A new IT company has hired a security consultant to implement a remote access system, which will enable employees to telecommute from home using both company-issued and personal computing devices, including mobile devices. The company wants a flexible system to provide confidentiality and integrity for data in transit to the company's internally developed application GUI. Company policy prohibits employees from having administrative rights to company-issued devices. Which of the following remote access solutions has the lowest technical complexity?
A. RDP server
B. Client-based VPN
C. IPSec
D. Jump box
E. SSL VPN
Correct Answer: A
Connecting to a remote desktop server by using a remote desktop connection on a client device has the lowest technical complexity.
Remote Desktop Services (or Remote Desktop Protocol server) is one of the components of Microsoft Windows that allows a user to take control of a remote computer or virtual machine over a network connection. RDS is Microsoft's implementation of thin client, where Windows software and the entire desktop of the computer running RDS are made accessible to a remote client machine that supports Remote Desktop Protocol (RDP). With RDS, only software user interfaces are transferred to the client system. All input from the client system is transmitted to the server, where software execution takes place.
Question 2:
Company A needs to export sensitive data from its financial system to company B's database, using company B's API in an automated manner. Company A's policy prohibits the use of any intermediary external systems to transfer or store its sensitive data, therefore the transfer must occur directly between company A's financial system and company B's destination server using the supplied API. Additionally, company A's legacy financial software does not support encryption, while company B's API supports encryption. Which of the following will provide end-to-end encryption for the data transfer while adhering to these requirements?
A. Company A must install an SSL tunneling software on the financial system.
B. Company A's security administrator should use an HTTPS capable browser to transfer the data.
C. Company A should use a dedicated MPLS circuit to transfer the sensitive data to company B.
D. Company A and B must create a site-to-site IPSec VPN on their respective firewalls.
Correct Answer: A
We need to transfer the data from company A's financial system to company B's destination server. Company B's API does support encryption. Company A's legacy financial software does not support encryption.
To provide end-to-end encryption for the data transfer, we need a way of enabling Company A's financial system to support encryption. The easiest way to do this is to install an SSL tunneling software application on the financial system.
There are several SSL tunneling software applications out there; one example is STunnel.
Question 3:
Joe, the Chief Executive Officer (CEO), was an Information security professor and a Subject Matter Expert for over 20 years. He has designed a network defense method which he says is significantly better than prominent international standards. He has recommended that the company use his cryptographic method. Which of the following methodologies should be adopted?
A. The company should develop an in-house solution and keep the algorithm a secret.
B. The company should use the CEO's encryption scheme.
C. The company should use a mixture of both systems to meet minimum standards.
D. The company should use the method recommended by other respected information security organizations.
Correct Answer: D
In this question, we have one person's opinion about the best way to secure the network. His method may be more secure than other systems. However, for consensus of opinion, it is better to use the method recommended by other respected information security organizations. If the CEO's methods were the best methods, it is likely that the other respected information security organizations would have thought about them and would be using them. In other words, the methods recommended by other respected information security organizations are probably the best methods. Furthermore, if the company's systems need to communicate with external systems, the systems will need to use a "standard" method; otherwise the external system may not be able to decipher the communications from the company's systems.
Question 4:
VPN users cannot access the active FTP server through the router but can access any server in the data center. Additional network information:
DMZ network – 192.168.5.0/24 (FTP server is 192.168.5.11)
VPN network – 192.168.1.0/24
Datacenter – 192.168.2.0/24
User network – 192.168.3.0/24
HR network – 192.168.4.0/24
Traffic shaper configuration:
VLAN       Bandwidth Limit (Mbps)
VPN        50
User       175
HR         250
Finance    250
Guest      0
Router ACL:
Action    Source            Destination
Permit    192.168.1.0/24    192.168.2.0/24
Permit    192.168.1.0/24    192.168.3.0/24
Permit    192.168.1.0/24    192.168.5.0/24
Permit    192.168.2.0/24    192.168.1.0/24
Permit    192.168.3.0/24    192.168.1.0/24
Permit    192.168.5.1/32    192.168.1.0/24
Deny      192.168.4.0/24    192.168.1.0/24
Deny      192.168.1.0/24    192.168.4.0/24
Deny      any               any
Which of the following solutions would allow the users to access the active FTP server?
A. Add a permit statement to allow traffic from 192.168.5.0/24 to the VPN network
B. Add a permit statement to allow traffic to 192.168.5.1 from the VPN network
C. IPS is blocking traffic and needs to be reconfigured
D. Configure the traffic shaper to limit DMZ traffic
E. Increase bandwidth limit on the VPN network
Correct Answer: A
The FTP Server is in the DMZ network (192.168.5.0/24). VPN users connect to the VPN network (192.168.1.0/24).
We have a firewall rule which allows traffic from the VPN network to the DMZ network as shown below:
Permit 192.168.1.0/24 192.168.5.0/24
However, we do not have a rule allowing traffic going the other way. This means that FTP requests will reach the FTP server but any response from the FTP server back to a VPN user's computer will be blocked at the firewall. The solution is to allow the return traffic by adding a permit statement to allow traffic from 192.168.5.0/24 (the DMZ network) to the VPN network. Such a rule would look like the rule shown below:
Permit 192.168.5.0/24 192.168.1.0/24
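The rule evaluation described above, as an added example that is not part of the original question or explanation. It assumes the router ACL is a stateless, first-match filter on source and destination only; the VPN client address 192.168.1.50 is a constructed sample, and the function names are hypothetical.

```python
import ipaddress

# Router ACL from the question, top to bottom: (action, source, destination).
ROUTER_ACL = [
    ("permit", "192.168.1.0/24", "192.168.2.0/24"),
    ("permit", "192.168.1.0/24", "192.168.3.0/24"),
    ("permit", "192.168.1.0/24", "192.168.5.0/24"),
    ("permit", "192.168.2.0/24", "192.168.1.0/24"),
    ("permit", "192.168.3.0/24", "192.168.1.0/24"),
    ("permit", "192.168.5.1/32", "192.168.1.0/24"),
    ("deny", "192.168.4.0/24", "192.168.1.0/24"),
    ("deny", "192.168.1.0/24", "192.168.4.0/24"),
    ("deny", "any", "any"),
]
FTP_SERVER = "192.168.5.11"   # from the question
VPN_CLIENT = "192.168.1.50"   # constructed sample address in the VPN network

def _net(spec):
    """Translate an ACL address field into a network object ('any' = all IPv4)."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)

def evaluate(acl, src, dst):
    """Return (action, rule_number) for the first rule matching src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (action, rule_src, rule_dst) in enumerate(acl, start=1):
        if s in _net(rule_src) and d in _net(rule_dst):
            return action, number
    return "deny", None  # implicit deny when nothing matches

def two_way(acl, a, b):
    """Assumption: stateless filter, so each direction needs its own permit."""
    return evaluate(acl, a, b)[0] == "permit" and evaluate(acl, b, a)[0] == "permit"

def with_answer_a(acl):
    """Copy of the ACL with answer A's rule inserted ahead of the final deny."""
    fixed = list(acl)
    fixed.insert(len(fixed) - 1, ("permit", "192.168.5.0/24", "192.168.1.0/24"))
    return fixed

if __name__ == "__main__":
    for label, acl in (("original", ROUTER_ACL), ("with answer A", with_answer_a(ROUTER_ACL))):
        print(label)
        print("  VPN -> FTP:", evaluate(acl, VPN_CLIENT, FTP_SERVER))
        print("  FTP -> VPN:", evaluate(acl, FTP_SERVER, VPN_CLIENT))
        print("  two-way   :", two_way(acl, VPN_CLIENT, FTP_SERVER))
```

The existing 192.168.5.1/32 permit covers a single DMZ host, not the FTP server at 192.168.5.11, so the server's traffic toward the VPN network falls through to the final deny until the /24 rule is added.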
Question 5:
In order to reduce costs and improve employee satisfaction, a large corporation is creating a BYOD policy. It will allow access to email and remote connections to the corporate enterprise from personal devices, provided they are on an approved device list. Which of the following security measures would be MOST effective in securing the enterprise under the new policy? (Select TWO).
A. Provide free email software for personal devices.
B. Encrypt data in transit for remote access.
C. Require smart card authentication for all devices.
D. Implement NAC to limit insecure devices access.
E. Enable time of day restrictions for personal devices.
Correct Answer: BD
In this question, we are allowing access to email and remote connections to the corporate enterprise from personal devices. When providing remote access to corporate systems, you should always ensure that data travelling between the corporate network and the remote device is encrypted. We need to provide access to devices only if they are on an approved device list. Therefore, we need a way to check that a device is an approved device before granting it access to the network. For this we can use NAC (Network Access Control). When a computer connects to a computer network, it is not permitted to access anything unless it complies with a business-defined policy, including anti-virus protection level, system update level and configuration. While the computer is being checked by a pre-installed software agent, it can only access resources that can remediate (resolve or update) any issues. Once the policy is met, the computer is able to access network resources and the Internet, within the policies defined within the NAC system. NAC solutions allow network operators to define policies, such as the types of computers or roles of users allowed to access areas of the network, and enforce them in switches, routers, and network middleboxes.
Question 6:
An IT manager is working with a project manager from another subsidiary of the same multinational organization. The project manager is responsible for a new software development effort that is being outsourced overseas, while customer acceptance testing will be performed in house. Which of the following capabilities is MOST likely to cause issues with network availability?
A. Source code vulnerability scanning
B. Time-based access control lists
C. ISP to ISP network jitter
D. File-size validation
E. End to end network encryption
Correct Answer: B
The new software development effort is being outsourced overseas. Overseas means a different country and therefore a different time zone. Time-based access control lists allow access to resources only at defined times, for example: during office hours. If time-based access control lists are used at the overseas location while customer acceptance testing will be performed in house, it is likely that the testing would be performed at a time which is not allowed by the time-based access control lists.
Time-based ACLs are a type of access control list that allows network access based on the time of day or the day of the week. They function similarly to extended ACLs. A time-based ACL is implemented by creating a time range that defines specific times of the day and week. The time range must be identified by a specific name and is then referred to by a function. The time restrictions are imposed on the function itself. Time-based ACLs are especially useful when you want to place restrictions on inbound or outbound traffic based on the time of day. For example, you might apply time-based ACLs if you wanted to only allow access to the Internet during a particular time of the day or allow access to a particular server only during work hours. The time range relies on the router system clock.
Question 7:
An extensible commercial software system was upgraded to the next minor release version to patch a security vulnerability. After the upgrade, an unauthorized intrusion into the system was detected. The software vendor is called in to troubleshoot the issue and reports that all core components were updated properly. Which of the following has been overlooked in securing the system? (Select TWO).
A. The company's IDS signatures were not updated.
B. The company's custom code was not patched.
C. The patch caused the system to revert to http.
D. The software patch was not cryptographically signed.
E. The wrong version of the patch was used.
F. Third-party plug-ins were not patched.
Correct Answer: BF
In this question, we have an extensible commercial software system. Extensibility is a software design principle defined as a system's ability to have new functionality extended, in which the system's internal structure and data flow are minimally or not affected, particularly that recompiling or changing the original source code is unnecessary when changing a system's behavior, either by the creator or other programmers.
Extensible systems are typically modified either by custom code or third-party plug-ins. In this question, the core application was updated/patched. However, the custom code and third-party plug-ins were not patched. Therefore, a security vulnerability remained, which was exploited.
Question 8:
A company is deploying a new iSCSI-based SAN. The requirements are as follows:
SAN nodes must authenticate each other.
Shared keys must NOT be used.
Do NOT use encryption in order to gain performance.
Which of the following design specifications meet all the requirements? (Select TWO).
A. Targets use CHAP authentication
B. IPSec using AH with PKI certificates for authentication
C. Fiber channel should be used with AES
D. Initiators and targets use CHAP authentication
E. Fiber channel over Ethernet should be used
F. IPSec using AH with PSK authentication and 3DES
G. Targets have SCSI IDs for authentication
Correct Answer: BD
CHAP (Challenge Handshake Authentication Protocol) is commonly used for iSCSI authentication.
Initiators and targets both using CHAP authentication is known as mutual CHAP authentication.
Another option is to use IPSec using AH with PKI certificates for authentication. One of the two core security protocols in IPSec is the Authentication Header (AH). This is another protocol whose name has been well chosen: AH is a protocol that provides authentication of either all or part of the contents of a datagram through the addition of a header that is calculated based on the values in the datagram. We can use PKI certificates for authentication rather than shared keys.
Question 9:
A forensic analyst works for an e-discovery firm where several gigabytes of data are processed daily. While the business is lucrative, they do not have the resources or the scalability to adequately serve their clients. Since it is an e-discovery firm where chain of custody is important, which of the following scenarios should they consider?
A. Offload some data processing to a public cloud
B. Aligning their client intake with the resources available
C. Using a community cloud with adequate controls
D. Outsourcing the service to a third party cloud provider
Correct Answer: C
We can use a cloud service to expand the compute resources. "Adequate controls" are controls that ensure that no one else including the cloud provider can access the data. A community cloud is a multi-tenant infrastructure that is shared among several organizations from a specific group with common computing concerns. Such concerns might be related to regulatory compliance, such as audit requirements, or may be related to performance requirements, such as hosting applications that require a quick response time, for example. The goal of a community cloud is to have participating organizations realize the benefits of a public cloud -- such as multi-tenancy and a pay-as-you-go billing structure -- but with the added level of privacy, security and policy compliance usually associated with a private cloud. The community cloud can be either on-premises or off-premises, and can be governed by the participating organizations or by a third-party managed service provider (MSP).
Question 10:
A system administrator has just installed a new Linux distribution. The distribution is configured to be "secure out of the box". The system administrator cannot make updates to certain system files and services. Each time changes are attempted, they are denied and a system error is generated. Which of the following troubleshooting steps should the security administrator suggest?
A. Review settings in the SELinux configuration files
B. Reset root permissions on systemd files
C. Perform all administrative actions while logged in as root
D. Disable any firewall software before making changes
Correct Answer: A
Security-Enhanced Linux (SELinux) was created by the United States National Security Agency (NSA) and is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls (MAC). NSA Security-enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible mandatory access control (MAC) architecture into the major subsystems of the kernel. It provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications.