Exam Details

  • Exam Code: RC0-C02
  • Exam Name: CompTIA Advanced Security Practitioner (CASP) Recertification Exam for Continuing Education
  • Certification: CompTIA Advanced Security Practitioner
  • Vendor: CompTIA
  • Total Questions: 308 Q&As
  • Last Updated: May 14, 2024

CompTIA Advanced Security Practitioner RC0-C02 Questions & Answers

  • Question 41:

    An information security assessor for an organization finished an assessment that identified critical issues with the human resource new employee management software application. The assessor submitted the report to senior management but nothing has happened. Which of the following would be a logical next step?

    A. Meet the two key VPs and request a signature on the original assessment.

    B. Include specific case studies from other organizations in an updated report.

    C. Schedule a meeting with key human resource application stakeholders.

    D. Craft an RFP to begin finding a new human resource application.

  • Question 42:

    Customer Need:

    "We need the system to produce a series of numbers with no discernible mathematical progression for use by our Java based, PKI-enabled, customer facing website."

    Which of the following BEST restates the customer need?

    A. The system shall use a pseudo-random number generator seeded the same every time.

    B. The system shall generate a pseudo-random number upon invocation by the existing Java program.

    C. The system shall generate a truly random number based upon user PKI certificates.

    D. The system shall implement a pseudo-random number generator for use by corporate customers.

  • Question 43:

    The risk committee has endorsed the adoption of a security system development life cycle (SSDLC) designed to ensure compliance with PCI-DSS, HIPAA, and meet the organization's mission. Which of the following BEST describes the correct order of implementing a five phase SSDLC?

    A. Initiation, assessment/acquisition, development/implementation, operations/maintenance and sunset.

    B. Initiation, acquisition/development, implementation/assessment, operations/maintenance and sunset.

    C. Assessment, initiation/development, implementation/assessment, operations/maintenance and disposal.

    D. Acquisition, initiation/development, implementation/assessment, operations/maintenance and disposal.

  • Question 44:

    A facilities manager has observed varying electric use on the company's metered service lines. Facility management rarely interacts with the IT department unless new equipment is being delivered. However, the facilities manager thinks there is a correlation between spikes in electric use and IT department activity. Which of the following business processes and/or practices would provide better management of organizational resources in line with the IT department's needs? (Select TWO).

    A. Deploying a radio frequency identification tagging asset management system

    B. Designing a business resource monitoring system

    C. Hiring a property custodian

    D. Purchasing software asset management software

    E. Facility management participation on a change control board

    F. Rewriting the change board charter

    G. Implementation of change management best practices

  • Question 45:

    A company sales manager received a memo from the company's financial department which stated that the company would not be putting its software products through the same security testing as previous years to reduce the research and development cost by 20 percent for the upcoming year. The memo also stated that the marketing material and service level agreement for each product would remain unchanged. The sales manager has reviewed the sales goals for the upcoming year and identified an increased target across the software products that will be affected by the financial department's change. All software products will continue to go through new development in the coming year. Which of the following should the sales manager do to ensure the company stays out of trouble?

    A. Discuss the issue with the software product's user groups

    B. Consult the company's legal department on practices and law

    C. Contact senior finance management and provide background information

    D. Seek industry outreach for software practices and law

  • Question 46:

    A company has a difficult time communicating between the security engineers, application developers, and sales staff. The sales staff tends to overpromise the application deliverables. The security engineers and application developers are falling behind schedule. Which of the following should be done to solve this?

    A. Allow the sales staff to shadow the developers and engineers to see how their sales impact the deliverables.

    B. Allow the security engineering team to do application development so they understand why it takes so long.

    C. Allow the application developers to attend a sales conference so they understand how business is done.

    D. Allow the sales staff to learn application programming and security engineering so they understand the whole lifecycle.

  • Question 47:

    Within an organization, there is a known lack of governance for solution designs. As a result there are inconsistencies and varying levels of quality for the artifacts that are produced. Which of the following will help BEST improve this situation?

    A. Ensure that those producing solution artifacts are reminded at the next team meeting that quality is important.

    B. Introduce a peer review process that is mandatory before a document can be officially made final.

    C. Introduce a peer review and presentation process that includes a review board with representation from relevant disciplines.

    D. Ensure that appropriate representation from each relevant discipline approves of the solution documents before official approval.

  • Question 48:

    A manager who was attending an all-day training session was overdue entering bonus and payroll information for subordinates. The manager felt the best way to get the changes entered while in training was to log into the payroll system, and then activate desktop sharing with a trusted subordinate. The manager granted the subordinate control of the desktop thereby giving the subordinate full access to the payroll system. The subordinate did not have authorization to be in the payroll system. Another employee reported the incident to the security team. Which of the following would be the MOST appropriate method for dealing with this issue going forward?

    A. Provide targeted security awareness training and impose termination for repeat violators.

    B. Block desktop sharing and web conferencing applications and enable use only with approval.

    C. Actively monitor the data traffic for each employee using desktop sharing or web conferencing applications.

    D. Permanently block desktop sharing and web conferencing applications and do not allow their use at the company.

  • Question 49:

    A trust relationship has been established between two organizations with web based services. One organization is acting as the Requesting Authority (RA) and the other acts as the Provisioning Service Provider (PSP). Which of the following is correct about the trust relationship?

    A. The trust relationship uses SAML in the SOAP header. The SOAP body transports the SPML requests / responses.

    B. The trust relationship uses XACML in the SAML header. The SAML body transports the SOAP requests / responses.

    C. The trust relationship uses SPML in the SOAP header. The SOAP body transports the SAML requests / responses.

    D. The trust relationship uses SPML in the SAML header. The SAML body transports the SPML requests / responses.

  • Question 50:

    A security services company is scoping a proposal with a client. They want to perform a general security audit of their environment within a two-week period and consequently have the following requirements:

    Requirement 1: Ensure their server infrastructure operating systems are at their latest patch levels

    Requirement 2: Test the behavior between the application and database

    Requirement 3: Ensure that customer data cannot be exfiltrated

    Which of the following is the BEST solution to meet the above requirements?

    A. Penetration test, perform social engineering and run a vulnerability scanner

    B. Perform dynamic code analysis, penetration test and run a vulnerability scanner

    C. Conduct network analysis, dynamic code analysis, and static code analysis

    D. Run a protocol analyzer, perform static code analysis and vulnerability assessment

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important, and more and more enterprises require them when you apply for a job. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your RC0-C02 exam preparation or CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions.