CompTIA Security Plus Practice Exam

Reviewed by Editorial Team
The ProProfs editorial team is comprised of experienced subject matter experts. They've collectively created over 10,000 quizzes and lessons, serving over 100 million users. Our team includes in-house content moderators and subject matter experts, as well as a global network of rigorously trained contributors. All adhere to our comprehensive editorial guidelines, ensuring the delivery of high-quality content.
Learn about Our Editorial Process
| By Pinguisweb
P
Pinguisweb
Community Contributor
Quizzes Created: 1 | Total Attempts: 336
| Attempts: 336
Quiz Flashcard
SettingsSettings
Please wait...
  • 1/100 Questions

    With _______________, access decisions are based on the roles that individual users have as part of an organization.

    • Server based access control
    • Rule based access control
    • Token based access control
    • Role based access control
    • All of the Above
Please wait...
Security Plus Quizzes & Trivia
About This Quiz

Comptia Security+ Practice Exam- 1
Full length Comptia Security+ Practice Exam. Take this exam like thereal exam to see if you are completely prepared for the real exam. Time yourself to 90 minutes to get a feel of thepressures of the real exam. The practice test is designed to reflectthe final exam.

Quiz Preview

  • 2. 

    Which of the following is NOT a valid access control mechanism?

    • DAC (Discretionary Access Control) list.

    • SAC (Subjective Access Control) list.

    • MAC (Mandatory Access Control) list.

    • RBAC (Role Based Access Control) list.

    Correct Answer
    A. SAC (Subjective Access Control) list.
    Explanation
    There is no such thing as a SAC (Subjective Access Control) list.

    Rate this question:

  • 3. 

    A smartcard represents:

    • Something you are

    • Something you know

    • Something you have

    • All of the Above

    • None of the Above

    Correct Answer
    A. Something you have
    Explanation
    Authentication is accomplished through something you know, something you have and/or something you are. One form of authentication requires possession of something ("something you have") such as a key, a smart card, a disk, or some other device. Whatever form it takes, the authenticating item should be difficult to duplicate and may require synchronization with systems other than the one to which you are requesting access. Highly secure environments may require you to satisfy multiple authentication criteria to guarantee authenticity.

    Something you know, would be a piece of data known only to you, such as a password. Something you are, would be a physical characteristic of you, like your fingerprint.

    Rate this question:

  • 4. 

    All logs are kept on archive for a period of time. What determines this period of time?

    • Retention policies

    • Administrator preferences

    • MTTF

    • MTTR

    • All of the Above

    Correct Answer
    A. Retention policies
    Explanation
    All logs collected are used in the active and passive monitoring process. All logs are kept on archive for a period of time, called a retention period. This period of time will be determined by your company policies. This allows the use of logs for regular audits, and annual audits if retention is longer then a year. Logs must be secured to prevent modification, deletion, and destruction.

    Administrator preference is often used to determine certain things like how long logs are retained ... but since these decisions can affect the ability of the company to go back and research potential security issues, it is a corporate issue that should be governed by a deliberate policy statement.

    MTTF and MTTR are not relevant to setting the time for which logs will be retained. MTTF (Mean Time To Failure, sometimes called MTBF, Mean Time Before Failure) is related to the average amount of time a piece of equipment will be in service before it fails. MTTR (Mean Time To Repair) is a measure of how long it will take to repair the equipment when it fails.

    Rate this question:

  • 5. 

    A password represents:

    • Something you have

    • Something you know

    • Something you are

    • All of the Above

    • None of the Above

    Correct Answer
    A. Something you know
    Explanation
    Authentication is accomplished through something you know, something you have and/or something you are. The canonical example of something you know is a password or pass phrase. You might type or speak the value. A number of schemes are possible for obtaining what you know. It might be assigned to you, or you may have picked the value yourself. Constraints may exist regarding the form the value can take, or the alphabet from which you are allowed to construct the value might be limited to letters only. If you forget the value, you may not be able to authenticate yourself to the system.

    Something you have, would be a physical item you possess, such as a smartcard. Something you are, would be a personal characteristic of you, not a piece of information you know.

    Rate this question:

  • 6. 

    Which if the following technologies would you use if you need to implement a system that simulates a network of vulnerable devices, so that this network can be targeted by attackers ?

    • A circuit-level firewall

    • A honeypot

    • A IDS

    • A system integrity verifier

    Correct Answer
    A. A honeypot
    Explanation
    A honeypot is the correct answer because it is a technology used to simulate a network of vulnerable devices. It is designed to attract attackers and gather information about their techniques and tactics. By setting up a honeypot, organizations can study and analyze the behavior of attackers, identify vulnerabilities in their systems, and develop appropriate countermeasures to enhance their overall security.

