CompTIA CompTIA Advanced Security Practitioner RC0-C02 Questions & Answers

• Question 21:

  A security administrator is tasked with implementing two-factor authentication for the company VPN. The VPN is currently configured to authenticate VPN users against a backend RADIUS server. New company policies require a second factor of authentication, and the Information Security Officer has selected PKI as the second factor. Which of the following should the security administrator configure and implement on the VPN concentrator to implement the second factor and ensure that no error messages are displayed to the user during the VPN connection? (Select TWO).

  A. The user's certificate private key must be installed on the VPN concentrator.

  B. The CA's certificate private key must be installed on the VPN concentrator.

  C. The user certificate private key must be signed by the CA.

  D. The VPN concentrator's certificate private key must be signed by the CA and installed on the VPN concentrator.

  E. The VPN concentrator's certificate private key must be installed on the VPN concentrator.

  F. The CA's certificate public key must be installed on the VPN concentrator.

  Correct Answer: EF

  A public key infrastructure (PKI) supports the distribution and identification of public encryption keys, enabling users and computers to both securely exchange data over networks such as the Internet and verify the identity of the other party. A

  typical PKI includes the following key elements:

  A trusted party, called a certificate authority (CA), acts as the root of trust and provides services that authenticate the identity of individuals, computers and other entities A registration authority, often called a subordinate CA, certified by a root

  CA to issue certificates for specific uses permitted by the root A certificate database, which stores certificate requests and issues and revokes certificates A certificate store, which resides on a local computer as a place to store issued

  certificates and private keys

  A CA issues digital certificates to entities and individuals after verifying their identity. It signs these certificates using its private key; its public key is made available to all interested parties in a self-signed CA certificate.

  In this question, we have implemented a PKI. The Certificate Authority is the trusted root and supplies certificates to all devices that require one. Every device that trusts the CA will have the CA's public installed... This includes the VPN

  concentrator. With the VPN concentrator trusting the CA, the VPN concentrator will trust users with certificates supplied by the CA.

  For the users and their devices to trust the VPN concentrator (to ensure that no error messages are displayed to the user during the VPN connection), the VPN concentrator must have a certificate that includes a private key installed.

• Question 22:

  Due to a new regulatory requirement, ABC Company must now encrypt all WAN transmissions. When speaking with the network administrator, the security administrator learns that the existing routers have the minimum processing power to do the required level of encryption. Which of the following solutions minimizes the performance impact on the router?

  A. Deploy inline network encryption devices

  B. Install an SSL acceleration appliance

  C. Require all core business applications to use encryption

  D. Add an encryption module to the router and configure IPSec

  Correct Answer: A

  All WAN transmissions must be encrypted. Encryption uses a lot of processing power on a router to encrypt the outgoing data and decrypt the incoming data. In this question, the routers do not have much processing power. We can minimize the performance impact on the router by offloading the encryption function to another device: an inline network encryption device. This is a hardware device specifically designed to perform the function of data encryption and decryption.

• Question 23:

  In an effort to minimize costs, the management of a small candy company wishes to explore a cloud service option for the development of its online applications. The company does not wish to invest heavily in IT infrastructure. Which of the following solutions should be recommended?

  A. A public IaaS

  B. A public PaaS

  C. A public SaaS

  D. A private SaaS

  E. A private IaaS

  F. A private PaaS

  Correct Answer: B

  To develop online applications, you need a platform (a computer or virtual machine) to develop and test the application on. For this you would use a PaaS (Platform as a Service) offering. A public PaaS is cheaper than a private PaaS

  because the underlying hardware is shared by multiple customers. This is different to a private PaaS offering where the cloud provider hosts hardware dedicated for use by a single customer. PaaS can be defined as a computing platform that

  allows the creation of web applications quickly and easily and without the complexity of buying and maintaining the software and infrastructure underneath it.

  PaaS is analogous to SaaS except that, rather than being software delivered over the web, it is a platform for the creation of software, delivered over the web.

  There are a number of different takes on what constitutes PaaS but some basic characteristics include:

  Services to develop, test, deploy, host and maintain applications in the same integrated development environment. All the varying services needed to fulfil the application development process

  Web based user interface creation tools help to create, modify, test and deploy different UI scenarios

  Multi-tenant architecture where multiple concurrent users utilize the same development application

  Built in scalability of deployed software including load balancing and failover Integration with web services and databases via common standards Support for development team collaboration ?some PaaS solutions include project planning and

  communication tools

  Tools to handle billing and subscription management

• Question 24:

  Three companies want to allow their employees to seamlessly connect to each other's wireless corporate networks while keeping one consistent wireless client configuration. Each company wants to maintain its own authentication infrastructure and wants to ensure that an employee who is visiting the other two companies is authenticated by the home office when connecting to the other companies' wireless network. All three companies have agreed to standardize on 802.1x EAP-PEAP-MSCHAPv2 for client configuration. Which of the following should the three companies implement?

