CompTIA Advanced Security Practitioner (CAS-001) 241-270

1. A Physical Security Manager is ready to replace all 50 analog surveillance cameras with IP cameras with built-in web management. The Security Manager has several security guard desk on different networks that must be able to view the cameras without unauthorized people viewing the video as well. The selected IP camera vendor does not have the ability to authenticate users at the camera level. Which of the following should the Security Manager suggest to BEST secure this environment?

Create an IP camera network and deploy NIPS to prevent unauthorized access.

Create an IP camera network and only allow SSL access to the cameras.

Create an IP camera network and deploy a proxy to authenticate users prior to accessing the cameras.

Create and IP camera network and restrict access to cameras from a single management host.

The Security Manager should suggest creating an IP camera network and deploying a proxy to authenticate users prior to accessing the cameras. This solution would ensure that only authorized users can view the cameras by requiring them to authenticate through the proxy before accessing the camera feed. This would prevent unauthorized people from viewing the video while allowing the security guard desks on different networks to view the cameras securely.

Explanation

The Security Manager should suggest creating an IP camera network and deploying a proxy to authenticate users prior to accessing the cameras. This solution would ensure that only authorized users can view the cameras by requiring them to authenticate through the proxy before accessing the camera feed. This would prevent unauthorized people from viewing the video while allowing the security guard desks on different networks to view the cameras securely.

2. After three vendors submit their requested documentation, the CPO and the SPN can better understand what each vendor does and what solutions that they can provide. But now they want to see the intricacies of how these solutions can adequately match the requirements needed by the firm. Upon the directive of the CPO, the CISO should submit which of the following to the three submitting firms?

A T&M contract

An RFP

A FFP agreement

A new RFQ

The CPO and the SPN want to evaluate the solutions provided by the three vendors and determine if they can meet the firm's requirements. To do this, they need more detailed information about the vendors' solutions. An RFP (Request for Proposal) is a document that outlines the firm's requirements and asks the vendors to provide detailed proposals on how they will meet those requirements. Therefore, the CISO should submit an RFP to the three submitting firms to gather the necessary information and evaluate their solutions.

Explanation

The CPO and the SPN want to evaluate the solutions provided by the three vendors and determine if they can meet the firm's requirements. To do this, they need more detailed information about the vendors' solutions. An RFP (Request for Proposal) is a document that outlines the firm's requirements and asks the vendors to provide detailed proposals on how they will meet those requirements. Therefore, the CISO should submit an RFP to the three submitting firms to gather the necessary information and evaluate their solutions.

3. A data breach has occured at Company A and as a result, the Chief Information Officer (CIO) has resigned. The CIO's laptop, cell phone and PC were all wiped of data per company policy. A month later, prosecutors in litigation with Company A suspect the CIO knew about the data breach long before it was discovered and have issued a subpoena requesting all the CIO's email from the last 12 months. The corporate retention policy recommends keeping data for no longer than 90 days. Which of the following should occur?

Inform the litigators that the CIO's information has been deleted as per corporate policy.

The correct answer is to restore the CIO's email from an email server backup and provide whatever is available up to the last 12 months from the subpoena date. This is because the prosecutors have issued a subpoena requesting all the CIO's email from the last 12 months, and it is important to comply with legal requests. Although the corporate retention policy recommends keeping data for no longer than 90 days, the subpoena takes precedence in this situation. Therefore, all available email data should be restored and provided to the prosecutors.

Explanation

The correct answer is to restore the CIO's email from an email server backup and provide whatever is available up to the last 12 months from the subpoena date. This is because the prosecutors have issued a subpoena requesting all the CIO's email from the last 12 months, and it is important to comply with legal requests. Although the corporate retention policy recommends keeping data for no longer than 90 days, the subpoena takes precedence in this situation. Therefore, all available email data should be restored and provided to the prosecutors.

4. A company receives an e-discovery request for the Chief Information Officer's (CIO's) email data. The storage administrator reports that the data retention policy relevant to their industry only requires one year of email data. However the storage administrator also reports that there are three years of email data on the server and five years of email data on the backup tapes. How many years of data MUST the company legally provide?

1

2

3

5

The company must legally provide five years of email data. Although the data retention policy for their industry only requires one year of email data, the fact that there are three years of data on the server and five years of data on the backup tapes means that the company must provide the maximum amount of data available, which is five years.

Explanation

The company must legally provide five years of email data. Although the data retention policy for their industry only requires one year of email data, the fact that there are three years of data on the server and five years of data on the backup tapes means that the company must provide the maximum amount of data available, which is five years.

5. A financial company implements end-to-end encryption via SSL in the DMZ, and only IPSEC in transport mode with AH enabled and ESP disabled throughout the internal network. The company has hired a security consultant to analyze the network infrastructure and provide a solution for intrusion prevention. Which of the following recommendations should the consultant provide to the security administrator?