    Rate this question:

  • 7. 

    For which of the following can biometrics be used?

    • Authentication

    • Authorization

    • Certification

    • Accountability

    Correct Answer
    A. Authentication
    Explanation
    Biometrics devices use physical characteristics to identify the user.
    Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 18

    Rate this question:

  • 8. 

    Identify the authentication system where a unique username and password is used to access multiple systems within a company?

    • Challenge Handshake Authentication Protocol (CHAP) is used to access multiple systems within a company.

    • Single Sign-on is used to access multiple systems within a company.

    • Kerberos is used to access multiple systems within a company.

    • Mandatory Access Control (MAC) is used to access multiple systems within a company.

    Correct Answer
    A. Single Sign-on is used to access multiple systems within a company.
    Explanation
    Single Sign-on (SSO) is an authentication system where a unique username and password are used to access multiple systems within a company. With SSO, users only need to enter their credentials once and they can then access various systems and applications without having to re-authenticate each time. This improves user convenience and productivity, as well as simplifying administration and security management for the company.

    Rate this question:

  • 9. 

    Which of the following are used to make access decisions in a MAC (Mandatory Access Control) environment?

    • Sensitivity labels

    • Group membership

    • Ownership

    • Access control lists

    Correct Answer
    A. Sensitivity labels
    Explanation
    Mandatory Access Control is a strict hierarchical model usually associated with governments. All objects are given security labels known as sensitivity labels and are classified accordingly. Then all users are given specific security clearances as to what they are allowed to access.

    Rate this question:

  • 10. 

    Identify the process where users can access numerous resources without needing multiple credentials?

    • The authentication process is known as need to know.

    • The authentication process is known as decentralized management.

    • The authentication process is known as Discretionary Access Control (DAC).

    • The authentication process is known as single sign-on.

    Correct Answer
    A. The authentication process is known as single sign-on.
    Explanation
    Single sign-on (SSO) is a process where users can access numerous resources without needing multiple credentials. With SSO, users only need to authenticate once, usually with a username and password, and then they can access multiple applications or systems without needing to provide their credentials again. This simplifies the authentication process for users and improves efficiency by reducing the need to remember and manage multiple sets of credentials.

    Rate this question:

  • 11. 

    Which of the following is NOT a good password deployment guideline?

    • Passwords must be changed at least once every 60 days, depending on your environment.

    • Passwords must not be the same as user id or login id.

    • Password aging must be enforced on all systems.

    • Password must be easy to memorize.

    • All of the Above

    Correct Answer
    A. Password must be easy to memorize.
    Explanation
    Passwords should be easy to memorize, because that minimizes the chance that users will write the password down somewhere that others could see it.

    Passwords should not be the same as the user ID, because that is one of the common passwords that common "password cracker" programs try, when attempting to discover passwords for accounts. Passwords must be changed at least once every 60 days (depending on your environment). Password aging or expiration must be enforced on all systems. Upon password expiration, if the password is not changed, only three grace logins must be allowed then the account must be disable until reset by an administrator or the help desk. Password reuse is not allowed (rotating passwords).

    Rate this question:

  • 12. 

    An administrator wishes to enable network auditing policies. Which of the following should the security administrator log?

    • Both logon successes and logon failures

    • Only logon failures for non-existent users

    • Only logon success

    • Only logon failures

    Correct Answer
    A. Both logon successes and logon failures
    Explanation
    The administrator should log both logon successes and logon failures in order to effectively monitor and track any unauthorized access attempts or suspicious activity on the network. By logging both types of events, the administrator can identify potential security breaches and take appropriate actions to mitigate them. Logging only logon failures for non-existent users or only logon successes or only logon failures may not provide a comprehensive view of the network's security posture and may result in missed or delayed detection of security incidents.

    Rate this question:

  • 13. 

    Which of the following best describes an access control mechanism in which access control decisions are based on the responsibilities that an individual user or process has in an organization?

    • RBAC (Role Based Access Control)

    • DAC (Discretionary Access Control)

    • MAC (Mandatory Access Control)

    • All of the Above

    • None of the above.

    Correct Answer
    A. RBAC (Role Based Access Control)
    Explanation
    The RBAC model allows a user to act in a certain predetermined manner based on the role the user holds in the organization. Users can be assigned certain roles system wide.

    Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 12

    Rate this question:

  • 14. 

