CompTIA CompTIA Certifications CAS-003 Questions & Answers

• Question 551:

  The Chief Executive Officer (CEO) of a small start-up company wants to set up offices around the country for the sales staff to generate business. The company needs an effective communication solution to remain in constant contact with each other, while maintaining a secure business environment. A junior-level administrator suggests that the company and the sales staff stay connected via free social media. Which of the following decisions is BEST for the CEO to make?

  A. Social media is an effective solution because it is easily adaptable to new situations.

  B. Social media is an ineffective solution because the policy may not align with the business.

  C. Social media is an effective solution because it implements SSL encryption.

  D. Social media is an ineffective solution because it is not primarily intended for business applications.

  Correct Answer: B

  Social media networks are designed to draw people's attention quickly and to connect people is thus the main focus; security is not the main concern. Thus the CEO should decide that it would be ineffective to use social media in the company as it does not align with the company business.

• Question 552:

  A security administrator wants to calculate the ROI of a security design which includes the purchase of new equipment. The equipment costs $50,000 and it will take 50 hours to install and configure the equipment. The administrator plans to hire a contractor at a rate of $100/hour to do the installation. Given that the new design and equipment will allow the company to increase revenue and make an additional $100,000 on the first year, which of the following is the ROI expressed as a percentage for the first year?

  A. -45 percent

  B. 5.5 percent

  C. 45 percent

  D. 82 percent

  Correct Answer: D

  Return on investment = Net profit / Investment where:Net profit = gross profit ?expenses investment = stock + market outstanding[when defined as?] + claims

  or Return on investment = (gain from investment ?cost of investment) / cost of investment Thus (100 000 ?55 000)/50 000 = 0,82 = 82 % References: Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley and Sons, Indianapolis, 2012, p. 337 http://www.financeformulas.net/Return_on_Investment.html

• Question 553:

  A security administrator was doing a packet capture and noticed a system communicating with an unauthorized address within the 2001::/32 prefix. The network administrator confirms there is no IPv6 routing into or out of the network. Which of the following is the BEST course of action?

  A. Investigate the network traffic and block UDP port 3544 at the firewall

  B. Remove the system from the network and disable IPv6 at the router

  C. Locate and remove the unauthorized 6to4 relay from the network

  D. Disable the switch port and block the 2001::/32 traffic at the firewall

  Correct Answer: A

  The 2001::/32 prefix is used for Teredo tunneling.

  Teredo is a transition technology that gives full IPv6 connectivity for IPv6-capable hosts that are on the IPv4 Internet but have no native connection to an IPv6 network. Unlike similar protocols, it can perform its function even from behind

  network address translation (NAT) devices such as home routers.

  Teredo provides IPv6 (Internet Protocol version 6) connectivity by encapsulating IPv6 datagram packets within IPv4 User Datagram Protocol (UDP) packets. Teredo routes these datagrams on the IPv4 Internet and through NAT devices.

  Teredo nodes elsewhere on the IPv6 network (called Teredo relays) receive the packets, decapsulate them, and pass them on. The Teredo server listens on UDP port 3544.

  Teredo clients are assigned an IPv6 address that starts with the Teredo prefix (2001::/32).

  In this question, the BEST course of action would be to block UDP port 3544 at the firewall. This will block the unauthorized communication. You can then investigate the traffic within the network.

• Question 554:

  Joe, a hacker, has discovered he can specifically craft a webpage that when viewed in a browser crashes the browser and then allows him to gain remote code execution in the context of the victim's privilege level. The browser crashes due to an exception error when a heap memory that is unused is accessed. Which of the following BEST describes the application issue?

  A. Integer overflow

  B. Click-jacking

  C. Race condition

  D. SQL injection

  E. Use after free

  F. Input validation

  Correct Answer: E

  Use-After-Free vulnerabilities are a type of memory corruption flaw that can be leveraged by hackers to execute arbitrary code.

  Use After Free specifically refers to the attempt to access memory after it has been freed, which can cause a program to crash or, in the case of a Use-After-Free flaw, can potentially result in the execution of arbitrary code or even enable full remote code execution capabilities.

  According to the Use After Free definition on the Common Weakness Enumeration (CWE) website, a Use After Free scenario can occur when "the memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process."

• Question 555:

  A security administrator has been asked to select a cryptographic algorithm to meet the criteria of a new application. The application utilizes streaming video that can be viewed both on computers and mobile devices. The application designers have asked that the algorithm support the transport encryption with the lowest possible performance overhead. Which of the following recommendations would BEST meet the needs of the application designers? (Select TWO).

  A. Use AES in Electronic Codebook mode

  B. Use RC4 in Cipher Block Chaining mode

  C. Use RC4 with Fixed IV generation

  D. Use AES with cipher text padding

  E. Use RC4 with a nonce generated IV

  F. Use AES in Counter mode

  Correct Answer: EF

  In cryptography, an initialization vector (IV) is a fixed-size input to a cryptographic primitive that is typically required to be random or pseudorandom. Randomization is crucial for encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between segments of the encrypted message.

  Some cryptographic primitives require the IV only to be non-repeating, and the required randomness is derived internally. In this case, the IV is commonly called a nonce (number used once), and the primitives are described as stateful as opposed to randomized. This is because the IV need not be explicitly forwarded to a recipient but may be derived from a common state updated at both sender and receiver side. An example of stateful encryption schemes is the counter mode of operation, which uses a sequence number as a nonce.

  AES is a block cipher. Counter mode turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a "counter". The counter can be any function which produces a sequence which is guaranteed not to repeat for a long time, although an actual increment-by-one counter is the simplest and most popular.