Switch to TLS in the DMZ. Implement NIPS on the internal network, and HIPS on the DMZ.

Switch IPSEC to tunnel mode. Implement HIPS on the internal network, and NIPS on the DMZ.

Disable AH. Enable ESP on the internet network, and use NIPS on both networks.

Enable ESP on the internal network, and place NIPS on both networks.

The recommendation to switch to TLS in the DMZ is based on the fact that the financial company already has end-to-end encryption via SSL in the DMZ. TLS is a more secure and updated version of SSL, so switching to TLS would enhance the security of the DMZ. Implementing NIPS (Network Intrusion Prevention System) on the internal network and HIPS (Host Intrusion Prevention System) on the DMZ would provide additional layers of security to detect and prevent any potential intrusions or attacks on both networks.

Explanation

The recommendation to switch to TLS in the DMZ is based on the fact that the financial company already has end-to-end encryption via SSL in the DMZ. TLS is a more secure and updated version of SSL, so switching to TLS would enhance the security of the DMZ. Implementing NIPS (Network Intrusion Prevention System) on the internal network and HIPS (Host Intrusion Prevention System) on the DMZ would provide additional layers of security to detect and prevent any potential intrusions or attacks on both networks.

6. A developer is coding the crypo routing of an application that will be installed on a standard headless and diskless server connected to a NAS housed in the datacenter. The developer has written the following six lines of code to add entropy to the routine:

If VIDEO input exists, use video data for entropy
If AUDIO input exists, use audio data for entropy
If MOUSE input exists, use mouse data for entropy
If KEYBOARD input exists, use keyboard data for entropy
If IDE input exists, use IDE data for entropy
If NETWORK input exists, use network data for entropy

Which of the following lines of code will result in the STRONGEST seed when combined?

2 and 1

3 and 5

5 and 2

6 and 4

Lines 6 and 4 will result in the strongest seed when combined. Line 6 uses network data for entropy, which can provide a high level of randomness and unpredictability. Line 4 uses keyboard data for entropy, which can also contribute to a strong seed. Combining these two sources of entropy will enhance the overall strength of the seed used for cryptographic routing.

Explanation

Lines 6 and 4 will result in the strongest seed when combined. Line 6 uses network data for entropy, which can provide a high level of randomness and unpredictability. Line 4 uses keyboard data for entropy, which can also contribute to a strong seed. Combining these two sources of entropy will enhance the overall strength of the seed used for cryptographic routing.

7. A manager who was attending an all-day training session was overdue to entertaining bonus and payroll information for subordinates. The manager felt the best way to get the changes entered while in training was to log into the payroll system, and then activate desktop sharing with a trusted subordinate. The manager granted the subordinate control of the desktop thereby giving the subordinate full access to the payroll system. The subordinate did not have authorization to be in the payroll system. Another employee reported the incident to the security team. Which of the folloing would be the MOST appropriate method for dealing with this issue going forward?

Provide targeted security awareness training and impose termination for repeat violators.

Block desktop sharing and web conferencing application and enable use only with approval.

Actively monitor the data traffic for each employee using desktop sharing or web conferencing applications.

Permanently block desktop sharing and web conferencing applications and do not allow its use at the company.

The most appropriate method for dealing with this issue going forward would be to provide targeted security awareness training and impose termination for repeat violators. This incident highlights a lack of understanding of security protocols and the potential risks associated with granting unauthorized access to sensitive systems. By providing targeted security awareness training, employees can be educated on the importance of following proper security procedures and the potential consequences of their actions. Additionally, imposing termination for repeat violators sends a strong message that security breaches will not be tolerated, further discouraging similar incidents in the future.

Explanation

The most appropriate method for dealing with this issue going forward would be to provide targeted security awareness training and impose termination for repeat violators. This incident highlights a lack of understanding of security protocols and the potential risks associated with granting unauthorized access to sensitive systems. By providing targeted security awareness training, employees can be educated on the importance of following proper security procedures and the potential consequences of their actions. Additionally, imposing termination for repeat violators sends a strong message that security breaches will not be tolerated, further discouraging similar incidents in the future.

8. A small customer focused bank with implemented least privilege principles, is concerned about the possibility of branch staff unintentionally aiding fraud in their day to day interactions with customers. Bank staff has been encouraged to build friendships with customers to make the banking experience feel more personal. The security and risk team have decided that a policy needs to be implemented across all branches to address the risk. Which of the following BEST addresses the security and risk team's concerns?

Information disclosure policy

Awareness training

Job rotation

Separation of duties

Awareness training is the best option to address the security and risk team's concerns in this scenario. By providing training to the bank staff, they will be educated about the potential risks and threats associated with unintentionally aiding fraud. This will help them to better understand their roles and responsibilities, and enable them to identify and mitigate any suspicious activities or behaviors. Awareness training will also ensure that the staff is aware of the importance of maintaining security measures and following the least privilege principles while building relationships with customers.