  A. The three companies should agree on a single SSID and configure a hierarchical RADIUS system which implements trust delegation.

  B. The three companies should implement federated authentication through Shibboleth connected to an LDAP backend and agree on a single SSID.

  C. The three companies should implement a central portal-based single sign-on and agree to use the same CA when issuing client certificates.

  D. All three companies should use the same wireless vendor to facilitate the use of a shared cloud based wireless controller.

  Correct Answer: A

  To enable "employees to seamlessly connect to each other's wireless corporate networks while keeping one consistent wireless client configuration", the wireless networks must all use the same SSID.

  We should use RADIUS (Remote Authentication Dial-In User Service). RADIUS is a protocol that was originally used to authenticate users over dialup connections, but is increasingly used for other authentication scenarios, including the

  wireless network. A RADIUS hierarchy with delegated trust will enable a user connecting to one company wireless network (not his home company network) to be authenticated by the RADIUS server in his home network. For example: if a

  user from Company A connects to the wireless network in Company C, the Company C RADIUS server will see that the user is not from Company A and forward the authentication request to the RADIUS server in Company A.

• Question 25:

  An administrator is implementing a new network-based storage device. In selecting a storage protocol, the administrator would like the data in transit's integrity to be the most important concern. Which of the following protocols meets these needs by implementing either AES-CMAC or HMAC-SHA256 to sign data?

  A. SMB

  B. NFS

  C. FCoE

  D. iSCSI

  Correct Answer: A

  Server Message Block (SMB) is a protocol that has long been used by Windows computers for sharing files, printers and other resources among computers on the network. The server message blocks are the requests that an SMB client

  sends to a server and the responses that the server sends back to the client.

  Microsoft has improved the SMB protocol over the years. In 2006, they came out with a new version, SMB 2.0, in conjunction with Vista, and SMB 2.1 with Windows 7. Version 2 was a major revision with significant changes, including a

  completely different packet format. Windows 8 introduces another new version, SMB 3.0. Microsoft has made a number of security improvements in SMB 3.0, which will be introduced in the Windows 8 client and Windows Server 2012. A new

  algorithm is used for SMB signing. SMB 2.x uses HMAC-SHA256. SMB 3.0 uses AES-CMAC. CMAC is based on a symmetric key block cipher (AES), whereas HMAC is based on a hash function (SHA). AES (Advanced Encryption Standard)

  is the specification adopted by the U.S. government in 2002 and was approved by the National Security Agency (NSA) for encryption of top secret information.

• Question 26:

  An industry organization has implemented a system to allow trusted authentication between all of its partners. The system consists of a web of trusted RADIUS servers communicating over the Internet. An attacker was able to set up a malicious server and conduct a successful man-in-the-middle attack. Which of the following controls should be implemented to mitigate the attack in the future?

  A. Use PAP for secondary authentication on each RADIUS server

  B. Disable unused EAP methods on each RADIUS server

  C. Enforce TLS connections between RADIUS servers

  D. Use a shared secret for each pair of RADIUS servers

  Correct Answer: C

  A man-in-the-middle attack is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. As an attack that aims at circumventing mutual authentication, or lack thereof, a man-in- the-middle attack can succeed only when the attacker can impersonate each endpoint to their satisfaction as expected from the legitimate other end. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, TLS can authenticate one or both parties using a mutually trusted certification authority. Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).

• Question 27:

  A security solutions architect has argued consistently to implement the most secure method of encrypting corporate messages. The solution has been derided as not being cost effective by other members of the IT department. The proposed solution uses symmetric keys to encrypt all messages and is very resistant to unauthorized decryption. The method also requires special handling and security for all key material that goes above and beyond most encryption systems.

  Which of the following is the solutions architect MOST likely trying to implement?

  A. One time pads

  B. PKI

  C. Quantum cryptography

  D. Digital rights management

  Correct Answer: A

  In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked if used correctly. In this technique, a plaintext is paired with a random secret key (also referred to as a one-time pad). Then, each bit or character of

  the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition. If the key is truly random, is at least as long as the plaintext, is never reused in whole or in part, and is kept completely

  secret, then the resulting ciphertext will be impossible to decrypt or break. However, practical problems have prevented one-time pads from being widely used.

