CompTIA RC0-C02 Online Practice Questions and Exam Preparation
RC0-C02 Exam Details
Exam Code: RC0-C02
Exam Name: CompTIA Advanced Security Practitioner (CASP) Recertification Exam for Continuing Education
Certification: CompTIA Advanced Security Practitioner
Vendor: CompTIA
Total Questions: 308 Q&As
Last Updated: May 26, 2026
CompTIA RC0-C02 Online Questions & Answers
Question 121:
An administrator has enabled salting for users' passwords on a UNIX box. A penetration tester must attempt to retrieve password hashes. Which of the following files must the penetration tester use to eventually obtain passwords on the system? (Select TWO).
A. /etc/passwd
B. /etc/shadow
C. /etc/security
D. /etc/password
E. /sbin/logon
F. /bin/bash

Answer: A. /etc/passwd, B. /etc/shadow
In cryptography, a salt is random data used as an additional input to the one-way function that hashes a password or passphrase, so that two users with the same password get different hashes and precomputed hash tables are useless. In this question, enabling salting means the passwords are stored as salted hashes; it does not change where they are stored, so the tester still needs both the account file and the hash file.

Traditional Unix systems kept user account information, including the one-way hashed passwords, in a text file called /etc/passwd. As this file is used by many tools (such as ls) to map user IDs to user names when displaying file ownership, it must be world-readable; keeping hashes in it therefore exposed them to every local user for offline cracking. The shadow password format addresses this: account information is still stored in /etc/passwd in the traditional format, but the password field holds a single "x" (the hash is not stored in this file). A second file, /etc/shadow, readable only by root, contains the salted hash as well as other information such as account or password expiration values. The penetration tester therefore needs /etc/passwd (user names, UIDs, shells) and /etc/shadow (the hashes, with the salt embedded in the hash field) and combines them before running an offline password-cracking attack.
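The step the question alludes to, merging the two files into the one-line-per-account format that offline crackers consume, as an added example (not part of the exam material). The /etc/passwd and /etc/shadow contents below are constructed sample files with placeholder hash strings, not data from a real system; the parsing follows the crypt(3) field layout $id$[params$]salt$hash.

```python
"""Merge /etc/passwd and /etc/shadow into the one-line-per-account format that
offline password crackers consume. Added example for this question; the two inputs
below are constructed sample files, not data from a real system."""
from typing import Dict, List, Optional, Tuple

# crypt(3) identifiers found at the start of a shadow hash field.
ALGOS = {"1": "md5crypt", "2b": "bcrypt", "5": "sha256crypt", "6": "sha512crypt",
         "y": "yescrypt", "7": "scrypt"}

# Constructed /etc/passwd: world-readable, password field is just "x".
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""

# Constructed /etc/shadow: root-readable only. Field 2 is $id$[params$]salt$hash;
# "*" or a leading "!" means the account has no usable password. The hash strings
# are placeholders of roughly the right shape, not real digests.
SHADOW = """\
root:$6$rounds=5000$Zq8tPxW1$PLACEHOLDERHASHroot000000000000000000000000000000000000000000000000000000000000000000:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$K9mP2sLq$PLACEHOLDERHASHalice0000000000000000000000000000000000000000000000000000000000000000000000:19700:0:99999:7:::
bob:!$y$j9T$Salt.Example/j9T$PLACEHOLDERHASHbob:19700:0:99999:7:::
"""


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Map the first field (user name) of each line to the remaining fields."""
    out: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        out[fields[0]] = fields[1:]
    return out


def crypt_parts(field: str) -> Optional[Tuple[str, str, str]]:
    """Split a shadow hash field into (algorithm, salt, hash).
    Returns None when the field is locked or empty and cannot be cracked."""
    if not field or field[0] in "*!":
        return None
    if not field.startswith("$"):
        # Legacy DES crypt: 2-character salt followed by 11 hash characters.
        return ("descrypt", field[:2], field[2:])
    parts = field.split("$")[1:]          # drop the empty string before the first "$"
    if len(parts) < 3:
        return None
    algo = ALGOS.get(parts[0], "unknown(" + parts[0] + ")")
    # Anything between the id and the last two fields is a parameter (e.g. rounds=5000).
    return (algo, parts[-2], parts[-1])


def unshadow(passwd_text: str, shadow_text: str) -> List[str]:
    """Return 'user:hash:uid:gid:gecos:home:shell' lines for accounts with a usable hash.
    This is what the classic unshadow tool produces from the two files."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    merged = []
    for user, fields in passwd.items():
        shadow_fields = shadow.get(user)
        if shadow_fields is None or crypt_parts(shadow_fields[0]) is None:
            continue   # no shadow entry, or locked account: nothing to crack
        merged.append(":".join([user, shadow_fields[0]] + fields[1:]))
    return merged


def salts_in_use(shadow_text: str) -> Dict[str, Tuple[str, str]]:
    """Report (algorithm, salt) per crackable account. The salt sits in clear text next
    to the hash, which is why salting does not stop cracking; it only defeats
    precomputed tables and hash reuse between accounts."""
    report = {}
    for user, fields in parse_colon_file(shadow_text).items():
        parts = crypt_parts(fields[0])
        if parts is not None:
            report[user] = (parts[0], parts[1])
    return report


if __name__ == "__main__":
    for line in unshadow(PASSWD, SHADOW):
        print(line)
    print(salts_in_use(SHADOW))
```

Only root and alice produce crackable lines: daemon is starred out and bob's field is prefixed with "!", so a locked account stays locked no matter how strong the cracker is. Notice that the salt and the algorithm identifier are readable by anyone holding the shadow file; salting protects against precomputation, not against someone who has the file.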
Question 122:
A security auditor suspects two employees of having devised a scheme to steal money from the company. While one employee submits purchase orders for personal items, the other employee approves these purchase orders. The auditor has contacted the human resources director with suggestions on how to detect such illegal activities. Which of the following should the human resource director implement to identify the employees involved in these activities and reduce the risk of this activity occurring in the future?
A. Background checks
B. Job rotation
C. Least privilege
D. Employee termination procedures

Answer: B. Job rotation
Job rotation can reduce fraud or misuse by preventing an individual from having too much control over an area for an extended period, and it aids detection because the person rotated into the role is likely to notice irregularities, such as purchase orders for personal items, left behind by the previous holder.
Question 123:
A forensic analyst works for an e-discovery firm where several gigabytes of data are processed daily. While the business is lucrative, they do not have the resources or the scalability to adequately serve their clients. Since it is an e-discovery firm where chain of custody is important, which of the following scenarios should they consider?
A. Offload some data processing to a public cloud
B. Aligning their client intake with the resources available
C. Using a community cloud with adequate controls
D. Outsourcing the service to a third party cloud provider

Answer: C. Using a community cloud with adequate controls
We can use a cloud service to expand the compute resources. "Adequate controls" are controls that ensure that no one else including the cloud provider can access the data. A community cloud is a multi-tenant infrastructure that is shared among several organizations from a specific group with common computing concerns. Such concerns might be related to regulatory compliance, such as audit requirements, or may be related to performance requirements, such as hosting applications that require a quick response time, for example. The goal of a community cloud is to have participating organizations realize the benefits of a public cloud -- such as multi-tenancy and a pay-as-you-go billing structure -- but with the added level of privacy, security and policy compliance usually associated with a private cloud. The community cloud can be either on-premises or off-premises, and can be governed by the participating organizations or by a third-party managed service provider (MSP).
Question 124:
A facilities manager has observed varying electric use on the company's metered service lines. The facility management rarely interacts with the IT department unless new equipment is being delivered. However, the facility manager thinks that there is a correlation between spikes in electric use and IT department activity. Which of the following business processes and/or practices would provide better management of organizational resources with the IT department's needs? (Select TWO).
A. Deploying a radio frequency identification tagging asset management system
B. Designing a business resource monitoring system
C. Hiring a property custodian
D. Purchasing software asset management software
E. Facility management participation on a change control board
F. Rewriting the change board charter
G. Implementation of change management best practices

Answer: E. Facility management participation on a change control board, G. Implementation of change management best practices
The purpose of the change management process is to ensure that:
- Standardized methods and procedures are used for efficient and prompt handling of all changes
- All changes to service assets and configuration items are recorded in the configuration management system
- Business risk is managed and minimized
- All authorized changes support business needs and goals

Changes should be managed to:
- Reduce risk exposure
- Minimize the severity of any impact and disruption
- Be successful on the first attempt

The implementation of change management processes should involve a change control board. The change control board is a committee that makes decisions regarding whether or not proposed changes to a project should be implemented. In this question, there is a correlation between spikes in electric use and IT department activity. Therefore, someone from facility management should be part of the change control board, so that changes which add load (new equipment, additional capacity) are known to facilities before they happen rather than discovered on the meter.
Question 125:
Customers are receiving emails containing a link to malicious software. These emails are subverting spam filters. The email reads as follows:
Please download and install software from the site below to maintain full access to your account.
www.examplesite.com
Additional information: The authorized mail servers IPs are 192.168.2.10 and 192.168.2.11.
The network's subnet is 192.168.2.0/25.
Which of the following are the MOST appropriate courses of action a security administrator could take to eliminate this risk? (Select TWO).
A. Identify the origination point for malicious activity on the unauthorized mail server.
B. Block port 25 on the firewall for all unauthorized mail servers.
C. Disable open relay functionality.
D. Shut down the SMTP service on the unauthorized mail server.
E. Enable STARTTLS on the spam filter.

Answer: B. Block port 25 on the firewall for all unauthorized mail servers. D. Shut down the SMTP service on the unauthorized mail server.
In this question, the phishing messages come from an unauthorized mail server at 192.168.2.55, a host inside the company's own subnet (192.168.2.0/25 covers 192.168.2.0 to 192.168.2.127) that is neither of the authorized servers. Blocking port 25 on the firewall for all unauthorized mail servers is a common and recommended security step: TCP port 25 should be open on the firewall only to and from the IP addresses of the authorized email servers (192.168.2.10 and 192.168.2.11). This prevents any other host on the network from sending email directly to the Internet or from receiving and relaying it, so a compromised or rogue machine cannot deliver these messages at all.

Email servers use SMTP (Simple Mail Transfer Protocol) on port 25 to send email to other email servers. Shutting down the SMTP service on the unauthorized mail server removes the mail server functionality from that host itself; the firewall rule then keeps the problem from reappearing if another unauthorized server shows up. Disabling open relay (C) would only help if the messages were being relayed through a legitimate server, and STARTTLS (E) encrypts the transport but does nothing about who is allowed to send.
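The "authorized mail servers only" egress policy from this question, written out as decision logic and run over a connection log, as an added example that is not part of the exam material. The log lines are constructed; the subnet and the two authorized addresses are the ones given in the question, and the iptables rule strings at the end are the equivalent firewall configuration of the same policy.

```python
"""Evaluate outbound SMTP connections against the 'authorized mail servers only' policy
from this question. Added example, not from the exam; the connection log is constructed."""
import ipaddress
from typing import Dict, List, Set

INTERNAL_NET = ipaddress.ip_network("192.168.2.0/25")      # hosts .1 to .126
AUTHORIZED_MTAS = {ipaddress.ip_address("192.168.2.10"),
                   ipaddress.ip_address("192.168.2.11")}
SMTP_PORT = 25

# Constructed firewall log of connections leaving the network: "src dst dport".
# 192.168.2.55 is a workstation acting as a mail server; .200 lies outside the /25,
# so it is not a legitimate local address at all.
CONN_LOG = """\
192.168.2.10 203.0.113.25 25
192.168.2.55 198.51.100.7 25
192.168.2.55 198.51.100.8 25
192.168.2.11 203.0.113.30 25
192.168.2.200 203.0.113.5 25
192.168.2.77 203.0.113.5 443
"""


def decide(src: str, dport: int) -> str:
    """Policy for a single outbound connection: only the authorized MTAs may use TCP/25."""
    if dport != SMTP_PORT:
        return "allow"                       # this policy only governs SMTP
    ip = ipaddress.ip_address(src)
    if ip in AUTHORIZED_MTAS:
        return "allow"
    if ip in INTERNAL_NET:
        return "block-rogue-mta"             # an internal host that should not speak SMTP
    return "block-spoofed-source"            # claims to be local but is outside the /25


def evaluate(log: str) -> List[Dict[str, str]]:
    """Apply decide() to every line of the log."""
    results = []
    for line in log.splitlines():
        if not line.strip():
            continue
        src, dst, dport = line.split()
        results.append({"src": src, "dst": dst, "dport": dport,
                        "action": decide(src, int(dport))})
    return results


def rogue_mail_hosts(log: str) -> Set[str]:
    """Internal hosts that tried to send mail directly: candidates for having their
    SMTP service shut down (answer D) once the firewall rule (answer B) contains them."""
    return {r["src"] for r in evaluate(log) if r["action"] == "block-rogue-mta"}


def egress_rules() -> List[str]:
    """iptables rules implementing the same policy as decide(): accept TCP/25 only from
    the authorized MTAs, then drop every other outbound SMTP attempt from the subnet."""
    rules = [f"iptables -A FORWARD -p tcp --dport {SMTP_PORT} -s {ip} -j ACCEPT"
             for ip in sorted(AUTHORIZED_MTAS)]
    rules.append(f"iptables -A FORWARD -p tcp --dport {SMTP_PORT} -s {INTERNAL_NET} -j DROP")
    return rules


if __name__ == "__main__":
    for r in evaluate(CONN_LOG):
        print(r)
    print("rogue mail hosts:", rogue_mail_hosts(CONN_LOG))
    print("\n".join(egress_rules()))
```

Rule order matters: the two ACCEPT rules must precede the subnet-wide DROP, otherwise the authorized servers lose outbound mail too. The .200 source is worth a second look in its own right, since a /25 has no such address and a packet carrying it is either spoofed or from a misconfigured host.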
Question 126:
A security analyst, Ann, states that she believes Internet facing file transfer servers are being attacked. Which of the following is evidence that would aid Ann in making a case to management that action needs to be taken to safeguard these servers?
A. Provide a report of all the IP addresses that are connecting to the systems and their locations
B. Establish alerts at a certain threshold to notify the analyst of high activity
C. Provide a report showing the file transfer logs of the servers
D. Compare the current activity to the baseline of normal activity

Answer: D. Compare the current activity to the baseline of normal activity

A baseline of normal activity (typical connection counts, login failure rates, transfer volumes and source addresses for these servers) gives Ann a reference point; showing that current activity deviates significantly from it turns a suspicion into quantified evidence that management can act on. A raw list of connecting IP addresses or the transfer logs themselves (A, C) show activity but not whether it is abnormal, and threshold alerts (B) are a response mechanism, not evidence for a case.
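What "compare to the baseline" looks like in practice, as an added example that is not part of the exam material: failed logins per hour from a constructed FTP authentication log are compared against a constructed baseline of normal hourly counts, and hours that sit far outside the baseline are turned into one-sentence findings with the dominant source address. The log format, the baseline values and the 3-sigma threshold are all assumptions for the example.

```python
"""Compare current file-transfer authentication activity against a baseline of normal
hourly failed-login counts. Added example for this question; both the baseline and the
log are constructed."""
import statistics
from collections import Counter
from typing import Dict, List, Tuple

# Constructed baseline: failed logins per hour observed over a quiet period.
BASELINE_HOURLY_FAILURES = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 4, 3, 4]

# Constructed FTP auth log for the suspicious period: "<timestamp> <src> <OK|FAIL> <user>".
# Hour 03 contains a burst of failures from one address; the other hours look normal.
CURRENT_LOG = "\n".join(
    ["2024-05-02T02:10:11 203.0.113.9 FAIL ftpuser",
     "2024-05-02T02:41:52 198.51.100.4 OK deploy",
     "2024-05-02T02:55:00 203.0.113.9 FAIL ftpuser",
     "2024-05-02T02:58:13 203.0.113.9 FAIL admin"]
    + [f"2024-05-02T03:{i // 60:02d}:{i % 60:02d} 203.0.113.9 FAIL {name}"
       for i, name in enumerate(["admin", "root", "ftp", "test"] * 10)]
    + ["2024-05-02T04:05:44 198.51.100.4 OK deploy",
       "2024-05-02T04:20:30 203.0.113.17 FAIL backup",
       "2024-05-02T04:31:09 203.0.113.17 FAIL backup",
       "2024-05-02T04:40:00 198.51.100.12 FAIL www",
       "2024-05-02T04:59:59 198.51.100.12 FAIL www"]
)


def hourly_failures(log: str) -> Counter:
    """Count FAIL events per hour (key: 'YYYY-MM-DDTHH')."""
    counts: Counter = Counter()
    for line in log.splitlines():
        ts, _src, result, _user = line.split()
        if result == "FAIL":
            counts[ts[:13]] += 1
    return counts


def failure_sources(log: str) -> Dict[str, Counter]:
    """Per hour, how many failures each source address produced."""
    per_hour: Dict[str, Counter] = {}
    for line in log.splitlines():
        ts, src, result, _user = line.split()
        if result == "FAIL":
            per_hour.setdefault(ts[:13], Counter())[src] += 1
    return per_hour


def anomalies(current: Counter, baseline: List[int],
              threshold: float = 3.0) -> List[Tuple[str, int, float]]:
    """Hours whose failure count is at least `threshold` standard deviations above the
    baseline mean. The spread is floored at 1.0 so a flat baseline does not flag noise."""
    mean = statistics.mean(baseline)
    spread = max(statistics.pstdev(baseline), 1.0)
    flagged = []
    for hour, count in sorted(current.items()):
        z = (count - mean) / spread
        if z >= threshold:
            flagged.append((hour, count, round(z, 1)))
    return flagged


def evidence(log: str, baseline: List[int], threshold: float = 3.0) -> List[str]:
    """One sentence per anomalous hour, in the form a report to management needs."""
    mean = statistics.mean(baseline)
    sources = failure_sources(log)
    lines = []
    for hour, count, z in anomalies(hourly_failures(log), baseline, threshold):
        top_src, top_n = sources[hour].most_common(1)[0]
        lines.append(f"{hour}: {count} failed logins against a baseline mean of {mean:.1f} "
                     f"per hour (z={z}); {top_n} came from {top_src}")
    return lines


if __name__ == "__main__":
    for sentence in evidence(CURRENT_LOG, BASELINE_HOURLY_FAILURES):
        print(sentence)
```

The hours with 3 and 4 failures fall inside the baseline and are correctly ignored; only the 40-failure hour is reported, together with the address responsible for all of it. Without the baseline the same log is just a list of events, which is exactly the weakness of options A and C.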
Question 127:
A security manager has received the following email from the Chief Financial Officer (CFO):
"While I am concerned about the security of the proprietary financial data in our ERP application, we have had a lot of turnover in the accounting group and I am having a difficult time meeting our monthly performance targets. As things currently stand, we do not allow employees to work from home but this is something I am willing to allow so we can get back on track. What should we do first to securely enable this capability for my group?"
Based on the information provided, which of the following would be the MOST appropriate response to the CFO?
A. Remote access to the ERP tool introduces additional security vulnerabilities and should not be allowed.
B. Allow VNC access to corporate desktops from personal computers for the users working from home.
C. Allow terminal services access from personal computers after the CFO provides a list of the users working from home.
D. Work with the executive management team to revise policies before allowing any remote access.

Answer: D. Work with the executive management team to revise policies before allowing any remote access.
The Chief Financial Officer (CFO) wants to change company policy to allow employees to work from home. Before the new policy is implemented, the relevant documented company policies should be updated to reflect the new policy. Company policies are rarely defined by a single person in a company; they are usually defined by executive management. Therefore, you should work with the executive management team to revise the policies.
Question 128:
A security administrator notices the following line in a server's security log:
') + "';
The administrator is concerned that it will take the developer a lot of time to fix the application that is running on the server. Which of the following should the security administrator implement to prevent this particular attack?
A. WAF
B. Input validation
C. SIEM
D. Sandboxing
E. DAM

Answer: A. WAF
The logged string ') + "'; is an injection probe: it closes a quoted string and a parenthesis in whatever server-side expression the input lands in, the kind of payload used to test for cross-site scripting (XSS) and related injection flaws. The lasting fix is input validation and output encoding in the application itself, but the question states that the developer fix will take a long time, so the administrator needs a compensating control that can be deployed in front of the application now: a Web Application Firewall.

A WAF (Web Application Firewall) protects a web application by inspecting the requests sent to it and the responses it returns, and by controlling access to and from the application. Running as an appliance, server plug-in or cloud-based service, and typically deployed as a reverse proxy placed in front of one or more web applications, a WAF parses HTTP and HTTPS traffic (including SOAP and XML-RPC payloads) and applies a rule base, in real time or near-real time, to filter out potentially harmful requests before they reach the application. Through customizable inspection it can prevent attacks such as XSS, SQL injection, session hijacking and oversized inputs aimed at buffer overflows, which network firewalls and intrusion detection systems are often not capable of recognizing because they do not understand the application layer. Some WAFs also build a model of normal request patterns and flag deviations, which can catch previously unknown attacks at the cost of false positives. Web application firewalls are a common enterprise control against zero-day exploits, impersonation and known vulnerabilities, but because they work from signatures and patterns they buy time; they do not replace fixing the vulnerable code.
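A minimal signature-based request filter of the kind a WAF applies, as an added example that is not part of the exam material and is not code from any WAF product. The rules, parameter names and sample requests are constructed; the one payload that is not constructed is the string from the question's log line. The example also shows the normalization step that makes such filters worth anything: the same payload URL-encoded once or twice must be decoded before matching, or the filter is bypassed trivially.

```python
"""A minimal signature-based request filter of the kind a WAF applies in front of an
application that cannot be fixed immediately. Added example for this question; the rules
and requests are constructed."""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# The string from the server's security log in this question.
LOGGED_PAYLOAD = "') + \"';"

# Constructed signatures, matched against the normalized parameter value.
RULES: List[Tuple[str, re.Pattern]] = [
    # A quote followed by a closing parenthesis and an operator or terminator: the
    # classic 'break out of a quoted expression' probe seen in the log.
    ("quote-breakout", re.compile(r"""['"]\s*\)\s*[+;]""")),
    ("script-tag", re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
]


def normalize(value: str) -> str:
    """URL-decode repeatedly until the value stops changing, so %27 and %2527 both become
    a quote. A filter that inspects only the raw encoded value is bypassed by encoding."""
    seen = set()
    while value not in seen:
        seen.add(value)
        value = unquote(value)
    return value


def inspect(params: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (parameter, rule) pairs for every signature hit across the request."""
    hits = []
    for name, raw in params.items():
        value = normalize(raw)
        for rule, pattern in RULES:
            if pattern.search(value):
                hits.append((name, rule))
    return hits


def decision(params: Dict[str, str]) -> str:
    """Block the request if any parameter matched a rule, otherwise let it through."""
    return "block" if inspect(params) else "allow"


if __name__ == "__main__":
    for request in ({"q": LOGGED_PAYLOAD},
                    {"q": "%2527%2529%2520%252B%2520%2522%2527%253B"},
                    {"name": "O'Brien (Ltd)"},
                    {"q": "<ScRiPt>alert(1)</script>"}):
        print(decision(request), inspect(request), request)
```

The filter blocks the logged payload in plain, single- and double-encoded form and lets an apostrophe in a normal name through, but a signature list like this is only as good as its patterns; the application still needs the proper fix, which is why the question asks what to do in the meantime rather than what to do instead.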
Question 129:
A company with 2000 workstations is considering purchasing a HIPS to minimize the impact of a system compromise from malware. Currently, the company projects a total cost of $50,000 for the next three years responding to and eradicating workstation malware. The Information Security Officer (ISO) has received three quotes from different companies that provide HIPS.
The first quote requires a $10,000 one-time fee, annual cost of $6 per workstation, and a 10% annual support fee based on the number of workstations.
The second quote requires a $15,000 one-time fee, an annual cost of $5 per workstation, and a 12% annual fee based on the number of workstations.
The third quote has no one-time fee, an annual cost of $8 per workstation, and a 15% annual fee based on the number of workstations.
Which solution should the company select if the contract is only valid for three years?
A. First quote
B. Second quote
C. Third quote
D. Accept the risk

Answer: B. Second quote

We have 2000 workstations and a projected cost of $50,000 over the next three years if nothing is done. Taking each percentage fee as a percentage of the annual per-workstation cost:

First quote: $6 x 2000 = $12,000 per year, plus a 10% support fee ($1,200) = $13,200 per year, or $39,600 over three years; adding the $10,000 one-time fee gives $49,600.
Second quote: $5 x 2000 = $10,000 per year, plus a 12% fee ($1,200) = $11,200 per year, or $33,600 over three years; adding the $15,000 one-time fee gives $48,600.
Third quote: $8 x 2000 = $16,000 per year, plus a 15% fee ($2,400) = $18,400 per year, or $55,200 over three years, with no one-time fee.

The second quote is the cheapest at $48,600 and comes in under the $50,000 cost of accepting the risk. The first quote also undercuts that figure, but by less, and the third quote costs more than doing nothing.
Question 130:
A penetration tester is assessing a mobile banking application. Man-in-the-middle attempts via an HTTP intercepting proxy are failing with SSL errors. Which of the following controls has likely been implemented by the developers?
A. SSL certificate revocation
B. SSL certificate pinning
C. Mobile device root-kit detection
D. Extended Validation certificates

Answer: B. SSL certificate pinning
Users, developers, and applications expect end-to-end security on their secure channels, but some secure channels do not meet that expectation. Specifically, channels built using well-known protocols such as VPN, SSL, and TLS can be vulnerable to a number of attacks, including interception by a proxy whose certificate the device has been made to trust.

Pinning is the process of associating a host with its expected X.509 certificate or public key. Once a certificate or public key is known or seen for a host, it is associated or 'pinned' to the host, and the client rejects a connection that presents a different one even when the certificate chain otherwise validates. That is why the tester's intercepting proxy fails with SSL errors: its certificate chains to a CA the test device trusts, but its key does not match the pin built into the application.

A host or service's certificate or public key can be added to an application at development time, or it can be added upon first encountering the certificate or public key. The former, adding at development time, is preferred since preloading the certificate or public key out of band usually means the attacker cannot taint the pin. If the certificate or public key is added upon first encounter, you will be using key continuity. Key continuity can fail if the attacker has a privileged position
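The pin check itself, as an added example that is not part of the exam material: pins are the SHA-256 of the server's SubjectPublicKeyInfo, base64-encoded, the format used by HPKP and by common mobile HTTP libraries. The SPKI byte strings here are constructed stand-ins for real DER data (a real application extracts them from the leaf certificate), and the chain_valid flag stands for the result of ordinary certificate validation. The last function shows the key-continuity (trust-on-first-use) variant the text describes and why an attacker present on the first connection defeats it.

```python
"""Public-key pinning check: compare the SHA-256 of the server's SubjectPublicKeyInfo
against pins compiled into the app. Added example for this question; the SPKI byte
strings are constructed stand-ins for real DER data."""
import base64
import hashlib
from typing import Dict, Set, Tuple


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: 'sha256/' + base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed stand-ins. A real app derives the primary pin from the leaf certificate at
# build time and the backup pin from a key held offline, so that a key rotation does
# not lock every installed copy of the app out of the service.
SERVER_SPKI = b"constructed-spki-der-for-api.bank.example-primary-key"
BACKUP_SPKI = b"constructed-spki-der-for-api.bank.example-backup-key"
PROXY_SPKI = b"constructed-spki-der-for-intercepting-proxy-issued-leaf"

PINNED = {spki_pin(SERVER_SPKI), spki_pin(BACKUP_SPKI)}


def pin_matches(leaf_spki_der: bytes, pins: Set[str]) -> bool:
    """True if the presented key is one of the pinned keys."""
    return spki_pin(leaf_spki_der) in pins


def connection_decision(chain_valid: bool, leaf_spki_der: bytes,
                        pins: Set[str]) -> Tuple[bool, str]:
    """Pinning is applied on top of, not instead of, normal chain validation.
    An intercepting proxy whose CA the device trusts passes the first check and
    fails the second, which is the 'SSL error' the tester sees."""
    if not chain_valid:
        return (False, "chain validation failed")
    if not pin_matches(leaf_spki_der, pins):
        return (False, "pin mismatch: key not in pin set")
    return (True, "ok")


def key_continuity(store: Dict[str, str], host: str, leaf_spki_der: bytes) -> bool:
    """Trust-on-first-use variant: pin whatever key is seen first. If the attacker is
    already in the path on the first connection, the attacker's key becomes the pin."""
    pin = spki_pin(leaf_spki_der)
    if host not in store:
        store[host] = pin
        return True
    return store[host] == pin


if __name__ == "__main__":
    print(connection_decision(True, SERVER_SPKI, PINNED))
    print(connection_decision(True, PROXY_SPKI, PINNED))
    tofu: Dict[str, str] = {}
    print(key_continuity(tofu, "api.bank.example", PROXY_SPKI))   # attacker pinned first
    print(key_continuity(tofu, "api.bank.example", SERVER_SPKI))  # real server now rejected
```

Pinning the public key rather than the whole certificate lets the operator renew the certificate without an app update as long as the key is kept; the backup pin covers the case where the key itself must change. The key-continuity calls show the failure the text is describing: once the proxy's key has been learned, the genuine server is the one that looks like an attacker.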