CompTIA Security Plus Mock Test Q1001

A file on a Linux server has default permissions of rw-rw-r--. The system administrator has verified that Ann, a user, is not a member of the group owner of the file. Which of the following should be modified to ensure that Ann has read access to the file?

A. User ownership information for the file in question
B. Directory permissions on the parent directory of the file in question
C. Group memberships for the group owner of the file in question
D. The file system access control list (FACL) for the file in question

Correct Answer: C
Section: Access Control and Identity Management

Explanation:
The file permissions according to the file system access control list (FACL) are rw-rw-r--.
The first ‘rw-’ are the file owner permissions (read and write).
The second ‘rw-’ are the group permissions (read and write) for the group that has been assigned the file.
The third ‘r--’ is the All Users permissions; in this case read only.
To enable Ann to access the file, we should add Ann to the group that has been assigned to the file.
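As an added illustration (not part of the mock test), the function below resolves a symbolic mode string the way the kernel does: exactly one class (owner, group or other) applies to a given user, and a user's class is chosen before its bits are examined. The file, user and group names are constructed sample data.

```python
# Added example (not from the mock test): resolve POSIX mode-bit access for
# the rw-rw-r-- file in the question. Names are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class File:
    mode: str            # symbolic mode string, e.g. "rw-rw-r--"
    owner: str
    group: str


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)


def parse_mode(mode: str) -> tuple[str, str, str]:
    """Split 'rwxrwxrwx' into the owner, group and other triplets."""
    if len(mode) != 9:
        raise ValueError(f"bad mode string: {mode!r}")
    return mode[0:3], mode[3:6], mode[6:9]


def has_access(f: File, u: User, want: str) -> bool:
    """want is 'r', 'w' or 'x'.  Only ONE class applies, chosen in the order
    owner -> group -> other.  The class is picked first and its bits are
    final: a group member whose group triplet is '---' gets nothing even
    when 'other' has read."""
    owner, group, other = parse_mode(f.mode)
    if u.name == f.owner:
        triplet = owner
    elif f.group in u.groups:
        triplet = group
    else:
        triplet = other
    return want in triplet


# Constructed sample: the file from the question, owned by bob:finance,
# and Ann, who is not in the finance group.
payroll = File("rw-rw-r--", owner="bob", group="finance")
ann = User("ann", groups={"users"})
ann_in_group = User("ann", groups={"users", "finance"})
```

Adding Ann to the file's group moves her from the "other" class to the group class, so the group triplet is what she gets from then on.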

Incorrect Answers:
A: You should not modify the ownership of the file to give another user access to the file. Therefore, this answer is incorrect.
B: Ann only needs to access the file, not the entire directory so you should not modify the permissions of the directory. Therefore, this answer is incorrect.
C: You should not modify Group memberships for the group owner of the file to give another user access to the file. Therefore, this answer is incorrect.

References:
https://www.linux.com/learn/tutorials/309527-understanding-linux-file-permissions

CompTIA Security Plus Mock Test Q1000

A company plans to expand by hiring new engineers who work in highly specialized areas. Each engineer will have very different job requirements and use unique tools and applications in their job. Which of the following is MOST appropriate to use?

A. Role-based privileges
B. Credential management
C. User assigned privileges
D. User access


Correct Answer: A
Section: Access Control and Identity Management

Explanation:
In this question, we have engineers who require different tools and applications according to their specialized job function. We can therefore use the Role-Based Access Control model.
Role-Based Access Control (RBAC) models approach the problem of access control based on established roles in an organization. RBAC models implement access by job function or by responsibility. Each employee has one or more roles that allow access to specific information. If a person moves from one role to another, the access for the previous role will no longer be available.
Instead of thinking “Denise needs to be able to edit files,” RBAC uses the logic “Editors need to be able to edit files” and “Denise is a member of the Editors group.” This model is always good for use in an environment in which there is high employee turnover.

Incorrect Answers:
B: Credential management is the management or storage of usernames and passwords. Credential management is not used to assign privileges or software configurations. Therefore, this answer is incorrect.
C: We could use user assigned privileges. However, this involves configuring privileges on a per user basis. Every time a new engineer starts, you would have to configure his privileges. Therefore, this answer is incorrect.
D: User access is a generic term, not a specific configuration. We need to configure user access but other answers define how the user access is configured. Therefore, this answer is incorrect.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p. 151-152

CompTIA Security Plus Mock Test Q999

The security administrator notices a user logging into a corporate Unix server remotely as root. Which of the following actions should the administrator take?

A. Create a firewall rule to block SSH
B. Delete the root account
C. Disable remote root logins
D. Ensure the root account has a strong password


Correct Answer: C
Section: Access Control and Identity Management

Explanation:
Remote users log in to Unix or Linux servers by using SSH. Although SSH is secure, allowing remote access as root is a security risk.
One of the biggest security holes you could open on a Unix or Linux server is to allow directly logging in as root through SSH, because any cracker can attempt to brute force your root password and potentially get access to your system if they can figure out your password.
It’s much better to have a separate account that you regularly use and simply sudo to root when necessary.
You should disable root ssh access by editing /etc/ssh/sshd_config to contain:
PermitRootLogin no
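As an added example (not part of the mock test), the script below does the two things the scenario calls for from the administrator's side: it picks accepted root logins out of sshd log lines, and it reads the effective PermitRootLogin value from sshd_config text. The log lines and configuration fragments are constructed samples; the host name, PIDs and addresses are invented.

```python
# Added example (not from the mock test): detect accepted root logins over
# SSH and check whether sshd_config actually forbids them.  Log lines and
# config text are constructed samples.
import re

# OpenSSH logs a successful login as
# "sshd[PID]: Accepted <method> for <user> from <ip> port <n> ssh2"
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def root_logins(log_lines):
    """Return (method, ip) for every accepted SSH login as root."""
    hits = []
    for line in log_lines:
        m = ACCEPTED.search(line)
        if m and m.group("user") == "root":
            hits.append((m.group("method"), m.group("ip")))
    return hits


def permit_root_login(config_text):
    """Effective global PermitRootLogin.  sshd uses the FIRST value it reads
    for a keyword (later duplicates are ignored), keyword and value may be
    separated by whitespace or '=', and settings inside a Match block are
    conditional, so parsing stops there.  Default is 'prohibit-password'."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return "prohibit-password"


def audit(log_lines, config_text):
    """One finding if root has logged in remotely OR the config allows it."""
    logins = root_logins(log_lines)
    setting = permit_root_login(config_text)
    return {"root_logins": logins, "permit_root_login": setting,
            "finding": bool(logins) or setting != "no"}


# Constructed sample data (not real hosts or addresses).
SAMPLE_LOG = [
    "Mar  3 09:12:01 srv1 sshd[2211]: Accepted publickey for joe from 10.0.0.5 port 51122 ssh2",
    "Mar  3 09:14:37 srv1 sshd[2290]: Accepted password for root from 203.0.113.7 port 40100 ssh2",
    "Mar  3 09:15:02 srv1 sshd[2290]: pam_unix(sshd:session): session opened for user root",
    "Mar  3 09:20:44 srv1 sshd[2311]: Failed password for root from 203.0.113.7 port 40122 ssh2",
]
WEAK_CONFIG = "Port 22\n#PermitRootLogin no\nPermitRootLogin yes\nPermitRootLogin no\n"
FIXED_CONFIG = "Port 22\nPermitRootLogin no\nMatch User joe\n    PermitRootLogin yes\n"
```

Note that in WEAK_CONFIG the commented-out line is ignored and the first live value (yes) wins, which is why a trailing "PermitRootLogin no" does not fix the problem.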

Incorrect Answers:
A: Blocking SSH would prevent all remote access to all servers using SSH. We do not want to disable all SSH access; we just want to prevent remotely logging in to the UNIX server as root. Therefore, this answer is incorrect.
B: You should never delete the root account. The root account is required by Unix. Therefore, this answer is incorrect.
D: Ensuring the root account has a strong password is a good idea. However, this will not prevent remotely logging in to the server as root. Therefore, this answer is incorrect.

References:
Security Tip: Disable Root SSH Login on Linux

CompTIA Security Plus Mock Test Q995

The security manager wants to unify the storage of credential, phone numbers, office numbers, and address information into one system. Which of the following is a system that will support the requirement on its own?

A. LDAP
B. SAML
C. TACACS
D. RADIUS


Correct Answer: A
Section: Access Control and Identity Management

Explanation:
A ‘directory’ contains information about users.
The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs on a layer above the TCP/IP stack. It provides a mechanism used to connect to, search, and modify Internet directories.
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.

Incorrect Answers:
B: Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is not used for the storage of credential, phone numbers, office numbers, and address information into one system.
C: Terminal Access Controller Access-Control System (TACACS) is a client/server-oriented environment, and operates in a manner similar to RADIUS. TACACS is not used for the storage of credential, phone numbers, office numbers, and address information into one system.
D: Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service. RADIUS is not used for the storage of credential, phone numbers, office numbers, and address information into one system.

References:
https://msdn.microsoft.com/en-us/library/aa367008(v=vs.85).aspx
https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

CompTIA Security Plus Mock Test Q994

Which of the following protocols is MOST likely to be leveraged by users who need additional information about another user?

A. LDAP
B. RADIUS
C. Kerberos
D. TACACS+


Correct Answer: A
Section: Access Control and Identity Management

Explanation:
A ‘directory’ contains information about users.
The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs on a layer above the TCP/IP stack. It provides a mechanism used to connect to, search, and modify Internet directories.
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.

Incorrect Answers:
B: Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service. It is not used by users who need additional information about another user. Therefore, this answer is incorrect.
C: Kerberos is an authentication protocol. It is not used by users who need additional information about another user. Therefore, this answer is incorrect.
D: Terminal Access Controller Access-Control System (TACACS+) is a client/server-oriented environment, and operates in a manner similar to RADIUS. It is not used by users who need additional information about another user. Therefore, this answer is incorrect.

References:
https://msdn.microsoft.com/en-us/library/aa367008(v=vs.85).aspx
https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

CompTIA Security Plus Mock Test Q993

An organization’s security policy states that users must authenticate using something you do. Which of the following would meet the objectives of the security policy?

A. Fingerprint analysis
B. Signature analysis
C. Swipe a badge
D. Password


Correct Answer: B
Section: Access Control and Identity Management

Explanation:
Authentication systems or methods are based on one or more of these five factors:
Something you know, such as a password or PIN
Something you have, such as a smart card, token, or identification device
Something you are, such as your fingerprints or retinal pattern (often called biometrics)
Something you do, such as an action you must take to complete authentication
Somewhere you are (this is based on geolocation)
Writing your signature on a document is ‘something you do’. Someone can then analyze the signature to see if it matches one stored on record.

Incorrect Answers:
A: Authenticating using a fingerprint is classed as ‘something you are’, not ‘something you do’. A fingerprint is part of you. Therefore, this answer is incorrect.
C: Swiping a badge is classed as ‘something you have’, not ‘something you do’. You ‘have’ the badge. Therefore, this answer is incorrect.
D: Authenticating using a password is classed as ‘something you know’, not ‘something you do’. You ‘know’ the password. Therefore, this answer is incorrect.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p. 131

CompTIA Security Plus Mock Test Q992

Ann has recently transferred from the payroll department to engineering. While browsing file shares, Ann notices she can access the payroll status and pay rates of her new coworkers. Which of the following could prevent this scenario from occurring?

A. Credential management
B. Continuous monitoring
C. Separation of duties
D. User access reviews


Correct Answer: D
Section: Access Control and Identity Management

Explanation:
In addition to assigning user access properly, it is important to review that access periodically. Access review is a process to determine whether a user’s access level is still appropriate. People’s roles within an organization can change over time. It is important to review user accounts periodically and determine if they still require the access they currently have. An example of such a scenario would be a network administrator who was responsible for the domain controller but then moved over to administer the remote access servers. The administrator’s access to the domain controller should now be terminated. This concept of access review is closely related to the concept of least privileges. It is important that users do not have “leftover” privileges from previous job roles.
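As an added example serving both this question and Q1000 (not part of the mock test), the code below models role-based grants and then runs the periodic access review the explanation describes: it compares what an account actually holds with what its current roles justify and reports the leftover privileges. The roles, permission names and Ann's transfer from payroll to engineering are constructed sample data.

```python
# Added example (not from the mock test): RBAC grants plus an access review
# that flags "leftover" privileges from a previous role.  Roles, permission
# names and the user record are constructed sample data.

# RBAC: permissions attach to the job function, never to the person.
ROLE_PERMS = {
    "payroll":     {"share:payroll:read", "share:payroll:write", "app:hr:edit"},
    "engineering": {"share:eng:read", "share:eng:write", "tool:ci:run"},
}


def entitled(roles):
    """Everything an account should hold given the roles it currently has."""
    perms = set()
    for r in roles:
        perms |= ROLE_PERMS[r]
    return perms


def move_role(user, old, new):
    """A transfer replaces the old role, so access derived from it lapses."""
    user["roles"].discard(old)
    user["roles"].add(new)
    return user


def access_review(user):
    """Compare what the account really holds with what its roles justify.
    Returns (leftover, missing): leftover is what least privilege says to
    remove, missing is what the new role still lacks."""
    should = entitled(user["roles"])
    has = user["granted"]
    return sorted(has - should), sorted(should - has)


def remediate(user):
    """Strip the leftover grants the review found; returns what was removed."""
    leftover, _ = access_review(user)
    user["granted"] -= set(leftover)
    return leftover


# Constructed scenario: Ann's role was updated when she transferred, but the
# share ACL entries granted while she was in payroll were never removed.
ann = {"name": "ann", "roles": {"payroll"}, "granted": entitled({"payroll"})}
move_role(ann, "payroll", "engineering")
ann["granted"] |= entitled({"engineering"})   # new role's access added on transfer
```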

Incorrect Answers:
A: Credential management is the management or storage of usernames and passwords. Credential management would not prevent Ann from accessing the payroll files. Therefore, this answer is incorrect.
B: Continuous monitoring implies an ongoing audit of what resources a user actually accesses. Continuous monitoring would enable you to see that Ann can access the payroll files. It does not prevent access though. Therefore, this answer is incorrect.
C: Separation of duties policies are designed to reduce the risk of fraud and to prevent other losses in an organization by requiring more than one person to accomplish key processes. Separation of duties would not prevent Ann from accessing the payroll files. Therefore, this answer is incorrect.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p. 154

CompTIA Security Plus Mock Test Q989

A network administrator, Joe, arrives at his new job to find that none of the users have changed their network passwords since they were initially hired. Joe wants to have everyone change their passwords immediately. Which of the following policies should be enforced to initiate a password change?

A. Password expiration
B. Password reuse
C. Password recovery
D. Password disablement


Correct Answer: A
Section: Access Control and Identity Management

Explanation:
The Maximum password age policy setting determines the number of days that a password can be used before the system requires the user to change it. The password expiration setting determines that a user will not be able to log into a system without changing their password after the maximum password age has been reached.
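As an added example (not part of the mock test), the code below evaluates the maximum-age fields of Linux /etc/shadow records, where this policy is actually stored, and shows what applying a maximum password age does to accounts whose passwords were never changed. The shadow lines are constructed samples with fake hashes; on a real system the file is readable only by root.

```python
# Added example (not from the mock test): password-expiration state from
# /etc/shadow fields.  Records below are constructed samples (fake hashes).

# shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg = days since 1970-01-01 of the last change; 0 means "must change
# at next login" (what `chage -d 0 USER` sets).  max empty or 99999 means
# the password never expires.
SAMPLE_SHADOW = """\
joe:$6$fakesalt$FAKEHASHFAKEHASHFAKEHASH:18500:0:90:7:::
ann:$6$fakesalt$FAKEHASHFAKEHASHFAKEHASH:18500:0:99999:7:::
bob:$6$fakesalt$FAKEHASHFAKEHASHFAKEHASH:0:0:90:7:::
svc:*:18500:0:90:7:::
"""


def parse_shadow(text):
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError("malformed shadow line for " + f[0])
        out[f[0]] = {
            "hash": f[1],
            "lastchg": int(f[2]) if f[2] else None,
            "max": int(f[4]) if f[4] else None,
            "warn": int(f[5]) if f[5] else 0,
        }
    return out


def password_state(rec, today):
    """today is a day count since the epoch, like the lastchg field."""
    if rec["hash"] in ("*", "!!") or rec["hash"].startswith("!"):
        return "locked"            # no usable hash: password login impossible
    if rec["lastchg"] == 0:
        return "must-change"
    if rec["max"] is None or rec["max"] >= 99999:
        return "never-expires"
    age = today - rec["lastchg"]
    if age > rec["max"]:
        return "expired"
    if age >= rec["max"] - rec["warn"]:
        return "expiring"
    return "ok"


def users_needing_change(text, today):
    recs = parse_shadow(text)
    return sorted(u for u, r in recs.items()
                  if password_state(r, today) in ("expired", "must-change"))


def enforce_max_age(recs, max_days):
    """The expiration policy from the question (per user, `chage -M max_days`):
    once every account has a maximum age, passwords older than it expire."""
    for r in recs.values():
        r["max"] = max_days
    return recs
```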

Incorrect Answers:
B: Password reuse policies (also known as password history) determine the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords. This does not force a user to change their password. Therefore, this answer is incorrect.
C: Password recovery is the process of recovering a lost or forgotten password. This usually involves an administrator resetting the password as most passwords are stored as hash values so the actual password cannot be determined. This does not force a user to change their password. Therefore, this answer is incorrect.
D: Password disablement (also known as account disablement) is the process of locking or disabling a user account. A disabled account cannot be logged into but can be re-enabled when required. When a user will be gone from a company for a while (maternity leave, for example), their account should be disabled until they return. This does not force a user to change their password. Therefore, this answer is incorrect.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p. 140-141.

CompTIA Security Plus Mock Test Q988

Ann is a member of the Sales group. She needs to collaborate with Joe, a member of the IT group, to edit a file. Currently, the file has the following permissions:
Ann: read/write
Sales Group: read
IT Group: no access
If a discretionary access control list is in place for the files owned by Ann, which of the following would be the BEST way to share the file with Joe?

A. Add Joe to the Sales group.
B. Have the system administrator give Joe full access to the file.
C. Give Joe the appropriate access to the file directly.
D. Remove Joe from the IT group and add him to the Sales group.


Correct Answer: C
Section: Access Control and Identity Management

Explanation:
Joe needs access to only one file. He also needs to ‘edit’ that file. Editing a file requires Read and Write access to the file. The best way to provide Joe with the minimum required permissions to edit the file would be to give Joe the appropriate access to the file directly.

Incorrect Answers:
A: The Sales group only has read access to the file. Joe needs Read and Write access to the file. Adding Joe to the Sales group will not provide him with the required access to the file. Therefore, this answer is incorrect.
B: Joe needs Read and Write access to the file; he does not need full access to the file. It is best practice from a security perspective to provide the minimum permissions required. Therefore, this answer is incorrect.
D: Something to watch out for with these questions: ‘No access’ means the group has not been granted ‘or denied’ access to the file. “Access Denied” is different. It means access has been explicitly denied. Access Denied would override all other access granted permissions.
The Sales group only has read access to the file. Joe needs Read and Write access to the file. Adding Joe to the Sales group will not provide him with the required access to the file. Therefore, this answer is incorrect.
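As an added example (not part of the mock test), the code below evaluates a discretionary ACL with the two rules the explanation stresses: a principal with no entry simply gets nothing, and an explicit Deny overrides any Allow. It then checks each option from the question against the file's ACL. The entry names and rights are constructed sample data.

```python
# Added example (not from the mock test): DACL evaluation where an explicit
# Deny beats Allow and "no entry" means no access.  Names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    kind: str           # "allow" or "deny"
    principal: str      # user or group name
    rights: frozenset   # e.g. frozenset({"read", "write"})


def effective_rights(acl, user, groups):
    """Rights `user` ends up with, given the groups they belong to."""
    principals = {user, *groups}
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal not in principals:
            continue
        (denied if ace.kind == "deny" else allowed).update(ace.rights)
    return allowed - denied        # an explicit deny wins over any allow


def can_edit(acl, user, groups):
    """Editing needs both read and write, as the explanation states."""
    return {"read", "write"} <= effective_rights(acl, user, groups)


def grant_direct(acl, user, rights):
    """Option C: the file owner (Ann, under DAC) adds an entry for Joe alone."""
    return acl + [Ace("allow", user, frozenset(rights))]


# The file from the question: Ann read/write, Sales read, IT has no entry.
FILE_ACL = [
    Ace("allow", "ann", frozenset({"read", "write"})),
    Ace("allow", "Sales", frozenset({"read"})),
]
```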