Exam Details

  • Exam Code: RC0-C02
  • Exam Name: CompTIA Advanced Security Practitioner (CASP) Recertification Exam for Continuing Education
  • Certification: CompTIA Advanced Security Practitioner
  • Vendor: CompTIA
  • Total Questions: 308 Q&As
  • Last Updated: Apr 12, 2025

CompTIA Advanced Security Practitioner RC0-C02 Questions & Answers

  • Question 151:

    Which of the following activities is commonly deemed "OUT OF SCOPE" when undertaking a penetration test?

    A. Test password complexity of all login fields and input validation of form fields

    B. Reverse engineering any thick client software that has been provided for the test

    C. Undertaking network-based denial of service attacks in production environment

    D. Attempting to perform blind SQL injection and reflected cross-site scripting attacks

    E. Running a vulnerability scanning tool to assess network and host weaknesses

  • Question 152:

    Ann, a systems engineer, is working to identify an unknown node on the corporate network. To begin her investigative work, she runs the following nmap command string:

    user@hostname:~$ sudo nmap -O 192.168.1.54

    Based on the output, nmap is unable to identify the OS running on the node, but the following ports are open on the device:

    TCP/22
    TCP/111
    TCP/512-514
    TCP/2049
    TCP/32778

    Based on this information, which of the following operating systems is MOST likely running on the unknown node?

    A. Linux

    B. Windows

    C. Solaris

    D. OSX

  • Question 153:

    A company is in the process of implementing a new front-end user interface for its customers; the goal is to provide them with more self-service functionality. The application has been written by developers over the last six months and the project is currently in the test phase.

    Which of the following security activities should be implemented as part of the SDL in order to provide the MOST security coverage over the solution? (Select TWO).

    A. Perform unit testing of the binary code

    B. Perform code review over a sampling of the front end source code

    C. Perform black box penetration testing over the solution

    D. Perform grey box penetration testing over the solution

    E. Perform static code review over the front end source code

  • Question 154:

    The Information Security Officer (ISO) is reviewing a summary of the findings from the last COOP tabletop exercise. The Chief Information Officer (CIO) wants to determine which additional controls must be implemented to reduce the risk of an extended customer service outage due to the VoIP system being unavailable. Which of the following BEST describes the scenario presented and the document the ISO is reviewing?

    A. The ISO is evaluating the business implications of a recent telephone system failure within the BIA.

    B. The ISO is investigating the impact of a possible downtime of the messaging system within the RA.

    C. The ISO is calculating the budget adjustment needed to ensure audio/video system redundancy within the RFQ.

    D. The ISO is assessing the effect of a simulated downtime involving the telecommunication system within the AAR.

  • Question 155:

    New zero-day attacks are announced on a regular basis against a broad range of technology systems. Which of the following best practices should a security manager do to manage the risks of these attack vectors? (Select TWO).

    A. Establish an emergency response call tree.

    B. Create an inventory of applications.

    C. Back up the router and firewall configurations.

    D. Maintain a list of critical systems.

    E. Update all network diagrams.

  • Question 156:

    A web services company is planning a one-time high-profile event to be hosted on the corporate website. An outage, due to an attack, would be publicly embarrassing, so Joe, the Chief Executive Officer (CEO), has requested that his security engineers put temporary preventive controls in place. Which of the following would MOST appropriately address Joe's concerns?

    A. Ensure web services hosting the event use TCP cookies and deny_hosts.

    B. Configure an intrusion prevention system that blocks IPs after detecting too many incomplete sessions.

    C. Contract and configure scrubbing services with third-party DDoS mitigation providers.

    D. Purchase additional bandwidth from the company's Internet service provider.

  • Question 157:

    The security administrator has just installed an active/passive cluster of two firewalls for enterprise perimeter defense of the corporate network. Stateful firewall inspection is being used in the firewall implementation. There have been numerous reports of dropped connections with external clients. Which of the following is MOST likely the cause of this problem?

    A. TCP sessions are traversing one firewall and return traffic is being sent through the secondary firewall and sessions are being dropped.

    B. TCP and UDP sessions are being balanced across both firewalls and connections are being dropped because the session IDs are not recognized by the secondary firewall.

    C. Prioritize UDP traffic and associated stateful UDP session information is traversing the passive firewall causing the connections to be dropped.

    D. The firewall administrator connected a dedicated communication cable between the firewalls in order to share a single state table across the cluster causing the sessions to be dropped.

  • Question 158:

    The risk manager at a small bank wants to use quantitative analysis to determine the ALE of running a business system at a location which is subject to fires during the year. A risk analyst reports to the risk manager that the asset value of the business system is $120,000 and, based on industry data, the exposure factor to fires is only 20% due to the fire suppression system installed at the site. Fires occur in the area on average every four years. Which of the following is the ALE?

    A. $6,000

    B. $24,000

    C. $30,000

    D. $96,000

  • Question 159:

    A security firm is writing a response to an RFP from a customer that is building a new network-based software product. The firm's expertise is in penetration testing corporate networks. The RFP explicitly calls for all possible behaviors of the product to be tested; however, it does not specify any particular method to achieve this goal. Which of the following should be used to ensure the security and functionality of the product? (Select TWO).

    A. Code review

    B. Penetration testing

    C. Grey box testing

    D. Code signing

    E. White box testing

  • Question 160:

    A security analyst, Ann, states that she believes Internet facing file transfer servers are being attacked. Which of the following is evidence that would aid Ann in making a case to management that action needs to be taken to safeguard these servers?

    A. Provide a report of all the IP addresses that are connecting to the systems and their locations

    B. Establish alerts at a certain threshold to notify the analyst of high activity

    C. Provide a report showing the file transfer logs of the servers

    D. Compare the current activity to the baseline of normal activity
