CompTIA CompTIA Certifications CAS-003 Questions & Answers

• Question 701:

  During a recent audit of servers, a company discovered that a network administrator, who required remote access, had deployed an unauthorized remote access application that communicated over common ports already allowed through the firewall. A network scan showed that this remote access application had already been installed on one third of the servers in the company. Which of the following is the MOST appropriate action that the company should take to provide a more appropriate solution?

  A. Implement an IPS to block the application on the network

  B. Implement the remote application out to the rest of the servers

  C. Implement SSL VPN with SAML standards for federation

  D. Implement an ACL on the firewall with NAT for remote access

  Correct Answer: C

  A Secure Sockets Layer (SSL) virtual private network (VPN) would provide the network administrator who requires remote access a secure and reliable method of accessing the system over the Internet. Security Assertion Markup Language (SAML) standards for federation will provide cross-web service authentication and authorization.

• Question 702:

  Customers are receiving emails containing a link to malicious software. These emails are subverting spam filters. The email reads as follows:

  Delivered-To: [email protected]

  Received: by 10.14.120.205

  Mon, 1 Nov 2010 11:15:24 -0700 (PDT)

  Received: by 10.231.31.193

  Mon, 01 Nov 2010 11:15:23 -0700 (PDT)

  Return-Path:

  Received: from 127.0.0.1 for ; Mon, 1 Nov 2010 13:15:14 -0500 (envelope-from )

  Received: by smtpex.example.com (SMTP READY)

  with ESMTP (AIO); Mon, 01 Nov 2010 13:15:14 -0500 Received: from 172.18.45.122 by 192.168.2.55; Mon, 1 Nov 2010 13:15:14 -0500 From: Company To: "[email protected]" Date: Mon, 1 Nov 2010 13:15:11 -0500 Subject: New Insurance Application Thread-Topic: New Insurance Application Please download and install software from the site below to maintain full access to your account. www.examplesite.com

  Additional information: The authorized mail servers IPs are 192.168.2.10 and 192.168.2.11.

  The network's subnet is 192.168.2.0/25.

  Which of the following are the MOST appropriate courses of action a security administrator could take to eliminate this risk? (Select TWO).

  A. Identify the origination point for malicious activity on the unauthorized mail server.

  B. Block port 25 on the firewall for all unauthorized mail servers.

  C. Disable open relay functionality.

  D. Shut down the SMTP service on the unauthorized mail server.

  E. Enable STARTTLS on the spam filter.

  Correct Answer: BD

  In this question, we have an unauthorized mail server using the IP: 192.168.2.55.

  Blocking port 25 on the firewall for all unauthorized mail servers is a common and recommended security step. Port 25 should be open on the firewall to the IP addresses of the authorized email servers only (192.168.2.10 and 192.168.2.11).

  This will prevent unauthorized email servers sending email or receiving and relaying email.

  Email servers use SMTP (Simple Mail Transfer Protocol) to send email to other email servers. Shutting down the SMTP service on the unauthorized mail server is effectively disabling the mail server functionality of the unauthorized server.

• Question 703:

  A company has received the contract to begin developing a new suite of software tools to replace an aging collaboration solution. The original collaboration solution has been in place for nine years, contains over a million lines of code, and took over two years to develop originally. The SDLC has been broken up into eight primary stages, with each stage requiring an in-depth risk analysis before moving on to the next phase. Which of the following software development methods is MOST applicable?

  A. Spiral model

  B. Incremental model

  C. Waterfall model

  D. Agile model

  Correct Answer: C

  The waterfall model is a sequential software development processes, in which progress is seen as flowing steadily downwards through identified phases.

• Question 704:

  A storage as a service company implements both encryption at rest as well as encryption in transit of customers' data. The security administrator is concerned with the overall security of the encrypted customer data stored by the company servers and wants the development team to implement a solution that will strengthen the customer's encryption key. Which of the following, if implemented, will MOST increase the time an offline password attack against the customers' data would take?