Explanation

Awareness training is the best option to address the security and risk team's concerns in this scenario. By providing training to the bank staff, they will be educated about the potential risks and threats associated with unintentionally aiding fraud. This will help them to better understand their roles and responsibilities, and enable them to identify and mitigate any suspicious activities or behaviors. Awareness training will also ensure that the staff is aware of the importance of maintaining security measures and following the least privilege principles while building relationships with customers.

9. A data processing server uses a Linux based file system to remotely mount physical disks on a shared SAN. The server administrator reports problems related to processing of files where the files appears to be incompletely written to the disk. The network administration team has conducted a thorough review of all network infrastructure and devices and found everything running at optimal performance. Other SAN customers are unaffected. The data being processed consists of millions of small files being written to disk from a network source one file at a time. These files are then accessed by a local Javal program for processing before being transferred over the network to a SE Linux host for processing. Which of the following is the MOST likely cause of the processing problem?

The administrator has a PERL script running which disrupts the NIC by restarting the CRON process every 65 seconds.

The Java developers accounted for network latency only for the read portion of the processing and not the write process.

The most likely cause of the processing problem is that the Linux file system being used is unable to write files as fast as they can be read by the Java program. This means that the files are being accessed and processed before they are completely written to the disk, resulting in incomplete files and errors. This issue is specific to the Linux file system and is not related to the network infrastructure or devices, as other SAN customers are unaffected. The problem arises due to the large number of small files being written to disk from a network source one file at a time.

Explanation

The most likely cause of the processing problem is that the Linux file system being used is unable to write files as fast as they can be read by the Java program. This means that the files are being accessed and processed before they are completely written to the disk, resulting in incomplete files and errors. This issue is specific to the Linux file system and is not related to the network infrastructure or devices, as other SAN customers are unaffected. The problem arises due to the large number of small files being written to disk from a network source one file at a time.

10. A WAF without customization will protect the infrastructure from which of the following combinations?

DDoS, DNS poisoning, Boink, Teardrop

Reflective XSS, HTTP exhaustion, Teardrop

SQL Injection, DOM based XSS, HTTP exhaustion

SQL Injection, CSRF, Clickjacking

A web application firewall (WAF) is designed to protect the infrastructure from various types of attacks. In this case, the correct answer is "SQL Injection, DOM based XSS, HTTP exhaustion." SQL Injection refers to the exploitation of a vulnerability in a web application's database layer, while DOM based XSS (Cross-Site Scripting) is a type of vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. HTTP exhaustion refers to overwhelming a server with a high volume of HTTP requests, causing it to become unresponsive. These three combinations of attacks can be mitigated by a WAF without any customization.

Explanation

A web application firewall (WAF) is designed to protect the infrastructure from various types of attacks. In this case, the correct answer is "SQL Injection, DOM based XSS, HTTP exhaustion." SQL Injection refers to the exploitation of a vulnerability in a web application's database layer, while DOM based XSS (Cross-Site Scripting) is a type of vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. HTTP exhaustion refers to overwhelming a server with a high volume of HTTP requests, causing it to become unresponsive. These three combinations of attacks can be mitigated by a WAF without any customization.

11. An administrator at a small company replaces servers whenever budget money becomes available. Over the past several years the company has acquired and still uses 20 servers and 50 desktops from five different computer manufacturers. Which of the following are management challenges and risk associated with this style of technology lifecycle management?

Decreased security posture, decommission of outdated hardware, inability to centrally manage, and performance bottlenecks on old hardware.

Increased mean time to failure rate of legacy servers, OS variances, patch availability, and ability to restore to dissimilar hardware.

OS end-of-support issues, ability to backup data, hardware parts availability, and firmware update availablility and management.

Inability to use virtualization, trusted OS complexities, and multiple patch versions based on OS dependency.

The given answer correctly identifies the management challenges and risks associated with the style of technology lifecycle management described in the question. Replacing servers whenever budget money becomes available can lead to an increased mean time to failure rate of legacy servers, as older hardware may be more prone to failures. Additionally, using servers and desktops from different manufacturers can result in OS variances, making it difficult to manage and maintain a consistent system. Patch availability may also be a challenge, as different hardware and OS versions may require specific patches. Lastly, the ability to restore data to dissimilar hardware can be problematic, as compatibility issues may arise.

Explanation

The given answer correctly identifies the management challenges and risks associated with the style of technology lifecycle management described in the question. Replacing servers whenever budget money becomes available can lead to an increased mean time to failure rate of legacy servers, as older hardware may be more prone to failures. Additionally, using servers and desktops from different manufacturers can result in OS variances, making it difficult to manage and maintain a consistent system. Patch availability may also be a challenge, as different hardware and OS versions may require specific patches. Lastly, the ability to restore data to dissimilar hardware can be problematic, as compatibility issues may arise.

