CASP ? 181-210 Network Diagrams

Which of the following potential vulnerabilities exists in the following code snippet?var myEmail = document.getElementById(“formInputEmail”).value;if (xmlhttp.readyState==4 && xmlhttp.status==200){Document.getElementById(“profileBox”).innerHTML = “Emails will be sent to “ + myEmail +xmlhttp.responseText;}

• Javascript buffer overflow

• AJAX XHR weaknesses

• DOM-based XSS

• JSON weaknesses

The Chief Information Security Officer (CISO) has just returned from attending a securityconference and now wants to implement a Security Operations Center (SOC) to improve andcoordinate the detection of unauthorized access to the enterprise. The CISO’s biggest concern isthe increased number of attacks that the current infrastructure cannot detect. Which of thefollowing is MOST likely to be used in a SOC to address the CISO’s concerns?

• DLP, Analytics, SIEM, Forensics, NIPS, HIPS, WIPS and eGRC

• Forensics, White box testing, Log correlation, HIDS, and SSO

• Vulnerability assessments, NIDP, HIDS, SCAP, Analytics and SIEM

• EGRC, WIPS, Federated ID, Network enumerator, NIPS and Port Scanners

The IT Manager has mandated that an extensible markup language be implemented which can beused to exchange provisioning requests and responses for account creation. Which of thefollowing is BEST able to achieve this?

• XACML

• SAML

• SOAP

• SPML

A company is planning to deploy an in-house Security Operations Center (SOC).One of the new requirements is to deploy a NIPS solution into the Internet facing environment.The SOC highlighted the following requirements:Perform fingerprinting on unfiltered inbound traffic to the companyMonitor all inbound and outbound traffic to the DMZ'sIn which of the following places should the NIPS be placed in the network?

• In front of the Internet firewall and in front of the DMZs

• In front of the Internet firewall and in front of the internal firewall

• In front of the Internet firewall and behind the internal firewall

• Behind the Internet firewall and in front of the DMZs

A company recently experienced a malware outbreak. It was caused by a vendor using anapproved non-company device on the company’s corporate network that impacted manufacturinglines, causing a week of downtime to recover from the attack. Which of the following reduces thisthreat and minimizes potential impact on the manufacturing lines?

• Disable remote access capabilities on manufacturing SCADA systems.

• Require a NIPS for all communications to and from manufacturing SCADA systems.

• Add anti-virus and client firewall capabilities to the manufacturing SCADA systems.

• Deploy an ACL that restricts access from the corporate network to the manufacturing SCADA systems.

Capital Reconnaissance, LLC is building a brand new research and testing location, and thephysical security manager wants to deploy IP-based access control and video surveillance. Thesetwo systems are essential for keeping the building open for operations. Which of the followingcontrols should the security administrator recommend to determine new threats against the newIP-based access control and video surveillance systems?

• Develop a network traffic baseline for each of the physical security systems.

• Air gap the physical security networks from the administrative and operational networks.

• Require separate non-VLANed networks and NIPS for each physical security system network.

• Have the Network Operations Center (NOC) review logs and create a CERT to respond to breaches.

A company has recently implemented a video conference solution that uses the H.323 protocol.The security engineer is asked to make recommendations on how to secure video conferences toprotect confidentiality. Which of the following should the security engineer recommend?

• Implement H.235 extensions with DES to secure the audio and video transport.

• Recommend moving to SIP and RTP as those protocols are inherently secure.

• Recommend implementing G.711 for the audio channel and H.264 for the video.

• Encapsulate the audio channel in the G.711 codec rather than the unsecured Speex.

A healthcare company recently purchased the building next door located on the same campus.The building previously did not have any IT infrastructure. The building manager has selected fourpotential locations to place IT equipment consisting of a half height open server rack with fiveswitches, a router, a firewall, and two servers. Given the descriptions below, where would thesecurity engineer MOST likely recommend placing the rack?The Boiler Room: The rack can be placed 5 feet (1.5 meters) up on the wall, between the secondand third boiler. The room is locked and only maintenance has access to it.The Reception AreA. The reception area is an open area right as customers enter. There is acloset 5 feet by 5 feet (1.5 meters by 1.5 meters) that the rack will be placed in with floor mounts.There is a 3 digit PIN lock that the receptionist sets.The Rehabilitation AreA. The rack needs to be out of the way from patients using the whirlpoolbath, so it will be wall mounted 8 feet (2.4 meters) up as the area has high ceilings. The rehabarea is staffed full time and admittance is by key card only.The Finance AreA. There is an unused office in the corner of the area that can be used for theserver rack. The rack will be floor mounted. The finance area is locked and alarmed at night.