  A. key = NULL ; for (int i=0; i<5000; i++) { key = sha(key + password) }

  B. password = NULL ; for (int i=0; i<10000; i++) { password = sha256(key) }

  C. password = password + sha(password+salt) + aes256(password+salt)

  D. key = aes128(sha256(password), password))

  Correct Answer: A

  References: http://stackoverflow.com/questions/4948322/fundamental-difference-between-hashing-and-encryption-algorithms

• Question 705:

  An educational institution would like to make computer labs available to remote students. The labs are used for various IT networking, security, and programming courses. The requirements are:

  Each lab must be on a separate network segment.

  Labs must have access to the Internet, but not other lab networks.

  Student devices must have network access, not simple access to hosts on the lab networks.

  Students must have a private certificate installed before gaining access.

  Servers must have a private certificate installed locally to provide assurance to the students.

  All students must use the same VPN connection profile.

  Which of the following components should be used to achieve the design in conjunction with directory services?

  A. L2TP VPN over TLS for remote connectivity, SAML for federated authentication, firewalls between each lab segment

  B. SSL VPN for remote connectivity, directory services groups for each lab group, ACLs on routing equipment

  C. IPSec VPN with mutual authentication for remote connectivity, RADIUS for authentication, ACLs on network equipment

  D. Cloud service remote access tool for remote connectivity, OAuth for authentication, ACL on routing equipment

  Correct Answer: C

  IPSec VPN with mutual authentication meets the certificates requirements.

  RADIUS can be used with the directory service for the user authentication.

  ACLs (access control lists) are the best solution for restricting access to network hosts.

• Question 706:

  Which of the following technologies prevents an unauthorized HBA from viewing iSCSI target information?

  A. Deduplication

  B. Data snapshots

  C. LUN masking

  D. Storage multipaths

  Correct Answer: C

  A logical unit number (LUN) is a unique identifier that designates individual hard disk devices or grouped devices for address by a protocol associated with a SCSI, iSCSI, Fibre Channel (FC) or similar interface. LUNs are central to the management of block storage arrays shared over a storage area network (SAN).

  LUN masking subdivides access to a given port. Then, even if several LUNs are accessed through the same port, the server masks can be set to limit each server's access to the appropriate LUNs. LUN masking is typically conducted at the host bus adapter (HBA) or switch level.

• Question 707:

  After the install process, a software application executed an online activation process. After a few months, the system experienced a hardware failure. A backup image of the system was restored on a newer revision of the same brand and model device. After the restore, the specialized application no longer works. Which of the following is the MOST likely cause of the problem?

  A. The binary files used by the application have been modified by malware.

  B. The application is unable to perform remote attestation due to blocked ports.

  C. The restored image backup was encrypted with the wrong key.

  D. The hash key summary of hardware and installed software no longer match.

  Correct Answer: D

  Different software vendors have different methods of identifying a computer used to activate software. However, a common component used in software activations is a hardware key (or hardware and software key). This key is a hash value generated based on the hardware (and possibly software) installed on the system.

  For example, when Microsoft software is activated on a computer, the software generates an installation ID that consists of the software product key used during the installation and a hardware key (hash value generated from the computer's hardware). The installation ID is submitted to Microsoft for software activation.

  Changing the hardware on a system can change the hash key which makes the software think it is installed on another computer and is therefore not activated for use on that computer. This is most likely what has happened in this question.

• Question 708:

  A company has issued a new mobile device policy permitting BYOD and company-issued devices. The company-issued device has a managed middleware client that restricts the applications allowed on company devices and provides those that are approved. The middleware client provides configuration standardization for both company owned and BYOD to secure data and communication to the device according to industry best practices. The policy states that, "BYOD clients must meet the company's infrastructure requirements to permit a connection." The company also issues a memorandum separate from the policy, which provides instructions for the purchase, installation, and use of the middleware client on BYOD. Which of the following is being described?