  The "pad" part of the name comes from early implementations where the key material was distributed as a pad of paper, so that the top sheet could be easily torn off and destroyed after use.

  The one-time pad has serious drawbacks in practice because it requires:

  Truly random (as opposed to pseudorandom) one-time pad values, which is a non-trivial requirement.

  Secure generation and exchange of the one-time pad values, which must be at least as long as the message. (The security of the one-time pad is only as secure as the security of the one-time pad exchange).

  Careful treatment to make sure that it continues to remain secret, and is disposed of correctly preventing any reuse in whole or part--hence "one time".

  Because the pad, like all shared secrets, must be passed and kept secure, and the pad has to be at least as long as the message, there is often no point in using one-time padding, as one can simply send the plain text instead of the pad (as

  both can be the same size and have to be sent securely).

  Distributing very long one-time pad keys is inconvenient and usually poses a significant security risk. The pad is essentially the encryption key, but unlike keys for modern ciphers, it must be extremely long and is much too difficult for humans

  to remember. Storage media such as thumb drives, DVD-Rs or personal digital audio players can be used to carry a very large one-time-pad from place to place in a non-suspicious way, but even so the need to transport the pad physically is

  a burden compared to the key negotiation protocols of a modern public-key cryptosystem, and such media cannot reliably be erased securely by any means short of physical destruction (e.g., incineration). The key material must be securely

  disposed of after use, to ensure the key material is never reused and to protect the messages sent. Because the key material must be transported from one endpoint to another, and persist until the message is sent or received, it can be more

  vulnerable to forensic recovery than the transient plaintext it protects.

• Question 28:

  A penetration tester is assessing a mobile banking application. Man-in-the-middle attempts via an HTTP intercepting proxy are failing with SSL errors. Which of the following controls has likely been implemented by the developers?

  A. SSL certificate revocation

  B. SSL certificate pinning

  C. Mobile device root-kit detection

  D. Extended Validation certificates

  Correct Answer: B

  Users, developers, and applications expect end-to-end security on their secure channels, but some secure channels are not meeting the expectation. Specifically, channels built using well known protocols such as VPN, SSL, and TLS can be

  vulnerable to a number of attacks.

  Pinning is the process of associating a host with their expected X509 certificate or public key. Once a certificate or public key is known or seen for a host, the certificate or public key is associated or 'pinned' to the host.

  A host or service's certificate or public key can be added to an application at development time, or it can be added upon first encountering the certificate or public key. The former - adding at development time - is preferred since preloading the

  certificate or public key out of band usually means the attacker cannot taint the pin. If the certificate or public key is added upon first encounter, you will be using key continuity. Key continuity can fail if the attacker has a privileged position

  during the first encounter.

• Question 29:

  An IT Manager is concerned about errors made during the deployment process for a new model of tablet. Which of the following would suggest best practices and configuration parameters that technicians could follow during the deployment process?

  A. Automated workflow

  B. Procedure

  C. Corporate standard

  D. Guideline

  E. Policy

  Correct Answer: D

  A guideline is defined as a detailed plan or explanation to guide you in setting standards or determining a course of action. A guideline is not mandatory but it would suggest the best practices and configuration parameters required in this question.

• Question 30:

  Company XYZ provides hosting services for hundreds of companies across multiple industries including healthcare, education, and manufacturing. The security architect for company XYZ is reviewing a vendor proposal to reduce company XYZ's hardware costs by combining multiple physical hosts through the use of virtualization technologies. The security architect notes concerns about data separation, confidentiality, regulatory requirements concerning PII, and administrative complexity on the proposal. Which of the following BEST describes the core concerns of the security architect?

  A. Most of company XYZ's customers are willing to accept the risks of unauthorized disclosure and access to information by outside users.

  B. The availability requirements in SLAs with each hosted customer would have to be re- written to account for the transfer of virtual machines between physical platforms for regular maintenance.

  C. Company XYZ could be liable for disclosure of sensitive data from one hosted customer when accessed by a malicious user who has gained access to the virtual machine of another hosted customer.

  D. Not all of company XYZ's customers require the same level of security and the administrative complexity of maintaining multiple security postures on a single hypervisor negates hardware cost savings.

  Correct Answer: C

  The hosting company (Company XYZ) is responsible for the data separation of customer data. If a malicious user gained access to a customer's sensitive data, the customer could sue the hosting company for damages. The result of such a lawsuit could be catastrophic for the hosting company in terms of compensation paid to the customer and loss of revenue due to the damaged reputation of the hosting company.