of an ACL.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 26, 280.

  http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol

• Question 593:

  Which of the following allows a network administrator to implement an access control policy based on individual user characteristics and NOT on job function?

  A. Attributes based

  B. Implicit deny

  C. Role based

  D. Rule based

  Correct Answer: A

  Attribute-based access control allows access rights to be granted to users via policies, which combine attributes together. The policies can make use of any type of attributes, which includes user attributes, resource attributes and environment attributes.

  Incorrect Answers:

  B: Implicit deny says that if you aren't explicitly granted access or privileges for a resource, you're denied access by default. An access control policy is not required for Implicit deny.

  C: Role-based Access Control is basically based on a user's job description. When a user is assigned a specific role in an environment, that user's access to objects is granted based on the required tasks of that role. The question states that the access control policy should not be based on job function.

  D: Rule-based access control is used for network devices, such as firewalls and routers, which filter traffic based on filtering rules. The question states that the access control policy should based on individual user characteristics, not devices.

  References:

  http://en.wikipedia.org/wiki/Attribute-based_access_control Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 280, 284.

• Question 594:

  A user attempting to log on to a workstation for the first time is prompted for the following information before being granted access: username, password, and a four-digit security pin that was mailed to him during account registration. This is an example of which of the following?

  A. Dual-factor authentication

  B. Multifactor authentication

  C. Single factor authentication

  D. Biometric authentication

  Correct Answer: C

  Multi-factor authentication (MFA) is a method of computer access control which a user can pass by successfully presenting authentication factors from at least two of the three categories:

  knowledge factors ("things only the user knows"), such as passwords possession factors ("things only the user has"), such as ATM cards inherence factors ("things only the user is"), such as biometrics

  In this question a username, password, and a four-digit security pin knowledge are all knowledge factors (something the user knows). Therefore, this is single- factor authentication.

  Incorrect Answers:

  A: Dual factor authentication uses two factors of authentication. There are three main factors of authentication: knowledge factors, possession factors and inherence factors. In this question, only one factor (knowledge factor) is being used.

  B: Multi-factor authentication uses more than one factor of authentication. There are three main factors of authentication: knowledge factors, possession factors and inherence factors. In this question, only one factor (knowledge factor) is being used.

  D: Biometric authentication is an inherence factor something specific to the user such as a fingerprint or a retina scan. Neither are being used in this question.

  References: http://en.wikipedia.org/wiki/Multi-factor_authentication

• Question 595:

  A company wants to ensure that all credentials for various systems are saved within a central database so that users only have to login once for access to all systems. Which of the following would accomplish this?

  A. Multi-factor authentication

  B. Smart card access

  C. Same Sign-On

  D. Single Sign-On

  Correct Answer: D

  Single sign-on means that once a user (or other subject) is authenticated into a realm, re- authentication is not required for access to resources on any realm entity. Single sign-on is able to internally translate and store credentials for the various mechanisms, from the credential used for original authentication.

  Incorrect Answers:

  A: Multifactor authentication requires a user to provide two or more authentication factors for authentication purposes. It does not guarantee that users only have to login once for access to all systems.

  B: Smart cards are credit-card-sized IDs, badges, or security passes with an embedded integrated circuit chip that can include data regarding the authorized bearer. This data can then be used for identification and/or authentication purposes. It does not guarantee that users only have to login once for access to all systems.

  C: Same Sign-On means that users will have to re-enter their credentials, but they can use the exact same credentials they use to sign on locally.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 282, 284. http://blogs.technet.com/b/jeff_stokes/archive/2013/07/08/today-s-cloud-tip-same-sign-on-vs- single-sign-on.aspx

• Question 596:

  After Ann, a user, logs into her banking websites she has access to her financial institution mortgage, credit card, and brokerage websites as well. Which of the following is being described?

  A. Trusted OS

  B. Mandatory access control

  C. Separation of duties

  D. Single sign-on

  Correct Answer: D

  Single sign-on means that once a user (or other subject) is authenticated into a realm, re- authentication is not required for access to resources on any realm entity. The question states that when Ann logs into her banking websites she has access to her financial institution mortgage, credit card, and brokerage websites as well. This describes an SSO scenario.