    What authentication model uses a smart card and a User ID/Password for accessing network resources?

    • You should identify the Biometric authentication model.

    • You should identify the Multifactor authentication model.

    • You should identify the Mutual authentication model.

    • You should identify the Tokens authentication model.

    Correct Answer
    A. You should identify the Multifactor authentication model.
    Explanation
    The correct answer is the Multifactor authentication model. This model uses a combination of two or more authentication factors, such as a smart card and a User ID/Password, to verify the identity of a user before granting access to network resources. This adds an extra layer of security compared to using a single factor authentication method.

    Rate this question:

  • 15. 

    A centralized database of remote users for a multi-site network typically uses

    • RADIUS

    • PAP

    • MS-CHAP

    • CHAP

    Correct Answer
    A. RADIUS
    Explanation
    RADIUS (Remote Authentication Dial-In User Service) lowers administration costs and increases security by having a centralized database for authenticating remote users. PAP is the simplest of authentication protocols, which uses clear text.

    Rate this question:

  • 16. 

    Least privilege is defined as giving access to information:

    • Based on sense of urgency from management

    • Based on tenure at the company

    • Needed to complete the task

    • That may be revealed to the public

    • All of the Above

    Correct Answer
    A. Needed to complete the task
    Explanation
    The concept of least privilege is about providing access to information that is necessary to complete a specific task. It is not based on the sense of urgency from management or the tenure at the company. Additionally, it does not involve giving access to information that may be revealed to the public. Therefore, the correct answer is that access should be given based on what is needed to complete the task.

    Rate this question:

  • 17. 

    Why are clocks used in a Kerberos authentication system?

    • To ensure proper connections.

    • To ensure tickets expire correctly.

    • To generate the seed value for the encryptions keys.

    • To benchmark and set the optimal encryption algorithm.

    Correct Answer
    A. To ensure tickets expire correctly.
    Explanation
    The actual verification of a client's identity is done by validating an authenticator. The authenticator contains the client's identity and a timestamp. To insure that the authenticator is up-to-date and is not an old one that has been captured by an attacker, the timestamp in the authenticator is checked against the current time. If the timestamp is not close enough to the current time (typically within five minutes) then the authenticator is rejected as invalid. Thus, Kerberos requires your system clocks to be loosely synchronized (the default is 5 minutes, but it can be adjusted in Version 5 to be whatever you want).

    Reference: http://www.faqs.org/faqs/kerberos-faq/general/section-22.html

    Rate this question:

  • 18. 

    Which services is provided by message authentication codes?

    • You make use of message authentication codes to provide the Key recovery service.

    • You make use of message authentication codes to provide the Fault recovery service.

    • You make use of message authentication codes to provide the Acknowledgement service.

    • You make use of message authentication codes to provide the Integrity service.

    Correct Answer
    A. You make use of message authentication codes to provide the Integrity service.
    Explanation
    Message authentication codes (MACs) are cryptographic algorithms that are used to provide integrity to messages. They ensure that the message has not been tampered with during transmission or storage. By generating a unique code or tag for each message, MACs allow the recipient to verify the integrity of the message by comparing the generated code with the received code. This helps to detect any unauthorized modifications or alterations to the message. Therefore, the correct answer is that message authentication codes are used to provide the Integrity service.

    Rate this question:

  • 19. 

    With Discretionary access controls, who determines who has access and what privilege they have?

    • Only the administrators

    • Resource owners

    • End users

    • All of the Above

    • None of the Above

    Correct Answer
    A. Resource owners
    Explanation
    Discretionary access controls can extend beyond limiting which subjects can gain what type of access to which objects. Administrators can limit access to certain times of day or days of the week. Typically, the period during which access would be permitted is 9 a.m. to 5 p.m. Monday through Friday. Such a limitation is designed to ensure that access takes place only when supervisory personnel are present, to discourage unauthorized use of data. Further, subjects' rights to access might be suspended when they are on vacation or leave of absence. When subjects leave an organization altogether, their rights must be terminated rather than merely suspended. Under this type of control, the owner determines who has access and what privilege they have.

    If the end users of resources had control of who had access and what privileges they have, they would be able to access any resource, because they'd have the ability to change access controls at will. If only the administrators controlled access to resources, it would be a major job duty (as well as a bureaucratic bottleneck for users) that would take time away from other administrative activities.

    Rate this question:

  • 20. 

