Exam Details

  • Exam Code: RC0-C02
  • Exam Name: CompTIA Advanced Security Practitioner (CASP) Recertification Exam for Continuing Education
  • Certification: CompTIA Advanced Security Practitioner
  • Vendor: CompTIA
  • Total Questions: 308 Q&As
  • Last Updated: Mar 27, 2025

CompTIA Advanced Security Practitioner RC0-C02 Questions & Answers

  • Question 111:

    The helpdesk manager wants to find a solution that will enable the helpdesk staff to better serve company employees who call with computer-related problems. The helpdesk staff is currently unable to perform effective troubleshooting and relies on callers to describe their technology problems. Given that the helpdesk staff is located within the company headquarters and 90% of the callers are telecommuters, which of the following tools should the helpdesk manager use to make the staff more effective at troubleshooting while at the same time reducing company costs? (Select TWO).

    A. Web cameras

    B. Email

    C. Instant messaging

    D. BYOD

    E. Desktop sharing

    F. Presence

  • Question 112:

    Due to compliance regulations, a company requires a yearly penetration test. The Chief Information Security Officer (CISO) has asked that it be done under a black box methodology.

    Which of the following would be the advantage of conducting this kind of penetration test?

    A. The risk of unplanned server outages is reduced.

    B. Using documentation provided to them, the pen-test organization can quickly determine areas to focus on.

    C. The results will show an in-depth view of the network and should help pin-point areas of internal weakness.

    D. The results should reflect what attackers may be able to learn about the company.

  • Question 113:

    There have been some failures of the company's internal-facing website. A security engineer has found the WAF to be the root cause of the failures. System logs show that the WAF has been unavailable for 14 hours over the past month, in four separate situations. One of these situations was a two-hour scheduled maintenance window, aimed at improving the stability of the WAF. Using the MTTR based on the last month's performance figures, which of the following calculations is the percentage of uptime, assuming there were 722 hours in the month?

    A. 92.24 percent

    B. 98.06 percent

    C. 98.34 percent

    D. 99.72 percent

  • Question 114:

    The Chief Executive Officer (CEO) of an Internet service provider (ISP) has decided to limit the company's contribution to worldwide Distributed Denial of Service (DDoS) attacks. Which of the following should the ISP implement? (Select TWO).

    A. Block traffic from the ISP's networks destined for blacklisted IPs.

    B. Prevent the ISP's customers from querying DNS servers other than those hosted by the ISP.

    C. Scan the ISP's customer networks using an up-to-date vulnerability scanner.

    D. Notify customers when services they run are involved in an attack.

    E. Block traffic with an IP source not allocated to customers from exiting the ISP's network.

  • Question 115:

    The Chief Executive Officer (CEO) of a small start-up company wants to set up offices around the country for the sales staff to generate business. The company needs an effective communication solution to remain in constant contact with each other, while maintaining a secure business environment. A junior-level administrator suggests that the company and the sales staff stay connected via free social media. Which of the following decisions is BEST for the CEO to make?

    A. Social media is an effective solution because it is easily adaptable to new situations.

    B. Social media is an ineffective solution because the policy may not align with the business.

    C. Social media is an effective solution because it implements SSL encryption.

    D. Social media is an ineffective solution because it is not primarily intended for business applications.

  • Question 116:

    Which of the following would be used in forensic analysis of a compromised Linux system? (Select THREE).

    A. Check log files for logins from unauthorized IPs.

    B. Check /proc/kmem for fragmented memory segments.

    C. Check for unencrypted passwords in /etc/shadow.

    D. Check timestamps for files modified around time of compromise.

    E. Use lsof to determine files with future timestamps.

    F. Use gpg to encrypt compromised data files.

    G. Verify the MD5 checksum of system binaries.

    H. Use vmstat to look for excessive disk I/O.

  • Question 117:

    A security administrator is assessing a new application. The application uses an API that is supposed to encrypt text strings that are stored in memory. How might the administrator test that the strings are indeed encrypted in memory?

    A. Use fuzzing techniques to examine application inputs

    B. Run nmap to attach to application memory

    C. Use a packet analyzer to inspect the strings

    D. Initiate a core dump of the application

    E. Use an HTTP interceptor to capture the text strings

  • Question 118:

    A security consultant is conducting a network assessment and wishes to discover any legacy backup Internet connections the network may have. Where would the consultant find this information and why would it be valuable?

    A. This information can be found in global routing tables, and is valuable because backup connections typically do not have perimeter protection as strong as the primary connection.

    B. This information can be found by calling the regional Internet registry, and is valuable because backup connections typically do not require VPN access to the network.

    C. This information can be found by accessing telecom billing records, and is valuable because backup connections typically have much lower latency than primary connections.

    D. This information can be found by querying the network's DNS servers, and is valuable because backup DNS servers typically allow recursive queries from Internet hosts.

  • Question 119:

    A well-known retailer has experienced a massive credit card breach. The retailer had gone through an audit and had been presented with a potential problem on their network. Vendors were authenticating directly to the retailer's AD servers, and an improper firewall rule allowed pivoting from the AD server to the DMZ where credit card servers were kept. The firewall rule was needed for an internal application that was developed, which presents risk. The retailer determined that because the vendors were required to have site-to-site VPNs, no other security action was taken.

    To prove to the retailer the monetary value of this risk, which of the following types of calculation is needed?

    A. Residual Risk calculation

    B. A cost/benefit analysis

    C. Quantitative Risk Analysis

    D. Qualitative Risk Analysis

  • Question 120:

    The latest independent research shows that cyber attacks involving SCADA systems grew an average of 15% per year in each of the last four years, but that this year's growth has slowed to around 7%. Over the same time period, the number of attacks against applications has decreased or stayed flat each year. At the start of the measurement period, the incidence of PC boot loader or BIOS-based attacks was negligible. Starting two years ago, the number of PC boot loader attacks has grown exponentially. Analysis of these trends would seem to suggest which of the following strategies should be employed?

    A. Spending on SCADA protections should stay steady; application control spending should increase substantially and spending on PC boot loader controls should increase substantially.

    B. Spending on SCADA security controls should stay steady; application control spending should decrease slightly and spending on PC boot loader protections should increase substantially.

    C. Spending on all controls should increase by 15% to start; spending on application controls should be suspended, and PC boot loader protection research should increase by 100%.

    D. Spending on SCADA security controls should increase by 15%; application control spending should increase slightly, and spending on PC boot loader protections should remain steady.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important, and more and more enterprises require them when you apply for a job. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your RC0-C02 exam preparation and CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions.