CompTIA CompTIA Certifications CAS-003 Questions & Answers

• Question 561:

  Ann is testing the robustness of a marketing website through an intercepting proxy. She has intercepted the following HTTP request: POST /login.aspx HTTP/1.1 Host: comptia.org Content-type: text/html txtUsername=annandtxtPassword=annandalreadyLoggedIn=falseandsubmit=true Which of the following should Ann perform to test whether the website is susceptible to a simple authentication bypass?

  A. Remove all of the post data and change the request to /login.aspx from POST to GET

  B. Attempt to brute force all usernames and passwords using a password cracker

  C. Remove the txtPassword post data and change alreadyLoggedIn from false to true

  D. Remove the txtUsername and txtPassword post data and toggle submit from true to false

  Correct Answer: C

  The text "txtUsername=annandtxtPassword=ann" is an attempted login using a username of `ann' and also a password of `ann'.

  The text "alreadyLoggedIn=false" is saying that Ann is not already logged in.

  To test whether we can bypass the authentication, we can attempt the login without the password and we can see if we can bypass the `alreadyloggedin' check by changing alreadyLoggedIn from false to true. If we are able to log in, then we

  have bypassed the authentication check.

• Question 562:

  The Chief Information Security Officer (CISO) at a company knows that many users store business documents on public cloud-based storage, and realizes this is a risk to the company. In response, the CISO implements a mandatory training course in which all employees are instructed on the proper use of cloud-based storage. Which of the following risk strategies did the CISO implement?

  A. Avoid

  B. Accept

  C. Mitigate

  D. Transfer

  Correct Answer: C

  Mitigation means that a control is used to reduce the risk. In this case, the control is training.

• Question 563:

  During an incident involving the company main database, a team of forensics experts is hired to respond to the breach. The team is in charge of collecting forensics evidence from the company's database server. Which of the following is the correct order in which the forensics team should engage?

  A. Notify senior management, secure the scene, capture volatile storage, capture non-volatile storage, implement chain of custody, and analyze original media.

  B. Take inventory, secure the scene, capture RAM, capture hard drive, implement chain of custody, document, and analyze the data.

  C. Implement chain of custody, take inventory, secure the scene, capture volatile and non-volatile storage, and document the findings.

  D. Secure the scene, take inventory, capture volatile storage, capture non-volatile storage, document, and implement chain of custody.

  Correct Answer: D

  The scene has to be secured first to prevent contamination. Once a forensic copy has been created, an analyst will begin the process of moving from most volatile to least volatile information. The chain of custody helps to protect the integrity and reliability of the evidence by keeping an evidence log that shows all access to evidence, from collection to appearance in court.

• Question 564:

  Company policy requires that all unsupported operating systems be removed from the network. The security administrator is using a combination of network based tools to identify such systems for the purpose of disconnecting them from the network. Which of the following tools, or outputs from the tools in use, can be used to help the security administrator make an approximate determination of the operating system in use on the local company network? (Select THREE).

  A. Passive banner grabbing

  B. Password cracker

  C. http://www.company.org/documents_private/index.php?search=string# andtopic=windowsandtcp=packet%20captureandcookie=wokdjwalkjcnie61lkasdf2aliser4

  D. 443/tcp open http

  E. dig host.company.com

  F. 09:18:16.262743 IP (tos 0x0, ttl 64, id 9870, offset 0, flags [none], proto TCP (6), length 40) 192.168.1.3.1051 > 10.46.3.7.80: Flags [none], cksum 0x1800 (correct), win 512, length 0

  G. Nmap

  Correct Answer: AFG

  Banner grabbing and operating system identification can also be defined as fingerprinting the TCP/IP stack. Banner grabbing is the process of opening a connection and reading the banner or response sent by the application. The output displayed in option F includes information commonly examined to fingerprint the OS.

  Nmap provides features that include host discovery, as well as service and operating system detection.

• Question 565:

  A small company is developing a new Internet-facing web application. The security requirements are:

  Users of the web application must be uniquely identified and authenticated.

  Users of the web application will not be added to the company's directory services.

  Passwords must not be stored in the code.

  Which of the following meets these requirements?

  A. Use OpenID and allow a third party to authenticate users.

  B. Use TLS with a shared client certificate for all users.

  C. Use SAML with federated directory services.

  D. Use Kerberos and browsers that support SAML.

  Correct Answer: A

  Users create accounts by selecting an OpenID identity provider, and then use those accounts to sign onto any website which accepts OpenID authentication.

  OpenID is an open standard and decentralized protocol by the non-profit OpenID Foundation that allows users to be authenticated by certain co-operating sites (known as Relying Parties or RP) using a third party service. This eliminates the need for webmasters to provide their own ad hoc systems and allowing users to consolidate their digital identities. In other words, users can log into multiple unrelated websites without having to register with their information over and over again.

  Several large organizations either issue or accept OpenIDs on their websites according to the OpenID Foundation: AOL, Blogger, Flickr, France Telecom, Google, Hyves, LiveJournal, Microsoft (provider name Microsoft account), Mixi, Myspace, Novell, Orange, Sears, Sun, Telecom Italia, Universal Music Group, VeriSign, WordPress, and Yahoo!. Other providers include BBC, IBM, PayPal, and Steam.