    You work as the security administrator at Certkiller .com. Certkiller has a RBAC (Role Based Access Control) compliant system for which you are planning the security implementation. There are three types of resources including files, printers, and mailboxes and four distinct departments with distinct functions including Sales, Marketing, Management, and Production in the system. Each department needs access to different resources. Each user has a workstation. Which roles should you create to support the RBAC (Role Based Access Control) model?

    • File, printer, and mailbox roles

    • Sales, marketing, management, and production roles

    • User and workstation roles

    • Allow access and deny access roles

    Correct Answer
    A. Sales, marketing, management, and production roles
    Explanation
    Each distinct department (sales, marketing, management, and production) has their own role in the company, which probably includes using the: filer server, print server, and mail server. So it would be wise to create roles for each department.

    Rate this question:

  • 21. 

    Microsoft supports the _______________ and ______standards for use in extranet.

    • CORBA

    • IPSec

    • PPTP

    • DCOM

    • Both A & D

    Correct Answer(s)
    A. IPSec
    A. PPTP
    Explanation
    Netscape, Oracle, and Sun Microsystems have announced an alliance to ensure that their extranet products can work together by standardizing on JavaScript and the Common Object Request Broker Architecture (CORBA). Microsoft supports the Point-to-Point Tunneling Protocol (PPTP) and IPSec.

    CORBA and DCOM are programming technologies.

    Rate this question:

  • 22. 

    A company creates its own application that accesses the company databases and requires a unique login, based on the user’s domain account. The developer has an undocumented login for testing that does not need to be authenticated against the domain. Which of the following is a security issue regarding this scenario?

    • The login should be the same as the domain account for authentication purposes

    • The application should not be deployed if it is not fully tested

    • It is not considered best practice to have a user remember multiple logins

    • It can be used as a backdoor into the company’s databases

    Correct Answer
    A. It can be used as a backdoor into the company’s databases
    Explanation
    The presence of an undocumented login that does not require authentication against the domain poses a security issue because it can be used as a backdoor into the company's databases. This means that unauthorized individuals could potentially gain access to sensitive information or manipulate the data without proper authentication or authorization.

    Rate this question:

  • 23. 

    Which of the following access control methods allows access control decisions to be based on security labels associated with each data item and each user?

    • MACs (Mandatory Access Control)

    • RBACs (Role Based Access Control)

    • LBACs (List Based Access Control)

    • DACs (Discretionary Access Control)

    Correct Answer
    A. MACs (Mandatory Access Control)
    Explanation
    The MAC model is a static model that uses a predefined set of access privileges to files on the system. The system administrator establishes these parameters and associates them with an account, files or resources. The MAC model can be very restrictive.

    Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 11

    Rate this question:

  • 24. 

    Determine the access control model where users are assigned access rights based on their function within the organization?

    • This is a feature of Discretionary Access Control (DAC).

    • This is a feature of Rule Based Access Control (RBAC).

    • This is a feature of Role Based Access Control (RBAC).

    • This is a feature of Mandatory Access Control (MAC).

    Correct Answer
    A. This is a feature of Role Based Access Control (RBAC).
    Explanation
    In a Role Based Access Control (RBAC) model, users are assigned access rights based on their function within the organization. This means that users are granted permissions based on their specific roles or job functions, rather than individual identities. RBAC allows for more efficient and streamlined access management, as it simplifies the process of assigning and revoking permissions by linking them to predefined roles.

    Rate this question:

  • 25. 

    Which of the following is the most costly method of an authentication?

    • Passwords

    • Tokens

    • Biometrics

    • Shared secrets

    Correct Answer
    A. Biometrics
    Explanation
    Biometrics These technologies are becoming more reliable, and they will become widely used over the next few years. Many companies use smart cards as their primary method of access control. Implementations have been limited in many applications because of the high cost associated with these technologies. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 265

    Rate this question:

  • 26. 

    Identify the method that should be used to ensure that the user is able to authenticate to the server and the server to the user?

    • You should make use of the Mutual authentication method.

    • You should make use of the Biometric authentication method.

    • You should make use of the Username/password authentication method.

    • You should make use of the Multifactor authentication method.

    Correct Answer
    A. You should make use of the Mutual authentication method.
    Explanation
    Mutual authentication is the method that should be used to ensure that both the user and the server can authenticate each other. This method requires both parties to present valid credentials to verify their identities. By using mutual authentication, the server can confirm that the user is who they claim to be, and the user can also verify the authenticity of the server. This helps to establish a secure and trusted connection between the user and the server.

    Rate this question:

  • 27. 

    Identify the access decisions based on a Mandatory Access Control (MAC) environment?

