CompTIA Security Plus Mock Test Q1722

The security administrator receives an email on a non-company account from a coworker stating that some reports are not exporting correctly. Attached to the email was an example report file with several customers’ names and credit card numbers with the PIN. Which of the following is the BEST technical control that will help mitigate the risk of disclosing sensitive data?

A. Configure the mail server to require TLS connections for every email to ensure all transport data is encrypted
B. Create a user training program to identify the correct use of email and perform regular audits to ensure compliance
C. Implement a DLP solution on the email gateway to scan email and remove sensitive data or files
D. Classify all data according to its sensitivity and inform the users of data that is prohibited to share

Correct Answer: C
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1617

A company often processes sensitive data for the government. The company also processes a large amount of commercial work and as such is often providing tours to potential customers that take them into various workspaces. Which of the following security methods can provide protection against tour participants viewing sensitive information at minimal cost?

A. Strong passwords
B. Screen protectors
C. Clean-desk policy
D. Mantraps

Correct Answer: C
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1581

A company must send sensitive data over a non-secure network via web services. The company suspects that competitors are actively trying to intercept all transmissions. Some of the information may be valuable to competitors, even years after it has been sent. Which of the following will help mitigate the risk in the scenario?

A. Digitally sign the data before transmission
B. Choose stream ciphers over block ciphers
C. Use algorithms that allow for PFS
D. Enable TLS instead of SSL
E. Use a third party for key escrow

Correct Answer: A
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1558

An attacker has gained access to the company’s web server by using the administrator’s credentials. The attacker then begins to work on compromising the sensitive data on other servers. Which of the following BEST describes this type of attack?

A. Privilege escalation
B. Client-side attack
C. Man-in-the-middle
D. Transitive access

Correct Answer: B
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1210

Two organizations want to share sensitive data with one another from their IT systems to support a mutual customer base. Both organizations currently have secure network and security policies and procedures. Which of the following should be the PRIMARY security considerations by the security managers at each organization prior to sharing information? (Select THREE)

A. Physical security controls
B. Device encryption
C. Onboarding/Offboarding
D. Use of digital signatures
E. SLA/ISA
F. Data ownership
G. Use of smartcards or common access cards
H. Patch management

Correct Answer: B,E,F
Section: Mixed Questions

CompTIA Security Plus Mock Test Q772

The marketing department wants to distribute pens with embedded USB drives to clients. In the past this client has been victimized by social engineering attacks which led to a loss of sensitive data. The security administrator advises the marketing department not to distribute the USB pens due to which of the following?

A. The risks associated with the large capacity of USB drives and their concealable nature
B. The security costs associated with securing the USB drives over time
C. The cost associated with distributing a large volume of the USB pens
D. The security risks associated with combining USB drives and cell phones on a network

Correct Answer: A
Section: Application, Data and Host Security

Explanation:
USB drives and other USB devices represent a security risk because they can be used either to bring malicious code into a secure system or to copy sensitive data and remove it from the system.

Incorrect Answers:
B, C: Cost is not a security concern and would not be raised by the security administrator.
D: USB drives and cell phones represent separate security risks as USB drives cannot easily be inserted in cell phones.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 204
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p. 247

CompTIA Security Plus Mock Test Q760

Which of the following can be used on a smartphone to BEST protect against sensitive data loss if the device is stolen? (Select TWO).

A. Tethering
B. Screen lock PIN
C. Remote wipe
D. Email password
E. GPS tracking
F. Device encryption

Correct Answer: C,F
Section: Application, Data and Host Security

Explanation:
C: Remote wipe is the process of deleting data on a device in the event that the device is stolen. This is performed over remote connections such as the mobile phone service or the internet connection and helps ensure that sensitive data is not accessed by unauthorized people.
F: Device encryption encrypts the data on the device. This feature ensures that the data on the device cannot be accessed in a usable form should the device be stolen.

Incorrect Answers:
A: Device tethering is the process of connecting one device to another over a wireless LAN (Wi-Fi) or Bluetooth connection or by using a cable. This allows the tethered devices to share an Internet connection. It does not protect the device against data loss in the event of the device being stolen.
B: Screen locks are a security feature that requires the user to enter a PIN or a password after a short period of inactivity before they can access the system again. This feature ensures that if your device is left unattended or is lost or stolen, it will be more difficult for anyone else to access your data or applications. However, screen locks may have workarounds, such as accessing the phone application through the emergency calling feature.
D: Some email applications allow users to set a password on an email that could be shared with the recipient. This does not protect against sensitive data loss if the device is stolen.
E: Global Positioning System (GPS) tracking can be used to identify the location of a stolen device and can allow authorities to locate the device. However, for GPS tracking to work, the device must have an Internet connection or a wireless phone service over which to send its location information.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 418-419
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 236-237

CompTIA Security Plus Mock Test Q712

An organization must implement controls to protect the confidentiality of its most sensitive data. The company is currently using a central storage system and group based access control for its sensitive information. Which of the following controls can further secure the data in the central storage system?

A. Data encryption
B. Patching the system
C. Digital signatures
D. File hashing

Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
Data encryption makes data unreadable to anyone who does not have the required key to decrypt the data. The question states that the sensitive data is stored on a central storage system. Group based access control is used to control who can access the sensitive data. However, this offers no physical security for the data. Someone could steal the central storage system or remove the hard disks from it with the plan of placing the hard disks into another system to read the data on the disks. With the data encrypted, the data would be unreadable.

Incorrect Answers:
B: The question states that the sensitive data is stored on a central storage system (such as a SAN). A SAN typically does not need patching. Even if the storage was attached to a system that did need patching (such as a file server), patching the system would still provide no protection against the removal of the hard disks containing the data.
C: A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software, or digital document. Digital signatures would not further secure the data in the central storage system.
D: File hashing is used to ensure that the version of the file a user receives has not been tampered with when accessing files over a network. It is not used to secure files on a storage system.

CompTIA Security Plus Mock Test Q586

Highly sensitive data is stored in a database and is accessed by an application on a DMZ server. The disk drives on all servers are fully encrypted. Communication between the application server and end-users is also encrypted. Network ACLs prevent any connections to the database server except from the application server. Which of the following can still result in exposure of the sensitive data in the database server?

A. SQL Injection
B. Theft of the physical database server
C. Cookies
D. Cross-site scripting

Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
The question discusses a very secure environment with disk and transport level encryption and access control lists restricting access. SQL data in a database is accessed by SQL queries from an application on the application server. The data can still be compromised by a SQL injection attack.
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application’s software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

Incorrect Answers:
B: Theft of the physical database server would not expose the sensitive data in the database server because the disks are encrypted. You would need the key used to encrypt the data in order to decrypt the data on the disks.
C: Cookies are text files stored on a user’s computer to store website information. This is to provide the user with a consistent website browsing experience. Cookies do not pose a risk to the sensitive data on the database server.
D: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.
Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely. Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site. When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user.
The sensitive data is stored in databases on the database server. It is therefore not vulnerable to an XSS attack.

References:
http://en.wikipedia.org/wiki/SQL_injection
http://en.wikipedia.org/wiki/Cross-site_scripting