CompTIA Advanced Security Practitioner (CASP) Recertification Exam for Continuing Education
Question No: 71 – (Topic 2)
A security analyst has been asked to develop a quantitative risk analysis and risk assessment for the company’s online shopping application. Based on heuristic information from the Security Operations Center (SOC), a Denial of Service Attack (DoS) has been successfully executed 5 times a year. The Business Operations department has determined the loss associated to each attack is $40,000. After implementing application caching, the number of DoS attacks was reduced to one time a year. The cost of the countermeasures was $100,000. Which of the following is the monetary value earned during the first year of operation?
A. $60,000 B. $100,000 C. $140,000 D. $200,000
Answer: A Explanation:
ALE before implementing application caching: ALE = ARO x SLE
ALE = 5 x $40,000 ALE = $200,000
ALE after implementing application caching: ALE = ARO x SLE
ALE = 1 x $40,000 ALE = $40,000
The monetary value earned would be the sum of subtracting the ALE calculated after implementing application caching and the cost of the countermeasures, from the ALE calculated before implementing application caching.
Monetary value earned = $200,000 – $40,000 – $100,000 Monetary value earned = $60,000
Question No: 72 – (Topic 2)
During an incident involving the company main database, a team of forensics experts is
hired to respond to the breach. The team is in charge of collecting forensics evidence from the company’s database server. Which of the following is the correct order in which the forensics team should engage?
Notify senior management, secure the scene, capture volatile storage, capture non- volatile storage, implement chain of custody, and analyze original media.
Take inventory, secure the scene, capture RAM, capture hard drive, implement chain of custody, document, and analyze the data.
Implement chain of custody, take inventory, secure the scene, capture volatile and non- volatile storage, and document the findings.
Secure the scene, take inventory, capture volatile storage, capture non-volatile storage, document, and implement chain of custody.
Answer: D Explanation:
The scene has to be secured first to prevent contamination. Once a forensic copy has been created, an analyst will begin the process of moving from most volatile to least volatile information. The chain of custody helps to protect the integrity and reliability of the evidence by keeping an evidence log that shows all access to evidence, from collection to appearance in court.
Question No: 73 – (Topic 2)
In an effort to reduce internal email administration costs, a company is determining whether to outsource its email to a managed service provider that provides email, spam, and malware protection. The security manager is asked to provide input regarding any security implications of this change. Which of the following BEST addresses risks associated with disclosure of intellectual property?
Require the managed service provider to implement additional data separation.
Require encrypted communications when accessing email.
Enable data loss protection to minimize emailing PII and confidential data.
Establish an acceptable use policy and incident response policy.
Question No: 74 – (Topic 2)
Wireless users are reporting issues with the company’s video conferencing and VoIP
systems. The security administrator notices internal DoS attacks from infected PCs on the network causing the VoIP system to drop calls. The security administrator also notices that the SIP servers are unavailable during these attacks. Which of the following security controls will MOST likely mitigate the VoIP DoS attacks on the network? (Select TWO).
Install a HIPS on the SIP servers
Configure 802.1X on the network
Update the corporate firewall to block attacking addresses
Configure 802.11e on the network
Configure 802.1q on the network
Answer: A,D Explanation:
Host-based intrusion prevention system (HIPS) is an installed software package that will monitor a single host for suspicious activity by analyzing events taking place within that host.
IEEE 802.11e is deemed to be of significant consequence for delay-sensitive applications, such as Voice over Wireless LAN and streaming multimedia.
Question No: 75 – (Topic 2)
A new piece of ransomware got installed on a company’s backup server which encrypted the hard drives containing the OS and backup application configuration but did not affect the deduplication data hard drives. During the incident response, the company finds that all backup tapes for this server are also corrupt. Which of the following is the PRIMARY concern?
Determining how to install HIPS across all server platforms to prevent future incidents
Preventing the ransomware from re-infecting the server upon restore
Validating the integrity of the deduplicated data
Restoring the data will be difficult without the application configuration
Answer: D Explanation:
Ransomware is a type of malware that restricts access to a computer system that it infects in some way, and demands that the user pay a ransom to the operators of the malware to remove the restriction.
Since the backup application configuration is not accessible, it will require more effort to recover the data.
Eradication and Recovery is the fourth step of the incident response. It occurs before preventing future problems.
Question No: 76 – (Topic 2)
A company is facing penalties for failing to effectively comply with e-discovery requests. Which of the following could reduce the overall risk to the company from this issue?
Establish a policy that only allows filesystem encryption and disallows the use of individual file encryption.
Require each user to log passwords used for file encryption to a decentralized repository.
Permit users to only encrypt individual files using their domain password and archive all old user passwords.
Allow encryption only by tools that use public keys from the existing escrowed corporate PKI.
Answer: D Explanation:
Electronic discovery (also called e-discovery) refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. E-discovery can be carried out offline on a particular computer or it can be done in a network.
An e-discovery policy would define how data is archived and encrypted. If the data is archived in an insecure manor, a user could be able to delete data that the user does not want to be searched. Therefore, we need to find a way of securing the data in a way that only authorized people can access the data.
A public key infrastructure (PKI) supports the distribution and identification of public encryption keys for the encryption of data. The data can only be decrypted by the private key.
In this question, we have an escrowed corporate PKI. Escrow is an independent and licensed third party that holds something (money, sensitive data etc.) and releases it only when predefined conditions have been met. In this case, Escrow is holding the private key of the PKI.
By encrypting the e-discovery data by using the PKI public key, we can ensure that the data can only be decrypted by the private key held in Escrow and this will only happen when the predefined conditions are met.
Question No: 77 – (Topic 2)
A small customer focused bank with implemented least privilege principles, is concerned about the possibility of branch staff unintentionally aiding fraud in their day to day interactions with customers. Bank staff has been encouraged to build friendships with customers to make the banking experience feel more personal. The security and risk team have decided that a policy needs to be implemented across all branches to address the risk. Which of the following BEST addresses the security and risk team’s concerns?
Information disclosure policy
Separation of duties
Question No: 78 – (Topic 2)
After the install process, a software application executed an online activation process. After a few months, the system experienced a hardware failure. A backup image of the system was restored on a newer revision of the same brand and model device. After the restore, the specialized application no longer works. Which of the following is the MOST likely cause of the problem?
The binary files used by the application have been modified by malware.
The application is unable to perform remote attestation due to blocked ports.
The restored image backup was encrypted with the wrong key.
The hash key summary of hardware and installed software no longer match.
Answer: D Explanation:
Different software vendors have different methods of identifying a computer used to activate software. However, a common component used in software activations is a hardware key (or hardware and software key). This key is a hash value generated based on the hardware (and possibly software) installed on the system.
For example, when Microsoft software is activated on a computer, the software generates an installation ID that consists of the software product key used during the installation and a hardware key (hash value generated from the computer’s hardware). The installation ID is submitted to Microsoft for software activation.
Changing the hardware on a system can change the hash key which makes the software think it is installed on another computer and is therefore not activated for use on that
computer. This is most likely what has happened in this question.
Question No: 79 – (Topic 2)
Customers are receiving emails containing a link to malicious software. These emails are subverting spam filters. The email reads as follows:
Delivered-To: firstname.lastname@example.org Received: by 10.14.120.205
Mon, 1 Nov 2010 11:15:24 -0700 (PDT)
Received: by 10.231.31.193
Mon, 01 Nov 2010 11:15:23 -0700 (PDT)
Received: by smtpex.example.com (SMTP READY) with ESMTP (AIO); Mon, 01 Nov 2010 13:15:14 -0500
Received: from 172.18.45.122 by 192.168.2.55; Mon, 1 Nov 2010 13:15:14 -0500
To: quot;email@example.com; lt;firstname.lastname@example.org; Date: Mon, 1 Nov 2010 13:15:11 -0500
Subject: New Insurance Application Thread-Topic: New Insurance Application
Please download and install software from the site below to maintain full access to your account.
Additional information: The authorized mail servers IPs are 192.168.2.10 and 192.168.2.11. The network’s subnet is 192.168.2.0/25.
Which of the following are the MOST appropriate courses of action a security administrator could take to eliminate this risk? (Select TWO).
Identify the origination point for malicious activity on the unauthorized mail server.
Block port 25 on the firewall for all unauthorized mail servers.
Disable open relay functionality.
Shut down the SMTP service on the unauthorized mail server.
Enable STARTTLS on the spam filter.
Answer: B,D Explanation:
In this question, we have an unauthorized mail server using the IP: 192.168.2.55. Blocking port 25 on the firewall for all unauthorized mail servers is a common and recommended security step. Port 25 should be open on the firewall to the IP addresses of the authorized email servers only (192.168.2.10 and 192.168.2.11). This will prevent unauthorized email servers sending email or receiving and relaying email.
Email servers use SMTP (Simple Mail Transfer Protocol) to send email to other email servers. Shutting down the SMTP service on the unauthorized mail server is effectively disabling the mail server functionality of the unauthorized server.
Question No: 80 – (Topic 2)
Which of the following activities could reduce the security benefits of mandatory vacations?
Have a replacement employee run the same applications as the vacationing employee.
Have a replacement employee perform tasks in a different order from the vacationing employee.
Have a replacement employee perform the job from a different workstation than the vacationing employee.
Have a replacement employee run several daily scripts developed by the vacationing employee.
|Lowest Price Guarantee||Yes||No||No|
|Free VCE Simulator||Yes||No||No|