    • Sensitivity labels are based on a Mandatory Access Control (MAC) environment.

    • Access control lists are based on a Mandatory Access Control (MAC) environment.

    • Group membership is based on a Mandatory Access Control (MAC) environment.

    • Ownership is based on a Mandatory Access Control (MAC) environment.

    Correct Answer
    A. Sensitivity labels are based on a Mandatory Access Control (MAC) environment.
    Explanation
    Sensitivity labels are used in a Mandatory Access Control (MAC) environment to determine the level of sensitivity or classification of data. These labels are assigned to resources and users, and access decisions are made based on these labels. In a MAC environment, the access to resources is strictly controlled and determined by the sensitivity labels assigned to them. Access control lists, group membership, and ownership are not specific to MAC environments and can be used in other access control models as well.

    Rate this question:

  • 28. 

    How many ports in TCP/IP (Transmission Control Protocol/Internet Protocol) are vulnerable to being scanned, exploited, or attached?

    • 1,024

    • 32

    • 16,777,216

    • 65,535

    Correct Answer
    A. 65,535
    Explanation
    The correct answer is 65,535. TCP/IP has 65,535 ports, and each port is associated with a specific service or application. Some of these ports are commonly used and well-known, while others are used for more specialized purposes. Attackers can scan, exploit, or attack these ports to gain unauthorized access or disrupt the functioning of a system or network. Therefore, all 65,535 ports in TCP/IP are potentially vulnerable to such activities.

    Rate this question:

  • 29. 

    Enforcing minimum privileges for general system users can be easily achieved through the use of:

    • IPSEC

    • TSTEC

    • PRVMIN

    • RBAC

    Correct Answer
    A. RBAC
    Explanation
    Explanation: Ensuring least privilege requires identifying what the user's job is, determining the minimum set of privileges required to perform that job, and restricting the user to a domain with those privileges and nothing more. By denying to subjects transactions that are not necessary for the performance of their duties, those denied privileges couldn't be used to circumvent the organizational security policy. Although the concept of least privilege currently exists within the context of the TCSEC, requirements restrict those privileges of the system administrator. Through the use of RBAC (role based access control), enforced minimum privileges for general system users can be easily achieved.

    Rate this question:

  • 30. 

    From a security perspective a performance baseline is MOST useful for:

    • Detecting performance anomalies that may be due to security breaches

    • Assuring that systems are working to their optimal capacity

    • Knowing when security scans are going to finish

    • Predicting the end of useful life for the firewall

    • All of the Above

    Correct Answer
    A. Detecting performance anomalies that may be due to security breaches
    Explanation
    A performance baseline is a benchmark or standard that represents normal or optimal performance for a system. By establishing a baseline, any deviations from this normal performance can be identified and investigated. In the context of security, performance anomalies could indicate potential security breaches or attacks. Therefore, a performance baseline is most useful for detecting performance anomalies that may be due to security breaches. This allows organizations to identify and respond to potential security incidents in a timely manner.

    Rate this question:

  • 31. 

    Which of the following best describes an access control mechanism that allows the data owner to create and administer access control?

    • DACs (Discretionary Access Control)

    • LBACs (List Based Access Control)

    • RBACs (Role Based Access Control)

    • MACs (Mandatory Access Control)

    Correct Answer
    A. DACs (Discretionary Access Control)
    Explanation
    The DAC model allows the owner of a resource to establish privileges to the information they own. The DAC model would allow a user to share a file or use a file that someone else has shared. The DAC model establishes an ACL that identifies the users who have authorization to that information. This allows the owner to grant or revoke access to individuals or groups of individuals based on the situation. This model is dynamic in nature and allows information to be shared easily between users.

    Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 12

    Rate this question:

  • 32. 

    Which of the following is a characteristic of MAC (Mandatory Access Control)?

    • Use levels of security to classify users and data

    • Allow owners of documents to determine who has access to specific documents

    • Use access control lists which specify a list of authorized users

    • Use access control lists which specify a list of unauthorized users

    Correct Answer
    A. Use levels of security to classify users and data
    Explanation
    Mandatory Access Control is a strict hierarchical model, first developed by governments and it is based on classifying data on importance and categorizing data by department. Users receive specific security clearances to access this data. For instance, the most important piece of data would have the highest classification, where only the President would of that department would have access; while the least important resources would be classified at the bottom where everyone in the organization including the janitors could access it.

    Rate this question:

  • 33. 

    What model assigns sensitivity labels to users and their data?

    • You should identify the Discretionary Access Control (DAC) access control model.

    • You should identify the Role Based Access Control (RBAC) access control model.

