CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 621:

  Joe Has read and write access to his own home directory. Joe and Ann are collaborating on a project, and Joe would like to give Ann write access to one particular file in this home directory. Which of the following types of access control would this reflect?

  A. Role-based access control

  B. Rule-based access control

  C. Mandatory access control

  D. Discretionary access control

  Correct Answer: D

  Discretionary access control (DAC) allows access to be granted or restricted by an object's owner based on user identity and on the discretion of the object owner.

  Incorrect Answers:

  A: Basically, Role-based Access Control is based on a user's job description.

  B: Rule-based access control is used for network devices that filter traffic based on filtering rules.

  C: Mandatory Access Control allows access to be granted or restricted based on the rules of classification.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 278- 284.

• Question 622:

  Which of the following access controls enforces permissions based on data labeling at specific levels?

  A. Mandatory access control

  B. Separation of duties access control

  C. Discretionary access control

  D. Role based access control

  Correct Answer: A

  In a MAC environment everything is assigned a classification marker. Subjects are assigned a clearance level and objects are assigned a sensitivity label.

  Incorrect Answers:

  B: Separation of duties divides administrator or privileged tasks into separate groupings, which in turn, is individually assigned to unique administrators. It does not involve labelling at specific levels.

  C: Discretionary access control (DAC) allows access to be granted or restricted by an object's owner based on user identity and on the discretion of the object owner. It does not involve labelling at specific levels.

  D: Basically, Role-based Access Control is based on a user's job description. It does not involve labelling at specific levels.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 278- 284.

• Question 623:

  Which of the following common access control models is commonly used on systems to ensure a "need to know" based on classification levels?

  A. Role Based Access Controls

  B. Mandatory Access Controls

  C. Discretionary Access Controls

  D. Access Control List

  Correct Answer: B

  Mandatory Access Control allows access to be granted or restricted based on the rules of classification. MAC also includes the use of need to know. Need to know is a security restriction where some objects are restricted unless the subject has a need to know them.

  Incorrect Answers:

  A: Basically, Role-based Access Control is based on a user's job description. It does not include the use of need to know.

  C: Discretionary access control (DAC) is identity based, not based on classification levels.

  D: Access Control List (ACL) specifies which users are allowed or refused the different types of available access based on the object type.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 278- 284.

• Question 624:

  A user reports being unable to access a file on a network share. The security administrator determines that the file is marked as confidential and that the user does not have the appropriate access level for that file. Which of the following is being implemented?

  A. Mandatory access control

  B. Discretionary access control

  C. Rule based access control

  D. Role based access control

  Correct Answer: A

  Mandatory Access Control (MAC) allows access to be granted or restricted based on the rules of classification. MAC in corporate business environments involve the following four sensitivity levels Public Sensitive Private Confidential

  MAC assigns subjects a clearance level and assigns objects a sensitivity label. The name of the clearance level must be the same as the name of the sensitivity label assigned to objects or resources. In this case the file is marked confidential, and the user does not have that clearance level and cannot access the file.

  Incorrect Answers:

  B: Discretionary access control (DAC) allows access to be granted or restricted by an object's owner based on user identity and on the discretion of the object owner, not on its clearance level.

  C: Rule-based access control is used for network devices that filter traffic based on filtering rules.

  D: Role-based Access Control is basically based on a user's job description.

• Question 625:

  Which of the following presents the STRONGEST access control?

  A. MAC

  B. TACACS

  C. DAC

  D. RBAC

  Correct Answer: A

  A: With Mandatory Access Control (MAC) all access is predefined. This makes it the strongest access control of the options presented in the question. Incorrect Answers:

  B: TACACS refers to a client-server-oriented environment similar to that of RADIUS and is in essence an authentication service. It is an older authentication protocol common to UNIX networks that allows a remote access server to forward a user's logon password to an authentication server to determine whether access can be allowed to a given system.

  C: With Discretionary Access Control (DAC) access control incorporates some flexibility.

  D: With Role-Based Access Control (RBAC) access control allows the user's role to dictate access capabilities.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 146, 150

• Question 626:

  A security administrator implements access controls based on the security classification of the data and need-to-know information. Which of the following BEST describes this level of access control?

