CompTIA CompTIA Certifications CAS-003 Questions & Answers

• Question 711:

  An organization is concerned with potential data loss in the event of a disaster, and created a backup datacenter as a mitigation strategy. The current storage method is a single NAS used by all servers in both datacenters. Which of the following options increases data availability in the event of a datacenter failure?

  A. Replicate NAS changes to the tape backups at the other datacenter.

  B. Ensure each server has two HBAs connected through two routes to the NAS.

  C. Establish deduplication across diverse storage paths.

  D. Establish a SAN that replicates between datacenters.

  Correct Answer: D

  A SAN is a Storage Area Network. It is an alternative to NAS storage. SAN replication is a technology that replicates the data on one SAN to another SAN; in this case, it would replicate the data to a SAN in the backup datacenter. In the event of a disaster, the SAN in the backup datacenter would contain all the data on the original SAN.

  Array-based replication is an approach to data backup in which compatible storage arrays use built-in software to automatically copy data from one storage array to another. Array-based replication software runs on one or more storage controllers resident in disk storage systems, synchronously or asynchronously replicating data between similar storage array models at the logical unit number (LUN) or volume block level. The term can refer to the creation of local copies of data within the same array as the source data, as well as the creation of remote copies in an array situated off site.

• Question 712:

  A popular commercial virtualization platform allows for the creation of virtual hardware. To virtual machines, this virtual hardware is indistinguishable from real hardware. By implementing virtualized TPMs, which of the following trusted system concepts can be implemented?

  A. Software-based root of trust

  B. Continuous chain of trust

  C. Chain of trust with a hardware root of trust

  D. Software-based trust anchor with no root of trust

  Correct Answer: C

  A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer, and it communicates with the remainder of the system by using a hardware bus.

  A vTPM is a virtual Trusted Platform Module; a virtual instance of the TPM.

  IBM extended the current TPM V1.2 command set with virtual TPM management commands that allow us to create and delete instances of TPMs. Each created instance of a TPM holds an association with a virtual machine (VM) throughout

  its lifetime on the platform.

  The TPM is the hardware root of trust.

  Chain of trust means to extend the trust boundary from the root(s) of trust, in order to extend the collection of trustworthy functions. Implies/entails transitive trust.

  Therefore a virtual TPM is a chain of trust from the hardware TPM (root of trust).

• Question 713:

  An accountant at a small business is trying to understand the value of a server to determine if the business can afford to buy another server for DR. The risk manager only provided the accountant with the SLE of $24,000, ARO of 20% and the exposure factor of 25%. Which of the following is the correct asset value calculated by the accountant?

  A. $4,800

  B. $24,000

  C. $96,000

  D. $120,000

  Correct Answer: C

  The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE). It is mathematically expressed as: ALE = ARO x SLE Single Loss Expectancy (SLE) is mathematically expressed as: Asset value (AV) x Exposure Factor (EF) Thus if SLE = $ 24,000 and EF = 25% then the Asset value is SLE/EF = $ 96,000 References: http://www.financeformulas.net/Return_on_Investment.html https://en.wikipedia.org/wiki/Risk_assessment

• Question 714:

  A bank is in the process of developing a new mobile application. The mobile client renders content and communicates back to the company servers via REST/JSON calls. The bank wants to ensure that the communication is stateless between the mobile application and the web services gateway. Which of the following controls MUST be implemented to enable stateless communication?

  A. Generate a one-time key as part of the device registration process.

  B. Require SSL between the mobile application and the web services gateway.

  C. The jsession cookie should be stored securely after authentication.

  D. Authentication assertion should be stored securely on the client.

  Correct Answer: D

  JSON Web Tokens (JWTs) are a great mechanism for persisting authentication information in a verifiable and stateless way, but that token still needs to be stored somewhere.

  Login forms are one of the most common attack vectors. We want the user to give us a username and password, so we know who they are and what they have access to. We want to remember who the user is, allowing them to use the UI

  without having to present those credentials a second time. And we want to do all that securely. How can JWTs help?

  The traditional solution is to put a session cookie in the user's browser. This cookie contains an identifier that references a "session" in your server, a place in your database where the server remembers who this user is.

  However there are some drawbacks to session identifiers:

  They're stateful. Your server has to remember that ID, and look it up for every request. This can become a burden with large systems.

  They're opaque. They have no meaning to your client or your server. Your client doesn't know what it's allowed to access, and your server has to go to a database to figure out who this session is for and if they are allowed to perform the

  requested operation.

  JWTs address all of these concerns by being a self-contained, signed, and stateless authentication assertion that can be shared amongst services with a common data format.

  JWTs are self-contained strings signed with a secret key. They contain a set of claims that assert an identity and a scope of access. They can be stored in cookies, but all those rules still apply. In fact, JWTs can replace your opaque session

  identifier, so it's a complete win.

  How To Store JWTs In The Browser

  Short answer: use cookies, with the HttpOnly; Secure flags. This will allow the browser to send along the token for authentication purposes, but won't expose it to the JavaScript environment.

