CompTIA CompTIA Advanced Security Practitioner RC0-C02 Questions & Answers

• Question 241:

  A multi-national company has a highly mobile workforce and minimal IT infrastructure. The company utilizes a BYOD and social media policy to integrate presence technology into global collaboration tools by individuals and teams. As a result of the dispersed employees and frequent international travel, the company is concerned about the safety of employees and their families when moving in and out of certain countries. Which of the following could the company view as a downside of using presence technology?

  A. Insider threat

  B. Network reconnaissance

  C. Physical security

  D. Industrial espionage

  Correct Answer: C

  If all company users worked in the same office with one corporate network and using company supplied laptops, then it is easy to implement all sorts of physical security controls. Examples of physical security include intrusion detection systems, fire protection systems, surveillance cameras or simply a lock on the office door. However, in this question we have dispersed employees using their own devices and frequently traveling internationally. This makes it extremely difficult to implement any kind of physical security. Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism.

• Question 242:

  Using SSL, an administrator wishes to secure public facing server farms in three subdomains: dc1.east.company.com, dc2.central.company.com, and dc3.west.company.com. Which of the following is the number of wildcard SSL certificates that should be purchased?

  A. 0

  B. 1

  C. 3

  D. 6

  Correct Answer: C

  You would need three wildcard certificates: *. east.company.com *. central.company.com *. west.company.com

  The common domain in each of the domains is company.com. However, a wildcard covers only one level of subdomain. For example: *. company.com will cover ".company.com" but it won't cover "..company.com". You can only have one wildcard in a domain. For example: *.company.com. You cannot have *.*.company.com. Only the leftmost wildcard (*) is counted.

• Question 243:

  At 9:00 am each morning, all of the virtual desktops in a VDI implementation become extremely slow and/or unresponsive. The outage lasts for around 10 minutes, after which everything runs properly again. The administrator has traced the problem to a lab of thin clients that are all booted at 9:00 am each morning. Which of the following is the MOST likely cause of the problem and the BEST solution? (Select TWO).

  A. Add guests with more memory to increase capacity of the infrastructure.

  B. A backup is running on the thin clients at 9am every morning.

  C. Install more memory in the thin clients to handle the increased load while booting.

  D. Booting all the lab desktops at the same time is creating excessive I/O.

  E. Install 10-Gb uplinks between the hosts and the lab to increase network capacity.

  F. Install faster SSD drives in the storage system used in the infrastructure.

  G. The lab desktops are saturating the network while booting.

  H. The lab desktops are using more memory than is available to the host systems.

  Correct Answer: DF

  The problem lasts for 10 minutes at 9am every day and has been traced to the lab desktops. This question is asking for the MOST likely cause of the problem. The most likely cause of the problem is that the lab desktops being started at the

  same time at the beginning of the day is causing excessive disk I/O as the operating systems are being read and loaded from disk storage.

  The solution is to install faster SSD drives in the storage system that contains the desktop operating systems.

• Question 244:

  The security administrator finds unauthorized tables and records, which were not present before, on a Linux database server. The database server communicates only with one web server, which connects to the database server via an

  account with SELECT only privileges.

  Web server logs show the following:

  90.76.165.40 ?- [08/Mar/2014:10:54:04] "GET calendar.php?create%20table%20hidden HTTP/1.1" 200 5724

  90.76.165.40 ?- [08/Mar/2014:10:54:05] "GET ../../../root/.bash_history HTTP/1.1" 200 90.76.165.40 ?- [08/Mar/2014:10:54:04] "GET index.php?user<;scrip>;Creat<;/scrip>; HTTP/1.1" 200 5724

  The security administrator also inspects the following file system locations on the database server using the command `ls -al /root'

  drwxrwxrwx 11 root root 4096 Sep 28 22:45 .

  drwxr-xr-x 25 root root 4096 Mar 8 09:30 ..

