Feedback on some questions?

st14

As I mentioned in my other thread, I'm taking Security+ pretty soon and I've been studying for it using Darril's book which is fantastic. Darril is great at explaining things exactly how I understand them best. I scored 90% or better at the end of each chapter so I was feeling pretty confident ... until I went to the CompTIA site yesterday and answered some sample questions. At the end I come to find out that I had failed which I was surprised about. I was caught off guard by some of them. For instance, one of the questions talks about TEMPEST while another was about what type of backup turns off the archive bit and what type doesn't. I did not find anything about these two subjects in Darril's book. Combine that with what I would describe as pretty poor wording of some of the questions and am now worried that the real exam will be full of them. I would appreciate any feedback you guys might have about the following questions which I wasn't too sure about and what I think are the correct answers (I've indicated them in bold along with notes for the less obvious questions):

1. What is the advantage of using application virtualization?

a. It lets you minimize the attack surface relating to the application.
b. It lets a server support multiple isolated client sessions.
c. It lets a server support multiple operating systems.
d. It lets a user run a legacy operating system on a client computer.

Note: b sounds oddly phrased. What is "multiple isolated client sessions"?

2. Which environmental control is part of TEMPEST compliance?

a. Fire suppression
b. HVAC
c. Biometric scans
d. Shielding

3. What is the role of an HVAC system in this environment? (Choose two.)

a. Provide isolation in case of a fire
b. Shield equipment from EMI
c. Provide an appropriate ambient temperature
d. Vent fumes from the data center
e. Maintain appropriate humidity levels

4. For which of the following is centralized key management most complicated?

a. Symmetric key
b. TPM
c. Asymmetric key
d. Whole disk encryption

Note: This was also another odd one. What do they mean by "most complicated" here? Symmetric encryption is complicated if they are talking about the delivery method. However, Asymmetric encryption is also complicated, if you want to separate the public from private keys and make sure you don't lose the private one i.e. by using an escrow. This is why I vote for c. But, also, there is no such thing as an asymmetric key. There are public and private keys. Is this done on purpose to mislead you? Having taken some Microsoft exams you always have to watch out for traps. Is that the case with Security+ as well?

5. You are designing a secure application environment. You need to ensure that data is kept as secure as possible. You need to select the strictest access control model.

a. What access control model should you use?
b. Role-based access control
c. DAC
d. Rule-based access control
e. MAC

Note: I chose e thinking of the amount of granularity you can have with MAC e.g. labels for objects along with classification.

6. You are performing risk assessment for an organization. What should you do during impact assessment?

a. Determine how likely it is that a threat might actually occur
b. Determine how well the organization is prepared to manage the threat.
c. Determine actions that can be taken to mitigate a potential threat.
d. Determine the potential monetary costs related to a threat.

7. You are designing network access control so that remote users are limited to accessing the network during normal business hours only. Policies regarding user access apply to all users.

This is an example of what type of access control?

a. DAC
b. MAC
c. Rule-based access control
d. Role-based access control

Note: I chose c thinking that in a Windows NAC environment you would need to create a time based rule to achieve this.

8. What is the best way to prepare a network to prevent a virus infection from spreading? (Choose two.)

a. Configure personal software firewalls on all computers.
b. Configure all Windows systems to use the NTFS file system.
c. Install a HIDS on the network.
d. Install antivirus software on all network computers.
e. Divide the network into multiple subnetworks.

9. You are deploying a corporate telephony solution. The network includes several branch offices in remote geographic locations. You need to provide VoIP support among all office locations. You need to design a network infrastructure to support communications. You need to minimize the impact on network security. You need to minimize the costs related to deploying the solution.

What should you do?

a. Configure direct network interconnections.
b. Configure NAC.
c. Configure a DMZ in each office.
d. Configure a VLAN.

Note: DMZ is possible but could be too expensive. Direct network interconnections sounds like a made up statement. I was thinking that by segregating the VoIP traffic in a VLAN, it would be easier to control.

10. Your network has servers that are configured as member servers in a Windows Active Directory domain. You need to minimize the risk of unauthorized persons logging on locally to the servers. The solution should have minimal impact on local management and administration and should not limit administrator access.

What should you do? (Choose two.)


a. Rename the local default accounts.
b. Disable the local default accounts.
c. Provide back doors into network servers.
d. Configure all services to run under the context of the Local System account.
e. Require strong passwords.
f. Disable account lockout policies.

Note: b could be an answer. However since the question states that administrator access should not be limited it is ruled out.

11. You are looking for ways to prevent users from removing data from their computer systems. You have disabled all floppy disk drives, and the computers are configured with read-only CD\DVD players.

What else should you do? (Choose two.)

a. Disable all USB ports in the system BIOS.
b. Disable hard disk discovery in the system BIOS.
c. Disable onboard disk controllers in the system BIOS.
d. Password protect the system BIOS.
e. Flash the system BIOS.

Note: My thinking here is that the only way users can remove data here is through USB drives. Once the drives are disabled in the BIOS, password-protecting the BIOS should stop them from enabling them again. The problem though is what stops a user from yanking the side panel off and taking the CMOS battery out for a few seconds and then putting it back in again?

Thanks guys and sorry to make this so long!

Darril

One of the benefits of using practice test questions when studying for an exam is that you can use them to learn. However, when the practice test questions do not include the correct answers or the reasoning behind them, it often results in either memorizing the wrong information or spinning your wheels without gaining in real knowledge.

That said, I do not see the practice test questions that CompTIA is providing as being that useful. Some have clear answers and others are questionable. It's sometimes difficult to determine what was going through the mind of the writer.

Over the years I've written literally thousands of practice test questions for a wide assortment of certification exams for books and practice test question sites such as ucertify.com. While writing the explanation, I often find that I have to reevaluate the incorrect answers I originally created because I realize that they could easily be interpreted as correct. If I never took the time to write the explanation, I wouldn't realize that the correct answer is the only correct answer.

You could post any one of these questions and start a thread where people could weigh in and debate the question/answer. This link is an example where some of the questions were debated: http://www.techexams.net/forums/security/59020-crytography-hashing-encryption.html. In that thread, WizardOfWar identified how he was able to determine what the site is saying the correct answer is.