CompTIA Advanced Security Practitioner (CASP) Recertification Exam for Continuing Education v7.0

Page:    1 / 21   
Exam contains 316 questions

At 9:00 am each morning, all of the virtual desktops in a VDI implementation become extremely slow and/or unresponsive. The outage lasts for around 10 minutes, after which everything runs properly again. The administrator has traced the problem to a lab of thin clients that are all booted at 9:00 am each morning. Which of the following is the MOST likely cause of the problem and the BEST solution? (Select TWO).

  • A. Add guests with more memory to increase capacity of the infrastructure.
  • B. A backup is running on the thin clients at 9am every morning.
  • C. Install more memory in the thin clients to handle the increased load while booting.
  • D. Booting all the lab desktops at the same time is creating excessive I/O.
  • E. Install 10-Gb uplinks between the hosts and the lab to increase network capacity.
  • F. Install faster SSD drives in the storage system used in the infrastructure.
  • G. The lab desktops are saturating the network while booting.
  • H. The lab desktops are using more memory than is available to the host systems.

Answer : D,F

The problem lasts for 10 minutes at 9am every day and has been traced to the lab desktops. This question is asking for the MOST likely cause of the problem. The most likely cause of the problem is that the lab desktops being started at the same time at the beginning of the day is causing excessive disk I/O as the operating systems are being read and loaded from disk storage.
The solution is to install faster SSD drives in the storage system that contains the desktop operating systems.

A security administrator has noticed that an increased number of employees workstations are becoming infected with malware. The company deploys an enterprise antivirus system as well as a web content filter, which blocks access to malicious web sites where malware files can be downloaded. Additionally, the company implements technical measures to disable external storage. Which of the following is a technical control that the security administrator should implement next to reduce malware infection?

  • A. Implement an Acceptable Use Policy which addresses malware downloads.
  • B. Deploy a network access control system with a persistent agent.
  • C. Enforce mandatory security awareness training for all employees and contractors.
  • D. Block cloud-based storage software on the company network.

Answer : D

The question states that the company implements technical measures to disable external storage. This is storage such as USB flash drives and will help to ensure that the users to do not bring unauthorized data that could potentially contain malware into the network.
We should extend this by blocking cloud-based storage software on the company network.
This would block access to cloud-based storage services such as Dropbox or OneDrive.

ABC Company must achieve compliance for PCI and SOX. Which of the following would
BEST allow the organization to achieve compliance and ensure security? (Select THREE).

  • A. Establish a list of users that must work with each regulation
  • B. Establish a list of devices that must meet each regulation
  • C. Centralize management of all devices on the network
  • D. Compartmentalize the network
  • E. Establish a company framework
  • F. Apply technical controls to meet compliance with the regulation

Answer : B,D,F

Payment card industry (PCI) compliance is adherence to a set of specific security standards that were developed to protect card information during and after a financial transaction. PCI compliance is required by all card brands.
There are six main requirements for PCI compliance. The vendor must:
Build and maintain a secure network

Protect cardholder data -
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
To achieve PCI and SOX compliance you should:
Establish a list of devices that must meet each regulation. List all the devices that contain the sensitive data.
Compartmentalize the network. Compartmentalize the devices that contain the sensitive data to form a security boundary.
Apply technical controls to meet compliance with the regulation. Secure the data as required.

A security tester is testing a website and performs the following manual query:
The following response is received in the payload:
ORA-000001: SQL command not properly ended
Which of the following is the response an example of?

  • A. Fingerprinting
  • B. Cross-site scripting
  • C. SQL injection
  • D. Privilege escalation

Answer : A

This is an example of Fingerprinting. The response to the code entered includes ORA-
000001 which tells the attacker that the database software being used is Oracle.
Fingerprinting can be used as a means of ascertaining the operating system of a remote computer on a network. Fingerprinting is more generally used to detect specific versions of applications or protocols that are run on network servers. Fingerprinting can be accomplished passively by sniffing network packets passing between hosts, or it can be accomplished actively by transmitting specially created packets to the target machine and analyzing the response.

A security architect is designing a new infrastructure using both type 1 and type 2 virtual machines. In addition to the normal complement of security controls (e.g. antivirus, host hardening, HIPS/NIDS) the security architect needs to implement a mechanism to securely store cryptographic keys used to sign code and code modules on the VMs. Which of the following will meet this goal without requiring any hardware pass-through implementations?

  • A. vTPM
  • B. HSM
  • C. TPM
  • D. INE

Answer : A

A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer, and it communicates with the remainder of the system by using a hardware bus.
A vTPM is a virtual Trusted Platform Module.
IBM extended the current TPM V1.2 command set with virtual TPM management commands that allow us to create and delete instances of TPMs. Each created instance of a TPM holds an association with a virtual machine (VM) throughout its lifetime on the platform.

An organization uses IP address block on its internal network. At the border router, the network administrator sets up rules to deny packets with a source address in this subnet from entering the network, and to deny packets with a destination address in this subnet from leaving the network. Which of the following is the administrator attempting to prevent?

  • A. BGP route hijacking attacks
  • B. Bogon IP network traffic
  • C. IP spoofing attacks
  • D. Man-in-the-middle attacks
  • E. Amplified DDoS attacks

Answer : C

The IP address block is used on the internal network. Therefore, there should be no traffic coming into the network claiming to be from an address in the range. Similarly, there should be no outbound traffic destined for an address in the range. So this has been blocked at the firewall. This is to protect against IP spoofing attacks where an attacker external to the network sends data claiming to be from an internal computer with an address in the range.
IP spoofing, also known as IP address forgery or a host file hijack, is a hijacking technique in which a cracker masquerades as a trusted host to conceal his identity, spoof a Web site, hijack browsers, or gain access to a network. Here's how it works: The hijacker obtains the
IP address of a legitimate host and alters packet headers so that the legitimate host appears to be the source.
When IP spoofing is used to hijack a browser, a visitor who types in the URL (Uniform
Resource Locator) of a legitimate site is taken to a fraudulent Web page created by the hijacker. For example, if the hijacker spoofed the Library of Congress Web site, then any
Internet user who typed in the URL would see spoofed content created by the hijacker.
If a user interacts with dynamic content on a spoofed page, the hijacker can gain access to sensitive information or computer or network resources. He could steal or alter sensitive data, such as a credit card number or password, or install malware. The hijacker would also be able to take control of a compromised computer to use it as part of a zombie army in order to send out spam.

An administrator has four virtual guests on a host server. Two of the servers are corporate
SQL servers, one is a corporate mail server, and one is a testing web server for a small group of developers. The administrator is experiencing difficulty connecting to the host server during peak network usage times. Which of the following would allow the administrator to securely connect to and manage the host server during peak usage times?

  • A. Increase the virtual RAM allocation to high I/O servers.
  • B. Install a management NIC and dedicated virtual switch.
  • C. Configure the high I/O virtual servers to use FCoE rather than iSCSI.
  • D. Move the guest web server to another dedicated host.

Answer : B

A senior network security engineer has been tasked to decrease the attack surface of the corporate network. Which of the following actions would protect the external network interfaces from external attackers performing network scanning?

  • A. Remove contact details from the domain name registrar to prevent social engineering attacks.
  • B. Test external interfaces to see how they function when they process fragmented IP packets.
  • C. Enable a honeynet to capture and facilitate future analysis of malicious attack vectors.
  • D. Filter all internal ICMP message traffic, forcing attackers to use full-blown TCP port scans against external network interfaces.

Answer : B

Fragmented IP packets are often used to evade firewalls or intrusion detection systems.
Port Scanning is one of the most popular reconnaissance techniques attackers use to discover services they can break into. All machines connected to a Local Area Network
(LAN) or Internet run many services that listen at well-known and not so well known ports.
A port scan helps the attacker find which ports are available (i.e., what service might be listing to a port).
One problem, from the perspective of the attacker attempting to scan a port, is that services listening on these ports log scans. They see an incoming connection, but no data, so an error is logged. There exist a number of stealth scan techniques to avoid this. One method is a fragmented port scan.

