Latest CASP Questions Flashcards
Users have been reporting unusual automated phone calls, including names and phone numbers, that appear
to come from devices internal to the company. Which of the following should the systems administrator do to
BEST address this problem?
- Add ACL to firewall to block VoIP.
- Change the settings on the phone system to use SIP-TLS.
- Have the phones download new configurations over TFTP.
- Enable QoS configuration on the phone VLAN.
- Change the settings on the phone system to use SIP-TLS.
The Chief Information Security Officer (CISO) is concerned that certain system administrators with privileged access may be reading other users’ emails. Review of a tool’s output shows the administrators have used webmail to log into other users’ inboxes. Which of the following tools would show this type of output?
- Log analysis tool
- Password cracker
- Command-line tool
- File integrity monitoring tool
- Log analysis tool
While attending a meeting with the human resources department, an organization’s information security officer sees an employee using a username and password written on a memo pad to log into a specific service. When the information security officer inquires further as to why passwords are being written down, the response is that there are too many passwords to remember for all the services the human resources department is required to use. Additionally, each password has specific complexity requirements and different expiration time frames. Which of the following would be the BEST solution for the information security officer to recommend?
- Utilize MFA
- Implementing SSO
- Deploying 802.1X
- Pushing SAML adoption
- Implementing TACACS
- Implementing SSO
A firewall specialist has been newly assigned to participate in red team exercises and needs to ensure the skills represent real-world threats. Which of the following would be the BEST choice to help the new team member learn bleeding-edge techniques?
- Attend hacking conventions.
- Research methods using TOR.
- Interview current red team members.
- Attend web-based training.
- Attend hacking conventions.
Following a recent network intrusion, a company wants to determine the current security awareness of all its employees. Which of the following is the BEST way to test awareness?
- Conduct a series of security training events with comprehensive tests at the end.
- Hire an external company to provide an independent audit of network security posture.
- Review the social media of all employees to see how much proprietary information is shared.
- Send an email from a corporate account requesting users to log into a site with their enterprise account.
- Hire an external company to provide an independent audit of network security posture.
A company’s chief cybersecurity architect wants to configure mutual authentication to access an internal payroll website. The architect has asked the administration team to determine the configuration that would provide the best defense against MITM attacks. Which of the following implementation approaches would BEST support the architect’s goals?
- Utilize a challenge-response prompt as required input at username/password entry.
- Implement TLS and require the clients to use their own certificate during the handshake.
- Configure a web application proxy and institute monitoring of HTTPS transactions.
- Install a reverse proxy in the corporate DMZ configured to decrypt TLS session.
- Implement TLS and require the clients to use their own certificate during the handshake.
While investigating suspicious activity on a server, a security administrator runs the following report:

    File system integrity check report
    Total numbers of files: 3321
    Added files: 12
    Removed files: 0
    Changed Files: 1

    Changed files:
    changed: /etc/passwd
    ---------------------------------------------------------
    Detailed information about changes:
    File: /etc/
    Perm: -rw-r--r-- , -rw-r---rw-
    Hash: md5:ab0e9acb928dfac35de2ac2bef918cae, md5:def9a24cdbeaf4cb15acfed93eedb
In addition, the administrator notices changes to the /etc/shadow file that were not listed in the report. Which of the following BEST describe this scenario? (Select TWO)
- An attacker compromised the server and may have used a collision hash in the MD5 algorithm to hide the changes to the /etc/shadow file.
- An attacker compromised the server and may have also compromised the file integrity database to hide changes in the /etc/shadow file.
- An attacker compromised the server and may have installed a rootkit to always generate valid MD5 hashes to hide the changes to the /etc/shadow file.
- An attacker compromised the server and may have used MD5 collision hashes to generate valid passwords, allowing further access to administrator accounts on the server.
- An attacker compromised the server and may have used SELinux mandatory access controls to hide the changes to the /etc/shadow file.
- An attacker compromised the server and may have used a collision hash in the MD5 algorithm to hide the changes to the /etc/shadow file.
- An attacker compromised the server and may have used MD5 collision hashes to generate valid passwords, allowing further access to administrator accounts on the server.
A security engineer is attempting to convey the importance of including job rotation in a company’s standard security policies. Which of the following would be the BEST justification?
- Making employees rotate through jobs ensures succession plans can be implemented and prevents single points of failure.
- Forcing different people to perform the same job minimizes the amount of time malicious actions go undetected by forcing malicious actors to attempt collusion between two or more people.
- Administrators and engineers who perform multiple job functions throughout the day benefit from being cross-trained in new job areas.
- It eliminates the need to share administrative account passwords because employees gain administrative rights as they rotate into new job areas.
- Forcing different people to perform the same job minimizes the amount of time malicious actions go undetected by forcing malicious actors to attempt collusion between two or more people.
The Chief Financial Officer (CFO) of a major hospital system has received a ransom letter that demands a
large sum of cryptocurrency be transferred to an anonymous account. If the transfer does not take place within ten hours, the letter states that patient information will be released on the dark web. A partial listing of recent patients is included in the letter. This is the first indication that a breach took place. Which of the following steps should be done FIRST?
- Review audit logs to determine the extent of the breach.
- Pay the hacker under the condition that all information is destroyed.
- Engage a counter-hacking team to retrieve the data.
- Notify the appropriate legal authorities and legal counsel.
- Notify the appropriate legal authorities and legal counsel.
A security administrator is updating a company’s SCADA authentication system with a new application. To ensure interoperability between the legacy system and the new application, which of the following stakeholders should be involved in the configuration process before deployment? (Select TWO)
- Network engineer
- Service desk personnel
- Human resources administrator
- Incident response coordinator
- Facilities manager
- Compliance manager
- Network engineer
- Compliance manager
Given the code snippet below:

    #include <stdio.h>
    #include <string.h>

    int main(void) {
        char username[8];                  /* fixed 8-byte stack buffer */
        printf("Enter your username: ");
        gets(username);                    /* unbounded read: no length limit on input */
        printf("\n");
        if (username == NULL) {            /* always false for a stack array */
            printf("you did not enter a username\n");
        }
        if (strcmp(username, "admin") == 0) {
            printf("%s", "Admin user, enter your physical token value: ");
            // rest of conditional logic here has been snipped for brevity
        } else {
            printf("Standard user, enter your password: ");
            // rest of conditional logic here has been snipped for brevity
        }
    }

Which of the following vulnerability types is MOST concerning?
- Only short names are supported, which could result in brute forcing of credentials.
- Buffer overflow in the username parameter could lead to a memory corruption vulnerability.
- Hardcoding usernames with different code paths taken depend on which user is entered.
- Format string vulnerability is present for admin users but not for standard users.
- Buffer overflow in the username parameter could lead to a memory corruption vulnerability.
During the decommissioning phase of a hardware project, a security administrator is tasked with ensuring no sensitive data is released inadvertently. All paper records are scheduled to be shredded in a crosscut shredder, and the waste will be burned. The system drives and removable media have been removed prior to e-cycling the hardware. Which of the following would ensure that no data is recovered from the system drives once they are disposed of?
- Overwriting all HDD blocks with an alternating series of data.
- Physically disabling the HDDs by removing the drive head.
- Demagnetizing the hard drive using a degausser.
- Deleting the UEFI boot loaders from each HDD.
- Demagnetizing the hard drive using a degausser.
The Chief Executive Officer (CEO) of a small startup company has a need for a security policy and assessment to address governance, risk management, and compliance. The company has a resource-constrained IT department, but has no information security staff. The CEO has asked for this to be completed in three months. Which of the following would be the MOST cost-effective solution to meet the company’s needs?
- Select one of the IT personnel to obtain information security training, and then develop all necessary policies and documents in house.
- Accept all risks associated with information security, and bring up the issue again at next year’s annual board meeting.
- Release an RFP to consultancy firms, and then select the most appropriate consultant who can fulfill the requirements.
- Hire an experienced, full-time information security team to run the startup company’s information security department.
- Release an RFP to consultancy firms, and then select the most appropriate consultant who can fulfill the requirements.
An engineer needs to provide access to company resources for several offshore contractors. The contractors require:
- Access to a number of applications, including internal websites.
- Access to database data and the ability to manipulate it.
- The ability to log into Linux and Windows servers remotely.
Which of the following remote access technologies are the BEST choices to provide all of this access securely?
(Select TWO)
- VTC
- VRRP
- VLAN
- VDI
- VPN
- Telnet
- VDI
- VPN
Which of the following is the GREATEST security concern with respect to BYOD?
- The filtering of sensitive data out of data flows across geographic boundaries.
- Removing potential bottlenecks in data transmissions paths.
- The transfer of corporate data onto mobile corporate devices.
- The migration of data into and out of the network in an uncontrolled manner.
- The migration of data into and out of the network in an uncontrolled manner.
Ann, a terminated employee, left personal photos on a company-issued laptop and no longer has access to
them. Ann emails her previous manager and asks to get her personal photos back. Which of the following
BEST describes how the manager should respond?
- Determine if the data still exists by inspecting whether the laptop has already been wiped and whether the storage team has recent backups.
- Inform Ann that the laptop was for company data only and she should not have stored personal photos on a company asset.
- Report the email because it may have been a spoofed request coming from an attacker who is trying to exfiltrate data from the company’s laptop.
- Consult with the legal and/or human resources departments and check company policies around employment and termination procedures.
- Consult with the legal and/or human resources departments and check company policies around employment and termination procedures.
A security engineer has been hired to design a device that will enable the exfiltration of data from within a well-defended network perimeter during an authorized test. The device must bypass all firewalls and NIDS in place, as well as allow for upload of commands from a centralized command and control server. The total cost of the device must be kept to a minimum in case the device is discovered during an assessment. Which of the following tools should the engineer load onto the device being designed?
- Custom firmware with rotating key generation.
- Automatic MITM proxy.
- TCP beacon broadcast software.
- Reverse shell endpoint listener.
- Reverse shell endpoint listener.
An enterprise is trying to secure a specific web-based application by forcing the use of multifactor authentication. Currently, the enterprise cannot change the application’s sign-in page to include an extra field. However, the web-based application supports SAML. Which of the following would BEST secure the application?