  A. Asset management

  B. IT governance

  C. Change management

  D. Transference of risk

  Correct Answer: B

  It governance is aimed at managing information security risks. It entails educating users about risk and implementing policies and procedures to reduce risk.

• Question 709:

  A security engineer is working on a large software development project. As part of the design of the project, various stakeholder requirements were gathered and decomposed to an implementable and testable level.

  Various security requirements were also documented.

  Organize the following security requirements into the correct hierarchy required for an SRTM.

  Requirement 1: The system shall provide confidentiality for data in transit and data at rest.

  Requirement 2: The system shall use SSL, SSH, or SCP for all data transport.

  Requirement 3: The system shall implement a file-level encryption scheme.

  Requirement 4: The system shall provide integrity for all data at rest.

  Requirement 5: The system shall perform CRC checks on all files.

  A. Level 1: Requirements 1 and 4; Level 2: Requirements 2, 3, and 5

  B. Level 1: Requirements 1 and 4; Level 2: Requirements 2 and 3 under 1, Requirement 5 under 4

  C. Level 1: Requirements 1 and 4; Level 2: Requirement 2 under 1, Requirement 5 under 4; Level 3: Requirement 3 under 2

  D. Level 1: Requirements 1, 2, and 3; Level 2: Requirements 4 and 5

  Correct Answer: B

  Confidentiality and integrity are two of the key facets of data security. Confidentiality ensures that sensitive information is not disclosed to unauthorized users; while integrity ensures that data is not altered by unauthorized users. These are

  Level 1 requirements.

  Confidentiality is enforced through encryption of data at rest, encryption of data in transit, and access control. Encryption of data in transit is accomplished by using secure protocols such as PSec, SSL, PPTP, SSH, and SCP, etc.

  Integrity can be enforced through hashing, digital signatures and CRC checks on the files.

  In the SRTM hierarchy, the enforcement methods would fall under the Level requirement.

  References:

  Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley and Sons, Indianapolis, 2012, pp. 17-19, 20, 27-29

• Question 710:

  An organization uses IP address block 203.0.113.0/24 on its internal network. At the border router, the network administrator sets up rules to deny packets with a source address in this subnet from entering the network, and to deny packets with a destination address in this subnet from leaving the network. Which of the following is the administrator attempting to prevent?

  A. BGP route hijacking attacks

  B. Bogon IP network traffic

  C. IP spoofing attacks

  D. Man-in-the-middle attacks

  E. Amplified DDoS attacks

  Correct Answer: C

  The IP address block 203.0.113.0/24 is used on the internal network. Therefore, there should be no traffic coming into the network claiming to be from an address in the 203.0.113.0/24 range. Similarly, there should be no outbound traffic destined for an address in the 203.0.113.0/24 range. So this has been blocked at the firewall. This is to protect against IP spoofing attacks where an attacker external to the network sends data claiming to be from an internal computer with an address in the 203.0.113.0/24 range.

  IP spoofing, also known as IP address forgery or a host file hijack, is a hijacking technique in which a cracker masquerades as a trusted host to conceal his identity, spoof a Web site, hijack browsers, or gain access to a network. Here's how it works: The hijacker obtains the IP address of a legitimate host and alters packet headers so that the legitimate host appears to be the source.

  When IP spoofing is used to hijack a browser, a visitor who types in the URL (Uniform Resource Locator) of a legitimate site is taken to a fraudulent Web page created by the hijacker. For example, if the hijacker spoofed the Library of Congress Web site, then any Internet user who typed in the URL www.loc.gov would see spoofed content created by the hijacker.

  If a user interacts with dynamic content on a spoofed page, the hijacker can gain access to sensitive information or computer or network resources. He could steal or alter sensitive data, such as a credit card number or password, or install malware. The hijacker would also be able to take control of a compromised computer to use it as part of a zombie army in order to send out spam.