CompTIA Security+ Question L-71

A company is preparing to decommission an offline, non-networked root certificate server. Before sending the server’s drives to be destroyed by a contracted company, the Chief Security Officer (CSO) wants to be certain that the data will not be accessed. Which of the following, if implemented, would BEST reassure the CSO? (Select TWO).

A. Disk hashing procedures
B. Full disk encryption
C. Data retention policies
D. Disk wiping procedures
E. Removable media encryption

Answer: B,D

Explanation:
B: Full disk encryption is when the entire volume is encrypted; the data is not accessible to someone who might boot another operating system in an attempt to bypass the computer’s security. Full disk encryption is sometimes referred to as hard drive encryption.

D: Disk wiping is the process of overwriting data on the repeatedly, or using a magnet to alter the magnetic structure of the disks. This renders the data unreadable.

CompTIA Security+ Question L-49

Which of the following authentication services uses a ticket granting system to provide access?

A. RADIUS
B. LDAP
C. TACACS+
D. Kerberos

Answer: D

Explanation:
The basic process of Kerberos authentication is as follows: The subject provides logon credentials. The Kerberos client system encrypts the password and transmits the protected credentials to the KDC. The KDC verifies the credentials and then creates a ticket-granting ticket (TGT—a hashed form of the subject’s password with the addition of a time stamp that indicates a valid lifetime). The TGT is encrypted and sent to the client. The client receives the TGT. At this point, the subject is an authenticated principle in the Kerberos realm. The subject requests access to resources on a network server. This causes the client to request a service ticket (ST) from the KDC. The KDC verifies that the client has a valid TGT and then issues an ST to the client. The ST includes a time stamp that indicates its valid lifetime. The client receives the ST. The client sends the ST to the network server that hosts the desired resource. The network server verifies the ST. If it’s verified, it initiates a communication session with the client. From this point forward, Kerberos is no longer involved.

CompTIA Security+ Question L-39

Which of the following types of authentication solutions use tickets to provide access to various resources from a central location?

A. Biometrics
B. PKI
C. ACLs
D. Kerberos

Answer: D

Explanation:
The basic process of Kerberos authentication is as follows: The subject provides logon credentials. The Kerberos client system encrypts the password and transmits the protected credentials to the KDC. The KDC verifies the credentials and then creates a ticket-granting ticket (TGT—a hashed form of the subject’s password with the addition of a time stamp that indicates a valid lifetime). The TGT is encrypted and sent to the client. The client receives the TGT. At this point, the subject is an authenticated principle in the Kerberos realm. The subject requests access to resources on a network server. This causes the client to request a service ticket (ST) from the KDC. The KDC verifies that the client has a valid TGT and then issues an ST to the client. The ST includes a time stamp that indicates its valid lifetime. The client receives the ST. The client sends the ST to the network server that hosts the desired resource. The network server verifies the ST. If it’s verified, it initiates a communication session with the client. From this point forward, Kerberos is no longer involved.

CompTIA Security+ Question K-55

Which of the following is an advantage of implementing individual file encryption on a hard drive which already deploys full disk encryption?

A. Reduces processing overhead required to access the encrypted files
B. Double encryption causes the individually encrypted files to partially lose their properties
C. Individually encrypted files will remain encrypted when copied to external media
D. File level access control only apply to individually encrypted files in a fully encrypted drive

Answer: C

Explanation:
With full disk encryption a file is encrypted as long as it remains on the disk. This is because the data on the disk is decrypted when the user logs on, thus the data is in a decrypted form when it is copied to another disk. Individually encrypted files on the other hand remain encrypted.

CompTIA Security+ Question J-55

In order to securely communicate using PGP, the sender of an email must do which of the following when sending an email to a recipient for the first time?

A. Import the recipient’s public key
B. Import the recipient’s private key
C. Export the sender’s private key
D. Export the sender’s public key

Answer: A

Explanation:
See step 4 below.

1.

When a user encrypts plaintext with PGP, PGP first compresses the plaintext.

2.

PGP then creates a session key, which is a one-time-only secret key.

3.

This session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext.

4.

Once the data is encrypted, the session key is then encrypted to the recipient’s public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient.

CompTIA Security+ Question I-43

A system administrator has been instructed by the head of security to protect their data at-rest.
Which of the following would provide the strongest protection?

A. Prohibiting removable media
B. Incorporating a full-disk encryption system
C. Biometric controls on data center entry points
D. A host-based intrusion detection system

Answer: B

Explanation:
Full disk encryption can be used to encrypt an entire volume with 128-bit encryption. When the entire volume is encrypted, the data is not accessible to someone who might boot another operating system in an attempt to bypass the computer’s security. Full disk encryption is sometimes referred to as hard drive encryption. This would be best to protect data that is at rest.

CompTIA Security+ Question G-53

After copying a sensitive document from his desktop to a flash drive, Peter, a user, realizes that the document is no longer encrypted. Which of the following can a security technician implement to ensure that documents stored on Peter’s desktop remain encrypted when moved to external media or other network based storage?

A. Whole disk encryption
B. Removable disk encryption
C. Database record level encryption
D. File level encryption

Answer: D

Explanation:
Encryption is used to ensure the confidentiality of information. In this case you should make use of file level encryption. File level encryption is a form of disk encryption where individual files or directories are encrypted by the file system itself. This is in contrast to full disk encryption where the entire partition or disk, in which the file system resides, is encrypted.

CompTIA Security+ Question G-37

Which of the following types of authentication packages user credentials in a ticket?

A. Kerberos
B. LDAP
C. TACACS+
D. RADIUS

Answer: A

Explanation:
The basic process of Kerberos authentication is as follows: The subject provides logon credentials. The Kerberos client system encrypts the password and transmits the protected credentials to the KDC. The KDC verifies the credentials and then creates a ticket-granting ticket (TGT—a hashed form of the subject’s password with the addition of a time stamp that indicates a valid lifetime). The TGT is encrypted and sent to the client. The client receives the TGT. At this point, the subject is an authenticated principle in the Kerberos realm. The subject requests access to resources on a network server. This causes the client to request a service ticket (ST) from the KDC. The KDC verifies that the client has a valid TGT and then issues an ST to the client. The ST includes a time stamp that indicates its valid lifetime. The client receives the ST. The client sends the ST to the network server that hosts the desired resource. The network server verifies the ST. If it’s verified, it initiates a communication session with the client. From this point forward, Kerberos is no longer involved.

CompTIA Security+ Question F-74

A company uses PGP to ensure that sensitive email is protected. Which of the following types of cryptography is being used here for the key exchange?

A. Symmetric
B. Session-based
C. Hashing
D. Asymmetric

Answer: A

Explanation:
PGP combines symmetric-key encryption and public-key encryption. The message is encrypted using a symmetric encryption algorithm, which requires a symmetric key. Each symmetric key is used only once and is also called a session key.

CompTIA Security+ Question F-34

Which of the following allows a company to maintain access to encrypted resources when employee turnover is high?

A. Recovery agent
B. Certificate authority
C. Trust model
D. Key escrow

Answer: A

Explanation:
If an employee leaves and we need access to data he has encrypted, we can use the key recovery agent to retrieve his decryption key. We can use this recovered key to access the data. A key recovery agent is an entity that has the ability to recover a key, key components, or plaintext messages as needed. As opposed to escrow, recovery agents are typically used to access information that is encrypted with older keys.