CompTIA CompTIA Advanced Security Practitioner RC0-C02 Questions & Answers

• Question 191:

  Which of the following provides the BEST risk calculation methodology?

  A. Annual Loss Expectancy (ALE) x Value of Asset

  B. Potential Loss x Event Probability x Control Failure Probability

  C. Impact x Threat x Vulnerability

  D. Risk Likelihood x Annual Loss Expectancy (ALE)

  Correct Answer: B

  Of the options given, the BEST risk calculation methodology would be Potential Loss x Event Probability x Control Failure Probability. This exam is about computer and data security so `loss' caused by risk is not necessarily a monetary value.

  For example:

  Potential Loss could refer to the data lost in the event of a data storage failure. Event probability could be the risk a disk drive or drives failing. Control Failure Probability could be the risk of the storage RAID not being able to handle the

  number of failed hard drives without losing data.

• Question 192:

  The Chief Information Officer (CIO) is reviewing the IT centric BIA and RA documentation. The documentation shows that a single 24 hours downtime in a critical business function will cost the business $2.3 million. Additionally, the business unit which depends on the critical business function has determined that there is a high probability that a threat will materialize based on historical data. The CIO's budget does not allow for full system hardware replacement in case of a catastrophic failure, nor does it allow for the purchase of additional compensating controls. Which of the following should the CIO recommend to the finance director to minimize financial loss?

  A. The company should mitigate the risk.

  B. The company should transfer the risk.

  C. The company should avoid the risk.

  D. The company should accept the risk.

  Correct Answer: B

  To transfer the risk is to deflect it to a third party, by taking out insurance for example.

• Question 193:

  The source workstation image for new accounting PCs has begun blue-screening. A technician notices that the date/time stamp of the image source appears to have changed. The desktop support director has asked the Information Security department to determine if any changes were made to the source image. Which of the following methods would BEST help with this process? (Select TWO).

  A. Retrieve source system image from backup and run file comparison analysis on the two images.

  B. Parse all images to determine if extra data is hidden using steganography.

  C. Calculate a new hash and compare it with the previously captured image hash.

  D. Ask desktop support if any changes to the images were made.

  E. Check key system files to see if date/time stamp is in the past six months.

  Correct Answer: AC

  Running a file comparison analysis on the two images will determine whether files have been changed, as well as what files were changed. Hashing can be used to meet the goals of integrity and non-repudiation. One of its advantages of hashing is its ability to verify that information has remained unchanged. If the hash values are the same, then the images are the same. If the hash values differ, there is a difference between the two images.

• Question 194:

  A forensic analyst receives a hard drive containing malware quarantined by the antivirus application. After creating an image and determining the directory location of the malware file, which of the following helps to determine when the system became infected?

  A. The malware file's modify, access, change time properties.

  B. The timeline analysis of the file system.

  C. The time stamp of the malware in the swap file.

  D. The date/time stamp of the malware detection in the antivirus logs.

  Correct Answer: B

  Timelines can be used in digital forensics to identify when activity occurred on a computer. Timelines are mainly used for data reduction or identifying specific state changes that have occurred on a computer.

• Question 195:

  In an effort to reduce internal email administration costs, a company is determining whether to outsource its email to a managed service provider that provides email, spam, and malware protection. The security manager is asked to provide input regarding any security implications of this change. Which of the following BEST addresses risks associated with disclosure of intellectual property?

  A. Require the managed service provider to implement additional data separation.

  B. Require encrypted communications when accessing email.

  C. Enable data loss protection to minimize emailing PII and confidential data.

  D. Establish an acceptable use policy and incident response policy.

  Correct Answer: C

• Question 196:

  A security analyst has been asked to develop a quantitative risk analysis and risk assessment for the company's online shopping application. Based on heuristic information from the Security Operations Center (SOC), a Denial of Service Attack (DoS) has been successfully executed 5 times a year. The Business Operations department has determined the loss associated to each attack is $40,000. After implementing application caching, the number of DoS attacks was reduced to one time a year. The cost of the countermeasures was $100,000. Which of the following is the monetary value earned during the first year of operation?

  A. $60,000

  B. $100,000

  C. $140,000

  D. $200,000

  Correct Answer: A

  ALE before implementing application caching: ALE = ARO x SLE ALE = 5 x $40,000 ALE = $200,000

  ALE after implementing application caching:

  ALE = ARO x SLE ALE = 1 x $40,000 ALE = $40,000

  The monetary value earned would be the sum of subtracting the ALE calculated after implementing application caching and the cost of the countermeasures, from the ALE calculated before implementing application caching.

  Monetary value earned = $200,000 - $40,000 - $100,000 Monetary value earned = $60,000

• Question 197:

  In a situation where data is to be recovered from an attacker's location, which of the following are the FIRST things to capture? (Select TWO).

  A. Removable media

  B. Passwords written on scrap paper

  C. Snapshots of data on the monitor

  D. Documents on the printer

  E. Volatile system memory

  F. System hard drive

  Correct Answer: CE

  An exact copy of the attacker's system must be captured for further investigation so that the original data can remain unchanged. An analyst will then start the process of capturing data from the most volatile to the least volatile. The order of volatility from most volatile to least volatile is as follows: Data in RAM, including CPU cache and recently used data and applications Data in RAM, including system and network processes Swap files (also known as paging files) stored on local disk drives Data stored on local disk drives Logs stored on remote systems Archive media

• Question 198:

  A newly-appointed risk management director for the IT department at Company XYZ, a major pharmaceutical manufacturer, needs to conduct a risk analysis regarding a new system which the developers plan to bring on-line in three weeks. The director begins by reviewing the thorough and well-written report from the independent contractor who performed a security assessment of the system. The report details what seem to be a manageable volume of infrequently exploited security vulnerabilities. The director decides to implement continuous monitoring and other security controls to mitigate the impact of the vulnerabilities. Which of the following should the director require from the developers before agreeing to deploy the system?

  A. An incident response plan which guarantees response by tier two support within 15 minutes of an incident.

  B. A definitive plan of action and milestones which lays out resolutions to all vulnerabilities within six months.

  C. Business insurance to transfer all risk from the company shareholders to the insurance company.

  D. A prudent plan of action which details how to decommission the system within 90 days of becoming operational.

  Correct Answer: B

• Question 199:

  An investigator wants to collect the most volatile data first in an incident to preserve the data that runs the highest risk of being lost. After memory, which of the following BEST represents the remaining order of volatility that the investigator should follow?

  A. File system information, swap files, network processes, system processes and raw disk blocks.

  B. Raw disk blocks, network processes, system processes, swap files and file system information.

  C. System processes, network processes, file system information, swap files and raw disk blocks.

  D. Raw disk blocks, swap files, network processes, system processes, and file system information.

  Correct Answer: C

  The order in which you should collect evidence is referred to as the Order of volatility. Generally, evidence should be collected from the most volatile to the least volatile. The order of volatility from most volatile to least volatile is as follows: Data in RAM, including CPU cache and recently used data and applications Data in RAM, including system and network processes Swap files (also known as paging files) stored on local disk drives Data stored on local disk drives Logs stored on remote systems Archive media

• Question 200:

  Company XYZ has employed a consultant to perform a controls assessment of the HR system, backend business operations, and the SCADA system used in the factory. Which of the following correctly states the risk management options that the consultant should use during the assessment?

  A. Risk reduction, risk sharing, risk retention, and risk acceptance.

  B. Avoid, transfer, mitigate, and accept.

  C. Risk likelihood, asset value, and threat level.

  D. Calculate risk by determining technical likelihood and potential business impact.

  Correct Answer: B