CAS-001 CompTIA Advanced Security Practitioner Practice Exam Set 11

A trust relationship has been established between two organizations with web based services.

One organization is acting as the Requesting Authority (RA) and the other acts as the Provisioning

Service Provider (PSP). Which of the following is correct about the trust relationship?

Options are :
  • The trust relationship uses SPML in the SOAP header. The SOAP body transports the SAML requests / responses.
  • The trust relationship uses SAML in the SOAP header. The SOAP body transports the SPML requests / responses. (Correct)
  • The trust relationship uses SPML in the SAML header. The SAML body transports the SPML requests / responses.
  • The trust relationship uses XACML in the SAML header. The SAML body transports the SOAP requests / responses.

Answer : The trust relationship uses SAML in the SOAP header. The SOAP body transports the SPML requests / responses.

Company XYZ plans to donate 1,000 used computers to a local school. The company has a large

research and development section and some of the computers were previously used to store

proprietary research.

The security administrator is concerned about data remnants on the donated machines, but the

company does not have a device sanitization section in the data handling policy.

Which of the following is the BEST course of action for the security administrator to take?

Options are :
  • Reload the machines with an open source operating system and then donate the machines.
  • Delay the donation until all storage media on the computers can be sanitized. (Correct)
  • Delay the donation until a new policy is approved by the Chief Information Officer (CIO), and then donate the machines.
  • Move forward with the donation, but remove all software license keys from the machines

Answer : Delay the donation until all storage media on the computers can be sanitized.

select id, firstname, lastname from authors

User input: firstname = Hack;man

lastname = Johnson

Which of the following types of attacks is the user attempting?

Options are :
  • XML injection
  • Command injection
  • Cross-site scripting
  • SQL injection (Correct)

Answer : SQL injection
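The query above is exposed to SQL injection only if the application splices the user's input into the SQL text. The following is an added example (not code from the original page) that builds the page's query both ways in Python with the standard-library sqlite3 module; the sample rows, the table definition and the two payloads are constructed for the example. It goes beyond the page's "Hack;man" input: a semicolon inside a quoted literal is harmless by itself, so the example also shows a tautology payload that breaks out of the literal and a stacked-statement payload that drops the table when the driver call runs every statement it is handed.

```python
import sqlite3

# Constructed sample rows (not from the original page).
SAMPLE_AUTHORS = [(1, "Ann", "Johnson"), (2, "Bob", "Smith"), (3, "Cara", "Lee")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table authors (id integer, firstname text, lastname text)")
    conn.executemany("insert into authors values (?, ?, ?)", SAMPLE_AUTHORS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, firstname, lastname):
    # The page's query with a WHERE clause built by string formatting: the user's
    # input becomes part of the SQL text the database parses.
    sql = ("select id, firstname, lastname from authors "
           "where firstname = '%s' and lastname = '%s'" % (firstname, lastname))
    return conn.execute(sql).fetchall()


def safe_lookup(conn, firstname, lastname):
    # Same query with bound parameters: the driver passes the input as data,
    # so quotes and semicolons in it can never change the statement's structure.
    sql = "select id, firstname, lastname from authors where firstname = ? and lastname = ?"
    return conn.execute(sql, (firstname, lastname)).fetchall()


def authors_table_exists(conn):
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = 'authors'"
    ).fetchone()
    return row[0] == 1


def stacked_lookup(conn, firstname):
    # Same concatenation, executed with executescript(), which runs every statement
    # in the string (as some drivers and batch APIs do). A ';' in the input then
    # terminates the SELECT and whatever follows it runs as a second statement.
    sql = "select id, firstname, lastname from authors where firstname = '%s'" % firstname
    conn.executescript(sql)
    return authors_table_exists(conn)


TAUTOLOGY = "x' or '1'='1"                 # closes the literal, appends an always-true clause
STACKED = "Hack'; drop table authors; --"  # closes the literal, adds a statement, comments out the rest


def demo():
    conn = make_db()
    return {
        "normal": vulnerable_lookup(conn, "Ann", "Johnson"),
        # The page's own input: the semicolon stays inside the quoted literal, no effect.
        "page_input": vulnerable_lookup(conn, "Hack;man", "Johnson"),
        # firstname = 'Ann' and lastname = 'x' or '1'='1'  ->  every row comes back.
        "tautology_vulnerable": vulnerable_lookup(conn, "Ann", TAUTOLOGY),
        "tautology_safe": safe_lookup(conn, "Ann", TAUTOLOGY),
        # With parameters the payload is just an odd name; the table survives.
        "table_after_stacked_safe": (safe_lookup(conn, STACKED, "x"), authors_table_exists(conn)),
        # Concatenated and batch-executed, the payload drops the table.
        "table_after_stacked_vulnerable": stacked_lookup(conn, STACKED),
    }
```

Run `demo()` to see the difference side by side; the only line that changes between the vulnerable and the safe lookup is how the input reaches the database, which is why parameterised queries (or an ORM that uses them) are the fix rather than filtering semicolons or quotes.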

A retail bank has had a number of issues in regards to the integrity of sensitive information across

all of its customer databases. This has resulted in the bank's share price decreasing in value by

50% and regulatory intervention and monitoring.

The new Chief Information Security Officer (CISO) as a result has initiated a program of work to

solve the issues.

The business has specified that the solution needs to be enterprise grade and meet the following

requirements:

Be across all major platforms, applications and infrastructure.

Be able to track user and administrator activity.

Does not significantly degrade the performance of production platforms, applications, and

infrastructures.

Real time incident reporting.

Manageable and has meaningful information.

Business units are able to generate reports in a timely manner of the unit's system assets.

In order to solve this problem, which of the following security solutions will BEST meet the above

requirements? (Select THREE).


A. Implement a security operations center to provide real time monitoring and incident response

with self service reporting capability.

B. Implement an aggregation based SIEM solution to be deployed on the log servers of the major

platforms, applications, and infrastructure.

C. Implement a security operations center to provide real time monitoring and incident response

and an event correlation dashboard with self service reporting capability.

D. Ensure that the network operations center has the tools to provide real time monitoring and

incident response and an event correlation dashboard with self service reporting capabilities.

E. Implement an agent only based SIEM solution to be deployed on all major platforms,

applications, and infrastructures.

F. Ensure appropriate auditing is enabled to capture the required information.

G. Manually pull the logs from the major platforms, applications, and infrastructures to a central

secure server.

Options are :
  • A,C,F
  • B,C,F (Correct)
  • B,C,A
  • B,C,D

Answer : B,C,F

A general insurance company wants to set up a new online business. The requirements are that

the solution needs to be:

Extendable for new products to be developed and added

Externally facing for customers and business partners to login

Usable and manageable

Be able to integrate seamlessly with third parties for non core functions such as document

printing

Secure to protect customer's personal information and credit card information during transport

and at rest

The conceptual solution architecture has specified that the application will consist of a traditional

three tiered architecture for the front end components, an ESB to provide services, data

transformation capability and legacy system integration and a web services gateway.

Which of the following security components will BEST meet the above requirements and fit into the

solution architecture? (Select TWO).

A. Implement WS-Security for services authentication and XACML for service authorization.

B. Use end-to-end application level encryption to encrypt all fields and store them encrypted in the

database.

C. Implement a certificate based solution on a smart card in combination with a PIN to provide

authentication and authorization of users.

D. Implement WS-Security as a federated single sign-on solution for authentication authorization

of users.

E. Implement SSL encryption for all sensitive data flows and encryption of passwords of the data

at rest.

F. Use application level encryption to encrypt sensitive fields, SSL encryption on sensitive flows,

and database encryption for sensitive data storage.

Options are :
  • A,C
  • A,D
  • A,F (Correct)
  • B,F

Answer : A,F

An external auditor has found that IT security policies in the organization are not maintained and in

some cases are nonexistent. As a result of the audit findings, the CISO has been tasked with the

objective of establishing a mechanism to manage the lifecycle of IT security policies. Which of the

following can be used to BEST achieve the CISO's objectives?

Options are :
  • UCF
  • CoBIT
  • ISO 27002
  • eGRC (Correct)

Answer : eGRC

After being informed that the company DNS is unresponsive, the system administrator issues the

following command from a Linux workstation:

ssh -p 2020 -l user dnsserver.company.com

Once at the command prompt, the administrator issues the below command:

service bind restart

The system returns the below response:

Unable to restart BIND

Which of the following is true about the above situation?

Options are :
  • The service did not restart because the bind command is privileged.
  • The administrator used the wrong SSH port to restart the DNS server.
  • The administrator must use the sudo command in order to restart the service. (Correct)
  • The service was restarted correctly, but it failed to bind to the network interface

Answer : The administrator must use the sudo command in order to restart the service.

A security architect is designing a new infrastructure using both type 1 and type 2 virtual

machines. In addition to the normal complement of security controls (e.g. antivirus, host

hardening, HIPS/NIDS) the security architect needs to implement a mechanism to securely store

cryptographic keys used to sign code and code modules on the VMs. Which of the following will

meet this goal without requiring any hardware pass-through implementations?

Options are :
  • TPM
  • vTPM (Correct)
  • INE
  • HSM

Answer : vTPM

Continuous monitoring is a popular risk reduction technique in many large organizations with

formal certification processes for IT projects. In order to implement continuous monitoring in an

effective manner which of the following is correct?

Options are :
  • Critical logs must be monitored hourly and adequate staff must be assigned to the network team.
  • All logs must be centrally managed and access to the logs restricted only to data storage staff.
  • Only security related alerts should be forwarded to the network team for resolution.
  • Logging must be set appropriately and alerts delivered to security staff in a timely manner. (Correct)

Answer : Logging must be set appropriately and alerts delivered to security staff in a timely manner.

A new IDS device is generating a very large number of irrelevant events. Which of the following

would BEST remedy this problem?

Options are :
  • Change the IDS to use a heuristic anomaly filter.
  • Adjust IDS filters to increase the number of false negatives.
  • Adjust IDS filters to decrease the number of false positives (Correct)
  • Change the IDS filter to data mine the false positives for statistical trending data.

Answer : Adjust IDS filters to decrease the number of false positives

An audit at a popular on-line shopping site reveals that a flaw in the website allows customers to

purchase goods at a discounted rate. To improve security the Chief Information Security Officer

(CISO) has requested that the web based shopping cart application undergo testing to validate

user input in both free form text fields and drop down boxes.

Which of the following is the BEST combination of tools and / or methods to use?

Options are :
  • Blackbox testing and fingerprinting
  • Enumerator and vulnerability assessment
  • Code review and packet analyzer
  • Fuzzer and HTTP interceptor (Correct)

Answer : Fuzzer and HTTP interceptor

A bank provides single sign on services between its internally hosted applications and externally

hosted CRM. The following sequence of events occurs:

1. The banker accesses the CRM system, a redirect is performed back to the organization's

internal systems.

2. A lookup is performed of the identity and a token is generated, signed and encrypted.

3. A redirect is performed back to the CRM system with the token.

4. The CRM system validates the integrity of the payload, extracts the identity and performs a

lookup.

5. If the banker is not in the system, an automated provisioning request occurs.

6. The banker is authenticated and authorized and can access the system.

This is an example of which of the following?

Options are :
  • OpenID federated single sign on
  • Service provider initiated SAML 1.1
  • Service provider initiated SAML 2.0 (Correct)
  • Identity provider initiated SAML 1.0

Answer : Service provider initiated SAML 2.0
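The six steps above are the SP-initiated pattern: the service provider (the CRM) starts the exchange, the identity provider (the bank) answers with a signed token, and the SP validates it before provisioning and admitting the user. The following is an added example, not code from the original page, that plays both sides of that exchange in Python using only the standard library. It assumes a shared HMAC key as a stand-in for the IdP's XML-DSig signing key, omits the encryption step in the sequence, and uses made-up issuer URLs and a constructed bank directory. Beyond the happy path, it shows the checks a practitioner cares about at step 4: signature, issuer and audience, validity window, and a one-time InResponseTo that defeats replay of a captured token.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumptions for this example: one shared HMAC key stands in for the IdP's signing key
# pair and XML-DSig; the page's encryption step is omitted; URLs and directory are made up.
IDP_SIGNING_KEY = b"example-idp-signing-key-not-for-production"
IDP_ISSUER = "https://idp.bank.example/saml"
SP_ISSUER = "https://crm.vendor.example/sp"
BANK_DIRECTORY = {"jdoe": {"email": "jdoe@bank.example", "role": "banker"}}  # constructed


def sign(assertion):
    """Signature over a canonical serialisation (the role XML-DSig plays for a real assertion)."""
    canonical = json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(IDP_SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


class ServiceProvider:
    """The externally hosted CRM: starts the flow (hence 'SP-initiated') and validates the result."""

    def __init__(self):
        self.pending = {}      # AuthnRequest ID -> RelayState, for the InResponseTo check
        self.users = {}        # CRM user store, filled by just-in-time provisioning
        self.provisioned = []

    def start_login(self, requested_url):
        # Step 1: an unauthenticated banker hits the CRM; redirect to the IdP with an AuthnRequest.
        request_id = "_" + secrets.token_hex(16)
        self.pending[request_id] = requested_url
        authn_request = {"ID": request_id, "Issuer": SP_ISSUER,
                         "AssertionConsumerServiceURL": SP_ISSUER + "/acs"}
        return {"SAMLRequest": authn_request, "RelayState": requested_url}

    def consume(self, saml_response, relay_state):
        # Step 4: integrity first, then issuer, audience, validity window and InResponseTo.
        assertion, signature = saml_response["Assertion"], saml_response["Signature"]
        if not hmac.compare_digest(sign(assertion), signature):
            raise ValueError("signature invalid")
        if assertion["Issuer"] != IDP_ISSUER or assertion["Audience"] != SP_ISSUER:
            raise ValueError("wrong issuer or audience")
        if time.time() > assertion["NotOnOrAfter"]:
            raise ValueError("assertion expired")
        # The request ID is consumed on first use, so a captured response cannot be replayed.
        target = self.pending.pop(assertion["InResponseTo"], None)
        if target is None or target != relay_state:
            raise ValueError("unsolicited or replayed response")
        subject = assertion["Subject"]
        if subject not in self.users:           # Step 5: automated provisioning
            self.users[subject] = dict(assertion["Attributes"])
            self.provisioned.append(subject)
        return {"user": subject, "role": self.users[subject]["role"], "redirect": target}  # Step 6


class IdentityProvider:
    """The bank's internal identity system: looks the banker up and issues a signed token."""

    def __init__(self, directory):
        self.directory = directory

    def handle(self, redirect, username, ttl_seconds=300):
        # Step 2: identity lookup and token generation; step 3: redirect back with the token.
        authn_request = redirect["SAMLRequest"]
        attributes = self.directory.get(username)
        if attributes is None:
            raise PermissionError("unknown user")
        assertion = {
            "ID": "_" + secrets.token_hex(16),
            "Issuer": IDP_ISSUER,
            "Audience": authn_request["Issuer"],
            "InResponseTo": authn_request["ID"],
            "Subject": username,
            "Attributes": attributes,
            "NotOnOrAfter": int(time.time()) + ttl_seconds,
        }
        return {"SAMLResponse": {"Assertion": assertion, "Signature": sign(assertion)},
                "RelayState": redirect["RelayState"]}


def run_flow(username="jdoe", tamper=False, replay=False):
    """Drive the six steps; optionally tamper with or replay the token to exercise the SP's checks."""
    sp, idp = ServiceProvider(), IdentityProvider(BANK_DIRECTORY)
    redirect = sp.start_login(SP_ISSUER + "/accounts/42")
    back = idp.handle(redirect, username)
    if tamper:
        back["SAMLResponse"]["Assertion"]["Subject"] = "admin"   # the integrity check must reject this
    try:
        session = sp.consume(back["SAMLResponse"], back["RelayState"])
        if replay:
            sp.consume(back["SAMLResponse"], back["RelayState"])
        return {"ok": True, "session": session, "provisioned": list(sp.provisioned)}
    except ValueError as err:
        return {"ok": False, "error": str(err)}
```

`run_flow()` provisions "jdoe" on first login and returns a session; `run_flow(tamper=True)` and `run_flow(replay=True)` are refused at step 4. In a real deployment the SP would also pin the IdP's certificate, and the IdP would encrypt the assertion for the SP's public key, which the bank's sequence mentions and this example leaves out.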

A company has implemented data retention policies and storage quotas in response to their legal

department's requests and the SAN administrator's recommendation. The retention policy states

all email data older than 90 days should be eliminated. As there are no technical controls in place,

users have been instructed to stick to a storage quota of 500MB of network storage and 200MB of

email storage. After being presented with an e-discovery request from an opposing legal council,

the security administrator discovers that the user in the suit has 1TB of files and 300MB of email

spanning over two years. Which of the following should the security administrator provide to

opposing council?

Options are :
  • Delete email over the policy threshold and hand over the remaining emails and all of the files.
  • Provide the 1TB of files on the network and the 300MB of email files regardless of age. (Correct)
  • Delete files and email exceeding policy thresholds and turn over the remaining files and email
  • Provide the first 200MB of e-mail and the first 500MB of files as per policy.

Answer : Provide the 1TB of files on the network and the 300MB of email files regardless of age.

The Chief Executive Officer (CEO) of a large prestigious enterprise has decided to reduce

business costs by outsourcing to a third party company in another country. Functions to be

outsourced include: business analysts, testing, software development and back office functions

that deal with the processing of customer data. The Chief Risk Officer (CRO) is concerned about

the outsourcing plans. Which of the following risks are MOST likely to occur if adequate controls

are not implemented?

Options are :
  • Improper handling of customer data, loss of intellectual property and reputation damage (Correct)
  • Improper handling of client data, interoperability agreement issues and regulatory issues
  • Cultural differences, increased cost of doing business and divestiture issues
  • Geographical regulation issues, loss of intellectual property and interoperability agreement issues

Answer : Improper handling of customer data, loss of intellectual property and reputation damage

An Association is preparing to upgrade their firewalls at five locations around the United States.

Each of the three vendors' RFP responses is in line with the security and other requirements.

Which of the following should the security administrator do to ensure the firewall platform is

appropriate for the Association?

Options are :
  • Develop criteria and rate each firewall platform based on information in the RFP responses.
  • Correlate current industry research with the RFP responses to ensure validity.
  • Create a lab environment to evaluate each of the three firewall platforms. (Correct)
  • Benchmark each firewall platform's capabilities and experiences with similar sized companies.

Answer : Create a lab environment to evaluate each of the three firewall platforms.

When generating a new key pair, a security application asks the user to move the mouse and type

random characters on the keyboard. Which of the following BEST describes why this is

necessary?

Options are :
  • The user is providing entropy so the application can use random data to create the key pair. (Correct)
  • The user is providing a diffusion point to the application to aid in creating the key pair.
  • The user needs a non-repudiation data source in order for the application to generate the key pair.
  • The application is requesting perfect forward secrecy from the user in order to create the key pair.

Answer : The user is providing entropy so the application can use random data to create the key pair.

Which of the following BEST describes the implications of placing an IDS device inside or outside

of the corporate firewall?

Options are :
  • Placing the IDS device inside the firewall will allow it to monitor potential internal attacks but may increase the load on the system.
  • Placing the IDS device outside the firewall will allow it to monitor potential remote attacks while still allowing the firewall to block the attack. (Correct)
  • Placing the IDS device inside the firewall will allow it to monitor potential remote attacks but may increase the load on the system.
  • Placing the IDS device outside the firewall will allow it to monitor potential remote attacks but the firewall will not be able to block the attacks.

Answer : Placing the IDS device outside the firewall will allow it to monitor potential remote attacks while still allowing the firewall to block the attack.

The Chief Information Security Officer (CISO) regularly receives reports of a single department

repeatedly violating the corporate security policy. The head of the department in question informs

the CISO that the offending behaviors are a result of necessary business activities. The CISO

assigns a junior security administrator to solve the issue. Which of the following is the BEST

course of action for the junior security administrator to take?

Options are :
  • Work with the department head to find an acceptable way to change the business needs so the department no longer violates the corporate security policy.
  • Work with the CISO and department head to create an SLA specifying the response times of the IT security department when incidents are reported.
  • Draft an MOU for the department head and CISO to approve, documenting the limits of the necessary behavior, and actions to be taken by both teams. (Correct)
  • Draft an RFP for the purchase of a COTS product or consulting services to solve the problem through implementation of technical controls.

Answer : Draft an MOU for the department head and CISO to approve, documenting the limits of the necessary behavior, and actions to be taken by both teams.

A security administrator is shown the following log excerpt from a Unix system:

2013 Oct 10 07:14:57 web14 sshd[1632]: Failed password for root from 198.51.100.23 port 37914 ssh2

2013 Oct 10 07:14:57 web14 sshd[1635]: Failed password for root from 198.51.100.23 port 37915 ssh2

2013 Oct 10 07:14:58 web14 sshd[1638]: Failed password for root from 198.51.100.23 port 37916 ssh2

2013 Oct 10 07:15:59 web14 sshd[1640]: Failed password for root from 198.51.100.23 port 37918 ssh2

2013 Oct 10 07:16:00 web14 sshd[1641]: Failed password for root from 198.51.100.23 port 37920 ssh2

2013 Oct 10 07:16:00 web14 sshd[1642]: Successful login for root from 198.51.100.23 port 37924 ssh2

Which of the following is the MOST likely explanation of what is occurring and the BEST

immediate response? (Select TWO).

A. An authorized administrator has logged into the root account remotely.

B. The administrator should disable remote root logins.

C. Isolate the system immediately and begin forensic analysis on the host.

D. A remote attacker has compromised the root account using a buffer overflow in sshd.

E. A remote attacker has guessed the root password using a dictionary attack.

F. Use iptables to immediately DROP connections from the IP 198.51.100.23.

G. A remote attacker has compromised the private key of the root account.

H. Change the root password immediately to a password not found in a dictionary.

Options are :
  • B,E
  • C,E (Correct)
  • C,B
  • C,A

Answer : C,E

At 9:00 am each morning, all of the virtual desktops in a VDI implementation become extremely

slow and/or unresponsive. The outage lasts for around 10 minutes, after which everything runs

properly again. The administrator has traced the problem to a lab of thin clients that are all booted

at 9:00 am each morning. Which of the following is the MOST likely cause of the problem and the

BEST solution? (Select TWO).

A. Add guests with more memory to increase capacity of the infrastructure.

B. A backup is running on the thin clients at 9am every morning.

C. Install more memory in the thin clients to handle the increased load while booting.

D. Booting all the lab desktops at the same time is creating excessive I/O.

E. Install 10-Gb uplinks between the hosts and the lab to increase network capacity.

F. Install faster SSD drives in the storage system used in the infrastructure.

G. The lab desktops are saturating the network while booting.

H. The lab desktops are using more memory than is available to the host systems.

Options are :
  • D,B
  • D,C
  • D,F (Correct)
  • D,A

Answer : D,F

A medium-sized company has recently launched an online product catalog. It has decided to keep

the credit card purchasing in-house as a secondary potential income stream has been identified in

relation to sales leads. The company has decided to undertake a PCI assessment in order to

determine the amount of effort required to meet the business objectives. Which compliance

category would this task be part of?

Options are :
  • Industry standard (Correct)
  • Company policy
  • Government regulation
  • Company guideline

Answer : Industry standard

Company XYZ has employed a consultant to perform a controls assessment of the HR system,

backend business operations, and the SCADA system used in the factory. Which of the following

correctly states the risk management options that the consultant should use during the

assessment?

Options are :
  • Calculate risk by determining technical likelihood and potential business impact.
  • Risk likelihood, asset value, and threat level.
  • Avoid, transfer, mitigate, and accept. (Correct)
  • Risk reduction, risk sharing, risk retention, and risk acceptance

Answer : Avoid, transfer, mitigate, and accept.

Which of the following is an example of single sign-on?

Options are :
  • An administrator manages multiple platforms with the same username and hardware token. The same username and token is used across all the platforms.
  • A web access control infrastructure performs authentication and passes attributes in a HTTP header to multiple applications. (Correct)
  • Multiple applications have been integrated with a centralized LDAP directory for authentication and authorization. A user has to authenticate each time the user accesses an application.
  • A password is synchronized between multiple platforms and the user is required to authenticate with the same password across each platform.

Answer : A web access control infrastructure performs authentication and passes attributes in a HTTP header to multiple applications.

A security auditor is conducting an audit of a corporation where 95% of the users travel or work

from non-corporate locations a majority of the time. While the employees are away from the

corporate offices, they retain full access to the corporate network and use of corporate laptops.

The auditor knows that the corporation processes PII and other sensitive data with applications

requiring local caches of any data being manipulated. Which of the following security controls

should the auditor check for and recommend to be implemented if missing from the laptops?

Options are :
  • Full disk encryption (Correct)
  • Command shell restrictions
  • Host-based firewalls
  • Trusted operating systems

Answer : Full disk encryption

Company XYZ recently acquired a manufacturing plant from Company ABC which uses a different

manufacturing ICS platform. Company XYZ has strict ICS security regulations while Company

ABC does not. Which of the following approaches would the network security administrator for

Company XYZ MOST likely proceed with to integrate the new manufacturing plant?

Options are :
  • Convert the acquired plant ICS platform to the Company XYZ standard ICS platform solely to eliminate potential regulatory conflicts.
  • Conduct a network vulnerability assessment of acquired plant ICS platform and correct all identified flaws during integration.
  • Require Company ABC to bring their ICS platform into regulatory compliance prior to integrating the new plant into Company XYZ's network.
  • Conduct a risk assessment of the acquired plant ICS platform and implement any necessary or required controls during integration. (Correct)

Answer : Conduct a risk assessment of the acquired plant ICS platform and implement any necessary or required controls during integration.

A Security Administrator has some concerns about the confidentiality of data when using SOAP.

Which of the following BEST describes the Security Administrator's concerns?

Options are :
  • The SOAP protocol supports weak hashing of header information. As a result the header and body can easily be deciphered by brute force tools.
  • The SOAP protocol can be easily tampered with, even though the header is encrypted.
  • The SOAP protocol does not support body or header encryption which allows assertions to be viewed in clear text by intermediaries.
  • The SOAP header is not encrypted and allows intermediaries to view the header data. The body can be partially or completely encrypted. (Correct)

Answer : The SOAP header is not encrypted and allows intermediaries to view the header data. The body can be partially or completely encrypted.

A systems administrator establishes a CIFS share on a Unix device to share data to windows

systems. The security authentication on the windows domain is set to the highest level. Windows

users are stating that they cannot authenticate to the Unix share. Which of the following settings

on the Unix server is the cause of this problem?

Options are :
  • Refuse NTLMv2 and accept LM
  • Accept only LM
  • Refuse LM and only accept NTLMv2 (Correct)
  • Accept only NTLM

Answer : Refuse LM and only accept NTLMv2

Company XYZ provides hosting services for hundreds of companies across multiple industries

including healthcare, education, and manufacturing. The security architect for company XYZ is

reviewing a vendor proposal to reduce company XYZ's hardware costs by combining multiple

physical hosts through the use of virtualization technologies. The security architect notes concerns

about data separation, confidentiality, regulatory requirements concerning PII, and administrative

complexity on the proposal. Which of the following BEST describes the core concerns of the

security architect?

Options are :
  • Most of company XYZ's customers are willing to accept the risks of unauthorized disclosure and access to information by outside users.
  • The availability requirements in SLAs with each hosted customer would have to be re-written to account for the transfer of virtual machines between physical platforms for regular maintenance.
  • Company XYZ could be liable for disclosure of sensitive data from one hosted customer when accessed by a malicious user who has gained access to the virtual machine of another hosted customer. (Correct)
  • Not all of company XYZ's customers require the same level of security and the administrative complexity of maintaining multiple security postures on a single hypervisor negates hardware cost savings.

Answer : Company XYZ could be liable for disclosure of sensitive data from one hosted customer when accessed by a malicious user who has gained access to the virtual machine of another hosted customer.

The Chief Information Security Officer (CISO) at a software development company is concerned

about the lack of introspection during a testing cycle of the company's flagship product. Testing

was conducted by a small offshore consulting firm and the report by the consulting firm clearly

indicates that limited test cases were used and many of the code paths remained untested.

The CISO raised concerns about the testing results at the monthly risk committee meeting,

highlighting the need to get to the bottom of the product behaving unexpectedly in only some large

enterprise deployments.

The Security Assurance and Development teams highlighted their availability to redo the testing if

required.

Which of the following will provide the MOST thorough testing?

Options are :
  • Use a larger consulting firm to perform Black box testing.
  • Have the small consulting firm redo the Black box testing.
  • Use the internal teams to perform Grey box testing.
  • Use the internal teams to perform White box testing. (Correct)
  • Use the internal team to perform Black box testing

Answer : Use the internal teams to perform White box testing.

A large enterprise introduced a next generation firewall appliance into the Internet facing DMZ. All

Internet traffic passes through this appliance. Four hours after implementation the network

engineering team discovered that traffic through the DMZ now has unacceptable latency, and is

recommending that the new firewall be taken offline. At what point in the implementation process

should this problem have been discovered?

Options are :
  • During the product selection phase
  • When testing the appliance (Correct)
  • When writing the RFP for the purchase process
  • During the network traffic analysis phase

Answer : When testing the appliance
