CompTIA CompTIA Advanced Security Practitioner RC0-C02 Questions & Answers

• Question 221:

  The Chief Executive Officer (CEO) of a large prestigious enterprise has decided to reduce business costs by outsourcing to a third party company in another country. Functions to be outsourced include: business analysts, testing, software development and back office functions that deal with the processing of customer data. The Chief Risk Officer (CRO) is concerned about the outsourcing plans. Which of the following risks are MOST likely to occur if adequate controls are not implemented?

  A. Geographical regulation issues, loss of intellectual property and interoperability agreement issues

  B. Improper handling of client data, interoperability agreement issues and regulatory issues

  C. Cultural differences, increased cost of doing business and divestiture issues

  D. Improper handling of customer data, loss of intellectual property and reputation damage

  Correct Answer: D

  The risk of security violations or compromised intellectual property (IP) rights is inherently elevated when working internationally. A key concern with outsourcing arrangements is making sure that there is sufficient protection and security in place for personal information being transferred and/or accessed under an outsourcing agreement.

• Question 222:

  A new IDS device is generating a very large number of irrelevant events. Which of the following would BEST remedy this problem?

  A. Change the IDS to use a heuristic anomaly filter.

  B. Adjust IDS filters to decrease the number of false positives.

  C. Change the IDS filter to data mine the false positives for statistical trending data.

  D. Adjust IDS filters to increase the number of false negatives.

  Correct Answer: B

• Question 223:

  A large financial company has a team of security-focused architects and designers that contribute into broader IT architecture and design solutions. Concerns have been raised due to the security contributions having varying levels of quality and consistency. It has been agreed that a more formalized methodology is needed that can take business drivers, capabilities, baselines, and re-usable patterns into account. Which of the following would BEST help to achieve these objectives?

  A. Construct a library of re-usable security patterns

  B. Construct a security control library

  C. Introduce an ESA framework

  D. Include SRTM in the SDLC

  Correct Answer: C

• Question 224:

  A large corporation which is heavily reliant on IT platforms and systems is in financial difficulty and needs to drastically reduce costs in the short term to survive. The Chief Financial Officer (CFO) has mandated that all IT and architectural functions will be outsourced and a mixture of providers will be selected. One provider will manage the desktops for five years, another provider will manage the network for ten years, another provider will be responsible for security for four years, and an offshore provider will perform day to day business processing functions for two years. At the end of each contract the incumbent may be renewed or a new provider may be selected. Which of the following are the MOST likely risk implications of the CFO's business decision?

  A. Strategic architecture will be adversely impacted through the segregation of duties between the providers. Vendor management costs will remain unchanged. The risk position of the organization will decline as specialists now maintain the environment. The implementation of security controls and security updates will improve. Internal knowledge of IT systems will improve as providers maintain system documentation.

  B. Strategic architecture will improve as more time can be dedicated to strategy. System stability will improve as providers use specialists and tested processes to maintain systems. Vendor management costs will increase and the organization's flexibility to react to new market conditions will be reduced slightly. Internal knowledge of IT systems will improve as providers maintain system documentation. The risk position of the organization will remain unchanged.

  C. Strategic architecture will not be impacted in the short term, but will be adversely impacted in the long term through the segregation of duties between the providers. Vendor management costs will stay the same and the organization's flexibility to react to new market conditions will be improved through best of breed technology implementations. Internal knowledge of IT systems will decline over time. The implementation of security controls and security updates will not change.

  D. Strategic architecture will be adversely impacted through the segregation of duties between the providers. Vendor management costs will increase and the organization's flexibility to react to new market conditions will be reduced. Internal knowledge of IT systems will decline and decrease future platform development. The implementation of security controls and security updates will take longer as responsibility crosses multiple boundaries.

  Correct Answer: D

• Question 225:

  A company provides on-demand cloud computing resources for a sensitive project. The company implements a fully virtualized datacenter and terminal server access with two- factor authentication for customer access to the administrative website. The security administrator at the company has uncovered a breach in data confidentiality. Sensitive data from customer A was found on a hidden directory within the VM of company B. Company B is not in the same industry as company A and the two are not competitors. Which of the following has MOST likely occurred?

  A. Both VMs were left unsecured and an attacker was able to exploit network vulnerabilities to access each and move the data.

  B. A stolen two factor token was used to move data from one virtual guest to another host on the same network segment.

  C. A hypervisor server was left un-patched and an attacker was able to use a resource exhaustion attack to gain unauthorized access.

  D. An employee with administrative access to the virtual guests was able to dump the guest memory onto a mapped disk.

  Correct Answer: A

  In this question, two virtual machines have been accessed by an attacker. The question is asking what is MOST likely to have occurred.

  It is common for operating systems to not be fully patched. Of the options given, the most likely occurrence is that the two VMs were not fully patched allowing an attacker to access each of them. The attacker could then copy data from one

  VM and hide it in a hidden folder on the other VM.

