Can You Pass This Difficult CompTIA Security+ Exam?

All precautions for networks are being taken to preserve network and data availability. Hence iti s mandatory that data be given maximum online and offline fault tolerance.

The �deny all� is the most restrictive statement that is implicitly defined in the fireall when no other statement is configured. This will get applied to all packets that do not match with the criteria mentioned in the list above the �deny all� statement.

Router is a gateway and antivirus resides on all systems. Firewall is meant to safe guard the network from external attacks.

The security awareness program attended by the employee may provide security awareness up to that date only. Any improvements and up gradation in security awareness there after must reach all the staff in form of bulletins.

Burglar alarms and surveillance systems are an integral part of tracking and alerting authorities against intruders and attackers.

If you wish to allow the external users access your Web server you must unblock port number 80.

When a particular message has been encrypted using random combinations, a person who is capturing this message will have to try all combinations of deciphering possible to expose the original message. This is known as brute force attack.

It is very essential for every employee/user to know the relevant security policies and the effect of security breach.

SQL injection is a code injection technique used to attack data-driven applications. The other options are types of social engineering attacks:

Phishing uses deceptive emails or websites to trick individuals into revealing sensitive information.

Pretexting involves creating a false scenario to gain trust and obtain personal data.

Baiting offers something enticing to lure victims into a trap, like a malicious USB drive.

Cryptography without keys is not at all secure as the deciphering program will reside on the same media where the data or message is being received. In case of thest, the data can be stolen along with the deciphering program.

Network resources not being available means the user has to manage with available resource and hence use more time than required to complete a task. Server crashing and no DRP in place means excess of down time and this affecting the work of several employees. Both these situations can hamper productivity.

NTFS supports EFS (Encrypted File System) which allows data stored on a mass storage device to be saved in encrypted format.

By auditing all servers in the network for stored data, you can classify data as sensitive or non-sensitive. Auditing is the best process of taking stock of sensitive data in the network.

SMTP service uses port number 25.

Auditing is an accounting process where in the organization assets and deficits will be accounted for.

DoS is a way of engaging a Web Server continuously in one specific task by outing it on a loop and ensuring it is unable to respond to any further requests.

Biometric will authenticate or establish User ID depending on the physical attribute of the user. For ex: Finger print, hand scan or retina scan. Since these physical attributes are always physically attached to the person, there is no fear of any of these being lost or reaching wrong hands. Hence Biometric is the most secure form of authentication.

A programmer makes use of back doors in the program for the purpose of debugging or observing the performance of the program.

RC5 and Blowfish are encryption systems. MAC is a type of hardware address. ARP is a protocol that resolves MAC address to IP address.

Supporting only a specific encryption standard will make that network a closed network and will make it impossible to communicate with networks that follow flexibility in encryption.

As the name suggests the modem mainly modulates and demodulates signals. Seated (logically) between the telephone line and the PC, it is responsible for converting the analog signals of the telephone to the digital signals required by the PC and vice versa.

Authorizing the sender of the update and then checking for verification purpose is one way of securing the DNS server database and service availability.

They forma an essential part of Web site security system, as it is the most convenient security system for Web sites considering that clients would be accessing the Web site over the public network. The Certificate security system uses the basic logic of Public/Private key pairs.

The issues with key distribution faced by conventional encryption, was overcome by the Public-key cryptography concepts introduced by Diffie-Hellman.

The port number 443 must also be blocked.

Address Resolution Protocol (ARP) of the IP protocol suite is responsible for obtaining MAC address of the PC whose IP address is available for communication.

Biometrics is a technology used to establish user identity through unique physiological or behavioral characteristics. Fingerprints are one of the most widely recognized biometric identifiers. Each person's fingerprint pattern is unique, and allows for highly accurate and rapid identification. Retinal scans provides a high level of accuracy because the retinal pattern remains stable throughout a person's life. DNA-based identification is typically reserved for situations where the utmost accuracy is required, such as in forensic investigations or specialized security applications.

Clear text authentication is very simple and easy to implement and verify. But a network that has implemented clear text security is not very secure as it is very easy to decipher clear text passwords.

A VPN tunnel requires tunneling protocols. L2TP (Layer 2 Tunneling Protocol) and PPTP (Point to Point Tunneling Protocol) are the only two relevant protocols that relate to VPN. HTTP and NNTP are services that are usually configured on a Web Server.

A warm site would provide all facilities other than computers. Hence the return time to business is usually more than t hat in hot site.

Usually, burglar alarms are connected to the local police or security organization through telephone lines as well as being powered by electric supply. Hence it is important to backup telephone lines as well as power lines.

Leaving the electric supply on during fire can have disastrous effect on the site. T o avoid this, it is ideal that the electric supply be programmed to be put off with the usage of heat sensors.

