CompTIA JK0-022 Online Practice
Questions and Exam Preparation
JK0-022 Exam Details
Exam Code
:JK0-022
Exam Name
:CompTIA Security+ Certification
Certification
:CompTIA Security+
Vendor
:CompTIA
Total Questions
:1149 Q&As
Last Updated
:Feb 05, 2025
CompTIA JK0-022 Online Questions &
Answers
Question 231:
Which of the following is an important step in the initial stages of deploying a host-based firewall?
A. Selecting identification versus authentication B. Determining the list of exceptions C. Choosing an encryption algorithm D. Setting time of day restrictions
B. Determining the list of exceptions A host-based firewall is installed on a client system and is used to protect the client system from the activities of the user as well as from communication from the network or Internet. These firewalls manage network traffic using filters to block certain ports and protocols while allowing others to pass through the system. Incorrect Answers: A: A host-based firewall is used to filter network traffic; it does not perform identification or authentication. C: A host-based firewall is used to filter network traffic; it does not provide encryption functions. D: A host-based firewall is used to filter and restrict network traffic based on ports and protocols, not on time of day. References: Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 246
Question 232:
Which of the following is true about PKI? (Select TWO).
A. When encrypting a message with the public key, only the public key can decrypt it. B. When encrypting a message with the private key, only the private key can decrypt it. C. When encrypting a message with the public key, only the CA can decrypt it. D. When encrypting a message with the public key, only the private key can decrypt it. E. When encrypting a message with the private key, only the public key can decrypt it.
D. When encrypting a message with the public key, only the private key can decrypt it. E. When encrypting a message with the private key, only the public key can decrypt it. E: You encrypt data with the private key and decrypt with the public key, though the opposite is much more frequent. Public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic protocols based on algorithms that require two separate keys, one of which is secret (or private) and one of which is public. Although different, the two parts of this key pair are mathematically linked. D: In a PKI the sender encrypts the data using the receiver's public key. The receiver decrypts the data using his own private key. PKI is a two-key, asymmetric system with four main components: certificate authority (CA), registration authority (RA), RSA (the encryption algorithm), and digital certificates. Messages are encrypted with a public key and decrypted with a private key. A PKI example: 1. You want to send an encrypted message to Jordan, so you request his public key. 2. Jordan responds by sending you that key. 3. You use the public key he sends you to encrypt the message. 4. You send the message to him. 5. Jordan uses his private key to decrypt the message. Incorrect Answers: A: The private and the public key are mathematically linked and make a key pair. You cannot use two public keys to encrypt and decrypt the data. B: The private and the public key are mathematically linked and make a key pair. You cannot use two private keys to encrypt and decrypt the data. C: If you encrypt the data with the public key, the data must be decrypted with the private key. The CA would not be able to decrypt the data by itself. References: Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 279-285
Question 233:
During a routine audit a web server is flagged for allowing the use of weak ciphers. Which of the following should be disabled to mitigate this risk? (Select TWO).
A. SSL 1.0 B. RC4 C. SSL 3.0 D. AES E. DES F. TLS 1.0
A. SSL 1.0 E. DES TLS 1.0 and SSL 1.0 both have known vulnerabilities and have been replaced by later versions. Any systems running these ciphers should have them disabled. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. This allows for data/message confidentiality, and message authentication codes for message integrity and as a by-product, message authentication Netscape developed the original SSL protocol. Version 1.0 was never publicly released because of serious security flaws in the protocol; version 2.0, released in February 1995, "contained a number of security flaws which ultimately led to the design of SSL version 3.0". TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0. As stated in the RFC, "the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0". TLS 1.0 does include a means by which a TLS implementation can downgrade the connection to SSL 3.0, thus weakening security. TLS 1.1 and then TLS 1.2 were created to replace TLS 1.0. Incorrect Answers: B: In cryptography, RC4 is the most widely used software stream cipher and is used in popular Internet protocols such as Transport Layer Security (TLS). Whilst some argue that RC4 does have a weakness, it is still commonly used today. SSL 1.0 and TLS 1.0 are considered to be weaker ciphers. Therefore, this answer is incorrect. C: Although TLS 1.2 has been created to replace SSL 3.0, SSL 3.0 is still commonly used today. SSL 1.0 and TLS 1.0 are considered to be weaker ciphers. Therefore, this answer is incorrect. D: AES (Advanced Encryption Standard) has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES) which was published in 1977. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. AES is not considered to be a weak cipher. Therefore, this answer is incorrect. F: In cryptography, Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. Although DES has been superseded by 3DES and AES, DES is still used today. SSL 1.0 and TLS 1.0 are considered to be weaker ciphers. Therefore, this answer is incorrect. References: http://en.wikipedia.org/wiki/Transport_Layer_Security http://en.wikipedia.org/wiki/Triple_DES
Question 234:
A recent audit has discovered that at the time of password expiration clients are able to recycle the previous credentials for authentication. Which of the following controls should be used together to prevent this from occurring? (Select TWO).
A. Password age B. Password hashing C. Password complexity D. Password history E. Password length
A. Password age D. Password history D: Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords. A: When a user is forced to change his password due to a maximum password age period expiring, he could change his password to a previously used password. Or if a password history value of 5 is configured, the user could change his password six times to cycle back round to his original password. This is where the minimum password age comes in. This is the period that a password must be used for. For example, a minimum password age of 30 would determine that when a user changes his password, he must continue to use the same password for at least 30 days. Incorrect Answers: B: Hashing is a one-way function that creates a fixed-length output from an input of any length. C, E: Password complexity combined with password length helps produce strong passwords, but can be recycled if password age and history is not configured. References: https://technet.microsoft.com/enus/library/cc757692%28v=ws.10%29.aspx#w2k3tr_sepol_accou_set_kuwh Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 292, 293, 315.
Question 235:
A company has recently allowed employees to take advantage of BYOD by installing WAPs throughout the corporate office. An employee, Joe, has recently begun to view inappropriate material at work using his personal laptop. When confronted, Joe indicated that he was never told that he could not view that type of material on his personal laptop. Which of the following should the company have employees acknowledge before allowing them to access the corporate WLAN with their personal devices?
A. Privacy Policy B. Security Policy C. Consent to Monitoring Policy D. Acceptable Use Policy
D. Acceptable Use Policy
Question 236:
A certificate authority takes which of the following actions in PKI?
A. Signs and verifies all infrastructure messages B. Issues and signs all private keys C. Publishes key escrow lists to CRLs D. Issues and signs all root certificates
D. Issues and signs all root certificates A certificate authority can issue multiple certificates in the form of a tree structure. A root certificate is part of a public key infrastructure (PKI) scheme. The most common commercial variety is based on the ITU-T X.509 standard, which normally includes a digital signature from a certificate authority (CA). Note: In cryptography and computer security, a root certificate is an unsigned public key certificate (also called self-signed certificate) that identifies the Root Certificate Authority (CA). Incorrect Answers: A: A CA does not sign or verify infrastructure messages. B: The CA issues and sign public keys, not private keys. In cryptography, a PKI(Public key infrastructure) is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The primary role of the CA is to digitally sign and publish the public key bound to a given user. C: A CA would not publish key escrow lists. Key escrow is the process of storing keys or certificates for use by law enforcement. Law enforcement has the right, under subpoena, to conduct investigations using these keys. References: Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 278-290
Question 237:
Which of the following is required to allow multiple servers to exist on one physical server?
A. Software as a Service (SaaS) B. Platform as a Service (PaaS) C. Virtualization D. Infrastructure as a Service (IaaS)
C. Virtualization Virtualization allows a single set of hardware to host multiple virtual machines. Incorrect Answers: A, B, D: These are models of Cloud Computing. References: Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 17, 19.
Question 238:
Concurrent use of a firewall, content filtering, antivirus software and an IDS system would be considered components of:
A. Redundant systems. B. Separation of duties. C. Layered security. D. Application control.
C. Layered security. Layered security is the practice of combining multiple mitigating security controls to protect resources and data. Incorrect Answers: A: Redundancy is the duplication of critical components or functions of a system with the intention of increasing reliability of the system, usually in the form of a backup or fail-safe. B: Separation of duties is the division of administrator or privileged tasks into distinct groupings, which are individually assigned to unique administrators. The application of separation of duties prevents a single user having complete access or power over an entire network, server, or system. D: Application control is a device-management solution that limits which applications can be installed onto a device. References: http://en.wikipedia.org/wiki/Layered_security http://en.wikipedia.org/wiki/Redundancy_(engineering) Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 82, 272.
Question 239:
Which of the following protocols is used to validate whether trust is in place and accurate by returning responses of either "good", "unknown", or "revoked"?
A. CRL B. PKI C. OCSP D. RA
C. OCSP The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. An OCSP responder (a server typically run by the certificate issuer) may return a signed response signifying that the certificate specified in the request is 'good', 'revoked', or 'unknown'. If it cannot process the request, it may return an error code. Incorrect Answers: A: CRL is not a protocol. CRL is a database which contains revoked certificates and keys. B: A PKI is not a protocol. A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. D: A registration authority (RA) is not a protocol. An RA offloads some of the work from a CA. An RA system operates as a middleman in the process: It can distribute keys, accept registrations for the CA, and validate identities. References: Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-285, 285 http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
Question 240:
A merchant acquirer has the need to store credit card numbers in a transactional database in a high performance environment. Which of the following BEST protects the credit card data?
A. Database field encryption B. File-level encryption C. Data loss prevention system D. Full disk encryption
A. Database field encryption Database encryption makes use of cryptography functions that are built into the database software to encrypt the data stored in the data base. This often offers granular encryption options which allows for the encryptions of the entire database, specific database tables, or specific database fields, such as a credit card number field. Incorrect Answers: B: File-level encryption would involve encrypting the entire database file. This would mean that accessing any data in the database would involve the overhead of decrypting the data. C: A data loss prevention system is a system designed to detect a potential data breach. It is not used to encrypt data. D: Full disk encryption would involve encrypting the entire hard disk. This would mean that accessing any data in the hard disk would involve the overhead of decrypting the data. References: http://docs.oracle.com/cd/B28359_01/network.111/b28530/asotrans.htm#g1011122 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 252
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only CompTIA exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your JK0-022 exam preparations
and CompTIA certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.