SY0-401 | Leading CompTIA SY0-401 exam dumps




New CompTIA SY0-401 Exam Dumps Collection (Question 13 - Question 22)

Question No: 13

A system administrator is configuring UNIX accounts to authenticate against an external server. The configuration file asks for the following information DC=ServerName and DC=COM. Which of the following authentication services is being used?

A. RADIUS

B. SAML

C. TACACS+

D. LDAP

Answer: D

Explanation:

The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an IP network. Directory services play an important role in intranet and Internet applications by sharing information about users, systems, networks, services and applications throughout the network; a corporate e-mail directory, or a telephone directory listing subscribers with an address and a phone number, are examples of the organized and usually hierarchical set of records they hold. The "DC=ServerName,DC=COM" in the question is an LDAP base distinguished name built from domain components, which is what identifies the protocol. One practical caveat: a UNIX client bound to a directory this way sends its bind password to the server, so the connection should use LDAPS (port 636) or StartTLS on port 389 rather than cleartext LDAP.

An entry can look like this when represented in LDAP Data Interchange Format (LDIF) (LDAP itself is a binary protocol):

dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: john@example.com
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

"dn" is the distinguished name of the entry; it is neither an attribute nor a part of the entry. "cn=John Doe" is the entry's RDN (Relative Distinguished Name), and "dc=example,dc=com" is the DN of the parent entry, where "dc" denotes 'Domain Component'. The other lines show the attributes in the entry. Attribute names are typically mnemonic strings, like "cn" for common name, "dc" for domain component, "mail" for e-mail address, and "sn" for surname.

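The entry above taken apart in code, as an added example that is not part of the original page: a small LDIF reader and an RFC 4514 DN splitter. SAMPLE_LDIF reproduces the John Doe entry from the explanation; the escaped-comma DN and the base_dn_from_domain helper are constructed here for illustration and are not from the exam.

```python
"""Added example (not from the original page): read an LDIF entry and
split its distinguished name into RDN and parent DN."""

# Constructed input: the John Doe entry from the explanation, as LDIF text.
SAMPLE_LDIF = """\
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: john@example.com
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
"""


def parse_ldif_entry(text):
    """Return (dn, attributes); attributes maps a name to the list of its
    values, so multi-valued attributes such as objectClass keep every value.
    LDIF folds long values onto following lines that begin with a space."""
    dn, attrs, last = None, {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:   # folded continuation
            if last == "dn":
                dn += line[1:]
            else:
                attrs[last][-1] += line[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
        last = name
    return dn, attrs


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas
    (RFC 4514): 'cn=Doe\\, John,dc=example,dc=com' yields three parts."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape and escaped char
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def dn_components(dn):
    """[('cn', 'John Doe'), ('dc', 'example'), ('dc', 'com')] for the sample."""
    return [tuple(part.split("=", 1)) for part in split_dn(dn)]


def rdn_and_parent(dn):
    """The entry's own RDN and the DN of its parent, as described above."""
    parts = split_dn(dn)
    return parts[0], ",".join(parts[1:])


def base_dn_from_domain(domain):
    """Map a DNS domain to the dc= base DN a client is configured with;
    dc values are case-insensitive, so the labels are kept as given."""
    return ",".join("dc=" + label for label in domain.split("."))


if __name__ == "__main__":
    dn, attrs = parse_ldif_entry(SAMPLE_LDIF)
    print(dn, rdn_and_parent(dn), attrs["objectClass"])
    print(base_dn_from_domain("ServerName.COM"))
```

The splitter exists because naive `dn.split(",")` breaks on escaped commas in values such as `cn=Doe\, John`, a classic source of both parsing bugs and filter-injection mistakes in LDAP code.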
Question No: 14

Human Resources suspect an employee is accessing the employee salary database. The administrator is asked to find out who it is. In order to complete this task, which of the following is a security control that should be in place?

A. Shared accounts should be prohibited.

B. Account lockout should be enabled

C. Privileges should be assigned to groups rather than individuals

D. Time of day restrictions should be in use

Answer: A

Explanation:

Since distinguishing between the actions of one person and another isn't possible if they both use a shared account, shared accounts should not be allowed. If shared accounts are in use, the administrator will find the account but will have more than one suspect. Prohibiting shared accounts is therefore the control that ties each action in the audit trail to one accountable individual.

Question No: 15

A system administrator has noticed that users change their password many times to cycle back to the original password when their passwords expire. Which of the following would BEST prevent this behavior?

A. Assign users passwords based upon job role.

B. Enforce a minimum password age policy.

C. Prevent users from choosing their own passwords.

D. Increase the password expiration time frame.

Answer: B

Explanation:

A minimum password age policy defines the period for which a password must be kept before it can be changed again. Password history on its own does not stop the behaviour described: a user can make N+1 changes in a minute to push the original password out of a history of N entries. With a minimum age of one day, the same cycle takes N+1 days, so history and minimum age are used together.

Question No: 16

Which of the following provides additional encryption strength by repeating the encryption process with additional keys?

A. AES

B. 3DES

C. TwoFish

D. Blowfish

Answer: B

Explanation:

Triple-DES (3DES) is a technological upgrade of DES that applies the DES operation three times (encrypt, decrypt, encrypt) with separate keys. 3DES is still found in deployed systems, even though AES is the preferred choice for government applications. It is considerably harder to break than DES: with three independent 56-bit keys the nominal key length is 168 bits, although the meet-in-the-middle attack reduces the effective strength to about 112 bits. NIST deprecated 3DES and disallowed it for encryption after 2023 (SP 800-131A), so it should not be chosen for new designs.

Question No: 17

Pete, an employee, needs a certificate to encrypt data. Which of the following would issue Pete a certificate?

A. Certification authority

B. Key escrow

C. Certificate revocation list

D. Registration authority

Answer: A

Explanation:

A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates.

Question No: 18

Which of the following is true about the recovery agent?

A. It can decrypt messages of users who lost their private key.

B. It can recover both the private and public key of federated users.

C. It can recover and provide users with their lost or private key.

D. It can recover and provide users with their lost public key.

Answer: A

Explanation:

A key recovery agent is an entity that has the ability to recover a private key, key components, or plaintext messages as needed. Using the recovered key the recovery agent can decrypt encrypted data.

Question No: 19

Which of the following are restricted to 64-bit block sizes? (Select TWO).

A. PGP

B. DES

C. AES256

D. RSA

E. 3DES

F. AES

Answer: B,E

Explanation:

B: The Data Encryption Standard (DES) has been used since the mid-1970s. It was the primary standard used in government and industry until it was replaced by AES. It's based on a 56-bit key and a 64-bit block, and has several modes of operation. It is now considered insecure because of the small key size.

E: Triple-DES (3DES) keeps the 64-bit DES block and applies DES three times with three 56-bit keys (168 bits nominal, about 112 bits effective). The other options are not restricted to 64-bit blocks: AES and AES-256 use a 128-bit block regardless of key size, RSA operates on numbers the size of its modulus, and PGP is a message format that can use several different ciphers. The 64-bit block is a weakness in its own right, independent of key length: after about 2^32 blocks (32 GiB) under one key in CBC mode, repeated ciphertext blocks become likely and each repeat leaks the XOR of two plaintext blocks, which is the basis of the 2016 Sweet32 attack on 3DES and Blowfish in TLS and OpenVPN.
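Why the block size, and not just the key size, bounds how much data one key may protect, as an added example that is not part of the original page: the birthday bound on block collisions, evaluated for the 64-bit block of DES/3DES and the 128-bit block of AES. The rekey threshold in rekey_limit_bytes is a policy choice made up for this example, not a value from the exam.

```python
"""Added example (not from the original page): with n random b-bit blocks,
the chance that at least two coincide is about 1 - exp(-n^2 / 2^(b+1)).
In CBC mode a repeated ciphertext block reveals the XOR of the two matching
plaintext blocks, so a collision is a plaintext leak."""
import math


def collision_probability(n_blocks, block_bits):
    """Birthday-bound probability that at least two of n_blocks b-bit
    ciphertext blocks are identical."""
    return 1.0 - math.exp(-float(n_blocks) ** 2 / 2.0 ** (block_bits + 1))


def blocks_for_probability(p, block_bits):
    """Blocks needed before a collision has probability p (inverse of above)."""
    return math.sqrt(2.0 ** (block_bits + 1) * math.log(1.0 / (1.0 - p)))


def bytes_for_probability(p, block_bits):
    """The same threshold expressed in bytes encrypted under one key."""
    return blocks_for_probability(p, block_bits) * (block_bits // 8)


def rekey_limit_bytes(block_bits, max_probability=1e-6):
    """Per-key data limit that keeps collision risk below max_probability.
    The 1e-6 default is an assumed policy value for this example."""
    return bytes_for_probability(max_probability, block_bits)


if __name__ == "__main__":
    for bits in (64, 128):
        print(f"{bits}-bit block: 50% collision after "
              f"{bytes_for_probability(0.5, bits) / 2**30:.1f} GiB; "
              f"rekey below {rekey_limit_bytes(bits) / 2**20:.1f} MiB")
```

For a 64-bit block the 50% point sits at roughly 40 GB under a single key, and a 10^-6 risk budget is exhausted after a few tens of megabytes; for a 128-bit block both figures are astronomically larger, which is why AES needs no such rekeying in practice.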

Question No: 20

The systems administrator notices that many employees are using passwords that can be easily guessed or are susceptible to brute force attacks. Which of the following would BEST mitigate this risk?

A. Enforce password rules requiring complexity.

B. Shorten the maximum life of account passwords.

C. Increase the minimum password length.

D. Enforce account lockout policies.

Answer: A

Explanation:

Password complexity typically requires at least three of the four standard character classes (upper case, lower case, digits, symbols) in a password. Combined with adequate length, it shrinks the share of passwords an attacker can recover from wordlists and makes exhaustive brute force slower. Length contributes more to brute-force resistance than the number of classes, so complexity rules are normally paired with a minimum length; account lockout limits online guessing but does nothing against offline cracking of a stolen hash.
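The controls from Question 15 and Question 20 together, as an added example that is not part of the original page. The policy values (24 remembered passwords, a one-day minimum age, 12 characters, three of four classes) and the PBKDF2 iteration count are assumed for illustration; the class shows that password history alone lets a user cycle back to the original password in a minute, that a minimum age turns that cycle into days, and that the complexity check rejects weak candidates before they reach the history check.

```python
"""Added example (not from the original page): password change policy with
history, minimum age and complexity. Policy defaults are assumptions."""
import hashlib
import hmac
import os
import re

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


class PasswordPolicy:
    def __init__(self, history=24, min_age_seconds=86400,
                 min_length=12, classes_required=3, iterations=50_000):
        self.history = history
        self.min_age_seconds = min_age_seconds
        self.min_length = min_length
        self.classes_required = classes_required
        self.iterations = iterations        # raise for production use
        self._users = {}   # user -> {"history": [(salt, digest)], "changed": t}

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, self.iterations)

    def complexity_ok(self, password):
        """Minimum length plus N of the four character classes."""
        if len(password) < self.min_length:
            return False
        classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
        return classes >= self.classes_required

    def set_initial(self, user, password, now):
        salt = os.urandom(16)
        self._users[user] = {"history": [(salt, self._digest(password, salt))],
                             "changed": now}

    def change_password(self, user, new_password, now):
        """Return (accepted, reason). Checks run cheapest first; the history
        comparison re-derives PBKDF2 under each stored salt."""
        rec = self._users[user]
        if now - rec["changed"] < self.min_age_seconds:
            return False, "minimum age not reached"
        if not self.complexity_ok(new_password):
            return False, "complexity"
        for salt, digest in rec["history"]:
            if hmac.compare_digest(self._digest(new_password, salt), digest):
                return False, "reused"
        salt = os.urandom(16)
        rec["history"].append((salt, self._digest(new_password, salt)))
        rec["history"] = rec["history"][-self.history:]   # remember last N
        rec["changed"] = now
        return True, "changed"


def cycle_back(policy, user, original, filler, now):
    """Attempt the trick from Question 15: burn through the history with
    throwaway passwords, then try the original again. Returns the final
    (accepted, reason) for the original password."""
    for pw in filler:
        accepted, _ = policy.change_password(user, pw, now)
        if not accepted:
            break
    return policy.change_password(user, original, now)


if __name__ == "__main__":
    lax = PasswordPolicy(history=3, min_age_seconds=0)
    lax.set_initial("ann", "Original#Pass1", now=0)
    print("history only:", cycle_back(lax, "ann", "Original#Pass1",
          ["Cycle#Pass0001", "Cycle#Pass0002", "Cycle#Pass0003"], now=1))
    strict = PasswordPolicy(history=3, min_age_seconds=86400)
    strict.set_initial("ann", "Original#Pass1", now=0)
    print("with minimum age:", cycle_back(strict, "ann", "Original#Pass1",
          ["Cycle#Pass0001", "Cycle#Pass0002", "Cycle#Pass0003"], now=1))
```

Each stored password gets its own salt, so the history check has to recompute the KDF per entry; that cost is acceptable at change time and is the reason history depth stays in the tens rather than the thousands.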

Question No: 21

A security technician has been asked to recommend an authentication mechanism that will allow users to authenticate using a password that will only be valid for a predefined time interval. Which of the following should the security technician recommend?

A. CHAP

B. TOTP

C. HOTP

D. PAP

Answer: B

Explanation:

Time-based one-time password (TOTP) tokens are devices or applications that generate passwords at fixed time intervals. The code is an HMAC over the shared secret and the current time step (30 seconds by default), so it is valid only within that interval plus whatever clock-drift window the verifier allows. HOTP, by contrast, is counter-based: a code stays valid until it is used, however long that takes.
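The RFC 6238 computation behind such a token, as an added example that is not code from the original page: an HOTP core, TOTP on top of it, and a verifier that allows one step of clock drift while refusing to accept the same step twice. The secret is the 20-byte ASCII test key published in RFC 4226 and RFC 6238, not a production value; the verifier class and its window size are this example's own.

```python
"""Added example (not from the original page): HOTP (RFC 4226) and TOTP
(RFC 6238) with a drift-tolerant, replay-resistant verifier."""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret; never use a fixed secret in practice.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HMAC the 8-byte big-endian counter, dynamically truncate to 31 bits,
    then keep the low `digits` decimal digits (RFC 4226 section 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now=None, step=30, digits=6, algo=hashlib.sha1):
    """TOTP is HOTP with the counter replaced by the current time step."""
    now = time.time() if now is None else now
    return hotp(secret, int(now) // step, digits, algo)


class TotpVerifier:
    """Accept a code for the current step or `window` steps either side, and
    never accept a step at or below the last one already used."""

    def __init__(self, secret, step=30, window=1, digits=6):
        self.secret, self.step, self.window, self.digits = secret, step, window, digits
        self.last_accepted_step = -1

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        current = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_accepted_step:      # replay or older step
                continue
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))   # RFC 4226 vector: 755224
    print("TOTP at t=59:", totp(RFC_SECRET, 59))    # RFC 6238 vector: 287082
    v = TotpVerifier(RFC_SECRET)
    print("first use:", v.verify(totp(RFC_SECRET, 59), 59))
    print("replay:", v.verify(totp(RFC_SECRET, 59), 59))
```

The comparison uses hmac.compare_digest rather than `==` so the check does not leak how many leading digits matched, and the verifier remembers the last accepted step server-side because a six-digit code is trivially replayable within its window otherwise.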

Question No: 22

Ann, a security administrator, wishes to replace their RADIUS authentication with a more secure protocol, which can utilize EAP. Which of the following would BEST fit her objective?

A. CHAP

B. SAML

C. Kerberos

D. Diameter

Answer: D

Explanation:

Diameter is an authentication, authorization, and accounting protocol designed as the successor to RADIUS. It runs over a reliable transport (TCP or SCTP) and requires the connection to be protected with TLS, DTLS or IPsec, whereas RADIUS runs over UDP and hides only the User-Password attribute with an MD5-based shared-secret scheme. Diameter applications extend the base protocol with new commands and attributes, such as those for the Extensible Authentication Protocol (EAP). RADIUS can also carry EAP (via the EAP-Message attribute), so it is the mandatory transport security, not EAP support alone, that makes Diameter the more secure replacement the question asks for.