  A. Implicit deny

  B. Role-based Access Control

  C. Mandatory Access Controls

  D. Least privilege

  Correct Answer: C

  Mandatory Access Control allows access to be granted or restricted based on the rules of classification. MAC also includes the use of need to know. Need to know is a security restriction where some objects are restricted unless the subject has a need to know them.

  Incorrect Answers:

  A: Implicit deny says that if you aren't explicitly granted access or privileges for a resource, you're denied access by default.

  B: Basically, Role-based Access Control is based on a user's job description. It does not include the use of need to know.

  D: Least privilege states that users should only be granted the minimum necessary access, permissions, and privileges that are required for them to accomplish their work tasks. It does not include the use of need to know.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 278- 284.

• Question 627:

  Ann works at a small company and she is concerned that there is no oversight in the finance department; specifically, that Joe writes, signs and distributes paycheques, as well as other expenditures. Which of the following controls can she implement to address this concern?

  A. Mandatory vacations

  B. Time of day restrictions

  C. Least privilege

  D. Separation of duties

  Correct Answer: D

  Separation of duties divides administrator or privileged tasks into separate groupings, which in turn, is individually assigned to unique administrators. This helps in fraud prevention, error reduction, as well as conflict of interest prevention. For example, those who configure security should not be the same people who test security. In this case, Joe should not be allowed to write and sign paycheques.

  Incorrect Answers:

  A: Mandatory vacations require each employee to be on vacation for a minimal amount of time each year. During this time a different employee sits at their desk and performs their work tasks. This will not solve the problem, it will determine whether the user is committing fraud, being abusive, or if they are incompetent.

  B: Time of day restrictions limits when a specific user account can log on to the network according to the time of day. This will not help solve the problem.

  C: Least privilege states that users should only be granted the minimum necessary access, permissions, and privileges that are required for them to accomplish their work tasks. This is used for normal employees, whereas Separation of duties is for administrators.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 81, 82, 280.

• Question 628:

  A network administrator has a separate user account with rights to the domain administrator group. However, they cannot remember the password to this account and are not able to login to the server when needed. Which of the following is MOST accurate in describing the type of issue the administrator is experiencing?

  A. Single sign-on

  B. Authorization

  C. Access control

  D. Authentication

  Correct Answer: D

  Authentication generally requires one or more of the following:

  ?Something you know: a password, code, PIN, combination, or secret phrase.

  ?Something you have: a smart card, token device, or key.

  ?Something you are: a fingerprint, a retina scan, or voice recognition; often referred to as biometrics, discussed later in this chapter.

  ?Somewhere you are: a physical or logical location.

  ?Something you do: typing rhythm, a secret handshake, or a private knock.

  Incorrect Answers:

  A: Single sign-on is when a user is authenticated into the realm, they need not re-authenticate to access resources on any realm entity. Authentication has not occurred in this instance.

  B: Authorization occurs after authentication, and ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity. Authorization indicates who is trusted to perform specific

  operations.

  C: Access Control is defined as the control and management of users and their privileges and activities in a secure environment.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 275- 284.

• Question 629:

  Which of the following is the difference between identification and authentication of a user?

  A. Identification tells who the user is and authentication tells whether the user is allowed to logon to a system.

  B. Identification tells who the user is and authentication proves it.

  C. Identification proves who the user is and authentication is used to keep the users data secure.

  D. Identification proves who the user is and authentication tells the user what they are allowed to do.

  Correct Answer: B

  Identification is described as the claiming of an identity, and authentication is described as the act of verifying or proving the claimed identity.

  Incorrect Answers:

  A, D: Permissions enforce whether a user can logon to a system, and what a user is allowed to do.

  C: Confidentiality keeps the user's data secure.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p 276.

• Question 630:

  The fundamental information security principals include confidentiality, availability and which of the following?

  A. The ability to secure data against unauthorized disclosure to external sources

  B. The capacity of a system to resist unauthorized changes to stored information

  C. The confidence with which a system can attest to the identity of a user

  D. The characteristic of a system to provide uninterrupted service to authorized users

  Correct Answer: B

  Confidentiality, integrity, and availability, which make up the CIA triad, are the three most important concepts in security. In this instance, the answer describes the Integrity part of the CIA triad.

  Incorrect Answers:

  A: This describes confidentiality.

  C: This describes identification.

  D: This describes redundancy.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 148- 152.