SY0-501 CompTIA Security+ Practice Questions
Confidentiality: Confidentiality ensures that data is not disclosed to unintended persons. Removable media poses a big threat to confidentiality because it makes it easy to remove data and share it with unauthorized users.
A user copies files from her desktop computer to a USB flash device and puts the device into her pocket. Which of the following security risks is most pressing? Availability; Integrity; Confidentiality; Non-repudiation
$33,333.33: ALE (annual loss expectancy) is equal to the SLE times the annualized rate of occurrence (ARO). In this case, the SLE is $2 million and the ARO is 1/60.
Consider the following scenario: The asset value of your company's primary servers is $2 million, and they are housed in a single office building in Anderson, Indiana. Field offices are scattered throughout the United States, but the workstations located at the field offices serve as thin clients and access data from the Anderson servers. Tornados in this part of the country are not uncommon, and it is estimated that one will level the building every 60 years. Which of the following amounts is the ALE for this scenario? $500,000; $33,333.33; $2 million; $1 million; $16,666.67
Confidentiality: Smart phones with cameras and data transfer capabilities pose a risk to confidentiality. Users can take pictures of computer screens or save data to cell phones and make that information available to unauthorized users.
Smart phones with cameras and internet capabilities pose a risk to which security concept? Confidentiality; Availability; Non-repudiation; Integrity
USB devices: The greatest threat to data confidentiality in most secure organizations is portable devices (including USB devices). So many devices can support file storage that stealing data has become easy, and preventing data theft is difficult.
What is the greatest threat to the confidentiality of data in most secure organizations? USB devices; Operator error; Hacker intrusion; Malware
Prevent conflicts of interest: The primary purpose of separation of duties is to prevent conflicts of interest by dividing administrative powers between several trusted administrators. This prevents a single person from having all of the privileges over an environment, which would create a primary target for attack and a single point of failure.
What is the primary purpose of separation of duties? Grant a greater range of control to senior management; Increase the difficulty of performing administration; Inform managers that they are not trusted; Prevent conflicts of interest
False positives: False positives are events that were mistakenly flagged and aren't truly events to be concerned about.
What is the term used for events that were mistakenly flagged although they weren't truly events about which to be concerned? Error flags; False positives; Non-incidents; Fool's gold
Keep systems up-to-date and use standard security practices. Because script kiddies lack knowledge and sophistication, their attacks often seek to exploit well-known vulnerabilities in systems. As such, defending against script kiddies involves keeping systems up-to-date and using standard security practices.
A script kiddie is a threat actor who lacks knowledge and sophistication. Script kiddie attacks often seek to exploit well-known vulnerabilities in systems. What is the best defense against script kiddie attacks? Keep systems up-to-date and use standard security practices. Have appropriate physical security controls in place. Implement e-mail filtering systems. Build a comprehensive security approach that uses all aspects of threat prevention and protection. Properly secure and store data backups.
Implicit deny: With implicit deny, users or groups that are not specifically given access to a resource are denied access. Implicit deny means that there is an assumed or unstated deny that prevents access to anyone not explicitly on the list.
An access control list (ACL) contains a list of users and allowed permissions. What is it called if the ACL automatically prevents access to anyone who is not on the list? Explicit deny; Explicit allow; Implicit deny; Implicit allow
Confidentiality: Confidentiality ensures that only authorized parties can access data. When a cryptographic system protects data confidentiality, unauthorized users cannot view the resource.
By definition, which security concept ensures that only authorized parties can access data? Non-repudiation; Authentication; Integrity; Confidentiality
Non-repudiation: The ability to prove that a sender sent a message is known as non-repudiation. Through various mechanisms in different cryptographic solutions, you can prove that only the sender could have initiated a communication. Therefore, the sender cannot repudiate having originated the message.
By definition, which security concept uses the ability to prove that a sender sent an encrypted message? Integrity; Non-repudiation; Authentication; Privacy
$2 million: It does not matter how frequently a loss is projected to occur (only once every 60 years, in this case). What matters is that each occurrence will be disastrous. SLE (single loss expectancy) is equal to asset value (AV) times exposure factor (EF). In this case, the asset value is $2 million and the exposure factor is 1.
Consider the following scenario: The asset value of your company's primary servers is $2 million, and they are housed in a single office building in Anderson, Indiana. Field offices are scattered throughout the United States, but the workstations located at the field offices serve as thin clients and access data from the Anderson servers. Tornados in this part of the country are not uncommon, and it is estimated that one will level the building every 60 years. Which of the following is the SLE for this scenario? $500,000; $1 million; $33,333.33; $16,666.67; $2 million
Preventive: Preventive access controls deter intrusion or attacks (for example, separation of duties or dual-custody processes).
Separation of duties is an example of which type of access control? Compensative; Detective; Preventive; Corrective
Insider: Because insiders are one of the most dangerous and overlooked threats to an organization, you need to take the appropriate steps to protect against them: require mandatory vacations; create and follow onboarding and off-boarding procedures; employ the principle of least privilege; have appropriate physical security controls in place.