12. Company ABC was formed by combining numerous companies which all had multiple databases, web portals, and cloud data sets. Each data store had a unique set of custom developed authentication mechanisms and schemas. Which of the following approaches to combining the disparate mechanisms has the LOWEST up front development costs?

Attestation

PKI

Biometrics

Federated IDs

Federated IDs have the lowest up front development costs for combining the disparate authentication mechanisms in this scenario. By implementing federated IDs, the company can create a single identity management system that allows users to access multiple databases, web portals, and cloud data sets using a single set of credentials. This eliminates the need to develop and maintain custom authentication mechanisms and schemas for each data store, reducing development costs.

Explanation

Federated IDs have the lowest up front development costs for combining the disparate authentication mechanisms in this scenario. By implementing federated IDs, the company can create a single identity management system that allows users to access multiple databases, web portals, and cloud data sets using a single set of credentials. This eliminates the need to develop and maintain custom authentication mechanisms and schemas for each data store, reducing development costs.

13. Customer Need:"We need the system to produce a series of numbers with no discernible mathematical progression for use by our Java based, PKI-enabled, customer facing website."Which of the following BEST restates the customer need?

The system shall use a pseudo-random number generator seeded the same every time.

The system shall generate a pseudo-random number upon invocation by the existing Java program.

The system shall generate a truly random number based upon user PKI certificates.

The system shall implement a psuedo-random number generator for use by corporate customers.

The customer needs the system to generate a pseudo-random number when the existing Java program is invoked. This means that the system should be able to produce a series of numbers without any discernible mathematical progression, as required by the customer's website.

Explanation

The customer needs the system to generate a pseudo-random number when the existing Java program is invoked. This means that the system should be able to produce a series of numbers without any discernible mathematical progression, as required by the customer's website.

14. A corporation has expanded for the first time by integrating several newly acquired businesses.Which of the following are the FIRST tasks that the security team should undertake? (Select TWO).

Remove acquired companies Internet access.

Federate identity management systems.

Install firewall between the businesses.

Re-image all end user computers to a standard image.

Develop interconnection policy

Conduct a risk analysis of each acquired company's networks.

The security team should develop an interconnection policy to establish guidelines and protocols for connecting the newly acquired businesses to the existing corporate network. This will ensure that the integration is done securely and efficiently. Additionally, conducting a risk analysis of each acquired company's networks is important to identify any vulnerabilities or potential security threats that may exist. This will help the security team prioritize their efforts and address any weaknesses in the acquired networks.

Explanation

The security team should develop an interconnection policy to establish guidelines and protocols for connecting the newly acquired businesses to the existing corporate network. This will ensure that the integration is done securely and efficiently. Additionally, conducting a risk analysis of each acquired company's networks is important to identify any vulnerabilities or potential security threats that may exist. This will help the security team prioritize their efforts and address any weaknesses in the acquired networks.

Submit

15. After connecting to a secure payment server at https://pay.xyz.com, an auditor notices that the SSL certificate was issued to *.xyz.com. The auditor also notices that many of the internal development servers use the same certificate. After installing the certificate on dev1.xyz.com, one of the developers reports misplacing the USB thumb-drive where the SSL certificate was stored. Which of the following should the auditor recommend FIRST?

Generate a new public key on both servers.

Replace the SSL certificate on dev1.xyz.com.

Generate a new private key password for both servers.

Replace the SSL certificate on pay.xyz.com.

The auditor should recommend replacing the SSL certificate on pay.xyz.com as the first step. This is because the SSL certificate was issued to *.xyz.com, which means it is a wildcard certificate that can be used for multiple subdomains. Since many of the internal development servers also use the same certificate, it is important to replace the certificate on the payment server to ensure its security. Additionally, the misplacement of the USB thumb-drive where the certificate was stored poses a potential risk, further emphasizing the need to replace the certificate.

Explanation

The auditor should recommend replacing the SSL certificate on pay.xyz.com as the first step. This is because the SSL certificate was issued to *.xyz.com, which means it is a wildcard certificate that can be used for multiple subdomains. Since many of the internal development servers also use the same certificate, it is important to replace the certificate on the payment server to ensure its security. Additionally, the misplacement of the USB thumb-drive where the certificate was stored poses a potential risk, further emphasizing the need to replace the certificate.

16. Company ABC is planning to outsource its Customer Relationship Management System (CRM) and marketing / leads management to Company XYZ.Which of the following is the MOST important to be considered before going ahead with the service?

Internal auditors have approved the outsourcing arrangement.

Penetration testing can be performed on the externally facing web system.

Ensure there are security controls within the contract adn the right to audit.

A physical site audit is performed on Company XYZ's management / operation.

