SY0-401 CompTIA Security+ Certification Practice Exam Set 10

A software company has completed a security assessment. The assessment states that the
company should implement fencing and lighting around the property. Additionally, the assessment
states that production releases of their software should be digitally signed.
Given the recommendations, the company was deficient in which of the following core security
areas? (Choose two.)
A. Fault tolerance
B. Encryption
C. Availability
D. Integrity
E. Safety
F. Confidentiality



Options are :

  • C,D
  • D,E (Correct)
  • A,B
  • B,C

Answer : D,E

While rarely enforced, mandatory vacation policies are effective at uncovering:


Options are :

  • Help desk technicians with oversight by multiple supervisors and detailed quality control systems.
  • Acts of gross negligence on the part of system administrators with unfettered access to system and no oversight. (Correct)
  • Collusion between two employees who perform the same business function.
  • Acts of incompetence by a systems engineer designing complex architectures as a member of a team.

Answer : Acts of gross negligence on the part of system administrators with unfettered access to system and no oversight.

Which of the following can result in significant administrative overhead from incorrect reporting?


Options are :

  • Mandatory vacations
  • Job rotation
  • False positives (Correct)
  • Acceptable usage policies

Answer : False positives

A vulnerability scan is reporting that patches are missing on a server. After a review, it is
determined that the application requiring the patch does not exist on the operating system.
Which of the following describes this cause?


Options are :

  • False negative
  • Application hardening
  • Baseline code review
  • False positive (Correct)

Answer : False positive

Acme Corp has selectively outsourced proprietary business processes to ABC Services. Due to
some technical issues, ABC Services wants to send some of Acme Corp's debug data to a third
party vendor for problem resolution.

Which of the following MUST be considered prior to sending data to a third party?


Options are :

  • This may violate data ownership and non-disclosure agreements (Correct)
  • Acme Corp should send the data to ABC Services' vendor instead
  • This would not constitute unauthorized data sharing
  • The data should be encrypted prior to transport

Answer : This may violate data ownership and non-disclosure agreements

A major security risk with co-mingling of hosts with different security requirements is


Options are :

  • Zombie attacks.
  • Privilege creep.
  • Security policy violations (Correct)
  • Password compromises.

Answer : Security policy violations

A security administrator plans on replacing a critical business application in five years. Recently,
there was a security flaw discovered in the application that will cause the IT department to
manually re-enable user accounts each month at a cost of $2,000. Patching the application today
would cost $140,000 and take two months to implement.

Which of the following should the security administrator do in regards to the application?


Options are :

  • Accept the risk and continue to enable the accounts each month saving money (Correct)
  • Avoid the risk to the user base allowing them to re-enable their own accounts
  • Mitigate the risk by patching the application to increase security and saving money
  • Transfer the risk replacing the application now instead of in five years

Answer : Accept the risk and continue to enable the accounts each month saving money

The Chief Security Officer (CSO) is concerned about misuse of company assets and wishes to
determine who may be responsible.
Which of the following would be the BEST course of action?


Options are :

  • Separate employees into teams led by a person who acts as a single point of contact for observation purposes.
  • Implement a single sign-on application on equipment with sensitive data and high-profile shares.
  • Create a single, shared user account for every system that is audited and logged based upon time of use.
  • Enact a policy that employees must use their vacation time in a staggered schedule. (Correct)

Answer : Enact a policy that employees must use their vacation time in a staggered schedule.

Which of the following is an example of a false negative?


Options are :

  • A user account is locked out after the user mistypes the password too many times.
  • The IDS does not identify a buffer overflow. (Correct)
  • Anti-virus protection interferes with the normal operation of an application.
  • Anti-virus identifies a benign application as malware.

Answer : The IDS does not identify a buffer overflow.

Which of the following technical controls is BEST used to define which applications a user can
install and run on a company issued mobile device?


Options are :

  • Acceptable use policy
  • Authentication
  • Blacklisting
  • Whitelisting (Correct)

Answer : Whitelisting

Which of the following is the primary security concern when deploying a mobile device on a
network?


Options are :

  • Strong authentication
  • Interoperability
  • Data security (Correct)
  • Cloud storage technique

Answer : Data security

Which of the following types of control has a company implemented when it adopts a mandatory
vacation policy?


Options are :

  • Technical control
  • Risk control (Correct)
  • Privacy control
  • Physical control

Answer : Risk control

An administrator wants to minimize the amount of time needed to perform backups during the
week. It is also acceptable to the administrator for restoration to take an extended time frame.
Which of the following strategies would the administrator MOST likely implement?


Options are :

  • Differential backups on the weekend and full backups every day
  • Full backups on the weekend and incremental during the week (Correct)
  • Incremental backups on the weekend and differential backups every day
  • Full backups on the weekend and full backups every day

Answer : Full backups on the weekend and incremental during the week
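The trade-off behind the correct answer (short weekday backup windows in exchange for a longer restore) is easier to see with numbers. The simulation below is an added example, not part of the original exam material: it models one week of backups with a constructed 1000-unit data set and constructed daily change amounts, then compares the weekday backup volume and the restore chain for the incremental and differential strategies. It assumes, for simplicity, that the blocks changed on different days do not overlap, which makes the differential sizes an upper bound.

```python
"""Compare full+incremental against full+differential backup schedules.

Added example for the backup-strategy question above; the data set size and
the per-day change amounts are constructed sample values, not from the page.
"""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Backup:
    day: str
    kind: str   # "full", "incremental" or "differential"
    size: int   # units of data the backup has to write

# Constructed sample: total data set and how much of it changes each weekday.
# Assumption: each day touches different blocks (no overlap between days).
DATA_SIZE = 1000
DAILY_CHANGE: Dict[str, int] = {"Mon": 50, "Tue": 40, "Wed": 60, "Thu": 30, "Fri": 70, "Sat": 20}

def plan(strategy: str) -> List[Backup]:
    """Sunday full backup, then one backup per weekday using `strategy`.

    incremental  = everything changed since the previous backup of any kind
    differential = everything changed since the last full backup
    """
    backups = [Backup("Sun", "full", DATA_SIZE)]
    changed_since_full = 0
    for day, changed in DAILY_CHANGE.items():
        changed_since_full += changed
        if strategy == "incremental":
            backups.append(Backup(day, "incremental", changed))
        elif strategy == "differential":
            backups.append(Backup(day, "differential", changed_since_full))
        else:
            raise ValueError(f"unknown strategy: {strategy}")
    return backups

def weekday_backup_volume(backups: List[Backup]) -> int:
    """Total data written Monday to Saturday (the window the administrator wants short)."""
    return sum(b.size for b in backups if b.kind != "full")

def restore_chain(backups: List[Backup], as_of: str) -> List[Backup]:
    """Backup sets that must be read, in order, to restore to the end of `as_of`.

    Incremental: the full plus every incremental up to that day.
    Differential: the full plus only the latest differential.
    """
    idx = [b.day for b in backups].index(as_of)
    if idx == 0:
        return [backups[0]]
    if backups[idx].kind == "incremental":
        return backups[: idx + 1]
    return [backups[0], backups[idx]]

if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        b = plan(strategy)
        chain = restore_chain(b, "Sat")
        print(f"{strategy:12} weekday volume={weekday_backup_volume(b):4}"
              f"  restore sets for Saturday={len(chain)}"
              f"  data read on restore={sum(x.size for x in chain)}")
```

With these inputs the incremental schedule writes 270 units during the week but needs seven backup sets to restore Saturday's state, while the differential schedule writes 990 units and restores from two sets. That is exactly the trade the question describes: minimal backup time, acceptable extended restore.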

Which of the following is the GREATEST security risk of two or more companies working together
under a Memorandum of Understanding?


Options are :

  • MOUs between two companies working together cannot be held to the same legal standards as SLAs.
  • Budgetary considerations may not have been written into the MOU, leaving an entity to absorb more cost than intended at signing.
  • MOUs are generally loose agreements and therefore may not have strict guidelines in place to protect sensitive data between the two entities. (Correct)
  • MOUs have strict policies in place for services performed between the entities and the penalties for compromising a partner are high.

Answer : MOUs are generally loose agreements and therefore may not have strict guidelines in place to protect sensitive data between the two entities.

A security administrator needs to update the OS on all the switches in the company.
Which of the following MUST be done before any actual switch configuration is performed?


Options are :

  • The request needs to be sent to the change management team.
  • The request needs to be approved through the change management process. (Correct)
  • The request needs to be sent to the incident management team.
  • The request needs to be approved through the incident management process.

Answer : The request needs to be approved through the change management process.

Which of the following types of risk reducing policies also has the added indirect benefit of cross
training employees when implemented?


Options are :

  • Job rotation (Correct)
  • Mandatory vacations
  • Least privilege
  • Separation of duties

Answer : Job rotation

A company is preparing to decommission an offline, non-networked root certificate server. Before
sending the server's drives to be destroyed by a contracted company, the Chief Security Officer
(CSO) wants to be certain that the data will not be accessed.
Which of the following, if implemented, would BEST reassure the CSO? (Choose two.)
A. Disk hashing procedures
B. Full disk encryption
C. Data retention policies
D. Disk wiping procedures
E. Removable media encryption


Options are :

  • B,C
  • A,B
  • B,D (Correct)
  • B,E

Answer : B,D

An IT security manager is asked to provide the total risk to the business.
Which of the following calculations would the security manager choose to determine total risk?


Options are :

  • Threats X vulnerability X control gap
  • (Threats X vulnerability X profit) x asset value
  • (Threats X vulnerability X asset value) x controls gap
  • Threats X vulnerability X asset value (Correct)

Answer : Threats X vulnerability X asset value

Which of the following risk mitigation strategies will allow Ann, a security analyst, to enforce least
privilege principles?


Options are :

  • Risk based controls
  • User rights reviews (Correct)
  • Annual loss expectancy
  • Incident management

Answer : User rights reviews

Which of the following should Pete, a security manager, implement to reduce the risk of
employees working in collusion to embezzle funds from their company?


Options are :

  • Least Privilege
  • Mandatory Vacations (Correct)
  • Acceptable Use
  • Privacy Policy

Answer : Mandatory Vacations

Users can authenticate to a company's web applications using their credentials from a popular
social media site.

Which of the following poses the greatest risk with this integration?


Options are :

  • Password breaches to the social media site affect the company application as well (Correct)
  • Malicious users can exploit local corporate credentials with their social media credentials
  • Data loss from the corporate servers can create legal liabilities with the social media site
  • Changes to passwords on the social media site can be delayed from replicating to the company

Answer : Password breaches to the social media site affect the company application as well

Which of the following defines a business goal for system restoration and acceptable data loss?


Options are :

  • MTBF
  • MTTR
  • Warm site
  • RPO (Correct)

Answer : RPO

Two members of the finance department have access to sensitive information. The company is
concerned they may work together to steal information.
Which of the following controls could be implemented to discover if they are working together?


Options are :

  • Mandatory access control
  • Separation of duties
  • Least privilege access
  • Mandatory vacations (Correct)

Answer : Mandatory vacations

Ann, a security technician, is reviewing the IDS log files. She notices a large number of alerts for
multicast packets from the switches on the network. After investigation, she discovers that this is
normal activity for her network.
Which of the following BEST describes these results?


Options are :

  • True positives
  • True negatives
  • False negatives
  • False positives (Correct)

Answer : False positives
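Several questions on this page turn on the same four outcomes: a true positive (real attack, alert raised), a false positive (benign multicast from the switches, alert raised), a false negative (buffer overflow, no alert) and a true negative. The script below is an added example, not part of the original exam material; it scores a constructed IDS alert log against the analyst's ground truth, reports precision (how much of the alert queue is real, the "administrative overhead" cost of false positives) and recall (how many real attacks were caught), and then shows the effect of tuning out the multicast signature for the known switches. All event data, source addresses and signature names are constructed.

```python
"""Score IDS alerts as TP/FP/FN/TN and show the effect of tuning out a noisy rule.

Added example for the false-positive / false-negative questions on this page;
the events, sources and signature names are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Set

@dataclass(frozen=True)
class Event:
    event_id: str
    source: str
    signature: str    # IDS rule that fired, "" if nothing fired
    alerted: bool     # did the IDS raise an alert?
    malicious: bool   # ground truth after the analyst investigated

# Constructed sample log: normal multicast from switches, one missed overflow,
# one real scan and one real exploit attempt.
SAMPLE_EVENTS: List[Event] = [
    Event("e1", "switch-01", "MULTICAST-IGMP", True, False),
    Event("e2", "switch-02", "MULTICAST-IGMP", True, False),
    Event("e3", "10.0.5.17", "", False, True),            # buffer overflow the IDS did not see
    Event("e4", "10.0.9.42", "PORTSCAN", True, True),
    Event("e5", "10.0.1.8", "", False, False),
    Event("e6", "10.0.9.42", "EXPLOIT-SMB", True, True),
]

def outcome(e: Event) -> str:
    """Place one event in the detection confusion matrix."""
    if e.alerted:
        return "TP" if e.malicious else "FP"
    return "FN" if e.malicious else "TN"

def confusion(events: Iterable[Event]) -> Dict[str, int]:
    counts = Counter(outcome(e) for e in events)
    return {k: counts.get(k, 0) for k in ("TP", "FP", "FN", "TN")}

def precision(c: Dict[str, int]) -> float:
    """Fraction of alerts that were real; low precision means analysts chase noise."""
    denom = c["TP"] + c["FP"]
    return c["TP"] / denom if denom else 0.0

def recall(c: Dict[str, int]) -> float:
    """Fraction of real attacks that produced an alert; low recall means missed intrusions."""
    denom = c["TP"] + c["FN"]
    return c["TP"] / denom if denom else 0.0

def suppress(events: Iterable[Event], signature: str, trusted_sources: Set[str]) -> List[Event]:
    """Tune the IDS: stop alerting on `signature` when it comes from a trusted source.

    Returns the re-scored events. Note the cost of tuning: a suppressed event that
    was actually malicious turns from a true positive into a false negative.
    """
    tuned = []
    for e in events:
        if e.alerted and e.signature == signature and e.source in trusted_sources:
            tuned.append(replace(e, alerted=False))
        else:
            tuned.append(e)
    return tuned

if __name__ == "__main__":
    before = confusion(SAMPLE_EVENTS)
    after = confusion(suppress(SAMPLE_EVENTS, "MULTICAST-IGMP", {"switch-01", "switch-02"}))
    for label, c in (("before tuning", before), ("after tuning ", after)):
        print(f"{label}: {c}  precision={precision(c):.2f}  recall={recall(c):.2f}")
```

Before tuning the sample yields two true positives, two false positives, one false negative and one true negative (precision 0.50, recall 0.67). Suppressing the multicast signature for the two known switches removes both false positives without touching recall, which is the outcome Ann should aim for after confirming the traffic is normal.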

Identifying residual risk is MOST important to which of the following concepts?


Options are :

  • Risk acceptance (Correct)
  • Risk mitigation
  • Risk deterrence
  • Risk avoidance

Answer : Risk acceptance

A company storing data on a secure server wants to ensure it is legally able to dismiss and
prosecute staff who intentionally access the server via Telnet and illegally tamper with customer
data.

Which of the following administrative controls should be implemented to BEST achieve this?


Options are :

  • Restricted interface
  • Warning banners (Correct)
  • Command shell restrictions
  • Session output pipe to /dev/null

Answer : Warning banners

A user in the company is in charge of various financial roles but needs to prepare for an upcoming
audit. They use the same account to access each financial system.
Which of the following security controls will MOST likely be implemented within the company?


Options are :

  • Account password enforcement
  • Password complexity enabled
  • Separation of duties (Correct)
  • Account lockout policy

Answer : Separation of duties
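The user rights review, least privilege and separation of duties questions above all reduce to the same check: compare what each account actually holds against what its role needs, and flag any single person who holds a toxic combination of rights. The script below is an added example, not part of the original exam material. The role baseline, the toxic permission pairs and the user grants are constructed sample data; in practice the grants would be exported from the ERP and directory systems being reviewed.

```python
"""User rights review with a separation-of-duties check.

Added example for the least-privilege, user-rights-review and
separation-of-duties questions on this page. ROLE_BASELINE, TOXIC_COMBINATIONS
and USER_GRANTS are constructed sample data.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed: the permissions each job role legitimately needs (the least-privilege baseline).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "accounts_payable":    {"erp.invoice.read", "erp.invoice.create"},
    "accounts_receivable": {"erp.invoice.read", "erp.payment.post"},
    "helpdesk":            {"ad.user.reset_password", "ad.user.unlock"},
}

# Constructed: rights no single person may hold together (separation of duties).
TOXIC_COMBINATIONS: Set[FrozenSet[str]] = {
    frozenset({"erp.invoice.create", "erp.payment.post"}),      # raise an invoice and pay it
    frozenset({"ad.user.reset_password", "ad.group.modify"}),   # reset a password and self-promote
}

# Constructed: what each account holds today, e.g. after a job change left old grants behind.
USER_GRANTS: Dict[str, Dict] = {
    "alice": {"role": "accounts_payable",
              "grants": {"erp.invoice.read", "erp.invoice.create", "erp.payment.post"}},
    "bob":   {"role": "helpdesk",
              "grants": {"ad.user.reset_password", "ad.user.unlock", "ad.group.modify"}},
    "carol": {"role": "accounts_receivable",
              "grants": {"erp.invoice.read"}},
}

Finding = Tuple[str, str, str]   # (user, finding type, detail)

def excess_grants(role: str, grants: Set[str], baseline=ROLE_BASELINE) -> Set[str]:
    """Rights held beyond what the user's role needs (privilege creep)."""
    return grants - baseline.get(role, set())

def sod_violations(grants: Set[str], toxic=TOXIC_COMBINATIONS) -> List[FrozenSet[str]]:
    """Toxic combinations fully contained in one account's grants."""
    return sorted((combo for combo in toxic if combo <= grants), key=sorted)

def review(users=USER_GRANTS, baseline=ROLE_BASELINE, toxic=TOXIC_COMBINATIONS) -> List[Finding]:
    """Run the rights review and return findings; missing rights are not flagged,
    only excess rights and separation-of-duties conflicts."""
    findings: List[Finding] = []
    for user, record in sorted(users.items()):
        if record["role"] not in baseline:
            findings.append((user, "unknown-role", record["role"]))
            continue
        for perm in sorted(excess_grants(record["role"], record["grants"], baseline)):
            findings.append((user, "excess-privilege", perm))
        for combo in sod_violations(record["grants"], toxic):
            findings.append((user, "sod-conflict", "+".join(sorted(combo))))
    return findings

if __name__ == "__main__":
    for user, kind, detail in review():
        print(f"{user:6} {kind:17} {detail}")
```

On the sample data alice holds a payment right her role does not need and, because of it, a separation-of-duties conflict (she can both create an invoice and post the payment); bob has the same pattern in the directory. carol is under-provisioned, which is an operations problem rather than a security finding, so the review does not report it.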

One of the system administrators at a company is assigned to maintain a secure computer lab.
The administrator has rights to configure machines, install software, and perform user account
maintenance. However, the administrator cannot add new computers to the domain, because that
requires authorization from the Information Assurance Officer.
Which of the following is this an example of?


Options are :

  • Least privilege (Correct)
  • Mandatory access
  • Job rotation
  • Rule-based access control

Answer : Least privilege

A company has decided to move large data sets to a cloud provider in order to limit the costs of
new infrastructure. Some of the data is sensitive and the Chief Information Officer wants to make
sure both parties have a clear understanding of the controls needed to protect the data.

Which of the following types of interoperability agreement is this?


Options are :

  • MOU
  • BPA
  • ISA (Correct)
  • SLA

Answer : ISA

Which of the following policies is described by the statement: when assigning permissions,
give users only the permissions that they need to do their work and no more?


Options are :

  • Time of day restrictions
  • Least privilege (Correct)
  • Job rotation
  • Mandatory vacations

Answer : Least privilege
