CompTIA CompTIA Certifications CAS-003 Questions & Answers

• Question 691:

  The IT Security Analyst for a small organization is working on a customer's system and identifies a possible intrusion in a database that contains PII. Since PII is involved, the analyst wants to get the issue addressed as soon as possible. Which of the following is the FIRST step the analyst should take in mitigating the impact of the potential intrusion?

  A. Contact the local authorities so an investigation can be started as quickly as possible.

  B. Shut down the production network interfaces on the server and change all of the DBMS account passwords.

  C. Disable the front-end web server and notify the customer by email to determine how the customer would like to proceed.

  D. Refer the issue to management for handling according to the incident response process.

  Correct Answer: D

  The database contains PII (personally identifiable information) so the natural response is to want to get the issue addressed as soon as possible. However, in this question we have an IT Security Analyst working on a customer's system. Therefore, this IT Security Analyst does not know what the customer's incident response process is. In this case, the IT Security Analyst should refer the issue to company management so they can handle the issue (with your help if required) according to their incident response procedures.

• Question 692:

  Which of the following provides the BEST risk calculation methodology?

  A. Annual Loss Expectancy (ALE) x Value of Asset

  B. Potential Loss x Event Probability x Control Failure Probability

  C. Impact x Threat x Vulnerability

  D. Risk Likelihood x Annual Loss Expectancy (ALE)

  Correct Answer: B

  Of the options given, the BEST risk calculation methodology would be Potential Loss x Event Probability x Control Failure Probability. This exam is about computer and data security so `loss' caused by risk is not necessarily a monetary value.

  For example:

  Potential Loss could refer to the data lost in the event of a data storage failure.

  Event probability could be the risk a disk drive or drives failing.

  Control Failure Probability could be the risk of the storage RAID not being able to handle the number of failed hard drives without losing data.

• Question 693:

  ABC Corporation has introduced token-based authentication to system administrators due to the risk of password compromise. The tokens have a set of HMAC counter-based codes and are valid until they are used. Which of the following types of authentication mechanisms does this statement describe?

  A. TOTP

  B. PAP

  C. CHAP

  D. HOTP

  Correct Answer: D

  The question states that the HMAC counter-based codes and are valid until they are used. These are "one-time" use codes.

  HOTP is an HMAC-based one-time password (OTP) algorithm.

  HOTP can be used to authenticate a user in a system via an authentication server. Also, if some more steps are carried out (the server calculates subsequent OTP value and sends/displays it to the user who checks it against subsequent

  OTP value calculated by his token), the user can also authenticate the validation server.

  Both hardware and software tokens are available from various vendors. Hardware tokens implementing OATH HOTP tend to be significantly cheaper than their competitors based on proprietary algorithms. Some products can be used for

  strong passwords as well as OATH HOTP.

  Software tokens are available for (nearly) all major mobile/smartphone platforms.

• Question 694:

  A security architect is designing a new infrastructure using both type 1 and type 2 virtual machines. In addition to the normal complement of security controls (e.g. antivirus, host hardening, HIPS/NIDS) the security architect needs to implement a mechanism to securely store cryptographic keys used to sign code and code modules on the VMs. Which of the following will meet this goal without requiring any hardware pass-through implementations?

  A. vTPM

  B. HSM

  C. TPM

  D. INE

  Correct Answer: A

  A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer, and it communicates with the

  remainder of the system by using a hardware bus.

  A vTPM is a virtual Trusted Platform Module.

  IBM extended the current TPM V1.2 command set with virtual TPM management commands that allow us to create and delete instances of TPMs. Each created instance of a TPM holds an association with a virtual machine (VM) throughout

  its lifetime on the platform.

• Question 695:

  The Information Security Officer (ISO) is reviewing new policies that have been recently made effective and now apply to the company. Upon review, the ISO identifies a new requirement to implement two-factor authentication on the company's wireless system. Due to budget constraints, the company will be unable to implement the requirement for the next two years. The ISO is required to submit a policy exception form to the Chief Information Officer (CIO). Which of the following are MOST important to include when submitting the exception form? (Select THREE).

  A. Business or technical justification for not implementing the requirements.

  B. Risks associated with the inability to implement the requirements.

  C. Industry best practices with respect to the technical implementation of the current controls.

  D. All sections of the policy that may justify non-implementation of the requirements.

  E. A revised DRP and COOP plan to the exception form.

  F. Internal procedures that may justify a budget submission to implement the new requirement.

  G. Current and planned controls to mitigate the risks.

  Correct Answer: ABG

  The Exception Request must include:

  A description of the non-compliance.

  The anticipated length of non-compliance (2-year maximum).

  The proposed assessment of risk associated with non-compliance.

  The proposed plan for managing the risk associated with non-compliance.

  The proposed metrics for evaluating the success of risk management (if risk is significant).

  The proposed review date to evaluate progress toward compliance.

  An endorsement of the request by the appropriate Information Trustee (VP or Dean).

• Question 696:

  Wireless users are reporting issues with the company's video conferencing and VoIP systems. The security administrator notices internal DoS attacks from infected PCs on the network causing the VoIP system to drop calls. The security administrator also notices that the SIP servers are unavailable during these attacks. Which of the following security controls will MOST likely mitigate the VoIP DoS attacks on the network? (Select TWO).

  A. Install a HIPS on the SIP servers

  B. Configure 802.1X on the network

  C. Update the corporate firewall to block attacking addresses

  D. Configure 802.11e on the network

  E. Configure 802.1q on the network

  Correct Answer: AD

  Host-based intrusion prevention system (HIPS) is an installed software package that will monitor a single host for suspicious activity by analyzing events taking place within that host. IEEE 802.11e is deemed to be of significant consequence for delay-sensitive applications, such as Voice over Wireless LAN and streaming multimedia.

• Question 697:

  Company ABC's SAN is nearing capacity, and will cause costly downtimes if servers run out disk space. Which of the following is a more cost effective alternative to buying a new SAN?

  A. Enable multipath to increase availability

  B. Enable deduplication on the storage pools

  C. Implement snapshots to reduce virtual disk size

  D. Implement replication to offsite datacenter

  Correct Answer: B

  Storage-based data deduplication reduces the amount of storage needed for a given set of files. It is most effective in applications where many copies of very similar or even identical data are stored on a single disk.

  It is common for multiple copies of files to exist on a SAN. By eliminating (deduplicating) repeated copies of the files, we can reduce the disk space used on the existing SAN. This solution is a cost effective alternative to buying a new SAN.

• Question 698:

  Which of the following describes a risk and mitigation associated with cloud data storage?

  A. Risk: Shared hardware caused data leakage

  B. Mitigation: Strong encryption at rest

  C. Risk: Offsite replication Mitigation: Multi-site backups

  D. Risk: Data loss from de-duplication Mitigation: Dynamic host bus addressing

  E. Risk: Combined data archiving

  Mitigation: Two-factor administrator authentication

  Correct Answer: A

  With cloud data storage, the storage provider will have large enterprise SANs providing large pools of storage capacity. Portions of the storage pools are assigned to customers. The risk is that multiple customers are storing their data on the same physical hardware storage devices. This presents a risk (usually a very small risk, but a risk all the same) of other customers using the same cloud storage hardware being able to view your data.

  The mitigation of the risk is to encrypt your data stored on the SAN. Then the data would be unreadable even if another customer was able to access it.

• Question 699:

  Which of the following represents important technical controls for securing a SAN storage infrastructure? (Select TWO).

  A. Synchronous copy of data

  B. RAID configuration

  C. Data de-duplication

  D. Storage pool space allocation

  E. Port scanning

  F. LUN masking/mapping

  G. Port mapping

  Correct Answer: FG

  A logical unit number (LUN) is a unique identifier that designates individual hard disk devices or grouped devices for address by a protocol associated with a SCSI, iSCSI, Fibre Channel (FC) or similar interface. LUNs are central to the management of block storage arrays shared over a storage area network (SAN).

  LUN masking subdivides access to a given port. Then, even if several LUNs are accessed through the same port, the server masks can be set to limit each server's access to the appropriate LUNs. LUN masking is typically conducted at the host bus adapter (HBA) or switch level.

  Port mapping is used in `Zoning'. In storage networking, Fibre Channel zoning is the partitioning of a Fibre Channel fabric into smaller subsets to restrict interference, add security, and to simplify management. While a SAN makes available several devices and/or ports to a single device, each system connected to the SAN should only be allowed access to a controlled subset of these devices/ports.

  Zoning can be applied to either the switch port a device is connected to OR the WWN World Wide Name on the host being connected. As port based zoning restricts traffic flow based on the specific switch port a device is connected to, if the device is moved, it will lose access. Furthermore, if a different device is connected to the port in question, it will gain access to any resources the previous host had access to.

• Question 700:

  The following has been discovered in an internally developed application:

  Error - Memory allocated but not freed:

  char *myBuffer = malloc(BUFFER_SIZE);

  if (myBuffer != NULL) {

  *myBuffer = STRING_WELCOME_MESSAGE;

  printf("Welcome to: %s\n", myBuffer);

  }

  exit(0);

  Which of the following security assessment methods are likely to reveal this security weakness? (Select TWO).

  A. Static code analysis

  B. Memory dumping

  C. Manual code review

  D. Application sandboxing

  E. Penetration testing

  F. Black box testing

  Correct Answer: AC

  A Code review refers to the examination of an application (the new network based software product in this case) that is designed to identify and assess threats to the organization. Application code review ?whether manual or static will reveal the type of security weakness as shown in the exhibit.