CompTIA Advanced Security Practitioner (CASP) Recertification Exam for Continuing Education v7.0 (RC0-C02)

Page:    1 / 21   
Total 308 questions

In order for a company to boost profits by implementing cost savings on non-core business activities, the IT manager has sought approval for the corporate email system to be hosted in the cloud. The compliance officer has been tasked with ensuring that data lifecycle issues are taken into account. Which of the following BEST covers the data lifecycle end-to-end?

  • A. Creation and secure destruction of mail accounts, emails, and calendar items
  • B. Information classification, vendor selection, and the RFP process
  • C. Data provisioning, processing, in transit, at rest, and de-provisioning
  • D. Securing virtual environments, appliances, and equipment that handle email


Answer : C

An administrator is tasked with securing several website domains on a web server. The administrator elects to secure www.example.com, mail.example.org, archive.example.com, and www.example.org with the same certificate. Which of the following would allow the administrator to secure those domains with a single issued certificate?

  • A. Intermediate Root Certificate
  • B. Wildcard Certificate
  • C. EV x509 Certificate
  • D. Subject Alternative Names Certificate


Answer : D

Explanation:
Subject Alternative Names (SANs) let you protect multiple host names, even across different registered domains, with a single SSL/TLS certificate.
When you order the certificate, you specify one fully qualified domain name in the common name field and add the other host names in the Subject Alternative Names field. A wildcard certificate would not work here because it only covers one label under a single domain (for example *.example.com), whereas the list above spans both example.com and example.org.

A security administrator wants to deploy a dedicated storage solution which is inexpensive, can natively integrate with AD, allows files to be selectively encrypted and is suitable for a small number of users at a satellite office. Which of the following would BEST meet the requirement?

  • A. SAN
  • B. NAS
  • C. Virtual SAN
  • D. Virtual storage


Answer : B

Explanation:
A NAS is an inexpensive storage solution suitable for small offices. Individual files can be encrypted by using the EFS (Encrypting File System) functionality provided by the NTFS file system.
NAS typically uses a common Ethernet network and can provide storage services to any authorized devices on that network.
Two primary NAS protocols are used in most environments. The choice of protocol depends largely on the type of computer or server connecting to the storage. The Network File System (NFS) protocol is usually used by servers to access storage in a NAS environment. Common Internet File System (CIFS), also sometimes called Server Message Block (SMB), is usually used for desktops, especially those running Microsoft Windows.
Unlike DAS and SAN, NAS is a file-level storage technology. This means the NAS appliance maintains and controls the files, folder structures, permissions, and attributes of the data it holds. A typical NAS deployment integrates the NAS appliance with a user database, such as Active Directory, so file permissions can be assigned based on established users and groups. With Active Directory integration, most Windows New Technology File System (NTFS) permissions can be set on the files contained on a NAS device.

A user has a laptop configured with multiple operating system installations. The operating systems are all installed on a single SSD, but each has its own partition and logical volume.
Which of the following is the BEST way to ensure confidentiality of individual operating system data?

  • A. Encryption of each individual partition
  • B. Encryption of the SSD at the file level
  • C. FDE of each logical volume on the SSD
  • D. FDE of the entire SSD as a single disk


Answer : A

Explanation:
In this question, we have multiple operating system installations on a single disk. Some operating systems store their boot loader in the MBR of the disk. However, some operating systems install their boot loader outside the MBR, especially when multiple operating systems are installed. We need to encrypt as much data as possible, but we cannot encrypt the boot loaders, because doing so would prevent the operating systems from loading.
Therefore, the solution is to encrypt each individual partition separately.

A systems administrator establishes a CIFS share on a UNIX device to share data to Windows systems. The security authentication on the Windows domain is set to the highest level. Windows users are stating that they cannot authenticate to the UNIX share. Which of the following settings on the UNIX server would correct this problem?

  • A. Refuse LM and only accept NTLMv2
  • B. Accept only LM
  • C. Refuse NTLMv2 and accept LM
  • D. Accept only NTLM


Answer : A

Explanation:
In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN or LM), an older Microsoft product, and attempts to provide backwards compatibility with LANMAN. NTLM version 2 (NTLMv2), which was introduced in Windows NT 4.0 SP4 (and natively supported in Windows 2000), enhances NTLM security by hardening the protocol against many spoofing attacks, and adding the ability for a server to authenticate to the client.
This question states that the security authentication on the Windows domain is set to the highest level. This will be NTLMv2. Therefore, the answer to the question is to allow NTLMv2, which will enable the Windows users to connect to the UNIX server. To improve security, we should disable the old and insecure LM protocol as it is not used by the Windows computers.

A security administrator is shown the following log excerpt from a Unix system:
2013 Oct 10 07:14:57 web14 sshd[1632]: Failed password for root from 198.51.100.23 port 37914 ssh2
2013 Oct 10 07:14:57 web14 sshd[1635]: Failed password for root from 198.51.100.23 port 37915 ssh2
2013 Oct 10 07:14:58 web14 sshd[1638]: Failed password for root from 198.51.100.23 port 37916 ssh2
2013 Oct 10 07:15:59 web14 sshd[1640]: Failed password for root from 198.51.100.23 port 37918 ssh2
2013 Oct 10 07:16:00 web14 sshd[1641]: Failed password for root from 198.51.100.23 port 37920 ssh2
2013 Oct 10 07:16:00 web14 sshd[1642]: Successful login for root from 198.51.100.23 port 37924 ssh2
Which of the following is the MOST likely explanation of what is occurring and the BEST immediate response? (Select TWO).

  • A. An authorized administrator has logged into the root account remotely.
  • B. The administrator should disable remote root logins.
  • C. Isolate the system immediately and begin forensic analysis on the host.
  • D. A remote attacker has compromised the root account using a buffer overflow in sshd.
  • E. A remote attacker has guessed the root password using a dictionary attack.
  • F. Use iptables to immediately DROP connections from the IP 198.51.100.23.
  • G. A remote attacker has compromised the private key of the root account.
  • H. Change the root password immediately to a password not found in a dictionary.


Answer : C,E

Explanation:
The log shows six attempts to log in to a system from the same source address within about a minute. The first five attempts failed with an incorrect password; the sixth attempt was a successful login. Therefore, the MOST likely explanation of what is occurring is that a remote attacker has guessed the root password using a dictionary attack.
The BEST immediate response is to isolate the system immediately and begin forensic analysis on the host. You should isolate the system to prevent any further access to it and prevent it from doing any damage to other systems on the network. You should perform a forensic analysis on the system to determine what the attacker did on the system after gaining access.
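The pattern the explanation describes (a burst of failed passwords for one account from one address, then a success) is exactly what a detection rule should alert on. The following added example, which is not part of the original question, parses the six log lines from the question and raises an alert when a success follows at least a threshold number of failures from the same address within a time window. The "Successful login" wording is kept because that is how the question prints it; real OpenSSH logs the event as "Accepted password for ...", so the pattern accepts both forms. The threshold and window values are assumptions.

```python
"""Detect password guessing followed by a successful sshd login (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The six lines shown in the question.
SAMPLE_LOG = """\
2013 Oct 10 07:14:57 web14 sshd[1632]: Failed password for root from 198.51.100.23 port 37914 ssh2
2013 Oct 10 07:14:57 web14 sshd[1635]: Failed password for root from 198.51.100.23 port 37915 ssh2
2013 Oct 10 07:14:58 web14 sshd[1638]: Failed password for root from 198.51.100.23 port 37916 ssh2
2013 Oct 10 07:15:59 web14 sshd[1640]: Failed password for root from 198.51.100.23 port 37918 ssh2
2013 Oct 10 07:16:00 web14 sshd[1641]: Failed password for root from 198.51.100.23 port 37920 ssh2
2013 Oct 10 07:16:00 web14 sshd[1642]: Successful login for root from 198.51.100.23 port 37924 ssh2
"""

# "Successful login" is the question's wording; "Accepted password" is what OpenSSH writes.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<event>Failed password|Successful login|Accepted password) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_log(text):
    """Turn matching sshd lines into event dicts with a datetime and a success flag."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd lines are ignored
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y %b %d %H:%M:%S")
        e["success"] = e["event"] != "Failed password"
        events.append(e)
    return events


def detect_guess_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when a login succeeds after >= threshold failures from the same
    (ip, user) inside the window. Assumed defaults: 3 failures, 5 minutes."""
    failures = defaultdict(deque)  # (ip, user) -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["ip"], e["user"])
        q = failures[key]
        while q and e["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if not e["success"]:
            q.append(e["ts"])
            continue
        if len(q) >= threshold:
            alerts.append({
                "host": e["host"], "ip": e["ip"], "user": e["user"],
                "failed": len(q), "first_failure": q[0], "success_at": e["ts"],
            })
        q.clear()  # a success resets the streak for that source/account
    return alerts


if __name__ == "__main__":
    for a in detect_guess_then_success(parse_log(SAMPLE_LOG)):
        print(a)
```

On the question's log this produces one alert for root from 198.51.100.23 with five failures in the 63 seconds before the success, which is the signal that should trigger the isolation and forensic steps the answer calls for.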

A penetration tester is inspecting traffic on a new mobile banking application and sends the following web request:
POST http://www.example.com/resources/NewBankAccount HTTP/1.1

Content-type: application/json
account:
{ creditAccount:Credit Card Rewards account}
{ salesLeadRef:www.example.com/badcontent/exploitme.exe}
],
customer:
{ name:Joe Citizen}
{ custRef:3153151}
The banking website responds with:

HTTP/1.1 200 OK
newAccountDetails:
{ cardNumber:1234123412341234}
{ cardExpiry:2020-12-31}
{ cardCVV:909}
],
marketingCookieTracker:JSESSIONID=000000001
returnCode:Account added successfully
Which of the following are security weaknesses in this example? (Select TWO).

  • A. Missing input validation on some fields
  • B. Vulnerable to SQL injection
  • C. Sensitive details communicated in clear-text
  • D. Vulnerable to XSS
  • E. Vulnerable to malware file uploads
  • F. JSON/REST is not as secure as XML


Answer : A,C

Explanation:
The salesLeadRef field has no input validation. The penetration tester should not be able to enter www.example.com/badcontent/exploitme.exe in this field.
The credit card number, expiry date and CVV are communicated in clear text over plain HTTP, which leaves them exposed to anyone who can observe the traffic. This kind of information should be encrypted in transit.

The Chief Technology Officer (CTO) has decided that servers in the company datacenter should be virtualized to conserve physical space. The risk assurance officer is concerned that the project team in charge of virtualizing servers plans to co-mingle many guest operating systems with different security requirements to speed up the rollout and reduce the number of host operating systems or hypervisors required. Which of the following BEST describes the risk assurance officer's concerns?

  • A. Co-mingling guest operating system with different security requirements allows guest OS privilege elevation to occur within the guest OS via shared memory allocation with the host OS.
  • B. Co-mingling of guest operating systems with different security requirements increases the risk of data loss if the hypervisor fails.
  • C. A weakly protected guest OS combined with a host OS exploit increases the chance of a successful VMEscape attack being executed, compromising the hypervisor and other guest OS.
  • D. A weakly protected host OS will allow the hypervisor to become corrupted resulting in data throughput performance issues.


Answer : C

The security administrator finds unauthorized tables and records, which were not present before, on a Linux database server. The database server communicates only with one web server, which connects to the database server via an account with SELECT only privileges.
Web server logs show the following:
90.76.165.40 - [08/Mar/2014:10:54:04] GET calendar.php?create%20table%20hidden HTTP/1.1 200 5724
90.76.165.40 - [08/Mar/2014:10:54:05] GET ../../../root/.bash_history HTTP/1.1 200 5724
90.76.165.40 - [08/Mar/2014:10:54:04] GET index.php?user=<script>Create</script> HTTP/1.1 200 5724
The security administrator also inspects the following file system locations on the database server using the command ls -al /root:
drwxrwxrwx 11 root root 4096 Sep 28 22:45 .
drwxr-xr-x 25 root root 4096 Mar 8 09:30 ..
-rws------ 25 root root 4096 Mar 8 09:30 .bash_history
-rw------- 25 root root 4096 Mar 8 09:30 .bash_history
-rw------- 25 root root 4096 Mar 8 09:30 .profile
-rw------- 25 root root 4096 Mar 8 09:30 .ssh
Which of the following attacks was used to compromise the database server and what can the security administrator implement to detect such attacks in the future? (Select TWO).

  • A. Privilege escalation
  • B. Brute force attack
  • C. SQL injection
  • D. Cross-site scripting
  • E. Using input validation, ensure the following characters are sanitized: <>
  • F. Update crontab with: find / \( -perm -4000 \) -type f -print0 | xargs -0 ls -l | email.sh
  • G. Implement the following PHP directive: $clean_user_input = addslashes($user_input)
  • H. Set an account lockout policy


Answer : A,F

Explanation:
This is an example of privilege escalation.
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
The question states that the web server communicates with the database server via an account with SELECT only privileges. However, the privileges listed include read, write and execute (rwx). This suggests the privileges have been escalated.
Now that we know the system has been attacked, we should investigate what was done to the system.
The command in option F, find / \( -perm -4000 \) -type f -print0 | xargs -0 ls -l | email.sh, is used to find all the files that have the setuid bit enabled and mail the listing. Setuid means "set user ID upon execution": if the setuid bit is turned on for a file, the user executing that file gets the permissions of the individual who owns the file (setgid does the same for the owning group). Running this from crontab gives a recurring inventory, so a newly created setuid file such as the .bash_history entry with the s bit above would show up in the next report.
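The cron job in option F is a shell one-liner; the following added example (not from the question or its explanation) does the same inventory from Python and adds the piece a practitioner actually wants, a comparison against a stored baseline so that only newly setuid files are reported. It builds a small demo directory tree with one normal script and one setuid file (constructed for the example) instead of walking the real root filesystem; the function names and the demo paths are assumptions.

```python
"""Inventory setuid files and diff against a baseline (added example)."""
import os
import stat
import tempfile


def find_setuid_files(root):
    """Return sorted paths of regular files under root with the setuid bit set.

    Mirrors `find ROOT -perm -4000 -type f`: lstat is used so symlinks are
    reported by their own mode and never followed, and unreadable entries
    are skipped rather than aborting the scan.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def new_since_baseline(baseline, current):
    """Files that are setuid now but were not in the saved baseline: the
    entries worth mailing to the administrator."""
    return sorted(set(current) - set(baseline))


def make_demo_tree():
    """Constructed demo: a normal script plus one setuid file in a temp dir.
    Returns (root, path_of_setuid_file)."""
    root = tempfile.mkdtemp(prefix="setuid-demo-")
    normal = os.path.join(root, "bin", "normal.sh")
    os.makedirs(os.path.dirname(normal))
    with open(normal, "w") as f:
        f.write("#!/bin/sh\necho ok\n")
    os.chmod(normal, 0o755)

    suid = os.path.join(root, "bin", "suid-helper")
    with open(suid, "w") as f:
        f.write("#!/bin/sh\nid\n")
    os.chmod(suid, 0o4755)  # owner-rwx plus setuid: shows as -rwsr-xr-x
    return root, suid


if __name__ == "__main__":
    root, suid = make_demo_tree()
    current = find_setuid_files(root)
    print("setuid files:", current)
    print("new since empty baseline:", new_since_baseline([], current))
```

In production the baseline would be the previous run's list stored outside the scanned host (an attacker who gained root can edit a local baseline), and the scan would be scheduled from cron just as the question's one-liner is.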

Topic 2, Risk Management and Incident Response

An architect has been engaged to write the security viewpoint of a new initiative. Which of the following BEST describes a repeatable process that can be used for establishing the security architecture?

  • A. Inspect a previous architectural document. Based on the historical decisions made, consult the architectural control and pattern library within the organization and select the controls that appear to best fit this new architectural need.
  • B. Implement controls based on the system needs. Perform a risk analysis of the system. For any remaining risks, perform continuous monitoring.
  • C. Classify information types used within the system into levels of confidentiality, integrity, and availability. Determine minimum required security controls. Conduct a risk analysis. Decide on which security controls to implement.
  • D. Perform a risk analysis of the system. Avoid extreme risks. Mitigate high risks. Transfer medium risks and accept low risks. Perform continuous monitoring to ensure that the system remains at an adequate security posture.


Answer : C

A security analyst has been asked to develop a quantitative risk analysis and risk assessment for the company's online shopping application. Based on heuristic information from the Security Operations Center (SOC), a Denial of Service Attack (DoS) has been successfully executed 5 times a year. The Business Operations department has determined the loss associated to each attack is $40,000. After implementing application caching, the number of DoS attacks was reduced to one time a year. The cost of the countermeasures was $100,000. Which of the following is the monetary value earned during the first year of operation?

  • A. $60,000
  • B. $100,000
  • C. $140,000
  • D. $200,000


Answer : A

Explanation:
ALE before implementing application caching:
ALE = ARO x SLE
ALE = 5 x $40,000
ALE = $200,000

ALE after implementing application caching:
ALE = ARO x SLE
ALE = 1 x $40,000
ALE = $40,000

The monetary value earned is the ALE before implementing application caching, minus the ALE after implementing it, minus the cost of the countermeasures.
Monetary value earned = $200,000 - $40,000 - $100,000
Monetary value earned = $60,000
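The same ALE arithmetic, as an added example that is not part of the original question, written so it can be reused for other figures: `ale()` and `first_year_value()` follow the formula above exactly, and `projection()` goes beyond the question by carrying the calculation into later years, where the one-time countermeasure cost no longer applies, with an optional annual maintenance cost (an assumption; leave it at 0 to reproduce the question).

```python
"""ALE-based countermeasure valuation (added example)."""


def ale(aro, sle):
    """Annualized Loss Expectancy = Annual Rate of Occurrence x Single Loss Expectancy."""
    return aro * sle


def first_year_value(aro_before, aro_after, sle, cost):
    """Net value in year one: ALE reduction minus the one-time countermeasure cost."""
    return ale(aro_before, sle) - ale(aro_after, sle) - cost


def projection(aro_before, aro_after, sle, cost, years, annual_maintenance=0):
    """Per-year and cumulative net value over a horizon.

    The purchase cost is charged only in year 1; annual_maintenance (assumed,
    not in the question) is charged every year.
    """
    saving = ale(aro_before, sle) - ale(aro_after, sle)
    rows, cumulative = [], 0
    for year in range(1, years + 1):
        net = saving - annual_maintenance - (cost if year == 1 else 0)
        cumulative += net
        rows.append({"year": year, "net": net, "cumulative": cumulative})
    return rows


def payback_year(rows):
    """First year in which the cumulative net value is non-negative, or None."""
    for r in rows:
        if r["cumulative"] >= 0:
            return r["year"]
    return None


if __name__ == "__main__":
    # Figures from the question: 5 -> 1 attacks/year, $40,000 per attack, $100,000 cost.
    print("first-year value:", first_year_value(5, 1, 40000, 100000))
    for row in projection(5, 1, 40000, 100000, years=3):
        print(row)
```

With the question's numbers the first-year value is $60,000 and the countermeasure has already paid for itself in year one; with a more expensive control the same function shows the year in which the cumulative saving first covers the spend, which is the figure a risk register usually wants alongside the single-year value.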

During an incident involving the company main database, a team of forensics experts is hired to respond to the breach. The team is in charge of collecting forensics evidence from the company's database server. Which of the following is the correct order in which the forensics team should engage?

  • A. Notify senior management, secure the scene, capture volatile storage, capture non-volatile storage, implement chain of custody, and analyze original media.
  • B. Take inventory, secure the scene, capture RAM, capture hard drive, implement chain of custody, document, and analyze the data.
  • C. Implement chain of custody, take inventory, secure the scene, capture volatile and non-volatile storage, and document the findings.
  • D. Secure the scene, take inventory, capture volatile storage, capture non-volatile storage, document, and implement chain of custody.


Answer : D

Explanation:
The scene has to be secured first to prevent contamination. Once a forensic copy has been created, an analyst will begin the process of moving from most volatile to least volatile information. The chain of custody helps to protect the integrity and reliability of the evidence by keeping an evidence log that shows all access to evidence, from collection to appearance in court.

In an effort to reduce internal email administration costs, a company is determining whether to outsource its email to a managed service provider that provides email, spam, and malware protection. The security manager is asked to provide input regarding any security implications of this change. Which of the following BEST addresses risks associated with disclosure of intellectual property?

  • A. Require the managed service provider to implement additional data separation.
  • B. Require encrypted communications when accessing email.
  • C. Enable data loss protection to minimize emailing PII and confidential data.
  • D. Establish an acceptable use policy and incident response policy.


Answer : C

Wireless users are reporting issues with the company's video conferencing and VoIP systems. The security administrator notices internal DoS attacks from infected PCs on the network causing the VoIP system to drop calls. The security administrator also notices that the SIP servers are unavailable during these attacks. Which of the following security controls will MOST likely mitigate the VoIP DoS attacks on the network? (Select TWO).

  • A. Install a HIPS on the SIP servers
  • B. Configure 802.1X on the network
  • C. Update the corporate firewall to block attacking addresses
  • D. Configure 802.11e on the network
  • E. Configure 802.1q on the network


Answer : A,D

Explanation:
Host-based intrusion prevention system (HIPS) is an installed software package that will monitor a single host for suspicious activity by analyzing events taking place within that host.
IEEE 802.11e is deemed to be of significant consequence for delay-sensitive applications, such as Voice over Wireless LAN and streaming multimedia.

A new piece of ransomware got installed on a company's backup server which encrypted the hard drives containing the OS and backup application configuration but did not affect the deduplication data hard drives. During the incident response, the company finds that all backup tapes for this server are also corrupt. Which of the following is the PRIMARY concern?

  • A. Determining how to install HIPS across all server platforms to prevent future incidents
  • B. Preventing the ransomware from re-infecting the server upon restore
  • C. Validating the integrity of the deduplicated data
  • D. Restoring the data will be difficult without the application configuration


Answer : D

Explanation:
Ransomware is a type of malware that restricts access to a computer system that it infects in some way, and demands that the user pay a ransom to the operators of the malware to remove the restriction.
Since the backup application configuration is not accessible, it will require more effort to recover the data.
Eradication and Recovery is the fourth step of the incident response. It occurs before preventing future problems.
