CompTIA Security+ Certification (SY0-501): Practice Tests

Which of the following describes an alternate processing site that is instantly available in the event of a disaster?

Options are :

  • Warm site
  • Cold site
  • Reciprocal site
  • Hot site (Correct)

Answer : Hot site

Explanation : A hot site is an alternate processing site that can function almost immediately after a disaster and has equipment and data prepositioned, as well as full utilities. Cold sites have only space and utilities available and take longer to activate. Warm sites have space, utilities, and possibly some equipment and furniture, but still need equipment, personnel, and data transferred, so they cannot be activated instantly. Reciprocal sites are alternate locations provided by and in agreement with another organization and are typically co-located with that organization.

Which of the following is the best way to prevent cross-site scripting attacks?

Options are :

  • Require certificate-based authentication for web site access
  • Restrict CGI script execution
  • Validate the input into a web site for illegal characters in a particular field (Correct)
  • Block ports 443 and 80 on the firewall

Answer : Validate the input into a web site for illegal characters in a particular field

Explanation : Validating the input into a web site form for illegal characters in a field is the best choice for preventing cross-site scripting (XSS) attacks. Blocking ports 443 and 80 will make the site unusable, as these are the typical ports used to access web sites. Requiring certificate-based authentication will not prevent cross-site scripting attacks and is an unnecessary measure. CGI is not a method used for cross-site scripting attacks.

The network administrator for your office has configured the company web site for SSL by applying a certificate to the site. What port will you need to open on the firewall to allow communication to the site?

Options are :

  • 80
  • 443 (Correct)
  • 22
  • 53

Answer : 443

Explanation : TCP port 443 must be opened on the firewall to allow SSL traffic to pass. None of these ports are used by SSL.

Which authentication technology makes use of a key distribution center composed of an authentication server and a ticket-granting service?

Options are :

  • RADIUS
  • Single sign-on
  • Sesame
  • Kerberos (Correct)

Answer : Kerberos

Explanation : Kerberos uses a key distribution center (KDC), which consists of an authentication server and a ticket-granting service. None of these choices is associated with these terms.

Which of the following simple command-line tools would be used from the host to determine what open ports a host is listening on?

Options are :

  • ifconfig
  • ping
  • netstat (Correct)
  • nbtstat

Answer : netstat

Explanation : netstat is a tool found on both Unix/Linux and Windows hosts that can give network statistics and connection information, including port usage. This would help determine if a host is listening on an unexpected or unwanted port. None of the other choices give information on open ports. nbtstat is a command found only on Windows hosts and gives NetBIOS usage information. Ping is found on both Unix/Linux and Windows hosts but only sends simple ICMP requests to a host. ifconfig is found only on Unix and Linux hosts and only gives network interface configuration information.

A common attack on databases through a web-based form is called:

Options are :

  • Cross-site scripting
  • SQL injection (Correct)
  • Directory traversal
  • XML injection

Answer : SQL injection

Explanation : SQL injection is a common attack on databases through a web-based form, where the attacker injects SQL commands into the form input. Cross-site scripting allows client-side scripts to be run on a web site. XML injection is an attack that injects faulty or malicious XML code into an XML statement. Directory traversal is the ability to search a web server's directories and files.

What is the security term for disabling unnecessary services on a system and uninstalling unnecessary software?

Options are :

  • System hardening (Correct)
  • Application restriction
  • System reduction
  • Network hardening

Answer : System hardening

Explanation : System hardening involves disabling unnecessary services and protocols on a host, as well as uninstalling software that is not needed. System reduction, network hardening, and application restriction are incorrect. These are nonexistent terms used as distractors.

Which of the following devices is intentionally left nonsecure, with the hopes of luring a hacker away from the network and observing them?

