CompTIA Sec+ Sy0-601 Chapter 12

29. You plan on using a web browser secured connection to manage your public cloud subscription. Which outbound port number must be allowed on your network firewall? A. 636 B. 995 C. 993 D. 443

D. HTTPS secured connections use TCP port 443.

20. Which of the following is a cryptographic stream cipher? A. AES B. DES C. Blowfish D. RC4

D. The Rivest Cipher 4 (RC4) algorithm is a stream cipher, meaning that data is encrypted 1 byte at a time instead of an entire data block (more than 1 byte) being encrypted at once.

19. Which cryptographic attribute mitigates brute-force key attacks? A. Key length B. Key exchange C. Authentication D. Encryption

A. In general, the longer a cryptographic key (number of bits), the more difficult it becomes to brute-force key values due to the increased number of possible key combinations. The strength and implementation of an encryption algorithm (and not only the key size) determine its resilience to attacks.

You are reviewing network perimeter firewall rules for the firewall public interface and notice allowances for incoming UDP port 161 and TCP port 443 traffic. What type of traffic will be allowed through the firewall public interface, assuming default ports are being used? (Choose two.) A. SFTP B. SNMPv3 C. FTPS D. HTTPS

B and D. SNMP uses UDP port 161 and HTTPS uses TCP 443. A and C are incorrect. SFTP uses remote encrypted SSH sessions to transfer files securely between SSH hosts. FTPS uses TLS to enable the secure transfer of files between FTP hosts over TCP port 21 (explicit FTPS) or 990 (implicit FTPS).

You are configuring SNMPv3 authentication. Which of the following hashing algorithms are available? A. MD5, RSA B. MD5, SHA C. SHA, AES D. AES, 3DES

B. MD5 and SHA are hashing algorithms that are used to verify the integrity of data and can be used for authentication SNMPv3 connections over the network.

31. Which network security protocol can encrypt all network traffic using a single configuration? A. TLS B. SSL C. IPSec D. HTTPS

C. IPSec can be configured to secure some or all network traffic using a single configuration, unlike application security protocols like HTTPS, which apply only to web servers, where each server requires a PKI certificate.

14. You are planning your SMTP mail system so that mail transfers are encrypted. Which protocol should you use? A. NTS B. SRTP C. S/MIME D. LDAPS

C. Mail traffic can be encrypted and digitally signed through the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol, which requires SMTP hosts to be configured with a PKI certificate

You are evaluating a secure network management solution that will be used to monitor and configure network infrastructure devices remotely. Which of the following is the best choice? A. SFTP B. FTPS C. SNMPv3 D. HTTPS

C. The Simple Network Management Protocol (SNMP) version 3 supports authenticated and encrypted messages when remotely monitoring and managing devices running an SNMP agent such as routers, switches, and server operating systems. SNMP normally uses UDP port 161.

18. A government informant embeds sensitive drug cartel data in an e-mail attachment. The attachment appears to be a picture of a dog. Which data secrecy technique is being used? A. Steganography B. Encryption C. Hashing D. Blockchain

A. Steganography is a technique used to hide sensitive data within other nonsensitive items, such as hiding a secret message within a photo of a dog, which often requires special software to hide and unhide the message. Messages can he hidden in many types of files, including audio and video.

You have configured LDAP over SSL (LDAPS) with default settings to secure directory service queries across subnets. Which port must be open on the subnet firewall? A. TCP 389 B. TCP 22 C. TCP 25 D. TCP 636

D. Lightweight Directory Access Protocol Secure (LDAPS) uses a PKI certificate to secure LDAP connections over the network and uses TCP port 636. LDAP is used to connect to and query a centralized network directory service database such as Microsoft Active Directory.

32. Which cryptographic technique is often referred to as "hiding in plain sight"? A. Entropy B. Quantum computing C. Hashing D. Steganography

D. Steganography is a technique used to hide sensitive data within other nonsensitive items, such as hiding a secret message within a photo of a dog, which requires special software to hide and unhide the message.

Which type of key is used by an IPSec VPN configured with a pre-shared key (PSK)? A. Public B. Private C. Asymmetric D. Symmetric

D. With symmetric encryption, the same key is used for encryption and decryption. The IPSec VPN PSK must be configured on both ends of the VPN tunnel. A, B, and C are incorrect. PSKs do not use asymmetric encryption, which uses public and private key pairs. With asymmetric encryption, the public key encrypts and the related private key decrypts.

28. For security and performance reasons, you would like IP phone VoIP traffic to be isolated from regular TCP/IP network traffic. Which network protocol will allow this end result? A. IPSec B. S/MIME C. SSH D. DHCP

D. You can configure DHCP vendor-class options to identity the type of device making a DHCP request (IP phone), and then assign IP settings such as IP address range and default gateway.

Which encryption algorithms can SNMPv3 use? A. AES, MD5 B. SHA-256, 3DES C. 3DES, AES D. MD5, 3DES

C. SNMPv3 can use Triple Digital Encryption Standard (3DES) or the newer Advanced Encryption Standard (AES) algorithm to encrypt SNMP data sent over the network.

26. Which benefit is derived from using a HSM to carry out cryptographic operations as opposed to a standard operating system such as Microsoft Windows? A. Ability to store cloud-generated certificates B. Ability to enable IPSec tunnel mode C. Lower cost D. Lower computational latency

D. A hardware security module (HSM) is a tamper-proof dedicated appliance that can securely store cryptographic keys and perform cryptographic operations. Offloading these tasks from a Microsoft Windows computer results in lower computational latency, since dedicated firmware is generally faster and more reliable than a general purpose operating system.

