Exam Details

  • Exam Code: CAS-002
  • Exam Name: CompTIA Advanced Security Practitioner (CASP+)
  • Certification: CompTIA Certifications
  • Vendor: CompTIA
  • Total Questions: 733 Q&As
  • Last Updated: Jan 22, 2024

CompTIA Certifications CAS-002 Questions & Answers

  • Question 341:

    An Association is preparing to upgrade its firewalls at five locations around the United States. Each of the three vendors' RFP responses is in line with the security and other requirements. Which of the following should the security administrator do to ensure the firewall platform is appropriate for the Association?

    A. Correlate current industry research with the RFP responses to ensure validity.

    B. Create a lab environment to evaluate each of the three firewall platforms.

    C. Benchmark each firewall platform's capabilities and experiences with similar sized companies.

    D. Develop criteria and rate each firewall platform based on information in the RFP responses.

  • Question 342:

    The organization has an IT driver on cloud computing to improve delivery times for IT solution provisioning. Separate to this initiative, a business case has been approved for replacing the existing banking platform for credit card processing with a newer offering. It is the security practitioner's responsibility to evaluate whether the new credit card processing platform can be hosted within a cloud environment. Which of the following BEST balances the security risk and IT drivers for cloud computing?

    A. A third-party cloud computing platform makes sense for new IT solutions. This should be endorsed going forward so as to align with the IT strategy. However, the security practitioner will need to ensure that the third-party cloud provider does regular penetration tests to ensure that all data is secure.

    B. Using a third-party cloud computing environment should be endorsed going forward. This aligns with the organization's strategic direction. It also helps to shift any risk and regulatory compliance concerns away from the company's internal IT department. The next step will be to evaluate each of the cloud computing vendors, so that a vendor can then be selected for hosting the new credit card processing platform.

    C. There may be regulatory restrictions with credit cards being processed out of country or processed by shared hosting providers. A private cloud within the company should be considered. An options paper should be created which outlines the risks, advantages, and disadvantages of the relevant choices, and it should recommend a way forward.

    D. Cloud computing should rarely be considered an option for any processes that need to be significantly secured. The security practitioner needs to convince the stakeholders that the new platform can only be delivered internally on physical infrastructure.

  • Question 343:

    A company has recently implemented a video conference solution that uses the H.323 protocol. The security engineer is asked to make recommendations on how to secure video conferences to protect confidentiality. Which of the following should the security engineer recommend?

    A. Implement H.235 extensions with DES to secure the audio and video transport.

    B. Recommend moving to SIP and RTP as those protocols are inherently secure.

    C. Recommend implementing G.711 for the audio channel and H.264 for the video.

    D. Encapsulate the audio channel in the G.711 codec rather than the unsecured Speex.

  • Question 344:

    Capital Reconnaissance, LLC is building a brand new research and testing location, and the physical security manager wants to deploy IP-based access control and video surveillance. These two systems are essential for keeping the building open for operations. Which of the following controls should the security administrator recommend to determine new threats against the new IP-based access control and video surveillance systems?

    A. Develop a network traffic baseline for each of the physical security systems.

    B. Air gap the physical security networks from the administrative and operational networks.

    C. Require separate non-VLANed networks and NIPS for each physical security system network.

    D. Have the Network Operations Center (NOC) review logs and create a CERT to respond to breaches.

  • Question 345:

    Which of the following vulnerabilities is present in the below source code file named 'AuthenticatedArea.php'?

    <?php
    // Read the username straight from the request (GET, POST or cookie)
    $username = $_REQUEST['username'];

    if ($username != "") {
        // The request value is echoed back into the page without any encoding
        echo "Your username is: " . $_REQUEST['username'];
    } else {
        header("Location: /login.php");
    }
    ?>

    A. Header manipulation

    B. Account disclosure

    C. Unvalidated file inclusion

    D. Cross-site scripting

  • Question 346:

    The security manager is in the process of writing a business case to replace a legacy secure web gateway so as to meet an availability requirement of 99.9% service availability. According to the vendor, the newly acquired firewall has been rated with an MTBF of 10,000 hours and has an MTTR of 2 hours. This equates to 1.75 hours per year of downtime. Based on this, which of the following is the MOST accurate statement?

    A. The firewall will meet the availability requirement because availability will be 99.98%.

    B. The firewall will not meet the availability requirement because availability will be 85%.

    C. The firewall will meet the availability requirement because availability will be 99.993%.

    D. The firewall will not meet the availability requirement because availability will be 99.2%.

  • Question 347:

    A firm's Chief Executive Officer (CEO) is concerned that its IT staff lacks the knowledge to identify complex vulnerabilities that may exist in the payment system being internally developed. The payment system being developed will be sold to a number of organizations and is in direct competition with another leading product. The CEO highlighted, in a risk management meeting, that code base confidentiality is of utmost importance to allow the company to exceed the competition in terms of product reliability, stability and performance. The CEO also highlighted that the company's reputation for secure products is extremely important. Which of the following will provide the MOST thorough testing and satisfy the CEO's requirements?

    A. Use the security assurance team and development team to perform Grey box testing.

    B. Sign an NDA with a large consulting firm and use the firm to perform Black box testing.

    C. Use the security assurance team and development team to perform Black box testing.

    D. Sign an NDA with a small consulting firm and use the firm to perform Grey box testing.

  • Question 348:

    As part of a new wireless implementation, the Chief Information Officer's (CIO's) main objective is to immediately deploy a system that supports the 802.11r standard, which will help wireless VoIP devices in moving vehicles. However, the 802.11r standard was not ratified by the IETF. The wireless vendor's products do support the pre-ratification version of 802.11r. The security and network administrators have tested the product and do not see any security or compatibility issues; however, they are concerned that the standard is not yet final. Which of the following is the BEST way to proceed?

    A. Purchase the equipment now, but do not use 802.11r until the standard is ratified.

    B. Do not purchase the equipment now as the client devices do not yet support 802.11r.

    C. Purchase the equipment now, as long as it will be firmware upgradeable to the final 802.11r standard.

    D. Do not purchase the equipment now; delay the implementation until the IETF has ratified the final 802.11r standard.

  • Question 349:

    The security administrator reports that the physical security of the Ethernet network has been breached, but the fibre channel storage network was not breached. Why might this still concern the storage administrator? (Select TWO).

    A. The storage network uses FCoE.

    B. The storage network uses iSCSI.

    C. The storage network uses vSAN.

    D. The storage network uses switch zoning.

    E. The storage network uses LUN masking.

  • Question 350:

    A system architect has the following constraints from the customer:

      • Confidentiality, Integrity, and Availability (CIA) are all of equal importance.
      • Average availability must be at least 6 nines (99.9999%).
      • All devices must support collaboration with every other user device.
      • All devices must be VoIP and teleconference ready.

    Which of the following security controls is the BEST to apply to this architecture?

    A. Deployment of multiple standard images based on individual hardware configurations, employee choice of hardware and software requirements, triple redundancy of all processing equipment.

    B. Enforcement of strict network access controls and bandwidth minimization techniques, a single standard software image, high speed processing, and distributed backups of all equipment in the datacenter.

    C. Deployment of a unified VDI across all devices, SSD RAID in all servers, multiple identical hot sites, granting administrative rights to all users, backup of system critical data.

    D. Enforcement of security policies on mobile/remote devices, standard images and device hardware configurations, multiple layers of redundancy, and backup on all storage devices.
