CompTIA Security Plus Mock Test Q1456

A website is breached, exposing the usernames and MD5 password hashes of its entire user base. Many of these passwords are later cracked using rainbow tables. Which of the following actions could have helped prevent the use of rainbow tables on the password hashes?

A. Use salting when computing MD5 hashes of the user passwords
B. Use SHA as a hashing algorithm instead of MD5
C. Require SSL for all user logins to secure the password hashes in transit
D. Prevent users from using a dictionary word in their password

Correct Answer: B
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1205

Ann, a network administrator, has been tasked with strengthening the authentication of users logging into systems in an area containing sensitive information. Users log in with usernames and passwords, followed by a retinal scan. Which of the following could she implement to add an additional factor of authorization?

A. Requiring PII usage
B. Fingerprint scanner
C. Magnetic swipe cards
D. Complex passphrases

Correct Answer: B
Section: Mixed Questions

CompTIA Security Plus Mock Test Q848

A Human Resources user is issued a virtual desktop typically assigned to Accounting employees. A system administrator wants to disable certain services and remove the local accounting groups installed by default on this virtual machine. The system administrator is adhering to which of the following security best practices?

A. Black listing applications
B. Operating System hardening
C. Mandatory Access Control
D. Patch Management


Correct Answer: B
Section: Application, Data and Host Security

Explanation:
Operating System hardening is the process of securing the operating system by reducing its surface of vulnerability. Reducing the surface of vulnerability typically includes removing unnecessary functions and features, removing unnecessary usernames or logins and disabling unnecessary services.

Incorrect Answers:
A: Blacklisting applications is a security stance that allows all applications to run on a system except those exceptions that are explicitly denied. It is the opposite of whitelisting, in which all applications are denied except those that are explicitly allowed to run.
C: Mandatory Access Control (MAC) is a form of access control that specifies levels of access based on the sensitivity of the object being accessed. It uses sensitivity labels, security domains, or classifications. It defines specific security domains or sensitivity levels and uses the associated labels from those security domains to impose access control on objects and subjects.
D: Patch management is the process of maintaining the latest source code for applications and operating systems. This helps protect systems from known attacks and vulnerabilities, but not from unknown vulnerabilities.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 215-217, 220, 221, 236
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 231-232, 240, 278-279
http://www.techopedia.com/definition/24833/hardening

CompTIA Security Plus Mock Test Q775

A company has purchased an application that integrates into their enterprise user directory for account authentication. Users are still prompted to type in their usernames and passwords. Which of the following types of authentication is being utilized here?

A. Separation of duties
B. Least privilege
C. Same sign-on
D. Single sign-on


Correct Answer: C
Section: Application, Data and Host Security

Explanation:
Same sign-on requires the users to re-enter their credentials but it allows them to use the same credentials that they use to sign on locally.

Incorrect Answers:
A: Separation of duties is the division of administrative tasks and their assignment to different administrators. This ensures that no one user has complete access or power over an entire network, server, or system. This is not an authentication system.
B: The principle of least privilege is used to ensure that users are only provided with the minimum privileges and permissions that allow them to perform their duties. This is not an authentication system.
D: Single sign-on does not require users to re-enter their credentials once they have logged on locally.

References:
http://blogs.technet.com/b/jeff_stokes/archive/2013/07/08/today-s-cloud-tip-same-sign-on-vs-single-sign-on.aspx
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 149-150, 153
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 82, 289

CompTIA Security Plus Mock Test Q753

Which of the following describes the process of removing unnecessary accounts and services from an application to reduce risk exposure?

A. Error and exception handling
B. Application hardening
C. Application patch management
D. Cross-site script prevention


Correct Answer: B
Section: Application, Data and Host Security

Explanation:
Hardening is the process of securing a system by reducing its surface of vulnerability. Reducing the surface of vulnerability typically includes removing unnecessary functions and features, removing unnecessary usernames or logins and disabling unnecessary services.

Incorrect Answers:
A: Error handling is an aspect of secure coding. When errors occur, the system should revert to a secure state. This must be coded into the system, and should include error and exception handling.
C: Patch management is the process of maintaining the latest source code for applications and operating systems. This helps protect systems from newly discovered attacks and vulnerabilities.
D: Cross-site scripting (XSS) is a form of malicious code-injection attack on a web server in which an attacker injects code into the content sent to website visitors. XSS can be mitigated by implementing patch management on the web server, using firewalls, and auditing for suspicious activity.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 215-217, 220
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 231-232

CompTIA Security Plus Mock Test Q751

The process of making certain that an entity (operating system, application, etc.) is as secure as it can be is known as:

A. Stabilizing
B. Reinforcing
C. Hardening
D. Toughening


Correct Answer: C
Section: Application, Data and Host Security

Explanation:
Hardening is the process of securing a system by reducing its surface of vulnerability. Reducing the surface of vulnerability typically includes removing unnecessary functions and features, removing unnecessary usernames or logins and disabling unnecessary services.

Incorrect Answers:
A, B, D: The correct term for making a system as secure as possible is hardening, not stabilizing, reinforcing, or toughening.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 215-217

CompTIA Security Plus Mock Test Q155

Which of the following would satisfy wireless network implementation requirements to use mutual authentication and usernames and passwords?

A. EAP-MD5
B. WEP
C. PEAP-MSCHAPv2
D. EAP-TLS

Correct Answer: C
Section: Network Security

Explanation:
PEAP-MS-CHAP v2 is easier to deploy than EAP-TLS or PEAP-TLS because user authentication is accomplished via password-based credentials (user name and password) rather than digital certificates or smart cards.

Incorrect Answers:
A: MD5 has been employed in a wide selection of cryptographic applications, and is also commonly used to verify data integrity. EAP-MD5 authenticates only the client to the network, not the network to the client, so it does not provide the mutual authentication required here.
B: Usernames and passwords are not required for WEP authentication.
D: Authenticated wireless access design based on Extensible Authentication Protocol – Transport Level Security (EAP-TLS) can use either smart cards or user and computer certificates to authenticate wireless access clients. EAP-TLS does not use usernames and passwords for authentication.

References:
https://technet.microsoft.com/en-us/library/dd348500(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/dd348478(v=ws.10).aspx
http://en.wikipedia.org/wiki/MD5