- Using an SSO application that supports multifactor authentication.
- Enabling the web application to support LDAP integration.
- Forcing higher-complexity passwords, and frequent changes.
- Deploying Shibboleth to all web-based applications in the enterprise.
- Using an SSO application that supports multifactor authentication.
A Chief Information Security Officer (CISO) is reviewing the controls in place to support the organization’s vulnerability management program. The CISO finds patching and vulnerability scanning policies and procedures are in place. However, the CISO is concerned the organization is siloed and is not maintaining awareness of new risks to the organization. The CISO determines systems administrators need to participate in industry security events. Which of the following is the CISO looking to improve?
- Vendor diversification
- System hardening standards
- Bounty programs
- Threat awareness
- Vulnerability signatures
- Threat awareness
A large company with a very complex IT environment is considering a move from an on-premises, internally
managed proxy to a cloud-based proxy solution managed by an external vendor. The current proxy provides caching, content filtering, malware analysis, and URL categorization for all staff connected behind the proxy. Staff members connect directly to the Internet outside of the corporate network. The cloud-based version of the solution would provide content filtering, TLS decryption, malware analysis, and URL categorization. After migrating to the cloud solution, all internal proxies would be decommissioned. Which of the following would MOST likely change the company’s RISK profile?
A. 1. There would be a loss of internal intellectual knowledge regarding proxy configurations and application data flows.
   2. There would be a greater likelihood of Internet outages due to lower resilience of cloud gateways.
   3. There would be data sovereignty concerns due to changes required in routing and proxy PAC files.
B. 1. The external vendor would have access to inbound and outbound gateway traffic.
   2. The service would provide some level of protection for staff working from home.
   3. Outages would be likely to occur for systems or applications with hard-coded proxy information.
C. 1. The loss of local caching would dramatically increase ISP charges and impact existing bandwidth.
   2. There would be a greater likelihood of Internet access outages due to lower resilience of cloud gateways.
   3. There would be a loss of internal intellectual knowledge regarding proxy configurations and application data flows.
D. 1. Outages would likely occur for systems and applications with hard-coded proxy information.
   2. The service would provide some level of protection for staff members working from home.
   3. Malware detection times would decrease due to third-party management of the service.
B. 1. The external vendor would have access to inbound and outbound gateway traffic.
   2. The service would provide some level of protection for staff working from home.
   3. Outages would be likely to occur for systems or applications with hard-coded proxy information.
A security incident responder discovers an attacker has gained access to a network and has overwritten key system files with backdoor software. The server was reimaged and patched offline. Which of the following tools should be implemented to detect similar attacks?
- Vulnerability scanner
- TPM
- Host-based firewall
- File integrity monitor
- NIPS
- File integrity monitor
While reviewing KPIs of the email security appliance with the Chief Information Security Officer (CISO) of an
insurance company, the security engineer notices the following:
    Month   Encrypted Email   Unencrypted Email   Contains PII
    1       200               0                   0
    2       230               10                  5
    3       185               15                  10
    4       198               60                  40
    5       204               75                  45
Which of the following measures should the security engineer take to ensure PII is not intercepted in transit
while also preventing interruption to business?
- Quarantine emails sent to external domains containing PII and release after inspection.
- Prevent PII from being sent to domains that allow users to sign up for free webmail.
- Enable transport layer security on all outbound email communications and attachments.
- Provide security awareness training regarding transmission of PII.
- Provide security awareness training regarding transmission of PII.
A Chief Security Officer (CISO) recently changed jobs into a new industry. The CISO’s first task is to write a new, relevant risk assessment for the organization. Which of the following would BEST help the CISO find relevant risks to the organization? (Select TWO)
- Perform a penetration test
- Conduct a regulatory audit
- Hire a third-party consultant
- Define a threat model
- Review the existing BIA
- Perform an attack path analysis
- Define a threat model
- Review the existing BIA
A penetration tester noticed special characters in a database table. The penetration tester configured the browser to use an HTTP interceptor to verify that the front-end user registration web form accepts invalid input in the user’s age field. The developer was notified and asked to fix the issue. Which of the following is the MOST secure solution for the developer to implement?
- IF $AGE == “!@#$%^&*()_+<>?”:{}[]” THEN ERROR
- IF $AGE ==[123456790] {1,3} THEN CONTINUE
- IF $AGE != “a-bA-Z!@#$%^&*()_+<>?{}[]” THEN CONTINUE
- IF $AGE == [1-0] {0,2} THEN CONTINUE
- IF $AGE ==[123456790] {1,3} THEN CONTINUE