Correct Answer: A

Obfuscated passwords are transmitted by the RADIUS protocol via a shared secret and the MD5 hashing algorithm.

Incorrect Answers:

B: Kerberos works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

C: A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates

D: The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

References: http://en.wikipedia.org/wiki/RADIUS http://en.wikipedia.org/wiki/Kerberos_%28protocol%29 http://en.wikipedia.org/wiki/Public_key_infrastructure http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

Correct Answer: A

This question is asking about "authorization", not authentication.

Mandatory access control (MAC) is a form of access control commonly employed by government and military environments. MAC specifies that access is granted based on a set of rules rather than at the discretion of a user. The rules that govern MAC are hierarchical in nature and are often called sensitivity labels, security domains, or classifications.

MAC can also be deployed in private sector or corporate business environments. Such cases typically involve the following four security domain levels (in order from least sensitive to most sensitive):

Public Sensitive Private Confidential

A MAC environment works by assigning subjects a clearance level and assigning objects a sensitivity label--in other words, everything is assigned a classification marker. Subjects or users are assigned clearance levels. The name of the clearance level is the same as the name of the sensitivity label assigned to objects or resources. A person (or other subject, such as a program or a computer system) must have the same or greater assigned clearance level as the resources they wish to access. In this manner, access is granted or restricted based on the rules of classification (that is, sensitivity labels and clearance levels). MAC is named as it is because the access control it imposes on an environment is mandatory. Its assigned classifications and the resulting granting and restriction of access can't be altered by users. Instead, the rules that define the environment and judge the assignment of sensitivity labels and clearance levels control authorization. MAC isn't a very granularly controlled security environment. An improvement to MAC includes the use of need to know: a security restriction where some objects (resources or data) are restricted unless the subject has a need to know them. The objects that require a specific need to know are assigned a sensitivity label, but they're compartmentalized from the rest of the objects with the same sensitivity label (in the same security domain). The need to know is a rule in and of itself, which states that access is granted only to users who have been assigned work tasks that require access to the cordoned-off object. Even if users have the proper level of clearance, without need to know, they're denied access. Need to know is the MAC equivalent of the principle of least privilege from DAC

Incorrect Answers:

A: Biometrics is used in authentication. Biometrics includes fingerprints and retina scans. This question is asking about "authorization", which generally comes after authentication.

C: Single sign-on is used to access multiple systems with a single login. Single sign-on is used for authentication, not authorization.

D: Role-based access control (RBAC) defines access to resources based on job role. We need to authorize access to sensitive systems on a need-to-know basis. Therefore, the default access should be "no access" unless the person can prove a `need to know'. RBAC would give everyone performing a role access to the sensitive system.

References:

Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 278- 284.

Correct Answer: D

Quantitative analysis / assessment is used to the show the logic and cost savings in replacing a server for example before it fails rather than after the failure. Quantitative assessments assign a dollar amount.

Incorrect Answers:

A: Risk can also be calculated qualitatively and are subjective in nature.

B: A business impact analysis is the process of evaluating all of the critical systems in an organization to define impact and recovery plans. BIA isn't concerned with external threats or vulnerabilities; the analysis focuses on the impact a loss would have on the organization. A BIA comprises the following: identifying critical functions, prioritizing critical business functions, calculating a timeframe for critical systems loss, and estimating the tangible impact on the organization.

C: A risk management framework is an umbrella term that concerns all risk management best practices.

References:

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 17, 28-29

Correct Answer: A

A structured walkthrough test of a recovery plan involves representatives from each of the functional areas coming together to review the plan to determine if the plan pertaining to their area is accurate and complete and can be implemented when required.

Incorrect Answers:

B: In a full interruption test, operations are shut down at the primary site and shifted to the recovery site in accordance with the disaster recovery plan.

C: In a checklist test disaster recovery checklists are distributed to all members of a disaster recovery team. The members are asked to review the checklist. This ensures that the checklist is still current, and that the assigned members of disaster recovery teams are still working for the company.

D: A tabletop exercise is a simulation of a disaster. A Tabletop Test is a test of the recovery plan in which actions are not actually performed.

References:

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 454-455

Correct Answer: C

By validating user input and preventing special characters, we can prevent the injection of client- side scripting code. SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

Incorrect Answers:

A: Eliminating cross-site scripting vulnerabilities is always a good idea. However, that will not prevent SQL Injection attacks. Therefore this answer is incorrect.

B: An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDS come in a variety of "flavors"

and approach the goal of detecting suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS) intrusion detection systems. Some systems may attempt to stop an intrusion attempt but this is neither required

nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for

other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies.

An IDS is not used to prevent SQL Injection attacks. Therefore this answer is incorrect.

D: A firewall is used to restrict the flow of traffic between subnets based on rules that specify what source/destination IP addresses, ports and protocols are allowed. A firewall is not used to prevent SQL Injection attacks. Therefore this answer

is incorrect.

References: http://en.wikipedia.org/wiki/SQL_injection http://en.wikipedia.org/wiki/Intrusion_detection_system