Fragmented packet Port Scan -
The scanner splits the TCP header into several IP fragments. This bypasses some packet filter firewalls because they cannot see a complete TCP header that can match their filter rules. Some packet filters and firewalls do queue all IP fragments, but many networks cannot afford the performance loss caused by the queuing.

An organization has implemented an Agile development process for front end web application development. A new security architect has just joined the company and wants to integrate security activities into the SDLC.
Which of the following activities MUST be mandated to ensure code quality from a security perspective? (Select TWO).

  • A. Static and dynamic analysis is run as part of integration
  • B. Security standards and training is performed as part of the project
  • C. Daily stand-up meetings are held to ensure security requirements are understood
  • D. For each major iteration penetration testing is performed
  • E. Security requirements are story boarded and make it into the build
  • F. A security design is performed at the end of the requirements phase

Answer : A,D

SDLC stands for systems development life cycle. An agile project is completed in small sections called iterations. Each iteration is reviewed and critiqued by the project team.
Insights gained from the critique of an iteration are used to determine what the next step should be in the project. Each project iteration is typically scheduled to be completed within two weeks.
Static and dynamic security analysis should be performed throughout the project. Static program analysis is the analysis of computer software that is performed without actually executing programs (analysis performed on executing programs is known as dynamic analysis). In most cases the analysis is performed on some version of the source code, and in the other cases, some form of the object code.
For each major iteration penetration testing is performed. The output of a major iteration will be a functioning part of the application. This should be penetration tested to ensure security of the application.

IT staff within a company often conduct remote desktop sharing sessions with vendors to troubleshoot vendor product-related issues. Drag and drop the following security controls to match the associated security concern. Options may be used once or not at all.

Answer :


Vendor may accidentally or maliciously make changes to the IT system Allow view-only access.
With view-only access, the third party can view the desktop but cannot interact with it. In other words, they cannot control the keyboard or mouse to make any changes.
Desktop sharing traffic may be intercepted by network attackers Use SSL for remote sessions.
SSL (Secure Sockets Layer) encrypts data in transit between computers. If an attacker intercepted the traffic, the data would be encrypted and therefore unreadable to the attacker.
No guarantees that shoulder surfing attacks are not occurring at the vendor Identified control gap.
Shoulder surfing is where someone else gains information by looking at your computer screen. This should be identified as a risk. A control gap occurs when there are either insufficient or no actions taken to avoid or mitigate a significant risk.
Vendor may inadvertently see confidential material from the company such as email and
IMs Limit desktop session to certain windows.
The easiest way to prevent a third party from viewing your emails and IMs is to close the email and IM application windows for the duration of the desktop sharing session.

A security administrator is performing VDI traffic data collection on a virtual server which migrates from one host to another. While reviewing the data collected by the protocol analyzer, the security administrator notices that sensitive data is present in the packet capture. Which of the following should the security administrator recommend to ensure the confidentiality of sensitive information during live VM migration, while minimizing latency issues?

  • A. A separate physical interface placed on a private VLAN should be configured for live host operations.
  • B. Database record encryption should be used when storing sensitive information on virtual servers.
  • C. Full disk encryption should be enabled across the enterprise to ensure the confidentiality of sensitive data.
  • D. Sensitive data should be stored on a backend SAN which uses an isolated fiber channel network.

Answer : A

VDI virtual machines can be migrated across physical hosts while the virtual machines are still powered on. In VMware, this is called vMotion. In Microsoft Hyper-V, this is called Live
When a virtual machine is migrated between hosts, the data is unencrypted as it travels across the network. To prevent access to the data as it travels across the network, a dedicated network should be created for virtual machine migrations. The dedicated migration network should only be accessible by the virtual machine hosts to maximize security.

A developer is determining the best way to improve security within the code being developed. The developer is focusing on input fields where customers enter their credit card details. Which of the following techniques, if implemented in the code, would be the
MOST effective in protecting the fields from malformed input?

