An audit finding reveals that a legacy platform has not retained loos for more than 30 days The platform has been segmented due to its interoperability with newer technology. As a temporary solution, the IT department changed the log retention to 120 days.
Which of the following should the security engineer do to ensure the logs are being properly retained?
A. Configure a scheduled task nightly to save the logs
B. Configure event-based triggers to export the logs at a threshold.
C. Configure the SIEM to aggregate the logs
D. Configure a Python script to move the logs into a SQL database.
Correct Answer: C
To ensure that logs from a legacy platform are properly retained beyond the default retention period, configuring the SIEM to aggregate the logs is the best approach. SIEM solutions are designed to collect, aggregate, and store logs from
various sources, providing centralized log management and retention. This setup ensures that logs are retained according to policy and can be easily accessed for analysis and compliance purposes.
References:
CompTIA SecurityX Study Guide: Discusses the role of SIEM in log management and retention.
NIST Special Publication 800-92, "Guide to Computer Security Log Management":
Recommends the use of centralized log management solutions, such as SIEM, for effective log retention and analysis.
"Security Information and Event Management (SIEM) Implementation" by David Miller: Covers best practices for configuring SIEM systems to aggregate and retain logs from various sources.
Question 152:
A senior security engineer flags me following log file snippet as hawing likely facilitated an attacker's lateral movement in a recent breach:
Which of the following solutions, if implemented, would mitigate the nsk of this issue reoccurnnp?
A. Disabling DNS zone transfers
B. Restricting DNS traffic to UDP'W
C. Implementing DNS masking on internal servers
D. Permitting only clients from internal networks to query DNS
Correct Answer: A
The log snippet indicates a DNS AXFR (zone transfer) request, which can be exploited by attackers to gather detailed information about an internal network's infrastructure. Disabling DNS zone transfers is the best solution to mitigate this risk.
Zone transfers should generally be restricted to authorized secondary DNS servers and not be publicly accessible, as they can reveal sensitive network information that facilitates lateral movement during an attack.
References:
CompTIA SecurityX Study Guide: Discusses the importance of securing DNS configurations, including restricting zone transfers. NIST Special Publication 800-81, "Secure Domain Name System (DNS) Deployment Guide": Recommends
restricting or disabling DNS zone transfers to prevent information leakage.
Question 153:
A company's help desk is experiencing a large number of calls from the finance department slating access issues to www bank com The security operations center reviewed the following security logs:
Which of the following is most likely the cause of the issue?
A. Recursive DNS resolution is failing
B. The DNS record has been poisoned.
C. DNS traffic is being sinkholed.
D. The DNS was set up incorrectly.
Correct Answer: C
Sinkholing, or DNS sinkholing, is a method used to redirect malicious traffic to a safe destination. This technique is often employed by security teams to prevent access to malicious domains by substituting a benign destination IP address. In
the given logs, users from the finance department are accessing www.bank.com and receiving HTTP status code 495. This status code is typically indicative of a client certificate error, which can occur if the DNS traffic is being manipulated or
redirected incorrectly. The consistency in receiving the same HTTP status code across different users suggests a systematic issue rather than an isolated incident. Recursive DNS resolution failure (A) would generally lead to inability to
resolve DNS at all, not to a specific HTTP error.
DNS poisoning (B) could result in users being directed to malicious sites, but again, would likely result in a different set of errors or unusual activity. Incorrect DNS setup (D) would likely cause broader resolution issues rather than targeted
errors like the one seen here.
By reviewing the provided data, it is evident that the DNS traffic for www.bank.com is being rerouted improperly, resulting in consistent HTTP 495 errors for the finance department users. Hence, the most likely cause is that the DNS traffic is
being sinkholed.
References:
CompTIA SecurityX study materials on DNS security mechanisms. Standard HTTP status codes and their implications.
Question 154:
Which of the following best explains the importance of determining organization risk appetite when operating with a constrained budget?
A. Risk appetite directly impacts acceptance of high-impact low-likelihood events.
B. Organizational risk appetite varies from organization to organization
C. Budgetary pressure drives risk mitigation planning in all companies
D. Risk appetite directly influences which breaches are disclosed publicly
Correct Answer: A
Risk appetite is the amount of risk an organization is willing to accept to achieve its objectives. When operating with a constrained budget, understanding the organization's risk appetite is crucial because:
It helps prioritize security investments based on the level of risk the organization is willing to tolerate.
High-impact, low-likelihood events may be deemed acceptable if they fall within the organization's risk appetite, allowing for budget allocation to other critical areas. Properly understanding and defining risk appetite ensures that limited
resources are used effectively to manage risks that align with the organization's strategic goals.
References:
CompTIA Security+ Study Guide
NIST Risk Management Framework (RMF) guidelines
ISO 31000, "Risk Management ?Guideline";
Question 155:
An organization wants to implement a platform to better identify which specific assets are affected by a given vulnerability.
Which of the following components provides the best foundation to achieve this goal?
A. SASE
B. CMDB
C. SBoM
D. SLM
Correct Answer: B
A Configuration Management Database (CMDB) provides the best foundation for identifying which specific assets are affected by a given vulnerability. A CMDB maintains detailed information about the IT environment, including hardware,
software, configurations, and relationships between assets. This comprehensive view allows organizations to quickly identify and address vulnerabilities affecting specific assets.
References:
CompTIA SecurityX Study Guide: Discusses the role of CMDBs in asset management and vulnerability identification.
ITIL (Information Technology Infrastructure Library) Framework: Recommends the use of CMDBs for effective configuration and asset management. "Configuration Management Best Practices" by Bob Aiello and Leslie Sachs:
Covers the importance of CMDBs in managing IT assets and addressing vulnerabilities.
