Want to know Examcollection sy0 401 dump Exam practice test features? Want to lear more about CompTIA CompTIA Security+ Certification certification experience? Study Approved CompTIA sy0 401 pdf answers to Regenerate comptia security+ get certified get ahead sy0 401 study guide questions at Examcollection. Gat a success with an absolute guarantee to pass CompTIA sy0 401 study guide pdf (CompTIA Security+ Certification) test on your first attempt.
2017 NEW RECOMMEND
Free VCE & PDF File for CompTIA SY0-401 Real Exam
Pass on Your First TRY 100% Money Back Guarantee Realistic Practice Exam Questions
Q471. Which of the following uses both a public and private key?
The RSA algorithm is an early public-key encryption system that uses large integers as the basis
for the process.
RSA uses both a public key and a secret.
RSA key generation process:
Generate two large random primes, p and q, of approximately equal size such that their product, n = pq, is of the required bit length (such as 2048 bits, 4096 bits, and so forth). Let n = pq Let m = (p-1)(q-1)
Choose a small number e, co-prime to m (note: Two numbers are co-prime if they have no common factors).
Find d, such that de % m = 1
Publish e and n as the public key. Keep d and n as the secret key.
Q472. Which of the following assessments would Pete, the security administrator, use to actively test that an applicationâs security controls are in place?
A. Code review
B. Penetration test
C. Protocol analyzer
D. Vulnerability scan
Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings. The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents. Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in.
Pen test strategies include:
Targeted testing Targeted testing is performed by the organization's IT team and the penetration testing team working together. It's sometimes referred to as a "lights-turned-on" approach because everyone can see the test being carried out.
External testing This type of pen test targets a company's externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can get in once they've gained access.
Internal testing This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.
Blind testing A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that's performing the test beforehand. Typically, they may only be given the name of the company. Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive.
Double blind testing Double blind testing takes the blind test and carries it a step further. In this type of pen test, only one or two people within the organization might be aware a test is being conducted. Double-blind tests can be useful for testing an organization's security monitoring and incident identification as well as its response procedures.
Q473. Ann, the Chief Information Officer (CIO) of a company, sees cloud computing as a way to save money while providing valuable services. She is looking for a cost-effective solution to assist in capacity planning as well as visibility into the performance of the network. Which of the following cloud technologies should she look into?
Q474. A user has several random browser windows opening on their computer. Which of the following programs can be installed on his machine to help prevent this from happening?
B. Pop-up blocker
C. Spyware blocker
Pop-up blockers prevent websites from opening new browser windows without the users consent. These are often used for advertisements but can also be used to distribute malicious code.
Q475. How often, at a MINIMUM, should Sara, an administrator, review the accesses and rights of the users on her system?
B. Immediately after an employee is terminated
C. Every five years
D. Every time they patch the server
Reviewing the accesses and rights of the users on a system at least annually is acceptable practice. More frequently would be desirable but too frequently would be a waste of administrative time.
Q476. A financial company requires a new private network link with a business partner to cater for realtime and batched data flows.
Which of the following activities should be performed by the IT security staff member prior to establishing the link?
A. Baseline reporting
B. Design review
C. Code review
D. SLA reporting
This question is asking about a new private network link (a VPN) with a business partner. This will
provide access to the local network from the business partner.
When implementing a VPN, an important step is the design of the VPN. The VPN should be
designed to ensure that the security of the network and local systems is not compromised.
The design review assessment examines the ports and protocols used, the rules, segmentation,
and access control in the systems or applications. A design review is basically a check to ensure
that the design of the system meets the security requirements.
Q477. Digital certificates can be used to ensure which of the following? (Select TWO).
Digital Signatures is used to validate the integrity of the message and the sender. Digital certificates refer to cryptography which is mainly concerned with Confidentiality, Integrity, Authentication, Nonrepudiation and Access Control. Nonrepudiation prevents one party from denying actions they carried out.
Q478. Which of the following may cause Jane, the security administrator, to seek an ACL work around?
A. Zero day exploit
B. Dumpster diving
C. Virus outbreak
A zero day vulnerability is an unknown vulnerability so there is no fix or patch for it. One way to attempt to work around a zero day vulnerability would be to restrict the permissions by using an ACL (Access Control List) A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix itâthis exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term âzero dayâ refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users.
Q479. Which of the following should be connected to the fire alarm system in order to help prevent the spread of a fire in a server room without data loss to assist in an FM-200 deployment?
A. Water base sprinkler system
D. Video surveillance
HVAC refers to heating, ventilation and air-conditioning to allow for a zone-based environmental control measure. The fire-alarm system should ideally also be hooked up to the HVAC so that the HVAC can monitor the changes in heating and ventilation.
Q480. Symmetric encryption utilizes __________, while asymmetric encryption utilizes _________.
A. Public keys, one time
B. Shared keys, private keys
C. Private keys, session keys
D. Private keys, public keys
Symmetrical systems require the key to be private between the two parties. With asymmetric
systems, each circuit has one key.
In more detail:
Symmetric algorithms require both ends of an encrypted message to have the same key and processing algorithms. Symmetric algorithms generate a secret key that must be protected. A symmetric key, sometimes referred to as a secret key or private key, is a key that isnât disclosed to people who arenât authorized to use the encryption system.
Asymmetric algorithms use two keys to encrypt and decrypt data. These asymmetric keys are referred to as the public key and the private key. The sender uses the public key to encrypt a message, and the receiver uses the private key to decrypt the message; what one key does, the other one undoes.