    • You should identify the Mandatory Access Control (MAC) access control model.

    • You should identify the Rule Based Access Control (RBAC) access control model.

    • None of the Above

    Correct Answer
    A. You should identify the Mandatory Access Control (MAC) access control model.
    Explanation
    The correct answer is the Mandatory Access Control (MAC) access control model. This model assigns sensitivity labels to users and their data, allowing access to be determined by the security levels assigned to both the user and the data. Unlike the Discretionary Access Control (DAC) model, where access is controlled by the owner of the resource, MAC enforces access based on predefined rules and policies set by the system administrator. Similarly, the Role Based Access Control (RBAC) and Rule Based Access Control (RBAC) models do not specifically assign sensitivity labels to users and their data.

    Rate this question:

  • 34. 

    What is based upon an authentication server that allocates tickets to users?

    • You should make use of the Kerberos authentication method.

    • You should make use of the Challenge Handshake Authentication Protocol (CHAP) authentication method.

    • You should make use of the Username/password authentication method

    • You should make use of the Multifactor authentication method.

    Correct Answer
    A. You should make use of the Kerberos authentication method.
    Explanation
    The correct answer is to make use of the Kerberos authentication method. Kerberos is a network authentication protocol that relies on a trusted third-party authentication server. This server allocates tickets to users, which they can then use to access various services and resources on the network. The tickets are encrypted and provide a secure way to authenticate users without revealing their passwords to individual services. This method is widely used in enterprise environments to ensure secure authentication and authorization.

    Rate this question:

  • 35. 

    Which of the following ports does a DNS (Domain Name Service) server require?

    • 21

    • 23

    • 53

    • 55

    Correct Answer
    A. 53
    Explanation
    A DNS (Domain Name Service) server requires port 53. The DNS server uses this port to receive and respond to DNS queries from clients. Port 53 is specifically assigned for DNS communication, allowing the server to listen for incoming requests and provide the corresponding IP addresses for domain names.

    Rate this question:

  • 36. 

    Identify the access control model that makes use of security labels connected to the objects?

    • . You should make use of the Role Based Access Control (RBAC) model.

    • You should make use of the Mandatory Access Control (MAC) model.

    • You should make use of the Rule Based Access Control (RBAC) model.

    • You should make use of the Discretionary Access Control (DAC) model.

    Correct Answer
    A. You should make use of the Mandatory Access Control (MAC) model.
    Explanation
    The correct answer is the Mandatory Access Control (MAC) model. This model uses security labels connected to the objects to determine access control. In MAC, access decisions are based on the sensitivity level of the object and the clearance level of the user. Users are only granted access to objects with matching or lower sensitivity levels. This model is commonly used in high-security environments where strict access control is necessary.

    Rate this question:

  • 37. 

    What type of attacks occurs when a rogue application has been planted on an unsuspecting user's workstation?

    • Social Engineering attacks

    • Logical attacks

    • Physical attacks

    • Trojan Horse attacks

    • None of the Above

    Correct Answer
    A. Trojan Horse attacks
    Explanation
    Trojan Horse attacks - This attack involves a rogue, Trojan horse application that has been planted on an unsuspecting user's workstation. The Trojan horse waits until the user submits a valid PIN from a trusted application, thus enabling usage of the private key, and then asks the smartcard to digitally sign some rogue data. The operation completes but the user never knows that their private key was just used against their will.

    Physical attacks involve physical access to hardware such as a network cable or keyboard. Social engineering attacks are based on taking advantage of human interaction rather than technology itself. (Frequently, social engineering attacks don't even require access to a computer.) There is no such thing as a "logical" attack, although many attacks do involve the use of logic to figure out how an application works and where its security vulnerabilities may be.

    Rate this question:

  • 38. 

    Which of the following attacks could be the most successful when the security technology is properly implemented and configured?

    • Logical attacks

    • Physical attacks

    • Trojan Horse attacks

    • Social Engineering attacks

    • None of the Above

    Correct Answer
    A. Social Engineering attacks
    Explanation
    Social Engineering attacks: in computer security systems, this type of attack is usually the most successful, especially when the security technology is properly implemented and configured. Usually, these attacks rely on the faults in human beings. An example of a social engineering attack has a hacker impersonating a network service technician. The serviceman approaches a low-level employee and requests their password for network servicing purposes. When using smartcards instead of passwords, this type of attack is a bit more difficult. Most people would not trust an impersonator wishing to have their smartcard and PIN for service purposes.

