Download CAS-003 Exam Questions and Answers 2021

NEW QUESTION 1
An assessor identifies automated methods for identifying security control compliance through validating sensors at the endpoint and at Tier 2. Which of the following practices satisfy continuous monitoring of authorized information systems?

• A. Independent verification and validation
• B. Security test and evaluation
• C. Risk assessment
• D. Ongoing authorization

Answer: D

Explanation: Ongoing assessment and authorization is often referred to as continuous monitoring. It is a process
that determines whether the set of deployed security controls in an information system continue to be effective with regards to planned and unplanned changes that occur in the system and its environment over time.
Continuous monitoring allows organizations to evaluate the operating effectiveness of controls on or near a real-time basis. Continuous monitoring enables the enterprise to detect control failures quickly because it transpires immediately or closely after events in which the key controls are utilized.
Incorrect Answers:
A: Independent verification and validation (IV&V) is executed by a third party organization not involved in the development of a product. This is not considered continuous monitoring of authorized information systems.
B: Security test and evaluation is not considered continuous monitoring of authorized information systems.
C: Risk assessment is the identification of potential risks and threats. It is not considered continuous monitoring of authorized information systems.
References:
http://www.fedramp.net/ongoHYPERLINK "http://www.fedramp.net/ongoing-assessment-andauthorization- continuous-monitoring"ing-assessment-andHYPERLINK
"http://www.fedramp.net/ongoing-assessment-and-authorization-continuous-monitoring"- authorization-continuous-monitoring https://www.techopedia.com/definition/24836/independent-verification-and-validation--
iHYPERLINK "https://www.techopedia.com/definition/24836/independent-verification-andvalidation-- iv&v"vHYPERLINK "https://www.techopedia.com/definition/24836/independentverification-
and-validation--iv&v"&HYPERLINK "https://www.techopedia.com/definition/24836/independent-verification-and-validation--iv&v"v
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, pp. 213, 219

NEW QUESTION 2
Company.org has requested a black-box security assessment be performed on key cyber terrain. On area of concern is the company’s SMTP services. The security assessor wants to run reconnaissance before taking any additional action and wishes to determine which SMTP server is Internet-facing. Which of the following commands should the assessor use to determine this information?

• A. dnsrecon –d company.org –t SOA
• B. dig company.org mx
• C. nc –v company.org
• D. whois company.org

Answer: A

NEW QUESTION 3
A completely new class of web-based vulnerabilities has been discovered. Claims have been made that all common web-based development frameworks are susceptible to attack. Proof-of-concept details have emerged on the Internet. A security advisor within a company has been asked to provide recommendations on how to respond quickly to these vulnerabilities. Which of the following BEST describes how the security advisor should respond?

• A. Assess the reliability of the information source, likelihood of explogtability, and impact to hosted dat
• B. Attempt to explogt via the proof-of-concept cod
• C. Consider remediation options.
• D. Hire an independent security consulting agency to perform a penetration test of the web server
• E. Advise management of any ‘high’ or ‘critical’ penetration test findings and put forward recommendations for mitigation.
• F. Review vulnerability write-ups posted on the Interne
• G. Respond to management with a recommendation to wait until the news has been independently verified by software vendors providing the web application software.
• H. Notify all customers about the threat to their hosted dat
• I. Bring the web servers down into“maintenance mode” until the vulnerability can be reliably mitigated through a vendor patc

Answer: A

Explanation: The first thing you should do is verify the reliability of the claims. From there you can assess the likelihood of the vulnerability affecting your systems. If it is determined that your systems are likely to be affected by the explogt, you need to determine what impact an attack will have on your hosted dat
A. Now that you know what the impact will be, you can test the explogt by using the proof-ofconcept code. That should help you determine your options for dealing with the threat
(remediation). Incorrect Answers:
B: While penetration testing your system is a good idea, it is unnecessary to hire an independent security consulting agency to perform a penetration test of the web servers. You know what the vulnerability is so you can test it yourself with the proof-of-concept code.
C: Security response should be proactive. Waiting for the threat to be verified by the software vendor will leave the company vulnerable if the vulnerability is real.
D: Bringing down the web servers would prevent the vulnerability but would also render the system useless. Furthermore, customers would expect a certain level of service and may even have a service level agreement in place with guarantees of uptime.
References:
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, pp. 375-376

NEW QUESTION 4
A consulting firm was hired to conduct assessment for a company. During the first stage, a penetration tester used a tool that provided the following output:
TCP 80 open
TCP 443 open
TCP 1434 filtered
The penetration tester then used a different tool to make the following requests:
GET / script/login.php?token=45$MHT000MND876
GET / script/login.php?token=@#984DCSPQ%091DF
Which of the following tools did the penetration tester use?

