CompTIA Security Plus Mock Test Q1676

A server administrator needs to administer a server remotely using RDP, but the specified port is closed on the outbound firewall on the network. Which of the following would allow the administrator to access the server using RDP on a port other than the typical registered port for the RDP protocol?

A. TLS
B. MPLS
C. SCP
D. SSH


Correct Answer: A
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1060

Recent data loss on financial servers due to security breaches forced the system administrator to harden their systems. Which of the following algorithms with transport encryption would be implemented to provide the MOST secure web connections to manage and access these servers?

A. SSL
B. TLS
C. HTTP
D. FTP


Correct Answer: B
Section: Cryptography

Explanation:
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network.
Transport Layer Security (TLS) is a security protocol that expands upon SSL. Many industry analysts predict that TLS will replace SSL in the future. TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0. As of February 2015, the latest versions of all major web browsers support TLS 1.0, 1.1, and 1.2, and have them enabled by default.

Incorrect Answers:
A: As of 2014 the 3.0 version of SSL is considered insecure as it is vulnerable to the POODLE attack that affects all block ciphers in SSL; and RC4, the only non-block cipher
supported by SSL 3.0, is also feasibly broken as used in SSL 3.0.
B: The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems. HTTP is not a transport protocol.
D: The File Transfer Protocol (FTP) is not a transport layer protocol. FTP is a standard network protocol used to transfer computer files from one host to another host over a TCP-based network, such as the Internet.
FTP is built on a client-server architecture and uses separate control and data connections between the client and the server.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 75, 268-269

CompTIA Security Plus Mock Test Q1043

Which of the following ciphers would be BEST used to encrypt streaming video?

A. RSA
B. RC4
C. SHA1
D. 3DES


Correct Answer: B
Section: Cryptography

Explanation:
In cryptography, RC4 is the most widely used software stream cipher and is used in popular Internet protocols such as Transport Layer Security (TLS). While remarkable for its
simplicity and speed in software, RC4 has weaknesses that argue against its use in new systems. It is especially vulnerable when the beginning of the output keystream is not
discarded, or when nonrandom or related keys are used; some ways of using RC4 can lead to very insecure protocols such as WEP.
Because RC4 is a stream cipher, it is more malleable than common block ciphers. If not used together with a strong message authentication code (MAC), then encryption is vulnerable
to a bit-flipping attack. The cipher is also vulnerable to a stream cipher attack if not implemented correctly. Furthermore, inadvertent double encryption of a message with the same key
may accidentally output plaintext rather than ciphertext because the involutory nature of the XOR function would result in the second operation reversing the first.
It is noteworthy, however, that RC4, being a stream cipher, was for a period of time the only common cipher that was immune to the 2011 BEAST attack on TLS 1.0. The attack
exploits a known weakness in the way cipher block chaining mode is used with all of the other ciphers supported by TLS 1.0, which are all block ciphers.

Incorrect Answers:
A: RSA encryption is used for encrypting data in transit. RSA involves a public key and a private key. The public key can be known by everyone and is used for encrypting messages.
Messages encrypted with the public key can only be decrypted in a reasonable amount of time using the private key. However, RSA is not used to encrypt streaming video.
C: SHA stands for “secure hash algorithm”. SHA-1 is the most widely used of the existing SHA hash functions, and is employed in several widely used applications and protocols
including TLS and SSL, PGP, SSH, S/MIME, and IPsec. It is used to ensure data integrity. However, it is not used to encrypt streaming video.
D: In cryptography, Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm (TDEA or Triple DEA) symmetric-key block cipher, which applies the Data
Encryption Standard (DES) cipher algorithm three times to each data block. The electronic payment industry uses Triple DES and continues to develop and promulgate standards
based upon it (e.g. EMV). Microsoft OneNote, Microsoft Outlook 2007, and Microsoft System Center Configuration Manager 2012, use Triple DES to password protect user content
and system data. However, it is not used to encrypt streaming video.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 250, 251, 255-256
http://en.wikipedia.org/wiki/RC4
http://en.wikipedia.org/wiki/SHA-1
http://en.wikipedia.org/wiki/Triple_DES

CompTIA Security Plus Mock Test Q1032

Which of the following is used to verify data integrity?

A. SHA
B. 3DES
C. AES
D. RSA


Correct Answer: A
Section: Cryptography

Explanation:
SHA stands for “secure hash algorithm”. SHA-1 is the most widely used of the existing SHA hash functions, and is employed in several widely used applications and protocols
including TLS and SSL, PGP, SSH, S/MIME, and IPsec. It is used to ensure data integrity.
Note:
A hash value (or simply hash), also called a message digest, is a number generated from a string of text. The hash is substantially smaller than the text itself, and is generated by a
formula in such a way that it is extremely unlikely that some other text will produce the same hash value.
Hashes play a role in security systems where they’re used to ensure that transmitted messages have not been tampered with. The sender generates a hash of the message, encrypts
it, and sends it with the message itself. The recipient then decrypts both the message and the hash, produces another hash from the received message, and compares the two
hashes. If they’re the same, there is a very high probability that the message was transmitted intact. This is how hashing is used to ensure data integrity.
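The hash-then-compare integrity check described here, together with the bit-flipping and double-encryption behaviour of stream ciphers described under Q1043, as an added example that is not from the study guide. A constructed toy XOR stream cipher (SHA-256 in counter mode, not RC4) stands in for the stream cipher, and an HMAC over the ciphertext plays the part of the "encrypted hash"; keys and messages are fixed constructed values.

```python
import hashlib
import hmac

# Constructed toy keystream: SHA-256(key || counter). Stands in for RC4 only to
# show stream-cipher properties; it is NOT RC4 and not meant for real use.
def keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def stream_xor(key: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR operation (involutory).
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    # Alter one ciphertext bit; on a stream cipher the same plaintext bit flips.
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)

def tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    # Keyed hash over the ciphertext (encrypt-then-MAC): the receiver cannot
    # recompute it without the key, unlike a plain, unkeyed digest.
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()

def verify(mac_key: bytes, ciphertext: bytes, received_tag: bytes) -> bool:
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(tag(mac_key, ciphertext), received_tag)

def demo() -> dict:
    enc_key, mac_key = b"k" * 16, b"m" * 16   # constructed fixed keys
    plaintext = b"PAY 100 USD TO ALICE"
    ct = stream_xor(enc_key, plaintext)
    t = tag(mac_key, ct)

    # Malleability: byte 4 is '1' (0x31); XOR with 0x08 turns it into '9' (0x39),
    # so the decrypted amount silently becomes 900 if nobody checks a MAC.
    forged_ct = flip_bit(ct, 4, 3)
    forged_pt = stream_xor(enc_key, forged_ct)

    # Involution: XOR-ing the ciphertext with the same keystream again gives plaintext.
    double = stream_xor(enc_key, ct)

    return {
        "roundtrip_ok": stream_xor(enc_key, ct) == plaintext,
        "forged_plaintext": forged_pt,
        "forgery_detected": not verify(mac_key, forged_ct, t),
        "genuine_accepted": verify(mac_key, ct, t),
        "double_encrypt_is_plaintext": double == plaintext,
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```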

Incorrect Answers:
B: In cryptography, Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm (TDEA or Triple DEA) symmetric-key block cipher, which applies the Data
Encryption Standard (DES) cipher algorithm three times to each data block. 3DES is used to encrypt data, not to verify data integrity.
C: AES (Advanced Encryption Standard) has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES) which was
published in 1977. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. AES is used to encrypt
data, not to verify data integrity.
D: RSA encryption is used for encrypting data in transit. RSA involves a public key and a private key. The public key can be known by everyone and is used for encrypting messages.
Messages encrypted with the public key can only be decrypted in a reasonable amount of time using the private key. RSA is used to encrypt data, not to verify data integrity.

References:
http://en.wikipedia.org/wiki/SHA-1
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 250, 251, 255-256

CompTIA Security Plus Mock Test Q1011

Which of the following transportation encryption protocols should be used to ensure maximum security between a web browser and a web server?

A. SSLv2
B. SSHv1
C. RSA
D. TLS

Correct Answer: D
Section: Cryptography

Explanation:
HTTP Secure (HTTPS) is the protocol used for “secure” web pages that users should see when they must enter personal information such as credit card numbers, passwords, and other identifiers. It combines HTTP with SSL/TLS to provide encrypted communication.
Transport Layer Security (TLS) is a security protocol that expands upon SSL. Many industry analysts predict that TLS will replace SSL, and it is also referred to as SSL 3.1.

Incorrect Answers:
A: SSLv2 is not as secure as TLS (also known as SSL 3.1).
B: Secure Shell, or SSH, is not used to secure browser sessions. SSH is a cryptographic (encrypted) network protocol for initiating text-based shell sessions on remote machines in a
secure way.
C: RSA is not used to encrypt browser sessions.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 252, 268-269, 271

CompTIA Security Plus Mock Test Q1010

The concept of rendering data passing between two points over an IP based network impervious to all but the most sophisticated advanced persistent threats is BEST categorized as which of the following?

A. Stream ciphers
B. Transport encryption
C. Key escrow
D. Block ciphers


Correct Answer: B
Section: Cryptography

Explanation:
Transport encryption is the process of encrypting data ready to be transmitted over an insecure network. A common example of this would be online banking or online purchases
where sensitive information such as account numbers or credit card numbers is transmitted.
Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS
ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).

Incorrect Answers:
A: A stream cipher is used for encrypting data when the size of the data is unknown (such as streaming a movie). The data is encrypted one bit at a time as it is streamed. RC4 is a
commonly used stream cipher. A stream cipher is a specific description of something that is used to encrypt a stream of data. It is not a concept of securing data between two points.
C: Key escrow is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain
access to those keys. It is not a concept of securing data between two points.
D: A block cipher is used to encrypt a chunk of data (block) before transmitting the data. A block cipher is a specific description of something that is used to encrypt a block of data. It is
not a concept of securing data between two points.

References:
http://en.wikipedia.org/wiki/Transport_Layer_Security
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 249, 250, 262

CompTIA Security Plus Mock Test Q1002

Which of the following protocols uses an asymmetric key to open a session and then establishes a symmetric key for the remainder of the session?

A. SFTP
B. HTTPS
C. TFTP
D. TLS


Correct Answer: D
Section: Cryptography

Explanation:
SSL establishes a session using asymmetric encryption and maintains the session using symmetric encryption.

Incorrect Answers:
A: SFTP, Secure File Transfer Protocol, does not provide authentication and security; it expects the underlying protocol to secure this.
B: HTTPS, “HTTP over SSL/TLS”, is not a protocol in and of itself; rather, it is the result of simply layering the Hypertext Transfer Protocol (HTTP) on top of the SSL or TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications.
C: TFTP, Trivial File Transfer Protocol, includes no login or access control mechanisms.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 76, 268-269, 274

CompTIA Security Plus Mock Test Q884

Which of the following was based on a previous X.500 specification and allows either unencrypted authentication or encrypted authentication through the use of TLS?

A. Kerberos
B. TACACS+
C. RADIUS
D. LDAP


Correct Answer: D
Section: Access Control and Identity Management

Explanation:
The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services
over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users,
systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure,
such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.
A common usage of LDAP is to provide a “single sign on” where one password for a user is shared between many services, such as applying a company login code to web pages (so
that staff log in only once to company computers, and then are automatically logged into the company intranet).
LDAP is based on a simpler subset of the standards contained within the X.500 standard. Because of this relationship, LDAP is sometimes called X.500-lite.
A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA), by default on TCP and UDP port 389, or on port 636 for LDAPS. Global
Catalog is available by default on ports 3268, and 3269 for LDAPS. The client then sends an operation request to the server, and the server sends responses in return.
The client may request the following operations:
StartTLS — use the LDAPv3 Transport Layer Security (TLS) extension for a secure connection

Incorrect Answers:
A: Kerberos is a computer network authentication protocol which works on the basis of ‘tickets’ to allow nodes communicating over a non-secure network to prove their identity to one
another in a secure manner. Its designers aimed it primarily at a client–server model and it provides mutual authentication—both the user and the server verify each other’s identity.
Kerberos protocol messages are protected against eavesdropping and replay attacks. Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally
may use public-key cryptography during certain phases of authentication. Kerberos uses UDP port 88 by default. Kerberos is not based on a previous X.500 specification as is LDAP.
B: Terminal Access Controller Access-Control System (TACACS) refers to a family of related protocols handling remote authentication and related services for networked access
control through a centralized server. The original TACACS protocol, which dates back to 1984, was used for communicating with an authentication server, common in older UNIX
networks. TACACS+ and RADIUS have generally replaced TACACS and XTACACS in more recently built or updated networks. TACACS+ is an entirely new protocol and is not
compatible with its predecessors, TACACS and XTACACS. TACACS+ uses TCP (while RADIUS operates over UDP). Since TACACS+ uses the authentication, authorization, and
accounting (AAA) architecture, these separate components of the protocol can be segregated and handled on separate servers. TACACS+ is not based on a previous X.500
specification as is LDAP.
C: Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users
who connect and use a network service. Because of the broad support and the ubiquitous nature of the RADIUS protocol, it is often used by ISPs and enterprises to manage access to
the Internet or internal networks, wireless networks, and integrated e-mail services. RADIUS is not based on a previous X.500 specification as is LDAP.

References:
http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
http://en.wikipedia.org/wiki/Kerberos_%28protocol%29
http://en.wikipedia.org/wiki/TACACS
http://en.wikipedia.org/wiki/RADIUS

CompTIA Security Plus Mock Test Q614

During a routine audit a web server is flagged for allowing the use of weak ciphers. Which of the following should be disabled to mitigate this risk? (Select TWO).

A. SSL 1.0
B. RC4
C. SSL 3.0
D. AES
E. DES
F. TLS 1.0


Correct Answer: A,E
Section: Threats and Vulnerabilities

Explanation:
TLS 1.0 and SSL 1.0 both have known vulnerabilities and have been replaced by later versions. Any systems running these ciphers should have them disabled.
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network.
They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. This allows for data/message confidentiality, and message authentication codes for message integrity and, as a byproduct, message authentication.
Netscape developed the original SSL protocol. Version 1.0 was never publicly released because of serious security flaws in the protocol; version 2.0, released in February 1995, “contained a number of security flaws which ultimately led to the design of SSL version 3.0”.
TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0. As stated in the RFC, “the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0”. TLS 1.0 does include a means by which a TLS implementation can downgrade the connection to SSL 3.0, thus weakening security. TLS 1.1 and then TLS 1.2 were created to replace TLS 1.0.
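An added example, not from the study guide, of acting on an audit finding like the one in this question using Python's standard ssl module: a hardened server context that refuses every protocol version below TLS 1.2 and excludes the RC4 and DES/3DES suite families, plus a small check that lists any weak suites still enabled. The hardening profile, the OpenSSL cipher string and the list of "weak" name markers are assumptions, not a CompTIA or vendor baseline; which suites a permissive context allows depends on the local OpenSSL build.

```python
import ssl

# Cipher-suite name fragments an audit like the one in the question would flag (assumed list).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "RC2")

def weak_suites(ctx: ssl.SSLContext) -> list:
    """Return the names of enabled cipher suites that contain a weak algorithm."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"].upper() for m in WEAK_MARKERS)]

def hardened_server_context() -> ssl.SSLContext:
    # Constructed hardening profile: no SSL 3.0 / TLS 1.0 / TLS 1.1, no weak suites.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # floor; older versions are refused
    # OpenSSL cipher-list syntax: keep HIGH-strength suites, strip the weak families.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!RC4:!DES:!3DES:!MD5:!EXPORT")
    return ctx

def permissive_server_context() -> ssl.SSLContext:
    # Comparison baseline: whatever this OpenSSL build allows by default.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

def audit(ctx: ssl.SSLContext) -> dict:
    # What a configuration review would record for a context.
    return {"min_version": ctx.minimum_version.name,
            "suite_count": len(ctx.get_ciphers()),
            "weak_suites": weak_suites(ctx)}

if __name__ == "__main__":
    print("default :", audit(permissive_server_context()))
    print("hardened:", audit(hardened_server_context()))
```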

Incorrect Answers:
B: In cryptography, RC4 is the most widely used software stream cipher and is used in popular Internet protocols such as Transport Layer Security (TLS). Whilst some argue that RC4 does have a weakness, it is still commonly used today. SSL 1.0 and TLS 1.0 are considered to be weaker ciphers.
C: Although TLS 1.2 has been created to replace SSL 3.0, SSL 3.0 is still commonly used today. SSL 1.0 and TLS 1.0 are considered to be weaker ciphers.
D: AES (Advanced Encryption Standard) has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES) which was published in 1977. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. AES is not considered to be a weak cipher.
F: In cryptography, Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. Although DES has been superseded by 3DES and AES, DES is still used today. SSL 1.0 and TLS 1.0 are considered to be weaker ciphers.

References:
http://en.wikipedia.org/wiki/Transport_Layer_Security
http://en.wikipedia.org/wiki/Triple_DES