CAS-003 : CompTIA Advanced Security Practitioner (CASP+) CAS-003 : Part 18
-
After an employee was terminated, the company discovered the employee still had access to emails and attached content that should have been destroyed during the off-boarding. The employee’s laptop and cell phone were confiscated and accounts were disabled promptly. Forensic investigation suggests the company’s DLP was effective, and the content in question was not sent outside of work or transferred to removable media. Personally owned devices are not permitted to access company systems or information.
Which of the following would be the MOST efficient control to prevent this from occurring in the future?
- Install application whitelist on mobile devices.
- Disallow side loading of applications on mobile devices.
- Restrict access to company systems to expected times of day and geographic locations.
- Prevent backup of mobile devices to personally owned computers.
- Perform unannounced insider threat testing on high-risk employees.
-
A cybersecurity consulting company supports a diverse customer base. Which of the following types of constraints is MOST important for the consultancy to consider when advising a regional healthcare provider versus a global conglomerate?
- Return on investment
- Regulatory standards
- Pre-existing service agreements
- Insider threats
-
A systems administrator has deployed the latest patches for Windows-based machines. However, the users on the network are experiencing exploits from various threat actors, which the patches should have corrected. Which of the following is the MOST likely scenario?
- The machines were infected with malware.
- The users did not reboot the computer after the patches were deployed.
- The systems administrator used invalid credentials to deploy the patches.
- The patches were deployed on non-Windows-based machines.
-
A newly hired Chief Information Security Officer (CISO) wants to understand how the organization’s CIRT handles issues brought to their attention, but needs to be very cautious about impacting any systems. The MOST appropriate method to use would be:
- an internal vulnerability assessment.
- a red-team threat-hunt exercise.
- a white-box penetration test.
- a guided tabletop exercise.
-
A systems analyst is concerned that the current authentication system may not provide the appropriate level of security. The company has integrated WAYF within its federation system and implemented a mandatory two-step authentication system. Some accounts are still becoming compromised via phishing attacks that redirect users to a fake portal, which is automatically collecting and replaying the stolen credentials. Which of the following is a technical solution that would BEST reduce the risk of similar compromises?
- Security awareness training
- Push-based authentication
- Software-based TOTP
- OAuth tokens
- Shibboleth
-
A security architect has designated that a server segment of an enterprise network will require each server to have secure and measured boot capabilities. The architect now wishes to ensure service consumers and peers can verify the integrity of hosted services. Which of the following capabilities must the architect consider for enabling the verification?
- Centralized attestation server
- Enterprise HSM
- vTPM
- SIEM
-
SIMULATION
As a security administrator, you are asked to harden a server running Red Hat Enterprise Server 5.5 64-bit.
This server is being used as a DNS and time server. It is not used as a database, web server, or print server. There are no wireless connections to the server, and it does not need to print.
The command window will be provided along with root access. You are connected via a secure shell with root access.
You may query help for a list of commands.
Instructions:
You need to disable and turn off unrelated services and processes.
It is possible to simulate a crash of your server session. The simulation can be reset, but the server cannot be rebooted. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
- For correct answers: see the explanation below
-
A company recently experienced a security incident in which its domain controllers were the target of a DoS attack. In which of the following steps should technicians connect domain controllers to the network and begin authenticating users again?
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons learned
-
A company uses an enterprise desktop imaging solution to manage deployment of its desktop computers. Desktop computer users are only permitted to use software that is part of the baseline image. Which of the following technical solutions was MOST likely deployed by the company to ensure only known-good software can be installed on corporate desktops?
- Network access control
- Configuration Manager
- Application whitelisting
- File integrity checks
-
A government contracting company issues smartphones to employees to enable access to corporate resources. Several employees will need to travel to a foreign country for business purposes and will require access to their phones. However, the company recently received intelligence that its intellectual property is highly desired by the same country’s government. Which of the following MDM configurations would BEST reduce the risk of compromise while on foreign soil?
- Disable firmware OTA updates.
- Disable location services.
- Disable push notification services.
- Disable wipe.
-
A Chief Information Security Officer (CISO) needs to create a policy set that meets international standards for data privacy and sharing. Which of the following should the CISO read and understand before writing the policies?
- PCI DSS
- GDPR
- NIST
- ISO 31000
-
A financial institution would like to store its customer data in a cloud but still allow the data to be accessed and manipulated while encrypted. Doing so would prevent the cloud service provider from being able to decipher the data due to its sensitivity. The financial institution is not concerned about computational overheads and slow speeds. Which of the following cryptographic techniques would BEST meet the requirement?
- Asymmetric
- Symmetric
- Homomorphic
- Ephemeral
-
A smart switch has the ability to monitor electrical levels and shut off power to a building in the event of power surge or other fault situation. The switch was installed on a wired network in a hospital and is monitored by the facilities department via a cloud application. The security administrator isolated the switch on a separate VLAN and set up a patching routine. Which of the following steps should also be taken to harden the smart switch?
- Set up an air gap for the switch.
- Change the default password for the switch.
- Place the switch in a Faraday cage.
- Install a cable lock on the switch.
-
Which of the following attacks can be used to exploit a vulnerability that was created by untrained users?
- A spear-phishing email with a file attachment
- A DoS using IoT devices
- An evil twin wireless access point
- A domain hijacking of a bank website
-
An organization is struggling to differentiate threats from normal traffic and access to systems. A security engineer has been asked to recommend a system that will aggregate data and provide metrics that will assist in identifying malicious actors or other anomalous activity throughout the environment. Which of the following solutions should the engineer recommend?
- Web application firewall
- SIEM
- IPS
- UTM
- File integrity monitor
-
Which of the following attacks can be mitigated by proper data retention policies?
- Dumpster diving
- Man-in-the-browser
- Spear phishing
- Watering hole
-
Which of the following may indicate a configuration item has reached end-of-life?
- The device will no longer turn on and indicates an error.
- The vendor has not published security patches recently.
- The object has been removed from the Active Directory.
- Logs show a performance degradation of the component.
-
The SOC is reviewing processes and procedures after a recent incident. The review indicates it took more than 30 minutes to determine that quarantining an infected host was the best course of action. This allowed the malware to spread to additional hosts before it was contained. Which of the following would be BEST to improve the incident response process?
- Updating the playbook with better decision points
- Dividing the network into trusted and untrusted zones
- Providing additional end-user training on acceptable use
- Implementing manual quarantining of infected hosts
-
A large industrial system’s smart generator monitors the system status and sends alerts to third-party maintenance personnel when critical failures occur. While reviewing the network logs, the company’s security manager notices the generator’s IP is sending packets to an internal file server’s IP. Which of the following mitigations would be BEST for the security manager to implement while maintaining alerting capabilities?
- Segmentation
- Firewall whitelisting
- Containment
- Isolation
-
Which of the following are the MOST likely vectors for the unauthorized or unintentional inclusion of vulnerable code in a software company’s final software releases? (Choose two.)
- Unsecure protocols
- Use of penetration-testing utilities
- Weak passwords
- Included third-party libraries
- Vendors/supply chain
- Outdated anti-malware software