• The Rehabilitation Area

• The Reception Area

• The Boiler Room

• The Finance Area

A network security engineer would like to allow authorized groups to access network devices witha shell restricted to only show information while still authenticating the administrator's group to anunrestricted shell. Which of the following can be configured to authenticate and enforce these shellrestrictions? (Select TWO).

• Single Sign On

• Active Directory

• Kerberos

• NIS+

• RADIUS

• TACACS+

An administrator is unable to connect to a server via VNC. Upon investigating the host firewallconfiguration, the administrator sees the following lines:A INPUT -m state --state NEW -m tcp -p tcp --dport 3389 -j DENYA INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DENYA INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPTA INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j DENYA INPUT -m state --state NEW -m tcp -p tcp --sport 3389 -j ACCEPTWhich of the following should occur to allow VNC access to the server?

• DENY needs to be changed to ACCEPT on one line.

• A line needs to be added.

• A line needs to be removed.

• Fix the typo in one line.

Company A is trying to implement controls to reduce costs and time spent on litigation. Toaccomplish this, Company A has established several goals:Prevent data breaches from lost/stolen assetsReduce time to fulfill e-discovery requestsPrevent PII from leaving the networkLessen the network perimeter attack surfaceReduce internal fraudWhich of the following solutions accomplishes the MOST of these goals?

• Implement separation of duties; enable full encryption on USB devices and cell phones, allow cell phones to remotely connect to e-mail and network VPN, enforce a 90 day data retention policy.

• Eliminate VPN access from remote devices. Restrict junior administrators to read-only shell access on network devices. Install virus scanning and SPAM filtering. Harden all servers with trusted OS extensions.

• Create a change control process with stakeholder review board, implement separation of duties and mandatory vacation, create regular SAN snapshots, enable GPS tracking on all cell phones and laptops, and fully encrypt all email in transport.

• Implement outgoing mail sanitation and incoming SPAM filtering. Allow VPN for mobile devices; cross train managers in multiple disciplines, ensure all corporate USB drives are provided by Company A and de-duplicate all server storage.

A security architect is seeking to outsource company server resources to a commercial cloudservice provider. The provider under consideration has a reputation for poorly controlling physicalaccess to datacenters and has been the victim of multiple social engineering attacks. The serviceprovider regularly assigns VMs from multiple clients to the same physical resources. Whenconducting the final risk assessment which of the following should the security architect take intoconsideration?

• The ability to implement user training programs for the purpose of educating internal staff about the dangers of social engineering.

• The cost of resources required to relocate services in the event of resource exhaustion on a particular VM.

• The likelihood a malicious user will obtain proprietary information by gaining local access to the hypervisor platform.

• Annual loss expectancy resulting from social engineering attacks against the cloud service provider affecting corporate network infrastructure.

The root cause analysis of a recent security incident reveals that an attacker accessed a printerfrom the Internet. The attacker then accessed the print server, using the printer as a launch padfor a shell exploit. The print server logs show that the attacker was able to exploit multipleaccounts, ultimately launching a successful DoS attack on the domain controller. Defendingagainst which of the following attacks should form the basis of the incident mitigation plan?

• DDoS

• SYN flood

• Buffer overflow

• Privilege escalation

An existing enterprise architecture included an enclave where sensitive research and developmentwork was conducted. This network enclave also served as a storage location for proprietarycorporate data and records. The initial security architect chose to protect the enclave by restrictingaccess to a single physical port on a firewall. All downstream network devices were isolated fromthe rest of the network and communicated solely through the single 100mbps firewall port. Overtime, researchers connected devices on the protected enclave directly to external resources andcorporate data stores. Mobile and wireless devices were also added to the enclave to support highspeed data research. Which of the following BEST describes the process which weakened thesecurity posture of the enclave?

• Emerging business requirements led to the de-perimiterization of the network.

• Emerging security threats rendered the existing architecture obsolete.

• The single firewall port was oversaturated with network packets.

• The shrinking of an overall attack surface due to the additional access.