The most important consideration before outsourcing the CRM and marketing/leads management to Company XYZ is to ensure that there are security controls within the contract and the right to audit. This is crucial because it ensures that the sensitive customer data and company information will be protected and that the outsourced company will be held accountable for any security breaches. By having security controls in the contract, Company ABC can establish clear expectations and requirements for data protection. The right to audit provides Company ABC with the ability to assess and verify the security measures implemented by Company XYZ.

Explanation

The most important consideration before outsourcing the CRM and marketing/leads management to Company XYZ is to ensure that there are security controls within the contract and the right to audit. This is crucial because it ensures that the sensitive customer data and company information will be protected and that the outsourced company will be held accountable for any security breaches. By having security controls in the contract, Company ABC can establish clear expectations and requirements for data protection. The right to audit provides Company ABC with the ability to assess and verify the security measures implemented by Company XYZ.

17. A security administrator at a Lab Company is required to implement a solution which will provide the highest level of confidentiality possible to all data on the lab network.The current infrastructure design includes:

Two-factor token and biometric based authentication for all users
Attributable administrator accounts
Logging of all transactions
Full disk encryption of all HDDs
Finely granular access control to all resources
Full virtualization of all servers
The use of LUN masking to segregate SAN data
Port security on all switches

The network is protected with a firewall implementing ACLs, a NIPS device, and secured wireless access points.Which of the following cyptographic improvements should be made to the current architecutre to achieve the stated goals?

PKI based authentication

Transport encryption

Data at rest encryption

Code signing

Transport encryption should be implemented to achieve the highest level of confidentiality for data on the lab network. Transport encryption ensures that data transmitted over the network is encrypted, protecting it from unauthorized access or interception. This is especially important when sensitive data is being transmitted between different systems or over the internet. Implementing transport encryption will add an extra layer of security to the existing infrastructure design, ensuring that data remains confidential during transmission.

Explanation

Transport encryption should be implemented to achieve the highest level of confidentiality for data on the lab network. Transport encryption ensures that data transmitted over the network is encrypted, protecting it from unauthorized access or interception. This is especially important when sensitive data is being transmitted between different systems or over the internet. Implementing transport encryption will add an extra layer of security to the existing infrastructure design, ensuring that data remains confidential during transmission.

18. A security engineer is implementing a new solution designed to process e-business transactions and record them in a corporate audit database. The project has multiple technical stakeholders. The database team controls the physical database resources, the internal audit division control the audit records in the database, the web hosting team is responsible for implementing the website front end and shopping cart application, and the accounting department is responsible for processing the transaction and interfacing with the payment processor. As the solution owner, the security engineer is responsible for ensuring which of the following?

Ensure the process functions in a secure manner from customer input to audit review.

Security solutions result in zero additional processing latency.

Ensure the process of storing audit records is in compliance with applicable laws.

Web transactions are conducted in a secure network channel.

The security engineer is responsible for ensuring that the entire process, from customer input to audit review, functions in a secure manner. This means that the engineer needs to ensure that all steps in the process, including the website front end, shopping cart application, transaction processing, and audit record storage, are secure and protected against potential threats or vulnerabilities. This includes implementing appropriate security controls, encryption, access controls, and monitoring mechanisms to ensure the confidentiality, integrity, and availability of the e-business transactions and audit records.

Explanation

The security engineer is responsible for ensuring that the entire process, from customer input to audit review, functions in a secure manner. This means that the engineer needs to ensure that all steps in the process, including the website front end, shopping cart application, transaction processing, and audit record storage, are secure and protected against potential threats or vulnerabilities. This includes implementing appropriate security controls, encryption, access controls, and monitoring mechanisms to ensure the confidentiality, integrity, and availability of the e-business transactions and audit records.

19. A hosting company provides inexpensive guest virtual machines to low-margin customers. Customers manage their own guest virtual machines. Some customers want basic guarantees of logical separation from other customers and it has been indicated that some customers would like to have configuration control of this separation; whereas others want this provided as a value-added service by the hosting company. Which of the following BEST meets these requirements?

The hosting company should install a hypervisor-based firewall and allow customers to manage this on an as-needed basis.

The hosting company should manage the hypervisor-based firewall while allowing customers to configure their own host-based firewall.

Customers should purchase physical firewalls to protect their guests hosts and have the hosting company manage these if requested.

The hosting company should manage the hypervisor-based firewall while allowing customers to configure their own host-based firewall. This option best meets the requirements because it provides logical separation between customers through the hypervisor-based firewall, which is managed by the hosting company. At the same time, it allows customers to have configuration control over their own host-based firewall, giving them the flexibility and control they desire. This solution satisfies both the need for separation and the option for customers to have configuration control or value-added service from the hosting company.

Explanation

The hosting company should manage the hypervisor-based firewall while allowing customers to configure their own host-based firewall. This option best meets the requirements because it provides logical separation between customers through the hypervisor-based firewall, which is managed by the hosting company. At the same time, it allows customers to have configuration control over their own host-based firewall, giving them the flexibility and control they desire. This solution satisfies both the need for separation and the option for customers to have configuration control or value-added service from the hosting company.

