CompTIA Security+ Practice Exam

A honeypot is a technology that would be used to implement a system that simulates a network of vulnerable devices. A honeypot is a decoy system that is intentionally designed to attract attackers. It appears to be a legitimate target, but in reality, it is isolated and closely monitored. By deploying a honeypot, organizations can gather information about attackers' tactics, techniques, and potential vulnerabilities in their systems. This information can then be used to enhance security measures and protect the actual network from real attacks.

Biometrics devices use physical characteristics to identify the user.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 18

With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, teller, manager). The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization.

Most access control systems are rule-based -- that is, they use a preset list of rules when deciding whether or not a user should have access to a resource; this is not specific to access control systems based on user role. Most networks use server-based access control to control access to network resources, however, local resources are typically under the control of the local machine. Neither is particularly unique to role-based access control. Some networks may use token-based access control, but that is not a requirement for role-based access control, either.

Authentication is accomplished through something you know, something you have and/or something you are. The canonical example of something you know is a password or pass phrase. You might type or speak the value. A number of schemes are possible for obtaining what you know. It might be assigned to you, or you may have picked the value yourself. Constraints may exist regarding the form the value can take, or the alphabet from which you are allowed to construct the value might be limited to letters only. If you forget the value, you may not be able to authenticate yourself to the system.

Something you have, would be a physical item you possess, such as a smartcard. Something you are, would be a personal characteristic of you, not a piece of information you know.

Authentication is accomplished through something you know, something you have and/or something you are. One form of authentication requires possession of something ("something you have") such as a key, a smart card, a disk, or some other device. Whatever form it takes, the authenticating item should be difficult to duplicate and may require synchronization with systems other than the one to which you are requesting access. Highly secure environments may require you to satisfy multiple authentication criteria to guarantee authenticity.

Something you know, would be a piece of data known only to you, such as a password. Something you are, would be a physical characteristic of you, like your fingerprint.

Each distinct department (sales, marketing, management, and production) has their own role in the company, which probably includes using the: filer server, print server, and mail server. So it would be wise to create roles for each department.

Trojan Horse attacks - This attack involves a rogue, Trojan horse application that has been planted on an unsuspecting user's workstation. The Trojan horse waits until the user submits a valid PIN from a trusted application, thus enabling usage of the private key, and then asks the smartcard to digitally sign some rogue data. The operation completes but the user never knows that their private key was just used against their will.

Physical attacks involve physical access to hardware such as a network cable or keyboard. Social engineering attacks are based on taking advantage of human interaction rather than technology itself. (Frequently, social engineering attacks don't even require access to a computer.) There is no such thing as a "logical" attack, although many attacks do involve the use of logic to figure out how an application works and where its security vulnerabilities may be.

The correct answer is "Both logon successes and logon failures" because by logging both logon successes and failures, the administrator can have a comprehensive view of all the login activities on the network. This will help in identifying any unauthorized access attempts or potential security breaches. Logging only logon failures for non-existent users or only logon successes or failures would provide incomplete information and may lead to overlooking important security incidents.

Netscape, Oracle, and Sun Microsystems have announced an alliance to ensure that their extranet products can work together by standardizing on JavaScript and the Common Object Request Broker Architecture (CORBA). Microsoft supports the Point-to-Point Tunneling Protocol (PPTP) and IPSec.

CORBA and DCOM are programming technologies.

There is no such thing as a SAC (Subjective Access Control) list.

Social Engineering attacks: in computer security systems, this type of attack is usually the most successful, especially when the security technology is properly implemented and configured. Usually, these attacks rely on the faults in human beings. An example of a social engineering attack has a hacker impersonating a network service technician. The serviceman approaches a low-level employee and requests their password for network servicing purposes. When using smartcards instead of passwords, this type of attack is a bit more difficult. Most people would not trust an impersonator wishing to have their smartcard and PIN for service purposes.

Logical, physical and Trojan horse attacks are often much less successful when security is properly implemented on a network.

not-available-via-ai

Biometrics These technologies are becoming more reliable, and they will become widely used over the next few years. Many companies use smart cards as their primary method of access control. Implementations have been limited in many applications because of the high cost associated with these technologies. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 265

The RBAC model allows a user to act in a certain predetermined manner based on the role the user holds in the organization. Users can be assigned certain roles system wide.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 12

A one time password is simply a password that has to be changed every time you log on; effectively making any intercepted password good for only the brief interval of time before the legitimate user happens to login themselves. So by chance, if someone were to intercept a password it would probably already be expired, or be on the verge of expiration within a matter of hours.

RADIUS (Remote Authentication Dial-In User Service) lowers administration costs and increases security by having a centralized database for authenticating remote users. PAP is the simplest of authentication protocols, which uses clear text.

A performance baseline is most useful for detecting performance anomalies that may be due to security breaches. By establishing a baseline of normal performance, any deviations from this baseline can indicate potential security breaches or unauthorized activities. This allows for timely detection and response to security incidents. Assuring optimal system capacity, knowing when security scans will finish, and predicting the end of useful life for the firewall are not directly related to the security perspective of a performance baseline.

The actual verification of a client's identity is done by validating an authenticator. The authenticator contains the client's identity and a timestamp. To insure that the authenticator is up-to-date and is not an old one that has been captured by an attacker, the timestamp in the authenticator is checked against the current time. If the timestamp is not close enough to the current time (typically within five minutes) then the authenticator is rejected as invalid. Thus, Kerberos requires your system clocks to be loosely synchronized (the default is 5 minutes, but it can be adjusted in Version 5 to be whatever you want).

Reference: http://www.faqs.org/faqs/kerberos-faq/general/section-22.html

Discretionary access controls can extend beyond limiting which subjects can gain what type of access to which objects. Administrators can limit access to certain times of day or days of the week. Typically, the period during which access would be permitted is 9 a.m. to 5 p.m. Monday through Friday. Such a limitation is designed to ensure that access takes place only when supervisory personnel are present, to discourage unauthorized use of data. Further, subjects' rights to access might be suspended when they are on vacation or leave of absence. When subjects leave an organization altogether, their rights must be terminated rather than merely suspended. Under this type of control, the owner determines who has access and what privilege they have.

If the end users of resources had control of who had access and what privileges they have, they would be able to access any resource, because they'd have the ability to change access controls at will. If only the administrators controlled access to resources, it would be a major job duty (as well as a bureaucratic bottleneck for users) that would take time away from other administrative activities.

Explanation: Ensuring least privilege requires identifying what the user's job is, determining the minimum set of privileges required to perform that job, and restricting the user to a domain with those privileges and nothing more. By denying to subjects transactions that are not necessary for the performance of their duties, those denied privileges couldn't be used to circumvent the organizational security policy. Although the concept of least privilege currently exists within the context of the TCSEC, requirements restrict those privileges of the system administrator. Through the use of RBAC (role based access control), enforced minimum privileges for general system users can be easily achieved.

Passwords should be easy to memorize, because that minimizes the chance that users will write the password down somewhere that others could see it.

Passwords should not be the same as the user ID, because that is one of the common passwords that common "password cracker" programs try, when attempting to discover passwords for accounts. Passwords must be changed at least once every 60 days (depending on your environment). Password aging or expiration must be enforced on all systems. Upon password expiration, if the password is not changed, only three grace logins must be allowed then the account must be disable until reset by an administrator or the help desk. Password reuse is not allowed (rotating passwords).

Single sign-on is a process where users can access numerous resources without needing multiple credentials. This means that once a user is authenticated into one system or application, they can automatically access other systems or applications without having to provide their credentials again. This simplifies the authentication process for users and improves user experience by eliminating the need to remember and enter multiple usernames and passwords.

Rule based access control is based on a specific profile for each user. Information can be easily changed for only one user but this scheme may become a burden in a very large environment. A rule-based access control unit will intercept every request to the server and compare the source specific access conditions with the rights of the user in order to make an access decision. A good example could be a firewall. Here a set of rules defined by the network administrator is recorded in a file. Every time a connection is attempted (incoming or outgoing), the firewall software checks the rules file to see if the connection is allowed. If it is not, the firewall closes the connection.

Lattice-based access control is associated with Mandatory Access Control (MAC). Directory based and ID based access controls are not relevant.

The ActiveX code is bundled into a single file called an ActiveX control. ActiveX controls can be digitally signed using Microsoft's Authenticode technology. Internet Explorer can be configured to disregard any ActiveX control that isn't signed, to run only ActiveX controls that have been signed by specific publishers, or to accept ActiveX controls signed by any registered software publisher. ActiveX controls do not run in a sandbox. The burden is on the user to determine which ActiveX controls s/he feels are "safe" to run.

Applets and CGI are alternate types of content, and a sandbox refers to a protected area of the system in which web content runs.

Access controls that are not based on the policy are characterized as discretionary controls by the U.S. government and as need-to-know controls by other organizations. The latter term connotes least privilege - those who may read an item of data are precisely those whose tasks entail the need.

Mandatory controls are based on policy. Secret controls and corrective controls are not related to access control.

