CASP Study Deck 5 (Questions 101 - 125) Flashcards
A system administrator needs to satisfy as many security goals as possible for a new DNS infrastructure. The administrator deploys DNSSEC extensions to the domain names and infrastructure. Which of the following security goals does this meet? (Select TWO).
A. Availability B. Authentication C. Integrity D. Confidentiality E. Encryption
B. Authentication
C. Integrity
The risk manager is reviewing a report which identifies a requirement to keep a business-critical legacy system operational for the next two years. The legacy system is out of support because the vendor no longer releases security patches. Additionally, it is a proprietary embedded system and little is documented or known about it. Which of the following should the Information Technology department implement to reduce the security risk from a compromise of this system?
A. Virtualize the system and migrate it to a cloud provider.
B. Segment the device on its own secure network.
C. Install an antivirus and HIDS on the system.
D. Hire developers to reduce vulnerabilities in the code.
B. Segment the device on its own secure network.
An organization would like to allow employees to use their network username and password to access a third-party service. The company is using Active Directory Federation Services for their directory service. Which of the following should the company ensure is supported by the third party? (Select TWO).
A. LDAP/S B. SAML C. NTLM D. OAUTH E. Kerberos
B. SAML
E. Kerberos
An extensible commercial software system was upgraded to the next minor release version to patch a security vulnerability. After the upgrade, an unauthorized intrusion into the system was detected. The software vendor is called in to troubleshoot the issue and reports that all core components were updated properly. Which of the following has been overlooked in securing the system? (Select TWO).
A. The company’s IDS signatures were not updated.
B. The company’s custom code was not patched.
C. The patch caused the system to revert to http.
D. The software patch was not cryptographically signed.
E. The wrong version of the patch was used.
F. Third-party plug-ins were not patched.
B. The company’s custom code was not patched.
F. Third-party plug-ins were not patched.
A forensic analyst works for an e-discovery firm where several gigabytes of data are processed daily. While the business is lucrative, they do not have the resources or the scalability to adequately serve their clients. Since it is an e-discovery firm where chain of custody is important, which of the following scenarios should they consider?
A. Offload some data processing to a public cloud
B. Aligning their client intake with the resources available
C. Using a community cloud with adequate controls
D. Outsourcing the service to a third party cloud provider
C. Using a community cloud with adequate controls
A company is deploying a new iSCSI-based SAN. The requirements are as follows:
- SAN nodes must authenticate each other.
- Shared keys must NOT be used.
- Do NOT use encryption in order to gain performance.
Which of the following design specifications meet all the requirements? (Select TWO).
A. Targets use CHAP authentication
B. IPSec using AH with PKI certificates for authentication
C. Fibre Channel should be used with AES
D. Initiators and targets use CHAP authentication
E. Fibre Channel over Ethernet should be used
F. IPSec using AH with PSK authentication and 3DES
G. Targets have SCSI IDs for authentication
B. IPSec using AH with PKI certificates for authentication
D. Initiators and targets use CHAP authentication
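What option D looks like on a Linux open-iscsi initiator, as an added example that is not part of the study deck: the one-way CHAP block lets only the target check the initiator, while the `_in` keys below it make the initiator challenge the target as well (mutual CHAP). The IQNs and secrets are placeholders, and the 12-to-16-character secret length is the limit open-iscsi enforces on this author's recollection, so check it against your initiator's documentation.

```ini
# /etc/iscsi/iscsid.conf fragment (open-iscsi). Added example; IQNs and secrets are placeholders.

# Discovery: authenticate both directions before the target list is handed out.
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = iqn.2004-01.com.example:host01
discovery.sendtargets.auth.password = InitSecret1234
discovery.sendtargets.auth.username_in = iqn.2004-01.com.example:san01
discovery.sendtargets.auth.password_in = TargSecret5678

# Session (login) authentication.
node.session.auth.authmethod = CHAP

# One-way CHAP: the target challenges the initiator. A rogue target that
# accepts any initiator would still be trusted by this host.
node.session.auth.username = iqn.2004-01.com.example:host01
node.session.auth.password = InitSecret1234

# Mutual CHAP ("initiators and targets use CHAP"): the initiator also
# challenges the target, with a second secret that must differ from the
# outbound one. Secrets are 12 to 16 characters (assumed open-iscsi limit).
node.session.auth.username_in = iqn.2004-01.com.example:san01
node.session.auth.password_in = TargSecret5678
```

Caveat a practitioner should keep in mind: CHAP is a challenge-response over a per-pair shared secret, so it meets the "authenticate each other" requirement but not the "no shared keys" one on its own; of the two accepted answers, only IPsec AH with certificate authentication avoids shared keys outright, and neither encrypts the SCSI payload, which is what keeps the performance requirement intact.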
Company XYZ provides hosting services for hundreds of companies across multiple industries including healthcare, education, and manufacturing. The security architect for company XYZ is reviewing a vendor proposal to reduce company XYZ’s hardware costs by combining multiple physical hosts through the use of virtualization technologies. The security architect notes concerns about data separation, confidentiality, regulatory requirements concerning PII, and administrative complexity on the proposal. Which of the following BEST describes the core concerns of the security architect?
A. Most of company XYZ’s customers are willing to accept the risks of unauthorized disclosure and access to information by outside users.
B. The availability requirements in SLAs with each hosted customer would have to be re-written to account for the transfer of virtual machines between physical platforms for regular maintenance.
C. Company XYZ could be liable for disclosure of sensitive data from one hosted customer when accessed by a malicious user who has gained access to the virtual machine of another hosted customer.
D. Not all of company XYZ’s customers require the same level of security and the administrative complexity of
C. Company XYZ could be liable for disclosure of sensitive data from one hosted customer when accessed by a malicious user who has gained access to the virtual machine of another hosted customer.
A university requires a significant increase in web and database server resources for one week, twice a year, to handle student registration. The web servers remain idle for the rest of the year. Which of the following is the MOST cost effective way for the university to securely handle student registration?
A. Virtualize the web servers locally to add capacity during registration.
B. Move the database servers to an elastic private cloud while keeping the web servers local.
C. Move the database servers and web servers to an elastic private cloud.
D. Move the web servers to an elastic public cloud while keeping the database servers local.
D. Move the web servers to an elastic public cloud while keeping the database servers local.
Due to a new regulatory requirement, ABC Company must now encrypt all WAN transmissions. When speaking with the network administrator, the security administrator learns that the existing routers have the minimum processing power to do the required level of encryption. Which of the following solutions minimizes the performance impact on the router?
A. Deploy inline network encryption devices
B. Install an SSL acceleration appliance
C. Require all core business applications to use encryption
D. Add an encryption module to the router and configure IPSec
A. Deploy inline network encryption devices
In order to reduce costs and improve employee satisfaction, a large corporation is creating a BYOD policy. It will allow access to email and remote connections to the corporate enterprise from personal devices; provided they are on an approved device list. Which of the following security measures would be MOST effective in securing the enterprise under the new policy? (Select TWO).
A. Provide free email software for personal devices.
B. Encrypt data in transit for remote access.
C. Require smart card authentication for all devices.
D. Implement NAC to limit insecure devices access.
E. Enable time of day restrictions for personal devices.
B. Encrypt data in transit for remote access.
D. Implement NAC to limit insecure devices access.
A security administrator is tasked with implementing two-factor authentication for the company VPN. The VPN is currently configured to authenticate VPN users against a backend RADIUS server. New company policies require a second factor of authentication, and the Information Security Officer has selected PKI as the second factor. Which of the following should the security administrator configure and implement on the VPN concentrator to implement the second factor and ensure that no error messages are displayed to the user during the VPN connection? (Select TWO).
A. The user’s certificate private key must be installed on the VPN concentrator.
B. The CA’s certificate private key must be installed on the VPN concentrator.
C. The user certificate private key must be signed by the CA.
D. The VPN concentrator’s certificate private key must be signed by the CA and installed on the VPN concentrator.
E. The VPN concentrator’s certificate private key must be installed on the VPN concentrator.
F. The CA’s certificate public key must be installed on the VPN concentrator.
E. The VPN concentrator’s certificate private key must be installed on the VPN concentrator.
F. The CA’s certificate public key must be installed on the VPN concentrator.
Ann, a software developer, wants to publish her newly developed software to an online store. Ann wants to ensure that the software will not be modified by a third party or end users before being installed on mobile devices. Which of the following should Ann implement to stop modified copies of her software from running on mobile devices?
A. Single sign-on
B. Identity propagation
C. Remote attestation
D. Secure code review
C. Remote attestation
Two separate companies are in the process of integrating their authentication infrastructure into a unified single sign-on system. Currently, both companies use an AD backend and two-factor authentication using TOTP. The system administrators have configured a trust relationship between the authentication backends to ensure proper process flow. How should the employees request access to shared resources before the authentication integration is complete?
A. They should logon to the system using the username concatenated with the 6-digit code and their original password.
B. They should logon to the system using the newly assigned global username: first.lastname#### where #### is the second factor code.
C. They should use the username format: LAN\first.lastname together with their original password and the next 6-digit code displayed when the token button is depressed.
D. They should use the username format: first.lastname@company.com, together with a password and their 6-digit code.
D. They should use the username format: first.lastname@company.com, together with a password and their 6-digit code.
An industry organization has implemented a system to allow trusted authentication between all of its partners. The system consists of a web of trusted RADIUS servers communicating over the Internet. An attacker was able to set up a malicious server and conduct a successful man-in-the-middle attack. Which of the following controls should be implemented to mitigate the attack in the future?
A. Use PAP for secondary authentication on each RADIUS server
B. Disable unused EAP methods on each RADIUS server
C. Enforce TLS connections between RADIUS servers
D. Use a shared secret for each pair of RADIUS servers
C. Enforce TLS connections between RADIUS servers
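What "enforce TLS between RADIUS servers" looks like in a FreeRADIUS 3 proxy configuration (RadSec, RFC 6614), as an added example that is not part of the study deck: the first `home_server` is the weak design the question describes, plain UDP RADIUS where a 1990s-era shared secret is the only thing tying the peer to an identity; the second is the corrected one, TCP on port 2083 inside mutually authenticated TLS. Addresses, file paths and the certificate password are placeholders; the directive names follow FreeRADIUS's shipped `sites-available/tls` on this author's reading of it.

```conf
# proxy.conf fragment. Added example; addresses, paths and passwords are placeholders.

# WEAK: classic RADIUS over UDP. Anyone who can reach the socket and guess or
# steal the secret can impersonate the partner; attributes are integrity-checked
# only by an MD5 construction keyed on that same secret.
home_server partner_udp {
    ipaddr = 203.0.113.10
    port = 1812
    type = auth
    secret = s3cretSharedWithPartner
}

# CORRECTED: RadSec. The peer is identified by the X.509 certificate it
# presents, checked against the federation CA; the channel is TLS on TCP/2083.
home_server partner_radsec {
    ipaddr = 203.0.113.10
    port = 2083
    type = auth
    proto = tcp
    secret = radsec              # fixed value mandated by RFC 6614; carries no trust
    status_check = none
    tls {
        private_key_password = changeme
        private_key_file = ${certdir}/proxy-client.pem
        certificate_file = ${certdir}/proxy-client.pem
        ca_file = ${cadir}/federation-ca.pem
        cipher_list = "HIGH"
    }
}

# Inbound side, so the partner's proxy is also forced onto TLS and must
# present a certificate chaining to the same CA (sites-enabled/tls).
listen {
    ipaddr = *
    port = 2083
    type = auth
    proto = tcp
    clients = radsec_partners
    tls {
        private_key_password = changeme
        private_key_file = ${certdir}/proxy-server.pem
        certificate_file = ${certdir}/proxy-server.pem
        ca_file = ${cadir}/federation-ca.pem
        require_client_cert = yes
    }
}

clients radsec_partners {
    client partner {
        ipaddr = 203.0.113.10
        proto = tls
        secret = radsec
    }
}
```

Two checks worth doing after the change: firewall the UDP 1812/1813 listeners from the Internet so a downgrade to the old transport is impossible, and confirm with `radiusd -X` that the proxy refuses a peer whose certificate is not issued by `federation-ca.pem`; a rogue server with a valid address but no CA-issued certificate is exactly the attacker in the question.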
Joe, the Chief Executive Officer (CEO), was an information security professor and a subject matter expert for over 20 years. He has designed a network defense method which he says is significantly better than prominent international standards. He has recommended that the company use his cryptographic method. Which of the following methodologies should be adopted?
A. The company should develop an in-house solution and keep the algorithm a secret.
B. The company should use the CEO’s encryption scheme.
C. The company should use a mixture of both systems to meet minimum standards.
D. The company should use the method recommended by other respected information security organizations.
D. The company should use the method recommended by other respected information security organizations.