CompTIA CompTIA Advanced Security Practitioner RC0-C02 Questions & Answers

• Question 231:

  The DLP solution has been showing some unidentified encrypted data being sent using FTP to a remote server. A vulnerability scan found a collection of Linux servers that are missing OS level patches. Upon further investigation, a technician notices that there are a few unidentified processes running on a number of the servers. What would be a key FIRST step for the data security team to undertake at this point?

  A. Capture process ID data and submit to anti-virus vendor for review.

  B. Reboot the Linux servers, check running processes, and install needed patches.

  C. Remove a single Linux server from production and place in quarantine.

  D. Notify upper management of a security breach.

  E. Conduct a bit level image, including RAM, of one or more of the Linux servers.

  Correct Answer: E

  Incident management (IM) is a necessary part of a security program. When effective, it mitigates business impact, identifies weaknesses in controls, and helps fine-tune response processes.

  In this question, an attack has been identified and confirmed. When a server is compromised or used to commit a crime, it is often necessary to seize it for forensics analysis. Security teams often face two challenges when trying to remove a

  physical server from service: retention of potential evidence in volatile storage or removal of a device from a critical business process.

  Evidence retention is a problem when the investigator wants to retain RAM content. For example, removing power from a server starts the process of mitigating business impact, but it also denies forensic analysis of data, processes, keys,

  and possible footprints left by an attacker.

  A full a bit level image, including RAM should be taken of one or more of the Linux servers. In many cases, if your environment has been deliberately attacked, you may want to take legal action against the perpetrators. In order to preserve

  this option, you should gather evidence that can be used against them, even if a decision is ultimately made not to pursue such action. It is extremely important to back up the compromised systems as soon as possible. Back up the systems prior to performing any actions that could affect data integrity on the original media.

• Question 232:

  Customers are receiving emails containing a link to malicious software. These emails are subverting spam filters. The email reads as follows:

  Delivered-To: [email protected]

  Received: by 10.14.120.205

  Mon, 1 Nov 2010 11:15:24 -0700 (PDT)

  Received: by 10.231.31.193

  Mon, 01 Nov 2010 11:15:23 -0700 (PDT)

  Return-Path:

  Received: from 127.0.0.1 for ; Mon, 1 Nov 2010 13:15:14 -0500 (envelope-from )

  Received: by smtpex.example.com (SMTP READY)

  with ESMTP (AIO); Mon, 01 Nov 2010 13:15:14 -0500

  Received: from 172.18.45.122 by 192.168.2.55; Mon, 1 Nov 2010 13:15:14 -0500

  From: Company

  To: "[email protected]"

  Date: Mon, 1 Nov 2010 13:15:11 -0500

  Subject: New Insurance Application

  Thread-Topic: New Insurance Application

  Please download and install software from the site below to maintain full access to your account.

  www.examplesite.com

  Additional information: The authorized mail servers IPs are 192.168.2.10 and 192.168.2.11.

  The network's subnet is 192.168.2.0/25.

  Which of the following are the MOST appropriate courses of action a security administrator could take to eliminate this risk? (Select TWO).

  A. Identify the origination point for malicious activity on the unauthorized mail server.

  B. Block port 25 on the firewall for all unauthorized mail servers.

  C. Disable open relay functionality.

  D. Shut down the SMTP service on the unauthorized mail server.

  E. Enable STARTTLS on the spam filter.

  Correct Answer: BD

  In this question, we have an unauthorized mail server using the IP: 192.168.2.55. Blocking port 25 on the firewall for all unauthorized mail servers is a common and recommended security step. Port 25 should be open on the firewall to the IP addresses of the authorized email servers only (192.168.2.10 and 192.168.2.11). This will prevent unauthorized email servers sending email or receiving and relaying email.

  Email servers use SMTP (Simple Mail Transfer Protocol) to send email to other email servers. Shutting down the SMTP service on the unauthorized mail server is effectively disabling the mail server functionality of the unauthorized server.