Virus database not being updated as per schedule could be a common but serious error on the servers that gives rise to vulnerabilities.

Stateful Inspection firewall will not operate on all the & layers of OSI reference mode.

Network resource access will have to be controlled through access permissions. Server access will have to be controlled through physical security to the server. Unauthorized access prevention of stored information or information being transmitted is the role of cryptography.

A digital signature is a mathematical scheme for verifying the authenticity and integrity of digital documents or messages. It is the electronic equivalent of a handwritten signature, providing assurance that the document or message originated from the claimed sender and has not been altered in transit.

Blocking port numbers 67 and 68 on the external interface of the firewall for incoming connections will ensure that no external user will be able to access the internal DHCP server.

When cryptography uses a hash function on plain text, a fixed length of data called the message digest is generated. This message digest helps to preserve the data integrity by generating a digest value when the data was originally transmitted. If during transmission the data gets modified, the message digest value that will be resulting will be a totally different value from the original one. This is usually verified at the receiving end before accepting and confirming the receipt of data.

Differential Cryptanalysis is nothing but pattern studying. It chooses a pair of plain text with specific differences.

RADIUS is abbreviation for Remote Access Dial In User Service.

ECC is the encryption system used in cellular devices.

Customer information is usually classified as highly confidential information. Budget related information is classified as confidential information.

Since the only protocol that supports cross platform communication is IP, the best way to implement security in this scenario would be through IPSec. PPTP is a tunneling protocol and does not relate to security. Kerberos is a LAN security protocol. Certificates can help in this scenario provided the access limitation is acceptable.

Although as per certain company policies that provide granular clarity and specific information, even ex-employees are considered as insiders, by and large many corporates consider only key employees and contractors as insiders as they require some kind of an access to the company resources and in specific network resources.

Cypher locks can be used in punch lock systems and not Ciphertext. Cyphertext is an encryption scheme.

To allow access to a campus you would use smart cards.

The information of mapping users to their permissions for resource access would be available in the ACL.

In symmetric-key encryption, one key will be used for encryption as well as decryption.

Server clustering is the ideal solution for enhancing file server availability on the network

Cold site usually has electricity and space for furniture. Networking will have to be set up from scratch.

Wireless LANs are most susceptible to eavesdropping as the media here is dependent on frequency for transmission and reception. This makes the media very susceptible to overhearing or eavesdropping as well.

Brute force attack is the most common attack faced by the DES algorithm

There are web sites that keep updating vulnerability information for different platforms. It is ideal to constantly browse these sites and keep checking if it applicable for the platform and applications housed in your web server. Another mandatory task is to update virus definition files regularly.

The best way to preserve an internal server from external attacks is to make sure there are no unnecessary services running on the server, no unused user names are existing in the user database, all vulnerabilities are being verified and monitored at required intervals.

In the Kerberos authentication system, the key components include the Ticket Granting Server (TGS) and the Key Distribution Center (KDC). These components work together to provide secure authentication services. Options C, D, and E are not typically considered key components of the Kerberos system.

Keys are measured by bits.

SLIP and PPP are the only two protocols that can be used for dial-up connections. SLIP is now obsolete. PPTP is a tunneling protocol and POP3 is used for mail retrieval.

There are two types of key-based algorithms. Depending on the key pair types they use, they can be categorized as symmetric or asymmetric algorithms.

SHA is a security hash algorithm that is used with encryption protocols. Its latest version is SHA-1

Cryptography without encryption and before encryption is not cryptography at all. Cryptography is possible with keys and without keys. When used without keys, it will be using simple or complex substitution.

It is important to have a classification of data to ensure correct levels of security to the relevant type of data. Although it is possible to have informal methods to classify data, it is much methodical to employ a strategy to achieve the end result. The usual strategy employs a scheme that splits into different levels to classify data in the organization. The number of levels is usually dependent on the company needs and requirements or security.

Usually email attachments are documents, pictures or zip files. EXE files are usually too large to be sent as mail attachments hence EXE file virus is not appropriate. Boot record virus is deposited into a system through floppy media and not via email.

Proxy service as well as the Router is both capable of Network Address translation (NAT) which is the basic function of a firewall.

The firewall will first look at the destination address.

View the data in the history and study any visible occurrences to analyze the pattern and frequency of its occurrence. This will allow you to be better prepared for risk management.

The access policy or the Service access policy will dictate to what extent the external users can access internal network resources or which of the internal resources will be totally inaccessible to the outside world.

It is always safe that you host a database server on a server resource internal to the network rather than on the same server as your Web server. A three-tier model ensures security to your database server as the database server cannot be directly accessed in this model. Centralized or distributed administration will not be a security concern here.

It is not wise to have just one administrator account in case that administrator gets locked out. It is always safe to rename guest and administrator accounts renamed. Administrator passwords must be difficult to guess and should not be blank.