20. A security researcher is about to evaluate a new secure VoIP routing appliance. The applicance manufacturer claims the new device is hardened against all known attacks and several undisclosed zero day exploits. The code base used for the device is a combination of compiled C and TC/TKL scripts. Which of the following methods should the security research use to enumerate the ports and protocols in use by the applicance?

Device fingerprinting

Switchport analyzer

Grey box testing

Penetration testing

Device fingerprinting is the method that the security researcher should use to enumerate the ports and protocols in use by the appliance. Device fingerprinting involves analyzing the network traffic or device responses to identify specific characteristics or patterns that can be used to determine the device's operating system, software, or configuration. By performing device fingerprinting, the security researcher can gather information about the ports and protocols being used by the appliance, which is crucial for evaluating its security.

Explanation

Device fingerprinting is the method that the security researcher should use to enumerate the ports and protocols in use by the appliance. Device fingerprinting involves analyzing the network traffic or device responses to identify specific characteristics or patterns that can be used to determine the device's operating system, software, or configuration. By performing device fingerprinting, the security researcher can gather information about the ports and protocols being used by the appliance, which is crucial for evaluating its security.

21. A morphed worm carrying a 0-day payload has infiltrated the cmpany network and is now spreading across the organization. The security administrator was able to isolate the worm communication and payload distribution channel to TCP port 445. Which of the following can the administrator do in the short term to minimize the attack?

Deploy the followin ACL to the HIPS: DENY - TCP - ANY - ANY - 445.

Run a TCP 445 port scan across the organization and patch hosts with open ports.

Add the following ACL to the corporate firewall: DENY - TCP - ANY - ANY - 445.

Force a signature update and full system scan from the enterprize anti-virus solution.

The correct answer is to deploy the following ACL to the HIPS: DENY - TCP - ANY - ANY - 445. By implementing this access control list (ACL) on the host-based intrusion prevention system (HIPS), the security administrator can block any TCP communication on port 445, which is the channel through which the worm is spreading. This will effectively minimize the attack by preventing further communication and distribution of the worm within the organization's network.

Explanation

The correct answer is to deploy the following ACL to the HIPS: DENY - TCP - ANY - ANY - 445. By implementing this access control list (ACL) on the host-based intrusion prevention system (HIPS), the security administrator can block any TCP communication on port 445, which is the channel through which the worm is spreading. This will effectively minimize the attack by preventing further communication and distribution of the worm within the organization's network.

22. A security administrator wants to verify and improve the security of a business process which is tied to proven company workflow. The security administrator was able to improve security by applying controls that were defined by the newly released company security standard. Such controls included code improvement, transport encryption, and interface restrictions. Which of the following can the security administrator do to further increase security after having exhausted all the technical control dictated by the company's security standard?

Conduct a gap analysis and recommend appropriate non-technical mitigating controls, and incorporate the new controls into the standard.

Conduct a risk analysis on all current contorls, and recommend appropriate mechanisms to increase overall security.

Modify the company policy to account for higher security, adapt the standard accordingly, and implement new technical controls.

The security administrator can conduct a gap analysis to identify any areas where the current controls may be lacking or insufficient. Based on the findings of the gap analysis, the administrator can recommend appropriate non-technical mitigating controls to address the identified gaps. These non-technical controls can include policies, procedures, and training measures. The administrator can then incorporate these new controls into the company's security standard to further enhance security. This approach ensures that security is improved beyond just technical controls and takes into account the overall security posture of the business process.

Explanation

The security administrator can conduct a gap analysis to identify any areas where the current controls may be lacking or insufficient. Based on the findings of the gap analysis, the administrator can recommend appropriate non-technical mitigating controls to address the identified gaps. These non-technical controls can include policies, procedures, and training measures. The administrator can then incorporate these new controls into the company's security standard to further enhance security. This approach ensures that security is improved beyond just technical controls and takes into account the overall security posture of the business process.

23. The VoIP administrator starts receiving reports that users are having problems placing phone calls. The VoIP administrator cannot determine the issue, and asks the security administrator for help. The security administrator reviews the switch interfaces and does not see an excessive amount of network traffic on the voice network. Using a protocol analyzer, the security administrator does see an excessive number of SIP INVITE packets destined for the SIP proxy. Based on the information given, which of the following attacks is underway and how can it be remediated?

Man in the middle attack; install an IPS in front of the SIP proxy.

Man in the middle attack; use 802.1x to secure voice VLAN.

Denial of Service; switch to more secure H.323 protocol.

Denial of Service; use rate limiting to limit traffic.

