Joe, a system architect, wants to implement appropriate solutions to secure the company’s distributed database. Which of the following concepts should be considered to help ensure data security? (Select TWO)
A. Data at rest B. Data in use C. Replication D. Wiping E. Retention F. Cloud Storage
A company wishes to prevent unauthorized employee access to the data center. Which of the following is the MOST secure way to meet this goal?
A. Use motion detectors to signal security whenever anyone enters the center B. Mount CCTV cameras inside the center to monitor people as they enter C. Install mantraps at every entrance to the data center in conjunction with their badges D. Place biometric readers at the entrances to verify employees’ identity
Joe, a company’s network engineer, is concerned that protocols operating at the application layer of the OSI model are vulnerable to exploitation on the network. Which of the following protocols should he secure?
A new client application developer wants to ensure that the encrypted passwords that are stored in their database are secure from cracking attempts. To implement this, the developer implements a function on the client application that hashes passwords thousands of times prior to being sent to the database. Which of the following did the developer MOST likely implement?
A. RIPEMD B. PBKDF2 C. HMAC D. ECDHE
Correct Answer: B Section: Cryptography
Password-Based Key Derivation Function 2 (PBKDF2) applies a pseudorandom function (a hashing operation, an encryption cipher function, or an HMAC operation) to the input password, which is combined with a salt, and the operation is repeated thousands of times.
A: RIPEMD is a hashing function, but it does not hash passwords thousands of times before sending them to the database.
C: HMAC (Hash-Based Message Authentication Code) uses a hashing algorithm along with a symmetric key. It does not, however, hash passwords thousands of times before sending them to
D: ECDHE provides both CRC integrity checks and RCA encryption.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 249, 254, 260, 343
Which of the following must be kept secret for a public key infrastructure to remain secure?
A. Certificate Authority B. Certificate revocation list C. Public key ring D. Private key
Correct Answer: D Section: Cryptography
The private key, which is also called the secret key, must be kept secret.
A: The CA must be accessible. It should not be kept secret.
A certificate authority (CA) is an organization. A CA is responsible for issuing, revoking, and distributing certificates.
B: The CRL should be readily accessible. It should be posted in a publicly accessible location.
A CRL is a database of revoked keys and signatures.
C: A public key ring must be available for all.
A public key ring is often implemented as a file with public keys in it.
The traditional PGP Key Ring is a sequential file with a sequential list of keys in it.
Slightly more advanced key rings, such as those used in Key Servers actually use a database.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 279-280, 279-285, 285
A security engineer is asked by the company’s development team to recommend the most secure method for password storage. Which of the following provide the BEST protection against brute forcing stored passwords? (Select TWO).
A. PBKDF2 B. MD5 C. SHA2 D. Bcrypt E. AES F. CHAP
Correct Answer: A,D Section: Cryptography
A: PBKDF2 (Password-Based Key Derivation Function 2) is part of PKCS #5 v2.01. It applies some function (such as a hash or HMAC) to the password or passphrase along with a salt to produce a derived key.
D: bcrypt is a key derivation function for passwords based on the Blowfish cipher. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function:
over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.
The bcrypt function is the default password hash algorithm for BSD and many other systems.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 109-110, 139, 143, 250, 255-256, 256
Which of the following would be used as a secure substitute for Telnet?
A. SSH B. SFTP C. SSL D. HTTPS
Correct Answer: A Section: Cryptography
Secure Shell (SSH) is a tunneling protocol originally designed for Unix systems. It uses encryption to establish a secure connection between two systems. SSH also provides alternative, security-equivalent programs for such Unix standards as Telnet, FTP, and many other communications-oriented applications. SSH is available for use on Windows systems as well. This makes it the preferred secure replacement for Telnet and other cleartext-oriented programs in the Unix environment.
B: SFTP is for file transfers, not a Telnet replacement.
The SSH File Transfer Protocol (also Secure File Transfer Protocol, or SFTP) is a network protocol that provides file access, file transfer, and file management functionality over any reliable data stream.
C: SSL is used to provide a secure channel, not to establish a Telnet connection.
The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most widely deployed security protocols in use today. Each is essentially a protocol that provides a secure channel between two machines operating over the Internet or an internal network.
D: HTTPS is not used for Telnet connections.
HTTPS is a communications protocol for secure communication over a computer network, with especially wide deployment on the Internet.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 76, 91, 268-269, 271, 274