RADIUS is a protocol for carrying authentication, authorization, and configuration information between a Network Access Server, which desires to authenticate its links and a shared Authentication Server. RADIUS uses a centralized database for simplified management. RADIUS is a standard published in RFC2138 as mentioned above.

The other protocols listed are network communication protocols, not authentication protocols responsible for carrying traffic between a NAS and an Authentication Server.

All logs collected are used in the active and passive monitoring process. All logs are kept on archive for a period of time, called a retention period. This period of time will be determined by your company policies. This allows the use of logs for regular audits, and annual audits if retention is longer then a year. Logs must be secured to prevent modification, deletion, and destruction.

Administrator preference is often used to determine certain things like how long logs are retained ... but since these decisions can affect the ability of the company to go back and research potential security issues, it is a corporate issue that should be governed by a deliberate policy statement.

MTTF and MTTR are not relevant to setting the time for which logs will be retained. MTTF (Mean Time To Failure, sometimes called MTBF, Mean Time Before Failure) is related to the average amount of time a piece of equipment will be in service before it fails. MTTR (Mean Time To Repair) is a measure of how long it will take to repair the equipment when it fails.

In a DAC model, network users have some flexibility regarding how information is accessed. This model allows users to dynamically share information with other users. The process allows a more flexible environment, but it increases the risk of unauthorized disclosure of information. Administrators will have a more difficult time ensuring that information access is controlled and that only appropriate access is given.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 440

The correct answer is that you should make use of the Mandatory Access Control (MAC) model. This model uses security labels connected to objects to determine access control. In MAC, access decisions are based on the sensitivity of the information being accessed and the security clearances of the subjects. This model is often used in environments where strict control over information flow is required, such as military or government organizations.

A DNS (Domain Name Service) server requires port 53. DNS servers are responsible for translating domain names into IP addresses, allowing users to access websites and other resources using human-readable names. Port 53 is specifically designated for DNS traffic, and it is used for both incoming and outgoing DNS queries and responses. By using this port, DNS servers can efficiently communicate with other DNS servers and clients to provide accurate and timely domain name resolution services.

Sensitivity labels are used in a Mandatory Access Control (MAC) environment to determine the level of sensitivity or classification of data. These labels are assigned to resources such as files, folders, or documents, and are used to control access based on the security clearance or level of authorization of users. By applying sensitivity labels, access decisions can be enforced in a MAC environment to ensure that only users with the appropriate clearance can access certain resources.

The undocumented login for testing that does not need to be authenticated against the domain can be considered a security issue because it creates a potential backdoor into the company's databases. This means that someone who knows about this login could potentially gain unauthorized access to sensitive information and manipulate the company's data without going through the proper authentication process. This loophole in the application's security measures poses a significant risk to the company's data integrity and confidentiality.

The Role Based Access Control (RBAC) access control model would be most suitable in this scenario. RBAC allows access to be based on the roles or responsibilities of users within an organization. In this case, the finance department only needs access to staff data, and the marketing department only needs access to production data. RBAC can easily assign specific roles to each department, ensuring that they only have access to the data that is relevant to their responsibilities. This model provides a more organized and efficient way to manage access control within the Certkiller.com network.

File and print servers typically contain sensitive data that should not be accessible to the public. Placing them on a private network ensures that only authorized users can access and manage the files and printers. Remote Access Server (RAS), E-mail server, and Web server, on the other hand, are often required to be accessible from the public network in order to provide remote access, email services, and web hosting respectively.

In a replay attack, an attacker captures a communication segment and later resends it to the server, pretending to be the original user. This allows the attacker to gain unauthorized access or perform malicious actions. TCP/IP hijacking attack refers to the manipulation of TCP/IP packets to gain unauthorized access. Man in the middle attack involves intercepting and altering communication between two parties. Back door attack refers to unauthorized access through a hidden entry point. Therefore, the correct term for this scenario is a replay attack.

In Role Based Access Control (RBAC), users are assigned access rights based on their function within the organization. This means that users are given permissions based on their roles or job functions, rather than their individual identities. RBAC allows for more efficient and scalable access control management, as it simplifies the process of granting and revoking access rights by associating them with predefined roles. This model ensures that users have the necessary access to perform their job duties, while also maintaining security by limiting access to sensitive information.

MAC is the acronym for Mandatory Access Control. It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system decisions are based on privilege (clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.

In MAC, subjects (such as users) are each assigned a clearance (such as "secret" or "top secret"). Objects (containers for information, such as files) are assigned a sensitivity (classification, similar to clearance). When determining whether or not to grant a subject access to an object, the requesting subject's clearance is compared with the sensitivity of the object, and if the clearance is at or higher than the object's sensitivity level, access is granted. Therefore, a clearance functions as a privilege.

