cas-003 dumps comptia advanced security practitioner (casp)

100% Valid and Newest Version CAS-003 Questions & Answers shared by Certleader https://www.certleader.com/CAS-003-dumps.html (443 Q&As) CAS-003 Dumps CompTIA Advanced Security Practitioner (CASP) https://www.certleader.com/CAS-003-dumps.html The Leader of IT Certification visit - https://www.certleader.com

Post on 31-Jan-2022

3 views

Category:

Documents


0 download

TRANSCRIPT


NEW QUESTION 1
A security engineer is attempting to increase the randomness of numbers used in key generation in a system. The goal of the effort is to strengthen the keys against predictive analysis attacks. Which of the following is the BEST solution?

A. Use an entropy-as-a-service vendor to leverage larger entropy pools.
B. Loop multiple pseudo-random number generators in a series to produce larger numbers.
C. Increase key length by two orders of magnitude to detect brute forcing.
D. Shift key generation algorithms to an ECC algorithm.

Answer: A

NEW QUESTION 2
The Chief Information Officer (CIO) has been asked to develop a security dashboard with the relevant metrics. The board of directors will use the dashboard to monitor and track the overall security posture of the organization. The CIO produces a basic report containing both KPI and KRI data in two separate sections for the board to review. Which of the following BEST meets the needs of the board?

A. KRI:
- Compliance with regulations
- Backlog of unresolved security investigations
- Severity of threats and vulnerabilities reported by sensors
- Time to patch critical issues on a monthly basis
KPI:
- Time to resolve open security items
- % of suppliers with approved security control frameworks
- EDR coverage across the fleet
- Threat landscape rating

B. KRI:
- EDR coverage across the fleet
- Backlog of unresolved security investigations
- Time to patch critical issues on a monthly basis
- Threat landscape rating
KPI:
- Time to resolve open security items
- Compliance with regulations
- % of suppliers with approved security control frameworks
- Severity of threats and vulnerabilities reported by sensors

C. KRI:
- EDR coverage across the fleet
- % of suppliers with approved security control framework
- Backlog of unresolved security investigations
- Threat landscape rating
KPI:
- Time to resolve open security items
- Compliance with regulations
- Time to patch critical issues on a monthly basis
- Severity of threats and vulnerabilities reported by sensors

D. KPI:
- Compliance with regulations
- % of suppliers with approved security control frameworks
- Severity of threats and vulnerabilities reported by sensors
- Threat landscape rating
KRI:
- Time to resolve open security items
- Backlog of unresolved security investigations
- EDR coverage across the fleet
- Time to patch critical issues on a monthly basis

Answer: A

NEW QUESTION 3
The Chief Executive Officer (CEO) of a small startup company has an urgent need for a security policy and assessment to address governance, risk management, and compliance. The company has a resource-constrained IT department, but has no information security staff. The CEO has asked for this to be completed in three months. Which of the following would be the MOST cost-effective solution to meet the company's needs?

A. Select one of the IT personnel to obtain information security training, and then develop all necessary policies and documents in-house.
B. Accept all risks associated with information security, and then bring up the issue again at next year's annual board meeting.
C. Release an RFP to consultancy firms, and then select the most appropriate consultant who can fulfill the requirements.
D. Hire an experienced, full-time information security team to run the startup company's information security department.

Answer: C

NEW QUESTION 4
An administrator is working with management to develop policies related to the use of the cloud-based resources that contain corporate data. Management plans to require some control over organizational data stored on personal devices, such as tablets. Which of the following controls would BEST support management's policy?

A. MDM
B. Sandboxing
C. Mobile tokenization
D. FDE
E. MFA

Answer: A

NEW QUESTION 5
A consulting firm was hired to conduct an assessment for a company. During the first stage, a penetration tester used a tool that provided the following output:
TCP 80 open
TCP 443 open
TCP 1434 filtered
The penetration tester then used a different tool to make the following requests:
GET /script/login.php?token=45$MHT000MND876
GET /script/login.php?token=@#984DCSPQ%091DF
Which of the following tools did the penetration tester use?

A. Protocol analyzer
B. Port scanner
C. Fuzzer
D. Brute forcer
E. Log analyzer
F. HTTP interceptor

Answer: C


NEW QUESTION 6
A company has adopted and established a continuous-monitoring capability, which has proven to be effective in vulnerability management, diagnostics, and mitigation. The company wants to increase the likelihood that it is able to discover and therefore respond to emerging threats earlier in the life cycle. Which of the following methodologies would BEST help the company to meet this objective? (Choose two.)

A. Install and configure an IPS.
B. Enforce routine GPO reviews.
C. Form and deploy a hunt team.
D. Institute heuristic anomaly detection.
E. Use a protocol analyzer with appropriate connectors.

Answer: CD

Explanation: An IPS is a preventive control driven largely by known signatures and does not move discovery earlier in the threat life cycle. A hunt team proactively searches for indicators that automated monitoring has missed, and heuristic anomaly detection flags behaviour for which no signature exists yet, so C and D best address emerging threats.

NEW QUESTION 7
An administrator wants to install a patch to an application.
INSTRUCTIONS
Given the scenario, download, verify, and install the patch in the most secure manner. The last install that is completed will be the final submission. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Answer (simulation; the link to use may vary in the actual exam):
1. The first link returned an error when opened, so it should not be used.
2. Two of the link choices used HTTP rather than HTTPS, which is visible when hovering over the links. Since the patch must be obtained in the most secure manner possible, they should not be used either.
3. Use the second link (HTTPS), then run the MD5sum utility on the downloaded install.exe and make sure the hash matches the value published with the patch.
4. Type install.exe to install it and make sure there are no signature verification errors.

NEW QUESTION 8
DRAG DROP
Drag and drop the cloud deployment model to the associated use-case scenario. Options may be used only once or not at all.

NEW QUESTION 9
Given the following output from a local PC:

Which of the following ACLs on a stateful host-based firewall would allow the PC to serve an intranet website?

A. Allow 172.30.0.28:80 -> ANY
B. Allow 172.30.0.28:80 -> 172.30.0.0/16
C. Allow 172.30.0.28:80 -> 172.30.0.28:443
D. Allow 172.30.0.28:80 -> 172.30.0.28:53

Answer: B

NEW QUESTION 10
A security engineer is designing a system in which offshore, outsourced staff can push code from the development environment to the production environment securely. The security engineer is concerned with data loss, while the business does not want to slow down its development process. Which of the following solutions BEST balances security requirements with business need?

A. Set up a VDI environment that prevents copying and pasting to the local workstations of outsourced staff members.
B. Install a client-side VPN on the staff laptops and limit access to the development network.
C. Create an IPSec VPN tunnel from the development network to the office of the outsourced staff.
D. Use online collaboration tools to initiate workstation-sharing sessions with local staff who have access to the development network.

Answer: A

Explanation: The stated concern is data loss through the offshore staff. A VDI environment keeps the code inside the controlled environment and blocks copy and paste to local workstations, while the outsourced staff can still push code without an intermediary. Client VPNs and a site-to-site IPSec tunnel (B, C) move the data onto the remote network, and screen-sharing with local staff (D) slows every push and still exposes the code.

NEW QUESTION 10
A recent penetration test identified that a web server has a major vulnerability. The web server hosts a critical shipping application for the company and requires 99.99% availability. Attempts to fix the vulnerability would likely break the application. The shipping application is due to be replaced in the next three months. Which of the following would BEST secure the web server until the replacement web server is ready?

A. Patch management
B. Antivirus
C. Application firewall
D. Spam filters
E. HIDS

Answer: C

Explanation: Patching would break the application, and the server must stay available for three months. An application (web application) firewall can block exploitation attempts against the known vulnerability without modifying the server. A HIDS only detects activity; it does not secure the server.

NEW QUESTION 13
To prepare for an upcoming audit, the Chief Information Security Officer (CISO) asks for all 1200 vulnerabilities on production servers to be remediated. The security engineer must determine which vulnerabilities represent real threats that can be exploited so resources can be prioritized to mitigate the most dangerous risks. The CISO wants the security engineer to act in the same manner as would an external threat, while using vulnerability scan results to prioritize any actions. Which of the following approaches is described?

A. Blue team
B. Red team
C. Black box
D. White team

Answer: B

Explanation: The engineer is asked to behave as an external adversary would and attempt to exploit the production servers to find which vulnerabilities are actually exploitable; that is a red-team engagement. "Black box" describes a tester with no prior knowledge of the target, which does not fit here because the vulnerability scan results are used to prioritize the work.

NEW QUESTION 16
A security incident responder discovers an attacker has gained access to a network and has overwritten key system files with backdoor software. The server was reimaged and patched offline. Which of the following tools should be implemented to detect similar attacks?

A. Vulnerability scanner
B. TPM
C. Host-based firewall
D. File integrity monitor
E. NIPS

Answer: D

Explanation: The attack was the modification of key system files, and only a file integrity monitor detects that: it baselines file hashes and alerts when a monitored file is replaced or changed. A host-based firewall controls network connections and would not have noticed the overwritten files.

NEW QUESTION 17
An internal penetration tester was assessing a recruiting page for potential issues before it was pushed to the production website. The penetration tester discovers an issue that must be corrected before the page goes live. The web host administrator collects the log files below and gives them to the development team so improvements can be made to the security design of the website.

Which of the following types of attack vector did the penetration tester use?

A. SQLi
B. CSRF
C. Brute force
D. XSS
E. TOC/TOU

Answer: B

NEW QUESTION 21
A user workstation was infected with a new malware variant as a result of a drive-by download. The security administrator reviews key controls on the infected workstation and discovers the following:

Which of the following would BEST prevent the problem from reoccurring in the future? (Choose two.)

A. Install HIPS
B. Enable DLP
C. Install EDR
D. Install HIDS
E. Enable application blacklisting
F. Improve patch management processes

Answer: BE

NEW QUESTION 24
After investigating virus outbreaks that have cost the company $1,000 per incident, the company's Chief Information Security Officer (CISO) has been researching new antivirus software solutions to use and be fully supported for the next two years. The CISO has narrowed down the potential solutions to four candidates that meet all the company's performance and capability requirements:

Using the table above, which of the following would be the BEST business-driven choice among five possible solutions?

A. Product A
B. Product B
C. Product C
D. Product D
E. Product E

Answer: E

NEW QUESTION 25
A company monitors the performance of all web servers using WMI. A network administrator informs the security engineer that web servers hosting the company's client-facing portal are running slowly today. After some investigation, the security engineer notices a large number of attempts at enumerating host information via SNMP from multiple IP addresses. Which of the following would be the BEST technique for the security engineer to employ in an attempt to prevent reconnaissance activity?

A. Install a HIPS on the web servers
B. Disable inbound traffic from offending sources
C. Disable SNMP on the web servers
D. Install anti-DDoS protection in the DMZ

Answer: C

Explanation: Monitoring is performed over WMI, so SNMP serves no purpose on these web servers. Disabling it removes the reconnaissance channel entirely. Blocking the offending sources (B) only works until the attacker changes addresses, and HIPS or anti-DDoS products do not stop information disclosure through a service that is legitimately enabled.

NEW QUESTION 29
One of the objectives of a bank is to instill a security awareness culture. Which of the following are techniques that could help to achieve this? (Choose two.)

A. Blue teaming
B. Phishing simulations
C. Lunch-and-learn
D. Random audits
E. Continuous monitoring
F. Separation of duties

Answer: BC

Explanation: Phishing simulations and lunch-and-learn sessions engage staff directly and build awareness. Continuous monitoring, separation of duties and audits are technical or procedural controls rather than awareness techniques.

NEW QUESTION 32
An insurance company has two million customers and is researching the top transactions on its customer portal. It identifies that the top transaction is currently password reset. Due to users not remembering their secret questions, a large number of calls are consequently routed to the contact center for manual password resets. The business wants to develop a mobile application to improve customer engagement in the future, continue with a single factor of authentication, minimize management overhead of the solution, remove passwords, and eliminate calls to the contact center. Which of the following techniques would BEST meet the requirements? (Choose two.)

A. Magic link sent to an email address
B. Customer ID sent via push notification
C. SMS with OTP sent to a mobile number
D. Third-party social login
E. Certificate sent to be installed on a device
F. Hardware tokens sent to customers

Answer: CE

NEW QUESTION 37
A security engineer has implemented an internal user access review tool so service teams can baseline user accounts and group memberships. The tool is functional and popular among its initial set of onboarded teams. However, the tool has not been built to cater to a broader set of internal teams yet. The engineer has sought feedback from internal stakeholders, and a list of summarized requirements is as follows:
- The tool needs to be responsive so service teams can query it, and then perform an automated response action.
- The tool needs to be resilient to outages so service teams can perform the user access review at any point in time and meet their own SLAs.
- The tool will become the system-of-record for approval, reapproval, and removal life cycles of group memberships and must allow for data retrieval after failure.
Which of the following need specific attention to meet the requirements listed above? (Choose three.)

A. Scalability
B. Latency
C. Availability
D. Usability
E. Recoverability
F. Maintainability

Answer: BCE

NEW QUESTION 41
The board of a financial services company has requested that the senior security analyst acts as a cybersecurity advisor in order to comply with recent federal legislation. The analyst is required to give a report on current cybersecurity and threat trends in the financial services industry at the next board meeting. Which of the following would be the BEST methods to prepare this report? (Choose two.)

A. Review the CVE database for critical exploits over the past year
B. Use social media to contact industry analysts
C. Use intelligence gathered from Internet relay chat channels
D. Request information from security vendors and government agencies
E. Perform a penetration test of the competitor's network and share the results with the board

Answer: AD

NEW QUESTION 43
The Chief Information Security Officer (CISO) has asked the security team to determine whether the organization is susceptible to a zero-day exploit utilized in the banking industry and whether attribution is possible. The CISO has asked what process would be utilized to gather the information, and then wants to apply signatureless controls to stop these kinds of attacks in the future. Which of the following are the MOST appropriate ordered steps to take to meet the CISO's request?

A.
1. Perform the ongoing research of the best practices
2. Determine current vulnerabilities and threats
3. Apply Big Data techniques
4. Use antivirus control

B.
1. Apply artificial intelligence algorithms for detection
2. Inform the CERT team
3. Research threat intelligence and potential adversaries
4. Utilize threat intelligence to apply Big Data techniques

C.
1. Obtain the latest IOCs from the open source repositories
2. Perform a sweep across the network to identify positive matches
3. Sandbox any suspicious files
4. Notify the CERT team to apply a future-proof threat model

D.
1. Analyze the current threat intelligence
2. Utilize information sharing to obtain the latest industry IOCs
3. Perform a sweep across the network to identify positive matches
4. Apply machine learning algorithms

Answer: D

Explanation: The request has three parts: establish susceptibility and attribution (analyze current threat intelligence and obtain industry IOCs through information sharing), find positive matches (sweep the network), and then apply signatureless controls (machine learning based detection). Option C ends with notifying the CERT team rather than applying any signatureless control, and antivirus (A) is signature-based.

NEW QUESTION 46
Management is reviewing the results of a recent risk assessment of the organization's policies and procedures. During the risk assessment it is determined that procedures associated with background checks have not been effectively implemented. In response to this risk, the organization elects to revise policies and procedures related to background checks and use a third party to perform background checks on all new employees. Which of the following risk management strategies has the organization employed?

A. Transfer
B. Mitigate
C. Accept
D. Avoid
E. Reject

Answer: B

NEW QUESTION 51
A security engineer must establish a method to assess compliance with company security policies as they apply to the unique configuration of individual endpoints, as well as to the shared configuration policies of common devices.

Which of the following tools is the security engineer using to produce the above output?

A. Vulnerability scanner
B. SIEM
C. Port scanner
D. SCAP scanner

Answer: D

Explanation: A SCAP (Security Content Automation Protocol) scanner evaluates a host's configuration against machine-readable policy baselines (XCCDF checklists and OVAL definitions), which is exactly assessing configuration compliance for individual endpoints and for common device classes. A SIEM aggregates and correlates log events; it does not assess endpoint configuration.

NEW QUESTION 55
A newly hired systems administrator is trying to connect a new and fully updated, but very customized, Android device to access corporate resources. However, the MDM enrollment process continually fails. The administrator asks a security team member to look into the issue. Which of the following is the MOST likely reason the MDM is not allowing enrollment?

A. The OS version is not compatible
B. The OEM is prohibited
C. The device does not support FDE
D. The device is rooted

Answer: D

NEW QUESTION 56
A hospital uses a legacy electronic medical record system that requires multicast for traffic between the application servers and databases on virtual hosts that support segments of the application. Following a switch upgrade, the electronic medical record is unavailable despite physical connectivity between the hypervisor and the storage being in place. The network team must enable multicast traffic to restore access to the electronic medical record. The ISM states that the network team must reduce the footprint of multicast traffic on the network.

Using the above information, on which VLANs should multicast be enabled?

A. VLAN201, VLAN202, VLAN400
B. VLAN201, VLAN202, VLAN700
C. VLAN201, VLAN202, VLAN400, VLAN680, VLAN700
D. VLAN400, VLAN680, VLAN700

Answer: D

NEW QUESTION 59
An organization is preparing to develop a business continuity plan. The organization is required to meet regulatory requirements relating to confidentiality and availability, which are well-defined. Management has expressed concern following initial meetings that the organization is not fully aware of the requirements associated with the regulations. Which of the following would be MOST appropriate for the project manager to solicit additional resources for during this phase of the project?

A. After-action reports
B. Gap assessment
C. Security requirements traceability matrix
D. Business impact assessment
E. Risk analysis

Answer: B

NEW QUESTION 61
A security architect is implementing security measures in response to an external audit that found vulnerabilities in the corporate collaboration tool suite. The report identified the lack of any mechanism to provide confidentiality for electronic correspondence between users and between users and group mailboxes. Which of the following controls would BEST mitigate the identified vulnerability?

A. Issue digital certificates to all users, including owners of group mailboxes, and enable S/MIME
B. Federate with an existing PKI provider, and reject all non-signed emails
C. Implement two-factor email authentication, and require users to hash all email messages upon receipt
D. Provide digital certificates to all systems, and eliminate the user group or shared mailboxes

Answer: A

NEW QUESTION 63
Which of the following BEST represents a risk associated with merging two enterprises during an acquisition?

A. The consolidation of two different IT enterprises increases the likelihood of data loss because there are now two backup systems
B. Integrating two different IT systems might result in a successful data breach if threat intelligence is not shared between the two enterprises
C. Merging two enterprise networks could result in an expanded attack surface and could cause outages if trust and permission issues are not handled carefully
D. Expanding the set of data owners requires an in-depth review of all data classification decisions, impacting availability during the review

Answer: C

NEW QUESTION 67
Two competing companies experienced similar attacks on their networks from various threat actors. To improve response times, the companies wish to share some threat intelligence about the sources and methods of attack. Which of the following business documents would be BEST to document this engagement?

A. Business partnership agreement
B. Memorandum of understanding
C. Service-level agreement
D. Interconnection security agreement

Answer: B

Explanation: An MOU documents a voluntary, cooperative arrangement such as sharing threat intelligence between organizations. An ISA governs the technical security requirements of a direct system-to-system interconnection, which is not being established here, and a BPA or SLA implies a commercial relationship between the parties.

NEW QUESTION 70
A software development team has spent the last 18 months developing a new web-based front-end that will allow clients to check the status of their orders as they proceed through manufacturing. The marketing team schedules a launch party to present the new application to the client base in two weeks. Before the launch, the security team discovers numerous flaws that may introduce dangerous vulnerabilities, allowing direct access to a database used by manufacturing. The development team did not plan to remediate these vulnerabilities during development. Which of the following SDLC best practices should the development team have followed?

A. Implementing regression testing
B. Completing user acceptance testing
C. Verifying system design documentation
D. Using a SRTM

Answer: D

NEW QUESTION 74
An engineer maintains a corporate-owned mobility infrastructure, and the organization requires that all web browsing using corporate-owned resources be monitored. Which of the following would allow the organization to meet its requirement? (Choose two.)

A. Exempt mobile devices from the requirement, as this will lead to privacy violations
B. Configure the devices to use an always-on IPSec VPN
C. Configure all management traffic to be tunneled into the enterprise via TLS
D. Implement a VDI solution and deploy supporting client apps to devices
E. Restrict application permissions to establish only HTTPS connections outside of the enterprise boundary

Answer: BD

Explanation: An always-on VPN routes all device traffic through the enterprise, where web browsing can be inspected, and a VDI solution keeps the browsing inside an enterprise-hosted desktop. Tunneling only management traffic (C) leaves user browsing unmonitored, and restricting apps to HTTPS (E) changes nothing about monitoring.

NEW QUESTION 79
After multiple service interruptions caused by an older datacenter design, a company decided to migrate away from its datacenter. The company has successfully completed the migration of all datacenter servers and services to a cloud provider. The migration project includes the following phases:
- Selection of a cloud provider
- Architectural design
- Microservice segmentation
- Virtual private cloud
- Geographic service redundancy
- Service migration
The Chief Information Security Officer (CISO) is still concerned with the availability requirements of critical company applications. Which of the following should the company implement NEXT?

A. Multicloud solution
B. Single-tenancy private cloud
C. Hybrid cloud solution
D. Cloud access security broker

Answer: A

Explanation: The company already has a virtual private cloud, microservice segmentation and geographic redundancy, all within a single provider. The remaining single point of failure for availability is the provider itself, so a multicloud solution is the next step. A CASB addresses visibility and data protection for cloud services, not availability.

NEW QUESTION 82
Legal authorities notify a company that its network has been compromised for the second time in two years. The investigation shows the attackers were able to use the same vulnerability on different systems in both attacks. Which of the following would have allowed the security team to use historical information to protect against the second attack?

A. Key risk indicators
B. Lessons learned
C. Recovery point objectives
D. Tabletop exercise

Answer: B

Explanation: A lessons-learned review after the first incident records the exploited vulnerability and the remediation required, so the same weakness can be fixed on every affected system rather than only on the one that was breached. KRIs, RPOs and tabletop exercises do not feed the findings of one incident into protection against the next.

NEW QUESTION 87
A web developer has implemented HTML5 optimizations into a legacy web application. One of the modifications the web developer made was the following client-side optimization:
localStorage.setItem("session-cookie", document.cookie);
Which of the following should the security engineer recommend?

A. SessionStorage should be used so authorized cookies expire after the session ends
B. Cookies should be marked as "secure" and "HttpOnly"
C. Cookies should be scoped to a relevant domain/path
D. Client-side cookies should be replaced by server-side mechanisms

Answer: B

Explanation: The line copies document.cookie, including the session cookie, into localStorage, where it persists across sessions and is readable by any script running on the origin, for example script injected through XSS. Marking the session cookie HttpOnly keeps it out of document.cookie altogether, so the copy cannot happen, and Secure keeps it off plaintext HTTP. Scoping (C) and the choice of storage (A) do not address script access to the cookie.

NEW QUESTION 92
During a security event investigation, a junior analyst fails to create an image of a server's hard drive before removing the drive and sending it to the forensics analyst. Later, the evidence from the analysis is not usable in the prosecution of the attackers due to the uncertainty of tampering. Which of the following should the junior analyst have followed?

A. Continuity of operations
B. Chain of custody
C. Order of volatility
D. Data recovery

Answer: B

Explanation: The evidence was rejected because its handling could not be shown to be free of tampering. Chain of custody requires documenting who handled the evidence, when, and how it was preserved, and taking a verified forensic image before the original drive is handled is part of that process. Order of volatility concerns the sequence in which volatile data is collected, not the admissibility of a drive.

NEW QUESTION 96
A company contracts a security engineer to perform a penetration test of its client-facing web portal. Which of the following activities would be MOST appropriate?

A. Use a protocol analyzer against the site to see if data input can be replayed from the browser
B. Scan the website through an interception proxy and identify areas for code injection
C. Scan the site with a port scanner to identify vulnerable services running on the web server
D. Use network enumeration tools to identify if the server is running behind a load balancer

Answer: B

Explanation: The target is the web portal itself. An interception proxy lets the tester inspect and modify every request and response to find injection points in the application. A port scanner and network enumeration tools assess the host and network rather than the application, and a protocol analyzer only observes traffic passively.

NEW QUESTION 97
A large enterprise with thousands of users is experiencing a relatively high frequency of malicious activity from insider threats. Much of the activity appears to involve internal reconnaissance that results in targeted attacks against privileged users and network file shares. Given this scenario, which of the following would MOST likely prevent or deter these attacks? (Choose two.)

A. Conduct role-based training for privileged users that highlights common threats against them and covers best practices to thwart attacks
B. Increase the frequency at which host operating systems are scanned for vulnerabilities, and decrease the amount of time permitted between vulnerability identification and the application of corresponding patches
C. Enforce command shell restrictions via group policies for all workstations by default to limit which native operating system tools are available for use
D. Modify the existing rules of behavior to include an explicit statement prohibiting users from enumerating user and file directories using available tools and/or accessing visible resources that do not directly pertain to their job functions
E. For all workstations, implement full-disk encryption and configure UEFI instances to require complex passwords for authentication
F. Implement application blacklisting enforced by the operating systems of all machines in the enterprise

Answer: CD

NEW QUESTION 102
A software development manager is running a project using agile development methods. The company cybersecurity engineer has noticed a high number of vulnerabilities have been making it into production code on the project. Which of the following methods could be used in addition to an integrated development environment to reduce the severity of the issue?

A. Conduct a penetration test on each function as it is developed
B. Develop a set of basic checks for common coding errors
C. Adopt a waterfall method of software development
D. Implement unit tests that incorporate static code analyzers

Answer: D

NEW QUESTION 104
Exhibit:

Answer:
Step 1: Verify that the certificate is valid. In case of any warning message, cancel the download.
Step 2: If there is no certificate issue, download the file to your system.
Step 3: Calculate the hash value of the downloaded file.
Step 4: Match the hash value of the downloaded file with the one shown on the website.
Step 5: Install the file if the hash value matches.

Explanation: The hash of the downloaded file has to be calculated locally before it can be compared with the value on the website; a sequence that skips that step never actually verifies the download.


NEW QUESTION 107
To meet an SLA, which of the following documents should be drafted, defining the company's internal interdependent unit responsibilities and delivery timelines?

A. BPA
B. OLA
C. MSA
D. MOU

Answer: B

Explanation: An OLA is an agreement between the internal support groups of an institution that supports an SLA. According to the Operational Level Agreement, each internal support group has certain responsibilities to the other groups. The OLA clearly depicts the performance and relationship of the internal service groups. The main objective of the OLA is to ensure that all the support groups together deliver the intended Service Level Agreement.

NEW QUESTION 108
An organization has established the following controls matrix:

The following control sets have been defined by the organization and are applied in aggregate fashion: Systems containing PII are protected with the minimum control set. Systems containing medical data are protected at the moderate level. Systems containing cardholder data are protected at the high level. The organization is preparing to deploy a system that protects the confidentiality of a database containing PII and medical data from clients. Based on the controls classification, which of the following controls would BEST meet these requirements?

A. Proximity card access to the server room, context-based authentication, UPS, and full-disk encryption for the database server.
B. Cipher lock on the server room door, FDE, surge protector, and static analysis of all application code.
C. Peer review of all application changes, static analysis of application code, UPS, and penetration testing of the complete system.
D. Intrusion detection capabilities, network-based IPS, generator, and context-based authentication.

Answer: D

NEW QUESTION 110
A company’s existing forward proxies support software-based TLS decryption, but are currently at 60% load just dealing with AV scanning and content analysis for HTTP traffic. More than 70% of outbound web traffic is currently encrypted. The switching and routing network infrastructure precludes adding capacity, preventing the installation of a dedicated TLS decryption system. The network firewall infrastructure is currently at 30% load and has software decryption modules that can be activated by purchasing additional license keys. An existing project is rolling out agent updates to end-user desktops as part of an endpoint security refresh. Which of the following is the BEST way to address these issues and mitigate risks to the organization?

A. Purchase the SSL decryption license for the firewalls and route traffic back to the proxies for end-user categorization and malware analysis.
B. Roll out application whitelisting to end-user desktops and decommission the existing proxies, freeing up network ports.
C. Use an EDP solution to address the malware issue and accept the diminishing role of the proxy for URL categorization in the short term.
D. Accept the current risk and seek possible funding approval in the next budget cycle to replace the existing proxies with ones with more capacity.

Answer: B

NEW QUESTION 112
A network engineer is attempting to design in resiliency characteristics for an enterprise network’s VPN services. If the engineer wants to help ensure some resilience against zero-day vulnerabilities exploited against the VPN implementation, which of the following decisions would BEST support this objective?

A. Implement a reverse proxy for VPN traffic that is defended and monitored by the organization’s SOC with near-real-time alerting to administrators.
B. Subscribe to a managed service provider capable of supporting the mitigation of advanced DDoS attacks on the enterprise’s pool of VPN concentrators.
C. Distribute the VPN concentrators across multiple systems at different physical sites to ensure some backup services are available in the event of primary site loss.
D. Employ a second VPN layer concurrently where the other layer’s cryptographic implementation is sourced from a different vendor.

Answer: D

NEW QUESTION 114
A Chief Information Security Officer (CISO) is reviewing and revising system configuration and hardening guides that were developed internally and have been used for several years to secure the organization’s systems. The CISO knows improvements can be made to the guides. Which of the following would be the BEST source of reference during the revision process?

A. CVE database
B. Internal security assessment reports
C. Industry-accepted standards
D. External vulnerability scan reports
E. Vendor-specific implementation guides

Answer: A

NEW QUESTION 118
Legal counsel has notified the information security manager of a legal matter that will require the preservation of electronic records for 2000 sales force employees. Source records will be email, PC, network shares, and applications. After all restrictions have been lifted, which of the following should the information manager review?

A. Data retention policy
B. Legal hold
C. Chain of custody
D. Scope statement

Answer: B

NEW QUESTION 121
A new cluster of virtual servers has been set up in a lab environment and must be audited before being allowed on the production network. The security manager needs to ensure unnecessary services are disabled and all system accounts are using strong credentials. Which of the following tools should be used? (Choose two.)

A. Fuzzer
B. SCAP scanner
C. Packet analyzer
D. Password cracker
E. Network enumerator
F. SIEM

Answer: BF

NEW QUESTION 126
During a security assessment, activities were divided into two phases: internal and external exploitation. The security assessment team set a hard time limit on external activities before moving to a compromised box within the enterprise perimeter. Which of the following methods is the assessment team most likely to employ NEXT?

A. Pivoting from the compromised box, moving laterally through the enterprise, and trying to exfiltrate data and compromise devices.
B. Conducting a social engineering attack attempt with the goal of accessing the compromised box physically.
C. Exfiltrating network scans from the compromised box as a precursor to social media reconnaissance.
D. Open-source intelligence gathering to identify the network perimeter and scope to enable further system compromises.

Answer: A

NEW QUESTION 128
While attending a meeting with the human resources department, an organization’s information security officer sees an employee using a username and password written on a memo pad to log into a specific service. When the information security officer inquires further as to why passwords are being written down, the response is that there are too many passwords to remember for all the different services the human resources department is required to use. Additionally, each password has specific complexity requirements and different expiration time frames. Which of the following would be the BEST solution for the information security officer to recommend?

A. Utilizing MFA
B. Implementing SSO
C. Deploying 802.1X
D. Pushing SAML adoption
E. Implementing TACACS

Answer: B

NEW QUESTION 129
A security administrator wants to implement two-factor authentication for network switches and routers. The solution should integrate with the company’s RADIUS server, which is used for authentication to the network infrastructure devices. The security administrator implements the following:
An HOTP service is installed on the RADIUS server.
The RADIUS server is configured to require the HOTP service for authentication.
The configuration is successfully tested using a software supplicant and enforced across all network devices.
Network administrators report they are unable to log onto the network devices because they are not being prompted for the second factor. Which of the following should be implemented to BEST resolve the issue?

A. Replace the password requirement with the second factor. Network administrators will enter their username and then enter the token in place of their password in the password field.
B. Configure the RADIUS server to accept the second factor appended to the password. Network administrators will enter a password followed by their token in the password field.
C. Reconfigure network devices to prompt for username, password, and a token. Network administrators will enter their username and password, and then they will enter the token.
D. Install a TOTP service on the RADIUS server in addition to the HOTP service. Use the HOTP on older devices that do not support two-factor authentication. Network administrators will use a web portal to log onto these devices.

Answer: B

NEW QUESTION 134
A security analyst is attempting to break into a client’s secure network. The analyst was not given prior information about the client, except for a block of public IP addresses that are currently in use. After network enumeration, the analyst’s NEXT step is to perform:

A. a gray-box penetration test
B. a risk analysis
C. a vulnerability assessment
D. an external security audit
E. a red team exercise

Answer: A

NEW QUESTION 135
Which of the following is an external pressure that causes companies to hire security assessors and penetration testers?

A. Lack of adequate in-house testing skills
B. Requirements for geographically based assessments
C. Cost reduction measures
D. Regulatory insistence on independent review

Answer: D

NEW QUESTION 140
The marketing department has developed a new marketing campaign involving significant social media outreach. The campaign includes allowing employees and customers to submit blog posts and pictures of their day-to-day experiences at the company. The information security manager has been asked to provide an informative letter to all participants regarding the security risks and how to avoid privacy and operational security issues. Which of the following is the MOST important information to reference in the letter?

A. After-action reports from prior incidents
B. Social engineering techniques
C. Company policies and employee NDAs
D. Data classification processes

Answer: C

NEW QUESTION 142
A systems administrator has installed a disk wiping utility on all computers across the organization and configured it to perform a seven-pass wipe and an additional pass to overwrite the disk with zeros. The company has also instituted a policy that requires users to erase files containing sensitive information when they are no longer needed. To ensure the process provides the intended results, an auditor reviews the following content from a randomly selected decommissioned hard disk:

Which of the following should be included in the auditor’s report based on the above findings?

A. The hard disk contains bad sectors.
B. The disk has been degaussed.
C. The data represents part of the disk BIOS.
D. Sensitive data might still be present on the hard drive.

Answer: A

NEW QUESTION 145
The Chief Information Officer (CISO) is concerned that certain systems administrators with privileged access may be reading other users’ emails. Review of a tool’s output shows the administrators have used web mail to log into other users’ inboxes. Which of the following tools would show this type of output?

A. Log analysis tool
B. Password cracker
C. Command-line tool
D. File integrity monitoring tool

Answer: A

NEW QUESTION 150
The director of sales asked the development team for some small changes to increase the usability of an application used by the sales team. Prior security reviews of the code showed no significant vulnerabilities, and since the changes were small, they were given a peer review and then pushed to the live environment. Subsequent vulnerability scans now show numerous flaws that were not present in the previous versions of the code. Which of the following is an SDLC best practice that should have been followed?

A. Versioning
B. Regression testing
C. Continuous integration
D. Integration testing

Answer: B

NEW QUESTION 151
An organization is engaged in international business operations and is required to comply with various legal frameworks. In addition to changes in legal frameworks, which of the following is a primary purpose of a compliance management program?

A. Following new requirements that result from contractual obligations
B. Answering requests from auditors that relate to e-discovery
C. Responding to changes in regulatory requirements
D. Developing organizational policies that relate to hiring and termination procedures

Answer: C

NEW QUESTION 154
Company.org has requested a black-box security assessment be performed on key cyber terrain. One area of concern is the company’s SMTP services. The security assessor wants to run reconnaissance before taking any additional action and wishes to determine which SMTP server is Internet-facing. Which of the following commands should the assessor use to determine this information?

A. dnsrecon -d company.org -t SOA
B. dig company.org mx
C. nc -v company.org
D. whois company.org

Answer: A

NEW QUESTION 155
A company has gone through a round of phishing attacks. More than 200 users have had their workstations infected because they clicked on a link in an email. An incident analysis has determined an executable ran and compromised the administrator account on each workstation. Management is demanding the information security team prevent this from happening again. Which of the following would BEST prevent this from happening again?

A. Antivirus
B. Patch management
C. Log monitoring
D. Application whitelisting
E. Awareness training

Answer: A

NEW QUESTION 157
A managed service provider is designing a log aggregation service for customers who no longer want to manage an internal SIEM infrastructure. The provider expects that customers will send all types of logs to them, and that log files could contain very sensitive entries. Customers have indicated they want on-premises and cloud-based infrastructure logs to be stored in this new service. An engineer, who is designing the new service, is deciding how to segment customers. Which of the following is the BEST statement for the engineer to take into consideration?

A. Single-tenancy is often more expensive and has less efficient resource utilization. Multi-tenancy may increase the risk of cross-customer exposure in the event of service vulnerabilities.
B. The managed service provider should outsource security of the platform to an existing cloud company. This will allow the new log service to be launched faster and with well-tested security controls.
C. Due to the likelihood of large log volumes, the service provider should use a multi-tenancy model for the data storage tier, enable data deduplication for storage cost efficiencies, and encrypt data at rest.
D. The most secure design approach would be to give customers on-premises appliances, install agents on endpoints, and then remotely manage the service via a VPN.

Answer: A

NEW QUESTION 158
At a meeting, the systems administrator states the security controls a company wishes to implement seem excessive, since all of the information on the company’s web servers can be obtained publicly and is not proprietary in any way. The next day the company’s website is defaced as part of an SQL injection attack, and the company receives press inquiries about the message the attackers displayed on the website. Which of the following is the FIRST action the company should take?

A. Refer to and follow procedures from the company’s incident response plan.
B. Call a press conference to explain that the company has been hacked.
C. Establish chain of custody for all systems to which the systems administrator has access.
D. Conduct a detailed forensic analysis of the compromised system.
E. Inform the communications and marketing department of the attack details.

Answer: A


NEW QUESTION 159
A user asks a security practitioner for recommendations on securing a home network. The user recently purchased a connected home assistant and multiple IoT devices in an effort to automate the home. Some of the IoT devices are wearables, and others are installed in the user’s automobiles. The current home network is configured as a single flat network behind an ISP-supplied router. The router has a single IP address, and the router performs NAT on incoming traffic to route it to individual devices. Which of the following security controls would address the user’s privacy concerns and provide the BEST level of security for the home network?

A. Ensure all IoT devices are configured in a geofencing mode so the devices do not work when removed from the home network. Disable the home assistant unless actively using it, and segment the network so each IoT device has its own segment.
B. Install a firewall capable of cryptographically separating network traffic, require strong authentication to access all IoT devices, and restrict network access for the home assistant based on time-of-day restrictions.
C. Segment the home network to separate network traffic from users and the IoT devices, ensure security settings on the home assistant support no or limited recording capability, and install firewall rules on the router to restrict traffic to the home assistant as much as possible.
D. Change all default passwords on the IoT devices, disable Internet access for the IoT devices and the home assistant, obtain routable IP addresses for all devices, and implement IPv6 and IPSec protections on all network traffic.

Answer: B

NEW QUESTION 164
A company has created a policy to allow employees to use their personally owned devices. The Chief Information Officer (CISO) is getting reports of company data appearing on unapproved forums and an increase in theft of personal electronic devices. Which of the following security controls would BEST reduce the risk of exposure?

A. Disk encryption on the local drive
B. Group policy to enforce failed login lockout
C. Multifactor authentication
D. Implementation of email digital signatures

Answer: A

NEW QUESTION 167
After a large organization has completed the acquisition of a smaller company, the smaller company must implement new host-based security controls to connect its employees’ devices to the network. Given that the network requires 802.1X EAP-PEAP to identify and authenticate devices, which of the following should the security administrator do to integrate the new employees’ devices into the network securely?

A. Distribute a NAC client and use the client to push the company’s private key to all the new devices.
B. Distribute the device connection policy and a unique public/private key pair to each new employee’s device.
C. Install a self-signed SSL certificate on the company’s RADIUS server and distribute the certificate’s public key to all new client devices.
D. Install an 802.1X supplicant on all new devices and let each device generate a self-signed certificate to use for network access.

Answer: D

NEW QUESTION 169
Ann, a terminated employee, left personal photos on a company-issued laptop and no longer has access to them. Ann emails her previous manager and asks to get her personal photos back. Which of the following BEST describes how the manager should respond?

A. Determine if the data still exists by inspecting to ascertain if the laptop has already been wiped and if the storage team has recent backups.
B. Inform Ann that the laptop was for company data only and she should not have stored personal photos on a company asset.
C. Report the email because it may have been a spoofed request coming from an attacker who is trying to exfiltrate data from the company laptop.
D. Consult with the legal and/or human resources department and check company policies around employment and termination procedures.

Answer: D

NEW QUESTION 171
A cybersecurity analyst is hired to review the security posture of a company. The cybersecurity analyst notices a very high network bandwidth consumption due to SYN floods from a small number of IP addresses. Which of the following would be the BEST action to take to support incident response?

A. Increase the company's bandwidth.
B. Apply ingress filters at the routers.
C. Install a packet capturing tool.
D. Block all SYN packets.

Answer: B

NEW QUESTION 174
During a routine network scan, a security administrator discovered an unidentified service running on a new embedded and unmanaged HVAC controller, which is used to monitor the company's datacenter:
Port state
161/UDP open
162/UDP open
163/TCP open
The enterprise monitoring service requires SNMP and SNMPTRAP connectivity to operate. Which of the following should the security administrator implement to harden the system?

A. Patch and restart the unknown services.
B. Segment and firewall the controller's network.
C. Disable the unidentified service on the controller.
D. Implement SNMPv3 to secure communication.
E. Disable TCP/UDP ports 161 through 163.

Answer: D


NEW QUESTION 176
Which of the following systems would be at the GREATEST risk of compromise if found to have an open vulnerability associated with perfect ... secrecy?

A. Endpoints
B. VPN concentrators
C. Virtual hosts
D. SIEM
E. Layer 2 switches

Answer: B

NEW QUESTION 178
An organization is attempting to harden its web servers and reduce the information that might be disclosed to potential attackers. A security anal... reviewing vulnerability scan results from a recent web server scan. Portions of the scan results are shown below:
Finding# 5144322
First time detected 10 nov 2015 09:00 GMT_0600
Last time detected 10 nov 2015 09:00 GMT_0600
CVSS base: 5
Access path: http://myorg.com/mailinglist.htm
Request: GET http://mailinglist.aspx?content=volunteer
Response: C:\Docments\MarySmith\malinglist.pdf
Which of the following lines indicates information disclosure about the host that needs to be remediated?

A. Response: C:\Docments\marysmith\malinglist.pdf
B. Finding#5144322
C. First Time detected 10 nov 2015 09:00 GMT_0600
D. Access path: http//myorg.com/mailinglist.htm
E. Request: GET http://myorg.come/mailinglist.aspx?content=volunteer

Answer: A

NEW QUESTION 182
The security configuration management policy states that all patches must undergo testing procedures before being moved into production. The sec… analyst notices a single web application server has been downloading and applying patches during non-business hours without testing. There are no apparent adverse reactions, server functionality does not seem to be affected, and no malware was found after a scan. Which of the following actions should the analyst take?

A. Reschedule the automated patching to occur during business hours.
B. Monitor the web application service for abnormal bandwidth consumption.
C. Create an incident ticket for anomalous activity.
D. Monitor the web application for service interruptions caused by the patching.

Answer: C

NEW QUESTION 186
An administrator wants to enable policy-based flexible mandatory access controls on an open source OS to prevent abnormal application modifications or executions. Which of the following would BEST accomplish this?

A. Access control lists
B. SELinux
C. IPtables firewall
D. HIPS

Answer: B

Explanation: The most common open source operating system is Linux. Security-Enhanced Linux (SELinux) was created by the United States National Security Agency (NSA) and is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense–style mandatory access controls (MAC). NSA Security-enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible mandatory access control (MAC) architecture into the major subsystems of the kernel. It provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications.
Incorrect Answers:
A: An access control list (ACL) is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. ACLs do not enable policy-based flexible mandatory access controls to prevent abnormal application modifications or executions.
C: A firewall is used to control data leaving a network or entering a network based on source and destination IP address and port numbers. IPTables is a Linux firewall. However, it does not enable policy-based flexible mandatory access controls to prevent abnormal application modifications or executions.
D: A host-based intrusion prevention system (HIPS) is an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host. It does not enable policy-based flexible mandatory access controls to prevent abnormal application modifications or executions.
References: https://en.wikipedia.org/wiki/Security-Enhanced_Linux

NEW QUESTION 191
Company ABC’s SAN is nearing capacity, and will cause costly downtime if servers run out of disk space. Which of the following is a more cost-effective alternative to buying a new SAN?


A. Enable multipath to increase availability
B. Enable deduplication on the storage pools
C. Implement snapshots to reduce virtual disk size
D. Implement replication to offsite datacenter

Answer: B

Explanation: Storage-based data deduplication reduces the amount of storage needed for a given set of files. It is most effective in applications where many copies of very similar or even identical data are stored on a single disk. It is common for multiple copies of files to exist on a SAN. By eliminating (deduplicating) repeated copies of the files, we can reduce the disk space used on the existing SAN. This solution is a cost-effective alternative to buying a new SAN.
Incorrect Answers:
A: Multipathing enables multiple links to transfer the data to and from the SAN. This improves performance and link redundancy. However, it has no effect on the amount of data on the SAN.
C: Snapshots would not reduce the amount of data stored on the SAN.
D: Replicating the data on the SAN to an offsite datacenter will not reduce the amount of data stored on the SAN. It would just create another copy of the data on the SAN in the offsite datacenter.
References: https://en.wikipedia.org/wiki/Data_deduplication

NEW QUESTION 193
A user has a laptop configured with multiple operating system installations. The operating systems are all installed on a single SSD, but each has its own partition and logical volume. Which of the following is the BEST way to ensure confidentiality of individual operating system data?

A. Encryption of each individual partition
B. Encryption of the SSD at the file level
C. FDE of each logical volume on the SSD
D. FDE of the entire SSD as a single disk

Answer: A

Explanation: In this question, we have multiple operating system installations on a single disk. Some operating systems store their boot loader in the MBR of the disk. However, some operating systems install their boot loader outside the MBR, especially when multiple operating systems are installed. We need to encrypt as much data as possible, but we cannot encrypt the boot loaders; this would prevent the operating systems from loading. Therefore, the solution is to encrypt each individual partition separately.
Incorrect Answers:
B: The question is asking for the BEST way to ensure confidentiality of individual operating system data. Individual file encryption could work, but if files are ever added to the operating systems (for updates etc.), you would have to manually encrypt the new files as well. A better solution would be to encrypt the entire partition. That way any new files added to the operating system would be automatically encrypted.
C: You cannot perform full disk encryption on an individual volume. Full disk encryption encrypts the entire disk.
D: FDE of the entire SSD as a single disk would encrypt the boot loaders, which would prevent the operating systems from booting.

NEW QUESTION 197
After being notified of an issue with the online shopping cart, where customers are able to arbitrarily change the price of listed items, a programmer analyzes the following piece of code used by a web based shopping cart.
SELECT ITEM FROM CART WHERE ITEM=ADDSLASHES($USERINPUT);
The programmer found that every time a user adds an item to the cart, a temporary file is created in the web server's /tmp directory. The temporary file has a name which is generated by concatenating the content of the $USERINPUT variable and a timestamp in the form of MM-DD-YYYY (e.g. smartphone-12-25-2013.tmp), containing the price of the item being purchased. Which of the following is MOST likely being exploited to manipulate the price of a shopping cart’s items?

A. Input validation
B. SQL injection
C. TOCTOU
D. Session hijacking

Answer: C

Explanation: In this question, TOCTOU is being exploited to allow the user to modify the temp file that contains the price of the item. In software development, time of check to time of use (TOCTOU) is a class of software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. This is one example of a race condition.
A simple example is as follows: Consider a Web application that allows a user to edit pages, and also allows administrators to lock pages to prevent editing. A user requests to edit a page, getting a form which can be used to alter its content. Before the user submits the form, an administrator locks the page, which should prevent editing. However, since editing has already begun, when the user submits the form, those edits (which have already been made) are accepted. When the user began editing, the appropriate authorization was checked, and the user was indeed allowed to edit. However, the authorization was used later, at a time when edits should no longer have been allowed. TOCTOU race conditions are most common in Unix between operations on the file system, but can occur in other contexts, including local sockets and improper use of database transactions.
Incorrect Answers:
A: Input validation is used to ensure that the correct data is entered into a field. For example, input validation would prevent letters typed into a field that expects numbers from being accepted. The exploit in this question is not an example of input validation.
B: SQL injection is a type of security exploit in which the attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data. The exploit in this question is not an example of a SQL injection attack.
D: Session hijacking, also known as TCP session hijacking, is a method of taking over a Web user session by obtaining the session ID and masquerading as the authorized user. The exploit in this question is not an example of session hijacking.
References: https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use
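As an added example that is not part of the original question bank, the Python below simulates the cart described in Question 197 and shows the defect beside its fix: the vulnerable flow parks the price in a temp file whose name is predictable (user input plus date) and trusts whatever the file says at checkout, while the hardened flow allowlists the item, uses an unpredictable mkstemp file, and re-derives the price from the catalog at the time of use. The catalog, prices, item names and the simulated concurrent write are constructed for this demonstration.

```python
"""Vulnerable vs. hardened shopping-cart price handling (constructed example)."""
import os
import tempfile
from datetime import date

# Constructed catalog: the authoritative server-side source of prices.
CATALOG = {"smartphone": 599.00, "headphones": 89.00}
SAMPLE_DATE = date(2013, 12, 25)  # matches the question's example file name


def vulnerable_temp_name(tmpdir, user_input, when):
    """Mirrors the naming scheme in the question: <userinput>-MM-DD-YYYY.tmp.

    The name is fully predictable from user-controlled input, so any other
    process that can write to tmpdir can guess it.
    """
    return os.path.join(tmpdir, f"{user_input}-{when.strftime('%m-%d-%Y')}.tmp")


def vulnerable_add_to_cart(tmpdir, user_input, when=SAMPLE_DATE):
    """Time of check: look the price up and park it in a predictable temp file."""
    price = CATALOG[user_input]
    path = vulnerable_temp_name(tmpdir, user_input, when)
    with open(path, "w") as fh:
        fh.write(f"{price:.2f}")
    return path


def vulnerable_checkout(path):
    """Time of use: whatever the file says *now* is what gets charged."""
    with open(path) as fh:
        return float(fh.read())


def hardened_add_to_cart(tmpdir, user_input):
    """Allowlist the item, store only its name, and never store the price."""
    if user_input not in CATALOG:  # blocks unknown items and path-shaped input
        raise ValueError("unknown item")
    # mkstemp: unpredictable name, created with O_EXCL and mode 0600.
    fd, path = tempfile.mkstemp(dir=tmpdir, suffix=".cart")
    with os.fdopen(fd, "w") as fh:
        fh.write(user_input)
    return path


def hardened_checkout(path):
    """Re-derive the price from the catalog at time of use."""
    with open(path) as fh:
        item = fh.read().strip()
    return CATALOG[item]  # tampered contents raise KeyError instead of mis-pricing


def demo():
    """Returns (vulnerable price after tamper, hardened clean price, hardened after tamper)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        # Vulnerable flow: a concurrent writer who guessed the name wins the race.
        vpath = vulnerable_add_to_cart(tmpdir, "smartphone")
        with open(vpath, "w") as fh:  # simulated write inside the race window
            fh.write("0.01")
        charged_vuln = vulnerable_checkout(vpath)

        # Hardened flow, untouched: the catalog price is charged.
        hpath = hardened_add_to_cart(tmpdir, "smartphone")
        charged_clean = hardened_checkout(hpath)

        # Hardened flow, same tampering attempt: no price is read from the file.
        with open(hpath, "w") as fh:
            fh.write("0.01")
        try:
            charged_tampered = hardened_checkout(hpath)
        except KeyError:
            charged_tampered = None  # detected rather than honoured
    return charged_vuln, charged_clean, charged_tampered


if __name__ == "__main__":
    print(demo())
```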

NEW QUESTION 200
A popular commercial virtualization platform allows for the creation of virtual hardware. To virtual machines, this virtual hardware is indistinguishable from real hardware. By implementing virtualized TPMs, which of the following trusted system concepts can be implemented?

A. Software-based root of trust
B. Continuous chain of trust
C. Chain of trust with a hardware root of trust
D. Software-based trust anchor with no root of trust

Answer: C

Explanation: A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer, and it communicates with the remainder of the system by using a hardware bus.
A vTPM is a virtual Trusted Platform Module: a virtual instance of the TPM. IBM extended the TPM 1.2 command set with virtual TPM management commands that allow the creation and deletion of TPM instances. Each created instance of a TPM holds an association with a virtual machine (VM) throughout its lifetime on the platform.
The physical TPM is the hardware root of trust. A chain of trust extends the trust boundary from the root(s) of trust in order to extend the collection of trustworthy functions; it implies transitive trust. A virtual TPM is therefore a link in a chain of trust anchored in the hardware TPM (the root of trust). Note that this holds only if the hypervisor actually binds vTPM state to the physical TPM (for example by sealing the vTPM's storage to the host's measured state); a vTPM whose state is merely a file on disk is only as trustworthy as the hypervisor that protects it.
Incorrect Answers:
A: A vTPM is a virtual instance of the hardware TPM. Therefore, the root of trust is a hardware root of trust, not a software-based root of trust.
B: A chain of trust needs a root. In this case, the TPM is the hardware root of trust; this answer names no root of trust.
D: There needs to be a root of trust. In this case, the TPM is the hardware root of trust; this answer has no root of trust.
References: https://www.cylab.cmu.edu/tiw/slides/martin-tiw101.pdf
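To make the chain-of-trust idea concrete, the following added example (not from the original question or the cited slides) replays a measured-boot log the way an attestation verifier does, extending a SHA-256 PCR from its all-zero reset value. The boot-stage blobs are constructed stand-ins for real firmware, bootloader and kernel images; on a real platform the quoted PCR would come from the TPM or vTPM and the event log from the firmware.

```python
import hashlib
import hmac

# Added example, not from the original page: a verifier reproduces the PCR value that a
# chain of trust rooted in a (v)TPM produces, so a quoted PCR can be checked against it.
# The boot-stage blobs below are constructed stand-ins, not real firmware images.

PCR_SIZE = 32  # SHA-256 PCR bank

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: PCR_new = SHA-256(PCR_old || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay_log(measurement_log) -> bytes:
    """Replay an ordered list of (stage, blob) events into one PCR value.
    Each stage measures the next before handing over control, so every later
    value depends on every earlier one: that dependency *is* the transitive trust."""
    pcr = bytes(PCR_SIZE)  # PCRs are all-zero after a platform reset
    for _stage, blob in measurement_log:
        pcr = pcr_extend(pcr, hashlib.sha256(blob).digest())
    return pcr

# Constructed "known-good" boot chain that the verifier has whitelisted.
GOLDEN_CHAIN = [
    ("firmware",   b"UEFI firmware build 1.2.3"),
    ("bootloader", b"shim + grub, vendor-signed"),
    ("kernel",     b"vmlinuz-5.15.0 known-good"),
]

def attest(reported_pcr: bytes, expected_chain=GOLDEN_CHAIN) -> bool:
    """What a remote attestation service does with a quoted PCR value."""
    return hmac.compare_digest(reported_pcr, replay_log(expected_chain))

def demo() -> dict:
    """Three platforms report PCRs: genuine, a tampered kernel, and the same
    components measured in a different order (also rejected: order is part of the chain)."""
    tampered = GOLDEN_CHAIN[:2] + [("kernel", b"vmlinuz-5.15.0 with bootkit")]
    reordered = [GOLDEN_CHAIN[1], GOLDEN_CHAIN[0], GOLDEN_CHAIN[2]]
    return {
        "genuine": attest(replay_log(GOLDEN_CHAIN)),
        "tampered_kernel": attest(replay_log(tampered)),
        "reordered_stages": attest(replay_log(reordered)),
    }

if __name__ == "__main__":
    print(replay_log(GOLDEN_CHAIN).hex())
    print(demo())  # {'genuine': True, 'tampered_kernel': False, 'reordered_stages': False}
```

The verifier never trusts the reported value on its own: it recomputes what a correct chain must produce and compares. That comparison is only meaningful because the first link (the firmware measurement) is taken by hardware the attacker cannot rewrite, which is exactly the difference between answer C and answers A and D.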

NEW QUESTION 204
An application present on the majority of an organization's 1,000 systems is vulnerable to a buffer overflow attack. Which of the following is the MOST comprehensive way to resolve the issue?

A. Deploy custom HIPS signatures to detect and block the attacks.
B. Validate and deploy the appropriate patch.
C. Run the application in terminal services to reduce the threat landscape.
D. Deploy custom NIPS signatures to detect and block the attack.

Answer: B

Explanation: If an application has a known issue (such as susceptibility to buffer overflow attacks) and a patch is released to resolve the specific issue, then the best solution is to validate and deploy the patch: it removes the vulnerability itself rather than trying to detect exploitation of it.
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information, which has to go somewhere, can overflow into adjacent memory, corrupting or overwriting the valid data held there. Although it may occur accidentally through a programming error, buffer overflow is a common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain code designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.
Incorrect Answers:
A: This question is asking for the MOST comprehensive way to resolve the issue. A HIPS (Host Intrusion Prevention System) with custom signatures may offer some protection against an application that is vulnerable to buffer overflow attacks, but signatures can be evaded and must be maintained on every host. An application that is NOT vulnerable to buffer overflow attacks (a patched application) is a better solution.
C: Running the application in terminal services may reduce the threat landscape. However, it doesn't resolve the issue. Patching the application to eliminate the vulnerability is a better solution.
D: A NIPS (Network Intrusion Prevention System) with custom signatures may offer some protection, but it only sees traffic that crosses the network sensor and, like a HIPS, can be evaded. A patched application is a better solution.
References: http://searchsecurity.techtarget.com/definition/buffer-overflow

NEW QUESTION 207
A security administrator wants to deploy a dedicated storage solution which is inexpensive, can natively integrate with AD, allows files to be selectively encrypted and is suitable for a small number of users at a satellite office. Which of the following would BEST meet the requirement?

A. SAN
B. NAS
C. Virtual SAN
D. Virtual storage

Answer: B

Explanation: A NAS is an inexpensive storage solution suitable for small offices. Individual files can be selectively encrypted, for example with the Encrypting File System (EFS) of NTFS on a Windows-based NAS appliance, or with the appliance's own file-level encryption.
NAS typically uses a common Ethernet network and can provide storage services to any authorized devices on that network.
Two primary NAS protocols are used in most environments. The choice of protocol depends largely on the type of computer or server connecting to the storage. The Network File System (NFS) protocol is usually used by servers to access storage in a NAS environment. The Common Internet File System (CIFS), also called Server Message Block (SMB), is usually used for desktops, especially those running Microsoft Windows.
Unlike DAS and SAN, NAS is a file-level storage technology. This means the NAS appliance maintains and controls the files, folder structures, permissions, and attributes of the data it holds. A typical NAS deployment integrates the NAS appliance with a user database, such as Active Directory, so file permissions can be assigned based on established users and groups. With Active Directory integration, most Windows New Technology File System (NTFS) permissions can be set on the files contained on a NAS device.
Incorrect Answers:
A: A SAN is expensive compared to a NAS and is more suitable for enterprise storage for larger networks.
C: A Virtual SAN is the combined local storage of multiple hypervisor servers (VMware ESXi, for example) to create one virtual storage pool. This is not the best solution for a small office.
D: Virtual storage is storage presented by an underlying SAN or group of servers. This is not the best solution for a small office.
References: http://infrastructuretechnologypros.com/understanding-storage-technology-part-2-alphabet-soup-storage/

NEW QUESTION 212
A security administrator is shown the following log excerpt from a Unix system:
2013 Oct 10 07:14:57 web14 sshd[1632]: Failed password for root from 198.51.100.23 port 37914 ssh2
2013 Oct 10 07:14:57 web14 sshd[1635]: Failed password for root from 198.51.100.23 port 37915 ssh2
2013 Oct 10 07:14:58 web14 sshd[1638]: Failed password for root from 198.51.100.23 port 37916 ssh2
2013 Oct 10 07:15:59 web14 sshd[1640]: Failed password for root from 198.51.100.23 port 37918 ssh2
2013 Oct 10 07:16:00 web14 sshd[1641]: Failed password for root from 198.51.100.23 port 37920 ssh2
2013 Oct 10 07:16:00 web14 sshd[1642]: Successful login for root from 198.51.100.23 port 37924 ssh2
Which of the following is the MOST likely explanation of what is occurring and the BEST immediate response? (Select TWO).

A. An authorized administrator has logged into the root account remotely.
B. The administrator should disable remote root logins.
C. Isolate the system immediately and begin forensic analysis on the host.
D. A remote attacker has compromised the root account using a buffer overflow in sshd.
E. A remote attacker has guessed the root password using a dictionary attack.
F. Use iptables to immediately DROP connections from the IP 198.51.100.23.
G. A remote attacker has compromised the private key of the root account.
H. Change the root password immediately to a password not found in a dictionary.

Answer: CE

Explanation: The log shows six attempts to log in to the system as root from the same address within 63 seconds; the source port increases with each attempt, which is typical of an automated tool. The first five attempts failed with "Failed password". The sixth attempt was a successful login. Therefore, the MOST likely explanation of what is occurring is that a remote attacker has guessed the root password using a dictionary attack.
The BEST immediate response is to isolate the system immediately and begin forensic analysis on the host. You should isolate the system to prevent any further access to it and to prevent it from being used against other systems on the network. You should perform a forensic analysis on the system to determine what the attacker did after gaining access (for example, what was downloaded, which accounts or keys were added, and whether lateral movement was attempted).
Incorrect Answers:
A: It is unlikely that an authorized administrator has logged into the root account remotely. It is unlikely that an authorized administrator would enter an incorrect password five times in about a minute.
B: Disabling remote root logins is good hardening (PermitRootLogin no in sshd_config), but it is not the best immediate response. The attacker has already gained access to the system, so potentially the damage is already done.
D: The log does not suggest a buffer overflow attack; the failed passwords suggest a dictionary attack.
F: Using iptables to immediately DROP connections from the IP 198.51.100.23 is not the best course of action. The attacker has already gained access to the system and may have left persistence that does not depend on that address.
G: The log does not suggest that a remote attacker has compromised the private key of the root account; the failed passwords suggest a dictionary attack, and a key-based login would be logged as an accepted public key rather than a password.
H: Changing the root password is a good idea, but it is not the best immediate course of action. The attacker has already gained access to the system, so potentially the damage is already done.
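As an added example that is not part of the original question, the detection logic below turns the pattern in that log into an alert: a success for the same source and user that follows a burst of failures. The sample lines are the ones quoted in the question; the failure threshold and the time window are assumed values, and real OpenSSH logs success as "Accepted password for ..." or "Accepted publickey for ...", so those forms are matched as well as the question's "Successful login for ...".

```python
import re
from collections import defaultdict
from datetime import datetime

# Added detection example, not part of the original question. SAMPLE_LOG holds the
# six lines quoted in the question; the threshold (3 failures) and window (300 s)
# are assumed tuning values, not figures from the page.

SAMPLE_LOG = """\
2013 Oct 10 07:14:57 web14 sshd[1632]: Failed password for root from 198.51.100.23 port 37914 ssh2
2013 Oct 10 07:14:57 web14 sshd[1635]: Failed password for root from 198.51.100.23 port 37915 ssh2
2013 Oct 10 07:14:58 web14 sshd[1638]: Failed password for root from 198.51.100.23 port 37916 ssh2
2013 Oct 10 07:15:59 web14 sshd[1640]: Failed password for root from 198.51.100.23 port 37918 ssh2
2013 Oct 10 07:16:00 web14 sshd[1641]: Failed password for root from 198.51.100.23 port 37920 ssh2
2013 Oct 10 07:16:00 web14 sshd[1642]: Successful login for root from 198.51.100.23 port 37924 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted password|Accepted publickey|Successful login) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_line(line):
    """-> (timestamp, success, user, ip) or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y %b %d %H:%M:%S")
    return ts, m["event"] != "Failed password", m["user"], m["ip"]

def find_bruteforce_success(lines, min_failures=3, window_sec=300):
    """One alert per success preceded by >= min_failures failures for the same
    (source IP, user) within window_sec seconds. Failures older than the window
    are forgotten, so a slow, spread-out guess rate needs a larger window."""
    recent_failures = defaultdict(list)   # (ip, user) -> failure timestamps still in window
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, success, user, ip = rec
        key = (ip, user)
        recent_failures[key] = [t for t in recent_failures[key]
                                if (ts - t).total_seconds() <= window_sec]
        if not success:
            recent_failures[key].append(ts)
        elif len(recent_failures[key]) >= min_failures:
            first = recent_failures[key][0]
            alerts.append({"ip": ip, "user": user,
                           "failures": len(recent_failures[key]),
                           "span_sec": (ts - first).total_seconds(),
                           "success_at": ts.isoformat()})
            recent_failures[key].clear()
    return alerts

if __name__ == "__main__":
    for alert in find_bruteforce_success(SAMPLE_LOG):
        print(alert)
```

The alert carries the failure count and the span, which is what an analyst needs to distinguish a fat-fingered administrator from an automated guessing run. A lone success with no preceding failures is deliberately not flagged; that case needs different evidence (new source address, unusual hour, key versus password).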

NEW QUESTION 216
A developer has implemented a piece of client-side JavaScript code to sanitize a user's provided input to a web page login screen. The code ensures that only the upper case and lower case letters are entered in the username field, and that only a 6-digit PIN is entered in the password field. A security administrator is concerned with the following web server log:
10.235.62.11 - - [02/Mar/2014:06:13:04] "GET /site/script.php?user=admin&pass=pass%20or%201=1 HTTP/1.1" 200 5724
Given this log, which of the following is the security administrator concerned with and which fix should be implemented by the developer?

A. The security administrator is concerned with nonprintable characters being used to gain administrative access, and the developer should strip all nonprintable characters.
B. The security administrator is concerned with XSS, and the developer should normalize Unicode characters on the browser side.
C. The security administrator is concerned with SQL injection, and the developer should implement server side input validation.
D. The security administrator is concerned that someone may log on as the administrator, and the developer should ensure strong passwords are enforced.

Answer: C

Explanation: The request in the log is an example of a SQL injection attack. The condition '1=1' always evaluates to true, so a statement such as WHERE user='admin' AND pass=... OR 1=1 matches every row and can be used to bypass the login or to return all rows in a table.
In this question, the developer has implemented client-side input validation. Client-side validation can be bypassed trivially: the attacker does not run the JavaScript at all but sends the request directly to script.php, as the log shows. Server-side validation runs where the attacker cannot alter it, and it should be combined with parameterised queries (prepared statements) so that user input can never be interpreted as SQL syntax.
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and is unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
Incorrect Answers:
A: The request in this question does not contain non-printable characters.
B: The request in this question is not an example of cross-site scripting (XSS).
D: The request in this question is an example of a SQL injection attack. It is not simply someone attempting to log on as administrator.
References: http://en.wikipedia.org/wiki/SQL_injection
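The following added example (not from the original question) reproduces the injection with the exact parameter from the log against an in-memory SQLite table and shows the server-side fix. The table, its rows and the assumption that the developer left the numeric PIN unquoted in the query are constructed for the demonstration; the request line is the one from the question's web server log.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Added example, not from the original page. The users table and its rows are
# constructed; the request line is the one from the web server log in the question.

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pass TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "135790"), ("ann", "246802")])
    return db

def params_from_request_line(request_line: str):
    """'GET /site/script.php?user=admin&pass=pass%20or%201=1 HTTP/1.1' -> (user, pass)."""
    path = request_line.split()[1]
    q = parse_qs(urlsplit(path).query)        # percent-decoding happens here: 'pass or 1=1'
    return q["user"][0], q["pass"][0]

def login_vulnerable(db, user: str, password: str):
    """The PIN is numeric, so the developer did not quote it. Only the browser-side
    JavaScript kept non-digits out of this string, and the attacker never ran it."""
    sql = f"SELECT username FROM users WHERE username='{user}' AND pass={password}"
    # With the logged input this becomes ... AND pass=pass or 1=1, true for every row.
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error:
        return []

USER_RE = re.compile(r"^[A-Za-z]+$")   # the same rules the JavaScript enforced ...
PIN_RE = re.compile(r"^\d{6}$")        # ... re-applied where they cannot be bypassed

def login_fixed(db, user: str, password: str):
    if not (USER_RE.match(user) and PIN_RE.match(password)):
        return []                       # server-side validation rejects the input outright
    rows = db.execute("SELECT username FROM users WHERE username=? AND pass=?",
                      (user, password))
    return [row[0] for row in rows]     # parameterised: input can never become SQL syntax

if __name__ == "__main__":
    db = make_db()
    user, pin = params_from_request_line(
        "GET /site/script.php?user=admin&pass=pass%20or%201=1 HTTP/1.1")
    print("vulnerable:", login_vulnerable(db, user, pin))   # every row: authentication bypassed
    print("fixed:     ", login_fixed(db, user, pin))        # []
```

Two independent fixes are shown because each closes a different hole: the regex rejects anything that is not a six-digit PIN before the database is touched, and the parameterised query guarantees that even input which passes validation is bound as a value rather than spliced into the statement.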

NEW QUESTION 219
Joe, a penetration tester, is tasked with testing the security robustness of the protocol between a mobile web application and a RESTful application server. Which of the following security tools would be required to assess the security between the mobile web application and the RESTful application server? (Select TWO).

A. Jailbroken mobile device
B. Reconnaissance tools
C. Network enumerator
D. HTTP interceptor
E. Vulnerability scanner
F. Password cracker

Answer: DE

Explanation: Communications between a mobile web application and a RESTful application server use the HTTP protocol. To capture and modify the HTTP communications for analysis, you should use an HTTP interceptor (an intercepting proxy). To assess the security of the application server itself, you should use a vulnerability scanner.
A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers.
Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security.
Vulnerability scanning typically refers to the scanning of systems that are connected to the Internet but can also refer to system audits on internal networks that are not connected to the Internet in order to assess the threat of rogue software or malicious employees in an enterprise.
Incorrect Answers:
A: A jailbroken mobile device is a mobile device with an operating system that has its built-in security restrictions removed. This enables you to install software and perform actions that the manufacturer did not intend. It can help with installing the proxy's CA certificate or getting around certificate pinning in the client, but it is not itself a tool for assessing the protocol between the mobile web application and the RESTful application server.
B: Reconnaissance in terms of IT security is the process of learning as much as possible about a target business, usually over a long period of time, with a view to discovering security flaws. It is not used for the security assessment of a specific client-server protocol.
C: Network enumeration is a computing activity in which usernames and information on groups, shares, and services of networked computers are retrieved. It is not used to assess the security between the mobile web application and the RESTful application server.
F: A password cracker is used to guess passwords. It is not a suitable security tool to assess the security between the mobile web application and the RESTful application server.
References: http://www.webopedia.com/TERM/V/vulnerability_scanning.html

NEW QUESTION 224
Ann is testing the robustness of a marketing website through an intercepting proxy. She has intercepted the following HTTP request:
POST /login.aspx HTTP/1.1
Host: comptia.org
Content-type: text/html
txtUsername=ann&txtPassword=ann&alreadyLoggedIn=false&submit=true
Which of the following should Ann perform to test whether the website is susceptible to a simple authentication bypass?

A. Remove all of the post data and change the request to /login.aspx from POST to GET
B. Attempt to brute force all usernames and passwords using a password cracker
C. Remove the txtPassword post data and change alreadyLoggedIn from false to true
D. Remove the txtUsername and txtPassword post data and toggle submit from true to false

Answer: C

Explanation: The text "txtUsername=ann&txtPassword=ann" is an attempted login using a username of 'ann' and also a password of 'ann'. The text "alreadyLoggedIn=false" is the client telling the server that Ann is not already logged in; if the server trusts that field, an attacker can simply set it to true.
To test whether we can bypass the authentication, we can attempt the login without the password and see whether we can bypass the 'alreadyLoggedIn' check by changing alreadyLoggedIn from false to true. If we are able to log in, then we have bypassed the authentication check. The fix is that login state must be kept in server-side session state that the client cannot assert.
Incorrect Answers:
A: GET /login.aspx would just return the login form. This does not test whether the website is susceptible to a simple authentication bypass.
B: We do not want to guess the usernames and passwords. We want to see if we can get into the site without authentication.
D: We need to submit the data, so we cannot toggle submit from true to false.
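As an added example that is not part of the original question, the code below builds the modified request for answer C from the intercepted request and, with a constructed toy login handler, shows why trusting alreadyLoggedIn is the bug and what the server should do instead. The user table and the real password are assumptions; the request is the one from the question.

```python
from urllib.parse import parse_qs, urlencode

# Added example, not from the original page: build the mutated request Ann would
# replay through her intercepting proxy, then show with a toy handler (constructed
# here, not the site's real code) why the bypass works and what the fix looks like.

RAW_REQUEST = (
    "POST /login.aspx HTTP/1.1\r\n"
    "Host: comptia.org\r\n"
    "Content-type: text/html\r\n"
    "\r\n"
    "txtUsername=ann&txtPassword=ann&alreadyLoggedIn=false&submit=true"
)

def split_request(raw: str):
    """-> (request line, headers dict, form params as parse_qs returns them)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = dict(h.split(": ", 1) for h in header_lines)
    return request_line, headers, parse_qs(body, keep_blank_values=True)

def build_request(request_line: str, headers: dict, params: dict) -> str:
    body = urlencode({k: v[0] for k, v in params.items()})
    headers = {**headers, "Content-Length": str(len(body))}   # keep the framing honest
    head = "\r\n".join([request_line, *(f"{k}: {v}" for k, v in headers.items())])
    return head + "\r\n\r\n" + body

def bypass_test_case(raw: str) -> str:
    """Answer C: drop txtPassword and flip alreadyLoggedIn to true."""
    request_line, headers, params = split_request(raw)
    params.pop("txtPassword", None)
    params["alreadyLoggedIn"] = ["true"]
    return build_request(request_line, headers, params)

# --- toy server side (constructed) ------------------------------------------------
USERS = {"ann": "correct-horse"}   # assumed real password; the 'ann' in the request is a guess

def handle_login_vulnerable(params: dict):
    """Trusts a login-state flag that the client supplied."""
    if params.get("alreadyLoggedIn", ["false"])[0] == "true":
        return params["txtUsername"][0]          # no credential checked at all
    user, pw = params["txtUsername"][0], params.get("txtPassword", [""])[0]
    return user if USERS.get(user) == pw else None

def handle_login_fixed(params: dict):
    """Login state is server-side session state; nothing in the request can assert it."""
    user, pw = params["txtUsername"][0], params.get("txtPassword", [""])[0]
    return user if USERS.get(user) == pw else None

if __name__ == "__main__":
    mutated = bypass_test_case(RAW_REQUEST)
    print(mutated)
    _, _, p = split_request(mutated)
    print("vulnerable handler:", handle_login_vulnerable(p))   # 'ann' without a password
    print("fixed handler:     ", handle_login_fixed(p))        # None
```

Only the request body changes between the two handlers; the difference is whether the server treats alreadyLoggedIn as data it owns or as a claim the client makes. Any field that encodes authorisation state (role, is_admin, logged_in) deserves the same test.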

NEW QUESTION 227
A pentester must attempt to crack passwords on a Windows domain that enforces strong complex passwords. Which of the following would crack the MOST passwords in the shortest time period?

A. Online password testing
B. Rainbow tables attack
C. Dictionary attack
D. Brute force attack

Answer: B

Explanation: The passwords in a Windows (Active Directory) domain are stored as hashes, not in clear text.
When a password is "tried" against a system it is hashed so that the actual password is never sent in clear text across the communications line. This prevents eavesdroppers from intercepting the password. The hash of a password looks like a string of random characters and has a fixed length regardless of the original password. Your password might be "shitzu" but the hash of your password would look something like "7378347eedbfdd761619451949225ec1".
To verify a user, the system takes the hash value created by the password hashing function on the client computer and compares it to the hash value stored in a table on the server. If the hashes match, then the user is authenticated and granted access.
Password cracking programs work in a similar way to the login process. The cracking program starts by taking plaintext passwords, running them through a hash algorithm, such as MD5, and then compares the hash output with the hashes in the stolen password file. If it finds a match, then the program has cracked the password.
Rainbow tables are large sets of precomputed hash chains that map hash values back to possible plaintext passwords. They essentially allow an attacker to reverse the hashing function to determine what the plaintext password might be. They work only when the hash is unsalted, which is the case for Windows NT hashes (an MD4 hash of the UTF-16 password with no salt); a per-user salt would force a separate table for every user.
The use of rainbow tables allows passwords to be cracked in a very short amount of time compared with brute-force methods; the trade-off is that it takes a lot of storage (sometimes terabytes) to hold the rainbow tables themselves.
Incorrect Answers:
A: Online password testing (guessing against the live domain) is slow, is rate-limited by lockout policies, and generates logs; it is not a practical way to crack many passwords quickly.
C: The question states that the domain enforces strong complex passwords. Strong complex passwords must include upper and lowercase letters, numbers and punctuation marks. A word in the dictionary would not meet the strong complex passwords requirement, so a dictionary attack would be ineffective at cracking the passwords in this case.
D: Brute force attacks against complex passwords take much longer than a rainbow tables attack.
References: http://netsecurity.about.com/od/hackertools/a/Rainbow-Tables.htm
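The following added example (not from the original question) implements a miniature rainbow table over the 4-digit-PIN keyspace with unsalted MD5, so that the chain construction, the per-column reduction function and the lookup are all visible, and then shows the same lookup failing against a salted hash. Keyspace, chain length, number of chains and the salt are chosen for a quick demonstration; Windows NT hashes are unsalted MD4 rather than MD5, and the same construction applies to them.

```python
import hashlib
from collections import defaultdict

# Added example, not from the original page: a miniature rainbow table over the
# 4-digit-PIN keyspace using unsalted MD5. Parameters are chosen for a fast demo;
# real tables cover far larger keyspaces with much longer chains.

KEYSPACE = 10_000          # "0000" .. "9999"
CHAIN_LEN = 50             # hashes per chain
CHAIN_STARTS = [f"{i:04d}" for i in range(0, KEYSPACE, 5)]  # 2000 chains

def H(pw: str) -> bytes:
    return hashlib.md5(pw.encode()).digest()

def reduce_(digest: bytes, step: int) -> str:
    """Map a digest back into the keyspace. The step index makes each column use a
    different reduction, which is what distinguishes rainbow chains from plain hash
    chains: two chains that collide in one column diverge again in the next."""
    return f"{(int.from_bytes(digest[:8], 'big') + step) % KEYSPACE:04d}"

def chain_point(start: str, position: int) -> str:
    """The plaintext sitting at column `position` of the chain that begins at `start`."""
    pw = start
    for step in range(position):
        pw = reduce_(H(pw), step)
    return pw

def build_table() -> dict:
    """Store only end -> [starts]; intermediate plaintexts are recomputed on lookup.
    That is the time/memory trade-off: CHAIN_LEN hashes of work per stored entry."""
    table = defaultdict(list)
    for start in CHAIN_STARTS:
        table[chain_point(start, CHAIN_LEN)].append(start)
    return table

def lookup(table: dict, target: bytes):
    """Recover the plaintext for an unsalted MD5 digest, or None if no chain covers it."""
    for col in range(CHAIN_LEN - 1, -1, -1):      # assume target sits at column `col`
        pw = reduce_(target, col)
        for step in range(col + 1, CHAIN_LEN):    # walk forward to the chain's end
            pw = reduce_(H(pw), step)
        for start in table.get(pw, ()):           # candidate chains; each must be verified
            cand = start
            for step in range(CHAIN_LEN):
                if H(cand) == target:
                    return cand
                cand = reduce_(H(cand), step)
    return None

def demo() -> dict:
    table = build_table()
    pin = chain_point(CHAIN_STARTS[7], 23)        # a PIN the table is known to cover
    unsalted = lookup(table, H(pin))              # recovered from the precomputed table
    salted = lookup(table, H("x9Qz" + pin))       # same PIN hashed with a per-user salt
    return {"pin": pin, "unsalted": unsalted, "salted": salted}

if __name__ == "__main__":
    print(demo())  # salted lookup is None: the table was built for H(pin), not H(salt+pin)
```

The lookup costs on the order of CHAIN_LEN squared over two hash operations instead of the full keyspace, and the table stores one entry per chain instead of one per password. The salted case fails for the same reason the table works at all: every entry was precomputed for exactly one hash function input shape, and a salt changes that shape for every user.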

NEW QUESTION 230
An administrator has enabled salting for users' passwords on a UNIX box. A penetration tester must attempt to retrieve password hashes. Which of the following files must the penetration tester use to eventually obtain passwords on the system? (Select TWO).

A. /etc/passwd
B. /etc/shadow
C. /etc/security
D. /etc/password
E. /sbin/logon
F. /bin/bash

Answer: AB

Explanation: In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase. In this question, enabling salting for users' passwords means that each stored hash is computed over the password plus a per-user random salt, so two users with the same password have different hashes and precomputed (rainbow) tables cannot be reused. The tester therefore needs the salt and hash of every account, which are in /etc/shadow, and the account list, which is in /etc/passwd.
Traditional Unix systems keep user account information, including one-way hashed passwords, in a text file called /etc/passwd. As this file is used by many tools (such as ls) to display file ownerships, etc. by matching user ID numbers with the users' names, the file needs to be world-readable. Consequently, this can be somewhat of a security risk.
Another method of storing account information is the shadow password format. As with the traditional method, this method stores account information in the /etc/passwd file in a compatible format. However, the password field holds a single "x" character (i.e. the hash is not actually stored in this file). A second file, /etc/shadow, readable only by root, contains the salted password hash as well as other information such as account or password expiration values. Cracking tools such as John the Ripper combine the two files ("unshadow") before cracking.
Incorrect Answers:
C: On Linux, /etc/security is a directory of PAM configuration files (such as limits.conf and access.conf). It does not contain usernames or password hashes.
D: There is no /etc/password file. Usernames are stored in the /etc/passwd file.
E: There is no /sbin/logon file. Usernames are stored in the /etc/passwd file.
F: /bin/bash is a UNIX shell used to run commands and scripts. It is not where usernames or passwords are stored.
References: http://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
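As an added example that is not part of the original question, the code below performs the join a cracker needs between the two files in the answer, drops accounts that have no crackable hash, and parses the per-user salt out of each modular-crypt string. The passwd and shadow contents are constructed samples, and the hash fields are placeholders shaped like real crypt strings, not digests of anything.

```python
# Added example, not from the original page: the "unshadow" join a cracker needs,
# because /etc/passwd supplies the account list and /etc/shadow the salted hashes.
# Both files are constructed samples; the hash fields are placeholders shaped like
# modular-crypt strings ($id$[params$]salt$hash), not real digests.

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ann:x:1001:1001:Ann Example:/home/ann:/bin/bash
legacy:$1$ab12cd34$PLACEHOLDERmd5crypt:1002:1002:Pre-shadow account:/home/legacy:/bin/sh
"""

SHADOW = """\
root:$6$rounds=5000$Qx7Lm2kP$PLACEHOLDERsha512crypt:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
ann:$y$j9T$ab3Kd9Lm$PLACEHOLDERyescrypt:19000:0:99999:7:::
"""

ALGOS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
FIELDS = ("user", "hash", "uid", "gid", "gecos", "home", "shell")

def unshadow(passwd_text: str, shadow_text: str) -> list:
    """Substitute each 'x' in /etc/passwd with the hash field from /etc/shadow."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            user, hashval = line.split(":", 2)[:2]
            shadow[user] = hashval
    records = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split(":")))
        if rec["hash"] == "x":                    # hash lives in /etc/shadow
            rec["hash"] = shadow.get(rec["user"], "")
        records.append(rec)                       # a pre-shadow hash stays as found in passwd
    return records

def crackable(records: list) -> list:
    """Drop accounts with no password hash ('*', '!', '!!' mean locked / no password login)."""
    return [r for r in records if r["hash"] and not r["hash"].startswith(("*", "!"))]

def parse_crypt(hashval: str):
    """'$id$[params$]salt$hash' -> dict; None for anything not in that format."""
    parts = hashval.split("$")
    if len(parts) < 4 or parts[0] != "":
        return None
    return {"algo": ALGOS.get(parts[1], parts[1]), "params": parts[2:-2],
            "salt": parts[-2], "hash": parts[-1]}

def unshadow_lines(records: list) -> list:
    """passwd-format lines with the real hash in field 2: what a cracker consumes."""
    return [":".join(r[f] for f in FIELDS) for r in records]

def distinct_salts(records: list) -> set:
    """One salt per account is what defeats a shared precomputed table."""
    return {parse_crypt(r["hash"])["salt"] for r in crackable(records)}

if __name__ == "__main__":
    recs = unshadow(PASSWD, SHADOW)
    for line in unshadow_lines(crackable(recs)):
        print(line)
    print("distinct salts:", len(distinct_salts(recs)))
```

The join is the reason both files are required: without /etc/passwd the tester has hashes but no account context (UID 0, shell, home), and without /etc/shadow the tester has accounts but only an "x" where the hash should be. The legacy account shows the pre-shadow layout in which the hash sat in the world-readable file itself.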

NEW QUESTION 232
A small company is developing a new Internet-facing web application. The security requirements are:
Users of the web application must be uniquely identified and authenticated.
Users of the web application will not be added to the company's directory services.
Passwords must not be stored in the code.
Which of the following meets these requirements?

A. Use OpenID and allow a third party to authenticate users.
B. Use TLS with a shared client certificate for all users.
C. Use SAML with federated directory services.
D. Use Kerberos and browsers that support SAML

Answer: A

Explanation: Users create accounts by selecting an OpenID identity provider, and then use those accounts to sign on to any website which accepts OpenID authentication. This meets all three requirements: each user is uniquely identified and authenticated by the provider, no accounts are created in the company's directory, and the application stores no passwords at all.
OpenID is an open standard and decentralized protocol by the non-profit OpenID Foundation that allows users to be authenticated by certain co-operating sites (known as Relying Parties or RP) using a third-party service. This eliminates the need for webmasters to provide their own ad hoc systems and allows users to consolidate their digital identities. In other words, users can log into multiple unrelated websites without having to register with their information over and over again.
Several large organizations either issue or accept OpenIDs on their websites according to the OpenID Foundation: AOL, Blogger, Flickr, France Telecom, Google, Hyves, LiveJournal, Microsoft (provider name Microsoft account), Mixi, Myspace, Novell, Orange, Sears, Sun, Telecom Italia, Universal Music Group, VeriSign, WordPress, and Yahoo!. Other providers include BBC, IBM, PayPal, and Steam.
Incorrect Answers:
B: The question states that users of the web application must be uniquely identified and authenticated. A shared client certificate for all users does not meet this requirement.
C: The question states that users of the web application will not be added to the company's directory services. SAML with federated directory services would require that the users are added to the directory services.
D: Kerberos authenticates principals that exist in a KDC's realm, typically the company's directory, so it would require the users to be added to the directory services; it is also not a practical login mechanism for anonymous Internet users of a web application.
References: https://en.wikipedia.org/wiki/OpenID

NEW QUESTION 235
A multi-national company has a highly mobile workforce and minimal IT infrastructure. The company utilizes a BYOD and social media policy to integrate presence technology into global collaboration tools by individuals and teams. As a result of the dispersed employees and frequent international travel, the company is concerned about the safety of employees and their families when moving in and out of certain countries. Which of the following could the company view as a downside of using presence technology?

A. Insider threat
B. Network reconnaissance
C. Physical security
D. Industrial espionage

Answer: C

Explanation: If all company users worked in the same office with one corporate network and using company-supplied laptops, then it is easy to implement all sorts of physical security controls. Examples of physical security include intrusion detection systems, fire protection systems, surveillance cameras or simply a lock on the office door.
However, in this question we have dispersed employees using their own devices and frequently travelling internationally, and presence technology publishes where they are and when they are available. This makes it extremely difficult to implement any kind of physical security, and the published location information itself can put travelling employees and their families at risk. Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism.
Incorrect Answers:
A: An insider threat is a malicious actor who is an employee or officer of a business, institution, or agency. Dispersed employees using presence technology does not increase the risk of insider threat when compared to employees working together in an office.
B: The risk of network reconnaissance is not increased by having dispersed employees using presence technology; with minimal IT infrastructure there is little corporate network to reconnoitre.
D: Industrial espionage is a threat to any business whose livelihood depends on information. However, this threat is not increased by having dispersed employees using presence technology. The risk would be the same with dispersed employees using presence technology or employees working together in a single location such as an office.
References: http://searchsecurity.techtarget.com/definition/physical-security

NEW QUESTION 239
A network engineer wants to deploy user-based authentication across the company's wired and wireless infrastructure at layer 2 of the OSI model. Company policies require that users be centrally managed and authenticated and that each user's network access be controlled based on the user's role within the company. Additionally, the central authentication system must support hierarchical trust and the ability to natively authenticate mobile devices and workstations. Which of the following are needed to implement these requirements? (Select TWO).

A. SAML
B. WAYF
C. LDAP
D. RADIUS
E. Shibboleth
F. PKI

Answer: CD

Explanation: User-based authentication at layer 2 on wired and wireless networks is done with IEEE 802.1X, where the switch or access point acts as the authenticator and forwards EAP credentials to a RADIUS server. RADIUS is therefore needed to authenticate the connections; LDAP provides the central, hierarchical user directory that RADIUS consults and from which roles (group memberships) are read to decide what network access to grant.
LDAP and RADIUS have something in common: they are both protocols that use attributes to carry information back and forth. They are clearly defined in RFC documents, so products from different vendors can be expected to work together.
RADIUS is NOT a database. It is a protocol for asking questions of a user database. LDAP is a protocol for accessing a directory, which is a hierarchical database; recent offerings add some intelligence (roles, class of service and so on), but it is still mainly a data store. RADIUS servers such as FreeRADIUS give the administrator the tools not only to perform user authentication but also to authorize users based on complex checks and logic. For instance, you can allow access on a specific NAS only if the user belongs to a certain category, is a member of a specific group and an outside script allows access. There is no way to perform such complex decisions in a user database alone.
Incorrect Answers:
A: Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. It is used for web single sign-on, not for layer 2 network access, and it does not authenticate devices.
B: WAYF stands for Where Are You From. It is a third-party discovery service used by websites of some online institutions to select an identity provider. WAYF does not meet the requirements in this question.
E: Shibboleth is an open-source project that provides single sign-on capabilities and allows sites to make informed authorization decisions for individual access of protected online resources. It cannot perform the device authentication required in this question.
F: PKI (Public Key Infrastructure) uses digital certificates to affirm the identity of the certificate subject and bind that identity to the public key contained in the certificate. Certificates can be one credential used inside 802.1X (EAP-TLS), but PKI alone provides neither the central user management nor the role-based access decisions required here.
References: https://kkalev.wordpress.com/2007/03/17/radius-vs-ldap/

NEW QUESTION 242
Company A has noticed abnormal behavior targeting their SQL server on the network from a rogue IP address. The company uses the following internal IP address ranges: 192.10.1.0/24 for the corporate site and 192.10.2.0/24 for the remote site. The Telco router interface uses the 192.10.5.0/30 IP range.
Instructions: Click on the simulation button to refer to the Network Diagram for Company A. Click on Router 1, Router 2, and the Firewall to evaluate and configure each device.
Task 1: Display and examine the logs and status of Router 1, Router 2, and Firewall interfaces.
Task 2: Reconfigure the appropriate devices to prevent the attacks from continuing to target the SQL server and other servers on the corporate network.

A. Check the answer below
We have traffic coming from two rogue IP addresses, 192.10.3.204 and 192.10.3.254 (both in the 192.10.3.0/24 subnet), going to IPs in the corporate site subnet (192.10.1.0/24) and the remote site subnet (192.10.2.0/24). We need to Deny (block) this traffic at the firewall by ticking the two checkboxes that deny traffic from those two source addresses to the corporate and remote site subnets (the network diagram and firewall screen are not reproduced here).

B. Check the answer below

Answer: A

NEW QUESTION 244
Compliance with company policy requires a quarterly review of firewall rules. A new administrator is asked to conduct this review on the internal firewall sitting between several internal networks. The intent of this firewall is to make traffic more restrictive. Given the following information answer the questions below:
User Subnet: 192.168.1.0/24
Server Subnet: 192.168.2.0/24
Finance Subnet: 192.168.3.0/24
Instructions: To perform the necessary tasks, please modify the DST port, Protocol, Action, and/or Rule Order columns. Firewall ACLs are read from the top down.
Task 1) An administrator added a rule to allow their machine terminal server access to the server subnet. This rule is not working. Identify the rule and correct this issue.
Task 2) All web servers have been changed to communicate solely over SSL. Modify the appropriate rule to allow communications.
Task 3) An administrator added a rule to block access to the SQL server from anywhere on the network. This rule is not working. Identify and correct this issue.
Task 4) Other than allowing all hosts to do network time and SSL, modify a rule to ensure that no other traffic is allowed.


A. Check the answer below

Task 1) An administrator added a rule to allow their machine terminal server access to the server subnet. This rule is not working. Identify the rule and correct this issue.
The rule shown in the image below is the rule in question. It is not working because the action is set to Deny. This needs to be set to Permit.

Task 2) All web servers have been changed to communicate solely over SSL. Modify the appropriate rule to allow communications.
The web servers rule is shown in the image below. Port 80 (HTTP) needs to be changed to port 443 for HTTPS (HTTP over SSL).

Task 3) An administrator added a rule to block access to the SQL server from anywhere on the network. This rule is not working. Identify and correct this issue.
The SQL Server rule is shown in the image below. It is not working because the protocol is wrong. It should be TCP, not UDP.

Task 4) Other than allowing all hosts to do network time and SSL, modify a rule to ensure that no other traffic is allowed.
The network time rule is shown in the image below. However, this rule is not being used because the 'any' rule shown below allows all traffic and the rule is placed above the network time rule. To block all other traffic, the 'any' rule needs to be set to Deny, not Permit, and the rule needs to be placed below all the other rules (it needs to be placed at the bottom of the list so the rule is evaluated last).


B. Check the answer below

Task 1) An administrator added a rule to allow their machine terminal server access to the server subnet. This rule is not working. Identify the rule and correct this issue.
The rule shown in the image below is the rule in question. It is not working because the action is set to Deny. This needs to be set to Permit.

Task 2) All web servers have been changed to communicate solely over SSL. Modify the appropriate rule to allow communications.
The web servers rule is shown in the image below. Port 80 (HTTP) needs to be changed to port 443 for HTTPS (HTTP over SSL).

Task 3) An administrator added a rule to block access to the SQL server from anywhere on the network. This rule is not working. Identify and correct this issue.
The SQL Server rule is shown in the image below. It is not working because the protocol is wrong. It should be TCP, not UDP.

Task 4) Other than allowing all hosts to do network time and SSL, modify a rule to ensure that no other traffic is allowed.
The network time rule is shown in the image below. However, this rule is not being used because the 'any' rule shown below allows all traffic and the rule is placed above the network time rule. To block all other traffic, the 'any' rule needs to be set to Deny, not Permit, and the rule needs to be placed below all the other rules (it needs to be placed at the bottom of the list so the rule is evaluated last).

Answer: A

NEW QUESTION 246
A new piece of ransomware got installed on a company's backup server which encrypted the hard drives containing the OS and backup application configuration but did not affect the deduplication data hard drives. During the incident response, the company finds that all backup tapes for this server are also corrupt. Which of the following is the PRIMARY concern?

A. Determining how to install HIPS across all server platforms to prevent future incidents
B. Preventing the ransomware from re-infecting the server upon restore
C. Validating the integrity of the deduplicated data
D. Restoring the data will be difficult without the application configuration

Answer: D

Explanation: Ransomware is a type of malware that restricts access to a computer system that it infects in some way, and demands that the user pay a ransom to the operators of the malware to remove the restriction. Since the backup application configuration is not accessible, it will require more effort to recover the data. Eradication and Recovery is the fourth step of the incident response. It occurs before preventing future problems.
Incorrect Answers:
A: Preventing future problems is part of the Lessons Learned step, which is the last step in the incident response process.
B: Preventing future problems is part of the Lessons Learned step, which is the last step in the incident response process.
C: Since the incident did not affect the deduplicated data, it is not included in the incident response process.
References:
https://en.wikipedia.org/wiki/Ransomware
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, p. 249

NEW QUESTION 247
The Chief Executive Officer (CEO) of a large prestigious enterprise has decided to reduce business costs by outsourcing to a third party company in another country. Functions to be outsourced include: business analysts, testing, software development and back office functions that deal with the processing of customer data. The Chief Risk Officer (CRO) is concerned about the outsourcing plan. Which of the following risks are MOST likely to occur if adequate controls are not implemented?

A. Geographical regulation issues, loss of intellectual property and interoperability agreement issues
B. Improper handling of client data, interoperability agreement issues and regulatory issues
C. Cultural differences, increased cost of doing business and divestiture issues
D. Improper handling of customer data, loss of intellectual property and reputation damage


Answer: D

Explanation: The risk of security violations or compromised intellectual property (IP) rights is inherently elevated when working internationally. A key concern with outsourcing arrangements is making sure that there is sufficient protection and security in place for personal information being transferred and/or accessed under an outsourcing agreement.
Incorrect Answers:
A: Interoperability agreement issues are not a major risk when outsourcing to a third party company in another country.
B: Interoperability agreement issues are not a major risk when outsourcing to a third party company in another country.
C: Divestiture is the disposition or sale of an asset that is not performing well, and which is not vital to the company's core business, or which is worth more to a potential buyer or as a separate entity than as part of the company.
References:
http://www.lexology.com/library/detail.aspx?g=e698d613-af77-4e34-b84e-940e14e94ce4
http://www.investorwords.com/1508/divestiture.html

NEW QUESTION 250
The Chief Information Officer (CIO) is reviewing the IT centric BIA and RA documentation. The documentation shows that a single 24 hours downtime in a critical business function will cost the business $2.3 million. Additionally, the business unit which depends on the critical business function has determined that there is a high probability that a threat will materialize based on historical data. The CIO's budget does not allow for full system hardware replacement in case of a catastrophic failure, nor does it allow for the purchase of additional compensating controls. Which of the following should the CIO recommend to the finance director to minimize financial loss?

A. The company should mitigate the risk.
B. The company should transfer the risk.
C. The company should avoid the risk.
D. The company should accept the risk.

Answer: B

Explanation: To transfer the risk is to deflect it to a third party, by taking out insurance for example.
Incorrect Answers:
A: Mitigation is not an option as the CIO's budget does not allow for the purchase of additional compensating controls.
C: Avoiding the risk is not an option as the business unit depends on the critical business function.
D: Accepting the risk would not reduce financial loss.
References:
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, p. 218

NEW QUESTION 251
A large organization has recently suffered a massive credit card breach. During the months of Incident Response, there were multiple attempts to assign blame for whose fault it was that the incident occurred. In which part of the incident response phase would this be addressed in a controlled and productive manner?

A. During the Identification Phase
B. During the Lessons Learned phase
C. During the Containment Phase
D. During the Preparation Phase

Answer: B

Explanation: The Lessons Learned phase is the final step in the Incident Response process, when everyone involved reviews what happened and why.
Incorrect Answers:
A: The Identification Phase is the second step in the Incident Response process that deals with the detection of events and incidents.
C: The Containment Phase is the third step in the Incident Response process that deals with the planning, training, and execution of the incident response plan.
D: The Preparation Phase is the first step in the Incident Response process that deals with policies and procedures required to attend to the potential of security incidents.
References:
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, p. 249

NEW QUESTION 253
A security manager for a service provider has approved two vendors for connections to the service provider backbone. One vendor will be providing authentication services for its payment card service, and the other vendor will be providing maintenance to the service provider infrastructure sites. Which of the following business agreements is MOST relevant to the vendors and service provider's relationship?

A. Memorandum of Agreement
B. Interconnection Security Agreement
C. Non-Disclosure Agreement
D. Operating Level Agreement

Answer: B

Explanation: The Interconnection Security Agreement (ISA) is a document that identifies the requirements for connecting systems and networks and details what security controls are to be used to protect the systems and sensitive data.
Incorrect Answers:
A: A memorandum of agreement (MOA) is a document composed between parties to cooperate on an agreed upon project or meet an agreed objective.
C: A nondisclosure agreement (NDA) is designed to protect confidential information.
D: An operating level agreement (OLA) defines the responsibilities of each partner's internal support group.
References:
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, pp. 237, 238


NEW QUESTION 255
Which of the following provides the BEST risk calculation methodology?

A. Annual Loss Expectancy (ALE) x Value of Asset
B. Potential Loss x Event Probability x Control Failure Probability
C. Impact x Threat x Vulnerability
D. Risk Likelihood x Annual Loss Expectancy (ALE)

Answer: B

Explanation: Of the options given, the BEST risk calculation methodology would be Potential Loss x Event Probability x Control Failure Probability. This exam is about computer and data security so 'loss' caused by risk is not necessarily a monetary value.
For example: Potential Loss could refer to the data lost in the event of a data storage failure. Event Probability could be the risk of a disk drive or drives failing. Control Failure Probability could be the risk of the storage RAID not being able to handle the number of failed hard drives without losing data.
Incorrect Answers:
A: Annual Loss Expectancy (ALE) is a monetary value used to calculate how much is expected to be lost in one year. For example, if the cost of a failure (Single Loss Expectancy (SLE)) is $1000 and the failure is expected to happen 5 times in a year (Annualized Rate of Occurrence (ARO)), then the Annual Loss Expectancy is $5000. ALE is not the best calculation for I.T. risk calculation.
C: Impact x Threat x Vulnerability looks like a good calculation at first glance. However, for a risk calculation there needs to be a definition of the likelihood (probability) of the risk.
D: Annual Loss Expectancy (ALE) is a monetary value used to calculate how much is expected to be lost in one year. ALE is not the best calculation for I.T. risk calculation.
References:
https://iaonline.theiia.org/understanding-the-risk-management-process

NEW QUESTION 259
The senior security administrator wants to redesign the company DMZ to minimize the risks associated with both external and internal threats. The DMZ design must support security in depth, change management and configuration processes, and support incident reconstruction. Which of the following designs BEST supports the given requirements?

A. A dual firewall DMZ with remote logging where each firewall is managed by a separate administrator.
B. A single firewall DMZ where each firewall interface is managed by a separate administrator and logging to the cloud.
C. A SaaS based firewall which logs to the company's local storage via SSL, and is managed by the change control team.
D. A virtualized firewall, where each virtual instance is managed by a separate administrator and logging to the same hardware.

Answer: A

Explanation: Security in depth is the concept of creating additional layers of security. The traditional approach of securing the IT infrastructure is no longer enough. Today's threats are multifaceted and often persistent, and traditional network perimeter security controls cannot effectively mitigate them. Organizations need to implement more effective, multi-level security controls that are embedded with their electronic assets. They need to protect key assets from both external and internal threats. This security in depth approach is meant to sustain attacks even when perimeter and traditional controls have been breached.
In this question, using two firewalls to secure the DMZ from both external and internal attacks is the best approach. Having each firewall managed by a separate administrator will reduce the chance of a configuration error being made on both firewalls. The remote logging will enable incident reconstruction.
Incorrect Answers:
B: Depending on the number of interfaces on the firewall, you could protect from external and internal threats with a single firewall although two firewalls is a better solution. However, it is not practical to have separate interfaces on the same firewall managed by different administrators. The firewall rules work together in a hierarchy to determine what traffic is allowed through each interface.
C: A SaaS based firewall can be used to protect cloud resources. However, it is not the best solution for protecting the network in this question.
D: A virtualized firewall could be used. However, multiple instances of the same firewall should be identical. They should not be configured separately by different administrators.
References:
http://www.oracle.com/technetwork/topics/entarch/oracle-wp-security-ref-arch-1918345.pdf

NEW QUESTION 263
A forensic analyst receives a hard drive containing malware quarantined by the antivirus application. After creating an image and determining the directory location of the malware file, which of the following helps to determine when the system became infected?

A. The malware file's modify, access, change time properties.
B. The timeline analysis of the file system.
C. The time stamp of the malware in the swap file.
D. The date/time stamp of the malware detection in the antivirus log

Answer: B

Explanation: Timelines can be used in digital forensics to identify when activity occurred on a computer. Timelines are mainly used for data reduction or identifying specific state changes that have occurred on a computer.
Incorrect Answers:
A: This option will not help to determine when the system became infected.
C: A swap file is a space on a hard disk used as the virtual memory extension of a computer's real memory, which allows your computer's operating system to pretend that you have more RAM than you actually do.
D: This will tell you when the antivirus detected the malware, not when the system became infected.
References:
http://www.basistech.com/autopsy-feature-graphical-timeline-analysis-for-cyber-forensics/
http://searchwindowsserver.techtarget.com/definition/swap-file-swap-space-or-pagefile

NEW QUESTION 267
An assessor identifies automated methods for identifying security control compliance through validating sensors at the endpoint and at Tier 2. Which of the following practices satisfy continuous monitoring of authorized information systems?

A. Independent verification and validation
B. Security test and evaluation
C. Risk assessment
D. Ongoing authorization

Answer: D

Explanation: Ongoing assessment and authorization is often referred to as continuous monitoring. It is a process that determines whether the set of deployed security controls in an information system continue to be effective with regards to planned and unplanned changes that occur in the system and its environment over time. Continuous monitoring allows organizations to evaluate the operating effectiveness of controls on or near a real-time basis. Continuous monitoring enables the enterprise to detect control failures quickly because it transpires immediately or closely after events in which the key controls are utilized.
Incorrect Answers:
A: Independent verification and validation (IV&V) is executed by a third party organization not involved in the development of a product. This is not considered continuous monitoring of authorized information systems.
B: Security test and evaluation is not considered continuous monitoring of authorized information systems.
C: Risk assessment is the identification of potential risks and threats. It is not considered continuous monitoring of authorized information systems.
References:
http://www.fedramp.net/ongoing-assessment-and-authorization-continuous-monitoring
https://www.techopedia.com/definition/24836/independent-verification-and-validation--iv&v
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, pp. 213, 219

NEW QUESTION 268
It has come to the IT administrator's attention that the "post your comment" field on the company blog page has been exploited, resulting in cross-site scripting attacks against customers reading the blog. Which of the following would be the MOST effective at preventing the "post your comment" field from being exploited?

A. Update the blog page to HTTPS
B. Filter metacharacters
C. Install HIDS on the server
D. Patch the web application
E. Perform client side input validation

Answer: B

Explanation: A general rule of thumb with regards to XSS is to "Never trust user input and always filter metacharacters."
Incorrect Answers:
A: Updating the blog page to HTTPS will not resolve this issue.
C: HIDS are designed to monitor a computer system, not the network. It will, therefore, not resolve this issue.
D: Simply installing a web application patch will not work, as the patch may be susceptible to XSS. Testing of the patch has to take place first.
E: Performing client side input validation is a valid method, but it is not the MOST effective.
References:
https://community.qualys.com/docs/DOC-1186
http://www.computerweekly.com/tip/The-true-test-of-a-Web-application-patch
http://www.techrepublic.com/blog/it-security/what-is-cross-site-scripting/
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, p. 137

NEW QUESTION 273
After the install process, a software application executed an online activation process. After a few months, the system experienced a hardware failure. A backup image of the system was restored on a newer revision of the same brand and model device. After the restore, the specialized application no longer works. Which of the following is the MOST likely cause of the problem?

A. The binary files used by the application have been modified by malware.
B. The application is unable to perform remote attestation due to blocked ports.
C. The restored image backup was encrypted with the wrong key.
D. The hash key summary of hardware and installed software no longer match.

Answer: D

Explanation: Different software vendors have different methods of identifying a computer used to activate software. However, a common component used in software activations is a hardware key (or hardware and software key). This key is a hash value generated based on the hardware (and possibly software) installed on the system.
For example, when Microsoft software is activated on a computer, the software generates an installation ID that consists of the software product key used during the installation and a hardware key (hash value generated from the computer's hardware). The installation ID is submitted to Microsoft for software activation. Changing the hardware on a system can change the hash key which makes the software think it is installed on another computer and is therefore not activated for use on that computer. This is most likely what has happened in this question.
Incorrect Answers:
A: It is very unlikely that the binary files used by the application have been modified by malware. Malware doesn't modify application binary files.
B: A backup image of the system was restored onto the new hardware. Therefore, the software configuration should be the same as before. It is unlikely that blocked ports preventing remote attestation is the cause of the problem.
C: A backup image of the system was restored onto the new hardware. If the restored image backup was encrypted with the wrong key, you wouldn't be able to restore the image.
References:
https://technet.microsoft.com/en-us/library/bb457054.aspx

NEW QUESTION 276
A company provides on-demand cloud computing resources for a sensitive project. The company implements a fully virtualized datacenter and terminal server access with two-factor authentication for customer access to the administrative website. The security administrator at the company has uncovered a breach in data confidentiality. Sensitive data from customer A was found on a hidden directory within the VM of company B. Company B is not in the same industry as company A and the two are not competitors. Which of the following has MOST likely occurred?

A. Both VMs were left unsecured and an attacker was able to exploit network vulnerabilities to access each and move the data.
B. A stolen two factor token was used to move data from one virtual guest to another host on the same network segment.
C. A hypervisor server was left un-patched and an attacker was able to use a resource exhaustion attack to gain unauthorized access.
D. An employee with administrative access to the virtual guests was able to dump the guest memory onto a mapped disk.

Answer: A

Explanation: In this question, two virtual machines have been accessed by an attacker. The question is asking what is MOST likely to have occurred. It is common for operating systems to not be fully patched. Of the options given, the most likely occurrence is that the two VMs were not fully patched, allowing an attacker to access each of them. The attacker could then copy data from one VM and hide it in a hidden folder on the other VM.
Incorrect Answers:
B: The two VMs are from different companies. Therefore, the two VMs would use different two-factor tokens; one for each company. For this answer to be correct, the attacker would have to steal both two-factor tokens. This is not the most likely answer.
C: Resource exhaustion is a simple denial of service condition which occurs when the resources necessary to perform an action are entirely consumed, therefore preventing that action from taking place. A resource exhaustion attack is not used to gain unauthorized access to a system.
D: The two VMs are from different companies so it can't be an employee from the two companies. It is possible (although unlikely) that an employee from the hosting company had administrative access to both VMs. Even if that were the case, the employee would not dump the memory to a mapped disk to copy the information. With administrative access, the employee could copy the data using much simpler methods.
References:
https://www.owasp.org/index.php/Resource_exhaustion

NEW QUESTION 280......