The IT manager in your organization proposes taking steps to protect against a potential threat actor. The proposal includes the following: create and follow onboarding and off-boarding procedures; employ the principle of least privilege; have appropriate physical security controls in place. Which type of threat actor do these steps guard against? Insider; Hacktivist; Competitor; Script kiddie
0.0167: ARO (annualized rate of occurrence) is the expected frequency of an event per year. In this case, the event is expected once every 60 years, so the ARO is 1/60, or 0.0167.
The asset value of your company's primary servers is $2 million, and they are housed in a single office building in Anderson, Indiana. Field offices are scattered throughout the United States, but the workstations located at the field offices serve as thin clients and access data from the Anderson servers. Tornados in this part of the country are not uncommon, and it is estimated that one will level the building every 60 years. Which of the following is the ARO for this scenario? 5; 0.0167; 16.7; 60; 1
Unauthorized users are prevented from viewing or accessing the resource: Confidentiality is protection against disclosure to unauthorized users.
When a cryptographic system is used to protect data confidentiality, what actually takes place? The data is protected from corruption or change; Transmitting the encrypted data is prohibited; The data is available for access whenever authorized users need it; Unauthorized users are prevented from viewing or accessing the resource
Layered security: Layered security, sometimes called defense in depth, is a security approach that combines multiple security controls and defenses to create a cumulative effect.
Which of the following is a security approach that combines multiple security controls and defenses and is sometimes called defense in depth? Network security; Countermeasure security; Perimeter security; Layered security; Cumulative security
A misconfigured server: A misconfigured server is a vulnerability. A vulnerability is the absence or weakness of a safeguard that could be exploited, such as an enabled USB port on the server hosting the database.
Which of the following is an example of a vulnerability? A misconfigured server; Virus infection; Unauthorized access to confidential resources; Denial of service attack
A user accidentally deletes the new product designs: Internal threats include malicious acts such as theft, fraud, or sabotage; intentional or unintentional actions that destroy or alter data; and disclosing sensitive information by snooping or espionage.
Which of the following is an example of an internal threat? A delivery man is able to walk into a controlled area and steal a laptop. A user accidentally deletes the new product designs. A water pipe in the server room breaks. A server back door allows an attacker on the internet to gain access to the intranet site.
Creeping privileges: Creeping privileges occur when a user's job position changes and they are granted a new set of access privileges for their new work tasks, but their previous access privileges are not removed. As a result, the user accumulates privileges over time that are not necessary for their current work tasks. This is a form of privilege escalation.
Which of the following is an example of privilege escalation? Principle of least privilege; Mandatory vacations; Separation of duties; Creeping privileges
Control access to resources to prevent unwanted access: Controlling access to resources to prevent unwanted access protects confidentiality, not integrity.
Which of the following is not a valid concept to associate with integrity? Control access to resources to prevent unwanted access; Prevent the unauthorized change of data; Ensure that your systems record the real information when collecting data; Protect your environment so it maintains the highest source of truth
The term hacker is a general term used to describe any individual who uses their technical knowledge to gain unauthorized access to an organization. The following are specific types of hackers, also known as threat actors: A hacktivist is any individual whose attacks are politically motivated. A nation state is the most organized, well-funded, and dangerous type of threat actor. An organized crime threat actor is a group of cybercriminals whose main goal is financial gain. A script kiddie is a threat actor who lacks skills and sophistication but wants to impress their friends or garner attention. Script kiddies carry out an attack by using scripts or programs written by more advanced hackers.
Which of the following is the best definition of the term "hacker"? A threat actor who lacks skills and sophistication but wants to impress their friends or garner attention. A threat actor whose main goal is financial gain. The most organized, well-funded, and dangerous type of threat actor. A general term used to describe any individual who uses their technical knowledge to gain unauthorized access to an organization. Any individual whose attacks are politically motivated.
Any potential danger to the confidentiality, integrity, or availability of information or systems
Which of the following is the correct definition of a threat? The likelihood of an attack taking advantage of a vulnerability; Instance of exposure to losses from an attacker; Absence or weakness of a safeguard that could be exploited; Any potential danger to the confidentiality, integrity, or availability of information or systems
Employees: Employees are the single greatest threat to network security. Therefore, user education is very important. Employees need to be aware that they are the primary targets in most attacks. Phishing attacks are one of the most common attacks directed toward employees. Employees should be able to identify attacks by e-mail, instant messages, downloads, and websites. Effective password policies should be enforced, and passwords should not be written down. Employees should be able to identify both internal and external threats. Employees need to be aware of the company's security policies.
Which of the following is the single greatest threat to network security? Insecure physical access to network resources; Weak passwords; Employees; E-mail phishing
Change management: Change management is the structured approach that is followed to secure a company's assets.
Which of the following is the structured approach that is followed to secure a company's assets? Skill management; Incident management; Change management; Audit management
Separation of duties: A separation of duties policy is designed to reduce the risk of fraud and to prevent other losses in an organization.
Which of the following policies is designed to reduce the risk of fraud and prevent other losses in an organization? Physical access control; Separation of duties; Acceptable use; Least privilege
Exception: The exception policy statement may include an escalation contact in the event that the person dealing with a situation needs to know who to contact.
Which of the following policy statements may include an escalation contact in the event that the person dealing with a situation needs to know who to contact? Exception; Overview; Scope; Accountability
Need to know: Need to know is used with mandatory access control environments to implement granular control over access to segmented and classified data.
Which of the following principles is implemented in a mandatory access control model to determine object access by classification level? Need to know; Separation of duties; Clearance; Ownership
Countermeasures: A countermeasure is a means of mitigating potential risk. Countermeasures reduce the risk of a threat agent being able to exploit a vulnerability.
Which of the following reduces the risk of a threat agent being able to exploit a vulnerability? Secure data transmissions; Implementation of VLANs; Manageable network plans; Countermeasures
Risk avoidance: Risk avoidance involves identifying a risk and making the decision no longer to engage in the actions associated with that risk.
Which of the following strategies involves identifying a risk and making the decision to discontinue engaging in the action? Risk avoidance; Risk transference; Risk mitigation; Risk acceptance
Risk transference: Risk transference involves sharing some of the risk burden with someone else, such as an insurance company.
Which of the following strategies involves sharing some of the risk burden with someone else, such as an insurance company? Risk deterrence; Risk avoidance; Risk transference; Risk mitigation; Risk acceptance
Hacktivist: A hacktivist is any individual whose attacks are politically motivated. Instead of seeking financial gain, hacktivists want to defame, shed light on, or cripple an organization or government. Oftentimes, hacktivists work alone. Occasionally, they form unified groups with like-minded hackers. For example, the website wikileaks.org is a repository of leaked government secrets, some of which have been obtained by hacktivists.
Which of the following threat actors seeks to defame, shed light on, or cripple an organization or government? Insider; Hacktivist; Competitor; Nation state; Script kiddie
Separation of duties: Separation of duties is the security principle that states that no single user is granted sufficient privileges to compromise the security of an entire environment. Usually, this principle is implemented by dividing administrative privileges among several administrators.
Which security principle prevents any one administrator from having sufficient access to compromise the security of the overall IT solution? Separation of duties; Dual administrator accounts; Principle of least privilege; Need to know
Sanitization: Sanitize media that will be reused in a different security context. Sanitization is the process of cleaning a device by removing all data remnants. Sanitization is necessary because deleting, overwriting, and reformatting do not remove all data remnants, even when performed multiple times.
Which type of media preparation is sufficient for media that will be reused in a different security context within your organization? Deletion; Formatting; Destruction; Sanitization
Job rotation: Job rotation is a technique where users are cross-trained in multiple job positions and responsibilities are regularly rotated between personnel. Job rotation can be used for training purposes, but also allows for oversight of past transactions. As jobs rotate, personnel in new positions have the chance to review actions taken by others in that same position and catch security problems.
You are concerned that the accountant in your organization might have the chance to modify financial information and steal from the company. You want to periodically have another person take over all accounting responsibilities to catch any irregularities. Which security principle are you implementing by periodically shifting accounting responsibilities? Explicit deny; Job rotation; Least privilege; Need to know; Separation of duties
Principle of least privilege: The principle of least privilege is the assignment of access permissions so that users can only access the resources required to accomplish their specific work tasks.
You assign access permissions so that users can only access the resources required to accomplish their specific work tasks. Which security principle are you complying with? Job rotation; Need to know; Cross-training; Principle of least privilege
Separation of duties: Separation of duties is the policy of requiring that more than one person participate in completing a task. It helps prevent insider attacks because no one person has end-to-end control, and no one person is irreplaceable.
You want to make sure that any reimbursement checks issued by your company cannot be issued by a single person. Which security principle should you implement to accomplish this goal? Separation of duties; Job rotation; Mandatory vacations; Implicit deny; Least privilege
Guidelines: Guidelines help clarify processes to maintain standards. Guidelines tend to be less formal than policies or standards.
You're the chief security contact for MTS. One of your primary tasks is to document everything related to security and to create a manual that can be used to manage the company in your absence. Which documents should be referenced in your manual as the ones that identify the methods used to accomplish a given task? Policies; Standards; Guidelines; BIA
Integrity: Hashing of any sort at any time, including within a digital signature, provides data integrity.
Your computer system is a participant in an asymmetric cryptography system. You've created a message to send to another user. Before transmission, you hash the message and encrypt the hash using your private key. You then attach this encrypted hash to your message as a digital signature before sending it to the other user. In this example, what protection does the hashing activity provide? Integrity; Confidentiality; Availability; Non-repudiation