The correct answer is "Denial of Service; use rate limiting to limit traffic." The explanation for this answer is that the security administrator observed an excessive number of SIP INVITE packets destined for the SIP proxy. This indicates that a Denial of Service (DoS) attack is underway, where the attacker floods the network with a high volume of SIP INVITE packets, causing congestion and preventing legitimate users from placing phone calls. To remediate this attack, rate limiting can be implemented to restrict the amount of traffic allowed to the SIP proxy, ensuring that the network resources are not overwhelmed and legitimate users can make phone calls.

Explanation

The correct answer is "Denial of Service; use rate limiting to limit traffic." The explanation for this answer is that the security administrator observed an excessive number of SIP INVITE packets destined for the SIP proxy. This indicates that a Denial of Service (DoS) attack is underway, where the attacker floods the network with a high volume of SIP INVITE packets, causing congestion and preventing legitimate users from placing phone calls. To remediate this attack, rate limiting can be implemented to restrict the amount of traffic allowed to the SIP proxy, ensuring that the network resources are not overwhelmed and legitimate users can make phone calls.

24. The Chief Information Security Office (CISO) of a small bank wants to embed a monthly testing regiment into the security management plan specifically for the development area. The CISO's requirements are that testing must have a low risk of impacting system stability, can be scripted, and is very thorough. The development team claims that this will lead to a higher degree of test script maintenance and that it would be preferable if the testing was outsourced to a third party. The CISO still maintains that third-party testing would not be as the third party lacks the introspection of the development team. Which of the following will satisfy the CISO requirements?

Grey box testing performed by a major external consulting firm who have signed a NDA.

Black box testing performed by a major external consulting firm who have signed a NDA.

White box testing performed by the development and security assurance teams.

Grey box testing performed by the development and security assurance teams.

White box testing, performed by the development and security assurance teams, would satisfy the CISO's requirements. This type of testing allows for a thorough examination of the system, as it involves testing the internal workings and code of the application. It can be scripted and has a low risk of impacting system stability. Additionally, since the development team has a deep understanding of the system, they can provide the necessary introspection that a third party may lack.

Explanation

White box testing, performed by the development and security assurance teams, would satisfy the CISO's requirements. This type of testing allows for a thorough examination of the system, as it involves testing the internal workings and code of the application. It can be scripted and has a low risk of impacting system stability. Additionally, since the development team has a deep understanding of the system, they can provide the necessary introspection that a third party may lack.

25. A large corporation which is heavily reliant on IT platforms and systems is in financial difficulty and needs to drastically reduce costs in the short term to survive. The Chief Financial Officer (CFO) has mandated that all IT architectural functions will be outsourced and a mixture of providers will be selected. One provider will manage the desktops for five years, another provider will manage the network for ten years, another provider will be responsible for security for four years, and an offshore provider will perform day to day business processing functions for two years. At the end of each contract the incumbent may be renewed or a new provider may be selected. Which of the following are the MOST likely risk implications of the CFO's business decision?

The CFO's decision to outsource IT architectural functions to multiple providers will have several risk implications. Firstly, the segregation of duties between the providers may adversely impact the strategic architecture of the organization. Secondly, vendor management costs are likely to increase as the organization will now have to manage multiple providers. This may also reduce the organization's flexibility to react to new market conditions. Additionally, internal knowledge of IT systems is likely to decline as providers maintain system documentation. This could hinder future platform development. Lastly, the implementation of security controls and updates may take longer as responsibility crosses multiple boundaries.

Explanation

The CFO's decision to outsource IT architectural functions to multiple providers will have several risk implications. Firstly, the segregation of duties between the providers may adversely impact the strategic architecture of the organization. Secondly, vendor management costs are likely to increase as the organization will now have to manage multiple providers. This may also reduce the organization's flexibility to react to new market conditions. Additionally, internal knowledge of IT systems is likely to decline as providers maintain system documentation. This could hinder future platform development. Lastly, the implementation of security controls and updates may take longer as responsibility crosses multiple boundaries.

26. In single sign-on, the secondary domain needs to trust the primary domain to do which of the following? (Select TWO).

Correctly assert the identity and authorization credentials of the end user.

Correctly assert the authentication and authorization credentials of the end user.

Protect the authentication credentials used to verify the end user identity to the secondary domain for unauthorized use.

Protect the authentiation credentials used to verify the end user identity to the secondary domain for authorized use.

Protect the accounting credentials used to verify the end identity to the secondary domain for unauthorized use.

Correctly assert the identify and authentication credentials of the end user.

The secondary domain in single sign-on needs to trust the primary domain in order to protect the authentication credentials used to verify the end user identity to the secondary domain for authorized use. Additionally, it needs to correctly assert the identity and authentication credentials of the end user.

Explanation

The secondary domain in single sign-on needs to trust the primary domain in order to protect the authentication credentials used to verify the end user identity to the secondary domain for authorized use. Additionally, it needs to correctly assert the identity and authentication credentials of the end user.

