JK0-022 Online Practice Questions and Answers

Correct Answer: AF

Implicit deny is the default security stance that says if you aren't specifically granted access or privileges for a resource, you're denied access by default. Implicit deny is the default response when an explicit allow or deny isn't present.

DNS operates over TCP and UDP port 53. TCP port 53 is used for zone transfers. These are zone file exchanges between DNS servers, special manual queries, or used when a response exceeds 512 bytes. UDP port 53 is used for most typical DNS queries.

Incorrect Answers:

B: Applying the current ACL to all interfaces of the firewall, and adding a deny clause will also prevent internal users from performing the actions included in the deny clause.

C: Removing the current ACL will block web traffic coming in.

D: An implicit deny clause is implied at the end of each ACL.

E: ICMP is a network health and link-testing protocol, and is not related to the question.

References:

Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 26, 44.

Correct Answer: D

Virtualization allows a single set of hardware to host multiple virtual machines.

Incorrect Answers:

A: The IEEE standard 802.1X defines port-based security for wireless network access control.

B: Network Access Control (NAC) is as a set of standards defined by the network for clients attempting to access it.

C: This allows you to use a standby adaptive security appliance to take over the functionality of a failed unit.

References:

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 19, 95, 158.

Correct Answer: D

MOU or Memorandum of Understanding is a document outlining which party is responsible for what portion of the work.

Incorrect Answers:

A: The memorandum of understanding is a part of the interoperability agreement between the parties involved.

B: Data backup processes are part of data recovery and incidence response and are not the purpose of a memorandum of understanding.

C: Onboard and offboard procedures are not part of the MOU, it just refers to the transitioning phase that both parties have to engage in.

References:

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 398

Correct Answer: D

This is a risk acceptance measure that has to be implemented since the cost of patching would be too high compared to the cost to keep the system going as is. Risk acceptance is often the choice you must make when the cost of implementing any of the other four choices (i.e. risk deterrence, mitigation, transference or avoidance) exceeds the value of the harm that would occur if the risk came to fruition.

Incorrect Answers:

A: This is a business critical function and cannot be avoided, least of all by having the user base re-enable their own user accounts.

B: Patching the application amounts to risk mitigation methods and would be too costly.

C: Replacing the application in five years' time would still cost more than a monthly cost of having the IT department manually re-enable the user accounts each month even over 60 months.

References:

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 9-10

Correct Answer: C

After you have implemented security controls based on risk, you must perform routine audits. These audits should include reviews of user rights and permissions as well as specific events. You should pay particular attention to false positives and negatives.

Incorrect Answers:

A: User permissions are part of the routine checks that should be followed.

B: Policy enforcement usually refers to account policies and these determine the security parameters regarding who may and may not access the system. These are already in place and should be routine checked in this scenario.

D: Change management is the structured approach that is followed to secure a company's assets.

References:

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 28

Correct Answer: C

Adware is free software that is supported by advertisements. Common adware programs are toolbars, games and utilities. They are free to use, but require you to watch advertisements as long as the programs are open. Adware typically requires an active Internet connection to run.

Incorrect Answers:

A: A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send

spam email or participate in distributed denial-of-service attacks. A botnet does hide itself, but is not commonly identified by marketing popups. Therefore, this answer is incorrect.

B: A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer. A rootkit does hide itself,

but is not commonly identified by marketing popups. Therefore, this answer is incorrect.

D: A computer virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are man-made. A simple virus that can

make a copy of itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt. An even more dangerous type of virus is one

capable of transmitting itself across networks and bypassing security systems. A virus does hide itself, but is not commonly identified by marketing popups.

Therefore, this answer is incorrect.

References: http://techterms.com/definition/adware http://en.wikipedia.org/wiki/Botnet http://www.webopedia.com/TERM/V/virus.html

Correct Answer: D

MAC filtering is typically used in wireless networks. In computer networking, MAC Filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network. MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists.

In this question, a rogue access point would need to be able to connect to the network to provide access to network resources. If the MAC address of the rogue access point isn't allowed to connect to the network port, then the rogue access point will not be able to connect to the network.

Incorrect Answers:

A: There can be many sources of interference to network communications especially in wireless networks. However, limiting the MAC addresses that can connect to a network port will not prevent interference. Therefore, this answer is

incorrect.

B: In cryptography and computer security, a man-in-the-middle attack is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.

One example is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in

fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. This is straightforward in many circumstances; for example, an

attacker within reception range of an unencrypted Wi-Fi wireless access point, can insert himself as a man-in-the-middle. Limiting the MAC addresses that can connect to a network port is not used to prevent man-in-the-middle attacks.

Therefore, this answer is incorrect.

C: Address Resolution Protocol poisoning (ARP poisoning) is a form of attack in which an attacker changes the Media Access Control (MAC) address and attacks an Ethernet LAN by changing the target computer's ARP cache with a forged

ARP request and reply packets. This modifies the layer -Ethernet MAC address into the hacker's known MAC address to monitor it. Because the ARP replies are forged, the target computer unintentionally sends the frames to the hacker's

computer first instead of sending it to the original destination. As a result, both the user's data and privacy are compromised. An effective ARP poisoning attempt is undetectable to the user.

ARP poisoning is also known as ARP cache poisoning or ARP poison routing (APR). Limiting the MAC addresses that can connect to a network port is not used to prevent ARP poisoning. Therefore, this answer is incorrect.

References: http://en.wikipedia.org/wiki/MAC_filtering http://www.techopedia.com/definition/27471/address-resolution-protocol-poisoning-arp- poisoning

Correct Answer: C

A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.

Incorrect Answers:

A: A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it --this exploit is called a zero day attack. Uses of zero

day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the

vulnerability becomes known, a race begins for the developer, who must protect users. This type of attack does not attempt to write too much data to an application's memory.

Therefore, this answer is incorrect.

B: SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must

exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly

executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. This type of attack does not attempt to write too much data to an application's memory. Therefore, this answer is

incorrect.

D: Cross-Site Request Forgery--also known as XSRF, session riding, and one-click attack-- involves unauthorized commands coming from a trusted user to the website. This is often done without the user's knowledge, and it employs some

type of social networking to pull it off. For example, assume that Evan and Spencer are chatting through Facebook. Spencer sends Evan a link to what he purports is a funny video that will crack him up. Evan clicks the link, but it actually

brings up Evan's bank account information in another browser tab, takes a screenshot of it, closes the tab, and sends the information to Spencer. The reason the attack is possible is because Evan is a trusted user with his own bank. In order

for it to work, Evan would need to have recently accessed that bank's website and have a cookie that had yet to expire. The best protection against cross-site scripting is to disable the running of scripts (and browser profi les). This type of

attack does not attempt to write too much data to an application's memory.

Therefore, this answer is incorrect.

References: http://searchsecurity.techtarget.com/definition/buffer-overflow http://www.pctools.com/security-news/zero-day-vulnerability/ http://en.wikipedia.org/wiki/ SQL_injection Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 335

Correct Answer: B

Penetration testing is the most intrusive type of testing because you are actively trying to circumvent the system's security controls to gain access to the system. Penetration testing (also called pen testing) is the practice of testing a computer

system, network or Web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about

the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings. The main objective of penetration testing is to determine security weaknesses. A

pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents. Penetration tests are sometimes called white hat

attacks because in a pen test, the good guys are attempting to break in.

Pen test strategies include:

Targeted testing

Targeted testing is performed by the organization's IT team and the penetration testing team working together. It's sometimes referred to as a "lights-turned-on" approach because everyone can see the test being carried out.

External testing

This type of pen test targets a company's externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can

get in once they've gained access.

Internal testing

This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.

Blind testing

A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that's performing the test beforehand. Typically, they may only be given the name of the company.

Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive.

Double blind testing

Double blind testing takes the blind test and carries it a step further. In this type of pen test, only one or two people within the organization might be aware a test is being conducted. Double- blind tests can be useful for testing an

organization's security monitoring and incident identification as well as its response procedures.

Incorrect Answers:

A: A port scanner is a software application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the view to compromise it. A port scan or portscan can be defined as a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port. While not a nefarious process in and of itself, it is one used by hackers to probe target machine services with the aim of exploiting a known vulnerability of that service. However the majority of uses of a port scan are not attacks and are simple probes to determine services available on a remote machine. Port scanning does not actively test security controls on a system. Therefore, this answer is incorrect.

C: A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates. A vulnerability scan is considered passive in that it doesn't actually attempt to circumvent the security controls of a system to gain access (unlike a penetration test). Therefore, this answer is incorrect.

D: Gray box testing, also called gray box analysis, is a strategy for software debugging in which the tester has limited knowledge of the internal details of the program. A gray box is a device, program or system whose workings are partially understood. Gray box testing does not actively test security controls on a system. Therefore, this answer is incorrect.

References:

http://searchsoftwarequality.techtarget.com/definition/penetration-testing http://en.wikipedia.org/wiki/Port_scanner http://searchsoftwarequality.techtarget.com/definition/gray-box

Correct Answer: C

Exception handling is an aspect of secure coding. When errors occur, the system should revert back to a secure state. This must be coded into the system by the programmer, and should capture all errors and exceptions that could cause the application or its modules to crash. Restarting the application or module would ensure that the application reverts back to a secure state.

Incorrect Answers:

A: Checking whether a program is running already is not a form of error or exception handling. B, D: These are examples of input validation.

References:

Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 230,