CompTIA CompTIA Certifications CAS-003 Questions & Answers

• Question 741:

  A security administrator notices the following line in a server's security log:

  ') + "';

  The administrator is concerned that it will take the developer a lot of time to fix the application that is running on the server. Which of the following should the security administrator implement to prevent this particular attack?

  A. WAF

  B. Input validation

  C. SIEM

  D. Sandboxing

  E. DAM

  Correct Answer: A

  The attack in this question is an XSS (Cross Site Scripting) attack. We can prevent this attack by using a Web Application Firewall.

  A WAF (Web Application Firewall) protects a Web application by controlling its input and output and the access to and from the application. Running as an appliance, server plug-in or cloud-based service, a WAF inspects every HTML, HTTPS, SOAP and XML-RPC data packet. Through customizable inspection, it is able to prevent attacks such as XSS, SQL injection, session hijacking and buffer overflows, which network firewalls and intrusion detection systems are often not capable of doing. A WAF is also able to detect and prevent new unknown attacks by watching for unfamiliar patterns in the traffic data.

  A WAF can be either network-based or host-based and is typically deployed through a proxy and placed in front of one or more Web applications. In real time or near-real time, it monitors traffic before it reaches the Web application, analyzing all requests using a rule base to filter out potentially harmful traffic or traffic patterns. Web application firewalls are a common security control used by enterprises to protect Web applications against zero-day exploits, impersonation and known vulnerabilities and attackers.

• Question 742:

  A network administrator with a company's NSP has received a CERT alert for targeted adversarial behavior at the company. In addition to the company's physical security, which of the following can the network administrator use to detect the presence of a malicious actor physically accessing the company's network or information systems from within? (Select TWO).

  A. RAS

  B. Vulnerability scanner

  C. HTTP intercept

  D. HIDS

  E. Port scanner

  F. Protocol analyzer

  Correct Answer: DF

  A protocol analyzer can be used to capture and analyze signals and data traffic over a communication channel which makes it ideal for use to assess a company's network from within under the circumstances.

  HIDS is used as an intrusion detection system that can monitor and analyze the internal company network especially the dynamic behavior and the state of the computer systems; behavior such as network packets targeted at that specific host, which programs accesses what resources etc.

• Question 743:

  An IT manager is concerned about the cost of implementing a web filtering solution in an effort to mitigate the risks associated with malware and resulting data leakage. Given that the ARO is twice per year, the ALE resulting from a data leak is $25,000 and the ALE after implementing the web filter is $15,000. The web filtering solution will cost the organization $10,000 per year. Which of the following values is the single loss expectancy of a data leakage event after implementing the web filtering solution?

  A. $0

  B. $7,500

  C. $10,000

  D. $12,500

  E. $15,000

  Correct Answer: B

  The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE). It is mathematically expressed as: ALE = ARO x SLE Single Loss Expectancy (SLE) is mathematically expressed as: Asset value (AV) x Exposure Factor (EF) SLE = AV x EF - Thus the Single Loss Expectancy (SLE) = ALE/ARO = $15,000 / 2 = $ 7,500 References: http://www.financeformulas.net/Return_on_Investment.html

  https://en.wikipedia.org/wiki/Risk_assessment

• Question 744:

  A new web based application has been developed and deployed in production. A security engineer decides to use an HTTP interceptor for testing the application. Which of the following problems would MOST likely be uncovered by this tool?

  A. The tool could show that input validation was only enabled on the client side

  B. The tool could enumerate backend SQL database table and column names

  C. The tool could force HTTP methods such as DELETE that the server has denied

  D. The tool could fuzz the application to determine where memory leaks occur

  Correct Answer: A

  A HTTP Interceptor is a program that is used to assess and analyze web traffic thus it can be used to indicate that input validation was only enabled on the client side.

• Question 745:

  The Information Security Officer (ISO) is reviewing a summary of the findings from the last COOP tabletop exercise. The Chief Information Officer (CIO) wants to determine which additional controls must be implemented to reduce the risk of an extended customer service outage due to the VoIP system being unavailable. Which of the following BEST describes the scenario presented and the document the ISO is reviewing?

  A. The ISO is evaluating the business implications of a recent telephone system failure within the BIA.

  B. The ISO is investigating the impact of a possible downtime of the messaging system within the RA.

  C. The ISO is calculating the budget adjustment needed to ensure audio/video system redundancy within the RFQ.

  D. The ISO is assessing the effect of a simulated downtime involving the telecommunication system within the AAR.

  Correct Answer: D

  VoIP is an integral part of network design and in particular remote access, that enables customers accessing and communicating with the company. If VoIP is unavailable then the company is in a situation that can be compared to downtime. And since the ISO is reviewing he summary of findings from the last COOP tabletop exercise, it can be said that the ISO is assessing the effect of a simulated downtime within the AAR.