  • A. Client side input validation
  • B. Stored procedure
  • C. Encrypting credit card details
  • D. Regular expression matching

Answer : D

Regular expression matching is a technique for reading and validating input, particularly in web software. This question is asking about securing input fields where customers enter their credit card details. In this case, the expected input into the credit card number field would be a sequence of numbers of a certain length. We can use regular expression matching to verify that the input is indeed a sequence of numbers. Anything that is not a sequence of numbers could be malicious code.

Using SSL, an administrator wishes to secure public facing server farms in three subdomains:,, and Which of the following is the number of wildcard SSL certificates that should be purchased?

  • A. 0
  • B. 1
  • C. 3
  • D. 6

Answer : C

You would need three wildcard certificates:
The common domain in each of the domains is However, a wildcard covers only one level of subdomain. For example: *. will cover
<anything> but it wont cover <anything>.<anything>
You can only have one wildcard in a domain. For example: * You cannot have *.* Only the leftmost wildcard (*) is counted.

Ann is testing the robustness of a marketing website through an intercepting proxy. She has intercepted the following HTTP request:

POST /login.aspx HTTP/1.1 -

Host: -

Content-type: text/html -
Which of the following should Ann perform to test whether the website is susceptible to a simple authentication bypass?

  • A. Remove all of the post data and change the request to /login.aspx from POST to GET
  • B. Attempt to brute force all usernames and passwords using a password cracker
  • C. Remove the txtPassword post data and change alreadyLoggedIn from false to true
  • D. Remove the txtUsername and txtPassword post data and toggle submit from true to false

Answer : C

The text txtUsername=ann&txtPassword=ann is an attempted login using a username of ann and also a password of ann.
The text alreadyLoggedIn=false is saying that Ann is not already logged in.
To test whether we can bypass the authentication, we can attempt the login without the password and we can see if we can bypass the alreadyloggedin check by changing alreadyLoggedIn from false to true. If we are able to log in, then we have bypassed the authentication check.

A government agency considers confidentiality to be of utmost importance and availability issues to be of least importance. Knowing this, which of the following correctly orders various vulnerabilities in the order of MOST important to LEAST important?

  • A. Insecure direct object references, CSRF, Smurf
  • B. Privilege escalation, Application DoS, Buffer overflow
  • C. SQL injection, Resource exhaustion, Privilege escalation
  • D. CSRF, Fault injection, Memory leaks

Answer : A

Insecure direct object references are used to access data. CSRF attacks the functions of a web site which could access data. A Smurf attack is used to take down a system.
A direct object reference is likely to occur when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key without any validation mechanism which will allow attackers to manipulate these references to access unauthorized data.
Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a users Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. The impact of a successful cross-site request forgery attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context. In effect, CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer, form submission etc.) via the target's browser without knowledge of the target user, at least until the unauthorized function has been committed.
A smurf attack is a type of network security breach in which a network connected to the
Internet is swamped with replies to ICMP echo (PING) requests. A smurf attacker sends
PING requests to an Internet broadcast address. These are special addresses that broadcast all received messages to the hosts connected to the subnet. Each broadcast address can support up to 255 hosts, so a single PING request can be multiplied 255 times. The return address of the request itself is spoofed to be the address of the attacker's victim. All the hosts receiving the PING request reply to this victim's address instead of the real sender's address. A single attacker sending hundreds or thousands of these PING messages per second can fill the victim's T-1 (or even T-3) line with ping replies, bring the entire Internet service to its knees.
Smurfing falls under the general category of Denial of Service attacks -- security attacks that don't try to steal information, but instead attempt to disable a computer or network.

Page:    1 / 21   
Exam contains 316 questions

Talk to us!

Have any questions or issues ? Please dont hesitate to contact us is owned by MBS Tech Limited: Room 1905 Nam Wo Hong Building, 148 Wing Lok Street, Sheung Wan, Hong Kong. Company registration number: 2310926
Certlibrary doesn't offer Real Microsoft Exam Questions. Certlibrary Materials do not contain actual questions and answers from Cisco's Certification Exams.
CFA Institute does not endorse, promote or warrant the accuracy or quality of Certlibrary. CFA® and Chartered Financial Analyst® are registered trademarks owned by CFA Institute.
Terms & Conditions | Privacy Policy