Submit

27. New zero-day attacks are announced on a regular basis against a broad range of technology systems. Which of the following best practices should a security manager do to manage the risks of these attack vectors

Establish an emergency response call tree.

Create an inventory of applications.

Backup the router and firewall configurations.

Maintain a list of critical systems.

Update all network diagrams

To manage the risks of new zero-day attacks, it is important for a security manager to create an inventory of applications and maintain a list of critical systems. Creating an inventory of applications helps in identifying and monitoring the software that is being used within the organization, allowing for better vulnerability management. Maintaining a list of critical systems helps prioritize their protection and ensure that necessary security measures are in place to mitigate the risks associated with zero-day attacks.

Explanation

To manage the risks of new zero-day attacks, it is important for a security manager to create an inventory of applications and maintain a list of critical systems. Creating an inventory of applications helps in identifying and monitoring the software that is being used within the organization, allowing for better vulnerability management. Maintaining a list of critical systems helps prioritize their protection and ensure that necessary security measures are in place to mitigate the risks associated with zero-day attacks.

Submit

28. A corporation has Research and Development (R&D) and IT support teams, each requiring separate networks with independent control of their security boundaries to support department objectives. The coporation's Information Security Officer (ISO) is responsible for providing firewall services to both departments, but does not want to increase the hardware footprint within the datacenter. Which of the following should the ISO consider to provide the independent functionality required by each department's IT teams?

Put both departments behind the firewall and assign administrative control for each department to the corporate firewall.

Provide each department with a virtual firewall and assign administrative control to the physical firewall.

Put both departments behind the firewall and incorporate restrictive controls on each department's network.

Provide each department with a virtual firewall and assign appropriate levels of management for the virtual device.

The ISO should consider providing each department with a virtual firewall and assigning appropriate levels of management for the virtual device. This approach allows for separate networks with independent control of their security boundaries, meeting the requirements of both the R&D and IT support teams. By using virtual firewalls, the ISO can provide the necessary functionality without increasing the hardware footprint within the datacenter. This ensures that each department has its own firewall and can manage it according to their specific needs.

Explanation

The ISO should consider providing each department with a virtual firewall and assigning appropriate levels of management for the virtual device. This approach allows for separate networks with independent control of their security boundaries, meeting the requirements of both the R&D and IT support teams. By using virtual firewalls, the ISO can provide the necessary functionality without increasing the hardware footprint within the datacenter. This ensures that each department has its own firewall and can manage it according to their specific needs.

29. The <nameID> element in SAML can be provided in which of the following predefined formats? (Select TWO).

X.509 subject name

PTR DNS record

EV certificate

Kerberos principal name

WWN record name

The element in SAML can be provided in the X.509 subject name format, which is a standard format for identifying subjects in X.509 certificates. It can also be provided in the Kerberos principal name format, which is a format used to identify principals in a Kerberos authentication system. Both of these formats are commonly used and supported in SAML implementations for identifying subjects in SAML assertions.

Explanation

The element in SAML can be provided in the X.509 subject name format, which is a standard format for identifying subjects in X.509 certificates. It can also be provided in the Kerberos principal name format, which is a format used to identify principals in a Kerberos authentication system. Both of these formats are commonly used and supported in SAML implementations for identifying subjects in SAML assertions.

Submit

30. The Linux server at Company A hosts a graphical application widely used by the company designers. One designer regularly connects to the server from a Mac laptop in the designers's office down the hall. When the security engineer learns of this it is discovered the connection is not secured and the password can easily be obtained via network sniffing. Which of the following would the security engineer MOST likely implement to secure this connection?Linux Server: 192.168.10.10/24Mac Laptop: 192.168.10.200/24

From the server, establish an SSH tunnel to the Mac and VPN to 192.168.10.200.

From the Mac, establish a remote desktop connection to 192.168.10.10 using Network Layer Authentication and the CredSSP security provider.

From the Mac, establish a VPN to the Linux server and connect the VNC to 127.0.0.1.

From the Mac, establish a SSH tunnel to Linux server an connect the VNC to 127.0.0.1.

The security engineer would most likely implement establishing an SSH tunnel from the Mac to the Linux server and connecting the VNC to 127.0.0.1. This would secure the connection by encrypting the data transmitted between the Mac and the server, preventing network sniffing and unauthorized access to the password. By using the SSH tunnel, the connection would be secure and the designers can continue accessing the graphical application on the Linux server without compromising security.

Explanation

The security engineer would most likely implement establishing an SSH tunnel from the Mac to the Linux server and connecting the VNC to 127.0.0.1. This would secure the connection by encrypting the data transmitted between the Mac and the server, preventing network sniffing and unauthorized access to the password. By using the SSH tunnel, the connection would be secure and the designers can continue accessing the graphical application on the Linux server without compromising security.

CompTIA Advanced Security Practitioner (Cas-001) 241-270