CompTIA JK0-022 Online Practice
Questions and Exam Preparation
JK0-022 Exam Details
Exam Code
:JK0-022
Exam Name
:CompTIA Security+ Certification
Certification
:CompTIA Security+
Vendor
:CompTIA
Total Questions
:1149 Q&As
Last Updated
:Feb 05, 2025
CompTIA JK0-022 Online Questions &
Answers
Question 1131:
A network administrator has been tasked with securing the WLAN. Which of the following cryptographic products would be used to provide the MOST secure environment for the WLAN?
A. WPA2 CCMP B. WPA C. WPA with MAC filtering D. WPA2 TKIP
A. WPA2 CCMP CCMP is the standard encryption protocol for use with the WPA2 standard and is much more secure than the WEP protocol and TKIP protocol of WPA. CCMP provides the following security services: Data confidentiality; ensures only authorized parties can access the information Authentication; provides proof of genuineness of the user Access control in conjunction with layer management Because CCMP is a block cipher mode using a 128-bit key, it is secure against attacks to the 264 steps of operation. Incorrect Answers: B: The Wi-Fi Alliance intended WPA as an intermediate measure to take the place of WEP pending the availability of the full IEEE 802.11i standard. The WPA protocol implements much of the IEEE 802.11i standard. Specifically, the Temporal Key Integrity Protocol (TKIP) was adopted for WPA. WEP used a 40-bit or 104- bit encryption key that must be manually entered on wireless access points and devices and does not change. TKIP employs a per-packet key, meaning that it dynamically generates a new 128-bit key for each packet and thus prevents the types of attacks that compromised WEP. WPA also includes a message integrity check. This is designed to prevent an attacker from capturing, altering and/or resending data packets. This replaces the cyclic redundancy check (CRC) that was used by the WEP standard. CRC's main flaw was that it did not provide a sufficiently strong data integrity guarantee for the packets it handled. Well tested message authentication codes existed to solve these problems, but they required too much computation to be used on old network cards. WPA uses a message integrity check algorithm called Michael to verify the integrity of the packets. Michael is much stronger than a CRC, but not as strong as the algorithm used in WPA2. C: WPA even with the added security of MAC filtering is still inherently less secure than WPA2. D: CCMP is the standard encryption protocol for use with the WPA2 standard and is much more secure than the TKIP protocol of WPA. References: http://en.wikipedia.org/wiki/CCMP http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
Question 1132:
A small company wants to employ PKI. The company wants a cost effective solution that must be simple and trusted. They are considering two options: X.509 and PGP. Which of the following would be the BEST option?
A. PGP, because it employs a web-of-trust that is the most trusted form of PKI. B. PGP, because it is simple to incorporate into a small environment. C. X.509, because it uses a hierarchical design that is the most trusted form of PKI. D. X.509, because it is simple to incorporate into a small environment.
B. PGP, because it is simple to incorporate into a small environment.
Question 1133:
A financial company requires a new private network link with a business partner to cater for realtime and batched data flows.
Which of the following activities should be performed by the IT security staff member prior to establishing the link?
A. Baseline reporting B. Design review C. Code review D. SLA reporting
B. Design review This question is asking about a new private network link (a VPN) with a business partner. This will provide access to the local network from the business partner. When implementing a VPN, an important step is the design of the VPN. The VPN should be designed to ensure that the security of the network and local systems is not compromised. The design review assessment examines the ports and protocols used, the rules, segmentation, and access control in the systems or applications. A design review is basically a check to ensure that the design of the system meets the security requirements. Incorrect Answers: A: A baseline report compares the current status of network systems in terms of security updates, performance or other metrics to a predefined set of standards (the baseline). In this question, we are implementing a VPN. We need to ensure that the design of the VPN meets the security requirements BEFORE the VPN is implemented. Therefore, this answer is incorrect. C: A code review is the process of reviewing the code of a software application. This question is asking about the design and implementation of a VPN. Therefore, this answer is irrelevant and incorrect. D: SLA (Service Level Agreement) reporting is the process of comparing (and reporting on) current performance in terms of system uptime or deliverables delivered on time to the metrics defined in the SLA. This question is asking about the design and implementation of a VPN. Therefore, this answer is irrelevant and incorrect.