At one time, security architecture best practices led to networks with a limited number (1-3) ofnetwork access points. This restriction allowed for the concentration of security resources andresulted in a well defined attack surface. The introduction of wireless networks, highly portablenetwork devices, and cloud service providers has rendered the network boundary and attacksurface increasingly porous. This evolution of the security architecture has led to which of the following?

• Increased security capabilities, the same amount of security risks and a higher TCO but a smaller corporate data center on average.

• Increased business capabilities and increased security risks with a lower TCO and smaller physical footprint on the corporate network.

• Increased business capabilities and increased security risks with a higher TCO and a larger physical footprint.

• Decreased business capabilities and increased security risks with a lower TCO and increased logical footprint due to virtualization.

An administrator notices the following file in the Linux server’s /tmp directory.-rwsr-xr-x. 4 root root 234223 Jun 6 22:52 bash*Which of the following should be done to prevent further attacks of this nature?

• Never mount the /tmp directory over NFS

• Stop the rpcidmapd service from running

• Mount all tmp directories nosuid, noexec

• Restrict access to the /tmp directory

Company ABC has entered into a marketing agreement with Company XYZ, whereby ABC willshare some of its customer information with XYZ. However, XYZ can only contact ABC customerswho explicitly agreed to being contacted by third parties. Which of the following documents wouldcontain the details of this marketing agreement?

• BPA

• ISA

• NDA

• SLA

Company ABC has a 100Mbps fiber connection from headquarters to a remote office 200km (123miles) away. This connection is provided by the local cable television company. ABC would like toextend a secure VLAN to the remote office, but the cable company says this is impossible sincethey already use VLANs on their internal network. Which of the following protocols should thecable company be using to allow their customers to establish VLANs to other sites?

• IS-IS

• EIGRP

• MPLS

• 802.1q

An ecommerce application on a Linux server does not properly track the number of incomingconnections to the server and may leave the server vulnerable to which of following?

• Buffer Overflow Attack

• Storage Consumption Attack

• Denial of Service Attack

• Race Condition

Company A has a remote work force that often includes independent contractors and out of statefull time employees. Company A's security engineer has been asked to implement a solution allowing these users to collaborate on projects with the following goals:-All communications between parties need to be encrypted in transportUsers must all have the same application sets at the same versionAll data must remain at Company A's siteAll users must not access the system between 12:00 and 1:00 as that is the maintenancewindowEasy to maintain, patch and change application environmentWhich of the following solutions should the security engineer recommend to meet the MOSTgoals?

• Create an SSL reverse proxy to a collaboration workspace. Use remote installation service to maintain application version. Have users use full desktop encryption. Schedule server downtime from 12:00 to 1:00 PM.

• Install an SSL VPN to Company A's datacenter, have users connect to a standard virtual workstation image, set workstation time of day restrictions.

• Create an extranet web portal using third party web based office applications. Ensure that Company A maintains the administrative access.

• Schedule server downtime from 12:00 to 1:00 PM, implement a Terminal Server Gateway, use remote installation services to standardize application on user’s laptops.

• Option 1

• Option 2

• Option 3

• Option 4

• Answer: You need to check the hash value of download software with md5 utility.

• Option 2

Compliance with company policy requires a quarterly review of firewall rules. A new administrator is asked to conduct this review on the internal firewall sitting between several internal networks. The intent of this firewall is to make traffic more restrictive. Given the following information answer the questions below.User Subnet 192.168.1.0/24Server Subnet 192.168.2.0/24Finance Subnet 192.168.3.0/24Instructions: To perform the necessary tasks, please modify the DST port, Protocol, Action and/or rule order columns, Firewall ACLs and read from the top down administrator added a rule to allow their machine terminal server access to the sever subnet. This is not working. Identify this rule and correct this web servers have been changed to communicate soley over SSL. Modify the appropriate rule to allow communications. Administrator added a rule to block access to the SQL server from anywhere on the network. This rule is not working. Identify and correct this issue. Other than allowing all hosts to do network time and SSL, modify a rule to ensure that no other traffic is allowed.

• Option 4

• 192.18.1.0/24 any 192.168.20.0/24 3389 any

The IDS has detected abnormal behavior on this network. Click on the network devices to view device information. Based on this information, the following tasks need to be completed.1. Select the server that is a victim of a SQL injection attack.2. Select the source of the buffer overflow attack.3. Modify the access control list (ACL) on the routers to ONLY block the buffer overflow attack.

