CASP Study Deck 3 (Questions 51 - 75) Flashcards
A security firm is writing a response to an RFP from a customer that is building a new network based software product. The firm’s expertise is in penetration testing corporate networks. The RFP explicitly calls for all possible behaviors of the product to be tested, however, it does not specify any particular method to achieve this goal. Which of the following should be used to ensure the security and functionality of the product? (Select TWO).
A. Code review
B. Penetration testing
C. Grey box testing
D. Code signing
E. White box testing
A. Code review
E. White box testing
Company XYZ has purchased and is now deploying a new HTML5 application. The company wants to hire a penetration tester to evaluate the security of the client and server components of the proprietary web application before launch. Which of the following is the penetration tester MOST likely to use while performing black box testing of the security of the company’s purchased application? (Select TWO).
A. Code review
B. Sandbox
C. Local proxy
D. Fuzzer
E. Port scanner
C. Local proxy
D. Fuzzer
The Information Security Officer (ISO) believes that the company has been targeted by cybercriminals and it is under a cyber attack. Internal services that are normally available to the public via the Internet are inaccessible, and employees in the office are unable to browse the Internet. The senior security engineer starts by reviewing the bandwidth at the border router, and notices that the incoming bandwidth on the router’s external interface is maxed out. The security engineer then inspects the following piece of log to try and determine the reason for the downtime, focusing on the company’s external router’s IP which is 128.20.176.19:
11:16:22.110343 IP 90.237.31.27.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110351 IP 23.27.112.200.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110358 IP 192.200.132.213.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110402 IP 70.192.2.55.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110406 IP 112.201.7.39.19 > 128.20.176.19.19: UDP, length 1400
Which of the following describes the findings the senior security engineer should report to the ISO and the BEST solution for service restoration?
A. After the senior engineer used a network analyzer to identify an active Fraggle attack, the company’s ISP should be contacted and instructed to block the malicious packets.
B. After the senior engineer used the above IPS logs to detect the ongoing DDOS attack, an IPS filter should be enabled to block the attack and restore communication.
C. After the senior engineer used a mirror port to capture the ongoing amplification attack, a BGP sinkhole should be configured to drop traffic at the source networks.
D. After the senior engineer used a packet capture to identify an active Smurf attack, an ACL should be placed on the company’s external router to block incoming UDP port 19 traffic.
A. After the senior engineer used a network analyzer to identify an active Fraggle attack, the company’s ISP should be contacted and instructed to block the malicious packets.
An external penetration tester compromised one of the client organization’s authentication servers and retrieved the password database. Which of the following methods allows the penetration tester to MOST efficiently use any obtained administrative credentials on the client organization’s other systems, without impacting the integrity of any of the systems?
A. Use the pass the hash technique
B. Use rainbow tables to crack the passwords
C. Use the existing access to change the password
D. Use social engineering to obtain the actual password
A. Use the pass the hash technique
A web services company is planning a one-time high-profile event to be hosted on the corporate website. An outage, due to an attack, would be publicly embarrassing, so Joe, the Chief Executive Officer (CEO), has requested that his security engineers put temporary preventive controls in place. Which of the following would MOST appropriately address Joe’s concerns?
A. Ensure web services hosting the event use TCP cookies and deny_hosts.
B. Configure an intrusion prevention system that blocks IPs after detecting too many incomplete sessions.
C. Contract and configure scrubbing services with third-party DDoS mitigation providers.
D. Purchase additional bandwidth from the company’s Internet service provider.
C. Contract and configure scrubbing services with third-party DDoS mitigation providers.
The Chief Executive Officer (CEO) of an Internet service provider (ISP) has decided to limit the company’s contribution to worldwide Distributed Denial of Service (DDoS) attacks. Which of the following should the ISP implement? (Select TWO).
A. Block traffic from the ISP’s networks destined for blacklisted IPs.
B. Prevent the ISP’s customers from querying DNS servers other than those hosted by the ISP.
C. Scan the ISP’s customer networks using an up-to-date vulnerability scanner.
D. Notify customers when services they run are involved in an attack.
E. Block traffic with an IP source not allocated to customers from exiting the ISP’s network.
D. Notify customers when services they run are involved in an attack.
E. Block traffic with an IP source not allocated to customers from exiting the ISP’s network.
Due to compliance regulations, a company requires a yearly penetration test. The Chief Information Security Officer (CISO) has asked that it be done under a black box methodology. Which of the following would be the advantage of conducting this kind of penetration test?
A. The risk of unplanned server outages is reduced.
B. Using documentation provided to them, the pen-test organization can quickly determine areas to focus on.
C. The results will show an in-depth view of the network and should help pin-point areas of internal weakness.
D. The results should reflect what attackers may be able to learn about the company.
D. The results should reflect what attackers may be able to learn about the company.
Ann, a systems engineer, is working to identify an unknown node on the corporate network. To begin her investigative work, she runs the following nmap command string:
user@hostname:~$ sudo nmap -O 192.168.1.54
Based on the output, nmap is unable to identify the OS running on the node, but the following ports are open on the device:
TCP/22 TCP/111 TCP/512-514 TCP/2049 TCP/32778
Based on this information, which of the following operating systems is MOST likely running on the unknown node?