    Logical, physical and Trojan horse attacks are often much less successful when security is properly implemented on a network.

    Rate this question:

  • 39. 

    What is a protocol used for carrying authentication, authorization, and configuration information between a Network Access Server and a shared Authentication Server?

    • RADIUS

    • PPTP

    • L2TP

    • IPSec

    • None of the Above

    Correct Answer
    A. RADIUS
    Explanation
    RADIUS is a protocol for carrying authentication, authorization, and configuration information between a Network Access Server, which desires to authenticate its links and a shared Authentication Server. RADIUS uses a centralized database for simplified management. RADIUS is a standard published in RFC2138 as mentioned above.

    The other protocols listed are network communication protocols, not authentication protocols responsible for carrying traffic between a NAS and an Authentication Server.

    Rate this question:

  • 40. 

    What technology involves the use of electronic wallet?

    • TLS

    • SSH

    • SHTTP

    • SET

    • All of the Above

    Correct Answer
    A. SET
    Explanation
    SET (Secure Electronic Transaction) is a system for ensuring the security of financial transactions on the Internet. It was supported initially by MasterCard, Visa, Microsoft, Netscape, and others. With SET, a user is given an electronic wallet (digital certificate) and a transaction is conducted and verified using a combination of digital certificates and digital signatures among the purchaser, a merchant, and the purchaser's bank in a way that ensures privacy and confidentiality. SET makes use of Netscape's Secure Sockets Layer (SSL (Secure Sockets Layer)), Microsoft's Secure Transaction Technology (STT), and Terisa System's Secure Hypertext Transfer Protocol (S-HTTP). SET uses some but not all aspects of a public key infrastructure (public key infrastructure).

    TLS, SSL and SHTTP could all be used for this, but SET is specific to the financial services industry.

    Rate this question:

  • 41. 

    Which of the following access control methods relies on user security clearance and data classification?

    • RBAC (Role Based Access Control).

    • NDAC (Non-Discretionary Access Control).

    • MAC (Mandatory Access Control).

    • DAC (Discretionary Access Control).

    Correct Answer
    A. MAC (Mandatory Access Control).
    Explanation
    Mandatory Access Control is a strict hierarchical model, first developed by governments and it is based on classifying data on importance and categorizing data by department. Users receive specific security clearances to access this data. For instance, the most important piece of data would have the highest classification, where only the President would of that department would have access; while the least important resources would be classified at the bottom where everyone in the organization including the janitors could access it.

    Rate this question:

  • 42. 

    Which of the following best describes a challenge-response session?

    • A workstation or system that generates a random challenge string that the user enters when prompted along with the proper PIN (Personal Identification Number).

    • A workstation or system that generates a random login ID that the user enters when prompted along with the proper PIN (Personal Identification Number).

    • A special hardware device that is used to generate random text in a cryptography system.

    • The authentication mechanism in the workstation or system does not determine if the owner should be authenticated.

    Correct Answer
    A. A workstation or system that generates a random challenge string that the user enters when prompted along with the proper PIN (Personal Identification Number).
    Explanation
    A common authentication technique whereby an individual is prompted (the challenge) to provide some private information (the response). Most security systems that rely on smart cards are based on challenge-response. A user is given a code (the challenge) which he or she enters into the smart card. The smart card then displays a new code (the response) that the user can present to log in. Reference: http://www.webopedia.com/TERM/C/challenge_response.html

    Rate this question:

  • 43. 

    Which of the following provides the strongest form of authentication?

    • One time password

    • Biometrics

    • Username and password

    • Token

    Correct Answer
    A. Biometrics
    Explanation
    Biometrics is the use of authenticating a user by scanning on of their unique physiological body parts. Just like in the movies, a user places their hand on a finger print scanner or they put their eyes against a retinal scanner. If the image matches what's on the database, it authenticates the user. Since a persons fingerprint, blood vessel print, or retinal image is unique the only way the system can authenticate is if the proper user is there. The only way an unauthorized user to get access is to physically kidnap the authorized user and force them through the system. For this reason, biometrics are the strongest (and the costliest) for of authentication.

    Rate this question:

  • 44. 

    Why would reusing a ticket as a replay attack in Kerberos not be successful?

    • The tickets are digitally signed.

    • The tickets are used a token.

    • The tickets are encrypted.

    • The tickets are time stamped.

    Correct Answer
    A. The tickets are time stamped.
    Explanation
    Reusing a ticket as a replay attack in Kerberos would not be successful because the tickets are time stamped. This means that each ticket has a specific timestamp indicating when it was issued. When a ticket is presented, the Kerberos server checks the timestamp to ensure that it is within an acceptable time range. If the ticket is expired or outside the valid time range, it is considered invalid and the replay attack would fail.

