CompTIA CompTIA Certifications CAS-003 Questions & Answers

• Question 751:

  An administrator is tasked with securing several website domains on a web server. The administrator elects to secure www.example.com, mail.example.org, archive.example.com, and www.example.org with the same certificate. Which of the following would allow the administrator to secure those domains with a single issued certificate?

  A. Intermediate Root Certificate

  B. Wildcard Certificate

  C. EV x509 Certificate

  D. Subject Alternative Names Certificate

  Correct Answer: D

  Subject Alternative Names let you protect multiple host names with a single SSL certificate. Subject Alternative Names allow you to specify a list of host names to be protected by a single SSL certificate. When you order the certificate, you will specify one fully qualified domain name in the common name field. You can then add other names in the Subject Alternative Names field.

• Question 752:

  There have been some failures of the company's internal facing website. A security engineer has found the WAF to be the root cause of the failures. System logs show that the WAF has been unavailable for 14 hours over the past month, in four separate situations. One of these situations was a two hour scheduled maintenance time, aimed at improving the stability of the WAF. Using the MTTR based on the last month's performance figures, which of the following calculations is the percentage of uptime assuming there were 722 hours in the month?

  A. 92.24 percent

  B. 98.06 percent

  C. 98.34 percent

  D. 99.72 percent

  Correct Answer: B

  A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing

  the rules to your application, many attacks can be identified and blocked.

  14h of down time in a period of 772 supposed uptime = 14/772 x 100 = 1.939 %

  Thus the % of uptime = 100% - 1.939% = 98.06%

  References:

  Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley and Sons, Indianapolis, 2012, pp. 43, 116

• Question 753:

  An attacker attempts to create a DoS event against the VoIP system of a company. The attacker uses a tool to flood the network with a large number of SIP INVITE traffic. Which of the following would be LEAST likely to thwart such an attack?

  A. Install IDS/IPS systems on the network

  B. Force all SIP communication to be encrypted

  C. Create separate VLANs for voice and data traffic

  D. Implement QoS parameters on the switches

  Correct Answer: D

  Quality of service (QoS) is a mechanism that is designed to give priority to different applications, users, or data to provide a specific level of performance. It is often used in networks to prioritize certain types of network traffic. It is not designed to block traffic, per se, but to give certain types of traffic a lower or higher priority than others. This is least likely to counter a denial of service (DoS) attack.

• Question 754:

  The DLP solution has been showing some unidentified encrypted data being sent using FTP to a remote server. A vulnerability scan found a collection of Linux servers that are missing OS level patches. Upon further investigation, a technician notices that there are a few unidentified processes running on a number of the servers. What would be a key FIRST step for the data security team to undertake at this point?

  A. Capture process ID data and submit to anti-virus vendor for review.

  B. Reboot the Linux servers, check running processes, and install needed patches.

  C. Remove a single Linux server from production and place in quarantine.

  D. Notify upper management of a security breach.

  E. Conduct a bit level image, including RAM, of one or more of the Linux servers.

  Correct Answer: E

  Incident management (IM) is a necessary part of a security program. When effective, it mitigates business impact, identifies weaknesses in controls, and helps fine-tune response processes.

  In this question, an attack has been identified and confirmed. When a server is compromised or used to commit a crime, it is often necessary to seize it for forensics analysis. Security teams often face two challenges when trying to remove a physical server from service: retention of potential evidence in volatile storage or removal of a device from a critical business process.

  Evidence retention is a problem when the investigator wants to retain RAM content. For example, removing power from a server starts the process of mitigating business impact, but it also denies forensic analysis of data, processes, keys, and possible footprints left by an attacker.

  A full a bit level image, including RAM should be taken of one or more of the Linux servers. In many cases, if your environment has been deliberately attacked, you may want to take legal action against the perpetrators. In order to preserve this option, you should gather evidence that can be used against them, even if a decision is ultimately made not to pursue such action. It is extremely important to back up the compromised systems as soon as possible. Back up the systems prior to performing any actions that could affect data integrity on the original media.

• Question 755:

  An insurance company has an online quoting system for insurance premiums. It allows potential customers to fill in certain details about their car and obtain a quote. During an investigation, the following patterns were detected:

  Pattern 1 -Analysis of the logs identifies that insurance premium forms are being filled in but only single fields are incrementally being updated.

  Pattern 2 -For every quote completed, a new customer number is created; due to legacy systems, customer numbers are running out.

  Which of the following is the attack type the system is susceptible to, and what is the BEST way to defend against it? (Select TWO).

  A. Apply a hidden field that triggers a SIEM alert

  B. Cross site scripting attack

  C. Resource exhaustion attack

  D. Input a blacklist of all known BOT malware IPs into the firewall

  E. SQL injection

  F. Implement an inline WAF and integrate into SIEM

  G. Distributed denial of service

  H. Implement firewall rules to block the attacking IP addresses

  Correct Answer: CF

  A resource exhaustion attack involves tying up predetermined resources on a system, thereby making the resources unavailable to others.

  Implementing an inline WAF would allow for protection from attacks, as well as log and alert admins to what's going on. Integrating in into SIEM allows for logs and other security-related documentation to be collected for analysis.

• Question 756:

  Company ABC is hiring customer service representatives from Company XYZ. The representatives reside at Company XYZ's headquarters. Which of the following BEST prevents Company XYZ representatives from gaining access to unauthorized Company ABC systems?

  A. Require each Company XYZ employee to use an IPSec connection to the required systems

  B. Require Company XYZ employees to establish an encrypted VDI session to the required systems

  C. Require Company ABC employees to use two-factor authentication on the required systems

  D. Require a site-to-site VPN for intercompany communications

  Correct Answer: B

  VDI stands for Virtual Desktop Infrastructure. Virtual desktop infrastructure is the practice of hosting a desktop operating system within a virtual machine (VM) running on a centralized server.

  Company ABC can configure virtual desktops with the required restrictions and required access to systems that the users in company XYZ require. The users in company XYZ can then log in to the virtual desktops over a secure encrypted connection and then access authorized systems only.

• Question 757:

  A senior network security engineer has been tasked to decrease the attack surface of the corporate network. Which of the following actions would protect the external network interfaces from external attackers performing network scanning?

  A. Remove contact details from the domain name registrar to prevent social engineering attacks.

  B. Test external interfaces to see how they function when they process fragmented IP packets.

  C. Enable a honeynet to capture and facilitate future analysis of malicious attack vectors.

  D. Filter all internal ICMP message traffic, forcing attackers to use full-blown TCP port scans against external network interfaces.

  Correct Answer: B

  Fragmented IP packets are often used to evade firewalls or intrusion detection systems.

  Port Scanning is one of the most popular reconnaissance techniques attackers use to discover services they can break into. All machines connected to a Local Area Network (LAN) or Internet run many services that listen at well-known and not so well known ports. A port scan helps the attacker find which ports are available (i.e., what service might be listing to a port). One problem, from the perspective of the attacker attempting to scan a port, is that services listening on these ports log scans. They see an incoming connection, but no data, so an error is logged. There exist a number of stealth scan

  techniques to avoid this. One method is a fragmented port scan. Fragmented packet Port Scan The scanner splits the TCP header into several IP fragments. This bypasses some packet filter firewalls because they cannot see a complete TCP header that can match their filter rules. Some packet filters and firewalls do queue all IP

  fragments, but many networks cannot afford the performance loss caused by the queuing.

• Question 758:

  An administrator wants to enable policy based flexible mandatory access controls on an open source OS to prevent abnormal application modifications or executions. Which of the following would BEST accomplish this?

  A. Access control lists

  B. SELinux

  C. IPtables firewall

  D. HIPS

  Correct Answer: B

  The most common open source operating system is LINUX.

  Security-Enhanced Linux (SELinux) was created by the United States National Security Agency (NSA) and is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defensetyle mandatory access controls (MAC).

  NSA Security-enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible mandatory access control (MAC) architecture into the major subsystems of the kernel. It provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications.

• Question 759:

  A new piece of ransomware got installed on a company's backup server which encrypted the hard drives containing the OS and backup application configuration but did not affect the deduplication data hard drives. During the incident response, the company finds that all backup tapes for this server are also corrupt. Which of the following is the PRIMARY concern?

  A. Determining how to install HIPS across all server platforms to prevent future incidents

  B. Preventing the ransomware from re-infecting the server upon restore

  C. Validating the integrity of the deduplicated data

  D. Restoring the data will be difficult without the application configuration

  Correct Answer: D

  Ransomware is a type of malware that restricts access to a computer system that it infects in some way, and demands that the user pay a ransom to the operators of the malware to remove the restriction.

  Since the backup application configuration is not accessible, it will require more effort to recover the data.

  Eradication and Recovery is the fourth step of the incident response. It occurs before preventing future problems.

• Question 760:

  Since the implementation of IPv6 on the company network, the security administrator has been unable to identify the users associated with certain devices utilizing IPv6 addresses, even when the devices are centrally managed. en1: flags=8863 mtu 1500 ether f8:1e:af:ab:10:a3 inet6 fw80::fa1e:dfff:fee6:9d8%en1 prefixlen 64 scopeid 0x5 inet 192.168.1.14 netmask 0xffffff00 broadcast 192.168.1.255 inet6 2001:200:5:922:1035:dfff:fee6:9dfe prefixlen 64 autoconf inet6 2001:200:5:922:10ab:5e21:aa9a:6393 prefixlen 64 autoconf temporary nd6 options=1 media: autoselect status: active Given this output, which of the following protocols is in use by the company and what can the system administrator do to positively map users with IPv6 addresses in the future? (Select TWO).

  A. The devices use EUI-64 format

  B. The routers implement NDP

  C. The network implements 6to4 tunneling

  D. The router IPv6 advertisement has been disabled

  E. The administrator must disable IPv6 tunneling

  F. The administrator must disable the mobile IPv6 router flag

  G. The administrator must disable the IPv6 privacy extensions

  H. The administrator must disable DHCPv6 option code 1

  Correct Answer: BG

  IPv6 makes use of the Neighbor Discovery Protocol (NDP). Thus if your routers implement NDP you will be able to map users with IPv6 addresses. However to be able to positively map users with IPv6 addresses you will need to disable IPv6 privacy extensions.