  -rws------ 25 root root 4096 Mar 8 09:30 .bash_history

  -rw------- 25 root root 4096 Mar 8 09:30 .bash_history

  -rw------- 25 root root 4096 Mar 8 09:30 .profile

  -rw------- 25 root root 4096 Mar 8 09:30 .ssh

  Which of the following attacks was used to compromise the database server and what can the security administrator implement to detect such attacks in the future? (Select TWO).

  A. Privilege escalation

  B. Brute force attack

  C. SQL injection

  D. Cross-site scripting

  E. Using input validation, ensure the following characters are sanitized: <>

  F. Update crontab with: find / \( -perm -4000 \) –type f –print0 | xargs -0 ls –l | email.sh

  G. Implement the following PHP directive: $clean_user_input = addslashes($user_input)

  H. Set an account lockout policy

  Correct Answer: AF

  This is an example of privilege escalation.

  Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

  The question states that the web server communicates with the database server via an account with SELECT only privileges. However, the privileges listed include read, write and execute (rwx). This suggests the privileges have been

  `escalated'.

  Now that we know the system has been attacked, we should investigate what was done to the system.

  The command “Update crontab with: find / \( -perm -4000 \) –type f –print0 | xargs -0 ls –l | email.sh” is used to find all the files that are setuid enabled. Setuid means set user ID upon execution. If the setuid bit is turned on for a file, the user

  executing that executable file gets the permissions of the individual or group that owns the file.

• Question 245:

  A security administrator has noticed that an increased number of employees' workstations are becoming infected with malware. The company deploys an enterprise antivirus system as well as a web content filter, which blocks access to malicious web sites where malware files can be downloaded. Additionally, the company implements technical measures to disable external storage. Which of the following is a technical control that the security administrator should implement next to reduce malware infection?

  A. Implement an Acceptable Use Policy which addresses malware downloads.

  B. Deploy a network access control system with a persistent agent.

  C. Enforce mandatory security awareness training for all employees and contractors.

  D. Block cloud-based storage software on the company network.

  Correct Answer: D

  The question states that the company implements technical measures to disable external storage. This is storage such as USB flash drives and will help to ensure that the users to do not bring unauthorized data that could potentially contain malware into the network. We should extend this by blocking cloud-based storage software on the company network. This would block access to cloud-based storage services such as Dropbox or OneDrive.

• Question 246:

  Company ABC is hiring customer service representatives from Company XYZ. The representatives reside at Company XYZ's headquarters. Which of the following BEST prevents Company XYZ representatives from gaining access to unauthorized Company ABC systems?

  A. Require each Company XYZ employee to use an IPSec connection to the required systems

  B. Require Company XYZ employees to establish an encrypted VDI session to the required systems

  C. Require Company ABC employees to use two-factor authentication on the required systems

  D. Require a site-to-site VPN for intercompany communications

  Correct Answer: B

  VDI stands for Virtual Desktop Infrastructure. Virtual desktop infrastructure is the practice of hosting a desktop operating system within a virtual machine (VM) running on a centralized server.

  Company ABC can configure virtual desktops with the required restrictions and required access to systems that the users in company XYZ require. The users in company XYZ can then log in to the virtual desktops over a secure encrypted

  connection and then access authorized systems only.

• Question 247:

  An organization has implemented an Agile development process for front end web application development. A new security architect has just joined the company and wants to integrate security activities into the SDLC.

  Which of the following activities MUST be mandated to ensure code quality from a security perspective? (Select TWO).

  A. Static and dynamic analysis is run as part of integration

  B. Security standards and training is performed as part of the project

  C. Daily stand-up meetings are held to ensure security requirements are understood

  D. For each major iteration penetration testing is performed

  E. Security requirements are story boarded and make it into the build

  F. A security design is performed at the end of the requirements phase

  Correct Answer: AD

  SDLC stands for systems development life cycle. An agile project is completed in small sections called iterations. Each iteration is reviewed and critiqued by the project team. Insights gained from the critique of an iteration are used to

  determine what the next step should be in the project. Each project iteration is typically scheduled to be completed within two weeks.