• Answer: Follow the Steps as 1) Click on the server and find the SQL Server then Note the ip address of the server 2)click on the host machine and find the attacker then note the ip adddress of the host 3)check the host machine ip address in router ac source field and SQL Server ip in destination field and check the deny and uncheck the permit

Company A has experienced external attacks on their network and wants to minimize the attacks from reoccurring. Modify the proposed network diagram to prevent SQL injections, XSS attacks, smurf attacks, email spam,downloaded malware viruses and ping attacks. The company can spend a maximum of 50,000$ USD. A cost list for each item is listed below.1. Anti-Virus-Server 10,000$2. Firewall 15,000$3. Load Ballance Server 10,000$4. NIDS/NIPS 10,000$5. Packet Analyzer 5,000$6. Patch Server 10,000$7. Proxy Server 10,000$8. Router 10,000$9. Spam Filter 5,000$10. Traffic Shaper 20,000011. Web Application Firewall 10,000$Instructions: Not all placeholders in the diagram need to be filled and items can only be billed once. If you place an object on the network diagram, you can remove it by clicking the (x) in the upper right hand corner of the object.

• Answer: Following steps need to do as 8 then 2 replace 6 with 3, 7,11 same segment replace 2 with 1 , put 6 same segment replace 9 with 10 replace 3 with 5 replace 1 with 4

• Option 2

A startup company offering software on demand has hired a security consultant to provideexpertise on data security. The company’s clients are concerned about data confidentiality. Thesecurity consultant must design an environment with data confidentiality as the top priority, overavailability and integrity. Which of the following designs is BEST suited for this purpose?

• All of the company servers are virtualized in a highly available environment sharing common hardware and redundant virtual storage. Clients use terminal service access to the shared environment to access the virtualized applications. A secret key kept by the startup encrypts the application virtual memory and data store.

• All of the company servers are virtualized in a highly available environment sharing common hardware and redundant virtual storage. Clients use terminal service access to the shared environment and to access the virtualized applications. Each client has a common shared key, which encrypts the application virtual memory and data store.

• Each client is assigned a set of virtual hosts running shared hardware. Physical storage is partitioned into LUNS and assigned to each client. MPLS technology is used to segment and encrypt each of the client’s networks. PKI based remote desktop with hardware tokens is used by the client to connect to the application.

• Each client is assigned a set of virtual hosts running shared hardware. Virtual storage is partitioned and assigned to each client. VLAN technology is used to segment each of the client’s networks. PKI based remote desktop access is used by the client to connect to the application.

A financial institution wants to reduce the costs associated with managing and troubleshootingemployees’ desktops and applications, while keeping employees from copying data onto externalstorage. The Chief Information Officer (CIO) has asked the security team to evaluate four solutionssubmitted by the change management group. Which of the following BEST accomplishes thistask?

• Implement desktop virtualization and encrypt all sensitive data at rest and in transit.

• Implement server virtualization and move the application from the desktop to the server.

• Implement VDI and disable hardware and storage mapping from the thin client.

• Move the critical applications to a private cloud and disable VPN and tunneling.

A health service provider is considering the impact of allowing doctors and nurses access to theinternal email system from their personal smartphones. The Information Security Officer (ISO) hasreceived a technical document from the security administrator explaining that the current emailsystem is capable of enforcing security policies to personal smartphones, including screen lockoutand mandatory PINs. Additionally, the system is able to remotely wipe a phone if reported lost orstolen. Which of the following should the Information Security Officer be MOST concerned withbased on this scenario? (Select THREE).

• The email system may become unavailable due to overload.

• Compliance may not be supported by all smartphones.

• Equipment loss, theft, and data leakage.

• Smartphone radios can interfere with health equipment.

• Data usage cost could significantly increase.

• Not all smartphones natively support encryption.

• Smartphones may be used as rogue access points.

The security administrator at a company has received a subpoena for the release of all the emailreceived and sent by the company Chief Information Officer (CIO) for the past three years. Thesecurity administrator is only able to find one year’s worth of email records on the server and isnow concerned about the possible legal implications of not complying with the request. Which ofthe following should the security administrator check BEFORE responding to the request?

• The company data privacy policies

• The company backup logs and archives

• The company data retention policies and guidelines

• The company data retention procedures