• Question 226:

  A company is in the process of outsourcing its customer relationship management system to a cloud provider. It will host the entire organization's customer database. The database will be accessed by both the company's users and its customers. The procurement department has asked what security activities must be performed for the deal to proceed. Which of the following are the MOST appropriate security activities to be performed as part of due diligence? (Select TWO).

  A. Physical penetration test of the datacenter to ensure there are appropriate controls.

  B. Penetration testing of the solution to ensure that the customer data is well protected.

  C. Security clauses are implemented into the contract such as the right to audit.

  D. Review of the organizations security policies, procedures and relevant hosting certifications.

  E. Code review of the solution to ensure that there are no back doors located in the software.

  Correct Answer: CD

  Due diligence refers to an investigation of a business or person prior to signing a contract. Due diligence verifies information supplied by vendors with regards to processes, financials, experience, and performance. Due diligence should verify the data supplied in the RFP and concentrate on the following: Company profile, strategy, mission, and reputation Financial status, including reviews of audited financial statements Customer references, preferably from companies that have outsourced similar processes Management qualifications, including criminal background checks Process expertise, methodology, and effectiveness Quality initiatives and certifications Technology, infrastructure stability, and applications Security and audit controls Legal and regulatory compliance, including any outstanding complaints or litigation Use of subcontractors Insurance Disaster recovery and business continuity policies

  C and D form part of Security and audit controls.

• Question 227:

  A company is facing penalties for failing to effectively comply with e-discovery requests. Which of the following could reduce the overall risk to the company from this issue?

  A. Establish a policy that only allows filesystem encryption and disallows the use of individual file encryption.

  B. Require each user to log passwords used for file encryption to a decentralized repository.

  C. Permit users to only encrypt individual files using their domain password and archive all old user passwords.

  D. Allow encryption only by tools that use public keys from the existing escrowed corporate PKI.

  Correct Answer: D

  Electronic discovery (also called e-discovery) refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. E-discovery can be carried out offline

  on a particular computer or it can be done in a network.

  An e-discovery policy would define how data is archived and encrypted. If the data is archived in an insecure manor, a user could be able to delete data that the user does not want to be searched. Therefore, we need to find a way of securing

  the data in a way that only authorized people can access the data.

  A public key infrastructure (PKI) supports the distribution and identification of public encryption keys for the encryption of data. The data can only be decrypted by the private key.

  In this question, we have an escrowed corporate PKI. Escrow is an independent and licensed third party that holds something (money, sensitive data etc.) and releases it only when predefined conditions have been met. In this case, Escrow is

  holding the private key of the PKI.

  By encrypting the e-discovery data by using the PKI public key, we can ensure that the data can only be decrypted by the private key held in Escrow and this will only happen when the predefined conditions are met.

• Question 228:

  A small customer focused bank with implemented least privilege principles, is concerned about the possibility of branch staff unintentionally aiding fraud in their day to day interactions with customers. Bank staff has been encouraged to build friendships with customers to make the banking experience feel more personal. The security and risk team have decided that a policy needs to be implemented across all branches to address the risk. Which of the following BEST addresses the security and risk team's concerns?

  A. Information disclosure policy

  B. Awareness training

  C. Job rotation

  D. Separation of duties

  Correct Answer: B

• Question 229:

  A company has implemented data retention policies and storage quotas in response to their legal department's requests and the SAN administrator's recommendation. The retention policy states all email data older than 90 days should be eliminated. As there are no technical controls in place, users have been instructed to stick to a storage quota of 500Mb of network storage and 200Mb of email storage. After being presented with an e- discovery request from an opposing legal council, the security administrator discovers that the user in the suit has 1Tb of files and 300Mb of email spanning over two years. Which of the following should the security administrator provide to opposing council?

  A. Delete files and email exceeding policy thresholds and turn over the remaining files and email.

  B. Delete email over the policy threshold and hand over the remaining emails and all of the files.

  C. Provide the 1Tb of files on the network and the 300Mb of email files regardless of age.

  D. Provide the first 200Mb of e-mail and the first 500Mb of files as per policy.

  Correct Answer: C

• Question 230:

  During an incident involving the company main database, a team of forensics experts is hired to respond to the breach. The team is in charge of collecting forensics evidence from the company's database server. Which of the following is the correct order in which the forensics team should engage?

  A. Notify senior management, secure the scene, capture volatile storage, capture non- volatile storage, implement chain of custody, and analyze original media.

  B. Take inventory, secure the scene, capture RAM, capture hard drive, implement chain of custody, document, and analyze the data.

  C. Implement chain of custody, take inventory, secure the scene, capture volatile and non- volatile storage, and document the findings.

  D. Secure the scene, take inventory, capture volatile storage, capture non-volatile storage, document, and implement chain of custody.

  Correct Answer: D

  The scene has to be secured first to prevent contamination. Once a forensic copy has been created, an analyst will begin the process of moving from most volatile to least volatile information. The chain of custody helps to protect the integrity and reliability of the evidence by keeping an evidence log that shows all access to evidence, from collection to appearance in court.