CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 601:

  Speaking a passphrase into a voice print analyzer is an example of which of the following security concepts?

  A. Two factor authentication

  B. Identification and authorization

  C. Single sign-on

  D. Single factor authentication

  Correct Answer: A

  Two-factor authentication is when two different authentication factors are provided for authentication purposes.

  Speaking (Voice) something they are.

  Passphrase something they know.

  Incorrect Answers:

  B: Identification is the act of claiming an identity using a single authentication factor, and authorization controls what a subject can and can't do, access, use, or view.

  C: Single sign-on (SSO) is to give users access to all the applications and systems they need when they log on.

  D: Single factor authentication only requires one authentication factor for authentication purposes.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 278- 284.

• Question 602:

  One of the most basic ways to protect the confidentiality of data on a laptop in the event the device is physically stolen is to implement which of the following?

  A. File level encryption with alphanumeric passwords

  B. Biometric authentication and cloud storage

  C. Whole disk encryption with two-factor authentication

  D. BIOS passwords and two-factor authentication

  Correct Answer: C

  Whole-disk encryption only provides reasonable protection when the system is fully powered off. to make the most of the defensive strength of whole-disk encryption, a long, complex passphrase should be used to unlock the system on bootup. Combining whole-disk encryption with two factor authentication would further increase protection.

  Incorrect Answers:

  A: configuring file level encryption with alphanumeric passwords would still allow thieves access to the system, and time to crack the password.

  B: Biometric authentication and cloud storage would work, but the question requires a basic solution.

  D: BIOS passwords are easily removed by removing the CMOS battery, allowing a thief to power up the laptop. Once powered on, the thief can crack passwords at their leisure.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 252, 282.

  https://www.technibble.com/how-to-bypass-or-remove-a-bios-password/

• Question 603:

  A company requires that a user's credentials include providing something they know and something they are in order to gain access to the network. Which of the following types of authentication is being described?

  A. Biometrics

  B. Kerberos

  C. Token

  D. Two-factor

  Correct Answer: D

  Two-factor authentication is when two different authentication factors are provided for authentication purposes. In this case, "something they know and something they are". Incorrect Answers:

  A: Biometrics refers to a collection of physical attributes of the human body that can be used for authentication. It is an authentication factor type. Something they are.

  B: Kerberos is used for the security and protection of authentication credentials.

  C: Tokens is an authentication factor type. Something they have.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 272, 280, 281, 282.

• Question 604:

  A company with a US-based sales force has requested that the VPN system be configured to authenticate the sales team based on their username, password and a client side certificate. Additionally, the security administrator has restricted the VPN to only allow authentication from the US territory. How many authentication factors are in use by the VPN system?

  A. 1

  B. 2

  C. 3

  D. 4

  Correct Answer: C

  Three different types of authentication factors have been used in this question:

  Something you know username and password.

  Something you have - client side certificate.

  Somewhere you are - authentication to the VPN is only allowed from the U.S. territory.

  Incorrect Answers:

  A: This option refers to single factor authentication, which only makes use of one authentication factor.

  B: This option refers to two-factor authentication, which makes use of two different authentication factors.

  D: This option refers to four-factor authentication, which makes use of four different authentication factors.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 280, 282.

• Question 605:

  Which of the following protocols provides for mutual authentication of the client and server?

  A. Two-factor authentication

  B. Radius

  C. Secure LDAP

  D. Biometrics

  Correct Answer: C

  C: The LDAP directory service is based on a client-server model. The function of LDAP is to enable access to an existing directory. Because it is a client-server model it makes provision for mutual authentication between the two parties.

  Incorrect Answers:

  A: Two-factor authentication refers to an authentication method used to gain access, not a protocol.

  B: Remote Authentication Dial-In User Service (RADIUS) is a mechanism that allows authentication of remote and other network connections. You should use RADIUS when you want to improve network security by implementing a single

  service to authenticate users who connect remotely to the network.

  D: Biometrics is a physical security measure which makes use of some kind of unique biological trait as a means of identification. It is not a protocol.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 154, 147, 375.

  https://msdn.microsoft.com/en-us/library/aa367008%28v=vs.85%29.aspx

• Question 606:

  Which of the following is an example of multifactor authentication?

  A. Credit card and PIN

  B. Username and password

  C. Password and PIN

  D. Fingerprint and retina scan

  Correct Answer: A

  A credit card is a memory card that functions a type of two-factor authentication. The card is something you have, and its PIN is something you know. Multifactor authentication requires a user to provide two or more different types of

  authentication factors to prove their identity.

  Incorrect Answers:

  B, C, D: Each of these options offers 2 authentication factors. Each authentication factor pair is, however, of the same type.

  Username and password something you know.

  Password and PIN something you know.

  Fingerprint and retina scan something you are.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 280, 282.

• Question 607:

  A technician wants to implement a dual factor authentication system that will enable the organization to authorize access to sensitive systems on a need-to-know basis. Which of the following should be implemented during the authorization stage?

  A. Biometrics

  B. Mandatory access control

  C. Single sign-on

  D. Role-based access control

  Correct Answer: A

  This question is asking about "authorization", not authentication.

