CompTIA Security+ Question G-40

Configuring the mode, encryption methods, and security associations are part of which of the following?

A. IPSec
B. Full disk encryption
C. 802.1x
D. PKI

Answer: A

Explanation:
IPSec can operate in tunnel mode or transport mode. It uses symmetric cryptography to provide encryption security. Furthermore, it makes use of the Internet Security Association and Key Management Protocol (ISAKMP).

CompTIA Security+ Question G-39

Ann has taken over as the new head of the IT department. One of her first assignments was to implement AAA in preparation for the company’s new telecommuting policy. When she takes inventory of the organization’s existing network infrastructure, she makes note that it is a mix of several different vendors. Ann knows she needs a method of secure centralized access to the company’s network resources. Which of the following is the BEST service for Ann to implement?

A. RADIUS
B. LDAP
C. SAML
D. TACACS+

Answer: A

Explanation:
The Remote Authentication Dial In User Service (RADIUS) networking protocol offers centralized Authentication, Authorization, and Accounting (AAA) management for users who make use of a network service.

CompTIA Security+ Question G-38

In which of the following scenarios is PKI LEAST hardened?

A. The CRL is posted to a publicly accessible location.
B. The recorded time offsets are developed with symmetric keys.
C. A malicious CA certificate is loaded on all the clients.
D. All public keys are accessed by an unauthorized user.

Answer: C

Explanation:
A rogue Certification Authority (CA) certificate allows malicious users to impersonate any Web site on the Internet, including banking and e-commerce sites secured using the HTTPS protocol. A rogue CA certificate would be seen as trusted by Web browsers, and it is harmful because it can appear to be signed by one of the root CAs that browsers trust by default. A rogue Certification Authority (CA) certificate can be created using a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure Web sites.

CompTIA Security+ Question G-37

Which of the following types of authentication packages user credentials in a ticket?

A. Kerberos
B. LDAP
C. TACACS+
D. RADIUS

Answer: A

Explanation:
The basic process of Kerberos authentication is as follows:
1. The subject provides logon credentials.
2. The Kerberos client system encrypts the password and transmits the protected credentials to the KDC.
3. The KDC verifies the credentials and then creates a ticket-granting ticket (TGT, a hashed form of the subject’s password with the addition of a time stamp that indicates a valid lifetime).
4. The TGT is encrypted and sent to the client.
5. The client receives the TGT. At this point, the subject is an authenticated principal in the Kerberos realm.
6. The subject requests access to resources on a network server. This causes the client to request a service ticket (ST) from the KDC.
7. The KDC verifies that the client has a valid TGT and then issues an ST to the client. The ST includes a time stamp that indicates its valid lifetime.
8. The client receives the ST.
9. The client sends the ST to the network server that hosts the desired resource.
10. The network server verifies the ST. If it’s verified, it initiates a communication session with the client. From this point forward, Kerberos is no longer involved.

CompTIA Security+ Question G-36

Which of the following is an authentication method that can be secured by using SSL?

A. RADIUS
B. LDAP
C. TACACS+
D. Kerberos

Answer: B

Explanation:
With secure LDAP (LDAPS), all LDAP communications are encrypted with SSL/TLS.

CompTIA Security+ Question G-35

When designing a new network infrastructure, a security administrator requests that the intranet web server be placed in an isolated area of the network for security purposes. Which of the following design elements would be implemented to comply with the security administrator’s request?

A. DMZ
B. Cloud services
C. Virtualization
D. Sandboxing

Answer: A

Explanation:
A demilitarized zone (DMZ) is an area of a network that is designed specifically for public users to access. The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN. Often a DMZ is deployed through the use of a multihomed firewall.

CompTIA Security+ Question G-34

Which of the following devices is MOST likely being used when processing the following?
1 PERMIT IP ANY ANY EQ 80
2 DENY IP ANY ANY

A. Firewall
B. NIPS
C. Load balancer
D. URL filter

Answer: A

Explanation:
Firewalls, routers, and even switches can use ACLs as a method of security management. Every access control list has an implicit deny ip any any at its end. ACLs deny by default and allow by exception.

CompTIA Security+ Question G-33

An administrator has a network subnet dedicated to a group of users. Due to concerns regarding data and network security, the administrator desires to provide network access for this group only. Which of the following would BEST address this desire?

A. Install a proxy server between the users’ computers and the switch to filter inbound network traffic.
B. Block commonly used ports and forward them to higher and unused port numbers.
C. Configure the switch to allow only traffic from computers based upon their physical address.
D. Install host-based intrusion detection software to monitor incoming DHCP Discover requests.

Answer: C

Explanation:
Configuring the switch to allow only traffic from computers based upon their physical address is known as MAC filtering. The physical address is known as the MAC address. Every network adapter has a unique MAC address hardcoded into the adapter. You can configure the ports of a switch to allow connections from computers with specific MAC addresses only and block all other MAC addresses. MAC filtering is commonly used in wireless networks but is considered insecure because a MAC address can be spoofed. However, in a wired network, it is more secure because it would be more difficult for a rogue computer to sniff a MAC address.

CompTIA Security+ Question G-32

Which of the following is the BEST approach to perform risk mitigation of user access control rights?

A. Conduct surveys and rank the results.
B. Perform routine user permission reviews.
C. Implement periodic vulnerability scanning.
D. Disable user accounts that have not been used within the last two weeks.

Answer: B

Explanation:
Risk mitigation is accomplished any time you take steps to reduce risk. This category includes installing antivirus software, educating users about possible threats, monitoring network traffic, adding a firewall, and so on. User permissions may be the most basic aspect of security and are best coupled with a principle of least privilege. Related to permissions is the concept of the access control list (ACL). An ACL is literally a list of who can access what resource and at what level. Thus, the best risk mitigation step, insofar as access control rights are concerned, is the regular, routine review of user permissions.

CompTIA Security+ Question G-31

A network administrator recently updated various network devices to ensure redundancy throughout the network. If an interface on any of the Layer 3 devices were to go down, traffic would still pass through another interface and the production environment would be unaffected. This type of configuration represents which of the following concepts?

A. High availability
B. Load balancing
C. Backout contingency plan
D. Clustering

Answer: A

Explanation:
High availability (HA) refers to the measures used to keep services and systems operational during an outage. In short, the goal is to provide all services to all users, where they need them and when they need them. With high availability, the goal is to have key services available 99.999 percent of the time (also known as five nines availability).