CompTIA JK0-022 Online Practice
Questions and Exam Preparation
JK0-022 Exam Details
Exam Code
:JK0-022
Exam Name
:CompTIA Security+ Certification
Certification
:CompTIA Security+
Vendor
:CompTIA
Total Questions
:1149 Q&As
Last Updated
:Feb 05, 2025
CompTIA JK0-022 Online Questions &
Answers
Question 191:
An organization has three divisions: Accounting, Sales, and Human Resources. Users in the Accounting division require access to a server in the Sales division, but no users in the Human Resources division should have access to resources in any other division, nor should any users in the Sales division have access to resources in the Accounting division. Which of the following network segmentation schemas would BEST meet this objective?
A. Create two VLANS, one for Accounting and Sales, and one for Human Resources. B. Create one VLAN for the entire organization. C. Create two VLANs, one for Sales and Human Resources, and one for Accounting. D. Create three separate VLANS, one for each division.
D. Create three separate VLANS, one for each division.
Question 192:
Which of the following can use RC4 for encryption? (Select TWO).
A. CHAP B. SSL C. WEP D. AES E. 3DES
B. SSL C. WEP B: In cryptography, RC4 (Rivest Cipher 4 also known as ARC4 or ARCFOUR meaning Alleged RC4) is the most widely used software stream cipher and is used in popular Internet protocols such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). C: WEP also uses RC4, however WEP is still unsecure. Incorrect Answers: A: the Challenge-Handshake Authentication Protocol (CHAP) does not use RC4. D: The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data. AES make no use of RC4. E: Data Encryption Standard (DES) is a symmetric-key algorithm for the encryption of electronic data. DES make no use of RC4. Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm (TDEA or Triple DEA) symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. References: Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 143, 250, 258, 268-269
Question 193:
Which of the following BEST describes a demilitarized zone?
A. A buffer zone between protected and unprotected networks. B. A network where all servers exist and are monitored. C. A sterile, isolated network segment with access lists. D. A private network that is protected by a firewall and a VLAN.
A. A buffer zone between protected and unprotected networks. A demilitarized zone (DMZ) is an area of a network that is designed specifically for public users to access. The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN. Often a DMZ is deployed through the use of a multihomed firewall. Incorrect Answers: B: The location and monitoring of servers would not occur in a DMZ as it is exposed to the public. C: This describes a VLAN. D: This describes a VPN. References: Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p 39. http://en.wikipedia.org/wiki/Virtual_private_network
Question 194:
Joe, a newly hired employee, has a corporate workstation that has been compromised due to several visits to P2P sites. Joe insisted that he was not aware of any company policy that prohibits the use of such web sites. Which of the following is the BEST method to deter employees from the improper use of the company's information systems?
A. Acceptable Use Policy B. Privacy Policy C. Security Policy D. Human Resource Policy
A. Acceptable Use Policy Acceptable use policies (AUPs) describe how the employees in an organization can use company systems and resources, both software and hardware. Incorrect Answers: B: Privacy policies define what controls are required to implement and maintain the sanctity of data privacy in the work environment. C: Security policies define what controls are required to implement and maintain the security of systems, users, and networks. D: Human resources policy does not address issues regarding which website are prohibited. References: Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 24 http://en.wikipedia.org/wiki/Acceptable_use_policy
Question 195:
Which of the following should a security technician implement to identify untrusted certificates?
A. CA B. PKI C. CRL D. Recovery agent
C. CRL Untrusted certificates and keys are revoked and put into the CRL. Note: The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included. Incorrect Answers: A: A certificate authority (CA) is an organization, not a static record containing certificates. A CA is responsible for issuing, revoking, and distributing certificates. B: A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. Within a PKI you can use CRL to meet the requirements in this question. D: A recovery agent cannot be used to check if certificates are still valid. A key recovery agent is an entity that has the ability to recover a key, key components, or plaintext messages as needed. References: Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-280, 279-285, 285
Question 196:
Which of the following is used to verify data integrity?
A. SHA B. 3DES C. AES D. RSA
A. SHA SHA stands for "secure hash algorithm". SHA-1 is the most widely used of the existing SHA hash functions, and is employed in several widely used applications and protocols including TLS and SSL, PGP, SSH, S/MIME, and IPsec. It is used to ensure data integrity. Note: A hash value (or simply hash), also called a message digest, is a number generated from a string of text. The hash is substantially smaller than the text itself, and is generated by a formula in such a way that it is extremely unlikely that some other text will produce the same hash value. Hashes play a role in security systems where they're used to ensure that transmitted messages have not been tampered with. The sender generates a hash of the message, encrypts it, and sends it with the message itself. The recipient then decrypts both the message and the hash, produces another hash from the received message, and compares the two hashes. If they're the same, there is a very high probability that the message was transmitted intact. This is how hashing is used to ensure data integrity. Incorrect Answers: B: In cryptography, Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm (TDEA or Triple DEA) symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. 3DES is used to encrypt data, not to verify data integrity. C: AES (Advanced Encryption Standard) has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES) which was published in 1977. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. AES is used to encrypt data, not to verify data integrity. D: RSA encryption is used for encrypting data in transit. RSA involves a public key and a private key. The public key can be known by everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted in a reasonable amount of time using the private key. RSA is used to encrypt data, not to verify data integrity. References: http://en.wikipedia.org/wiki/SHA-1 Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 250, 251, 255-256
Question 197:
Which of the following network design elements allows for many internal devices to share one public IP address?
A. DNAT B. PAT C. DNS D. DMZ
B. PAT Port Address Translation (PAT), is an extension to network address translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address. The goal of PAT is to conserve IP addresses. Most home networks use PAT. In such a scenario, the Internet Service Provider (ISP) assigns a single IP address to the home network's router. When Computer X logs on the Internet, the router assigns the client a port number, which is appended to the internal IP address. This, in effect, gives Computer X a unique address. If Computer Z logs on the Internet at the same time, the router assigns it the same local IP address with a different port number. Although both computers are sharing the same public IP address and accessing the Internet at the same time, the router knows exactly which computer to send specific packets to because each computer has a unique internal address. Incorrect Answers: A: Destination network address translation (DNAT) is a technique for transparently changing the destination IP address of an end route packet and performing the inverse function for any replies. Any router situated between two endpoints can perform this transformation of the packet. DNAT is commonly used to publish a service located in a private network on a publicly accessible IP address. This use of DNAT is also called port forwarding. DNAT does not allow for many internal devices to share one public IP address. C: DNS (Domain Name System) is a service used to translate hostnames or URLs to IP addresses. DNS does not allow for many internal devices to share one public IP address. D: A DMZ or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external network node only has direct access to equipment in the DMZ, rather than any other part of the network. A DMZ does not allow for many internal devices to share one public IP address. References: http://searchnetworking.techtarget.com/definition/Port-Address-Translation-PAT http://en.wikipedia.org/wiki/Network_address_translation#DNAT http:// en.wikipedia.org/wiki/Domain_Name_System http://en.wikipedia.org/wiki/DMZ_(computing)
Question 198:
After a recent internal audit, the security administrator was tasked to ensure that all credentials must be changed within 90 days, cannot be repeated, and cannot contain any dictionary words or patterns. All credentials will remain enabled regardless of the number of attempts made. Which of the following types of user account options were enforced? (Select TWO).
A. Recovery B. User assigned privileges C. Lockout D. Disablement E. Group based privileges F. Password expiration G. Password complexity
F. Password expiration G. Password complexity Password complexity often requires the use of a minimum of three out of four standard character types for a password. The more characters in a password that includes some character type complexity, the more resistant it is to password-cracking techniques. In most cases, passwords are set to expire every 90 days. Incorrect Answers: A: Recovery of a password requires that the password storage mechanism be reversible or that passwords be stored in multiple ways. Requiring passwords to be changed is more secure than recovering them. B: User assigned privileges can be assigned by the user. It will not ensure that all credentials must be changed within 90 days. C: Account lockout settings determine the number of failed login attempts before the account gets locked and how long the account will be locked out for. The question states: "All credentials will remain enabled regardless of the number of attempts made." D: Disablement automatically disables a user account or causes the account to expire at a specific time and on a specific day. It will not ensure that all credentials must be changed within 90 days. E: Group-based privileges grants each group member the same level of access to a certain object. It will not ensure that all credentials must be changed within 90 days. References: Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 292- 294.
Question 199:
A user was reissued a smart card after the previous smart card had expired. The user is able to log into the domain but is now unable to send digitally signed or encrypted email. Which of the following would the user need to perform?
A. Remove all previous smart card certificates from the local certificate store. B. Publish the new certificates to the global address list. C. Make the certificates available to the operating system. D. Recover the previous smart card certificates.
B. Publish the new certificates to the global address list. CAs can be either private or public, with VeriSign being one of the best known of the public variety. Many operating system providers allow their systems to be configured as CA systems. These CA systems can be used to generate internal certificates that are used within a business or in large external settings. The process provides certificates to the users. Since the user in question has been re-issued a smart card, the user must receive a new certificate by the CA to allow the user to send digitally signed email. This is achieved by publishing the new certificates to the global address list. Incorrect Answers: A: Removing all previous smart card certificates from the local certificate store will affect all the other users as well and then no one will be able to log in and send digitally signed email. C: Making certificates available to the operating system will not allow the user to send digitally signed email. The other users all have access to this service because of the CA having published their certificates on the global address list, which means that the re-issued smart card's certificate should also be published on the global address list. D: The previous smart card certificates are no longer valid. References: Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 279-280
Question 200:
Ann, a security technician, is reviewing the IDS log files. She notices a large number of alerts for multicast packets from the switches on the network. After investigation, she discovers that this is normal activity for her network. Which of the following BEST describes these results?
A. True negatives B. True positives C. False positives D. False negatives
C. False positives False positives are essentially events that are mistakenly flagged and are not really events to be concerned about. Incorrect Answers: A: True negatives would be non-events. B: True positives would be real alerts and alarms. D: With a false negative, you are not alerted to a situation when you should be alerted - The opposite of false negatives. References: Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 28
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only CompTIA exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your JK0-022 exam preparations
and CompTIA certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.