• A. Protocol analyzer
• B. Port scanner
• C. Fuzzer
• D. Brute forcer
• E. Log analyzer
• F. HTTP interceptor

Answer: C

NEW QUESTION 5
Using SSL, an administrator wishes to secure public facing server farms in three subdomains: dc1.east.company.com, dc2.central.company.com, and dc3.west.company.com. Which of the following is the number of wildcard SSL certificates that should be purchased?

• A. 1
• B. 3
• C. 6

Answer: C

Explanation: You would need three wildcard certificates:
*. east.company.com
*. central.company.com
*. west.company.com
The common domain in each of the domains is company.com. However, a wildcard covers only one level of subdomain. For example: *. company.com will cover “<anything>.company.com” but it won’t
cover “<anything>.<anything>.company.com”.
You can only have one wildcard in a domain. For example: *.company.com. You cannot have
*.*.company.com. Only the leftmost wildcard (*) is counted. Incorrect Answers:
A: You cannot secure public facing server farms without any SSL certificates.
B: You need three wildcard certificates, not one. A wildcard covers only one level of subdomain. D: You do not need six wildcard certificates to secure three domains.
References:
https://uk.godaddy.com/help/what-is-a-wildcard-ssl-certifiHYPERLINK "https://uk.godaddy.com/help/what-is-a-wildcard-ssl-certificate-567"cate-567

NEW QUESTION 6
A system worth $100,000 has an exposure factor of eight percent and an ARO of four. Which of the following figures is the system’s SLE?

• A. $2,000
• B. $8,000
• C. $12,000
• D. $32,000

Answer: B

Explanation: Single Loss Expectancy (SLE) is mathematically expressed as: Asset value (AV) x Exposure Factor (EF) SLE = AV x EF = $100 000 x 8% = $ 8 000
References: http://www.financeformulas.net/Return_on_Investment.html https://en.wikipedia.org/wiki/Risk_assessment

NEW QUESTION 7
It has come to the IT administrator’s attention that the “post your comment” field on the company blog page has been explogted, resulting in cross-site scripting attacks against customers reading the blog. Which of the following would be the MOST effective at preventing the “post your comment” field from being explogted?

• A. Update the blog page to HTTPS
• B. Filter metacharacters
• C. Install HIDS on the server
• D. Patch the web application
• E. Perform client side input validation

Answer: B

Explanation: A general rule of thumb with regards to XSS is to "Never trust user input and always filter metacharacters." Incorrect Answers:
A: Updating the blog page to HTTPS will not resolve this issue.
C: HIDS are designed to monitor a computer system, not the network. IT will, therefore, not resolve this issue.
D: Simply installing a web application patch will not work, as the patch may be susceptible to XSS. Testing of the patch has to take place first.
E: Performing client side input validation is a valid method, but it is not the MOST effective. References:
https://community.qualys.com/docs/DOC-1186
http://www.computerweHYPERLINK "http://www.computerweekly.com/tip/The-true-test-of-a-Webapplication- patch"ekly.com/tip/The-truHYPERLINK "http://www.computerweekly.com/tip/The-truetest-
of-a-Web-application-patch"e-test-of-a-Web-application-patch
httpHYPERLINK "http://www.techrepublic.com/blog/it-security/what-is-cross-sitehttps:// certkingdom.com
scripting/"://www.techreHYPERLINK "http://www.techrepublic.com/blog/it-security/what-is-crosssite- scripting/"pHYPERLINK "http://www.techrepublic.com/blog/it-security/what-is-cross-sitescripting/" ublic.com/blog/it-security/what-is-cross-site-scripting/
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, p. 137

NEW QUESTION 8
A Chief Financial Officer (CFO) has raised concerns with the Chief Information Security Officer (CISO) because money has been spent on IT security infrastructure, but corporate assets are still found to be vulnerable. The business recently funded a patch management product and SOE hardening initiative.
A third party auditor reported findings against the business because some systems were missing patches. Which of the following statements BEST describes this situation?

• A. The CFO is at fault because they are responsible for patching the systems and have already been given patch management and SOE hardening products.
• B. The audit findings are invalid because remedial steps have already been applied to patch servers and the remediation takes time to complete.
• C. The CISO has not selected the correct controls and the audit findings should be assigned to them instead of the CFO.
• D. Security controls are generally never 100% effective and gaps should be explained to stakeholders and managed accordingly.

Answer: D

Explanation: Security controls can never be run 100% effective and is mainly observed as a risk mitigation strategy thus the gaps should be explained to all stakeholders and managed accordingly.
Incorrect Answers:
A: The CFO’s main concern would be of a monetary nature as per the job description and not the IT security infrastructure or patch management per se.
B: The audit findings are not invalid since the audit actually found more missing patches on some systems.
C: The chief information security officer is the executive in the company that has the responsibility over information security in the organization; the CISO does not necessarily select controls. References:
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, pp. 204, 213

NEW QUESTION 9
A well-known retailer has experienced a massive credit card breach. The retailer had gone through an audit and had been presented with a potential problem on their network. Vendors were authenticating directly to the retailer’s AD servers, and an improper firewall rule allowed pivoting from the AD server to the DMZ where credit card servers were kept. The firewall rule was needed for an internal application that was developed, which presents risk. The retailer determined that
because the vendors were required to have site to site VPN’s no other security action was taken.
To prove to the retailer the monetary value of this risk, which of the following type of calculations is needed?

• A. Residual Risk calculation
• B. A cost/benefit analysis
• C. Quantitative Risk Analysis
• D. Qualitative Risk Analysis

Answer: C

Explanation: Performing quantitative risk analysis focuses on assessing the probability of risk with a metric measurement which is usually a numerical value based on money or time.
Incorrect Answers:
A: A residual risk is one that still remains once the risk responses are applied. Thus a Residual risk calculation is not required.
B: Cost Benefit Analysis is used for Quality Planning. This is not what is required.
D: A qualitative risk analysis entails a subjective assessment of the probability of risks. The scenario warrants a quantitative risk.
References:
Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide), 5th Edition, Project Management Institute, Inc., Newtown Square, 2013, pp. 373, 585, 589 Schwalbe, Kathy, Managing Information Technology Projects, Revised 6th Edition, Course Technology, Andover, 2011, pp. 421-447
Whitaker, Sean, PMP Training Kit, O’Reilly Media, Sebastopol, 2013, pp. 335-375

NEW QUESTION 10
A hospital’s security team recently determined its network was breached and patient data was accessed by an external entity. The Chief Information Security Officer (CISO) of the hospital approaches the executive management team with this information, reports the vulnerability that led to the breach has already been remediated, and explains the team is continuing to follow the appropriate incident response plan. The executive team is concerned about the hospital’s brand reputation and asks the CISO when the incident should be disclosed to the affected patients. Which of the following is the MOST appropriate response?

• A. When it is mandated by their legal and regulatory requirements
• B. As soon as possible in the interest of the patients
• C. As soon as the public relations department is ready to be interviewed
• D. When all steps related to the incident response plan are completed
• E. Upon the approval of the Chief Executive Officer (CEO) to release information to the public

Answer: A

NEW QUESTION 11
A penetration tester noticed special characters in a database table. The penetration tester configured the browser to use an HTTP interceptor to verify that the front-end user registration web form accepts invalid input in the user’s age field. The developer was notified and asked to fix the issue. Which of the following is the MOST secure solution for the developer to implement?

• A. IF $AGE == “!@#%^&*()_+<>?”:{}[]” THEN ERROR
• B. IF $AGE == [1234567890] {1,3} THEN CONTINUE
• C. IF $AGE != “a-bA-Z!@#$%^&*()_+<>?”{}[]”THEN CONTINUE
• D. IF $AGE == [1-0] {0,2} THEN CONTINUE

Answer: B

NEW QUESTION 12
Following a merger, the number of remote sites for a company has doubled to 52. The company has decided to secure each remote site with an NGFW to provide web filtering, NIDS/NIPS, and network antivirus. The Chief Information Officer (CIO) has requested that the security engineer provide recommendations on sizing for the firewall with the requirements that it be easy to manage and provide capacity for growth.
The tables below provide information on a subset of remote sites and the firewall options:


Which of the following would be the BEST option to recommend to the CIO?

