CompTIA CompTIA Certifications CAS-003 Questions & Answers

• Question 761:

  A pentester must attempt to crack passwords on a windows domain that enforces strong complex passwords. Which of the following would crack the MOST passwords in the shortest time period?

  A. Online password testing

  B. Rainbow tables attack

  C. Dictionary attack

  D. Brute force attack

  Correct Answer: B

  The passwords in a Windows (Active Directory) domain are encrypted.

  When a password is "tried" against a system it is "hashed" using encryption so that the actual password is never sent in clear text across the communications line. This prevents eavesdroppers from intercepting the password. The hash of a password usually looks like a bunch of garbage and is typically a different length than the original password. Your password might be "shitzu" but the hash of your password would look something like "7378347eedbfdd761619451949225ec1".

  To verify a user, a system takes the hash value created by the password hashing function on the client computer and compares it to the hash value stored in a table on the server. If the hashes match, then the user is authenticated and granted access.

  Password cracking programs work in a similar way to the login process. The cracking program starts by taking plaintext passwords, running them through a hash algorithm, such as MD5, and then compares the hash output with the hashes in the stolen password file. If it finds a match then the program has cracked the password.

  Rainbow Tables are basically huge sets of precomputed tables filled with hash values that are pre-matched to possible plaintext passwords. The Rainbow Tables essentially allow hackers to reverse the hashing function to determine what the plaintext password might be.

  The use of Rainbow Tables allow for passwords to be cracked in a very short amount of time compared with brute-force methods, however, the trade-off is that it takes a lot of storage (sometimes Terabytes) to hold the Rainbow Tables themselves.

• Question 762:

  A developer has implemented a piece of client-side JavaScript code to sanitize a user's provided input to a web page login screen. The code ensures that only the upper case and lower case letters are entered in the username field, and that only a 6-digit PIN is entered in the password field. A security administrator is concerned with the following web server log:

  10.235.62.11 ?- [02/Mar/2014:06:13:04] "GET /site/script.php?user=admiand;pass=pass%20or%201=1 HTTP/1.1" 200 5724

  Given this log, which of the following is the security administrator concerned with and which fix should be implemented by the developer?

  A. The security administrator is concerned with nonprintable characters being used to gain administrative access, and the developer should strip all nonprintable characters.

  B. The security administrator is concerned with XSS, and the developer should normalize Unicode characters on the browser side.

  C. The security administrator is concerned with SQL injection, and the developer should implement server side input validation.

  D. The security administrator is concerned that someone may log on as the administrator, and the developer should ensure strong passwords are enforced.

  Correct Answer: C

  The code in the question is an example of a SQL Injection attack. The code `1=1' will always provide a value of true. This can be included in statement designed to return all rows in a SQL table.

  In this question, the administrator has implemented client-side input validation. Client-side validation can be bypassed. It is much more difficult to bypass server-side input validation.

  SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

• Question 763:

  It has come to the IT administrator's attention that the "post your comment" field on the company blog page has been exploited, resulting in cross-site scripting attacks against customers reading the blog. Which of the following would be the MOST effective at preventing the "post your comment" field from being exploited?

  A. Update the blog page to HTTPS

  B. Filter metacharacters

  C. Install HIDS on the server

  D. Patch the web application

  E. Perform client side input validation

  Correct Answer: B

  A general rule of thumb with regards to XSS is to "Never trust user input and always filter meta-characters."

• Question 764:

  An organization is selecting a SaaS provider to replace its legacy, in house Customer Resource Management (CRM) application. Which of the following ensures the organization mitigates the risk of managing separate user credentials?

  A. Ensure the SaaS provider supports dual factor authentication.

  B. Ensure the SaaS provider supports encrypted password transmission and storage.

  C. Ensure the SaaS provider supports secure hash file exchange.

  D. Ensure the SaaS provider supports role-based access control.

  E. Ensure the SaaS provider supports directory services federation.

  Correct Answer: E

  A SaaS application that has a federation server within the customer's network that interfaces with the customer's own enterprise user-directory service can provide single sign-on authentication. This federation server has a trust relationship with a corresponding federation server located within the SaaS provider's network.

  Single sign-on will mitigate the risk of managing separate user credentials.

• Question 765:

  In a situation where data is to be recovered from an attacker's location, which of the following are the FIRST things to capture? (Select TWO).

  A. Removable media

  B. Passwords written on scrap paper

  C. Snapshots of data on the monitor

  D. Documents on the printer

  E. Volatile system memory

  F. System hard drive

  Correct Answer: CE

  An exact copy of the attacker's system must be captured for further investigation so that the original data can remain unchanged. An analyst will then start the process of capturing data from the most volatile to the least volatile. The order of volatility from most volatile to least volatile is as follows: Data in RAM, including CPU cache and recently used data and applications Data in RAM, including system and network processes Swap files (also known as paging files) stored on local disk drives Data stored on local disk drives Logs stored on remote systems Archive media

• Question 766:

  ABC Corporation uses multiple security zones to protect systems and information, and all of the VM hosts are part of a consolidated VM infrastructure. Each zone has different VM administrators. Which of the following restricts different zone administrators from directly accessing the console of a VM host from another zone?

