CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 651:

  Ann has taken over as the new head of the IT department. One of her first assignments was to implement AAA in preparation for the company's new telecommuting policy. When she takes inventory of the organizations existing network infrastructure, she makes note that it is a mix of several different vendors. Ann knows she needs a method of secure centralized access to the company's network resources. Which of the following is the BEST service for Ann to implement?

  A. RADIUS

  B. LDAP

  C. SAML

  D. TACACS+

  Correct Answer: A

  The Remote Authentication Dial In User Service (RADIUS) networking protocol offers centralized Authentication, Authorization, and Accounting (AAA) management for users who make use of a network service.

  Incorrect Answers:

  B: The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

  C: Security Assertion Markup Language (SAML) is an open-standard data format based on XML.

  D: TACACS+ makes use of the authentication, authorization, and accounting (AAA) architecture. However, unlike RADIUS, these separate components of the protocol can be segregated and handled on separate servers.

  References:

  http://en.wikipedia.org/wiki/RADIUS

  http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p 275.

  http://en.wikipedia.org/wiki/TACACS

• Question 652:

  Which of the following relies on the use of shared secrets to protect communication?

  A. RADIUS

  B. Kerberos

  C. PKI

  D. LDAP

  Correct Answer: A

  Obfuscated passwords are transmitted by the RADIUS protocol via a shared secret and the MD5 hashing algorithm.

  Incorrect Answers:

  B: Kerberos works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

  C: A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates

  D: The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

  References: http://en.wikipedia.org/wiki/RADIUS http://en.wikipedia.org/wiki/Kerberos_%28protocol%29 http://en.wikipedia.org/wiki/Public_key_infrastructure http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

• Question 653:

  Which of the following types of security services are used to support authentication for remote users and devices?

  A. Biometrics

  B. HSM

  C. RADIUS

  D. TACACS

  Correct Answer: C

  RADIUS authentication phase takes place when a network client connects to a network access server (NAS) and provides authentication credentials. The NAS will then make use of the authentication credentials to issue a RADIUS authentication request to the RADIUS server, which will then exchange RADIUS authentication messages with the NAS.

  Incorrect Answers:

  A: Biometrics refers to a collection of physical attributes of the human body that can be used as identification or an authentication factor. Devices cannot use this.

  B: HSM is a physical computing device that protects and oversees digital keys for strong authentication and provides cryptoprocessing. It is not used for the authentication of remote users and devices?

  D: TACACS was used for communicating with an authentication server, not the actual authentication.

  References:

  http://cloudessa.com/products/cloudessa-radius-service/what-is-a-radius-server/ Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p 285.

  http://en.wikipedia.org/wiki/Hardware_security_module

  http://en.wikipedia.org/wiki/TACACS

• Question 654:

  RADIUS provides which of the following?

  A. Authentication, Authorization, Availability

  B. Authentication, Authorization, Auditing

  C. Authentication, Accounting, Auditing

  D. Authentication, Authorization, Accounting

  Correct Answer: D

  The Remote Authentication Dial In User Service (RADIUS) networking protocol offers centralized Authentication, Authorization, and Accounting (AAA) management for users who make use of a network service. It is for this reason that A, B, and C: are incorrect.

  References: http://en.wikipedia.org/wiki/RADIUS

• Question 655:

  Pete, a security auditor, has detected clear text passwords between the RADIUS server and the authenticator. Which of the following is configured in the RADIUS server and what technologies should the authentication protocol be changed

  to?

  A. PAP, MSCHAPv2

  B. CHAP, PAP

  C. MSCHAPv2, NTLMv2

  D. NTLM, NTLMv2

  Correct Answer: A

  PAP transmits the username and password to the authentication server in plain text. MSCHAPv2 is utilized as an authentication option for RADIUS servers that are used for Wi-Fi security using the WPA-Enterprise protocol.

  Incorrect Answers:

  B, C: The scenario mentions that passwords between the RADIUS server and the authenticator are transmitted in clear text. Then the first part of the question asks what is configured for the RADIUS server. The first part of these two options

  is CHAP and MSCHAPv2, which do not transmit in clear text.

  D: NTLM is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 139.

  http://en.wikipedia.org/wiki/MS-CHAP

  http://en.wikipedia.org/wiki/NT_LAN_Manager

• Question 656:

  Which of the following is an authentication service that uses UDP as a transport medium?

  A. TACACS+

  B. LDAP

  C. Kerberos

  D. RADIUS

  Correct Answer: D

  RADIUS runs in the application layer and makes use of UDP as transport.

  Incorrect Answers:

  A: TACACS+ makes use of TCP.

  B: LDAP makes use of TCP.

  C: Kerberos Makes use of both UDP and TCP.

  References: http://en.wikipedia.org/wiki/RADIUS http://en.wikipedia.org/wiki/TACACS Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p 273. https://tools.ietf.org/html/rfc6251

• Question 657:

  Ann, a security administrator, wishes to replace their RADIUS authentication with a more secure protocol, which can utilize EAP. Which of the following would BEST fit her objective?

