Learn About CompTIA Exam SY0-201: Security+ 2008 Edition

The following are questions from MeasureUp’s Practice Test to help you prepare for CompTIA Exam SY0-201: Security+ 2008 Edition.

The audience for this exam includes individuals who have at least two years of experience supporting and securing computers and networks. This exam covers the following topics that were not addressed in the original exam, Security+ 2007 Edition (SY0-101): implementing virtualization technologies, using security and monitoring tools appropriately, using logical and physical access control methods to secure computing resources and performing vulnerability assessments. Also, exam SY0-201 focuses more on performing tasks required to secure and defend computers, devices and networks than on merely identifying security-related issues and understanding basic security-related concepts.

Passing SY0-201 earns a candidate one of the certifications required by the U.S. Department of Defense (DOD) directive 8570.1. This directive mandates that both DOD employees and contractors who work with the DOD on any security-related initiative must receive proper training and earn one or more security-related certifications.

Note: You may also use these questions to prepare for CompTIA’s Security+ Bridge Exam, BR0-001.

Objective: Assessments and audits.
Sub-objective: Within the realm of vulnerability assessments, explain the proper use of penetration testing vs. vulnerability scanning.

Single answer, multiple-choice

You are configuring security for a network that is isolated from the Internet by a perimeter network. Three Web servers and a network intrusion detection system (NIDS) are deployed in the perimeter network. You need to test the network’s ability to detect and respond to a denial of service (DoS) attack against the applications running on the Web servers. What should you do?

A.    Use vulnerability scanning.
B.    Use penetration testing.
C.    Use network analysis.
D.    Use port scanning.



You should use penetration testing. During penetration testing, you simulate an actual attack. In this case, you would simulate a DoS attack to determine if your security configuration is sufficient to meet the requirements. If there are potential problems, the penetration test can be used to justify the time and expense of making additional changes to the security configuration.

You should not use vulnerability scanning. This is more general, looking for potential weaknesses rather than testing a specific security scenario. Vulnerability scanning is more useful in identifying risks such as configuration problems and missing security patches, as well as suggesting mitigating actions.

You should not use network analysis. Network analysis, also known as protocol analysis, lets you collect network communication statistics and identify changes in traffic patterns. It does not provide a way of testing for specific shortcomings.

You should not use port scanning. Port scanning searches the network entry points and servers for open ports that might be exploited. This does not test the effectiveness of the NIDS against a DoS attack.

“Guide to penetration testing, Part 1: Reasons to perform a penetration test”


“Penetration test”


“Vulnerability scanner”

Objective: Cryptography.
Sub-objective: Explain basic hashing concepts and map various algorithms to appropriate applications.

Single answer, multiple-choice

MD5 and SHA are what type of algorithms?

A.    Symmetric encryption
B.    Asymmetric encryption
C.    Hashing
D.    Private key encryption


A hash value (or message digest) uses one-way encryption. A hash is a short value that is derived from the message itself. It is computed using a hash algorithm such as Message Digest Service (MD5) or Secure Hash Algorithm (SHA). When the message is received, the hash algorithm is applied again. If the hash values match, you can be reasonably certain that the message has not been altered.

MD5 uses a 128-bit hash value. SHA-1 uses a 160-bit hash value and is considered more secure than MD5, but it is slower. Digital signatures, which use asymmetric cryptography, also use hashing to ensure the integrity of the message. Hashing also is used for storing information that will not need to be decrypted, such as a PIN number on an ATM card or a password.

Symmetric encryption (private key encryption) uses a private key to both encrypt and decrypt the message. The problem is that both parties must share the private key, which can be difficult if it must be sent over an insecure network such as the Internet. Data encryption standard (DES), Triple DES (3DES), and advanced encryption standard (AES or Rijndael) are examples of symmetric encryption algorithms.

Asymmetric encryption (public key encryption) uses a combination of a private key and a public key. The message is encrypted by using the recipient's public key (often distributed with digital certificates) and is decrypted by using the recipient's private key. RSA, Diffie-Hellman and ElGamal are used in asymmetric encryption.

“Cryptography Basics”


“Advanced Encryption Standard”


“Data Encryption Standard”


“Triple DES”


“SHA hash functions”



“Cryptographic hash function”

Objective: Network infrastructure.
Sub-objective: Determine the appropriate use of network security tools to facilitate network security.

Single answer, multiple-choice

What type of IDS reports possible attacks when it detects conditions that match the conditions contained in a database of attacks?

A.    Signature-based
B.    Anomaly-based
C.    Network-based
D.    Host-based


An intrusion detection system (IDS) can detect attacks in one of two ways. A signature-based system matches activity against known patterns of attacks. These attack signatures are kept in a database that must be updated as new attacks are uncovered. An anomaly-based system examines patterns that develop over time to establish a baseline. Events that differ enough statistically from the baseline (normal) are tagged as possible attacks. Anomaly-based systems require time to establish the baseline but may be less prone to miss new attacks.

IDS architecture includes two types of intrusion detection systems: host-based and network-based. A host-based IDS (HIDS) is more ambitious and provides more information. A host-based IDS uses a manager and multiple agents to communicate with each other, along with a reporting system to help in solving problems within the network. The agents run on individual host computers.

A network-based IDS (NIDS) is one application that is used to scan all transmissions on a subnet for activity in real time. This application works as both the agent and manager and is effective for thwarting denial-of-service attacks.



“intrusion prevention”

“Penetration testing — Social engineering, IDS and honey pots”

Objective: Systems security.
Sub-objective: Explain the security risks pertaining to system hardware and peripherals.

Single answer, multiple-choice

You currently have all computer systems set up to boot first from the hard drive. You want to prevent computers from booting from CDs, DVDs or USB drives. What should you do?

A.    Flash the BIOS.
B.    Password protect the BIOS.
C.    Apply a security template.
D.    Create a configuration baseline.


You need to password protect the BIOS to prevent users from changing the boot order in the BIOS. If the BIOS is not protected with a password, any user can enter the BIOS when the computer is booting and alter the boot order.

There is no reason to flash the system BIOS. Flashing is the method used to update the BIOS. It is typically not necessary unless BIOS problems are discovered or if a newer version is required to support an upgrade, such as a new operating system version.

You should not apply a security template. Security templates configure security settings such as password and access settings. They do not apply any settings before the operating system has loaded. The security templates provided with Windows have various levels of default settings. You also can create custom security templates.

You should not create a configuration baseline. You create a configuration baseline to help manage changes to your computer systems. The configuration baseline describes the state of the system at the time you create the baseline. When you make changes to the system, you should also update the baseline. A configuration baseline can also describe the desired standard configuration of a system.

“USB storage devices: Two ways to stop the threat to network security”



“Understanding Windows Security Templates”


“Baseline (configuration management)”

Objective: Access control.
Sub-objective: Identify and apply industry best practices for access control methods.

Single answer, multiple-choice

What does an implicit deny on an access control list (ACL) do?

A.    It denies all traffic.
B.    It denies only traffic that is specifically denied.
C.    It deactivates the ACL.
D.    It denies any traffic not specifically allowed.


The principle of implicit deny is implemented in most routers and firewalls. An implicit deny means that any traffic that is not specifically allowed by an access control entry (ACE) is denied. This makes the network more secure. An ACL restricts access to a network or network segment to only those addresses and ports that are allowed. Operating systems also use ACLs to determine which users have rights to files and folders.

“Infrastructure Planning and Design”
Microsoft TechNet


“access control list”


Like what you see? Share it.Google+LinkedInFacebookRedditTwitterEmail


Posted in Archive|