A small company is developing a new Internet-facing web application. The security requirements are:
Users of the web application must be uniquely identified and authenticated.
Users of the web application will not be added to the company's directory services.
Passwords must not be stored in the code.
Which of the following meets these requirements?
A. Use OpenID and allow a third party to authenticate users.
B. Use TLS with a shared client certificate for all users.
C. Use SAML with federated directory services.
D. Use Kerberos and browsers that support SAML.
Correct Answer: A
Users create accounts by selecting an OpenID identity provider, and then use those accounts to sign onto any website which accepts OpenID authentication. OpenID is an open standard and decentralized protocol by the non-profit OpenID Foundation that allows users to be authenticated by certain co-operating sites (known as Relying Parties or RP) using a third party service. This eliminates the need for webmasters to provide their own ad hoc systems and allows users to consolidate their digital identities. In other words, users can log into multiple unrelated websites without having to register with their information over and over again. Several large organizations either issue or accept OpenIDs on their websites according to the OpenID Foundation: AOL, Blogger, Flickr, France Telecom, Google, Hyves, LiveJournal, Microsoft (provider name Microsoft account), Mixi, Myspace, Novell, Orange, Sears, Sun, Telecom Italia, Universal Music Group, VeriSign, WordPress, and Yahoo!. Other providers include BBC, IBM, PayPal, and Steam.
Question 302:
An organization is implementing a project to simplify the management of its firewall network flows and implement security controls. The following requirements exist. Drag and drop the BEST security solution to meet the given requirements. Options may be used once or not at all. All placeholders must be filled.
Select and Place:
Correct Answer:
To permit users to work securely from home, we can use a VPN. A VPN is used to provide secure access for remote users by encrypting data sent between the remote location and the local network.
To permit users to access their account only from certain countries, we need to implement risk profiling of any connecting device. Risk profiling uses rules to determine risk. Rules can include the source IP, which would determine the country.
To detect credit card information leaving the organization, we can implement a DLP (Data Loss Prevention) solution. Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network.
The infrastructure we should deploy to permit users to access the Internet should include a forward proxy server. A forward proxy server retrieves data from external sources on behalf of users internal to the organization. For example, a user's web browser will send a request for a web page to the forward proxy, the proxy will then request the web page from an Internet web server and then the proxy will return the web page to the web browser.
The infrastructure we should deploy to permit customers to access their account balance should include a reverse proxy server. A reverse proxy server retrieves data from internal sources on behalf of users (customers) external to the organization. The reverse proxy server receives the request from an external user, retrieves the data from an internal server then returns the information to the customer.
Company A has experienced external attacks on their network and wants to minimize the chance of the attacks recurring. Modify the network diagram to prevent SQL injections, XSS attacks, smurf attacks, e-mail spam, downloaded malware, viruses and ping attacks. The company can spend a MAXIMUM of $50,000 USD. A cost list for each item is listed below:
Anti-Virus Server - $10,000
Firewall - $15,000
Load Balanced Server - $10,000
NIDS/NIPS - $10,000
Packet Analyzer - $5,000
Patch Server - $15,000
Proxy Server - $20,000
Router - $10,000
Spam Filter - $5,000
Traffic Shaper - $20,000
Web Application Firewall - $10,000
Instructions: Not all placeholders in the diagram need to be filled and items can only be used once. If you place an object on the network diagram, you can remove it by clicking the (x) in the upper right-hand corner of the object.
Select and Place:
Correct Answer:
The firewall and NIDS/NIPS will prevent the ping attacks and the smurf attacks.
The web application firewall (WAF) will prevent the cross-site scripting (XSS) and SQL injection attacks.
The spam filter will prevent e-mail spam.
The anti-virus server will prevent downloaded malware and viruses.
Question 304:
A manufacturer is planning to build a segregated network. There are requirements to segregate development and test infrastructure from production and the need to support multiple entry points into the network depending on the service being accessed. There are also strict rules in place to only permit user access from within the same zone. Currently, the following access requirements have been identified:
Developers have the ability to perform technical validation of development applications.
End users have the ability to access internal web applications.
Third-party vendors have the ability to support applications.
In order to meet segregation and access requirements, drag and drop the appropriate network zone that the user would be accessing and the access mechanism to meet the above criteria. Options may be used once or not at all. All placeholders must be filled.
Select and Place:
Correct Answer:
Question 305:
CORRECT TEXT
An administrator wants to install a patch to an application. Given the scenario, download, verify and install the patch in the most secure manner.
Instructions: The last install that is completed will be the final submission.
A.
Correct Answer: A
Answer: Please check the explanation part for full details on the solution. In this case the second link should be used (this may vary in the actual exam). The first link showed the following error, so it should not be used.
Also, two of the link choices used HTTP and not HTTPS as shown when hovering over the links as shown:
Since we need to do this in the most secure manner possible, they should not be used.
The second link was then used, and the md5sum utility should be run on the install.exe file as shown. Make sure that the hash matches.
Finally, type in install.exe to install it and make sure there are no signature verification errors.
We use the MD5Sum utility to view the hash of the downloaded file. If the hash matches the hash shown on the download page, then we know that the file we are downloading has not been modified.
md5sum is a computer program that calculates and verifies 128-bit MD5 hashes, as described in RFC 1321. The MD5 hash (or checksum) functions as a compact digital fingerprint of a file.
Virtually any non-malicious change to a file will cause its MD5 hash to change; therefore md5sum is used to verify the integrity of files. Most commonly, md5sum is used to verify that a file has not changed as a result of a faulty file transfer, a disk error or non-malicious meddling. The md5sum program is installed by default in most Unix, Linux, and Unix-like operating systems or compatibility layers. Other operating systems, including Microsoft Windows and BSD variants (such as Mac OS X), have similar utilities.
References:
https://en.wikipedia.org/wiki/Md5sum
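The hash check described above, as an added example that is not part of the original question or its explanation: a Python routine that computes a file's digest in chunks, compares it with the value published on the download page, and shows that a single changed byte breaks the match. The installer bytes and the "published" hash are constructed for the demonstration; the same function accepts sha256, which a practitioner would prefer over MD5 today because MD5 collisions are practical, so an MD5 match only proves the file was not corrupted in transit, not that it is the vendor's file.

```python
import hashlib
import hmac
import os
import tempfile

# Known-good MD5 test vectors from RFC 1321, used only to sanity-check the helper.
RFC1321_MD5_EMPTY = "d41d8cd98f00b204e9800998ecf8427e"
RFC1321_MD5_ABC = "900150983cd24fb0d6963f7d28e17f72"


def digest_bytes(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of an in-memory byte string (md5 by default, sha256 also supported)."""
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path: str, algorithm: str = "md5", chunk_size: int = 65536) -> str:
    """Hex digest of a file, read in chunks so a large installer never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, published_hex: str, algorithm: str = "md5") -> bool:
    """Compare the computed digest with the one shown on the download page.

    The published value is normalised (whitespace, case) because it is usually
    copied by hand; hmac.compare_digest avoids leaking where the strings differ.
    """
    expected = published_hex.strip().lower()
    return hmac.compare_digest(file_digest(path, algorithm), expected)


def demo() -> dict:
    """Constructed scenario: a fake install.exe, its published hash, and a tampered copy."""
    original = b"MZ" + b"\x00" * 62 + b"constructed fake installer body, not a real executable\n"
    with tempfile.TemporaryDirectory() as workdir:
        good = os.path.join(workdir, "install.exe")
        with open(good, "wb") as f:
            f.write(original)
        # This stands in for the hash string printed on the vendor's download page.
        published = file_digest(good)

        # Flip one byte to simulate a corrupted transfer or a modified binary.
        tampered = os.path.join(workdir, "install_tampered.exe")
        with open(tampered, "wb") as f:
            f.write(original[:-2] + b"!" + original[-1:])

        return {
            "published": published,
            "good_ok": verify_download(good, published),
            "tampered_ok": verify_download(tampered, published),
            "sha256_ok": verify_download(good, file_digest(good, "sha256"), "sha256"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly and `good_ok` is True while `tampered_ok` is False; the one-byte change turns the whole 128-bit digest into an unrelated value, which is what makes the comparison on the download page meaningful.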
Question 306:
Company A has noticed abnormal behavior targeting their SQL server on the network from a rogue IP address. The company uses the following internal IP address ranges:
192.10.1.0/24 for the corporate site and 192.10.2.0/24 for the remote site. The Telco router interface uses the 192.10.5.0/30 IP range.
Instructions: Click on the simulation button to refer to the Network Diagram for Company A.
Click on Router 1, Router 2, and the Firewall to evaluate and configure each device.
Task 1: Display and examine the logs and status of Router 1, Router 2, and Firewall interfaces.
Task 2: Reconfigure the appropriate devices to prevent the attacks from continuing to target the SQL server and other servers on the corporate network.
Correct Answer:
We have traffic coming from two rogue IP addresses: 192.10.3.204 and 192.10.3.254 (both in the 192.10.30.0/24 subnet) going to IPs in the corporate site subnet (192.10.1.0/24) and the remote site subnet (192.10.2.0/24). We need to Deny (block) this traffic at the firewall by ticking the following two checkboxes:
Question 307:
Compliance with company policy requires a quarterly review of firewall rules. A new administrator is asked to conduct this review on the internal firewall sitting between several internal networks. The intent of this firewall is to make traffic more restrictive. Given the following information answer the questions below:
User Subnet: 192.168.1.0/24
Server Subnet: 192.168.2.0/24
Finance Subnet: 192.168.3.0/24
Instructions: To perform the necessary tasks, please modify the DST port, Protocol, Action, and/or Rule Order columns. Firewall ACLs are read from the top down.
Task 1) An administrator added a rule to allow their machine terminal server access to the server subnet. This rule is not working. Identify the rule and correct this issue.
Task 2) All web servers have been changed to communicate solely over SSL. Modify the appropriate rule to allow communications.
Task 3) An administrator added a rule to block access to the SQL server from anywhere on the network. This rule is not working. Identify and correct this issue.
Task 4) Other than allowing all hosts to do network time and SSL, modify a rule to ensure that no other traffic is allowed.
Correct Answer:
Task 1) An administrator added a rule to allow their machine terminal server access to the server subnet. This rule is not working. Identify the rule and correct this issue. The rule shown in the image below is the rule in question. It is not working because the action is set to Deny. This needs to be set to Permit.
Task 2) All web servers have been changed to communicate solely over SSL. Modify the appropriate rule to allow communications. The web servers rule is shown in the image below. Port 80 (HTTP) needs to be changed to port 443 for HTTPS (HTTP over SSL).
Task 3) An administrator added a rule to block access to the SQL server from anywhere on the network. This rule is not working. Identify and correct this issue. The SQL Server rule is shown in the image below. It is not working because the protocol is wrong. It should be TCP, not UDP.
Task 4) Other than allowing all hosts to do network time and SSL, modify a rule to ensure that no other traffic is allowed. The network time rule is shown in the image below.
However, this rule is not being used because the rule shown below allows all traffic and is placed above the network time rule. To block all other traffic, the rule needs to be set to Deny, not Permit, and it needs to be placed below all the other rules (at the bottom of the list, so that it is enumerated last).
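Reading the ACL top down, as the instructions say, is what decides each of the four tasks. The following added example (not part of the original question or the exam material) implements a first-match rule evaluator in Python and runs the same constructed probe traffic through the rule set as the administrator found it and through the corrected one. Only the three subnets come from the question; the administrator's workstation address, the SQL server address, the ports and the probe flows are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str                 # source CIDR, "0.0.0.0/0" for any host
    dst: str                 # destination CIDR
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any port
    action: str              # "permit" or "deny"


ANY = "0.0.0.0/0"
SERVERS = "192.168.2.0/24"       # server subnet from the question
ADMIN_PC = "192.168.1.10/32"     # assumed: the administrator's workstation in the user subnet
SQL_SERVER = "192.168.2.20/32"   # assumed: the SQL server's address in the server subnet


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             proto: str, dst_port: int) -> Tuple[str, Optional[int]]:
    """First matching rule wins, reading top down; no match means an implicit deny.

    Returns the action and the index of the rule that decided it (None for the implicit deny).
    """
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for index, rule in enumerate(rules):
        if (s in ip_network(rule.src) and d in ip_network(rule.dst)
                and rule.proto in ("any", proto)
                and (rule.dst_port is None or rule.dst_port == dst_port)):
            return rule.action, index
    return "deny", None


# The ACL as the new administrator found it, with the four defects the tasks describe.
BROKEN_ACL = [
    Rule(ADMIN_PC, SERVERS, "tcp", 3389, "deny"),    # Task 1: action should be permit
    Rule(ANY, SERVERS, "tcp", 80, "permit"),         # Task 2: web servers now speak only HTTPS
    Rule(ANY, SQL_SERVER, "udp", 1433, "deny"),      # Task 3: SQL listens on TCP, not UDP
    Rule(ANY, ANY, "any", None, "permit"),           # Task 4: permit-all shadows everything below
    Rule(ANY, ANY, "udp", 123, "permit"),            # network time, never reached
]

# The same ACL after the four corrections.
FIXED_ACL = [
    Rule(ADMIN_PC, SERVERS, "tcp", 3389, "permit"),
    Rule(ANY, SERVERS, "tcp", 443, "permit"),
    Rule(ANY, SQL_SERVER, "tcp", 1433, "deny"),
    Rule(ANY, ANY, "udp", 123, "permit"),
    Rule(ANY, ANY, "any", None, "deny"),             # explicit deny-all, enumerated last
]

# Constructed probe traffic: (src, dst, proto, dst_port).
PROBES = {
    "admin_rdp": ("192.168.1.10", "192.168.2.5", "tcp", 3389),
    "other_rdp": ("192.168.1.99", "192.168.2.5", "tcp", 3389),
    "https_web": ("192.168.3.7", "192.168.2.30", "tcp", 443),
    "sql_tcp": ("192.168.1.50", "192.168.2.20", "tcp", 1433),
    "ntp": ("192.168.1.50", "192.168.2.40", "udp", 123),
    "smb": ("192.168.1.50", "192.168.3.9", "tcp", 445),
}


def audit(rules: List[Rule]) -> dict:
    """Decision for every probe, so the two rule sets can be compared side by side."""
    return {name: evaluate(rules, *probe)[0] for name, probe in PROBES.items()}


if __name__ == "__main__":
    broken, fixed = audit(BROKEN_ACL), audit(FIXED_ACL)
    for name in PROBES:
        print(f"{name:10s} broken={broken[name]:6s} fixed={fixed[name]}")
```

The index returned by `evaluate` is the useful part of a review: in the broken set the NTP probe is decided by rule 3 (the permit-all) rather than by the network time rule, and the SQL probe is permitted by the same rule because the deny on the line above never matches TCP traffic. Moving the deny-all to the bottom is what lets the specific rules above it take effect.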
Question 308:
IT staff within a company often conduct remote desktop sharing sessions with vendors to troubleshoot vendor product-related issues. Drag and drop the following security controls to match the associated security concern. Options may be used once or not at all.
Select and Place:
Correct Answer:
Vendor may accidentally or maliciously make changes to the IT system: Allow view-only access.
With view-only access, the third party can view the desktop but cannot interact with it. In other words, they cannot control the keyboard or mouse to make any changes.
Desktop sharing traffic may be intercepted by network attackers: Use SSL for remote sessions.
SSL (Secure Sockets Layer) encrypts data in transit between computers. If an attacker intercepted the traffic, the data would be encrypted and therefore unreadable to the attacker.
No guarantees that shoulder surfing attacks are not occurring at the vendor: Identified control gap.
Shoulder surfing is where someone else gains information by looking at your computer screen. This should be identified as a risk. A control gap occurs when there are either insufficient or no actions taken to avoid or mitigate a significant risk.
Vendor may inadvertently see confidential material from the company such as email and IMs: Limit desktop session to certain windows.
The easiest way to prevent a third party from viewing your emails and IMs is to close the email and IM application windows for the duration of the desktop sharing session.