Exam Details

  • Exam Code: CAS-003
  • Exam Name: CompTIA Advanced Security Practitioner (CASP+)
  • Certification: CompTIA Certifications
  • Vendor: CompTIA
  • Total Questions: 791 Q&As
  • Last Updated: Jan 22, 2024

CompTIA Certifications CAS-003 Questions & Answers

  • Question 571:

    The finance department for an online shopping website has discovered that a number of customers were able to purchase goods and services without making any payment. Further analysis conducted by the security investigations team indicated that the website allowed customers to update a payment amount for shipping. A specially crafted value could be entered that caused a rollover, resulting in the shipping cost being subtracted from the balance and, in some instances, a negative balance. As a result, the system processed the negative balance as zero dollars. Which of the following BEST describes the application issue?

    A. Race condition

    B. Click-jacking

    C. Integer overflow

    D. Use after free

    E. SQL injection

  • Question 572:

    A security administrator is assessing a new application. The application uses an API that is supposed to encrypt text strings that are stored in memory. How might the administrator test that the strings are indeed encrypted in memory?

    A. Use fuzzing techniques to examine application inputs

    B. Run nmap to attach to application memory

    C. Use a packet analyzer to inspect the strings

    D. Initiate a core dump of the application

    E. Use an HTTP interceptor to capture the text strings

  • Question 573:

    A security administrator has noticed that an increased number of employees' workstations are becoming infected with malware. The company deploys an enterprise antivirus system as well as a web content filter, which blocks access to malicious web sites where malware files can be downloaded. Additionally, the company implements technical measures to disable external storage. Which of the following is a technical control that the security administrator should implement next to reduce malware infection?

    A. Implement an Acceptable Use Policy which addresses malware downloads.

    B. Deploy a network access control system with a persistent agent.

    C. Enforce mandatory security awareness training for all employees and contractors.

    D. Block cloud-based storage software on the company network.

  • Question 574:

    A vulnerability scanner report shows that a client-server host monitoring solution operating in the credit card corporate environment is managing SSL sessions with a weak algorithm which does not meet corporate policy. Which of the following are true statements? (Select TWO).

    A. The X509 V3 certificate was issued by a non-trusted public CA.

    B. The client-server handshake could not negotiate strong ciphers.

    C. The client-server handshake is configured with a wrong priority.

    D. The client-server handshake is based on TLS authentication.

    E. The X509 V3 certificate is expired.

    F. The client-server implements client-server mutual authentication with different certificates.

  • Question 575:

    A critical system audit shows that the payroll system is not meeting security policy due to missing OS security patches. Upon further review, it appears that the system is not being patched at all. The vendor states that the system is only supported on the current OS patch level. Which of the following compensating controls should be used to mitigate the vulnerability of missing OS patches on this system?

    A. Isolate the system on a secure network to limit its contact with other systems

    B. Implement an application layer firewall to protect the payroll system interface

    C. Monitor the system's security log for unauthorized access to the payroll application

    D. Perform reconciliation of all payroll transactions on a daily basis

  • Question 576:

    The Chief Information Security Officer (CISO) is asking for ways to protect against zero-day exploits. The CISO is concerned that an unrecognized threat could compromise corporate data and result in regulatory fines as well as poor corporate publicity. The network is mostly flat, with split staff/guest wireless functionality. Which of the following equipment MUST be deployed to guard against unknown threats?

    A. Cloud-based antivirus solution, running as local admin, with push technology for definition updates.

    B. Implementation of an offsite data center hosting all company data, as well as deployment of VDI for all client computing needs.

    C. Host-based heuristic IPS, segregated on a management VLAN, with direct control of the perimeter firewall ACLs.

    D. Behavior-based IPS with a communication link to a cloud-based vulnerability and threat feed.

  • Question 577:

    Company XYZ has purchased and is now deploying a new HTML5 application. The company wants to hire a penetration tester to evaluate the security of the client and server components of the proprietary web application before launch. Which of the following is the penetration tester MOST likely to use while performing black box testing of the security of the company's purchased application? (Select TWO).

    A. Code review

    B. Sandbox

    C. Local proxy

    D. Fuzzer

    E. Port scanner

  • Question 578:

    The risk manager at a small bank wants to use quantitative analysis to determine the ALE of running a business system at a location which is subject to fires during the year. A risk analyst reports to the risk manager that the asset value of the business system is $120,000 and, based on industry data, the exposure factor to fires is only 20% due to the fire suppression system installed at the site. Fires occur in the area on average every four years. Which of the following is the ALE?

    A. $6,000

    B. $24,000

    C. $30,000

    D. $96,000

  • Question 579:

    The administrator is troubleshooting availability issues on an FCoE-based storage array that uses deduplication. The single controller in the storage array has failed, so the administrator wants to move the drives to a storage array from a different manufacturer in order to access the data. Which of the following issues may potentially occur?

    A. The data may not be in a usable format.

    B. The new storage array is not FCoE based.

    C. The data may need a file system check.

    D. The new storage array also only has a single controller.

  • Question 580:

    Ann, a systems engineer, is working to identify an unknown node on the corporate network. To begin her investigative work, she runs the following nmap command string:

    user@hostname:~$ sudo nmap 192.168.1.54

    Based on the output, nmap is unable to identify the OS running on the node, but the following ports are open on the device:

    TCP/22
    TCP/111
    TCP/512-514
    TCP/2049
    TCP/32778

    Based on this information, which of the following operating systems is MOST likely running on the unknown node?

    A. Linux

    B. Windows

    C. Solaris

    D. OSX

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CAS-003 exam preparation and CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions.