CompTIA CompTIA Certifications CAS-003 Questions & Answers

• Question 771:

  An investigator wants to collect the most volatile data first in an incident to preserve the data that runs the highest risk of being lost. After memory, which of the following BEST represents the remaining order of volatility that the investigator should follow?

  A. File system information, swap files, network processes, system processes and raw disk blocks.

  B. Raw disk blocks, network processes, system processes, swap files and file system information.

  C. System processes, network processes, file system information, swap files and raw disk blocks.

  D. Raw disk blocks, swap files, network processes, system processes, and file system information.

  Correct Answer: C

  The order in which you should collect evidence is referred to as the Order of volatility. Generally, evidence should be collected from the most volatile to the least volatile. The order of volatility from most volatile to least volatile is as follows: Data in RAM, including CPU cache and recently used data and applications Data in RAM, including system and network processes Swap files (also known as paging files) stored on local disk drives Data stored on local disk drives Logs stored on remote systems Archive media

• Question 772:

  News outlets are beginning to report on a number of retail establishments that are experiencing payment card data breaches. The data exfiltration is enabled by malware on a compromised computer. After the initial exploit, network mapping and fingerprinting is conducted to prepare for further exploitation. Which of the following is the MOST effective solution to protect against unrecognized malware infections?

  A. Remove local admin permissions from all users and change anti-virus to a cloud aware, push technology.

  B. Implement an application whitelist at all levels of the organization.

  C. Deploy a network based heuristic IDS, configure all layer 3 switches to feed data to the IDS for more effective monitoring.

  D. Update router configuration to pass all network traffic through a new proxy server with advanced malware detection.

  Correct Answer: B

  In essence a whitelist screening will ensure that only acceptable applications are passed / or granted access.

• Question 773:

  A government agency considers confidentiality to be of utmost importance and availability issues to be of least importance. Knowing this, which of the following correctly orders various vulnerabilities in the order of MOST important to LEAST important?

  A. Insecure direct object references, CSRF, Smurf

  B. Privilege escalation, Application DoS, Buffer overflow

  C. SQL injection, Resource exhaustion, Privilege escalation

  D. CSRF, Fault injection, Memory leaks

  Correct Answer: A

  Insecure direct object references are used to access data. CSRF attacks the functions of a web site which could access data. A Smurf attack is used to take down a system.

  A direct object reference is likely to occur when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key without any validation mechanism which will allow attackers to manipulate these references to access unauthorized data.

  Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user's Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. The impact of a successful cross-site request forgery attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context. In effect, CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer, form submission etc.) via the target's browser without knowledge of the target user, at least until the unauthorized function has been committed.

  A smurf attack is a type of network security breach in which a network connected to the Internet is swamped with replies to ICMP echo (PING) requests. A smurf attacker sends PING requests to an Internet broadcast address. These are special addresses that broadcast all received messages to the hosts connected to the subnet. Each broadcast address can support up to 255 hosts, so a single PING request can be multiplied 255 times. The return address of the request itself is spoofed to be the address of the attacker's victim. All the hosts receiving the PING request reply to this victim's address instead of the real sender's address. A single attacker sending hundreds or thousands of these PING messages per second can fill the victim's T-1 (or even T-3) line with ping replies, bring the entire Internet service to its knees.

  Smurfing falls under the general category of Denial of Service attacks -- security attacks that don't try to steal information, but instead attempt to disable a computer or network.

• Question 774:

  The Information Security Officer (ISO) believes that the company has been targeted by cybercriminals and it is under a cyber attack. Internal services that are normally available to the public via the Internet are inaccessible, and employees in the office are unable to browse the Internet. The senior security engineer starts by reviewing the bandwidth at the border router, and notices that the incoming bandwidth on the router's external interface is maxed out. The security engineer then inspects the following piece of log to try and determine the reason for the downtime, focusing on the company's external router's IP which is 128.20.176.19:

  11:16:22.110343 IP 90.237.31.27.19 > 128.20.176.19.19: UDP, length 1400 11:16:22.110351 IP 23.27.112.200.19 > 128.20.176.19.19: UDP, length 1400 11:16:22.110358 IP 192.200.132.213.19 > 128.20.176.19.19: UDP, length 1400 11:16:22.110402 IP 70.192.2.55.19 > 128.20.176.19.19: UDP, length 1400 11:16:22.110406 IP 112.201.7.39.19 > 128.20.176.19.19: UDP, length 1400 Which of the following describes the findings the senior security engineer should report to the ISO and the BEST solution for service restoration?

  A. After the senior engineer used a network analyzer to identify an active Fraggle attack, the company's ISP should be contacted and instructed to block the malicious packets.

  B. After the senior engineer used the above IPS logs to detect the ongoing DDOS attack, an IPS filter should be enabled to block the attack and restore communication.

  C. After the senior engineer used a mirror port to capture the ongoing amplification attack, a BGP sinkhole should be configured to drop traffic at the source networks.

  D. After the senior engineer used a packet capture to identify an active Smurf attack, an ACL should be placed on the company's external router to block incoming UDP port 19 traffic.

  Correct Answer: A

  The exhibit displays logs that are indicative of an active fraggle attack. A Fraggle attack is similar to a smurf attack in that it is a denial of service attack, but the difference is that a fraggle attack makes use of ICMP and UDP ports 7 and 19. Thus when the senior engineer uses a network analyzer to identify the attack he should contact the company's ISP to block those malicious packets.

