A company has noticed recently that its corporate information has ended up on an online forum. An investigation has identified that internal employees are sharing confidential corporate information on a daily basis. Which of the following are the MOST effective security controls that can be implemented to stop the above problem? (Select TWO).
A. Implement a URL filter to block the online forum
B. Implement NIDS on the desktop and DMZ networks
C. Security awareness compliance training for all employees
D. Implement DLP on the desktop, email gateway, and web proxies
E. Review of security policies and procedures
The Information Security Officer (ISO) is reviewing new policies that have been recently made effective and now apply to the company. Upon review, the ISO identifies a new requirement to implement two-factor authentication on the company's wireless system. Due to budget constraints, the company will be unable to implement the requirement for the next two years. The ISO is required to submit a policy exception form to the Chief Information Officer (CIO). Which of the following are MOST important to include when submitting the exception form? (Select THREE).
A. Business or technical justification for not implementing the requirements.
B. Risks associated with the inability to implement the requirements.
C. Industry best practices with respect to the technical implementation of the current controls.
D. All sections of the policy that may justify non-implementation of the requirements.
E. A revised DRP and COOP plan to the exception form.
F. Internal procedures that may justify a budget submission to implement the new requirement.
G. Current and planned controls to mitigate the risks.
The internal audit department is investigating a possible breach of security. One of the auditors is sent to interview the following employees:
Employee A: Works in the accounts receivable office and is in charge of entering data into the finance system.
Employee B: Works in the accounts payable office and is in charge of approving purchase orders.
Employee C: Is the manager of the finance department, supervises Employee A and Employee B, and can perform the functions of both Employee A and Employee B.
Which of the following should the auditor suggest be done to avoid future security breaches?
A. All employees should have the same access level to be able to check on each other.
B. The manager should only be able to review the data and approve purchase orders.
C. Employee A and Employee B should rotate jobs at a set interval and cross-train.
D. The manager should be able to both enter and approve information.
Due to a new regulation, a company has to increase active monitoring of security-related events to 24 hours a day. The security staff only has three full-time employees that work during normal business hours. Instead of hiring new security analysts to cover the remaining shifts necessary to meet the monitoring requirement, the Chief Information Officer (CIO) has hired a Managed Security Service (MSS) to monitor events. Which of the following should the company do to ensure that the chosen MSS meets expectations?
A. Develop a memorandum of understanding on what the MSS is responsible to provide.
B. Create internal metrics to track MSS performance.
C. Establish a mutually agreed upon service level agreement.
D. Issue an RFP to ensure the MSS follows guidelines.
Company policy requires that all company laptops meet the following baseline requirements:
Software requirements: Antivirus; Anti-malware; Anti-spyware; Log monitoring; Full-disk encryption; Terminal services enabled for RDP; Administrative access for local users
Hardware restrictions: Bluetooth disabled; FireWire disabled; WiFi adapter disabled
Ann, a web developer, reports performance issues with her laptop and is not able to access any network resources. After further investigation, a bootkit was discovered and it was trying to access external websites. Which of the following hardening techniques should be applied to mitigate this specific issue from reoccurring? (Select TWO).
A. Group policy to limit web access
B. Restrict VPN access for all mobile users
C. Remove full-disk encryption
D. Remove administrative access to local users
E. Restrict/disable TELNET access to network resources
F. Perform vulnerability scanning on a daily basis
G. Restrict/disable USB access
After a security incident, an administrator would like to implement policies that would help reduce fraud and the potential for collusion between employees. Which of the following would help meet these goals by having co-workers occasionally audit another worker's position?
A. Least privilege
B. Job rotation
C. Mandatory vacation
D. Separation of duties
The IT Security Analyst for a small organization is working on a customer's system and identifies a possible intrusion in a database that contains PII. Since PII is involved, the analyst wants to get the issue addressed as soon as possible. Which of the following is the FIRST step the analyst should take in mitigating the impact of the potential intrusion?
A. Contact the local authorities so an investigation can be started as quickly as possible.
B. Shut down the production network interfaces on the server and change all of the DBMS account passwords.
C. Disable the front-end web server and notify the customer by email to determine how the customer would like to proceed.
D. Refer the issue to management for handling according to the incident response process.
During a new desktop refresh, all hosts are hardened at the OS level before deployment to comply with policy. Six months later, the company is audited for compliance to regulations. The audit discovers that 40 percent of the desktops do not meet requirements. Which of the following is the MOST likely cause of the noncompliance?
A. The devices are being modified and settings are being overridden in production.
B. The patch management system is causing the devices to be noncompliant after issuing the latest patches.
C. The desktop applications were configured with the default username and password.
D. 40 percent of the devices use full disk encryption.
A new piece of ransomware got installed on a company's backup server which encrypted the hard drives containing the OS and backup application configuration but did not affect the deduplication data hard drives. During the incident response, the company finds that all backup tapes for this server are also corrupt. Which of the following is the PRIMARY concern?
A. Determining how to install HIPS across all server platforms to prevent future incidents
B. Preventing the ransomware from re-infecting the server upon restore
C. Validating the integrity of the deduplicated data
D. Restoring the data will be difficult without the application configuration
A health service provider is considering the impact of allowing doctors and nurses access to the internal email system from their personal smartphones. The Information Security Officer (ISO) has received a technical document from the security administrator explaining that the current email system is capable of enforcing security policies to personal smartphones, including screen lockout and mandatory PINs. Additionally, the system is able to remotely wipe a phone if reported lost or stolen. Which of the following should the Information Security Officer be MOST concerned with based on this scenario? (Select THREE).
A. The email system may become unavailable due to overload.
B. Compliance may not be supported by all smartphones.
C. Equipment loss, theft, and data leakage.
D. Smartphone radios can interfere with health equipment.
E. Data usage cost could significantly increase.
F. Not all smartphones natively support encryption.
G. Smartphones may be used as rogue access points.