JK0-022 Online Practice Questions and Answers

Correct Answer: C

Network Access Control (NAC) means controlling access to an environment through strict adherence to and implementation of security policies. The goals of NAC are to prevent/reduce zero-day attacks, enforce security policy throughout the network, and use identities to perform access control.

Incorrect Answers:

A: NAT serves as a basic firewall by only allowing incoming traffic that is in response to an internal system's request.

B: Network-based intrusion prevention system (NIPS) monitors the entire network for suspicious traffic by analyzing protocol activity.

D: A demilitarized zone (DMZ) is an area of a network that is designed specifically for public users to access.

References:

Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 39, 40.

http://en.wikipedia.org/wiki/Intrusion_prevention_system

Correct Answer: A

Cloud users install operating-system images and their application software on the cloud infrastructure to deploy their applications. In this model, the cloud user patches and maintains the operating systems and the application software.

Incorrect Answers:

B: Storage as a Service (SaaS) is a business model in which third-party providers rent space on their storage to end users that lack the capital budget and/or technical personnel to implement and maintain their own storage infrastructure.

C: This entails cloud providers deliver a computing platform, typically including operating system, programming language execution environment, database, and web server.

D: Software as a Service (SaaS) is sometimes referred to as "on-demand software" and is usually priced on a pay-per-use basis or using a subscription fee.

References: http://en.wikipedia.org/wiki/Cloud_computing http://searchstorage.techtarget.com/definition/Storage-as-a-Service-SaaS

Correct Answer: A

Correct Answer: A

Correct Answer: B

Correct Answer: A

A guard can be intimidating and respond to a situation and in a case where you want to limit an individual's access to a sensitive area a guard would be the most effective.

Incorrect Answers:

B: CCTV will only serve to record the perimeter breach and is not as intimidating as placing a guard to limit the individual's access.

C: Bollards are designed to keep big objects from breaching a perimeter and not individuals who can still slip through between the bollards.

D: A spike strip will only immobilize vehicles trying to breach a perimeter and will not keep individuals out. Individuals can just step over the spike strips and still gain access.

References:

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 372-373

Correct Answer: C

Integrity means the message can't be altered without detection.

Incorrect Answers:

A: Confidentiality means that the message/data retains its privacy.

B: Compliance refers to the degree which documents represent the standards that are agreed upon.

D: Availability refers to the measures that are used to keep services and systems operational

References:

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 291

Correct Answer: A

Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as well. Specific knowledge of the application's code/internal structure and programming knowledge in general is not required. The tester is aware of what the software is supposed to do but is not aware of how it does it. For instance, the tester is aware that a particular input returns a certain, invariable output but is not aware of how the software produces the output in the first place.

Incorrect Answers:

B: Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings. The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents. Penetration tests are used to test the security controls of a system or application. They are not used specifically for general application testing. Therefore, this answer is incorrect.

C: Gray box testing, also called gray box analysis, is a strategy for software debugging in which the tester has limited knowledge of the internal details of the program. A gray box is a device, program or system whose workings are partially understood. Gray box testing can be contrasted with black box testing, a scenario in which the tester has no knowledge or access to the internal workings of a program, or white box testing, a scenario in which the internal particulars are fully known. Gray box testing is commonly used in penetration tests. Gray box testing is considered to be non-intrusive and unbiased because it does not require that the tester have access to the source code. With respect to internal processes, gray box testing treats a program as a black box that must be analyzed from the outside. During a gray box test, the person may know how the system components interact but not have detailed knowledge about internal program functions and operation. A clear distinction exists between the developer and the tester, thereby minimizing the risk of personnel conflicts. This question is asking about testing the application without any knowledge of the internal mechanisms. Therefore, this answer is incorrect.

D: White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality

(i.e. black-box testing). In white-box testing an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the appropriate outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a systemlevel test. This question is asking about testing the application without any knowledge of the internal mechanisms. Therefore, this answer is incorrect.

References: http://en.wikipedia.org/wiki/Black-box_testing http://searchsoftwarequality.techtarget.com/definition/penetration-testing http://searchsoftwarequality.techtarget.com/definition/gray-box http://en.wikipedia.org/wiki/ White-box_testing

Correct Answer: A

Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.

Incorrect Answers:

B, D: Fuzzing uses invalid input and not output to test the application's response, such as crashes, or failed validation, or memory leaks, to such input.

C: Parameterized input may be one of the invalid, unexpected, or random data that would be used in fuzz testing. Other forms of invalid data should also be tested.

References: http://en.wikipedia.org/wiki/Fuzz_testing Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 218 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p 229

Correct Answer: C

Screen-lock is a security feature that requires the user to enter a password after a short period of inactivity before they can access the system again. This feature ensures that if your device is left unattended or is lost or stolen, it will be difficult for anyone else to access your data or applications. Device encryption encrypts the data on the device. This feature ensures that the data on the device cannot be accessed in a useable form should the device be stolen. Remote wipe is the process of deleting data on a device in the event that the device is stolen. This is performed over remote connections such as the mobile phone service or the internet connection and helps ensure that sensitive data is not accessed by unauthorized people.

Incorrect Answers:

A: Voice encryption is used to protect audio (voice) transmission. It cannot secure data stored on a mobile device. Pop-up blockers prevent websites from opening new browser windows without the users consent. These are often used for

advertisements but can also be used to distribute malicious code.

A host-based firewall is installed on a client system and is used to protect the client system from the activities of the user as well as from communication from the network or Internet by filtering the type of network traffic that can sent or

received by the systems.

B: Firewalls, network access control, and strong passwords would secure the network rather than the mobile device. Firewalls protect systems from network attacks by filtering the type of network traffic that can sent or received by the

systems. Strong passwords are likely to mitigate risk of the user account being used to access the network. A strong password would be more difficult to crack. It does not secure the mobile device.

D: Patch management is the process of maintaining the latest source code for applications and operating systems by applying the latest vendor updates. This helps protect a systems from newly discovered attacks and vulnerabilities.

Antivirus software is used to protect systems against viruses, which are a form of malicious code designed to spread from one system to another, consuming network resources. Locking cabinets would secure mobile device when they have

not been issued to users.

References:

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 161-162, 220, 418-419 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 231- 232,

236, 237, 246