• A. Vendor C for small remote sites, and Vendor B for large sites.
• B. Vendor B for all remote sites
• C. Vendor C for all remote sites
• D. Vendor A for all remote sites
• E. Vendor D for all remote sites

Answer: D

NEW QUESTION 13
A security manager looked at various logs while investigating a recent security breach in the data center from an external source. Each log below was collected from various security devices compiled from a report through the company’s security information and event management server.
Logs: Log 1:
Feb 5 23:55:37.743: %SEC-6-IPACCESSLOGS: list 10 denied 10.2.5.81 3 packets
Log 2: HTTP://www.company.com/index.php?user=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Log 3:
Security Error Alert
Event ID 50: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client
Log 4:
Encoder oe = new OracleEncoder ();
String query = “Select user_id FROM user_data WHERE user_name = ‘ ”
+ oe.encode ( req.getParameter(“userID”) ) + “ ‘ and user_password = ‘ “
+ oe.encode ( req.getParameter(“pwd”) ) +” ‘ “; Vulnerabilities
Buffer overflow SQL injection ACL
XSS
Which of the following logs and vulnerabilities would MOST likely be related to the security breach? (Select TWO).

• A. Log 1
• B. Log 2
• C. Log 3
• D. Log 4
• E. Buffer overflow
• F. ACL
• G. XSS
• H. SQL injection

Answer: BE

Explanation: Log 2 indicates that the security breach originated from an external source. And the vulnerability that can be associated with this security breach is a buffer overflow that happened when the amount of data written into the buffer exceeded the limit of that particular buffer.
Incorrect Answers:
A: Log 1 is not indicative of a security breach from an outside source
C: Log 3 will not be displayed if the breach in security came from an outside source. D: Log 4 does not indicate an outside source responsible for the security breach.
F: The access control lists are mainly used to configure firewall rules and is thus not related to the security breach.
G: XSS would be indicative of an application issue and not a security breach that originated from the outside.
H: A SQL Injection is a type of attack that makes use of a series of malicious SQL queries in an attempt to directly manipulates the SQL database. This is not necessarily a security breach that originated from the outside.
References:
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, pp. 110-112, 151. 153, 162

NEW QUESTION 14
An administrator believes that the web servers are being flooded with excessive traffic from time to time. The administrator suspects that these traffic floods correspond to when a competitor makes major announcements. Which of the following should the administrator do to prove this theory?

• A. Implement data analytics to try and correlate the occurrence times.
• B. Implement a honey pot to capture traffic during the next attack.
• C. Configure the servers for high availability to handle the additional bandwidth.
• D. Log all traffic coming from the competitor's public IP addresse

Answer: A

Explanation: There is a time aspect to the traffic flood and if you correlate the data analytics with the times that the incidents happened, you will be able to prove the theory.
Incorrect Answers:
B: A honey pot is designed to attract traffic and this will not prove the theory.
C: Configuring any of your servers for high availability will only accommodate the competitor and not prove your theory.
D: Logging all incoming traffic will not prove the theory as you want to check whether the incidents occur when the competitor makes major announcement a not all of the incoming traffic, even it if is from the competitor.
References:
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, pp. 114-115

NEW QUESTION 15
A security engineer is performing an assessment again for a company. The security engineer examines the following output from the review:
Which of the following tools is the engineer utilizing to perform this assessment?

• A. Vulnerability scanner
• B. SCAP scanner
• C. Port scanner
• D. Interception proxy

Answer: B

NEW QUESTION 16
A company sales manager received a memo from the company’s financial department which stated that the company would not be putting its software products through the same security testing as previous years to reduce the research and development cost by 20 percent for the upcoming year. The memo also stated that the marketing material and service level agreement for each product would remain unchanged. The sales manager has reviewed the sales goals for the upcoming year and identified an increased target across the software products that will be affected by the financial department’s change. All software products will continue to go through new development in the coming year. Which of the following should the sales manager do to ensure the company stays out of trouble?

• A. Discuss the issue with the software product's user groups
• B. Consult the company’s legal department on practices and law
• C. Contact senior finance management and provide background information
• D. Seek industry outreach for software practices and law

Answer: B

Explanation: To ensure that the company stays out of trouble, the sales manager should enquire about the legal ramifications of the change by consulting with the company’s legal department, particularly as the marketing material is not being amended.
Incorrect Answers:
A: The software product's user groups would not have insight on the legal ramifications of the change by the company, and they might not have knowledge of the service-level agreements or any contracts that the company has with other customers.
C: The sales manager does not have additional background information to provide.
D: Legal information pertaining to internal operations should be obtained from the company’s legal department.