Options are :

  • IPS
  • Honeypot (Correct)
  • IDS
  • Bastion host

Answer : Honeypot

Explanation : A honeypot is a host that has been left with some vulnerabilities open to lure a hacker away from attacking the network and to observe his or her attack methods. A bastion host is a secure host outside the network. An intrusion detection system (IDS) is used to detect network attacks. An intrusion prevention system (IPS) is used to detect attacks and attempt to prevent them by rerouting traffic, blocking ports, etc.

You are troubleshooting a communication problem with an application that sends data to a remote system. What tool can you use to view the traffic being sent on the network by the application?

Options are :

  • Frequency analyzer
  • Spectrum analyzer
  • Switch monitor
  • Protocol analyzer (Correct)

Answer : Protocol analyzer

Explanation : In order to view network traffic, it must be sniffed or captured using a protocol analyzer (sometimes called a sniffer). These devices cannot be used to capture and view network traffic.

The hacker has managed to modify the cache on the system that stores the IP address and corresponding MAC address with inappropriate entries. What type of attack has occurred?

Options are :

  • DHCP poisoning
  • VLAN poisoning
  • ARP poisoning (Correct)
  • DNS poisoning

Answer : ARP poisoning

Explanation : ARP poisoning involves introducing false entries into the host's ARP cache, essentially spoofing MAC addresses. DNS poisoning involves introducing false entries into a DNS server's cache or its zone files. DHCP and VLAN poisoning are invalid answers.

Which of the following files might the hacker modify in order to redirect a user to the wrong web site?

Options are :

  • hosts (Correct)
  • services
  • ARP cache
  • lmhosts

Answer : hosts

Explanation : The hosts file on a local machine provides for fully qualified domain name (FQDN) resolution in the absence of DNS and can be used to redirect users to the wrong web site. The lmhosts file is a Windows-specific file that maps computer names to IP addresses. The services file lists well-known services, such as HTTP and FTP. The ARP cache contains recently resolved local network IP addresses to MAC addresses.

Which of the following terms is most accurately defined by the amount of time a business can survive without a particular function?

Options are :

  • Maximum tolerable downtime (MTD) (Correct)
  • Recovery time objective (RTO)
  • Mean time between failures (MTBF)
  • Recovery point objective (RPO)

Answer : Maximum tolerable downtime (MTD)

Explanation : The maximum tolerable downtime (MTD) indicates how long an asset may be down or offline without seriously impacting the organization. The mean time between failures is an estimate of how long a piece of equipment will perform before failure. The recovery point objective and recovery time objective refer to how much data may be lost during a failure or disaster and the maximum amount of time it must take to recover the system or data, respectively, before the organization is seriously impacted.

All of the following are types of penetration testing EXCEPT:

Options are :

  • Black box
  • Blue box (Correct)
  • Gray box
  • White box

Answer : Blue box

Explanation : Blue box testing is not a type of penetration testing. Black box testing involves a penetration test where the test team has no knowledge of the network. In gray box testing, the tester may have some knowledge given to them, such as an infrastructure diagram or IP address list. In a white box test, the test team has full and detailed knowledge of the network, its design, functions, and applications.

Which of the following application attacks allows attackers to inject client-side script into web pages viewed by other users?

Options are :

  • SQL injection
  • Cross-site scripting (Correct)
  • Buffer overflow
  • XML injection

Answer : Cross-site scripting

Explanation : Cross-site scripting (XSS) enables attackers to inject client-side scripts into web pages viewed by others. XML injection occurs when malicious XML code is inserted into an XML statement. SQL injection involves inserting faulty SQL input commands into a site that connects to a database, producing unintended results or returning privileged information. A buffer overflow takes advantage of programming flaws that occur when data overwrites a program's allocated memory address and enables arbitrary code to be executed in that address.

Which type of intrusion detection system identifies suspicious activity by monitoring log files on the system?

Options are :

  • HIDS (Correct)
  • ACL
  • NIDS
  • NIPS

Answer : HIDS

Explanation : A host-based intrusion detection system (HIDS) monitors local system activity and logs for indications of an attack. A NIDS is a network-based intrusion detection system and does not monitor host log files. A NIPS is a network-based intrusion prevention system and works on the network instead of the host. An ACL is an access control list and is used to allow or deny traffic through a router or grant/deny permissions to resources.