  Static and dynamic security analysis should be performed throughout the project. Static program analysis is the analysis of computer software that is performed without actually executing programs (analysis performed on executing programs

  is known as dynamic analysis). In most cases the analysis is performed on some version of the source code, and in the other cases, some form of the object code.

  For each major iteration penetration testing is performed. The output of a major iteration will be a functioning part of the application. This should be penetration tested to ensure security of the application.

• Question 248:

  An organization is concerned with potential data loss in the event of a disaster, and created a backup datacenter as a mitigation strategy. The current storage method is a single NAS used by all servers in both datacenters. Which of the following options increases data availability in the event of a datacenter failure?

  A. Replicate NAS changes to the tape backups at the other datacenter.

  B. Ensure each server has two HBAs connected through two routes to the NAS.

  C. Establish deduplication across diverse storage paths.

  D. Establish a SAN that replicates between datacenters.

  Correct Answer: D

  A SAN is a Storage Area Network. It is an alternative to NAS storage. SAN replication is a technology that replicates the data on one SAN to another SAN; in this case, it would replicate the data to a SAN in the backup datacenter. In the event of a disaster, the SAN in the backup datacenter would contain all the data on the original SAN. Array-based replication is an approach to data backup in which compatible storage arrays use built-in software to automatically copy data from one storage array to another. Array- based replication software runs on one or more storage controllers resident in disk storage systems, synchronously or asynchronously replicating data between similar storage array models at the logical unit number (LUN) or volume block level. The term can refer to the creation of local copies of data within the same array as the source data, as well as the creation of remote copies in an array situated off site.

• Question 249:

  The Chief Information Security Officer (CISO) at a large organization has been reviewing some security-related incidents at the organization and comparing them to current industry trends. The desktop security engineer feels that the use of USB storage devices on office computers has contributed to the frequency of security incidents. The CISO knows the acceptable use policy prohibits the use of USB storage devices. Every user receives a popup warning about this policy upon login. The SIEM system produces a report of USB violations on a monthly basis; yet violations continue to occur.

  Which of the following preventative controls would MOST effectively mitigate the logical risks associated with the use of USB storage devices?

  A. Revise the corporate policy to include possible termination as a result of violations

  B. Increase the frequency and distribution of the USB violations report

  C. Deploy PKI to add non-repudiation to login sessions so offenders cannot deny the offense

  D. Implement group policy objects

  Correct Answer: D

  A Group Policy Object (GPO) can apply a common group of settings to all computers in Windows domain.

  One GPO setting under the Removable Storage Access node is: All removable storage classes: Deny all access.

  This setting can be applied to all computers in the network and will disable all USB storage devices on the computers.

• Question 250:

  A pentester must attempt to crack passwords on a windows domain that enforces strong complex passwords. Which of the following would crack the MOST passwords in the shortest time period?

  A. Online password testing

  B. Rainbow tables attack

  C. Dictionary attack

  D. Brute force attack

  Correct Answer: B

  The passwords in a Windows (Active Directory) domain are encrypted. When a password is "tried" against a system it is "hashed" using encryption so that the actual password is never sent in clear text across the communications line. This prevents eavesdroppers from intercepting the password. The hash of a password usually looks like a bunch of garbage and is typically a different length than the original password. Your password might be "shitzu" but the hash of your password would look something like "7378347eedbfdd761619451949225ec1". To verify a user, a system takes the hash value created by the password hashing function on the client computer and compares it to the hash value stored in a table on the server. If the hashes match, then the user is authenticated and granted access. Password cracking programs work in a similar way to the login process. The cracking program starts by taking plaintext passwords, running them through a hash algorithm, such as MD5, and then compares the hash output with the hashes in the stolen password file. If it finds a match then the program has cracked the password. Rainbow Tables are basically huge sets of precomputed tables filled with hash values that are pre-matched to possible plaintext passwords. The Rainbow Tables essentially allow hackers to reverse the hashing function to determine what the plaintext password might be. The use of Rainbow Tables allow for passwords to be cracked in a very short amount of time compared with brute-force methods, however, the trade-off is that it takes a lot of storage (sometimes Terabytes) to hold the Rainbow Tables themselves.