• Question 233:

  An organization is selecting a SaaS provider to replace its legacy, in house Customer Resource Management (CRM) application. Which of the following ensures the organization mitigates the risk of managing separate user credentials?

  A. Ensure the SaaS provider supports dual factor authentication.

  B. Ensure the SaaS provider supports encrypted password transmission and storage.

  C. Ensure the SaaS provider supports secure hash file exchange.

  D. Ensure the SaaS provider supports role-based access control.

  E. Ensure the SaaS provider supports directory services federation.

  Correct Answer: E

  A SaaS application that has a federation server within the customer's network that interfaces with the customer's own enterprise user-directory service can provide single sign-on authentication. This federation server has a trust relationship with a corresponding federation server located within the SaaS provider's network. Single sign-on will mitigate the risk of managing separate user credentials.

• Question 234:

  Wireless users are reporting issues with the company's video conferencing and VoIP systems. The security administrator notices internal DoS attacks from infected PCs on the network causing the VoIP system to drop calls. The security administrator also notices that the SIP servers are unavailable during these attacks. Which of the following security controls will MOST likely mitigate the VoIP DoS attacks on the network? (Select TWO).

  A. Install a HIPS on the SIP servers

  B. Configure 802.1X on the network

  C. Update the corporate firewall to block attacking addresses

  D. Configure 802.11e on the network

  E. Configure 802.1q on the network

  Correct Answer: AD

  Host-based intrusion prevention system (HIPS) is an installed software package that will monitor a single host for suspicious activity by analyzing events taking place within that host. IEEE 802.11e is deemed to be of significant consequence for delay-sensitive applications, such as Voice over Wireless LAN and streaming multimedia.

• Question 235:

  A critical system audit shows that the payroll system is not meeting security policy due to missing OS security patches. Upon further review, it appears that the system is not being patched at all. The vendor states that the system is only supported on the current OS patch level. Which of the following compensating controls should be used to mitigate the vulnerability of missing OS patches on this system?

  A. Isolate the system on a secure network to limit its contact with other systems

  B. Implement an application layer firewall to protect the payroll system interface

  C. Monitor the system's security log for unauthorized access to the payroll application

  D. Perform reconciliation of all payroll transactions on a daily basis

  Correct Answer: A

  The payroll system is not meeting security policy due to missing OS security patches. We cannot apply the patches to the system because the vendor states that the system is only supported on the current OS patch level. Therefore, we need

  another way of securing the system.

  We can improve the security of the system and the other systems on the network by isolating the payroll system on a secure network to limit its contact with other systems. This will reduce the likelihood of a malicious user accessing the

  payroll system and limit any damage to other systems if the payroll system is attacked.

• Question 236:

  A security administrator has been asked to select a cryptographic algorithm to meet the criteria of a new application. The application utilizes streaming video that can be viewed both on computers and mobile devices. The application designers have asked that the algorithm support the transport encryption with the lowest possible performance overhead. Which of the following recommendations would BEST meet the needs of the application designers? (Select TWO).

  A. Use AES in Electronic Codebook mode

  B. Use RC4 in Cipher Block Chaining mode

  C. Use RC4 with Fixed IV generation

  D. Use AES with cipher text padding

  E. Use RC4 with a nonce generated IV

  F. Use AES in Counter mode

  Correct Answer: EF

  In cryptography, an initialization vector (IV) is a fixed-size input to a cryptographic primitive that is typically required to be random or pseudorandom. Randomization is crucial for encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between segments of the encrypted message. Some cryptographic primitives require the IV only to be non-repeating, and the required randomness is derived internally. In this case, the IV is commonly called a nonce (number used once), and the primitives are described as stateful as opposed to randomized. This is because the IV need not be explicitly forwarded to a recipient but may be derived from a common state updated at both sender and receiver side. An example of stateful encryption schemes is the counter mode of operation, which uses a sequence number as a nonce.

