CompTIA JK0-022 Online Practice
Questions and Exam Preparation
JK0-022 Exam Details
Exam Code
:JK0-022
Exam Name
:CompTIA Security+ Certification
Certification
:CompTIA Security+
Vendor
:CompTIA
Total Questions
:1149 Q&As
Last Updated
:Feb 05, 2025
CompTIA JK0-022 Online Questions &
Answers
Question 141:
Which of the following security strategies allows a company to limit damage to internal systems and provides loss control?
A. Restoration and recovery strategies B. Deterrent strategies C. Containment strategies D. Detection strategies
C. Containment strategies Containment strategies is used to limit damages, contain a loss so that it may be controlled, much like quarantine, and loss incident isolation. Incorrect Answers: A: Restorative and recovery strategies are used to replace the lost and damaged systems to ensure business continuity. B: A deterrent control is anything intended to warn a would-be attacker that they should not attack. This could be a posted warning notice that they will be prosecuted to the fullest extent of the law, locks on doors, barricades, lighting, or anything can delay or discourage an attack. A deterrent strategy is preventative and not limitation to damage. D: Detection strategies would be used to uncover a violation/damage. References: Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 384, 444
Question 142:
Which of the following security concepts identifies input variables which are then used to perform boundary testing?
A. Application baseline B. Application hardening C. Secure coding D. Fuzzing
D. Fuzzing Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks. Incorrect Answers: A: An application baseline defines the level of security that will be implemented and maintained for the application. A low baseline implements almost no security while a high baseline does not allow users to make changes to the application. B: Application Hardening is the process of securing a system by reducing its surface of vulnerability. Reducing the surface of vulnerability typically includes removing unnecessary functions and features, removing unnecessary usernames or logins and disabling unnecessary services. C: Proper and secure coding can prevent many attacks, including cross-site scripting, SQL injection and buffer overflows. References: http://en.wikipedia.org/wiki/Fuzz_testing Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 218-219, 226 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p 229
Question 143:
An IT director is looking to reduce the footprint of their company's server environment. They have decided to move several internally developed software applications to an alternate environment, supported by an external company. Which of the following BEST describes this arrangement?
A. Infrastructure as a Service B. Storage as a Service C. Platform as a Service D. Software as a Service
A. Infrastructure as a Service Cloud users install operating-system images and their application software on the cloud infrastructure to deploy their applications. In this model, the cloud user patches and maintains the operating systems and the application software. Incorrect Answers: B: Storage as a Service (SaaS) is a business model in which third-party providers rent space on their storage to end users that lack the capital budget and/or technical personnel to implement and maintain their own storage infrastructure. C: This entails cloud providers deliver a computing platform, typically including operating system, programming language execution environment, database, and web server. D: Software as a Service (SaaS) is sometimes referred to as "on-demand software" and is usually priced on a pay-per-use basis or using a subscription fee. References: http://en.wikipedia.org/wiki/Cloud_computing http://searchstorage.techtarget.com/definition/Storage-as-a-Service-SaaS
Question 144:
Which of the following is the BEST method for ensuring all files and folders are encrypted on all corporate laptops where the file structures are unknown?
A. Folder encryption B. File encryption C. Whole disk encryption D. Steganography
C. Whole disk encryption Full-disk encryption encrypts the data on the hard drive of the device or on a removable drive. This feature ensures that the data on the device or removable drive cannot be accessed in a useable form should it be stolen. Furthermore, full-disk encryption is not dependant on knowledge of the file structure. Incorrect Answers: A, B: File and Folder encryption encrypts the content of individual files and folders respectively. To implement file or folder encryption effectively, the file structure has to be known. D: Steganography is a process of hiding one communication inside another communication. It can use passwords to prevent unauthorized extraction of the hidden communication and can also use encryption to mitigate against brute-force attempts at extraction. Steganography can also be used to detect theft, fraud, or modification when the hidden communication is a watermark. References: Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 251- 252, 323
Question 145:
Which of the following provides the BEST application availability and is easily expanded as demand grows?
A. Server virtualization B. Load balancing C. Active-Passive Cluster D. RAID 6
B. Load balancing Load balancing is a way of providing high availability by splitting the workload across multiple computers. Incorrect Answers: A: Virtualization is the foundation for cloud computing. You cannot have cloud computing without virtualization. It makes it possible by abstracting the hardware and making it available to the virtual machines. The abstraction is done through the use of a hypervisor, which can be either Type I (bare metal) or Type II (hosted). C: Active-Passive cluster will provide application availability, but is not as easily expanded as load balancing. D: RAID or redundant array of independent disks (RAID). RAID allows your existing servers to have more than one hard drive so that if the main hard drive fails, the system keeps functioning. References: Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 234-235
Question 146:
Which of the following is true about an email that was signed by User A and sent to User B?
A. User A signed with User B's private key and User B verified with their own public key. B. User A signed with their own private key and User B verified with User A's public key. C. User A signed with User B's public key and User B verified with their own private key. D. User A signed with their own public key and User B verified with User A's private key.
B. User A signed with their own private key and User B verified with User A's public key. The sender uses his private key, in this case User A's private key, to create a digital signature. The message is, in effect, signed with the private key. The sender then sends the message to the receiver. The receiver (User B) uses the public key attached to the message to validate the digital signature. If the values match, the receiver knows the message is authentic. The receiver uses a key provided by the sender--the public key--to decrypt the message. Incorrect Answers: A: User A must sign with his own private key, not with User B's private key. C: User A must sign with his own private key, not with User B's public key. D: User A must sign with his own private key, not with his public key. User B's cannot use the private (secret) key of User A. References: Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 279-285
Question 147:
Users require access to a certain server depending on their job function. Which of the following would be the MOST appropriate strategy for securing the server?
A. Common access card B. Role based access control C. Discretionary access control D. Mandatory access control
B. Role based access control Role-based Access Control is basically based on a user's job description. When a user is assigned a specific role in an environment, that user's access to objects is granted based on the required tasks of that role. Incorrect Answers: A: Smart cards are credit-card-sized IDs, badges, or security passes with an embedded integrated circuit chip. Common Access Cards (CACs) are the U.S. government and military version of a smart card. C: Discretionary access control (DAC) allows access to be granted or restricted by an object's owner based on user identity and on the discretion of the object owner. It does not rely on job function. D: Mandatory Access Control allows access to be granted or restricted based on the rules of classification. It does not rely on job function. References: Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 278- 284.
Question 148:
Which of the following assessments would Pete, the security administrator, use to actively test that an application's security controls are in place?
A. Code review B. Penetration test C. Protocol analyzer D. Vulnerability scan
B. Penetration test Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings. The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents. Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in. Pen test strategies include: Targeted testing Targeted testing is performed by the organization's IT team and the penetration testing team working together. It's sometimes referred to as a "lights-turned-on" approach because everyone can see the test being carried out. External testing This type of pen test targets a company's externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can get in once they've gained access. Internal testing This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause. Blind testing A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that's performing the test beforehand. Typically, they may only be given the name of the company. Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive. Double blind testing Double blind testing takes the blind test and carries it a step further. In this type of pen test, only one or two people within the organization might be aware a test is being conducted. Double- blind tests can be useful for testing an organization's security monitoring and incident identification as well as its response procedures. Incorrect Answers: A: A code review is the process of reviewing the code of a software application. This is generally performed during development of the application before the application is released. A penetration test would test the security of the application after it has been released. Therefore, this answer is incorrect. C: A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. A protocol analyzer is not used to test an application's security controls. Therefore, this answer is incorrect. D: A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates. A vulnerability scan does not actively test that an application's security controls are in place. Therefore, this answer is incorrect. References: http://searchsoftwarequality.techtarget.com/definition/penetration-testing
Question 149:
Which of the following is a requirement when implementing PKI if data loss is unacceptable?
A. Web of trust B. Non-repudiation C. Key escrow D. Certificate revocation list
C. Key escrow Key escrow is a database of stored keys that later can be retrieved. Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account (think of the term as it relates to home mortgages) and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee's private messages have been called into question. Incorrect Answers: A: Web of trust is not used within the PKI domain. It is an alternative approach. A web of trust is a concept used in PGP, GnuPG, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and its owner. Its decentralized trust model is an alternative to the centralized trust model of a public key infrastructure (PKI), which relies exclusively on a certificate authority (or a hierarchy of such). B: Nonrepudiation is a means of ensuring that transferred data is valid. Nonrepudiation is not used to store data. D: A certification list is just a database of revoked keys and certificates, and does not store any other information. References: Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-289, 285
Question 150:
Which of the following can result in significant administrative overhead from incorrect reporting?
A. Job rotation B. Acceptable usage policies C. False positives D. Mandatory vacations
C. False positives False positives are essentially events that are mistakenly flagged and are not really events to be concerned about. This causes a significant administrative overhead because the reporting is what results in the false positives. Incorrect Answers: A: Job rotation is a strategy employed to provide redundancy in employees' abilities in addition to being an access control method. B: Acceptable use policies describe how employees are allowed to use company systems and resources. D: Mandatory vacations are strategies employed to that the company can fill in any gaps in skills and satisfies the need to have replication and duplication of skills, not necessarily administrative overhead but rather redundancy in human resources. References: Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 28, 413 http://www.networkworld.com/article/2327896/lan-wan/what-is-a-false-positive-.html
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only CompTIA exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your JK0-022 exam preparations
and CompTIA certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.