17. Which technology is described as "a secure distributed public ledger of transactions"? A. Quantum communications B. Quantum computing C. Steganography D. Blockchain

D. Blockchain provides a distributed public ledger of transactions that cannot be modified. Because the blockchain of transactions is managed by thousands of computers, it is not controlled by a single central organization or government. Bitcoin digital currency transactions are one example of how blockchain can be used. Bitcoin transactions are considered anonymous, since the transactions are linked to a digital identity.

16. Which cryptographic operations use a public key? (Choose two.) A. Verifying digital signatures B. Encrypting messages C. Creating digital signatures D. Decrypting messages

A and B. Private keys create a digital signature and the related public key is used to verify the signature. The sender of an encrypted message must have access to the public key of message recipients to encrypt the message for them.

21. Which of the following are symmetric encryption block ciphers? (Choose two.) A. AES B. CBC C. RC5 D. RC4

A and C. AES and RC5 are symmetric block encryption ciphers. Block ciphers encrypt entire data blocks as opposed to individual bytes of data.

Which cryptographic operations use an asymmetric private key? (Choose two.) A. Creating a digital signature B. Verifying a digital signature C. Encrypting a message D. Decrypting messages

A and D. Digital signatures assure the recipient of a message that it is authentic and has not been modified. The message sender's private key is used to create a digital signature thus constituting nonrepudiation; the sender cannot deny having sent and signed the message because only the sender has access to their private key. Private keys are also used to decrypt messages, such as e-mail messages.

27. Which statements regarding PKI certificates are correct? (Choose two.) A. A certificate can be used for more than one cryptographic purpose. B. A 2048-bit key is considered weak. C. Certificates cannot be issued to routers. D. Certificates have an expiry date.

A and D. PKI certificates can be used for multiple purposes such as message encryption, digital signatures, and file encryption. Certificates have an expiry date upon which the certificate is no longer valid.

11. Secure POP mail transmissions use which standard port number? A. 995 B. 110 C. 993 D. 443

A. The Post Office Protocol (POP) is a client mail retrieval standard and can be secured using a PKI certificate. Secure POP uses a standard port number of TCP 995.

13. Which IPSec configuration mode encapsulates origin IP packets? A. ESP B. AH C. Tunnel D. Transport

C. IPSec tunnel mode can place an entire IP packet within another IP packet (encapsulation) and encrypt that payload.

22. Which public key cryptographic design can use smaller keys while maintaining cryptographic strength? A. CBC B. S/MIME C. ECC D. IPSec

C. Elliptic curve cryptography uses a set of points for a curve over a finite field instead of using prime number factoring for encryption. This allows for smaller key lengths, which minimizes required compute power. ECC small keys have the strength of much longer keys. For example, a 256-bit ECC key is equivalent to a 3072-bit RSA key.

30. Which service is provided by DNSSEC? A. Confidentiality B. Integrity C. Network address allocation D. Availability

B. DNSSEC protects DNS clients from forged DNS answers in response to client DNS queries. With DNSSEC, DNS zone records are digitally signed. DNS clients verify the signature of DNS query results using a public key to ensure that the response is valid. (DNS clients trust the private key used to sign the DNS zone.)

Your company provides remote word processing and spreadsheet file access using FTP. After a security audit, the findings suggest employing TLS to harden FTP access. Which protocol should you configure to address this concern? A. SFTP B. FTPS C. SNMPv3 D. HTTPS

B. FTPS uses TLS to enable the secure transfer of files between FTP hosts over TCP port 21 (explicit FTPS) or 990 (implicit FTPS); traditional FTP passes credentials and data over the network in clear text.

Which cryptographic operation does not use a cryptographic key? A. Encrypting B. Hashing C. Decrypting D. Creating digital signatures

B. Hashing is used to verify that a file or message has not changed. The origin data is fed into a one-way cryptographic algorithm resulting in a unique value called a hash; a cryptographic key is not used. One-way algorithms are easy to compute given input, but it is very difficult to take a hash and determine the original value.

24. Which cryptographic technique allows the analysis of data without first decrypting it? A. Lightweight encryption B. Homomorphic encryption C. Entropy D. Blockchain

B. Homomorphic encryption provides data confidentiality and is a computationally expensive cryptographic technique that allows encrypted data to be analyzed without fully decrypting it. Decrypting data, while it is accessed, presents a risk of unauthorized access while in a decrypted state.

23. Which encryption technique is designed to run on devices with constraints such as low power and low processing capabilities? A. Homomorphic encryption B. Lightweight cryptography C. Entropy D. Blockchain

B. Lightweight encryption requires less compute power than traditional encryption algorithms and is well suited for mobile devices. ECC is a lightweight encryption technique that uses small keys to achieve strong security. A small key size means less computational requirements.

15. Which term refers to providing random data as additional input to a hashing algorithm? A. Key stretching B. Salting C. Perfect forward secrecy D. Ephemeral

B. Salting enhances hashing security using random bits in addition to origin data, such as a passphrase that is fed into a one-way hashing algorithm. To calculate the original passphrase value, the salt value must be known. Salting makes dictionary attacks much less likely to succeed.