Content specific action will ensure that you can discard the mail that is containing sensitive or prohibited data.

To transfer mails between email servers of different domains you would require SMTP service.

In the mentioned scenario, the RADIUS server would be challenging the user's request first, the rest of the servers on the network would then verify with this RADIUS server at a later stage when they receive a request for resource access from this dial-in or remote user.

When conventional encryption is used for stored data rather than the data being transmitted, encryption and decryption process can be very fast.

The block size in RC5 can be 32-bit, 64-bit or 128-bit.

A separate group for contract employees will be a good idea as they are all similar in nature of the role and will require similar access to the network. Disabling an account of the contractor who has completed contract is a must as he will no longer be able to log in.

The mentioned devices� purpose is media access. Media access is the responsibility of Layer 2 or the data link layer. Hence the devices belong to data link layer.

The microwave operates on the 2.4 GHz range, which is why is it is necessary to place the Wireless 802.11b and g devices slightly apart from Microwave device when used in homes. Bluetooth, as well as Wireless 802.11b and g devices, operate on 2.4 GHz frequency.

IDEA provides high level of security along with ease of implementation.

Ping the server will only ensure if the connectivity is proper. Simulating a DoS attack could only test for a very few vulnerabilities on the server. DDoS (Distributed DoS) would test for more vulnerabilities on the server than the DoS would. Checking for patches and antivirus is just a precaution. It is not a process of testing for vulnerabilities.

Infrared and Radio frequency are two different communication media. The Infrared communication requires line of sight. If the device that intends interception is placed in the line of sight as the main devices then interception will be very easy. This mode of communication is least secure.

ABA concerns itself with key issues in providing security to financial transaction/communication between banks.

Incremental backups take the fastest to perform in comparison with full and differential backups, but are the longest to restore

To keep a message a secret it is required that the cipher must be able to generate several cipher text.

The Stateful inspection firewall, monitors connection status based on the state table. It functions on the network layer and monitors connection status for the entire network.

RC2 or Ron's code 2 is a 64-bit block cipher. It was devised by Ron Rivest.

MAC uses a static or predefined set of access privileges and hence cannot allow dynamic sharing of resources.

A token is generated when a user has been successfully authenticated. This token is attached to the users� session and will be destroyed once the session is terminated or after the user has logged out. This token will contain user access permission assigned on the network resources for that user.

Cryptanalysis is a process of studying the pattern of secure communication and breaking it. It involves complex combination such as patience and determination combined with skills of pattern finding, mathematical tools and analytical reasoning.

System administrator is responsible for access control in the MAC model. The owner of the organization will be responsible for DAC. The RBAC is dependent on the role played by the user in the organization.

No one encryption scheme can handle the security required by an entire organization. It will usually be a combination of two or more.

Scan before downloading will ensure the message that is infected will be deleted before actually downloading to the hard disk. Scan before sending will ensure that you are not inadvertently transmitting a virus along with the message tot the destination email Id.

LAN login will be secure if the network policies in the organization follow book rules. It will not require certificates. Certificates are best used during WAN access. For ex: when using web sites that require you to provide confidential information about yourself, or when you are logging in to the Intranet, from an unknown location. The Dial-up connection in itself does not require any authentication except with the service provider.

Application filtering firewalls operate at the application layer of the OSI model and can block specific applications or protocols, such as FTP. They can identify and block FTP traffic based on its characteristics, such as port numbers, commands, and data patterns.

Cross-site scripting (XSS) is a web security vulnerability, not a social engineering tactic. Social engineering manipulates people to gain unauthorized access or information. Phishing uses deceptive emails or websites, pretexting involves creating a false scenario, and baiting offers tempting lures to hook victims.

L2TP (Layer 2 Tunneling Protocol) was created by Cisco as well as Microsoft. It is meant to function over IP, IPX and SNA networks.

The implementation of Public key cryptography does not need any existing security measure to be implemented. Public key can only encrypt and Private key can only decrypt.

Before transmitting any email, the mail server is bound to verify the domain in the destination address of the email to see if it the domain name is self or not before it actually sends the mail out. Before receiving any email its primary security function is to ensure that the email is not infected. In case of the email being infected it is supposed to be discarded.

TACACS (Terminal Access Controller Access Control System), RADIUS are both dedicated authenticating services for dial-in users. IAS (Internet Authentication Server) is not ideally meant for this purpose.

Any off site location is good. Within the vicinity of the site will ensure that data backup is safe in case of fire and is also available at short notice when required to restore. In general, Budget and security concerns should dictate distance, as far away location will protect against natural disasters that may effect the city/neighbrohood.

Whenever a user requests login, the Server poses a challenge and then the user provides the requested password and then the server will decide based on the credentials if it should authorize the user or not. This is what is referred to as three-way handshake.