Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. Which of the following allows Pete, a security technician, to provide the MOST secure wireless implementation?
A. Implement WPA
B. Disable SSID
C. Adjust antenna placement
D. Implement WEP
Answer: A
Explanation: Of the options supplied, WiFi Protected Access (WPA) is the most secure and is the replacement for WEP.
Q2. An administrator has successfully implemented SSL on srv4.comptia.com using wildcard certificate *.comptia.com, and now wishes to implement SSL on srv5.comptia.com. Which of the following files should be copied from srv4 to accomplish this?
A. certificate, private key, and intermediate certificate chain
B. certificate, intermediate certificate chain, and root certificate
C. certificate, root certificate, and certificate signing request
D. certificate, public key, and certificate signing request
Answer: A
Explanation:
a wildcard certificate is a public key certificate which can be used with multiple subdomains of a domain. In public-key cryptography, the receiver has a private key known only to them; a public key corresponds to it, which they make known to others. The public key can be sent to all other parties; the private key is never divulged. A symmetric algorithm requires that receivers of the message use the same private key. Thus you should copy the certificate, the private key and the intermediate certificate chain from srv4 to srv5.
Q3. Which of the following is a way to implement a technical control to mitigate data loss in case of a mobile device theft?
A. Disk encryption
B. Encryption policy
C. Solid state drive
D. Mobile device policy
Answer: A
Explanation:
Disk and device encryption encrypts the data on the device. This feature ensures that the data on the device cannot be accessed in a useable form should the device be stolen.
Q4. Which of the following practices is used to mitigate a known security vulnerability?
A. Application fuzzing
B. Patch management
C. Password cracking
D. Auditing security logs
Answer: B
Explanation:
Patch management is the process of maintaining the latest source code for applications and operating systems by applying the latest vendor updates. This helps protect a systems from new attacks and vulnerabilities that have recently become known.
Q5. A security administrator has implemented a policy to prevent data loss. Which of the following is the BEST method of enforcement?
A. Internet networks can be accessed via personally-owned computers.
B. Data can only be stored on local workstations.
C. Wi-Fi networks should use WEP encryption by default.
D. Only USB devices supporting encryption are to be used.
Answer: D
Explanation:
The concern for preventing data loss is the concern for maintaining data confidentiality. This can
be accomplished through encryption, access controls, and steganography.
USB encryption is usually provided by the vendor of the USB device. It is not included on all USB
devices.
Q6. A network administrator is looking for a way to automatically update company browsers so they import a list of root certificates from an online source. This online source will then be responsible for tracking which certificates are to be trusted or not trusted. Which of the following BEST describes the service that should be implemented to meet these requirements?
A. Trust model
B. Key escrow
C. OCSP
D. PKI
Answer: A
Explanation:
In this scenario we can put a CA in the local network and use an online CA as root CA in a hierarchical trust model. A trust Model is collection of rules that informs application on how to decide the legitimacy of a Digital Certificate. In a hierarchical trust model, also known as a tree, a root CA at the top provides all of the information. The intermediate CAs are next in the hierarchy, and they trust only information provided by the root CA. The root CA also trusts intermediate CAs that are in their level in the hierarchy and none that aren’t. This arrangement allows a high level of control at all levels of the hierarchical tree.
Q7. Which of the following is true about input validation in a client-server architecture, when data integrity is critical to the organization?
A. It should be enforced on the client side only.
B. It must be protected by SSL encryption.
C. It must rely on the user’s knowledge of the application.
D. It should be performed on the server side.
Answer: D
Explanation:
Client-side validation should only be used to improve user experience, never for security purposes. A client-side input validation check can improve application performance by catching malformed input on the client and, therefore, saving a roundtrip to the server. However, client side validation can be easily bypassed and should never be used for security purposes. Always use server-side validation to protect your application from malicious attacks.
Q8. A malicious person gained access to a datacenter by ripping the proximity badge reader off the wall near the datacenter entrance. This caused the electronic locks on the datacenter door to release because the:
A. badge reader was improperly installed.
B. system was designed to fail open for life-safety.
C. system was installed in a fail closed configuration.
D. system used magnetic locks and the locks became demagnetized.
Answer: B
Explanation:
It describes a design the lock to fail open for life safety, causing the door to stay open when power is lost – in this case the proximity badge reader was ripped off the wall.
Q9. A system administrator wants to confidentially send a user name and password list to an individual outside the company without the information being detected by security controls. Which of the following would BEST meet this security goal?
A. Digital signatures
B. Hashing
C. Full-disk encryption
D. Steganography
Answer: D
Explanation:
Q10. Establishing a published chart of roles, responsibilities, and chain of command to be used during a disaster is an example of which of the following?
A. Fault tolerance
B. Succession planning
C. Business continuity testing
D. Recovery point objectives
Answer: B
Explanation:
Succession planning outlines those internal to the organization that has the ability to step into positions when they open. By identifying key roles that cannot be left unfilled and associating internal employees who can step into these roles, you can groom those employees to make sure that they are up to speed when it comes time for them to fill those positions.
Q11. Joe, the information security manager, is tasked with calculating risk and selecting controls to protect a new system. He has identified people, environmental conditions, and events that could affect the new system. Which of the following does he need to estimate NEXT in order to complete his risk calculations?
A. Vulnerabilities
B. Risk
C. Likelihood
D. Threats
Answer: A
Explanation:
Q12. Which of the following allows a network administrator to implement an access control policy based on individual user characteristics and NOT on job function?
A. Attributes based
B. Implicit deny
C. Role based
D. Rule based
Answer: A
Explanation:
Attribute-based access control allows access rights to be granted to users via policies, which combine attributes together. The policies can make use of any type of attributes, which includes user attributes, resource attributes and environment attributes.
Q13. A bank has a fleet of aging payment terminals used by merchants for transactional processing. The terminals currently support single DES but require an upgrade in order to be compliant with security standards. Which of the following is likely to be the simplest upgrade to the aging terminals which will improve in-transit protection of transactional data?
A. AES
B. 3DES
C. RC4
D. WPA2
Answer: B
Explanation:
3DES (Triple DES) is based on DES.
In cryptography, Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. The electronic payment industry uses Triple DES and continues to develop and promulgate standards based upon it (e.g. EMV). Microsoft OneNote, Microsoft Outlook 2007, and Microsoft System Center Configuration Manager 2012, use Triple DES to password protect user content and system data.
Q14. A software firm posts patches and updates to a publicly accessible FTP site. The software firm also posts digitally signed checksums of all patches and updates. The firm does this to address:
A. Integrity of downloaded software.
B. Availability of the FTP site.
C. Confidentiality of downloaded software.
D. Integrity of the server logs.
Answer: A
Explanation:
Digital Signatures is used to validate the integrity of the message and the sender. In this case the software firm that posted the patches and updates digitally signed the checksums of all patches and updates.
Q15. The marketing department wants to distribute pens with embedded USB drives to clients. In the past this client has been victimized by social engineering attacks which led to a loss of sensitive data. The security administrator advises the marketing department not to distribute the USB pens due to which of the following?
A. The risks associated with the large capacity of USB drives and their concealable nature
B. The security costs associated with securing the USB drives over time
C. The cost associated with distributing a large volume of the USB pens
D. The security risks associated with combining USB drives and cell phones on a network
Answer: A
Explanation:
USB drive and other USB devices represent a security risk as they can be used to either bring malicious code into a secure system or to copy and remove sensitive data out of the system.