• Question 746:

  A penetration tester is inspecting traffic on a new mobile banking application and sends the following web request:

  POST

  http://www.example.com/resources/NewBankAccount HTTP/1.1

  Content-type: application/json

  {

  "account":

  [

  { "creditAccount":"Credit Card Rewards account"}

  { "salesLeadRef":"www.example.com/badcontent/exploitme.exe"}

  ],

  "customer":

  [

  { "name":"Joe Citizen"}

  { "custRef":"3153151"}

  ]

  }

  The banking website responds with:

  HTTP/1.1 200 OK

  {

  "newAccountDetails":

  [

  { "cardNumber":"1234123412341234"}

  { "cardExpiry":"2020-12-31"}

  { "cardCVV":"909"}

  ],

  "marketingCookieTracker":"JSESSIONID=000000001"

  "returnCode":"Account added successfully"

  }

  Which of the following are security weaknesses in this example? (Select TWO).

  A. Missing input validation on some fields

  B. Vulnerable to SQL injection

  C. Sensitive details communicated in clear-text

  D. Vulnerable to XSS

  E. Vulnerable to malware file uploads

  F. JSON/REST is not as secure as XML

  Correct Answer: AC

  The SalesLeadRef field has no input validation. The penetration tester should not be able to enter "www.example.com/badcontent/exploitme.exe" in this field. The credit card numbers are communicated in clear text which makes it vulnerable to an attacker. This kind of information should be encrypted.

• Question 747:

  The helpdesk department desires to roll out a remote support application for internal use on all company computers. This tool should allow remote desktop sharing, system log gathering, chat, hardware logging, inventory management, and remote registry access. The risk management team has been asked to review vendor responses to the RFQ. Which of the following questions is the MOST important?

  A. What are the protections against MITM?

  B. What accountability is built into the remote support application?

  C. What encryption standards are used in tracking database?

  D. What snapshot or "undo" features are present in the application?

  E. What encryption standards are used in remote desktop and file transfer functionality?

  Correct Answer: B

• Question 748:

  A security officer is leading a lessons learned meeting. Which of the following should be components of that meeting? (Select TWO).

  A. Demonstration of IPS system

  B. Review vendor selection process

  C. Calculate the ALE for the event

  D. Discussion of event timeline

  E. Assigning of follow up items

  Correct Answer: DE

  Lessons learned process is the sixth step in the Incident Response process. Everybody that was involved in the process reviews what happened and why it happened. It is during this step that they determine what changes should be introduced to prevent future problems.

• Question 749:

  A firm's Chief Executive Officer (CEO) is concerned that IT staff lacks the knowledge to identify complex vulnerabilities that may exist in a payment system being internally developed. The payment system being developed will be sold to a number of organizations and is in direct competition with another leading product. The CEO highlighted that code base confidentiality is of critical importance to allow the company to exceed the competition in terms of the product's reliability, stability, and performance. Which of the following would provide the MOST thorough testing and satisfy the CEO's requirements?

  A. Sign a MOU with a marketing firm to preserve the company reputation and use in-house resources for random testing.

  B. Sign a BPA with a small software consulting firm and use the firm to perform Black box testing and address all findings.

  C. Sign a NDA with a large security consulting firm and use the firm to perform Grey box testing and address all findings.

  D. Use the most qualified and senior developers on the project to perform a variety of White box testing and code reviews.

  Correct Answer: C

  Gray box testing has limited knowledge of the system as an attacker would. The base code would remain confidential. This would further be enhanced by a Non-disclosure agreement (NDA) which is designed to protect confidential information.

• Question 750:

  An application present on the majority of an organization's 1,000 systems is vulnerable to a buffer overflow attack. Which of the following is the MOST comprehensive way to resolve the issue?

  A. Deploy custom HIPS signatures to detect and block the attacks.

  B. Validate and deploy the appropriate patch.

  C. Run the application in terminal services to reduce the threat landscape.

  D. Deploy custom NIPS signatures to detect and block the attacks.

  Correct Answer: B

  If an application has a known issue (such as susceptibility to buffer overflow attacks) and a patch is released to resolve the specific issue, then the best solution is always to deploy the patch. A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.