Correct Answer: D

The private key must be kept secret at all time. The private key is only by the client. The public key is available to anybody.

Incorrect Answers:

A: The private key is only by the client, while the public key is used by all.

B: You can use the private key to encrypt data. Then you would need to use the public key to decrypt it.

C: The key pair, consisting of a private key and a public key, is used in asymmetric encryption and asymmetric decryption.

References:

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 279-285

Correct Answer: AF

The more difficult a password is the more difficult it is to be cracked by an attacker. By increasing the password complexity you make it more difficult. Passwords that are too short can easily be cracked. The more characters used in a password, combined with the increased complexity will mitigate password cracking attacks.

Incorrect Answers:

B: IDS (intrusion detection systems) can be implemented to capture suspicious logins, but that assumes that the passwords are already cracked.

C: Password history implementation is used to prevent users changing their password to the same value as the old one, or to one that they used the last time around, this might also be used by some crackers to hack passwords and thus is not mitigating password attacks.

D: Monitoring the logins is part of auditing and does not mitigate the password cracking attacks.

E: Password expiration refers to the period of validity of passwords. Some crackers will even make use of these expiry periods to crack passwords.

References:

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 139-140

Correct Answer: C

Change Management is a risk mitigation approach and refers to the structured approach that is followed to secure a company's assets. Thus the actual switch configuration should first be subject to the change management approval.

Incorrect Answers:

A: Incident management refers to the steps followed WHEN events occur (making sure controls are in place to prevent unauthorized access to, and changes of, all IT assets). The scenario want to know what must be done prior to the incident.

B: Incident management refers to the process that has to be followed WHEN an event occurred not prior to the event.

D: Immediately prior to the actual switch configuration the request should be approved through the change management process.

References:

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 10

Correct Answer: C

Blocking e-mail is the same as preventing the receipt of those e-mails and this is done by applying a filter. But the filter must be configured to block it. Thus you should add that specific domain from where the e-mails are being sent to the list of addresses that is to be blocked.

Incorrect Answers:

A: ACLs enable devices in your network to ignore requests from specified users or systems or to grant them access to certain network capabilities.

B: URL filtering involves blocking websites (or sections of websites) based solely on the URL, restricting access to specified websites and certain web-based applications.

D: TLS is a security protocol that further enhances SSL and though this is also a solution to establish a secure communication connection between two TCP- based machines, it is not short term to prevent emails from being received.

References:

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 119, 269

Correct Answer: B

Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as well. Specific knowledge of the application's code/internal structure and programming knowledge in general is not required. The tester is aware of what the software is supposed to do but is not aware of how it does it. For instance, the tester is aware that a particular input returns a certain, invariable output but is not aware of how the software produces the output in the first place.

Incorrect Answers:

A: Gray box testing, also called gray box analysis, is a strategy for software debugging in which the tester has limited knowledge of the internal details of the program. A gray box is a device, program or system whose workings are partially understood. Gray box testing can be contrasted with black box testing, a scenario in which the tester has no knowledge or access to the internal workings of a program, or white box testing, a scenario in which the internal particulars are fully known. Gray box testing is commonly used in penetration tests. Gray box testing is considered to be non-intrusive and unbiased because it does not require that the tester have access to the source code. With respect to internal processes, gray box testing treats a program as a black box that must be analyzed from the outside. During a gray box test, the person may know how the system components interact but not have detailed knowledge about internal program functions and operation. A clear distinction exists between the developer and the tester, thereby minimizing the risk of personnel conflicts. The question states that the Quality team does not have any experience with the application. Therefore, this answer is incorrect.

C: Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings. The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents. Penetration tests are used to test the security controls of a system or application. It is not used specifically for general application testing. Therefore, this answer is incorrect.

D: White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality

(i.e. black-box testing). In white-box testing an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the appropriate outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a systemlevel test. The question states that the Quality team does not have any experience with the application. Therefore, this answer is incorrect.

References: http://en.wikipedia.org/wiki/Black-box_testing http://searchsoftwarequality.techtarget.com/definition/gray-box http://searchsoftwarequality.techtarget.com/definition/penetration-testing http://en.wikipedia.org/wiki/ White-box_testing