Which of the following best describes a minimum password age setting?

Options are :

  • Users must change passwords after a certain amount of time.
  • Passwords cannot be reused until they have been expired a certain amount of time.
  • Users must wait a certain amount of time before they are allowed to change passwords. (Correct)
  • Users must not change passwords until a certain date.

Answer : Users must wait a certain amount of time before they are allowed to change passwords.

Explanation : A minimum password age requires that users must wait a certain amount of time before they are allowed to change passwords. A maximum password age setting requires that users must change passwords after a certain amount of time. Passwords are typically good only for a certain amount of time, not through a certain date. Passwords typically cannot be reused until a certain number of password changes have occurred, preventing the use of the last specified number of passwords.

Which of the following techniques involves sending unexpected or invalid data to an application to determine vulnerabilities?

Options are :

  • Scanning
  • Spoofing
  • Cracking
  • Fuzzing (Correct)

Answer : Fuzzing

Explanation : Fuzzing is an application vulnerability testing technique that sends invalid or unexpected data to the application, with the intent to see if any security vulnerabilities exist. Cracking typically involves passwords, not applications. Scanning usually means network port or service scanning. Spoofing means to masquerade as another entity, usually by spoofing an IP address, MAC address, or user.

Which of the following protocols is a more secure version of the SSL protocol?

Options are :

  • SSH
  • AES
  • TLS (Correct)
  • RSA

Answer : TLS

Explanation : Transport Layer Security (TLS) is considered a strong replacement for SSL. SSH is a secure replacement for Telnet and other nonsecure protocols. AES is a symmetric algorithm that replaces DES. RSA is an asymmetric algorithm used in public key cryptography.

All of the following are considered secure password creation practices EXCEPT:

Options are :

  • Passwords must not use common dictionary-based words.
  • Passwords must be of sufficient length.
  • Passwords must include the userid. (Correct)
  • Passwords must use a mixture of uppercase, lowercase, numbers, and special characters.

Answer : Passwords must include the userid.

Explanation : Passwords should not be created that include the user's userid. All of these practices contribute to a secure password.

What is the term used when two different pieces of data generate the same hash value?

Options are :

  • Interference
  • Collision (Correct)
  • Crossover error
  • Disruption

Answer : Collision

Explanation : A collision occurs when two pieces of plaintext are hashed and produce identical hashes. A crossover error is a reference to biometric authentication factors. Interference refers to wireless networks, and disruption is an invalid term in this context.

When performing an investigation on a mobile device, you would like to ensure that you shield the device from sending or receiving signals. What would you use?

Options are :

  • Protocol analyzer
  • Signal reducer
  • Spectrum analyzer
  • Faraday cage (Correct)

Answer : Faraday cage

Explanation : A Faraday cage can be used to shield devices from sending or receiving electronic signals. A protocol analyzer is used to capture and view network traffic. A spectrum analyzer is used for site surveys when designing wireless networks. A signal reducer is not a device used in this context.

You are performing a site survey of a company location and notice that one of the wireless access points is on top of a bookshelf that is located by the outer wall of the building. What is the security concern?

Options are :

  • Wireless network access by persons outside the building (Correct)
  • Interference
  • Signal degradation
  • Damage due to falling

Answer : Wireless network access by persons outside the building

Explanation : Because of the placement near the outer wall, the wireless access point's signals could be detected outside the building and could allow an unauthorized user to eavesdrop on or use the connection. Damage due to falling is a concern, but not the most immediate security concern. Interference could happen only if other wireless devices are nearby that transmit on frequencies close to the one that the access point uses. This is a performance concern, but not typically a security concern unless it is malicious in nature and seeks to cause a denial-of-service condition. Signal degradation for the rest of the facility would not be caused by the placement of the access point next to the outer wall.

