CompTIA CompTIA Advanced Security Practitioner RC0-C02 Questions & Answers

• Question 281:

  A company decides to purchase commercially available software packages. This can introduce new security risks to the network. Which of the following is the BEST description of why this is true?

  A. Commercially available software packages are typically well known and widely available. Information concerning vulnerabilities and viable attack patterns are never revealed by the developer to avoid lawsuits.

  B. Commercially available software packages are often widely available. Information concerning vulnerabilities is often kept internal to the company that developed the software.

  C. Commercially available software packages are not widespread and are only available in limited areas. Information concerning vulnerabilities is often ignored by business managers.

  D. Commercially available software packages are well known and widely available. Information concerning vulnerabilities and viable attack patterns are always shared within the IT community.

  Correct Answer: B

  Commercially available software packages are often widely available. Huge companies like Microsoft develop software packages that are widely available and in use on most computers. Most companies that develop commercial software make their software available through many commercial outlets (computer stores, online stores etc). Information concerning vulnerabilities is often kept internal to the company that developed the software. The large companies that develop commercial software packages are accountable for the software. Information concerning vulnerabilities being made available could have a huge financial cost to the company in terms of loss of reputation and lost revenues. Information concerning vulnerabilities is often kept internal to the company at least until a patch is available to fix the vulnerability.

• Question 282:

  Joe, a penetration tester, is tasked with testing the security robustness of the protocol between a mobile web application and a RESTful application server. Which of the following security tools would be required to assess the security between the mobile web application and the RESTful application server? (Select TWO).

  A. Jailbroken mobile device

  B. Reconnaissance tools

  C. Network enumerator

  D. HTTP interceptor

  E. Vulnerability scanner

  F. Password cracker

  Correct Answer: DE

  Communications between a mobile web application and a RESTful application server will use the HTTP protocol. To capture the HTTP communications for analysis, you should use an HTTP Interceptor.

  To assess the security of the application server itself, you should use a vulnerability scanner.

  A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are

  important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a

  database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security. Vulnerability scanning typically refers to the

  scanning of systems that are connected to the Internet but can also refer to system audits on internal networks that are not connected to the Internet in order to assess the threat of rogue software or malicious employees in an enterprise.

• Question 283:

  A security administrator is performing VDI traffic data collection on a virtual server which migrates from one host to another. While reviewing the data collected by the protocol analyzer, the security administrator notices that sensitive data is present in the packet capture. Which of the following should the security administrator recommend to ensure the confidentiality of sensitive information during live VM migration, while minimizing latency issues?

  A. A separate physical interface placed on a private VLAN should be configured for live host operations.

  B. Database record encryption should be used when storing sensitive information on virtual servers.

  C. Full disk encryption should be enabled across the enterprise to ensure the confidentiality of sensitive data.

  D. Sensitive data should be stored on a backend SAN which uses an isolated fiber channel network.

  Correct Answer: A

  VDI virtual machines can be migrated across physical hosts while the virtual machines are still powered on. In VMware, this is called vMotion. In Microsoft Hyper-V, this is called Live Migration.

  When a virtual machine is migrated between hosts, the data is unencrypted as it travels across the network. To prevent access to the data as it travels across the network, a dedicated network should be created for virtual machine migrations.

  The dedicated migration network should only be accessible by the virtual machine hosts to maximize security.

• Question 284:

  The organization has an IT driver on cloud computing to improve delivery times for IT solution provisioning. Separate to this initiative, a business case has been approved for replacing the existing banking platform for credit card processing with a newer offering. It is the security practitioner's responsibility to evaluate whether the new credit card processing platform can be hosted within a cloud environment. Which of the following BEST balances the security risk and IT drivers for cloud computing?

  A. A third-party cloud computing platform makes sense for new IT solutions. This should be endorsed going forward so as to align with the IT strategy. However, the security practitioner will need to ensure that the third-party cloud provider does regular penetration tests to ensure that all data is secure.

  B. Using a third-party cloud computing environment should be endorsed going forward. This aligns with the organization's strategic direction. It also helps to shift any risk and regulatory compliance concerns away from the company's internal IT department. The next step will be to evaluate each of the cloud computing vendors, so that a vendor can then be selected for hosting the new credit card processing platform.

  C. There may be regulatory restrictions with credit cards being processed out of country or processed by shared hosting providers. A private cloud within the company should be considered. An options paper should be created which outlines the risks, advantages, disadvantages of relevant choices and it should recommended a way forward.

  D. Cloud computing should rarely be considered an option for any processes that need to be significantly secured. The security practitioner needs to convince the stakeholders that the new platform can only be delivered internally on physical infrastructure.

  Correct Answer: C

• Question 285:

  Company ABC's SAN is nearing capacity, and will cause costly downtimes if servers run out disk space. Which of the following is a more cost effective alternative to buying a new SAN?

  A. Enable multipath to increase availability

  B. Enable deduplication on the storage pools

  C. Implement snapshots to reduce virtual disk size

  D. Implement replication to offsite datacenter

  Correct Answer: B

  Storage-based data deduplication reduces the amount of storage needed for a given set of files. It is most effective in applications where many copies of very similar or even identical data are stored on a single disk.

  It is common for multiple copies of files to exist on a SAN. By eliminating (deduplicating) repeated copies of the files, we can reduce the disk space used on the existing SAN. This solution is a cost effective alternative to buying a new SAN.

• Question 286:

  A developer is determining the best way to improve security within the code being developed. The developer is focusing on input fields where customers enter their credit card details. Which of the following techniques, if implemented in the code, would be the MOST effective in protecting the fields from malformed input?