Least privilege is a principle in information security that states that users should only have the minimum level of access necessary to perform their job tasks. This means that access to information should be granted based on what is needed to complete the task at hand, rather than factors such as management urgency, tenure at the company, or whether the information may be revealed to the public. Therefore, the correct answer is "needed to complete the task."

The Owner is allowed to: Read, Write, & Execute User A is allowed to: Read, Write, & - Sales is allowed to: Read, -, - Marketing is allowed to: -, Write, - Others are allowed to: Red, Write, - And User B is allowed to do nothing! -,-,-(None)

Mandatory Access Control (MAC) is an access control mechanism that uses security labels assigned to both data items and users to determine access permissions. MAC enforces access policies based on the security levels assigned to data and the security clearances of users. This ensures that only authorized users with appropriate clearances can access data with matching security labels. Role Based Access Control (RBAC) is a different access control mechanism that is based on assigning roles to users and granting permissions based on those roles. Discretionary Access Control (DAC) is another access control mechanism that allows data owners to determine access permissions. List Based Access Control (LBAC) is not a commonly used access control mechanism.

MAC is the acronym for Mandatory Access Control. It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system decisions are based on privilege (clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.

Under MAC, you define who is allowed to access objects, and if you haven't defined an access right, access is not permitted. So, it is not the case that All that is expressly permitted is forbidden, or that All that is not expressly permitted is not forbidden

Network counters and access denied errors should be reviewed because they can provide valuable information about a possible attack. Network counters can help identify abnormal network traffic patterns or spikes in data transfer, which could indicate a malicious activity. Access denied errors can indicate unauthorized attempts to access sensitive information or resources, suggesting a potential intrusion or attack. By monitoring these elements, network administrators can quickly detect and respond to potential security threats.

Multifactor authentication is the correct answer because it requires multiple forms of identification to access a workstation. In this scenario, the user must provide a username, a password, and undergo a thumb print scan, which demonstrates the use of multiple factors for authentication. Biometric authentication only involves the thumb print scan and does not require a username or password. Kerberos authentication is a network authentication protocol and does not involve a thumb print scan. Mutual authentication involves both the client and the server verifying each other's identities, but does not require a thumb print scan. Therefore, multifactor authentication is the most appropriate choice in this scenario.

The correct answer is 65,535. TCP/IP has a range of 65,535 ports, and each port is a unique identifier for different services or protocols. Some ports are well-known and commonly used, while others are less known and may be vulnerable to scanning, exploitation, or attack. Therefore, all 65,535 ports are potentially vulnerable to being scanned, exploited, or attacked.

Non-essential services are often appealing to attackers because they are less likely to be closely monitored or protected, making it easier for attackers to maintain their attacks without being detected. Additionally, non-essential services are often not configured correctly or secured, providing vulnerabilities that attackers can exploit to gain unauthorized access or control.

With RBAC (role-based access control), security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Roles can be hierarchical.

Roles are not all equal. The point of RBAC is that different rules can be assigned different security privileges. Labels (such as secret, top secret, etc.) are more usually associated with MAC (Mandatory Access Control). RBAC roles are not typically determined by information flows.

A Windows file server is an example of a Discretionary Access Control (DAC) model because it allows the owner of a file or folder to control access permissions and determine who can access and modify the file or folder. The owner can grant or revoke permissions for specific users or groups, giving them discretion over access rights. This model provides flexibility and allows for granular control over access permissions based on individual user needs and requirements.

Biometrics is the use of authenticating a user by scanning on of their unique physiological body parts. Just like in the movies, a user places their hand on a finger print scanner or they put their eyes against a retinal scanner. If the image matches what's on the database, it authenticates the user. Since a persons fingerprint, blood vessel print, or retinal image is unique the only way the system can authenticate is if the proper user is there. The only way an unauthorized user to get access is to physically kidnap the authorized user and force them through the system. For this reason, biometrics are the strongest (and the costliest) for of authentication.

Reusing a ticket as a replay attack in Kerberos would not be successful because the tickets are time stamped. This means that each ticket has a specific expiration time, and once that time has passed, the ticket becomes invalid. Therefore, even if an attacker were able to obtain a valid ticket, they would not be able to reuse it after its expiration time, making the replay attack ineffective.

The correct answer is the Multifactor authentication model. This model uses multiple factors for authentication, such as a smart card and a User ID/Password, to provide a higher level of security. By requiring multiple factors, it reduces the risk of unauthorized access to network resources.