Which of the following wireless attacks specifically attempts to take control of or use Bluetooth-enabled cell phones to make unauthorized calls?

Options are :

  • Bluesniffing
  • Bluejacking
  • Bluesnarfing
  • Bluebugging (Correct)

Answer : Bluebugging

Explanation : Bluebugging, the most serious of the various Bluetooth attacks, involves an attacker attempting to take control of or use a Bluetooth-enabled cell phone to place calls. Bluejacking is the act of sending unsolicited messages or files to a Bluetooth device. Bluesnarfing is a more serious attack than Bluejacking and involves unauthorized access to information on a Bluetooth-enabled device. Bluesniffing is a false, nonexistent term.

Which of the following networking technologies provides for local area network segregation using switches?

Options are :

  • VPN
  • VLAN (Correct)
  • Virtualization
  • RADIUS

Answer : VLAN

Explanation : VLANs (virtual LANs) provide for local area network segmentation and separation and are implemented on switches. RADIUS is a remote access authentication technology. Virtualization refers to the creation and management of virtual hosts running in a virtualized environment. VPN is a secure remote access technology.

Which of the following is used to identify certificates that are no longer valid for use?

Options are :

  • CAL
  • CRL (Correct)
  • CA
  • PKS

Answer : CRL

Explanation : The certificate revocation list (CRL) is used to identify invalid certificates. A CAL is a client access license. PKS is a cryptographic file standard, and a CA is a certificate authority, which issues certificates.

Which of the following attacks seeks to introduce erroneous or malicious entries into a server's hostname-to-IP address cache or zone file?

Options are :

  • DNS poisoning (Correct)
  • Session hijacking
  • ARP poisoning
  • DHCP poisoning

Answer : DNS poisoning

Explanation : DNS poisoning involves introducing false entries into a DNS server's zone file, or a server's hostname-to-IP address cache, both with the intent of misdirecting a DNS resolution request to a different server or site. ARP poisoning involves introducing false entries into a host's ARP cache, which maps MAC addresses to IP addresses. DHCP poisoning is a false term, although there are several known DHCP network attacks. Session hijacking involves intercepting and taking over an in-progress communications session between two hosts.

When a user types his or her username into a logon screen, this is known as ___________?

Options are :

  • Authorization
  • Impersonation
  • Identification (Correct)
  • Authentication

Answer : Identification

Explanation : Identification is the first step in the process and involves the user presenting his or her credentials to the server. Authentication occurs after identification and involves the user's credentials being authenticated by the server. Authorization refers to granting an authenticated user the correct access to an object. Impersonation is an invalid term in this context.

Which of the following algorithms is the stronger hashing algorithm?

Options are :

  • AES-256
  • MD5
  • SHA-1 (Correct)
  • 3DES

Answer : SHA-1

Explanation : SHA-1 (secure hashing algorithm) generates a 160-bit hash. MD5 is a hashing algorithm that generates a 128-bit hash, which is weaker than SHA-1. 3DES and AES-256 are symmetric encryption algorithms, not hashing algorithms.

Which of the following protocols is considered a secure replacement for Telnet?

Options are :

  • SSL
  • TLS
  • RLOGIN
  • SSH (Correct)

Answer : SSH

Explanation : Secure Shell (SSH) is considered a secure replacement for Telnet. TLS and SSL are secure session protocols used in HTTPS traffic. RLOGIN is an older, nonsecure protocol.

Bob logs on to the network and receives a message indicating that patches are not up to date and that he cannot be granted access to the network until patches are updated. What network feature is responsible for the message?

Options are :

  • TPM
  • NAT
  • NAC (Correct)
  • VPN

Answer : NAC

Explanation : Network access control (NAC) can be used to prevent hosts from connecting to the network unless they meet certain security requirements, such as patch level, up-to-date antivirus signatures, and so forth. None of these other technologies are concerned with enforcing host security requirements prior to connecting to the network.

