CompTIA Sec+ SY0-601 Chapter 3
Your organization hosts a public-facing web application using the architecture depicted in Figure 3-1. Which solutions would enable the secure remote management of DB1 from the Internet? (Choose two.) A. Jump box B. Expose DB1 directly to the Internet C. VPN D. Encryption of data at rest on DB1 https://imgur.com/a/LJFQ3gW
A and C. A jump box solution is a host (physical or virtual) that has two network interfaces: one allows connections from the Internet, and the other allows connectivity to an internal private network. To manage internal hosts remotely from the Internet, connections first go to the jump box, and from there remote management to internal hosts is possible. Another option is using a virtual private network (VPN) to establish a secure tunnel between two endpoints, such as an IT technician station and the network hosting the public-facing web application. VPN clients are assigned IP addresses from a known pool that can enable them to access the private IP addresses of internal hosts such as DB1. B and D are incorrect. Exposing a web site database directly to the Internet presents unacceptable security risks. While encrypting data at rest on DB1 is a good idea, it is not related to the secure remote management of that host.
Which of the following options best describe the proper use of PII? (Choose two.) A. Law enforcement tracking an Internet offender using a public IP address B. Distributing an e-mail contact list to marketing firms C. Logging into a secured laptop using a fingerprint scanner D. Practicing due diligence
A and C. Proper use of PII means not divulging a person's or entity's personal information to other parties. Law enforcement tracking criminals using IP addresses and logging in with a fingerprint scanner are proper uses of PII. B and D are incorrect. Distributing e-mail contact lists is an improper use of PII. Due diligence is a general standard of reasonable care and is not specific to the handling of PII.
Refer to Figure 3-2. You have been tasked with hardening Internet access to Windows web server hosts. The web servers must be managed remotely using Remote Desktop Protocol. Standard TCP port numbers are in use. Which changes will enhance security? (Choose two.) A. On the Windows web servers, disable SSL v3 and enable TLS v1.2 or higher. B. On the firewall device, block all traffic destined for port 443. C. Deploy a jump box. D. On the Windows web servers, disable RDP. https://imgur.com/a/YwijaiZ
A and C. Secure Sockets Layer (SSL) is a network security protocol that uses security certificates. SSL 3.0 was formally deprecated in 2015 (RFC 7568) because of many known vulnerabilities and should not be enabled on clients or servers. Transport Layer Security (TLS) version 1.2 or higher supersedes SSL and provides network security that has not been deprecated; note that TLS 1.0 and 1.1 have since been deprecated as well (RFC 8996), so they should be disabled along with SSL. Like SSL, TLS must be enabled on both clients and servers. Deploying a jump box enables indirect Windows remote management through the jump box instead of exposing RDP (TCP port 3389 by default) on each Windows host directly to the Internet. B and D are incorrect. Blocking port 443 traffic would prevent HTTPS-secured traffic from reaching the web servers. Disabling RDP would prevent remote management of the Windows web servers using this protocol, which is a stated requirement.
Which of the following statements are true? (Choose two.) A. Security labels are used for data classifications, such as restricted and top secret. B. PII is applicable only to biometric authentication devices. C. Forcing user password changes is considered change management. D. A person's signature on a check is considered PII.
A and D. Restricted and top secret are examples of security data labeling. A signature on a check is considered PII, since it is a personal characteristic. B and C are incorrect. PII also applies to other personal traits such as speech, handwriting, tattoos, and so on. Change management ensures standardized procedures are applied to the entire life cycle of IT configuration changes.
After a lengthy background check and interviewing process, your company hired a new payroll clerk named Tammy. Tammy will be using a web browser on a company computer at the office to access the payroll application on a public cloud provider web site over the Internet. Which type of document should Tammy read and sign? A. Internet acceptable use policy B. Password policy C. Service level agreement D. Remote access acceptable use policy
A. Because Tammy will be using company equipment to access the Internet, she should read and sign an Internet acceptable use policy. B, C, and D are incorrect. Password policies are rules stating how often passwords must change and so on. Service level agreements are contractual documents guaranteeing a specific quality, availability, and responsibility agreed upon between a service provider and the service user. Remote access acceptable use policies define how remote access to a network, such as through a VPN, is to be done securely.
You are a file server administrator for a health organization. Management has asked you to configure your servers appropriately to classify files containing unique manufacturing processes. What is an appropriate data classification for these types of files? A. Proprietary B. PII C. PHI D. Public
A. Company trade secrets such as unique manufacturing processes should be labeled as proprietary. B, C, and D are incorrect. PII refers to private user information that can be traced back to an individual. PHI refers to private healthcare information. Public is not an appropriate label.
Your legal consulting services company is headquartered in Berlin with a branch office in Paris. You are determining how to comply with applicable data privacy regulations. Which of the following security standards must your company comply with? A. GDPR B. PCI DSS C. HIPAA D. PIPEDA
A. The GDPR is designed to protect sensitive EU citizen data. B, C, and D are incorrect. The PCI DSS provides guidance on securing environments where credit card information is processed. In the United States, HIPAA is designed to protect sensitive medical patient information. PIPEDA is Canadian legislation that governs how private-sector organizations collect, use, and disclose personally identifiable information (PII); it does not apply to a company operating only in the EU.
You are configuring a password policy for users in the Berlin office. Passwords must be changed every 60 days. You must ensure that user passwords cannot be changed more than once within the 60-day interval. What should you configure? A. Minimum password age B. Maximum password age C. Password complexity D. Password history
A. The minimum password age is a period of time that must elapse before a password can be changed again. This prevents users from changing passwords multiple times in a short period to cycle through the password history and return to an old password. B, C, and D are incorrect. The maximum password age defines the interval by which the password must be changed—in this case, 60 days. Password complexity prevents users from using simple passwords, such as a variation of the username. Password history prevents the reuse of recent passwords.
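To show how the four settings interact when a change is attempted, here is an added example (not from the book or the exam objectives) of a small password-policy evaluator. It is a simplified model, not Windows or Active Directory code: the user record, the fixed per-user salt, the PBKDF2 parameters and the policy values are assumptions for the demo, and "complexity" is reduced to rejecting the username inside the password.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass
class PasswordPolicy:
    min_age: timedelta = timedelta(days=1)      # earliest a user may change again
    max_age: timedelta = timedelta(days=60)     # latest the password may live
    history_count: int = 5                      # recent hashes that may not be reused
    min_length: int = 12


@dataclass
class UserPasswordState:
    username: str
    salt: bytes           # assumed per-user salt, reused so history hashes stay comparable
    history: list         # most recent hash first
    last_changed: datetime


def hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count kept low for the demo; production values are far higher.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def is_expired(state: UserPasswordState, policy: PasswordPolicy, now: datetime) -> bool:
    """Maximum age: once this much time has passed the user must change the password."""
    return now - state.last_changed >= policy.max_age


def check_change(state: UserPasswordState, policy: PasswordPolicy,
                 new_password: str, now: datetime) -> list:
    """Return the policy violations that block this change; an empty list means allowed."""
    problems = []
    # Minimum age: refuse any change until min_age has elapsed since the last one.
    if now - state.last_changed < policy.min_age:
        problems.append("minimum age not reached")
    if len(new_password) < policy.min_length:
        problems.append("too short")
    # Complexity (simplified): the username must not appear in the password.
    if state.username.lower() in new_password.lower():
        problems.append("contains username")
    # History: compare against the last N stored hashes.
    if hash_password(new_password, state.salt) in state.history[:policy.history_count]:
        problems.append("reused recent password")
    return problems


def apply_change(state: UserPasswordState, policy: PasswordPolicy,
                 new_password: str, now: datetime) -> None:
    problems = check_change(state, policy, new_password, now)
    if problems:
        raise ValueError("; ".join(problems))
    state.history.insert(0, hash_password(new_password, state.salt))
    del state.history[policy.history_count:]   # keep only what the policy needs
    state.last_changed = now
```

For the scenario in the question, the minimum age would be set close to the 60-day maximum so that only one change fits inside the interval; Windows requires the minimum age to be smaller than the maximum age.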
Which of the following are examples of PII? (Choose two.) A. Public IP address of a NAT router B. Mobile phone number C. Digital certificate D. Gender
B and C. Personally identifiable information (PII) is data that uniquely identifies a person, such as a mobile phone number or digital certificate. The appropriate security controls must be put in place to prevent identity theft, which can include pseudonymization to prevent tracing data back to an individual. A and D are incorrect. NAT device public IP addresses identify a network, but not the specific host that initiated a connection from that private network. The same private IP address could be used on separate private networks. Gender is a generic categorization that alone does not uniquely identify a person.
Your company has decided to adopt a public cloud device management solution whereby all devices are centrally managed from a web site hosted on servers in a data center. Management has instructed you to ensure that the solution is reliable and always available. Which type of document should you focus on? A. Password policy B. Service level agreement C. Remote access acceptable use policy D. Mobile device acceptable use policy
B. A service level agreement is a contract stipulating what level of service and availability can be expected from a third party. A, C, and D are incorrect. Password policies specify how user password behavior will be implemented. Remote access acceptable use policies dictate how users will securely access corporate networks remotely—for example, access from home or from hotels when traveling. Mobile device acceptable use policies dictate how mobile devices are to be used to conduct business.
Your organization must observe the appropriate cloud security ISO compliance standards. Which ISO standard must be observed? A. ISO 27001 B. ISO 27017 C. ISO 27002 D. ISO 27701
B. International Organization for Standardization (ISO) 27017 provides guidelines on information security controls for the provision and use of cloud services. A, C, and D are incorrect. While ISO 27001 (requirements for an information security management system), ISO 27002 (the catalog of information security controls), and ISO 27701 (the privacy information management extension to 27001/27002) are all related to information security, they do not focus on cloud computing security.
You have been tasked with creating a corporate security policy regarding smart phone usage for business purposes. What should you do first? A. Issue smart phones to all employees. B. Obtain support from management. C. Get a legal opinion. D. Create the first draft of the policy.
B. Management support is crucial in the successful implementation of corporate security policies. A, C, and D are incorrect. Smart phones should be issued only after having obtained management approval and having created the appropriate policies. Legal counsel can be an important part of the policy creation process, but management approval must be obtained first, even before the first draft of the policy.
Which of the following best illustrates potential security problems related to social media sites? A. Other users can easily see your IP address. B. Talkative employees can expose a company's intellectual property. C. Malicious users can use your pictures for steganography. D. Your credit card number is easily stolen.
B. People tend to speak more freely on social networking sites than anywhere else. Exposing sensitive company information could pose a problem. A, C, and D are incorrect. Knowing a computer's IP address has nothing to do with social networking risks. Secretly embedding messages in pictures is not a threat tied specifically to social networks. Credit card numbers are not normally stolen through social networks.
Your company restricts firewall administrators from modifying firewall rules unless they make the modifications with a member of the IT security team. What is this an example of? A. Due care B. Separation of duties C. Principle of least privilege D. Acceptable use
B. Separation of duties requires more than one person to complete a process such as controlling a firewall and its rules. A, C, and D are incorrect. Due care means implementing policies to correct security problems. The principle of least privilege requires users to have only the rights they need to do their jobs; although this answer could apply in this case, separation of duties is a much stronger answer. Acceptable use refers to proper conduct when using company assets.
Your online retail business accepts PayPal and credit card payments. You need to ensure that your company is compliant with the relevant security standards. Which payment security standard should you focus on? A. GDPR B. PCI DSS C. HIPAA D. PIPEDA
B. The Payment Card Industry Data Security Standard (PCI DSS) provides guidance on securing environments where credit card information is processed. A, C, and D are incorrect. The European Union (EU) General Data Protection Regulation (GDPR) is designed to protect sensitive EU citizen data. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) is designed to protect sensitive medical patient information. The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canadian legislation designed to protect data privacy.
You are the network administrator for a legal firm. Users in Vancouver must be able to view trade secrets for patent submission. You have shared a network folder called Trade Secrets and allowed the following NTFS permissions:
Vancouver_Staff: Read, List Folder Contents
Executives: Write
IT_Admins: Full Control
Regarding Vancouver staff, which principle is being adhered to? A. Job rotation B. Least privilege C. Mandatory vacations D. Separation of duties
B. The principle of least privilege states that people should be granted only the minimum access required to do their job. In this case, Vancouver staff members have only read access to the Trade Secrets folder because they should not be allowed to make changes. A, C, and D are incorrect. Job rotation refers to the practice of periodically moving people from one job role to a different role for a variety of reasons, such as employee skill enhancement or exposure to a wider range of business processes. Like job rotation, mandatory vacations are used as a tool to help detect potential fraud or privilege abuse while the user who normally fills a role is not actively working. Separation of duties is not what these permissions illustrate; it prevents a single person from having end-to-end control of a single business process.
Margaret, the head of HR, conducts an exit interview with a departing IT server technician named Irving. The interview encompasses Irving's view of the organization, such as the benefits of the job he held and suggestions of improvements that could be made. Which of the following issues should also be addressed in the exit interview? (Choose two.) A. Background check B. Job rotation C. Nondisclosure agreement D. Property return form
C and D. Nondisclosure agreements (NDAs) are used to ensure that sensitive data an employee or contractor may have been exposed to is not revealed outside of the organization. An NDA is signed during employee onboarding, when other contracts are signed; reminding employees leaving the organization of their responsibility not to violate the NDA is important. Any equipment, access codes, passes, and keys must be surrendered to the company when an employee leaves the organization (employee offboarding). This is formalized and recorded on a property return form. A and B are incorrect. Background checks are a part of the hiring process and can reveal past problems related to a potential employee's credit or criminal record. In job rotation, employees periodically switch job roles with other employees to ensure broad expertise in various job roles or to identify suspicious activity by previous occupants of a role.
As the IT security officer, you establish a security policy requiring that users protect all paper documents so that sensitive client, vendor, or company data is not stolen. What type of policy is this? A. Privacy B. Acceptable use C. Clean desk D. Password
C. A clean desk policy requires paper documents to be safely stored (and not left on desks) to prevent malicious users from acquiring them. A, B, and D are incorrect. Although the clean desk policy is one of several privacy policies that protect sensitive information, the question refers specifically to the clean desk policy, so this is not the best answer. Acceptable use policies govern the proper use of corporate assets. Password policies control all aspects of passwords for authentication, not securing paper documents.
Which type of document is a nonbinding agreement between two parties? A. BPA B. MSA C. MOU D. EOSL
C. A memorandum of understanding (MOU) is a document outlining an agreement between entities such as business partners; unlike a contract, it is not legally binding. An example of how an MOU is used between organizations that connect IT environments together is an interconnection security agreement (ISA), which can be put in place to ensure the secure transmission of sensitive data between organizations. A, B, and D are incorrect. A business partnership agreement (BPA) is a contract between two or more business partners to create a joint business venture; a BPA is legally binding. Measurement systems analysis (MSA) is used to determine the accuracy of a system used to collect data metrics, such as capturing web site metrics through usage activity and user surveys. It is not an agreement document. End of service life (EOSL) refers to the point at which a hardware or software product will no longer be supported by its creator or manufacturer; it has nothing to do with a document.
Which of the following is an example of PHI? A. Education records B. Employment records C. Fingerprints D. Credit history
C. Fingerprints are considered protected health information (PHI) under the American HIPAA rules. A, B, and D are incorrect. Although education and employment records and credit history are considered PII, they are not considered to be PHI.
You have been hired to review security controls for a medical practice in rural Tennessee. Which of the following data privacy frameworks must the medical practice be compliant with? A. GDPR B. PCI DSS C. HIPAA D. PIPEDA
C. HIPAA is American legislation designed to protect sensitive medical patient information. A, B, and D are incorrect. The GDPR is designed to protect sensitive EU citizen data. PCI DSS provides guidance on securing environments where credit card information is processed. PIPEDA is Canadian legislation designed to protect data privacy.
Which action will have the largest impact on mitigating against SQL injection attacks? A. Enable HTTPS B. Change default web server settings C. Enable input validation D. Apply web server host OS updates
C. Input validation rejects unexpected characters or data before they reach the database query, which blocks the crafted input a SQL injection attack depends on and so can prevent sensitive data disclosure. In practice, validation is paired with parameterized queries (prepared statements), which keep user input from ever being interpreted as SQL syntax. A, B, and D are incorrect. Enabling HTTPS increases the security of network transmissions. Changing default settings hardens the web server, as does applying OS updates. None of these is a SQL injection attack countermeasure.
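The following is an added example, not code from the book, showing the difference between a query built by string concatenation, the same query with parameters, and allow-list input validation in front of it. It uses Python's built-in sqlite3 module with a constructed in-memory users table; the usernames, passwords and the username character set are assumptions for the demo (real systems store password hashes, but the point here is the query, not the storage).

```python
import re
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two made-up accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "staff")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Deliberately vulnerable: user input is pasted into the SQL text, so a quote
    # in the input closes the literal and the rest becomes query syntax.
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Fixed: placeholders send the input as data; the driver never lets it
    # become part of the statement structure.
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Allow-list validation (assumed username format): lowercase letters, digits,
# '_', '.', '-', 1 to 32 characters. Anything else is rejected up front.
USERNAME_RE = re.compile(r"[a-z0-9_.-]{1,32}")


def validate_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Validation first, then a parameterized query: both layers of the answer."""
    if not validate_username(username):
        return False
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    conn = build_demo_db()
    for user, pw in [("alice", "correct horse"), ("alice", "' OR '1'='1"), ("alice'--", "wrong")]:
        print(repr(user), repr(pw),
              "vulnerable:", login_vulnerable(conn, user, pw),
              "parameterized:", login_parameterized(conn, user, pw),
              "hardened:", login_hardened(conn, user, pw))
```

The password payload `' OR '1'='1` turns the vulnerable WHERE clause into `... AND password = '' OR '1'='1'`, which is true for every row; the `alice'--` username comments out the password check entirely. Neither trick works against the parameterized version, and the second is also rejected by validation before any query runs.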
Christine is the server administrator for your organization. Her manager provided step-by-step security policies outlining how servers should be configured to maximize security. Which type of security policy will Christine be implementing? A. Mail server acceptable use policy B. VPN server acceptable use policy C. Procedural policy D. File server acceptable use policy
C. Procedural policies provide step-by-step instructions for configuring servers. A, B, and D are incorrect. Acceptable use policies are usually user-centric documents outlining rules and regulations for appropriate computing use, and they do not provide step-by-step instructions.
You are planning the secure management of servers and network infrastructure devices on your corporate LAN. Which design will best protect these devices from RDP and SSH attacks? A. Enabling HTTPS B. Periodic vulnerability scanning C. SSH public key authentication D. Dedicated network management interface
D. A dedicated network management interface connects to a dedicated secure network used only for management purposes. Because no user traffic is present, this will protect devices from Remote Desktop Protocol (RDP) and Secure Shell (SSH) attacks. A, B, and C are incorrect. Although enabling HTTPS increases the security of network transmissions, it does not specifically protect against RDP and SSH attacks. Periodic vulnerability scanning is important for identifying weaknesses, but it is not focused on remote management, so it will not protect against these attacks. SSH public key authentication improves upon Linux username and password authentication, and in conjunction with dedicated management network interfaces it provides a secure remote management solution.
You need to manage cloud-based Windows virtual machines (VMs) from your on-premises network. Which option presents the most secure remote management solution? A. Enable HTTPS for RDP B. Configure each VM with a public IPv6 address C. Use PowerShell remoting for remote management D. Manage the VMs through a jump box
D. A jump box is a host with a connection to both a public and a private network. After successfully authenticating to the jump box, administrators can remotely connect to hosts on the private network. This prevents the direct exposure of hosts to the public network. A, B, and C are incorrect. None of the listed solutions presents as secure a remote management solution as a jump box, which prevents direct access to private hosts from the Internet. Allowing direct, externally initiated access to internal Windows VMs via HTTPS, IPv6, or PowerShell remoting presents more security risk than allowing indirect access through a jump box. One reason for this is that the jump box may only be accessible using nonstandard port numbers or through a VPN.
You have instructed your web app developers to include a message for web site visitors detailing how their data will be processed and used. What should web app developers add to the site? A. Information life cycle document B. Terms of agreement C. Public disclosure D. Privacy notice
D. A privacy notice provides details regarding how sensitive data will be collected, stored, used, and shared and may be required for legal or regulatory compliance. A, B, and C are incorrect. The information life cycle relates to the creation, processing, usage, reporting, archiving, and deletion of information during its useful life. A variety of hardware and software solutions can apply to information at different stages, such as data retention policies for financial records. Terms of agreement is a generic term that normally applies to contractual terms, such as how a subcontractor will provide materials and services. In the realm of IT security, public disclosure deals with the reporting of discovered product vulnerabilities or the reporting of a cybersecurity incident that may involve a data breach.
During customer support calls, customer service representatives periodically pull up customer details on their screens, including credit card numbers. What should be enabled to prevent the disclosure of credit card numbers? A. Tokenization B. Anonymization C. Data minimization D. Data masking
D. Data masking replaces sensitive characters (such as credit card number digits) with other characters, such as asterisks (*). Normally, only the last four digits of a credit card number are shown. Data masking is an option available in many database solutions. A, B, and C are incorrect. Data tokenization substitutes sensitive data with something that cannot be traced back to that sensitive data (the "token"). The token can then be presented to apps instead of the original sensitive data (such as credit card information). Anonymization modifies data so that it cannot be traced back to its original form; data masking and tokenization are forms of data anonymization. Data minimization is a strategy of collecting and processing only required data.
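The three techniques contrasted in this answer, plus the pseudonymization mentioned in the PII answer earlier in the chapter, are shown side by side in the following added example (not code from the book). The card numbers are the standard test values, the token vault is an in-memory dictionary standing in for a real tokenization service, and the HMAC key is a demo assumption.

```python
import hashlib
import hmac
import secrets


def mask_pan(pan: str, visible: int = 4, mask_char: str = "*") -> str:
    """Masking: hide every digit except the last `visible` ones.
    Separators (spaces, dashes) are kept so the display layout is unchanged."""
    digits = [c for c in pan if c.isdigit()]
    keep_from = max(len(digits) - visible, 0)
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append(c if seen >= keep_from else mask_char)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


class TokenVault:
    """Tokenization: the real value is stored only here; every other system
    handles a random token that carries no information about the value."""

    def __init__(self) -> None:
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value: str) -> str:
        if value in self._by_value:          # same value always maps to the same token
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(8)  # random, not derived from the value
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str):
        """Only the vault can turn a token back into the value; None if unknown."""
        return self._by_token.get(token)


def pseudonymize(value: str, key: bytes) -> str:
    """Pseudonymization with a keyed hash: the same input gives the same pseudonym,
    so records can still be joined, but without the key nobody can reverse it or
    confirm a guess. A plain unkeyed hash would not do: the space of valid card
    numbers or e-mail addresses is small enough to brute-force."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111 1111 1111 1111"
    print("masked:      ", mask_pan(pan))
    print("token:       ", vault.tokenize(pan))
    print("pseudonym:   ", pseudonymize("alice@example.com", b"demo-key-change-me"))
```

For the support-desk scenario, masking is the right fit because the agent still needs to confirm the last four digits with the caller; tokenization would be the choice for the ordering system, which needs to reference the card but never needs to see it.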
To enhance your organization's security posture, management has decided that new and existing security technician employee IT security awareness will be implemented through gamification. What is the best way to achieve this? A. User onboarding procedures B. Computer-based training C. Role-based training D. Capture the flag
D. Gamification involves using game-style drills to prepare for cybersecurity incident response, or using a reward system that provides some kind of incentive for demonstrating cybersecurity acumen. Capture the flag security competitions work by awarding a flag when a team overcomes a security problem. The flag owner submits the flag to a central authority to earn points. Individuals or teams with the highest number of points win the competition. A, B, and C are incorrect. User onboarding refers to processes related to the hiring and training of new employees. Computer-based training (CBT) can help in achieving security goals, but this is not gamification. Role-based training focuses on the skills necessary to complete specific job tasks.
The Accounts Payable department notices large out-of-country purchases made using a corporate credit card. After discussing the matter with Juan, the employee whose name is on the credit card, they realize that somebody has illegally obtained the credit card details. You also learn that Juan recently received an e-mail from what appeared to be the credit card company asking him to sign in to their web site to validate his account, which he did. How could this have been avoided? A. Provide credit card holders with smartcards. B. Tell users to increase the strength of online passwords. C. Install a workstation-based firewall. D. Provide security awareness training to employees.
D. If Juan had been made aware of phishing scams by attending phishing training campaigns or by being shown phishing simulations, he would likely have recognized the message as a phishing attempt and reported it instead of signing in through its link. Perpetrators of this type of crime can be charged with fraud, which can result in fines or imprisonment, depending on applicable laws. A, B, and C are incorrect. Smartcards enable users to authenticate to a resource but would not have prevented this problem. Even the strongest password means nothing if the user willingly reveals it. Although very important, a workstation-based firewall will not prevent phishing scams.
What is the primary purpose of enforcing a mandatory vacation policy? A. To adhere to government regulation B. To ensure employees are refreshed C. To enable other employees to experience other job roles D. To prevent improper activity
D. Knowledge that vacation time is mandatory means employees are less likely to engage in improper business practices, because when a different employee fills a job role while the vacationing employee is out of the office, he or she is likely to notice any irregularities. A, B, and C are incorrect. Adhering to regulations is not the primary purpose of mandatory vacations as they pertain to security policies. Refreshed employees tend to be more productive, but this is not the primary reason for mandatory vacations. A job rotation policy enables other employees to gain experience in additional job roles; although this would occur for a vacationing employee, this is not the best answer.
Which of the following security standards focuses on assessing and managing risk? A. CIS B. SOC 2 C. NIST CSF D. NIST RMF
D. The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) provides guidance regarding how to assess, frame, monitor, and respond to risks, including how to apply security controls to mitigate risk. The Cloud Security Alliance (CSA) Reference Architecture can also be used to assess risk, and the Cloud Controls Matrix can be used to organize risk mitigations. A, B, and C are incorrect. The Center for Internet Security (CIS) is a nonprofit entity providing guidance for securing IT systems and data. SOC 2 is an audit standard for measuring the availability and confidentiality protection provided by service providers such as public cloud providers. The NIST Cybersecurity Framework (CSF) consists of security best practices and recommendations for hardening the use of IT systems and related data.
In Figure 3-3, match the terms on the left with the descriptions on the right. Note that some descriptions on the right do not have matching terms on the left. https://imgur.com/a/zJysr3H
Figure 3-4 shows the terms matched to correct answers. A retention policy may be a regulation requiring financial data to be kept for three years. Regulatory compliance will often influence IT activities such as the retention of specific types of data for periods of time. Service accounts assign required permissions to software components. They are similar to user accounts but are instead used by software components that require special permissions to resources. Reputation damage can be caused by security breaches that expose sensitive customer data. Such exposure can negatively affect the reputation and shareholder confidence in the organization. In incident escalation, unsolved security issues must be addressed by other parties. Incident response plans must include details on how to escalate an incident when the first responders cannot contain the breach. Impact assessments are tools that determine the result of negative incidents. They are used to measure the negative impact of realized threats. This in turn can be used to prioritize threats and ultimately resources and time to mitigate the threats. https://imgur.com/a/MeXzG9l
Match the security policy terms with the appropriate definitions:
Scope ____
Overview ____
Policy ____
Definitions ____
Enforcement ____
A. Describes how the security policy improves security
B. Consequences of policy nonadherence
C. Explanation of terms used throughout the security policy
D. Collection of dos and don'ts
E. Defines which set of users a security policy applies to
Scope: E, Overview: A, Policy: D, Definitions: C, Enforcement: B