Security+ (SY0-101) Test Questions

Answers/Explanations
1. Which of the following should be considered one of the most important features of the asymmetric key algorithm compared to the symmetric key algorithm when used in conjunction with an E-commerce site?
    The fact that the symmetric algorithm is faster than the asymmetric algorithm, and offers non-repudiation makes it a better choice for E-Commerce. 
    The fact that the symmetric algorithm is faster than the asymmetric algorithm, and offers non-repudiation makes it a better choice for E-Commerce. 
    The fact that the asymmetric algorithm is faster than the symmetric algorithm, and offers non-repudiation makes it a better choice for E-Commerce. 
    For E-commerce the slower asymmetric algorithm which offers confidentiality, authentication and non-repudiation, makes it a better choice over the symmetric algorithm. 
Answer/Explanation
  • For E-commerce the slower asymmetric algorithm which offers confidentiality, authentication and non-repudiation, makes it a better choice over the symmetric algorithm.
    Symmetric algorithm disadvantages:
    Does not implement non-repudiation.
    A secure method to transfer keys is required and may present a problem.
    The algorithm is not scalable.
    Keys must be generated often.
    They are very fast and work well with hardware implementations.
    Strengths of Asymmetric cryptography:
    Better key distribution than with symmetric systems.
    Better scalability than symmetric systems.
    Can provide confidentiality, authentication and non-repudiation.
    Asymmetric cryptography weaknesses:
    Works much slower than symmetric systems.
    2. Which of the following attacks is used to exploit an operating system’s ability to reassemble fragmented packets?
    By sending corrupt UDP packets the Bonk attack may successfully crash a machine due to its inability to assemble them. 
    The teardrop attack is commonly used to exploit an operating system’s ability to reassemble fragmented packets. 
    The Smurf attack has the ability to exploit an operating system’s ability to reassemble fragmented packets, which may lead to a system crash. 
    The Ping of Death is commonly used to exploit an operating system’s ability to reassemble fragmented packets.  
    Answer/Explanation
  • The teardrop attack is commonly used to exploit an operating system’s ability to reassemble fragmented packets.
    The Teardrop attack capitalizes on a bug within the system's reassembly process for fragmented packets.
    Specially formatted packets are sent which will eventually bring the machine down. A patch may be installed on the system to prevent such attacks.
    The Smurf attack uses the resources of a server or network to generate multiple ICMP echo response (Ping) packets.
    The Bonk attack sends corrupt UDP packets to DNS port 53, which essentially leads to a system crash.
    The Ping of Death sends multiple oversized packets to the victim, which attempts to process them, eventually leading to a system crash.
    3. Using the exhibit we can see that three servers are put in a location away from the corporate secured network. Which of the following would be the best description of this type of arrangement? Choose the best answer. (Exhibit)
    This is representative of a Bastion host security zone. 
    This is the representation of a basic DMZ.  
    This is a representation of a honeypot.  
    This is how a screened subnet should be represented.  
    Answer/Explanation
  • This is the representation of a basic DMZ.
    The DMZ is an area away from the protected corporate network where servers may be accessed by those on the internet.
    4. Which of the following statements would best describe the block cipher that was chosen by NIST (National Institute of Standards and Technology) as the replacement for DES (Data Encryption Standard)?
    The U.S. government chose to have the 64 bit DES (Data Encryption Standard) cipher replaced with triple DES for added security.  
    The IDEA (International Data Encryption Algorithm) was developed due to the weaknesses found in DES and quickly embraced as the new government encryption standard for sensitive but unclassified data.  
    The Blowfish block cipher became the alternative to the DES algorithm by the U.S. government to be used with sensitive but unclassified data. 
    The Rijndael AES (Advanced Encryption Standard) was chosen as the replacement for DES, and was later mandated as the encryption standard for all sensitive but unclassified data by the U.S. government.  
    Answer/Explanation
  • The Rijndael AES (Advanced Encryption Standard) was chosen as the replacement for DES, and was later mandated as the encryption standard for all sensitive but unclassified data by the U.S. government.

    The Rijndael AES cipher has three key strengths of 128 bits, 192 bits, and 256 bits.
    Although the original specification called for processing in 128 bit blocks, it was further enhanced by Rijndael to be capable of a block size equal to the key size.
    The number of encryption rounds is based on the key length and is seen as follows:
    The IDEA (International Data Encryption Algorithm) was developed due to the weaknesses of the 64 bit DES algorithm, but it was not embraced by the U.S. government as the new standard.
    The IDEA algorithm is also used with Phil Zimmerman’s secure email, PGP (Pretty Good Privacy).
    Blowfish is another 64 bit cipher that may be found as an alternative to DES, but here again it was not the one declared to be the replacement for DES by the U.S. government.
    5. You have enabled a corporate HTTPS server that resides in the DMZ (Demilitarized zone) firewall of your corporate network. Remote users are unable to connect to this HTTPS server. Which of the following would be the most likely problem?
    Remote users need to enable HTTPS on their web browser. 
    Port 443 is being blocked on your corporate network. 
    Port 110 is being blocked on your corporate firewall. 
    Remote users need to enable HTTPS on their web browser. 
    Answer/Explanation
  • Port 443 is being blocked on your corporate network.
    When setting up firewalls, ports are often blocked to prevent entry and departure of traffic and help reduce the risk of damage from an attack.
    Before setting up the firewall make sure you understand which ports are going to be used; then a determination can be made as to which ports may be blocked.
    Blocking port 80, which is for HTTP, does not affect HTTPS, which uses port 443.
    HTTPS is not required to be set up on the browser, since it is there by default.
    Port 110 is used by POP3 to receive email, with the username and password sent in clear text.
    6. Your uncle Joe who is located in Miami, Fla. would like to send an e-mail message to your great aunt Betsy in Paris, France. Joe has concerns, and wishes that the message is not viewable by anyone except for your aunt Betsy, thus he wishes to retain his privacy. Which of the following would be the most appropriate statements in regards to your uncle Joe’s wishes?
    Integrity of e-mail is to guarantee that the intended party receives the email from the sender in a state that has been unviewed by any other party while en-route.  
    If the email message from Joe that is meant for Betsy is not viewed by anyone else then confidentiality has been granted.  
    By Uncle Joe wishing to keep the e-mail message secret from anyone else except for aunt Betsy he wishes for authentication of the e-mail.  
    If aunt Betsy receives the e-mail and it has not been viewed by anyone except for herself then she can be assured that non-repudiation of the e-mail message has taken place.  
    Answer/Explanation
  • If the email message from Joe that is meant for Betsy is not viewed by anyone else then confidentiality has been granted.
    Confidentiality is the act of either preventing or minimizing the disclosure or access of data.
    This makes the e-mail confidential between the two known parties.
    Integrity would be to ensure that the message had not changed, or there was not a breach in the original message.
    Non-repudiation is a means to prevent someone from stating that a given transaction did not take place, and may be shown by a third party.
    7. In comparison how does the asymmetric key differ from the symmetric key algorithm?
    The asymmetric key algorithm does not offer non-repudiation, is very slow, but the use in an environment with many users makes key disbursement difficult, in comparison with symmetric key algorithms. 
    The asymmetric key algorithm does not offer non-repudiation, is very fast, but the use in an environment with many users makes key disbursement difficult, in comparison with symmetric key algorithms. 
    The symmetric key algorithm does not offer non-repudiation, is very slow, but the use in an environment with many users makes key disbursement difficult, in comparison with asymmetric key algorithms. 
    The symmetric key algorithm does not offer non-repudiation, is very fast, but the use in an environment with many users makes key disbursement difficult, in comparison with asymmetric key algorithms. 
    Answer/Explanation
  • The symmetric key algorithm does not offer non-repudiation, is very fast, but the use in an environment with many users makes key disbursement difficult, in comparison with asymmetric key algorithms.
    Typically symmetric key algorithms are hardware based, which makes them much faster than asymmetric key algorithms.
    Symmetric key algorithms do not offer non-repudiation.
    Keys must be generated and discarded every time a subject leaves the group and another one joins.
    Key distribution is difficult with symmetric key algorithms, since a secure method of key disbursement is required.
    With asymmetric key algorithms key generation is only required when a key has been compromised. If a user leaves the group the administrator invalidates that user's key.

    Asymmetric key algorithms may offer non-repudiation if a message digest is used.
    Key distribution is done with the user's public key, which is much simpler than with the symmetric key algorithm.
    The asymmetric key (public key) algorithm provides each user with two keys. The public key is shared with all users and the private key (secret key) is assigned to each individual user.
    8. Which of the following statements about security labels, and access controls would be the most accurate?
    DAC uses security labels that are assigned to objects which may be overridden if there is a ‘need to know’.  
    DAC uses ACLs for file access, and the files are labeled according to their sensitivity.  
    MAC uses ACLs to determine who may have access to objects based on their sensitivity and this is monitored by the data owner.  
    MAC uses security labels for objects, and users are assigned security clearances, such as classified, secret, or confidential.  
    Answer/Explanation
  • MAC uses security labels for objects, and users are assigned security clearances, such as classified, secret, or confidential.
    When using MAC (Mandatory access control) users are assigned clearances, and all objects are assigned security labels (sensitivity labels), which cannot be overridden by the owner of the data. The security label is used to identify the level of security of the object, i.e. top secret, secret, confidential etc.
    MAC is a strict multi-level hierarchical model that is controlled by the operating system, and not the owner of the file.
    Furthermore, the security labels also contain categories, such as levels of management. When an attempt is being made to access an object, the operating system checks the user’s security clearance and the object's classification to determine if access will be permitted or denied.
    Thus even though an individual has the appropriate security clearance, if they are not in the proper department access will be denied.
    ACLs (Access control lists) are used with DAC, and the owner determines who may or may not have permission to access a file.
    DAC (Discretionary access control) does not use security labels, nor does the operating system control data access.
    MAC (Mandatory Access Control) is much more structured, and is based on security labels and categories. Access decisions are based on the clearance level of the user and the classification of the object. Rules are made by management, configured by the administrators and enforced by the operating system. Mandatory access control is required for the Orange Book ‘B’ Level.
    9. By comparison between the Biba model and the Bell-LaPadula model, which of the following statements is true?
    The Bell-LaPadula model focuses on the Simple Integrity Axiom, and the Integrity Axiom, whereas the Biba model focuses on the Simple Security Property, and Security Property.  
    The Biba model focuses on the Simple Integrity Axiom, and the Integrity Axiom, whereas the Bell-LaPadula model focuses on the Simple Security Property, and Security Property. 
    The Biba model focuses on the Simple Integrity Axiom, and the Simple Security Property, whereas the Bell-LaPadula model focuses on the Integrity Axiom, and Security Property. 
    The Bell-LaPadula model focuses on the Integrity Axiom, and the Security Axiom, whereas the Biba model focuses on the Simple Security Property, and Security Property. 
    Answer/Explanation
  • The Biba model focuses on the Simple Integrity Axiom, and the Integrity Axiom, whereas the Bell-LaPadula model focuses on the Simple Security Property, and Security Property.
    The Biba model is a state machine model that is based on a classification lattice with mandatory access controls (MAC).
    The Bell-LaPadula model is a tiered structure, and is confined to these two basic rules:
  • The Simple Security Property, which states that a subject at a specific classification level cannot read data at a higher classification level. (No read up)
  • The Security Property, which states that a subject at a specific classification level cannot write data to a lower classification level. (No write down)
    The Biba model is confined to the corresponding two integrity rules:
  • The Simple Integrity Axiom states that a subject at a specific classification level cannot read data at a lower classification level, and is a property of the Biba model. (No read down)
  • The Integrity Axiom states that a subject at a specific classification level cannot write data to a higher classification level, and is a property of the Biba model. (No write up)
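    The following is an added example, not part of the original test questions: a small label lattice that enforces the Bell-LaPadula and Biba rules from question 9 together with the category ("need to know") check from question 8. The "unclassified" level and all sample clearances and objects are constructed for illustration.

```python
# Added example (not from the original page): a toy MAC label lattice that
# enforces Bell-LaPadula (no read up / no write down) and Biba (no read down /
# no write up), with the category check that denies a user outside the proper
# department even when the level alone would permit access.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def label(level, *categories):
    """Build a security label as (numeric level, frozenset of categories)."""
    return (LEVELS[level], frozenset(categories))


def dominates(a, b):
    """a dominates b when its level is >= b's and it holds every category of b.
    This is the comparison the operating system makes between a user's
    clearance and an object's classification (question 8)."""
    return a[0] >= b[0] and a[1] >= b[1]


def blp_permits(subject, obj, op):
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return dominates(subject, obj)   # Simple Security Property
    if op == "write":
        return dominates(obj, subject)   # Security (*) Property
    raise ValueError(f"unknown operation: {op}")


def biba_permits(subject, obj, op):
    """Biba (integrity): no read down, no write up; the dual of BLP.
    The same lattice is reused here as an integrity lattice for illustration."""
    if op == "read":
        return dominates(obj, subject)   # Simple Integrity Axiom
    if op == "write":
        return dominates(subject, obj)   # Integrity (*) Axiom
    raise ValueError(f"unknown operation: {op}")


if __name__ == "__main__":
    analyst = label("secret", "finance")         # constructed clearance
    objects = {                                  # constructed objects
        "budget": label("confidential", "finance"),
        "payroll": label("confidential", "hr"),  # wrong department
        "plans": label("top secret", "finance"),
    }
    for name, obj in objects.items():
        for op in ("read", "write"):
            print(f"{op:5} {name:8} BLP={blp_permits(analyst, obj, op)!s:5} "
                  f"Biba={biba_permits(analyst, obj, op)}")
```

    Running the block shows that "payroll" is denied under both models for reads even though the analyst's level dominates it, because the "hr" category is not in the clearance.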

    10. We have been tasked with implementing a wide area network so that users can be assured that the data they send will not be altered while in transit. Which of the following will offer this type of security according to the CIA Triad model? Choose the best answer.
    The CIA Triad model states that ensuring data is not tampered with while in transit is a guarantee that confidentiality has been maintained. 
    The CIA Triad model states that ensuring data is not tampered with while in transit is a guarantee that the integrity of the data was maintained.  
    To ensure that data maintains its integrity it relies on confidentiality, therefore there cannot be integrity unless there is also confidentiality.  
    Integrity is the means to ensure that data has not been exposed to unauthorized subjects, and confidentiality states that objects have not been intentionally modified by unauthorized subjects. 
    Answer/Explanation
  • To ensure that data maintains its integrity it relies on confidentiality, therefore there cannot be integrity unless there is also confidentiality.
    This is a tough question because answer b) is also correct, but because confidentiality is required for integrity to be a reality, answer c) is the best answer.
    The CompTIA tests are famous for this type of question, which ensures that the information is thoroughly understood by the applicant.
    Answer d) has the roles of integrity and confidentiality reversed; although they are very similar, they are different. Stated correctly it would read as follows:
    Integrity is the means to ensure that data has not been modified by unauthorized subjects, and confidentiality states that objects have not been intentionally exposed to unauthorized subjects.