• Question 566:

  A large enterprise acquires another company which uses antivirus from a different vendor. The CISO has requested that data feeds from the two different antivirus platforms be combined in a way that allows management to assess and rate the overall effectiveness of antivirus across the entire organization. Which of the following tools can BEST meet the CISO's requirement?

  A. GRC

  B. IPS

  C. CMDB

  D. Syslog-ng

  E. IDS

  Correct Answer: A

  GRC is a discipline that aims to coordinate information and activity across governance, risk management and compliance with the purpose of operating more efficiently, enabling effective information sharing, more effectively reporting activities and avoiding wasteful overlaps. An integrated GRC (iGRC) takes data feeds from one or more sources that detect or sense abnormalities, faults or other patterns from security or business applications.

• Question 567:

  An intruder was recently discovered inside the data center, a highly sensitive area. To gain access, the intruder circumvented numerous layers of physical and electronic security measures. Company leadership has asked for a thorough review of physical security controls to prevent this from happening again. Which of the following departments are the MOST heavily invested in rectifying the problem? (Select THREE).

  A. Facilities management

  B. Human resources

  C. Research and development

  D. Programming

  E. Data center operations

  F. Marketing

  G. Information technology

  Correct Answer: AEG

  A: Facilities management is responsible for the physical security measures in a facility or building.

  E: The breach occurred in the data center, therefore the Data center operations would be greatly concerned.

  G: Data centers are important aspects of information technology (IT) in large corporations. Therefore the IT department would be greatly concerned.

• Question 568:

  The security administrator finds unauthorized tables and records, which were not present before, on a Linux database server. The database server communicates only with one web server, which connects to the database server via an account with SELECT only privileges. Web server logs show the following:

  90.76.165.40 -- [08/Mar/2014:10:54:04] "GET calendar.php?create%20table%20hidden HTTP/1.1" 200 5724

  90.76.165.40 -- [08/Mar/2014:10:54:05] "GET ../../../root/.bash_history HTTP/1.1" 200 5724

  90.76.165.40 -- [08/Mar/2014:10:54:04] "GET index.php?user<;scrip>;Creat<;/scrip>; HTTP/1.1" 200 5724 The security administrator also inspects the following file system locations on the database server using the command `ls -al /root' drwxrwxrwx 11 root root 4096 Sep 28 22:45 . drwxr-xr-x 25 root root 4096 Mar 8 09:30 .. -rws------ 25 root root 4096 Mar 8 09:30 .bash_history -rw------- 25 root root 4096 Mar 8 09:30 .bash_history -rw------- 25 root root 4096 Mar 8 09:30 .profile -rw------- 25 root root 4096 Mar 8 09:30 .ssh Which of the following attacks was used to compromise the database server and what can the security administrator implement to detect such attacks in the future? (Select TWO).

  A. Privilege escalation

  B. Brute force attack

  C. SQL injection

  D. Cross-site scripting

  E. Using input validation, ensure the following characters are sanitized: <>

  F. Update crontab with: find / \( -perm -4000 \) -type f -print0 | xargs -0 ls -l | email.sh

  G. Implement the following PHP directive: $clean_user_input = addslashes($user_input)

  H. Set an account lockout policy

  Correct Answer: AF

  This is an example of privilege escalation.

  Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

  The question states that the web server communicates with the database server via an account with SELECT only privileges. However, the privileges listed include read, write and execute (rwx). This suggests the privileges have been

  `escalated'.

  Now that we know the system has been attacked, we should investigate what was done to the system.

  The command "Update crontab with: find / \( -perm -4000 \) -type f -print0 | xargs -0 ls -l | email.sh" is used to find all the files that are setuid enabled. Setuid means set user ID upon execution. If the setuid bit is turned on for a file, the user

  executing that executable file gets the permissions of the individual or group that owns the file.

• Question 569:

  A security administrator notices a recent increase in workstations becoming compromised by malware. Often, the malware is delivered via drive-by downloads, from malware hosting websites, and is not being detected by the corporate antivirus. Which of the following solutions would provide the BEST protection for the company?

  A. Increase the frequency of antivirus downloads and install updates to all workstations.

  B. Deploy a cloud-based content filter and enable the appropriate category to prevent further infections.

  C. Deploy a WAF to inspect and block all web traffic which may contain malware and exploits.

  D. Deploy a web based gateway antivirus server to intercept viruses before they enter the network.

  Correct Answer: B

  The undetected malware gets delivered to the company via drive-by and malware hosing websites. Display filters and Capture filters when deployed on the cloud-based content should provide the protection required.

• Question 570:

  A company sales manager received a memo from the company's financial department which stated that the company would not be putting its software products through the same security testing as previous years to reduce the research and development cost by 20 percent for the upcoming year. The memo also stated that the marketing material and service level agreement for each product would remain unchanged. The sales manager has reviewed the sales goals for the upcoming year and identified an increased target across the software products that will be affected by the financial department's change. All software products will continue to go through new development in the coming year. Which of the following should the sales manager do to ensure the company stays out of trouble?

  A. Discuss the issue with the software product's user groups

  B. Consult the company's legal department on practices and law

  C. Contact senior finance management and provide background information

  D. Seek industry outreach for software practices and law

  Correct Answer: B

  To ensure that the company stays out of trouble, the sales manager should enquire about the legal ramifications of the change by consulting with the company's legal department, particularly as the marketing material is not being amended.