  A. Client side input validation

  B. Stored procedure

  C. Encrypting credit card details

  D. Regular expression matching

  Correct Answer: D

  Regular expression matching is a technique for reading and validating input, particularly in web software. This question is asking about securing input fields where customers enter their credit card details. In this case, the expected input into the credit card number field would be a sequence of numbers of a certain length. We can use regular expression matching to verify that the input is indeed a sequence of numbers. Anything that is not a sequence of numbers could be malicious code.

• Question 287:

  An administrator is tasked with securing several website domains on a web server. The administrator elects to secure www.example.com, mail.example.org, archive.example.com, and www.example.org with the same certificate. Which of the following would allow the administrator to secure those domains with a single issued certificate?

  A. Intermediate Root Certificate

  B. Wildcard Certificate

  C. EV x509 Certificate

  D. Subject Alternative Names Certificate

  Correct Answer: D

  Subject Alternative Names let you protect multiple host names with a single SSL certificate. Subject Alternative Names allow you to specify a list of host names to be protected by a single SSL certificate. When you order the certificate, you will specify one fully qualified domain name in the common name field. You can then add other names in the Subject Alternative Names field.

• Question 288:

  A government agency considers confidentiality to be of utmost importance and availability issues to be of least importance. Knowing this, which of the following correctly orders various vulnerabilities in the order of MOST important to LEAST important?

  A. Insecure direct object references, CSRF, Smurf

  B. Privilege escalation, Application DoS, Buffer overflow

  C. SQL injection, Resource exhaustion, Privilege escalation

  D. CSRF, Fault injection, Memory leaks

  Correct Answer: A

  Insecure direct object references are used to access data. CSRF attacks the functions of a web site which could access data. A Smurf attack is used to take down a system.

  A direct object reference is likely to occur when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key without any validation mechanism which will allow attackers to manipulate these references to access unauthorized data. Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user's Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. The impact of a successful cross-site request forgery attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context. In effect, CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer, form submission etc.) via the target's browser without knowledge of the target user, at least until the unauthorized function has been committed. A smurf attack is a type of network security breach in which a network connected to the Internet is swamped with replies to ICMP echo (PING) requests. A smurf attacker sends PING requests to an Internet broadcast address. These are special addresses that broadcast all received messages to the hosts connected to the subnet. Each broadcast address can support up to 255 hosts, so a single PING request can be multiplied 255 times. The return address of the request itself is spoofed to be the address of the attacker's victim. All the hosts receiving the PING request reply to this victim's address instead of the real sender's address. A single attacker sending hundreds or thousands of these PING messages per second can fill the victim's T-1 (or even T-3) line with ping replies, bring the entire Internet service to its knees. Smurfing falls under the general category of Denial of Service attacks -- security attacks that don't try to steal information, but instead attempt to disable a computer or network.

• Question 289:

  Ann is testing the robustness of a marketing website through an intercepting proxy. She has intercepted the following HTTP request:

  POST /login.aspx HTTP/1.1

  Host: comptia.org

  Content-type: text/html

  txtUsername=annandtxtPassword=annandalreadyLoggedIn=falseandsubmit=true

  Which of the following should Ann perform to test whether the website is susceptible to a simple authentication bypass?

  A. Remove all of the post data and change the request to /login.aspx from POST to GET

  B. Attempt to brute force all usernames and passwords using a password cracker

  C. Remove the txtPassword post data and change alreadyLoggedIn from false to true

  D. Remove the txtUsername and txtPassword post data and toggle submit from true to false

  Correct Answer: C

  The text "txtUsername=annandtxtPassword=ann" is an attempted login using a username of `ann' and also a password of `ann'.

  The text "alreadyLoggedIn=false" is saying that Ann is not already logged in. To test whether we can bypass the authentication, we can attempt the login without the password and we can see if we can bypass the `alreadyloggedin' check by

  changing alreadyLoggedIn from false to true. If we are able to log in, then we have bypassed the authentication check.

• Question 290:

  A security administrator is shown the following log excerpt from a Unix system:

  2013 Oct 10 07:14:57 web14 sshd[1632]: Failed password for root from 198.51.100.23 port 37914 ssh2

  2013 Oct 10 07:14:57 web14 sshd[1635]: Failed password for root from 198.51.100.23 port 37915 ssh2

  2013 Oct 10 07:14:58 web14 sshd[1638]: Failed password for root from 198.51.100.23 port 37916 ssh2

  2013 Oct 10 07:15:59 web14 sshd[1640]: Failed password for root from 198.51.100.23 port 37918 ssh2

  2013 Oct 10 07:16:00 web14 sshd[1641]: Failed password for root from 198.51.100.23 port 37920 ssh2

  2013 Oct 10 07:16:00 web14 sshd[1642]: Successful login for root from 198.51.100.23 port 37924 ssh2

  Which of the following is the MOST likely explanation of what is occurring and the BEST immediate response? (Select TWO).

  A. An authorized administrator has logged into the root account remotely.

  B. The administrator should disable remote root logins.

  C. Isolate the system immediately and begin forensic analysis on the host.

  D. A remote attacker has compromised the root account using a buffer overflow in sshd.

  E. A remote attacker has guessed the root password using a dictionary attack.

  F. Use iptables to immediately DROP connections from the IP 198.51.100.23.

  G. A remote attacker has compromised the private key of the root account.

  H. Change the root password immediately to a password not found in a dictionary.

  Correct Answer: CE

  The log shows six attempts to log in to a system. The first five attempts failed due to `failed password'. The sixth attempt was a successful login. Therefore, the MOST likely explanation of what is occurring is that a remote attacker has

  guessed the root password using a dictionary attack.

  The BEST immediate response is to isolate the system immediately and begin forensic analysis on the host. You should isolate the system to prevent any further access to it and prevent it from doing any damage to other systems on the

  network. You should perform a forensic analysis on the system to determine what the attacker did on the system after gaining access.