cas-003 Flashcards
study questions
A forensics analyst suspects that a breach has occurred. Security logs show the company’s OS patch system may be compromised, and it is serving patches that contain a zero-day exploit and backdoor. The analyst extracts an executable file from a packet capture of communication between a client computer and the patch server. Which of the following should the analyst use to confirm this suspicion?
A. File size
B. Digital signature
C. Checksums
D. Anti-malware software
E. Sandboxing
Answer: B
A company wants to perform analysis of a tool that is suspected to contain a malicious payload. A forensic analyst is given the following snippet:
A32A[34fda 19(fdA43gfd/home/user/lib/module_so_343jkArfvv(342fds43g
Which of the following did the analyst use to determine the location of the malicious payload?
A. Code deduplicators
B. Binary reverse-engineering
C. Fuzz testing
D. Security containers
Answer: B
The board of a financial services company has requested that the senior security analyst acts as a cybersecurity advisor in order to comply with recent federal legislation. The analyst is required to give a report on current cybersecurity and threat trends in the financial services industry at the next board meeting.
Which of the following would be the BEST methods to prepare this report? (Choose two.)
A. Review the CVE database for critical exploits over the past year
B. Use social media to contact industry analysts
C. Use intelligence gathered from the Internet relay chat channels
D. Request information from security vendors and government agencies
E. Perform a penetration test of the competitor’s network and share the results with the board
Answer: A, D
An infrastructure team is at the end of a procurement process and has selected a vendor. As part of the final negotiations, there are a number of outstanding issues, including:
1. Indemnity clauses have identified the maximum liability
2. he data will be hosted and managed outside of the company’s geographical location
The number of users accessing the system will be small, and no sensitive data will be hosted in the solution. As the security consultant on the project, which of the following should the project’s security consultant recommend as the NEXT step?
A. Develop a security exemption, as it does not meet the security policies
B. Mitigate the risk by asking the vendor to accept the in-country privacy principles
C. Require the solution owner to accept the identified risks and consequences
D. Review the entire procurement process to determine the lessons learned
Answer: C
An agency has implemented a data retention policy that requires tagging data according to type before storing it in the data repository. The policy requires all business emails be automatically deleted after two years. During an open records investigation, information was found on an employee’s work computer concerning a conversation that occurred three years prior and proved damaging to the agency’s reputation.
Which of the following MOST likely caused the data leak?
A. The employee manually changed the email client retention settings to prevent deletion of emails
B. The file that contained the damaging information was mistagged and retained on the server for longer than it should have been
C. The email was encrypted and an exception was put in place via the data classification application
D. The employee saved a file on the computer’s hard drive that contained archives of emails, which were more than two years old
Answer: D
Due to a recent breach, the Chief Executive Officer (CEO) has requested the following activities be conducted during incident response planning:
• Involve business owners and stakeholders
• Create an applicable scenario
• Conduct a biannual verbal review of the incident response plan
• Report on the lessons learned and gaps identified
Which of the following exercises has the CEO requested?
A. Parallel operations
B. Full transition
C. Internal review
D. Tabletop
E. Partial simulation
Answer: C
Given the following code snippet:
Sec Cond = “1SS”
SecStatus = false
try (
if (SecStatus)
SecCond = “2SS”
console.log (“ship to ship”)
else
SecCond = “normal operations”
console. log ( “nothing to see here”)
} catch (e) {
SecCond = “normal operations”
console.log (e)
console.log (“Exception logged”)
}
Which of the following failure modes would the code exhibit?
A. Open
B. Secure
C. Halt
D. Exception
Answer: D
An insurance company has buo million customers and is researching the top transactions on its customer portal. It identifies that the top transaction is currently password reset.
Due to users not remembering their secret questions, a large number of calls are consequently routed to the contact center for manual password resets. The business wants to develop a mobile application to improve customer engagement in the future, continue with a single factor of authentication, minimize management overhead of the solution, remove passwords, and eliminate to the contact center.
Which of the following techniques would BEST meet the requirements? (Choose two.)