Question 156:
The identity and access management team is sending logs to the SIEM for continuous monitoring. The deployed log collector is forwarding logs to the SIEM. However, only false positive alerts are being generated.
Which of the following is the most likely reason for the inaccurate alerts?
A. The compute resources are insufficient to support the SIEM
B. The SIEM indexes are 100 large
C. The data is not being properly parsed
D. The retention policy is not property configured
Correct Answer: C
Proper parsing of data is crucial for the SIEM to accurately interpret and analyze the logs being forwarded by the log collector. If the data is not parsed correctly, the SIEM may misinterpret the logs, leading to false positives and inaccurate alerts. Ensuring that the log data is correctly parsed allows the SIEM to correlate and analyze the logs effectively, which is essential for accurate alerting and monitoring.
Question 157:
A security review revealed that not all of the client proxy traffic is being captured. Which of the following architectural changes best enables the capture of traffic for analysis?
A. Adding an additional proxy server to each segmented VLAN
B. Setting up a reverse proxy for client logging at the gateway
C. Configuring a span port on the perimeter firewall to ingest logs
D. Enabling client device logging and system event auditing
Correct Answer: C
Configuring a span port on the perimeter firewall to ingest logs is the best architectural change to ensure that all client proxy traffic is captured for analysis. Here's why:
Comprehensive Traffic Capture: A span port (or mirror port) on the perimeter firewall can capture all inbound and outbound traffic, including traffic that might bypass the proxy. This ensures that all network traffic is available for analysis.
Centralized Logging: By capturing logs at the perimeter firewall, the organization can centralize logging and analysis, making it easier to detect and investigate anomalies. Minimal Disruption: Implementing a span port is a non-intrusive
method that does not require significant changes to the network architecture, thus minimizing disruption to existing services.
Question 158:
Users must accept the terms presented in a captive petal when connecting to a guest network. Recently, users have reported that they are unable to access the Internet after joining the network A network engineer observes the following:
1.
Users should be redirected to the captive portal.
2.
The Motive portal runs Tl. S 1 2
3.
Newer browser versions encounter security errors that cannot be bypassed
4.
Certain websites cause unexpected re directs
Which of the following mow likely explains this behavior?
A. The TLS ciphers supported by the captive portal ate deprecated
B. Employment of the HSTS setting is proliferating rapidly.
C. Allowed traffic rules are causing the NIPS to drop legitimate traffic
D. An attacker is redirecting supplicants to an evil twin WLAN.
Correct Answer: A
The most likely explanation for the issues encountered with the captive portal is that the TLS ciphers supported by the captive portal are deprecated. Here's why:
TLS Cipher Suites: Modern browsers are continuously updated to support the latest security standards and often drop support for deprecated and insecure cipher suites. If the captive portal uses outdated TLS ciphers, newer browsers may
refuse to connect, causing security errors.
HSTS and Browser Security: Browsers with HTTP Strict Transport Security (HSTS) enabled will not allow connections to sites with weak security configurations. Deprecated TLS ciphers would cause these browsers to block the connection.
References:
By updating the TLS ciphers to modern, supported ones, the security engineer can ensure compatibility with newer browser versions and resolve the connectivity issues reported by users.
Question 159:
Company A acquired Company B and needs to determine how the acquisition will impact the attack surface of the organization as a whole.
Which of the following is the best way to achieve this goal? (Select two).
A. Implementing DLP controls preventing sensitive data from leaving Company B's network
B. Documenting third-party connections used by Company B
C. Reviewing the privacy policies currently adopted by Company B
D. Requiring data sensitivity labeling tor all files shared with Company B
E. Forcing a password reset requiring more stringent passwords for users on Company B's network
F. Performing an architectural review of Company B's network
Correct Answer: AB
To determine how the acquisition of Company B will impact the attack surface, the following steps are crucial:
A. Documenting third-party connections used by Company B: Understanding all external connections is essential for assessing potential entry points for attackers and ensuring that these connections are secure. E. Performing an architectural
review of Company B's network: This review will identify vulnerabilities and assess the security posture of the acquired company's network, providing a comprehensive understanding of the new attack surface. These actions will provide a
clear picture of the security implications of the acquisition and help in developing a plan to mitigate any identified risks.
References:
CompTIA SecurityX Study Guide: Emphasizes the importance of understanding third-party connections and conducting architectural reviews during acquisitions. NIST Special Publication 800-37, "Guide for Applying the Risk Management
Framework to Federal Information Systems": Recommends comprehensive reviews and documentation of third-party connections. "Mergers, Acquisitions, and Other Restructuring Activities" by Donald DePamphilis:
Discusses the importance of security assessments during acquisitions.
Question 160:
A company's security policy states that any publicly available server must be patched within 12 hours after a patch is released A recent llS zero-day vulnerability was discovered that affects all versions of the Windows Server OS:
Which of the following hosts should a security analyst patch first once a patch is available?
A. 1
B. 2
C. 3
D. 4
E. 5
F. 6
Correct Answer: A
Based on the security policy that any publicly available server must be patched within 12 hours after a patch is released, the security analyst should patch Host 1 first. Here's why:
Public Availability: Host 1 is externally available, making it accessible from the internet. Publicly available servers are at higher risk of being targeted by attackers, especially when a zero-day vulnerability is known. Exposure to Threats: Host 1
has IIS installed and is publicly accessible, increasing its exposure to potential exploitation. Patching this host first reduces the risk of a successful attack. Prioritization of Critical Assets: According to best practices, assets that are exposed to
higher risks should be prioritized for patching to mitigate potential threats promptly.
Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only CompTIA exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CAS-005 exam preparations and CompTIA certification application, do not hesitate to visit our Vcedump.com to find your solutions here.