• Question 715:

  Which of the following would be used in forensic analysis of a compromised Linux system? (Select THREE).

  A. Check log files for logins from unauthorized IPs.

  B. Check /proc/kmem for fragmented memory segments.

  C. Check for unencrypted passwords in /etc/shadow.

  D. Check timestamps for files modified around time of compromise.

  E. Use lsof to determine files with future timestamps.

  F. Use gpg to encrypt compromised data files.

  G. Verify the MD5 checksum of system binaries.

  H. Use vmstat to look for excessive disk I/O.

  Correct Answer: ADG

  The MD5 checksum of the system binaries will allow you to carry out a forensic analysis of the compromised Linux system. Together with the log files of logins into the compromised system from unauthorized IPs and the timestamps for those files that were modified around the time that the compromise occurred will serve as useful forensic tools.

• Question 716:

  The Chief Information Officer (CIO) is reviewing the IT centric BIA and RA documentation. The documentation shows that a single 24 hours downtime in a critical business function will cost the business $2.3 million. Additionally, the business unit which depends on the critical business function has determined that there is a high probability that a threat will materialize based on historical data. The CIO's budget does not allow for full system hardware replacement in case of a catastrophic failure, nor does it allow for the purchase of additional compensating controls. Which of the following should the CIO recommend to the finance director to minimize financial loss?

  A. The company should mitigate the risk.

  B. The company should transfer the risk.

  C. The company should avoid the risk.

  D. The company should accept the risk.

  Correct Answer: B

  To transfer the risk is to deflect it to a third party, by taking out insurance for example.

• Question 717:

  A member of the software development team has requested advice from the security team to implement a new secure lab for testing malware. Which of the following is the NEXT step that the security team should take?

  A. Purchase new hardware to keep the malware isolated.

  B. Develop a policy to outline what will be required in the secure lab.

  C. Construct a series of VMs to host the malware environment.

  D. Create a proposal and present it to management for approval.

  Correct Answer: D

  Before we can create a solution, we need to motivate why the solution needs to be created and plan the best implementation with in the company's business operations. We therefore need to create a proposal that explains the intended implementation and allows for the company to budget for it.

• Question 718:

  A new internal network segmentation solution will be implemented into the enterprise that consists of 200 internal firewalls. As part of running a pilot exercise, it was determined that it takes three changes to deploy a new application onto the network before it is operational. Security now has a significant effect on overall availability. Which of the following would be the FIRST process to perform as a result of these findings?

  A. Lower the SLA to a more tolerable level and perform a risk assessment to see if the solution could be met by another solution. Reuse the firewall infrastructure on other projects.

  B. Perform a cost benefit analysis and implement the solution as it stands as long as the risks are understood by the business owners around the availability issues. Decrease the current SLA expectations to match the new solution.

  C. Engage internal auditors to perform a review of the project to determine why and how the project did not meet the security requirements. As part of the review ask them to review the control effectiveness.

  D. Review to determine if control effectiveness is in line with the complexity of the solution. Determine if the requirements can be met with a simpler solution.

  Correct Answer: D

  Checking whether control effectiveness complies with the complexity of the solution and then determining if there is not an alternative simpler solution would be the first procedure to follow in the light of the findings.

• Question 719:

  An assessor identifies automated methods for identifying security control compliance through validating sensors at the endpoint and at Tier 2. Which of the following practices satisfy continuous monitoring of authorized information systems?

  A. Independent verification and validation

  B. Security test and evaluation

  C. Risk assessment

  D. Ongoing authorization

  Correct Answer: D

  Ongoing assessment and authorization is often referred to as continuous monitoring. It is a process that determines whether the set of deployed security controls in an information system continue to be effective with regards to planned and unplanned changes that occur in the system and its environment over time.

  Continuous monitoring allows organizations to evaluate the operating effectiveness of controls on or near a real-time basis. Continuous monitoring enables the enterprise to detect control failures quickly because it transpires immediately or closely after events in which the key controls are utilized.

• Question 720:

  A company provides on-demand cloud computing resources for a sensitive project. The company implements a fully virtualized datacenter and terminal server access with two-factor authentication for customer access to the administrative website. The security administrator at the company has uncovered a breach in data confidentiality. Sensitive data from customer A was found on a hidden directory within the VM of company

  A. Company B is not in the same industry as company A and the two are not competitors. Which of the following has MOST likely occurred?

  B. Both VMs were left unsecured and an attacker was able to exploit network vulnerabilities to access each and move the data.

  C. A stolen two factor token was used to move data from one virtual guest to another host on the same network segment.

  D. A hypervisor server was left un-patched and an attacker was able to use a resource exhaustion attack to

  E. gain unauthorized access.

  F. An employee with administrative access to the virtual guests was able to dump the guest memory onto a mapped disk.

  Correct Answer: A

  In this question, two virtual machines have been accessed by an attacker. The question is asking what is MOST likely to have occurred.

  It is common for operating systems to not be fully patched. Of the options given, the most likely occurrence is that the two VMs were not fully patched allowing an attacker to access each of them. The attacker could then copy data from one VM and hide it in a hidden folder on the other VM.