A. Magic link sent to an email address
B. Customer ID sent via push notification
C. SMS with OTP sent to a mobile number
D. Third-party social login
E. Certificate sent to be installed on a device
F. Hardware tokens sent to customers
Answer: C, E
A forensics analyst suspects that a breach has occurred. Security logs show the company’s OS patch system may be compromised, and it is serving patches that contain a zero-day exploit and backdoor. The analyst extracts an executable file from a packet capture of communication bebueen a client computer and the patch server.
Which of the following should the analyst use to confirm this suspicion?
A. File size
B. Digital signature
C. Checksums
D. Anti-malware somvare
E. Sandboxing
Answer: B
Given the following code snippet:
< FORM ACTION=”http://192.168.51. 10/cgi—bin/order.pl” method=”port”>
QUANTITY:
< /FORM>
Of which of the following is this snippet an example?
A. Data execution prevention
B. Buffer overflow
C. Failure to use standard libraries
D. Improper filed usage
E. Input validation
Answer: D
A software development team is conducting functional and user acceptance testing of internally developed web applications using a COTS solution. For automated testing, the solution uses valid user credentials from the enterprise directory to authenticate to each application. The solution stores the username in plain text and the corresponding password as an encoded string in a script within a file, located on a globally accessible network share. The account credentials used belong to the development team lead.
To reduce the risks associated with this scenario while minimizing disruption to ongoing testing, which of the following are the BEST actions to take? (Choose two.)
A. Restrict access to the network share by adding a group only for developers to the share’s ACL
B. Implement a new COTS solution that does not use hard-coded credentials and integrates with directory services
C. Obfuscate the username within the script file with encoding to prevent easy identification and the account used
D. Provision a new user account within the enterprise directory and enable its use for authentication to the target applications. Share the username and password with all developers for use in their individual scripts
E. Redesign the web applications to accept single-use, local account credentials for authentication
Answer: A, B
Which of the following is the GREATEST security concern with respect to BYOD?
A. The filtering of sensitive data out of data flows at geographic boundaries.
B. Removing potential bottlenecks in data transmission paths.
C. The transfer of corporate data onto mobile corporate devices.
D. The migration of data into and out of the network in an uncontrolled manner.
Answer: D
As a result of an acquisition, a new development team is being integrated into the company. The development team has BYOD laptops with IDES installed, build severs, and code repositories that utilize SaaS. To have the team up and running effectively, a separate Internet connection has been procured. A stand up has identified the following additional requirements:
- Reuse of the existing network infrastructure
- Acceptable use policies to be enforced
- Protection of sensitive files
- Access to the corporate applications
Which of the following solution components should be deployed to BEST meet the requirements? (Select three.)
A. IPSec VPN
B. HIDS
C. Wireless controller
D. Rights management
E. SSL VPN
F. NAC
G. WAF
H. Load balancer
Answer: D, E, F
A threat advisory alert was just emailed to the IT security staff. The alert references specific types of host operating systems that can allow an unauthorized person to access files on a system remotely. A fix was recently published, but it requires a recent endpoint protection engine to be installed prior to running the fix.
Which of the following MOST likely need to be configured to ensure the system are mitigated accordingly? (Select two)
A. Antivirus
B. HIPS
C. Application whitelisting
D. Patch management
E. Group policy implementation
F. Firmware updates
Answer: D, F
A server (10.0.0.2) on the corporate network is experiencing a DOS from a number of marketing desktops that have been compromised
and are connected to a separate nebuork segment. The security engineer implements the following configuration on the management
router:
Router (config) # ip route 192.168.3.1 2ss.2ss.2ss.2SS Null0
Router (config) # route—map DATA
Router (config—route—map) #match tag 101
Router (config—route—map) #set ip next—hop 192.168.3.1
Router (config—route—map) # set cornrnunity no—export
Router (config—router) #redistribute static route—map DATA
Router (config) ip route 10.0.0.2 255. 2SS .2SS.2SS Null 0 tag 101
Which of the following is the engineer implementing?
A. Remotely triggered black hole
B. Route protection
C. Port security
D. Transport security
F. Address space layout randomization
Answer: B
A security controls assessor intends to perform a holistic configuration compliance test of networked assets. The assessor has been
handed a package of definitions provided in XML format, and many of the files have two common tags within them: “<object>/>” and “<state>".</state></object>
Which of the following tools BEST supports the use of these definitions?