  A. CHAP

  B. SAML

  C. Kerberos

  D. Diameter

  Correct Answer: D

  Diameter is an authentication, authorization, and accounting protocol that replaces the RADIUS protocol. Diameter Applications extend the base protocol by including new commands and/or attributes, such as those for use of the Extensible Authentication Protocol (EAP).

  Incorrect Answers:

  A: CHAP is a non-EAP authentication mechanism.

  B: Security Assertion Markup Language (SAML) is an open-standard data format based on XML, it is not an authentication protocol.

  C: Kerberos makes use of encryption keys as tickets with time stamps to prove identity and grant access to resources. Kerberos does not make use of EAP.

  References:

  http://en.wikipedia.org/wiki/Diameter_(protocol)

  http://tools.ietf.org/html/rfc3748

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p 275.

• Question 658:

  Jane, a security administrator, needs to implement a secure wireless authentication method that uses a remote RADIUS server for authentication.

  Which of the following is an authentication method Jane should use?

  A. WPA2-PSK

  B. WEP-PSK

  C. CCMP

  D. LEAP

  Correct Answer: D

  A RADIUS server is a server with a database of user accounts and passwords used as a central authentication database for users requiring network access. The Lightweight Extensible Authentication Protocol (LEAP) is a proprietary wireless LAN authentication method developed by Cisco Systems. Important features of LEAP are dynamic WEP keys and mutual authentication (between a wireless client and a RADIUS server). LEAP allows for clients to reauthenticate frequently; upon each successful authentication, the clients acquire a new WEP key (with the hope that the WEP keys don't live long enough to be cracked). LEAP may be configured to use TKIP instead of dynamic WEP.

  Incorrect Answers:

  A: WPA2-PSK (Wireless Protected Access 2 Pre-shared Key) uses a pre-shared key for authentication. The pre-shared key is a `password' sometimes called the `network security key' that you enter when you connect to the wireless access point. It does not use a RADIUS server for authentication.

  B: WEP-PSK (Wireless Equivalent Privacy Pre-shared Key) uses a pre-shared key for authentication in the same way that WPA2-PSK does. The pre-shared key is a `password' sometimes called the `network security key' that you enter when you connect to the wireless access point. It does not use a RADIUS server for authentication.

  C: Counter Mode Cipher Block Chaining Message Authentication Code Protocol, Counter Mode CBC-MAC Protocol or simply CCMP (CCM mode Protocol) is an encryption protocol. CCMP is an enhanced data cryptographic encapsulation mechanism designed for data confidentiality and based upon the Counter Mode with CBC-MAC (CCM) of the AES standard. It was created to address the vulnerabilities presented by WEP, a dated, insecure protocol. However, it does not use a RADIUS server for authentication. References: http://en.wikipedia.org/wiki/Lightweight_Extensible_Authentication_Protocol

• Question 659:

  When considering a vendor-specific vulnerability in critical industrial control systems which of the following techniques supports availability?

  A. Deploying identical application firewalls at the border

  B. Incorporating diversity into redundant design

  C. Enforcing application white lists on the support workstations

  D. Ensuring the systems' anti-virus definitions are up-to-date

  Correct Answer: B

  If you know there is a vulnerability that is specific to one vendor, you can improve availability by implementing multiple systems that include at least one system from a different vendor and so is not affected by the vulnerability.

  Incorrect Answers:

  A: An application firewall is a form of firewall which controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the firewall. We don't know what the vulnerability is but it's unlikely that a firewall will prevent the vulnerability or ensure availability.

  C: Application whitelisting is a form of application security which prevents any software from running on a system unless it is included on a preapproved exception list. It does not prevent vendor-specific vulnerability already inherent in the application, nor does it ensure availability. D. Antivirus software is used to protect systems against viruses, which are a form of malicious code designed to spread from one system to another, consuming network resources. Ensuring the systems' anti-virus definitions are up-to-date is always a good idea. However, a vendor specific vulnerability is usually not caused by a virus.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 161-162, 340

• Question 660:

  Which of the following can be implemented in hardware or software to protect a web server from cross-site scripting attacks?

  A. Intrusion Detection System

  B. Flood Guard Protection

  C. Web Application Firewall

  D. URL Content Filter

  Correct Answer: C

  Cross-site scripting (XSS) is a form of malicious code-injection attack on a web server in which an attacker injects code into the content sent to website visitors. XSS can be mitigated by implementing patch management on the web server, using firewalls, and auditing for suspicious activity.

  Incorrect Answers:

  A: An Intrusion Detection System (IDS) is used to detect attempts to access a system. It cannot be used to detect cross-site scripting attacks where a malicious user is injecting malicious content into content being downloaded by a user.

  B: Flood Guard Protection is used to prevent a network being flooded by data such as DoS, SYN floods, ping floods etc. The flood of data saturates the network and prevents the successful transmission of valid data across the network. Flood Guard Protection is not used to prevent cross-site scripting attacks. D. A URL Content Filter is used to permit access to allowed URLs (Websites) only or to block access to URLs that are not allowed according to company policy. For example, a company might use a URL Content Filter to block access to social networking sites. A URL Content Filter is not used to prevent cross-site scripting attacks.

  References: http://en.wikipedia.org/wiki/Cross-site_scripting https://www.owasp.org/index.php/Web_Application_Firewall