A. Linux
B. Windows
C. Solaris
D. OSX
C. Solaris
A security engineer is responsible for monitoring company applications for known vulnerabilities. Which of the following is a way to stay current on exploits and information security news?
A. Update company policies and procedures
B. Subscribe to security mailing lists
C. Implement security awareness training
D. Ensure that the organization vulnerability management plan is up-to-date
B. Subscribe to security mailing lists
The Chief Executive Officer (CEO) of a small start-up company wants to set up offices around the country for the sales staff to generate business. The company needs an effective communication solution to remain in constant contact with each other, while maintaining a secure business environment. A junior-level administrator suggests that the company and the sales staff stay connected via free social media. Which of the following decisions is BEST for the CEO to make?
A. Social media is an effective solution because it is easily adaptable to new situations.
B. Social media is an ineffective solution because the policy may not align with the business.
C. Social media is an effective solution because it implements SSL encryption.
D. Social media is
B. Social media is an ineffective solution because the policy may not align with the business.
News outlets are beginning to report on a number of retail establishments that are experiencing payment card data breaches. The data exfiltration is enabled by malware on a compromised computer. After the initial exploit, network mapping and fingerprinting is conducted to prepare for further exploitation. Which of the following is the MOST effective solution to protect against unrecognized malware infections?
A. Remove local admin permissions from all users and change anti-virus to a cloud aware, push technology.
B. Implement an application whitelist at all levels of the organization.
C. Deploy a network based heuristic IDS, configure all layer 3 switches to feed data to the IDS for more effective monitoring.
D. Update router configuration to pass all network traffic through a new proxy server with advanced malware detection.
B. Implement an application whitelist at all levels of the organization.
A security administrator notices a recent increase in workstations becoming compromised by malware. Often, the malware is delivered via drive-by downloads, from malware hosting websites, and is not being detected by the corporate antivirus. Which of the following solutions would provide the BEST protection for the company?
A. Increase the frequency of antivirus downloads and install updates to all workstations.
B. Deploy a cloud-based content filter and enable the appropriate category to prevent further infections.
C. Deploy a WAF to inspect and block all web traffic which may contain malware and exploits.
D. Deploy a web based gateway antivirus server to intercept viruses before they enter the network.
B. Deploy a cloud-based content filter and enable the appropriate category to prevent further infections.
A security administrator wants to calculate the ROI of a security design which includes the purchase of new equipment. The equipment costs $50,000 and it will take 50 hours to install and configure the equipment. The administrator plans to hire a contractor at a rate of $100/hour to do the installation. Given that the new design and equipment will allow the company to increase revenue and make an additional $100,000 on the first year, which of the following is the ROI expressed as a percentage for the first year?
A. -45 percent
B. 5.5 percent
C. 45 percent
D. 82 percent
D. 82 percent
A new internal network segmentation solution will be implemented into the enterprise that consists of 200 internal firewalls. As part of running a pilot exercise, it was determined that it takes three changes to deploy a new application onto the network before it is operational. Security now has a significant effect on overall availability. Which of the following would be the FIRST process to perform as a result of these findings?
A. Lower the SLA to a more tolerable level and perform a risk assessment to see if the solution could be met by another solution. Reuse the firewall infrastructure on other projects.
B. Perform a cost benefit analysis and implement the solution as it stands as long as the risks are understood by the business owners around the availability issues. Decrease the current SLA expectations to match the new solution.
C. Engage internal auditors to perform a review of the project to determine why and how the project did not meet the security requirements. As part of the review ask them to review the control effectiveness.
D. Review to determine if control effectiveness is in line with the complexity of the solution. Determine if the requirements can be met with a simpler solution.
D. Review to determine if control effectiveness is in line with the complexity of the solution. Determine if the requirements can be met with a simpler solution.
A Chief Financial Officer (CFO) has raised concerns with the Chief Information Security Officer (CISO) because money has been spent on IT security infrastructure, but corporate assets are still found to be vulnerable. The business recently funded a patch management product and SOE hardening initiative. A third party auditor reported findings against the business because some systems were missing patches. Which of the following statements BEST describes this situation?
A. The CFO is at fault because they are responsible for patching the systems and have already been given patch management and SOE hardening products.
B. The audit findings are invalid because remedial steps have already been applied to patch servers and the remediation takes time to complete.
C. The CISO has not selected the correct controls and the audit findings should be assigned to them instead of the CFO.
D. Security controls are generally never 100% effective and gaps should be explained to stakeholders and managed accordingly.
D. Security controls are generally never 100% effective and gaps should be explained to stakeholders and managed accordingly.