    Rate this question:

  • 45. 

    Which authentication will provide a username, a password and undergo a thumb print scan to access a workstation?

    • The Biometric authentication best illustrates this scenario.

    • The Kerberos authentication best illustrates this scenario.

    • The Mutual authentication best illustrates this scenario.

    • The Multifactor authentication best illustrates this scenario.

    Correct Answer
    A. The Multifactor authentication best illustrates this scenario.
    Explanation
    Multifactor authentication requires the user to provide multiple forms of identification, such as a username, password, and a thumbprint scan. This ensures a higher level of security for accessing a workstation as it combines different factors to verify the user's identity. Biometric authentication only includes the thumbprint scan and does not require a username and password. Kerberos authentication is a network authentication protocol and does not involve a thumbprint scan. Mutual authentication is a process where both the client and the server verify each other's identities and does not necessarily involve a thumbprint scan. Therefore, the Multifactor authentication is the most appropriate choice for this scenario.

    Rate this question:

  • 46. 

    Which of the following terms represents a MAC (Mandatory Access Control) model?

    • Lattice

    • Bell La-Padula

    • BIBA

    • Clark and Wilson

    Correct Answer
    A. Lattice
    Explanation
    The word lattice is used to describe the upper and lower level bounds of a user' access permission.

    Rate this question:

  • 47. 

    Which access controls are based on security labels assigned to every data item and every user?

    • You should identify Mandatory Access Control (MAC).

    • You should identify Role Based Access Control (RBAC).

    • You should identify Discretionary Access Control (DAC).

    • You should identify List Based Access Control (LBAC).

    Correct Answer
    A. You should identify Mandatory Access Control (MAC).
    Explanation
    Mandatory Access Control (MAC) is a type of access control that is based on security labels assigned to every data item and every user. This means that access to resources is determined by the security labels rather than the user's discretion or role. MAC ensures that access is granted or denied based on predefined rules and policies, which are typically set by system administrators or security officers. This helps to enforce strict control over the flow of information and prevents unauthorized access or data leakage.

    Rate this question:

  • 48. 

    When an attacker captures part of a communication and later sends the communication segment to the server whilst pretending to be the user it is known as a:

    • It is known as the TCP/IP hijacking attack.

    • It is known as the Man in the middle attack.

    • It is known as the Replay attack.

    • It is known as the Back door attack

    Correct Answer
    A. It is known as the Replay attack.
    Explanation
    When an attacker captures part of a communication and later sends the communication segment to the server pretending to be the user, it is known as a replay attack. In a replay attack, the attacker intercepts and records a legitimate communication, and then replays it at a later time to deceive the server into thinking it is a genuine request from the user. This type of attack can be used to gain unauthorized access or perform malicious actions on the server.

    Rate this question:

  • 49. 

    All of the following are correct about LDAP EXCEPT:

    • Most of the implementations use the x.500 directory model

    • Some of the implementations use default TCP ports 389 and 636

    • Some implementations use x.509 certificates for securing communications

    • All attributes will be encrypted

    Correct Answer
    A. All attributes will be encrypted
    Explanation
    The correct answer is "all attributes will be encrypted." While LDAP can support encryption, it does not guarantee that all attributes will be encrypted by default. Encryption of attributes is an optional feature that can be implemented depending on the specific LDAP implementation and configuration.

    Rate this question:

Quiz Review Timeline (Updated): Dec 5, 2023 +

Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.

  • Current Version
  • Dec 05, 2023
    Quiz Edited by
    ProProfs Editorial Team
  • Apr 27, 2013
    Quiz Created by
    Pinguisweb

Recent Quizzes

Security Plus Questions: Comptia Quiz! Security Plus Questions: Comptia Quiz!
CompTIA Security+ SY0-501 Practice Test 02 CompTIA Security+ SY0-501 Practice Test 02
CompTIA Security+ SY0-501 Practice Test 01 CompTIA Security+ SY0-501 Practice Test 01
Quiz on CompTIA Security+ Certification! Trivia Questions Quiz on CompTIA Security+ Certification! Trivia Questions
Comptia Security+ Practice Exam Comptia Security+ Practice Exam
CompTIA Security+ (SY0-301) Practice Exam CompTIA Security+ (SY0-301) Practice Exam
Advertisement
×

Wait!
Here's an interesting quiz for you.

We have other quizzes matching your interest.