Your manager has read a lot about server virtualization and is wondering if there are any security benefits to using server virtualization. How would you respond?

Options are :

  • Fewer systems to physically secure (Correct)
  • More work required to harden systems
  • Larger hardware footprint
  • Decentralized server security

Answer : Fewer systems to physically secure

Explanation : Virtualization results in fewer physical systems (and less hardware) that must be secured. None of the other choices offer any benefits, security or otherwise, of virtualization.

You are troubleshooting a communication issue on the network. Which of the following protocols is responsible for converting the IP address to a MAC address?

Options are :

  • DNS
  • ARP (Correct)
  • RARP
  • DHCP

Answer : ARP

Explanation : Address Resolution Protocol (ARP) resolves IP addresses to MAC addresses. RARP, the Reverse Address Resolution Protocol, resolves MAC addresses to IP addresses, the exact opposite of ARP. DNS, the Domain Name System, resolves fully qualified domain names (FQDN) to IP addresses. DHCP, the Dynamic Host Configuration Protocol, dynamically issues IP addressing information to hosts.

Jeff is a user on the network and needs to be able to change the system time. Instead of adding Jeff to the Administrators group, you give Jeff the "Change the system time" right. What security principle are you following in this example?

Options are :

  • Role-based access control
  • Separation of duties
  • Discretionary access control
  • Least privilege (Correct)

Answer : Least privilege

Explanation : The principle of least privilege allows users to have only the privileges necessary to perform their duties and no more. Separation of duties requires critical roles to be split among personnel so no one user has the privileges to commit fraud or to abuse his or her role. Role-based access control and discretionary access control are access control models.

All of the following are security measures used to harden a host EXCEPT:

Options are :

  • Updating antivirus signatures
  • Installing security patches
  • Uninstalling unnecessary applications
  • Opening unused ports (Correct)

Answer : Opening unused ports

Explanation : Opening unused ports would increase the attack surface on a host. Closing unused ports is considered a good hardening practice. All of the other choices are considered good security measures to use when hardening a host.

All of the following are considered elements of a password policy EXCEPT:

Options are :

  • Password history
  • Password aging
  • Password complexity
  • Password sharing (Correct)

Answer : Password sharing

Explanation : Password sharing typically will be in the acceptable use policy (AUP), as a directive to users about what they can and cannot do. Password history, aging, and complexity will all typically be found in a password policy, as technical elements that describe how passwords should be constructed, implemented, and managed by administrators.

Your manager has asked that you perform an assessment of user passwords on the servers but wants to ensure that when you test the passwords you do not lock the user accounts. Which type of password audit should you perform?

Options are :

  • Online password audit
  • Account lockout audit
  • Offline password audit (Correct)
  • White-box penetration test

Answer : Offline password audit

Explanation : If the goal is to prevent user account lockout, then offline password auditing is the correct method. Online auditing would definitely lock out user accounts as soon as the account lockout threshold is reached. An account lockout audit is an invalid type of audit, and a white-box penetration test involves full system or network testing and is incorrect in this context.

Your manager is interested in implementing a strong authentication scheme. Which of the following is considered the strongest authentication?

Options are :

  • Username/password
  • PIN
  • Fingerprint
  • Iris scan (Correct)

Answer : Iris scan

Explanation : Out of the choices given, an iris scan is the strongest method of authentication, as these patterns are very unique to individuals. Of all of the biometric authentication methods, including voiceprint and fingerprints, iris scans are most accurate. Username and password combinations are not considered strong methods of authentication, nor is a PIN by itself. These are all considered single-factor forms of authentication. Fingerprints are not considered as strong a method of biometric authentication as iris scans.

Which of the following keys is used for nonrepudiation?

