Security+ 4.0 Domain

Flexibility
Performing a physical-to-virtual migration (P2V).
Testing
Verifying that security controls are working as designed.
Server consolidation
Isolating a virtual machine from the physical network
Sandboxing
Moving virtual machines between hypervisor hosts.
You are implementing a iSCSI SAN that will be used by the file servers in your organization. You are concerned about security, so your design specifies that iSCSI initiators and targets must authenticate with each other before connection over the SAN will be allowed. In addition, you want data being transferred over the SAN to be encrypted. Which of the following are true in the scenario? (select two)

– The Encapsulating Security Payload (ESP) protocol can be used to encrypt data in transit.
– The Challenge-Handshake Authentication Protocol (CHAP) and Reverse CHAP can be used to mutually authenticate SAN hosts.
– The Fibre Channel Authentication Protocol (FCAP) can be used to mutually authenticate SAN hosts.
– The Internet Protocol Security (IPSec) protocol can be used to encrypt the data in transit.
– The Diffie-Hellman Challenge Handshake Authentication Protocol (DC-CHAP) can be used to mutually authenticate SAN hosts.

– The Challenge-Handshake Authentication Protocol (CHAP) and Reverse CHAP can be used to mutually authenticate SAN hosts.
– The Internet Protocol Security (IPSec) protocol can be used to encrypt data in transit.
Your organization recently purchased 30 tablet devices for your traveling sales force. These devices have Windows RT preinstalled on them. To increase the security of these devices, you want to apply a default set of security-related configuration settings. What is the best approach to take to accomplish this? (select two)

-Link the Group Policy Object to the container where the tablets’ computer objects reside.
– Manually configure security settings using the Local Group Policy Editor.
– Configure security settings in a Group Policy Object.
– Enroll the devices in a mobile device management system.
– Configure and apply security policy settings in a mobile device management system.
– Join the tablets to your domain.

– Enroll the devices in a mobile device management system.
– Configure and apply security policy settings in a mobile device management system.
You are designing a Fibre Channel SAN Implementation that will be used to file servers in your organization. Multiple volumes will be configured on the SAN, each used by different departments in your organization. It’s very important that only the appropriate server be able to connect to a given volume on the SAN. For example, the Sales and Marketing server must not be allowed to connect to the SAN volume used by Human Resources.
To enable this, you decided to use LUN Masking.
Which of the following is true of this scenario?

– LUN Masking provides weak security as it only obscures volumes on the disk.
– LUN masking is enforced by the SAN switch using ACLs.
– Encryption protocols such as ESP are not compatible with LUN masking.
– Authentication protocols such as DH-CHAP are not compatible with LUN masking.

– LUN Masking provides weak security as it only obscures volumes on the disk.
You manage the Information systems for a large manufacturing firm. Supervisory control and data acquisition (SCADA) devices are used on the manufacturing floor to manage your organization’s automated factory equipment. The SCADA devices use embedded smart technology, allowing them to be managed using a mobile device app over an Internet connection. You are concerned about the security of these devices. What can you do to increase their security posture?

-Enroll each device in a mobile device management system.
– Install a network monitoring agent on each device.
– Verify that your network’s existing security infrastructure is working properly.
– Install anti-malware software on each device.
– Install the latest firmware updates from the device manufacturer.

– Verify that your network’s existing security infrastructure is working properly.
– Install the latest firmware updates from the device manufacturer.
You have recently experienced a security incident with one of your servers. After some research, you determine that the hotfix #568994 that has recently been released would have protected the server. Which of the following recommendations should you follow when applying the hotfix?

– Test the hotfix, then apply it to the server that had the problem.
– Test the hotfix, then apply it to all servers.
– Apply the hotfix immediately to the server; apply the hotfix to other devices only as the security threat manifests itself.
– Apply the hotfix immediately to all servers.

– Test the hotfix, then apply it to all servers.
You’ve been assigned to evaluate NoSQL databases as a part of a big data analysis initiative in your organization. You’ve downloaded an Open Source NoSQL database from the Internet and installed it on a test system in an isolated lab environment. Which of the following are likely to be true about this test system?