  AES is a block cipher. Counter mode turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a "counter". The counter can be any function which produces a sequence which is guaranteed not to repeat for a long time, although an actual increment-by-one counter is the simplest and most popular.

• Question 237:

  An administrator has four virtual guests on a host server. Two of the servers are corporate SQL servers, one is a corporate mail server, and one is a testing web server for a small group of developers. The administrator is experiencing difficulty connecting to the host server during peak network usage times. Which of the following would allow the administrator to securely connect to and manage the host server during peak usage times?

  A. Increase the virtual RAM allocation to high I/O servers.

  B. Install a management NIC and dedicated virtual switch.

  C. Configure the high I/O virtual servers to use FCoE rather than iSCSI.

  D. Move the guest web server to another dedicated host.

  Correct Answer: B

• Question 238:

  A storage as a service company implements both encryption at rest as well as encryption in transit of customers' data. The security administrator is concerned with the overall security of the encrypted customer data stored by the company servers and wants the development team to implement a solution that will strengthen the customer's encryption key. Which of the following, if implemented, will MOST increase the time an offline password attack against the customers' data would take?

  A. key = NULL ; for (int i=0; i<5000; i++) { key = sha(key + password) }

  B. password = NULL ; for (int i=0; i<10000; i++) { password = sha256(key) }

  C. password = password + sha(password+salt) + aes256(password+salt)

  D. key = aes128(sha256(password), password))

  Correct Answer: A

  Explanation: References: http://stackoverflow.com/questions/4948322/fundamental-difference-between-hashing-and- encryption-algorithms

• Question 239:

  A senior network security engineer has been tasked to decrease the attack surface of the corporate network. Which of the following actions would protect the external network interfaces from external attackers performing network scanning?

  A. Remove contact details from the domain name registrar to prevent social engineering attacks.

  B. Test external interfaces to see how they function when they process fragmented IP packets.

  C. Enable a honeynet to capture and facilitate future analysis of malicious attack vectors.

  D. Filter all internal ICMP message traffic, forcing attackers to use full-blown TCP port scans against external network interfaces.

  Correct Answer: B

  Fragmented IP packets are often used to evade firewalls or intrusion detection systems.

  Port Scanning is one of the most popular reconnaissance techniques attackers use to discover services they can break into. All machines connected to a Local Area Network (LAN) or Internet run many services that listen at well-known and

  not so well known ports. A port scan helps the attacker find which ports are available (i.e., what service might be listing to a port).

  One problem, from the perspective of the attacker attempting to scan a port, is that services listening on these ports log scans. They see an incoming connection, but no data, so an error is logged. There exist a number of stealth scan

  techniques to avoid this. One method is a fragmented port scan.

  Fragmented packet Port Scan

  The scanner splits the TCP header into several IP fragments. This bypasses some packet filter firewalls because they cannot see a complete TCP header that can match their filter rules. Some packet filters and firewalls do queue all IP

  fragments, but many networks cannot afford the performance loss caused by the queuing.

• Question 240:

  A popular commercial virtualization platform allows for the creation of virtual hardware. To virtual machines, this virtual hardware is indistinguishable from real hardware. By implementing virtualized TPMs, which of the following trusted system concepts can be implemented?

  A. Software-based root of trust

  B. Continuous chain of trust

  C. Chain of trust with a hardware root of trust

  D. Software-based trust anchor with no root of trust

  Correct Answer: C

  A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer, and it communicates with the

  remainder of the system by using a hardware bus.

  A vTPM is a virtual Trusted Platform Module; a virtual instance of the TPM. IBM extended the current TPM V1.2 command set with virtual TPM management commands that allow us to create and delete instances of TPMs. Each created

  instance of a TPM holds an association with a virtual machine (VM) throughout its lifetime on the platform.

  The TPM is the hardware root of trust.

  Chain of trust means to extend the trust boundary from the root(s) of trust, in order to extend the collection of trustworthy functions. Implies/entails transitive trust. Therefore a virtual TPM is a chain of trust from the hardware TPM (root of

  trust).