A. HTTP interceptor
B. Static code analyzer
C. SCAP scanner
D. XML fuzzer
Answer: D
An organization is preparing to develop a business continuity plan. The organization is required to meet regulatory requirements relating to
confidentiality and availability, which are well-defined. Management has expressed concern following initial meetings that the organization is not fully aware of the requirements associated with the regulations. Which of the following would be MOST appropriate for the project manager to solicit additional resources for during this phase of the project?
A. After-action reports
B. Gap assessment
C. Security requirements traceability matrix
D. Business impact assessment
E. Risk analysis
Answer: B
A web developer has implemented HTML5 optimizations into a legacy web application. One of the modifications the web developer made
was the following client side optimization:
localStorage.setltem(“session-cookie”, document.cookie);
Which of the following should the security engineer recommend?
A. SessionStorage should be used so authorized cookies expire after the session ends
B. Cookies should be marked as “secure” and “HttpOnly”
C. Cookies should be scoped to a relevant domain/path
D. Client-side cookies should be replaced by sever-side mechanisms
Answer: C
During a security event investigation, a junior analyst fails to create an image of a server’s hard drive before removing the drive and sending it to the forensics analyst. Later, the evidence from the analysis is not usable in the prosecution of the attackers due to the uncertainty of tampering.
Which of the following should the junior analyst have followed?
A. Continuity of operations
B. Chain of custody
C. Order of volatility
D. Data recovery
Answer: C
Reference: https://mw_computer-forensics-recruiter_com/order-of-volatility/
Which of the following is the GREATEST security concern with respect to BYOD?
A. The filtering of sensitive data out of data flows at geographic boundaries.
B. Removing potential bottlenecks in data transmission paths.
C. The transfer of corporate data onto mobile corporate devices.
D. The migration of data into and out of the network in an uncontrolled manner.
Answer: D
The Chief Information Security Officer (CISO) for an organization wants to develop custom IDS rulesets faster, prior to new rules being released by IDS vendors. Which of the following BEST meets this
objective?
A. Identify a third-party source for IDS rules and change the configuration on the applicable IDSs to pull in the new rulesets
B. Encourage cybersecurity analysts to review open-source intelligence products and threat database to generate new IDS rules based on those sources
C. Leverage the latest TCP- and UDP-related RFCs to arm sensors and IDSs with appropriate heuristics for anomaly detection
D. Use annual hacking conventions to document the latest attacks and threats, and then develop IDS rules to counter those threats
Answer: B
A company has decided to lower costs by conducting an internal assessment on specific devices and various internal and external subnets. The assessment will be done during regular office hours, but it must not affect any production servers.
Which of the following would MOST likely be used to complete the assessment? (Select two)
A. Agent-based vulnerability scan
B. Black-box penetration testing
C. Configuration review
D. Social engineering
E. Malware sandboxing
F. Tabletop exercise
Answer: A, C
A hospital’s security team recently determined its nebuork was breached and patient data was accessed by an external entity. The Chief Information Security Officer (CISO) of the hospital approaches the executive management team with this information, reports the vulnerability that led to the breach has
already been remediated, and explains the team is continuing to follow the appropriate incident response plan. The executive team is concerned about the hospital’s brand reputation and asks the CISO when the incident should be disclosed to the affected patients.
Which of the following is the MOST appropriate response?
A. When it is mandated by their legal and regulatory requirements
B. As soon as possible in the interest of the patients
C. As soon as the public relations department is ready to be interviewed
D. When all steps related to the incident response plan are completed
E. Upon the approval of the Chief Executive Officer (CEO) to release information to the public
Answer: A
An organization is preparing to develop a business continuity plan. The organization is required to meet regulatory requirements relating to confidentiality and availability, which are well-defined. Management
has expressed concern following initial meetings that the organization is not fully aware of the requirements associated with the regulations.
Which of the following would be MOST appropriate for the project manager to solicit additional resources for during this phase of the project?
A. After-action reports
B. Gap assessment
C. Security requirements traceability matrix
D. Business impact assessment
E. Risk analysis
Answer: B