Question 1134:
A security administrator needs to update the OS on all the switches in the company. Which of the following MUST be done before any actual switch configuration is performed?
A. The request needs to be sent to the incident management team. B. The request needs to be approved through the incident management process. C. The request needs to be approved through the change management process. D. The request needs to be sent to the change management team.
C. The request needs to be approved through the change management process. Change Management is a risk mitigation approach and refers to the structured approach that is followed to secure a company's assets. Thus the actual switch configuration should first be subject to the change management approval. Incorrect Answers: A: Incident management refers to the steps followed WHEN events occur (making sure controls are in place to prevent unauthorized access to, and changes of, all IT assets). The scenario want to know what must be done prior to the incident. B: Incident management refers to the process that has to be followed WHEN an event occurred not prior to the event. D: Immediately prior to the actual switch configuration the request should be approved through the change management process. References: Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 10
Question 1135:
The security administrator is analyzing a user's history file on a Unix server to determine if the user was attempting to break out of a rootjail. Which of the following lines in the user's history log shows evidence that the user attempted to escape the rootjail?
A. cd ../../../../bin/bash B. whoami C. ls /root D. sudo -u root
A. cd ../../../../bin/bash On modern UNIX variants, including Linux, you can define the root directory on a perprocess basis. The chroot utility allows you to run a process with a root directory other than /. The root directory appears at the top of the directory hierarchy and has no parent: A process cannot access any files above the root directory (because they do not exist). If, for example, you run a program (process) and specify its root directory as /home/sam/jail, the program would have no concept of any files in /home/sam or above: jail is the program's root directory and is labeled / (not jail). By creating an artificial root directory, frequently called a (chroot) jail, you prevent a program from accessing or modifying--possibly maliciously--files outside the directory hierarchy starting at its root. You must set up a chroot jail properly to increase security: If you do not set up the chroot jail correctly, you can actually make it easier for a malicious user to gain access to a system than if there were no chroot jail. The command cd.. takes you up one level in the directory structure. Repeated commands would take you to the top level the root which is represented by a forward slash /. The command /bin/bash is an attempt to run the bash shell from the root level. Incorrect Answers: B: The whoami command is used to display the username that the user is working under. It does not signify an attempt to break out of a rootjail. Therefore, this answer is incorrect. C: The ls / command is used to list the directories at the root level of the directory structure. It does not signify an attempt to break out of a rootjail. Therefore, this answer is incorrect. D: The sudo -u root command is used to change the security context to that of the root user. The root user is equivalent to the Administrator account in Windows. It does not signify an attempt to break out of a rootjail. Therefore, this answer is incorrect. References: http://searchitchannel.techtarget.com/feature/Secure-your-Linux-server-with-a-chroot-jail-or- TCP-wrappers
Question 1136:
A system administrator has noticed that users change their password many times to cycle back to the original password when their passwords expire. Which of the following would BEST prevent this behavior?
A. Assign users passwords based upon job role. B. Enforce a minimum password age policy. C. Prevent users from choosing their own passwords. D. Increase the password expiration time frame.
B. Enforce a minimum password age policy. A minimum password age policy defines the period that a password must be used for before it can be changed. Incorrect Answers: A: Assigning users passwords based upon job role is not a secure password solution. C: Preventing users from choosing their own passwords could make remembering passwords difficult. This could lead to a user having to record a generated password somewhere that is not secure. D: This will cause a password to be retained for a longer period. References: https://technet.microsoft.com/en-us/library/cc779758(v=ws.10).aspx Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 291- 293.
Question 1137:
A new security analyst is given the task of determining whether any of the company's servers are vulnerable to a recently discovered attack on an old version of SSH. Which of the following is the quickest FIRST step toward determining the version of SSH running on these servers?
A. Passive scanning B. Banner grabbing C. Protocol analysis D. Penetration testing
B. Banner grabbing B: Banner grabbing looks at the banner, or header information messages sent with data to find out about the system(s). Banners often identify the host, the operating system running on it, and other information that can be useful if you are going to attempt to later breach the security of it. Banners can be snagged with Telnet as well as tools like netcat or Nmap. In other words Banner grabbing looks at the banner, or header, information messages sent with data to find out about the system(s). Thus a quick way to check which version of SSH is running on your server. Incorrect Answers: A: Passive scanning is implemented to allow you to identify specific vulnerabilities on your network and is not the quickest way to determine which version of SSH is running on your servers. C: Protocol analysis is similar to packet sniffing and is a tool used for network monitoring, the data that is being transmitted across a network - especially in real- time. D: A penetration test will use the same techniques a hacker would use to find any flaws in your system's security. This means bypassing whatever security controls that might have been implemented. This is not the quickest way to check which version of SSH was running on your servers. References: Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 344, 458, 459.
Question 1138:
Which of the following protocols encapsulates an IP packet with an additional IP header?
A. SFTP B. IPSec C. HTTPS D. SSL
B. IPSec Authentication Header (AH) is a member of the IPsec protocol suite. AH operates directly on top of IP, using IP protocol number 51. Incorrect Answers: A: The SSH File Transfer Protocol (also Secure File Transfer Protocol, or SFTP) does not encapsulate IP packets with an additional IP header. SFTP is a network protocol that provides file access, file transfer, and file management functionalities over any reliable data stream. C: HTTPS does not add an extra IP header to IP packages. Technically, HTTPS is not a protocol in and of itself; rather, it is the result of simply layering the Hypertext Transfer Protocol (HTTP) on top of the SSL or TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications. D: SSL does not encapsulate IP packets with an additional IP header. Secure Sockets Layer (SSL) is used to establish a secure communication connection between two TCP-based machines. References: Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 75, 76, 268-269, 274, 274-275
Question 1139:
Which of the following would be used to identify the security posture of a network without actually exploiting any weaknesses?
A. Penetration test B. Code review C. Vulnerability scan D. Brute Force scan
C. Vulnerability scan A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security. Vulnerability scanning typically refers to the scanning of systems that are connected to the Internet but can also refer to system audits on internal networks that are not connected to the Internet in order to assess the threat of rogue software or malicious employees in an enterprise. Incorrect Answers: A: Penetration testing evaluates an organization's ability to protect its networks, applications, computers and users from attempts to circumvent its security controls to gain unauthorized or privileged access to protected assets. The difference between a vulnerability scan and a penetration test is that by performing a penetration test, you are actually trying to access a system by exploiting a weakness in the system. Therefore, this answer is incorrect. B: A code review is the process of reviewing the programming code in an application. It is not used to identify the security posture of a network. Therefore, this answer is incorrect. D: A brute force scan is similar to a penetration test in that you are actually trying to access a system by exploiting a weakness in the system. Therefore, this answer is incorrect. References: http://www.webopedia.com/TERM/V/vulnerability_scanning.html
Question 1140:
Which of the following would BEST deter an attacker trying to brute force 4-digit PIN numbers to access an account at a bank teller machine?
A. Account expiration settings B. Complexity of PIN C. Account lockout settings D. PIN history requirements
C. Account lockout settings Account lockout settings determine the number of failed login attempts before the account gets locked and how long the account will be locked out for. For example, an account can be configured to lock if three incorrect passwords (or in this case PIN's) are entered. The account can then be configured to automatically unlock after a period of time or stay locked until someone manually unlocks it. Incorrect Answers: A: Account expiration settings determine when an account will expire. This is usually a time or date. An account configured with an expiration date will not prevent an attacker trying to brute force a PIN as the attacker could make as many attempts as he wants until the time or date of the account expiration. Therefore, this answer is incorrect. B: Complexity of PIN: Password complexity determines what a password should include. For example, you could require a password to contain uppercase and lowercase letters and numbers. The question states that access is gained by using a 4-digit PIN number. The "complexity" of the PIN is 4 numbers. There's not much you can do to make a 4 digit PIN more complex other than require that no numbers are repeated. You could only change the length of the PIN to make it more difficult to guess. PIN complexity will not prevent an attacker trying to brute force a PIN. Therefore, this answer is incorrect. D: PIN history requirements are used when people change their PINs. PIN history requirements could state that you cannot use any of your five previously used PINs. PIN history will not prevent an attacker trying to brute force a PIN. Therefore, this answer is incorrect. References: https://technet.microsoft.com/en-us/library/cc757692%28v=ws.10%29.aspx
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only CompTIA exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your JK0-022 exam preparations
and CompTIA certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.