– Data will be stored in the database in unencrypted format.
– The database is more susceptible to SQL injection attacks than traditional SQL databases.
– The database admin user has no password assigned.
– The default admin user password is admin.
– Data will be stored in the database in encrypted format by default.

– Data will be stored in the database in unencrypted format.
– The database admin user has no password assigned.
You have a development machine that contains sensitive Information relative to your business. You are concerned that spyware and malware might get installed while browsing websites and could compromise your system or pose a confidentially risk. Which of the following would best protect your system?

– Run the browser within a virtual environment.
– Run the browser in protected mode.
– Change the security level for the Internet zone to High.
– Configure the browser to block all cookies and pop-ups.

– Run the browser within a virtual environment.
Which of the following is specifically meant to ensure that a program operates on clean, correct and useful data?

– Error and exception handling
– Application hardening
– Input validation
– Process spawning

– Input validation
What is the main function of a TPM hardware chip?

– Generate and store cryptographic keys
– Perform bulk encryption in a hardware processor
– Provide authentication credentials on a hardware device
– Control access to removable media

– Generate and store cryptographic keys
Your organization has recently purchased 20tablet devices for the Human Resources department to use for training sessions.
You are concerned that these device could represent a security risk to your network and want to strengthen their security profile as much as possible. Which actions should you take? (select two)

– Install the devices in your organization’s directory services tree.
– Join the devices to your organization’s domain.
– Configure a Group Policy object (GPO) contain mobile device-specific security settings.
– Implement storage segmentation
– Enable device encryption.

– Implement storage segmentation
– Enable device encryption
You are implementing a Fibre Channel SAN that will be used by the database servers in your organization. You are concered about security, so your design specifies that SAN hosts must authenicate with each other before a connection over the SAN will be allowed. In addition, you want data being transferred over the SAN to be encrypted. Which of the following are true in this scenario?

– The Internet Protocol Security (IPSec) protocol can be used to encrypt data in transit.
– The Challenge-Handshake Authentication Protocol (CHAP) and reverse CHAP can be used to mutually authenticate SAN hosts.
– Kerberos can be used to mutually authenticate SAN hosts.
– The Encapsulating Security Payload (ESP) protocol can be used to encrypt data in transit.
– The Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP) can be used to mutually authenticate SAN hosts.

– The Encapsulating Security Payload (ESP) protocol can be used to encrypt data in transit.
– The Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP) can be used to mutually authenticate SAN hosts.
You want to protect data on hard drives for users with laptops. You want the drive to be encrypted, and you want to prevent the laptops from booting unless a special USB drive is inserted. In addition, the system should not boot if a change is detected in any of the boot files.
What should you do?

-Implement BitLocker without a TPM
-Implement BitLocker with a TPM
-Have each user encrypt the entire volume with EFS
– Have each user encrpyt user files with EFS

-Implement BitLocker with a TPM
Preventing Malware infections
Implement a network access control (NAC) solution
Supporting mobile device users
Specify who users can call for help with mobile device apps in your acceptable use policy
Preventing loss of control of sensitive data
Enroll devices in a mobile device management system.
Preventing malicious insider attacks
Specify where and when mobile devices can be possessed in your acceptable use policy.
Applying the latest anti-malware definitions
Implement a network access control (NAC) solution
You manage the information systems for a large co-location data center. Networked environmental controls are used to manage the temperature within the data center. These controls use embedded smart technology allowing them to be managed using a mobile device app over an Internet connection. You are concerned about the security of these devices. What can you do to increase their security posture?

-Rely on the device manufacture to maintain device security with automated firmware updates.
– Verify that your network’s existing security infrastructure is working properly.
– Install anti-malware software on each device.
– Enroll each device in a mobile device management system.

– Verify that your network’s existing security infrastructure is working properly.
Which of the following tools can you use on a Windows network to automatically distribute and install software and operating system patches on workstations?

-Group Policy
-WSUS
-Security Templates
-Security Configuration and Analysis

-Group Policy
-WSUS

Windows Software Update Services (WSUS) is a patch management tool that allows clients on a network to download software updates from a WSUS server internal to their organization.