Options are :

  • Hash
  • Public key
  • Symmetric key
  • Private key (Correct)

Answer : Private key

Explanation : The private key, when used for nonrepudiation, is used to encrypt text that anyone who possesses the public key can decrypt. This assures that only the person owning the private key could have encrypted it, ensuring that he or she is the one who performed the action. Used in this scenario, this does not guarantee confidentiality, but it does provide for nonrepudiation. Symmetric keys and hashes do not provide for nonrepudiation, because they cannot be used to guarantee who sent a message or performed an action. Public keys can be in the possession of anyone and are used in this case to verify that the private key was used to encrypt the text for nonrepudiation.

When users connect to the wireless network, management wants them to receive a message asking them to agree to the terms of use before being granted wireless network access. What network service could be used to perform this goal?

Options are :

  • NAC (Correct)
  • PKI
  • Multifactor authentication
  • Kerberos

Answer : NAC

Explanation : Network access control (NAC) can be used to enforce logon or connection banners that will require users to agree to terms of use before being allowed to connect to the network. None of these other technologies can be used to enforce logon warning banners requiring users to agree to terms of use before being allowed to access the network.

Which of the following describes the best security practice to use when granting users elevated or administrative privileges?

Options are :

  • Users should have a normal user account for routine tasks, and an administrative account for tasks that require higher privileges. (Correct)
  • Administrative privileges should be granted directly to those user accounts that perform administrative-level tasks.
  • Users who perform administrative-level tasks should be given the Domain Administrator user account name and password.
  • Users who require higher privileges should be placed in the Administrators group.

Answer : Users should have a normal user account for routine tasks, and an administrative account for tasks that require higher privileges.

Explanation : Users should have a normal user account for routine tasks, and an administrative account for tasks that require higher privileges. None of these choices are considered to be good security practices. User accounts should not be directly granted administrative privileges, and ordinary user-level accounts should not be placed in the Administrators group. Additionally, no one should be given the Domain Administrator's username and password to use on a routine basis.

You are configuring IPSec on your network and need to allow for security association (SA) traffic to pass through the firewall. Which of the following ports does the Internet Key Exchange (IKE) protocol, which is the protocol responsible for the SA setup within IPSec, use?

Options are :

  • 443
  • 500 (Correct)
  • 8080
  • 22

Answer : 500

Explanation : IKE uses UDP port 500. Port 443 is used by SSL, 22 is used by SSH, and 8080 does not fall into the range of well-known ports (0-1023) but is frequently used by proxy servers and other security devices.

Which of the following choices concerns itself with ensuring that data is not modified or destroyed while in storage or transit?

Options are :

  • Nonrepudiation
  • Confidentiality
  • Availability
  • Integrity (Correct)

Answer : Integrity

Explanation : Integrity is concerned with ensuring that data is not modified. Confidentiality protects information from unauthorized access. Availability provides for information and systems to be online and ready for users at any time. Nonrepudiation means that a user cannot deny that he or she took an action.

A term used to identify an authentication scheme that involves both sides of the communication authenticating is:

Options are :

  • Hashing
  • Nonrepudiation
  • Single sign-on
  • Mutual authentication (Correct)

Answer : Mutual authentication

Explanation : Mutual authentication requires both sides of a communications session to authenticate to each other. Single sign-on (SSO) is a concept that provides for one authentication to be used for multiple resources. Nonrepudiation ensures that a party cannot deny that it took an action. Hashing involves a one-way function that produces a message digest from a piece of text.

Which of the following attacks is NOT typically attempted by a rogue access point on a wireless network?

Options are :

  • Interference
  • Spoofing
  • Brute force (Correct)
  • Evil twin

Answer : Brute force

Explanation : A brute-force attack is typically a password attack. It may be used separately to break wireless passwords but is not unique to wireless attacks. All of these are attack methods that a rogue access point could attempt to engage in, resulting in a denial-of-service condition on the wireless network (as in the case of intentional interference), or by spoofing valid access points to entice an unsuspecting client to connect to it.

Which of the following is the most volatile source of evidence and should be collected first during a computer forensics investigation?

Options are :

  • RAM (Correct)
  • Swap file
  • CD/DVDs
  • Hard disks

Answer : RAM

Explanation : RAM is the most volatile source of information and is easily lost. It must be collected first during a computer forensics investigation. The order of volatility, and order of evidence collection, is RAM, swap file, hard disk, and CD/DVDs.

Which of the following terms refers to the practices of stealing or obtaining a user's personal or account information, typically using voice over IP (VoIP) systems?

Options are :

  • Vishing (Correct)
  • VoIP hijacking
  • Whaling
  • Phishing

Answer : Vishing

Explanation : Vishing (a combination of the terms voice and phishing) refers to social engineering attacks that make use of VoIP systems to spoof phone numbers, hide caller IDs, and so forth, to obtain personal or account information from unsuspecting users. Phishing involves the use of e-mail targeted to users with a malicious web site link embedded in the e-mail. Whaling involves specifically targeting senior-level executives of an organization for social engineering attacks. VoIP hijacking is a nonexistent term in this context.

Which of the following security controls is designed to prevent tailgating?

Options are :

  • Mantrap (Correct)
  • Multifactor authentication
  • Least privilege
  • Separation of duties

Answer : Mantrap

Explanation : A mantrap, an area between two locked doors from which the second door cannot be opened until the first door is locked, is designed to allow only one person at a time to enter a facility, effectively preventing tailgating. Separation of duties and least privilege are two security principles designed to prevent collusion and elevated privileges, respectively. Multifactor authentication is designed to positively identify and authenticate an individual but does not prevent tailgating.

Your company has a salesperson who travels a lot and will be connecting to hotel networks. What security recommendation would you make for her laptop?

Options are :

  • Null password
  • FDE
  • Unencrypted drive
  • Host-based firewall (Correct)

Answer : Host-based firewall

Explanation : A host-based firewall should be used when connecting to untrusted networks, such as one in a hotel. Having an unencrypted drive and null password are not security recommendations. Although full disk encryption (FDE) can help if the laptop is lost or stolen, it will not help you in situations when you are making connections to an unknown and potentially unsecure network. You could potentially be infected with a virus by connecting to an unknown network without having a firewall enabled, or be vulnerable to an attack.

Which of the following security measures helps ensure data protection in the event a mobile device is lost or stolen?

Options are :

  • Remote encryption
  • Remote access
  • Remote wiping (Correct)
  • Remote destruction

Answer : Remote wiping

Explanation : Remote drive or disk wiping is used to ensure data protection and confidentiality on a mobile device in the event it is lost or stolen. Remote destruction and remote encryption are invalid terms in this context. Remote access enables a remote user to authenticate to and access an organization's private network.

A user complains that he or she cannot access sites that use the HTTPS protocol. Which port should be opened on the firewall to allow this traffic?

Options are :

  • 443 (Correct)
  • 22
  • 8080
  • 80

Answer : 443

Explanation : TCP port 443 is used by the HTTPS protocol, which uses SSL as its secure session protocol. Both are associated with port 443. Port 80 is used by HTTP, port 22 by SSH, and port 8080 by some proxy server implementations.

Which of the following statements are correct with regard to the concepts of fail-secure and fail-safe? (Choose two.)

Options are :

  • A fail-secure device responds by making sure the device is using a secure state when a failure occurs. (Correct)
  • A fail-safe device responds by not doing anything to cause harm when the failure occurs. (Correct)
  • A fail-safe device responds by making sure the device is using a secure state when a failure occurs.
  • A fail-secure device responds by not doing anything to cause harm when the failure occurs.

Answer : A fail-secure device responds by making sure the device is using a secure state when a failure occurs. A fail-safe device responds by not doing anything to cause harm when the failure occurs.

Explanation : A fail-safe device responds by not doing anything to cause harm when the failure occurs. A fail-secure device responds by making sure the device is using a secure state when a failure occurs. A is the definition of fail-safe, and B is the definition of fail-secure, not the other way around.