  Incorrect Answers:

  A: Trusted OS requires a particular OS to be present in order to gain access to a resource.

  B: Mandatory Access Control allows access to be granted or restricted based on the rules of classification.

  C: Separation of duties divides administrator or privileged tasks into separate groupings.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 82, 246, 278, 284.

• Question 597:

  LDAP and Kerberos are commonly used for which of the following?

  A. To perform queries on a directory service

  B. To store usernames and passwords for Federated Identity

  C. To sign SSL wildcard certificates for subdomains

  D. To utilize single sign-on capabilities

  Correct Answer: D

  Single sign-on is usually achieved via the Lightweight Directory Access Protocol (LDAP), although Kerberos can also be used.

  Incorrect Answers:

  A: This refers to LDAP only.

  B: Federated Identity links a subject's accounts from several sites, services, or entities in a single account. It does not make use of LDAP and Kerberos.

  C: SSL wildcard certificates are public key certificates, which can be used with multiple subdomains of a domain, for securing web sites with HTTPS.

  References: http://en.wikipedia.org/wiki/Single_sign-on http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol http://en.wikipedia.org/wiki/Federated_identity http://en.wikipedia.org/wiki/Wildcard_certificate

• Question 598:

  A security technician has been asked to recommend an authentication mechanism that will allow users to authenticate using a password that will only be valid for a predefined time interval. Which of the following should the security technician recommend?

  A. CHAP

  B. TOTP

  C. HOTP

  D. PAP

  Correct Answer: B

  Time-based one-time password (TOTP) tokens are devices or applications that generate passwords at fixed time intervals. Therefore, the password will only be valid for a predefined time interval.

  Incorrect Answers:

  A: The Challenge-Handshake Authentication Protocol (CHAP) is used primarily over dial-up connections to provide a secure transport mechanism for logon credentials.

  C: HMAC-based one-time password (HOTP) tokens are devices that generate passwords based on a nonrepeating one-way function. It is not restricted to time.

  D: PAP allows for two entities to share a password in advance and use the password as the basis of authentication. It is not dependant on time. References: Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 282, 283. http://en.wikipedia.org/wiki/Password_authentication_protocol#Working_cycle

• Question 599:

  An organization has introduced token-based authentication to system administrators due to risk of password compromise. The tokens have a set of numbers that automatically change every 30 seconds. Which of the following type of authentication mechanism is this?

  A. TOTP

  B. Smart card

  C. CHAP

  D. HOTP

  Correct Answer: A

  Time-based one-time password (TOTP) tokens are devices or applications that generate passwords at fixed time intervals. In this case, it's every 30 seconds.

  Incorrect Answers:

  B: A smart card is sometimes referred to as an identity token containing integrated circuits. It does not generate passwords based on time.

  C: The Challenge-Handshake Authentication Protocol (CHAP) is used primarily over dial-up connections to provide a secure transport mechanism for logon credentials. It does not generate passwords based on time.

  D: HMAC-based one-time password (HOTP) tokens are devices that generate passwords based on a nonrepeating one-way function.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 282,283.

• Question 600:

  Which of the following BEST describes using a smart card and typing in a PIN to gain access to a system?

  A. Biometrics

  B. PKI

  C. Single factor authentication

  D. Multifactor authentication

  Correct Answer: D

  Multifactor authentication requires a user to provide two or more authentication factors for authentication purposes. In this case, a smart card (something they have) is one and a PIN (something they know) is the second.

  Incorrect Answers:

  A: Biometrics refers to a collection of physical attributes of the human body that can be used for authentication. It is an authentication factor type. Something they are.

  B: Public Key Infrastructure (PKI) centers on proving the identity of communication partners. PKI makes use of asymmetric cryptographic solutions to securely exchange session-based symmetric encryption keys. PKI also makes use of hashing to protect message integrity.

  C: Single factor authentication only requires one authentication factor for authentication purposes.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 282, 285, 350.