  Mandatory access control (MAC) is a form of access control commonly employed by government and military environments. MAC specifies that access is granted based on a set of rules rather than at the discretion of a user. The rules that govern MAC are hierarchical in nature and are often called sensitivity labels, security domains, or classifications.

  MAC can also be deployed in private sector or corporate business environments. Such cases typically involve the following four security domain levels (in order from least sensitive to most sensitive):

  Public Sensitive Private Confidential

  A MAC environment works by assigning subjects a clearance level and assigning objects a sensitivity label--in other words, everything is assigned a classification marker. Subjects or users are assigned clearance levels. The name of the clearance level is the same as the name of the sensitivity label assigned to objects or resources. A person (or other subject, such as a program or a computer system) must have the same or greater assigned clearance level as the resources they wish to access. In this manner, access is granted or restricted based on the rules of classification (that is, sensitivity labels and clearance levels). MAC is named as it is because the access control it imposes on an environment is mandatory. Its assigned classifications and the resulting granting and restriction of access can't be altered by users. Instead, the rules that define the environment and judge the assignment of sensitivity labels and clearance levels control authorization. MAC isn't a very granularly controlled security environment. An improvement to MAC includes the use of need to know: a security restriction where some objects (resources or data) are restricted unless the subject has a need to know them. The objects that require a specific need to know are assigned a sensitivity label, but they're compartmentalized from the rest of the objects with the same sensitivity label (in the same security domain). The need to know is a rule in and of itself, which states that access is granted only to users who have been assigned work tasks that require access to the cordoned-off object. Even if users have the proper level of clearance, without need to know, they're denied access. Need to know is the MAC equivalent of the principle of least privilege from DAC

  Incorrect Answers:

  A: Biometrics is used in authentication. Biometrics includes fingerprints and retina scans. This question is asking about "authorization", which generally comes after authentication.

  C: Single sign-on is used to access multiple systems with a single login. Single sign-on is used for authentication, not authorization.

  D: Role-based access control (RBAC) defines access to resources based on job role. We need to authorize access to sensitive systems on a need-to-know basis. Therefore, the default access should be "no access" unless the person can prove a `need to know'. RBAC would give everyone performing a role access to the sensitive system.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 278- 284.

• Question 608:

  A Chief Information Security Officer (CISO) wants to implement two-factor authentication within the company. Which of the following would fulfill the CISO's requirements?

  A. Username and password

  B. Retina scan and fingerprint scan

  C. USB token and PIN

  D. Proximity badge and token

  Correct Answer: C

  Multi-factor authentication (MFA) is a method of computer access control which a user can pass by successfully presenting authentication factors from at least two of the three categories:

  knowledge factors ("things only the user knows"), such as passwords possession factors ("things only the user has"), such as ATM cards inherence factors ("things only the user is"), such as biometrics

  In this question, a USB token is a possession factor (something the user has) and a PIN is a knowledge factor (something the user knows).

  Incorrect Answers:

  A: A username and password are both knowledge factors (something the user knows). Therefore, this answer only provides single-factor authentication.

  B: A retina scan and fingerprint scan are both inherence factors (something only that user has). Therefore, this answer only provides single-factor authentication.

  D: A proximity badge and token are both possession factors (something the user has). Therefore, this answer only provides single-factor authentication.

  References: http://en.wikipedia.org/wiki/Multi-factor_authentication

• Question 609:

  Employee badges are encoded with a private encryption key and specific personal information. The encoding is then used to provide access to the network. Which of the following describes this access control type?

  A. Smartcard

  B. Token

  C. Discretionary access control

  D. Mandatory access control

  Correct Answer: A

  Smart cards are credit-card-sized IDs, badges, or security passes with an embedded integrated circuit chip that can include data regarding the authorized bearer. This data can then be used for identification and/or authentication purposes.

  Incorrect Answers:

  B: A token is a type of authentication factor, usually a hardware device.

  C: Discretionary access control (DAC) allows access to be granted or restricted by an object's owner based on user identity and on the discretion of the object owner. DAC does not involve badges.

  D: Mandatory Access Control allows access to be granted or restricted based on the rules of classification. MAC does not involve badges.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 278- 282.

• Question 610:

  Use of a smart card to authenticate remote servers remains MOST susceptible to which of the following attacks?

  A. Malicious code on the local system

  B. Shoulder surfing

  C. Brute force certificate cracking

  D. Distributed dictionary attacks

  Correct Answer: A

  Once a user authenticates to a remote server, malicious code on the user's workstation could then infect the server.

  Incorrect Answers:

  B: Shoulder surfing is when a malicious user can watch your keyboard or view your display to figure out your password. This would not work as you are using a smart card.

  C: Brute force attacks are designed to try every possible valid combination of characters to construct possible passwords in the attempt to discover the specific passwords used by user accounts. This would not work as you are using a smart card.

  D: Dictionary attacks create hashes to compare via prebuilt lists of potential passwords. This would not work as you are using a smart card.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 278- 282.