  A. Ensure hypervisor layer firewalling between all VM hosts regardless of security zone.

  B. Maintain a separate virtual switch for each security zone and ensure VM hosts bind to only the correct virtual NIC(s).

  C. Organize VM hosts into containers based on security zone and restrict access using an ACL.

  D. Require multi-factor authentication when accessing the console at the physical VM host.

  Correct Answer: C

  Access Control Lists (ACLs) are used to restrict access to the console of a virtual host. Virtual hosts are often managed by centralized management servers (for example: VMware vCenter Server). You can create logical containers that can contain multiple hosts and you can configure ACLs on the containers to provide access to the hosts within the container.

• Question 767:

  An analyst connects to a company web conference hosted on www.webconference.com/meetingID#01234 and observes that numerous guests have been allowed to join, without providing identifying information. The topics covered during the web conference are considered proprietary to the company. Which of the following security concerns does the analyst present to management?

  A. Guest users could present a risk to the integrity of the company's information.

  B. Authenticated users could sponsor guest access that was previously approved by management.

  C. Unauthenticated users could present a risk to the confidentiality of the company's information.

  D. Meeting owners could sponsor guest access if they have passed a background check.

  Correct Answer: C

  The issue at stake in this question is confidentiality of information. Topics covered during the web conference are considered proprietary and should remain confidential, which means it should not be shared with unauthorized users.

• Question 768:

  A company that must comply with regulations is searching for a laptop encryption product to use for its 40,000 end points. The product must meet regulations but also be flexible enough to minimize overhead and support in regards to password resets and lockouts. Which of the following implementations would BEST meet the needs?

  A. A partition-based software encryption product with a low-level boot protection and authentication

  B. A container-based encryption product that allows the end users to select which files to encrypt

  C. A full-disk hardware-based encryption product with a low-level boot protection and authentication

  D. A file-based encryption product using profiles to target areas on the file system to encrypt

  Correct Answer: D

  The question is asking for a solution that will minimize overhead and support in regards to password resets and lockouts.

  File based encryption products operate under the context of the computer user's user account. This means that the user does not need to remember a separate password for the encryption software. If the user forgets his user account

  password or is locked out due to failed login attempts, the support department can reset his password from a central database of user accounts (such as Active Directory) without the need to visit the user's computer.

  Profiles can be used to determine areas on the file system to encrypt such as Document folders.

• Question 769:

  A security engineer is responsible for monitoring company applications for known vulnerabilities. Which of the following is a way to stay current on exploits and information security news?

  A. Update company policies and procedures

  B. Subscribe to security mailing lists

  C. Implement security awareness training

  D. Ensure that the organization vulnerability management plan is up-to-date

  Correct Answer: B

  Subscribing to bug and vulnerability, security mailing lists is a good way of staying abreast and keeping up to date with the latest in those fields.

• Question 770:

  A Chief Information Security Officer (CISO) has requested that a SIEM solution be implemented. The CISO wants to know upfront what the projected TCO would be before looking further into this concern. Two vendor proposals have been

  received:

  Vendor A: product-based solution which can be purchased by the pharmaceutical company. Capital expenses to cover central log collectors, correlators, storage and management consoles expected to be $150,000. Operational expenses are

  expected to be a 0.5 full time employee (FTE) to manage the solution, and 1 full time employee to respond to incidents per year.

  Vendor B: managed service-based solution which can be the outsourcer for the pharmaceutical company's needs.

  Bundled offering expected to be $100,000 per year.

  Operational expenses for the pharmaceutical company to partner with the vendor are expected to be a 0.5 FTE per year.

  Internal employee costs are averaged to be $80,000 per year per FTE. Based on calculating TCO of the two vendor proposals over a 5 year period, which of the following options is MOST accurate?

  A. Based on cost alone, having an outsourced solution appears cheaper.

  B. Based on cost alone, having an outsourced solution appears to be more expensive.

  C. Based on cost alone, both outsourced an in-sourced solutions appear to be the same.

  D. Based on cost alone, having a purchased product solution appears cheaper.

  Correct Answer: A

  The costs of making use of an outsources solution will actually be a savings for the company thus the outsourced solution is a cheaper option over a 5 year period because it amounts to 0,5 FTE per year for the company and at present the

  company expense if $80,000 per year per FTE.

  For the company to go alone it will cost $80,000 per annum per FTE = $400,000 over 5 years.

  With Vendor a $150,000 + $200,000 (?FTE) = $350,000

  With Vendor B = $100,000 it will be more expensive.

  References:

  Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley and Sons, Indianapolis, 2012, p. 130