A security administrator wishes to change their wireless network so that IPSec is built into the protocol and NAT is no longer required for address range extension. Which of the following protocols should be used in this scenario?
A user has plugged in a wireless router from home with default configurations into a network jack at the office. This is known as:
A. an evil twin. B. an IV attack. C. a rogue access point. D. an unauthorized entry point.
Answer: C
Explanation: A rogue access point is a wireless access point that should not be there. In this question, the wireless router has been connected to the corporate network without authorization. Therefore, it is a rogue access point. A rogue access point is a wireless access point that has either been installed on a secure company network without explicit authorization from a local network administrator, or has been created to allow a hacker to conduct a man-in-the-middle attack. Rogue access points of the first kind can pose a security threat to large organizations with many employees, because anyone with access to the premises can install (maliciously or non-maliciously) an inexpensive wireless router that can potentially allow access to a secure network to unauthorized parties. Rogue access points of the second kind target networks that do not employ mutual authentication (client-server, server-client) and may be used in conjunction with a rogue RADIUS server, depending on the security configuration of the target network. To prevent the installation of rogue access points, organizations can install wireless intrusion prevention systems to monitor the radio spectrum for unauthorized access points.
A security architect wishes to implement a wireless network with connectivity to the company’s internal network. Before they inform all employees that this network is being put in place, the architect wants to roll it out to a small test segment. Which of the following allows for greater secrecy about this network during this initial phase of implementation?
A. Disabling SSID broadcasting B. Implementing WPA2 – TKIP C. Implementing WPA2 – CCMP D. Filtering test workstations by MAC address
Answer: A
Explanation: Network administrators may choose to disable SSID broadcast to hide their network from unauthorized personnel. However, the SSID is still needed to direct packets to and from the base station, so it’s a discoverable value using a wireless packet sniffer. Thus, SSID broadcast should be disabled if the network isn’t for public use.
A business has set up a Customer Service kiosk within a shopping mall. The location will be staffed by an employee using a laptop during the mall business hours, but there are still concerns regarding the physical safety of the equipment while it is not in use. Which of the following controls would BEST address this security concern?
A. Host-based firewall B. Cable locks C. Locking cabinets D. Surveillance video
Answer: C
Explanation: Locking cabinets can be used to protect backup media, documentation and other physical artefacts. In this case a locking cabinet will keep the company’s Customer Service kiosk under lock and key when not in use.
Which of the following best practices makes a wireless network more difficult to find?
A. Implement MAC filtering B. Use WPA2-PSK C. Disable SSID broadcast D. Power down unused WAPs
Answer: C
Explanation: Network administrators may choose to disable SSID broadcast to hide their network from unauthorized personnel. However, the SSID is still needed to direct packets to and from the base station, so it’s a discoverable value using a wireless packet sniffer. Thus, SSID broadcast should be disabled if the network isn’t for public use.
The administrator receives a call from an employee named Peter. Peter says the Internet is down and he is receiving a blank page when trying to connect to a popular sports website. The administrator asks Peter to try visiting a popular search engine site, which Peter reports as successful. Peter then says that he can get to the sports site on his phone. Which of the following might the administrator need to configure?
A. The access rules on the IDS B. The pop up blocker in the employee’s browser C. The sensitivity level of the spam filter D. The default block page on the URL filter
Answer: D
Explanation: A URL filter is used to block access to a site based on all or part of a URL. There are a number of URL-filtering tools that can acquire updated master URL block lists from vendors, as well as allow administrators to add or remove URLs from a custom list.
A system administrator has been instructed by the head of security to protect their data at-rest. Which of the following would provide the strongest protection?
A. Prohibiting removable media B. Incorporating a full-disk encryption system C. Biometric controls on data center entry points D. A host-based intrusion detection system
Answer: B
Explanation: Full disk encryption can be used to encrypt an entire volume with 128-bit encryption. When the entire volume is encrypted, the data is not accessible to someone who might boot another operating system in an attempt to bypass the computer’s security. Full disk encryption is sometimes referred to as hard drive encryption. This would be best to protect data that is at rest.
Which of the following would be MOST appropriate if an organization’s requirements mandate complete control over the data and applications stored in the cloud?
A. Hybrid cloud B. Community cloud C. Private cloud D. Public cloud
Answer: C
Explanation: A private cloud is a cloud service for internal use only and is located within a corporate network rather than on the Internet. It is usually owned, managed, and operated by the company, which gives the company full control over the data and applications stored in the cloud.
Which of the following is true about input validation in a client-server architecture, when data integrity is critical to the organization?
A. It should be enforced on the client side only. B. It must be protected by SSL encryption. C. It must rely on the user’s knowledge of the application. D. It should be performed on the server side.
Answer: D
Explanation: Client-side validation should only be used to improve user experience, never for security purposes. A client-side input validation check can improve application performance by catching malformed input on the client and, therefore, saving a round trip to the server. However, client-side validation can be easily bypassed and should never be used for security purposes. Always use server-side validation to protect your application from malicious attacks.