• Question 556:

  A network engineer wants to deploy user-based authentication across the company's wired and wireless infrastructure at layer 2 of the OSI model. Company policies require that users be centrally managed and authenticated and that each user's network access be controlled based on the user's role within the company. Additionally, the central authentication system must support hierarchical trust and the ability to natively authenticate mobile devices and workstations. Which of the following are needed to implement these requirements? (Select TWO).

  A. SAML

  B. WAYF

  C. LDAP

  D. RADIUS

  E. Shibboleth

  F. PKI

  Correct Answer: CD

  RADIUS is commonly used for the authentication of WiFi connections. We can use LDAP and RADIUS for the authentication of users and devices.

  LDAP and RADIUS have something in common. They`re both mainly protocols (more than a database) which uses attributes to carry information back and forth. They`re clearly defined in RFC documents so you can expect products from different vendors to be able to function properly together. RADIUS is NOT a database. It's a protocol for asking intelligent questions to a user database. LDAP is just a database. In recent offerings it contains a bit of intelligence (like Roles, Class of Service and so on) but it still is mainly just a rather stupid database. RADIUS (actually RADIUS servers like FreeRADIUS) provide the administrator the tools to not only perform user authentication but also to authorize users based on extremely complex checks and logic. For instance you can allow access on a specific NAS only if the user belongs to a certain category, is a member of a specific group and an outside script allows access. There's no way to perform any type of such complex decisions in a user database.

• Question 557:

  A Chief Financial Officer (CFO) has raised concerns with the Chief Information Security Officer (CISO) because money has been spent on IT security infrastructure, but corporate assets are still found to be vulnerable. The business recently funded a patch management product and SOE hardening initiative. A third party auditor reported findings against the business because some systems were missing patches. Which of the following statements BEST describes this situation?

  A. The CFO is at fault because they are responsible for patching the systems and have already been given patch management and SOE hardening products.

  B. The audit findings are invalid because remedial steps have already been applied to patch servers and the remediation takes time to complete.

  C. The CISO has not selected the correct controls and the audit findings should be assigned to them instead of the CFO.

  D. Security controls are generally never 100% effective and gaps should be explained to stakeholders and managed accordingly.

  Correct Answer: D

  Security controls can never be run 100% effective and is mainly observed as a risk mitigation strategy thus the gaps should be explained to all stakeholders and managed accordingly.

• Question 558:

  After being notified of an issue with the online shopping cart, where customers are able to arbitrarily change the price of listed items, a programmer analyzes the following piece of code used by a web based shopping cart.

  SELECT ITEM FROM CART WHERE ITEM=ADDSLASHES($USERINPUT);

  The programmer found that every time a user adds an item to the cart, a temporary file is created on the web server /tmp directory. The temporary file has a name which is generated by concatenating the content of the $USERINPUT variable and a timestamp in the form of MM-DD-YYYY, (e.g. smartphone-12-25-2013.tmp) containing the price of the item being purchased. Which of the following is MOST likely being exploited to manipulate the price of a shopping cart's items?

  A. Input validation

  B. SQL injection

  C. TOCTOU

  D. Session hijacking

  Correct Answer: C

  In this question, TOCTOU is being exploited to allow the user to modify the temp file that contains the price of the item.

  In software development, time of check to time of use (TOCTOU) is a class of software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. This is one example of a race condition.

  A simple example is as follows: Consider a Web application that allows a user to edit pages, and also allows administrators to lock pages to prevent editing. A user requests to edit a page, getting a form which can be used to alter its content. Before the user submits the form, an administrator locks the page, which should prevent editing. However, since editing has already begun, when the user submits the form, those edits (which have already been made) are accepted. When the user began editing, the appropriate authorization was checked, and the user was indeed allowed to edit. However, the authorization was used later, at a time when edits should no longer have been allowed.

  TOCTOU race conditions are most common in Unix between operations on the file system, but can occur in other contexts, including local sockets and improper use of database transactions.

• Question 559:

  The senior security administrator wants to redesign the company DMZ to minimize the risks associated with both external and internal threats. The DMZ design must support security in depth, change management and configuration processes, and support incident reconstruction. Which of the following designs BEST supports the given requirements?

  A. A dual firewall DMZ with remote logging where each firewall is managed by a separate administrator.

  B. A single firewall DMZ where each firewall interface is managed by a separate administrator and logging to the cloud.

  C. A SaaS based firewall which logs to the company's local storage via SSL, and is managed by the change control team.

  D. A virtualized firewall, where each virtual instance is managed by a separate administrator and logging to the same hardware.

  Correct Answer: A

  Security in depth is the concept of creating additional layers of security. The traditional approach of securing the IT infrastructure is no longer enough. Today's threats are multifaceted and often persistent, and traditional network perimeter security controls cannot effectively mitigate them. Organizations need to implement more effective, multi-level security controls that are embedded with their electronic assets. They need to protect key assets from both external and internal threats. This security in depth approach is meant to sustain attacks even when perimeter and traditional controls have been breached.

  In this question, using two firewalls to secure the DMZ from both external and internal attacks is the best approach. Having each firewall managed by a separate administrator will reduce the chance of a configuration error being made on both firewalls. The remote logging will enable incident reconstruction.

• Question 560:

  Which of the following activities is commonly deemed "OUT OF SCOPE" when undertaking a penetration test?

  A. Test password complexity of all login fields and input validation of form fields

  B. Reverse engineering any thick client software that has been provided for the test

  C. Undertaking network-based denial of service attacks in production environment

  D. Attempting to perform blind SQL injection and reflected cross-site scripting attacks

  E. Running a vulnerability scanning tool to assess network and host weaknesses

  Correct Answer: C

  Penetration testing is done to look at a network in an adversarial fashion with the aim of looking at what an attacker will use. Penetration testing is done without malice and undertaking a network-based denial of service attack in the production environment is as such `OUT OF SCOPE'.