• Question 775:

  After a security incident, an administrator would like to implement policies that would help reduce fraud and the potential for collusion between employees. Which of the following would help meet these goals by having co-workers occasionally audit another worker's position?

  A. Least privilege

  B. Job rotation

  C. Mandatory vacation

  D. Separation of duties

  Correct Answer: B

  Job rotation can reduce fraud or misuse by preventing an individual from having too much control over an area.

• Question 776:

  A security manager looked at various logs while investigating a recent security breach in the data center from an external source. Each log below was collected from various security devices compiled from a report through the company's

  security information and event management server.

  Logs:

  Log 1:

  Feb 5 23:55:37.743: %SEC-6-IPACCESSLOGS: list 10 denied 10.2.5.81 3 packets Log 2:

  HTTP://www.company.com/index.php?user=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

  Log 3:

  Security Error Alert

  Event ID 50: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client

  Log 4:

  Encoder oe = new OracleEncoder ();

  String query = "Select user_id FROM user_data WHERE user_name = ` "

  + oe.encode ( req.getParameter("userID") ) + " ` and user_password = ` "

  + oe.encode ( req.getParameter("pwd") ) +" ` ";

  Vulnerabilities

  Buffer overflow

  SQL injection

  ACL

  XSS

  Which of the following logs and vulnerabilities would MOST likely be related to the security breach? (Select TWO).

  A. Log 1

  B. Log 2

  C. Log 3

  D. Log 4

  E. Buffer overflow

  F. ACL

  G. XSS

  H. SQL injection

  Correct Answer: BE

  Log 2 indicates that the security breach originated from an external source. And the vulnerability that can be associated with this security breach is a buffer overflow that happened when the amount of data written into the buffer exceeded the limit of that particular buffer.

• Question 777:

  A security engineer on a large enterprise network needs to schedule maintenance within a fixed window of time. A total outage period of four hours is permitted for servers. Workstations can undergo maintenance from

  8:00

  pm to 6:00 am daily. Which of the following can specify parameters for the maintenance work? (Select TWO).

  A.

  Managed security service

  B.

  Memorandum of understanding

  C.

  Quality of service

  D.

  Network service provider

  E.

  Operating level agreement

  Correct Answer: BE

  B: A memorandum of understanding (MOU) documents conditions and applied terms for outsourcing partner organizations that must share data and information resources. It must be signed by a re presentative from each organization that has the legal authority to sign and are typically secured, as they are considered confidential.

  E: An operating level agreement (O LA) defines the responsibilities of each partner's internal support group and what group and resources are used to meet the specified goal. It is used in conjunction with service level agreements (SLAs).

• Question 778:

  Company A has noticed abnormal behavior targeting their SQL server on the network from a rogue IP address. The company uses the following internal IP address ranges: 192.10.1.0/24 for the corporate site and 192.10.2.0/24 for the remote

  site. The Telco router interface uses the 192.10.5.0/30 IP range.

  Instructions: Click on the simulation button to refer to the Network Diagram for Company A.

  Click on Router 1, Router 2, and the Firewall to evaluate and configure each device.

  Task 1: Display and examine the logs and status of Router 1, Router 2, and Firewall interfaces.

  Task 2: Reconfigure the appropriate devices to prevent the attacks from continuing to target the SQL server and other servers on the corporate network.

  

  Hot Area:

  

  Correct Answer:

  

  We have traffic coming from two rogue IP addresses: 192.10.3.204 and 192.10.3.254 (both in the 192.10.30.0/24 subnet) going to IPs in the corporate site subnet (192.10.1.0/24) and the remote site subnet (192.10.2.0/24). We need to Deny (block) this traffic at the firewall by ticking the following two checkboxes:

  

• Question 779:

  IT staff within a company often conduct remote desktop sharing sessions with vendors to troubleshoot vendor product-related issues. Drag and drop the following security controls to match the associated security concern. Options may be used once or not at all.

  Select and Place:

  

  Correct Answer:

  

  Vendor may accidentally or maliciously make changes to the IT system - Allow view-only access.

  With view-only access, the third party can view the desktop but cannot interact with it. In other words, they cannot control the keyboard or mouse to make any changes.

  Desktop sharing traffic may be intercepted by network attackers - Use SSL for remote sessions.

  SSL (Secure Sockets Layer) encrypts data in transit between computers. If an attacker intercepted the traffic, the data would be encrypted and therefore unreadable to the attacker.

  No guarantees that shoulder surfing attacks are not occurring at the vendor - Identified control gap.

  Shoulder surfing is where someone else gains information by looking at your computer screen. This should be identified as a risk. A control gap occurs when there are either insufficient or no actions taken to avoid or mitigate a significant risk.

  Vendor may inadvertently see confidential material from the company such as email and IMs - Limit desktop session to certain windows.

  The easiest way to prevent a third party from viewing your emails and IMs is to close the email and IM application windows for the duration of the desktop sharing session.

• Question 780:

  A security consultant is considering authentication options for a financial institution. The following authentication options are available security mechanism to the appropriate use case. Options may be used once.

  Select and Place:

  

  Correct Answer: