CAS-003 Free Practice Test

An information security manager is concerned that connectivity used to configure and troubleshoot critical network devices could be attacked. The manager has tasked a network security engineer with meeting the following requirements:
Encrypt all traffic between the network engineer and critical devices. Segregate the different networking planes as much as possible.
Do not let access ports impact configuration tasks.
Which of the following would be the BEST recommendation for the network security engineer to present?

1. A. Deploy control plane protections.
2. B. Use SSH over out-of-band management.
3. C. Force only TACACS to be allowed.
4. D. Require the use of certificates for AAA.

Correct Answer: B

The Chief Information Security Officer (CISO) is asking for ways to protect against zero-day explogts. The CISO is concerned that an unrecognized threat could compromise corporate data and result in regulatory fines as well as poor corporate publicity. The network is mostly flat, with split staff/guest wireless functionality. Which of the following equipment MUST be deployed to guard against unknown threats?

1. A. Cloud-based antivirus solution, running as local admin, with push technology for definition updates.
2. B. Implementation of an offsite data center hosting all company data, as well as deployment of VDI for all client computing needs.
3. C. Host based heuristic IPS, segregated on a management VLAN, with direct control of the perimeter firewall ACLs.
4. D. Behavior based IPS with a communication link to a cloud based vulnerability and threat fee

Correct Answer: D
Good preventive security practices are a must. These include installing and keeping firewall policies carefully matched to business and application needs, keeping antivirus software updated, blocking
potentially harmful file attachments and keeping all systems patched against known vulnerabilities. Vulnerability scans are a good means of measuring the effectiveness of preventive procedures. Real- time protection: Deploy inline intrusion-prevention systems (IPS) that offer comprehensive protection. When considering an IPS, seek the following capabilities: network-level protection, application integrity checking, application protocol Request for Comment (RFC) validation, content validation and forensics capability. In this case it would be behavior-based IPS with a communication link to a cloud-based vulnerability and threat feed.
Incorrect Answers:
A: A cloud-based anti-virus solution will not protect against a zero-day explogt.
B: Due to the nature of zero-day explogts an off-site data center hosting solution for the company data is not the best protection against a zero-day explogt.
C: The best protection against zero-day explogts are behavior-based IPS and not hos-based heuristic IPS.
References:
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, p. 194
https://en.wikipedia.orHYPERLINK "https://en.wikipedia.org/wiki/Zeroday_( computing)"g/wiki/Zero-day_(computing)

The following has been discovered in an internally developed application: Error - Memory allocated but not freed:
char *myBuffer = malloc(BUFFER_SIZE); if (myBuffer != NULL) {
*myBuffer = STRING_WELCOME_MESSAGE; printf(“Welcome to: %sn”, myBuffer);
}
exit(0);
Which of the following security assessment methods are likely to reveal this security weakness? (Select TWO).

1. A. Static code analysis
2. B. Memory dumping
3. C. Manual code review
4. D. Application sandboxing
5. E. Penetration testing
6. F. Black box testing

Correct Answer: AC
A Code review refers to the examination of an application (the new network based software product in this case) that is designed to identify and assess threats to the organization.
Application code review – whether manual or static will reveal the type of security weakness as shown in the exhibit.
Incorrect Answers:
B: Memory dumping is a penetration test. Applications work by storing information such as sensitive data, passwords, user names and encryption keys in the memory. Conducting memory dumping will allow you to analyze the memory content. You already have the memory content that you require in this case.
D: Application Sandboxing is aimed at detecting malware code by running it in a computer-based system to analyze it for behavior and traits that indicates malware. Application sandboxing refers to the process of writing files to a temporary storage are (the so-called sandbox) so that you limit the ability of possible malicious code to execute on your computer.
E: Penetration testing is designed to simulate an attack. This is not what is required in this case. F: Black box testing is used when the security team is provided with no knowledge of the system, network, or application. In this case the code of the application is already available.
References:
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, pp. 168-169, 174

The security administrator finds unauthorized tables and records, which were not present before, on a Linux database server. The database server communicates only with one web server, which connects to the database server via an account with SELECT only privileges. Web server logs show
the following:
90.76.165.40 – - [08/Mar/2014:10:54:04] “GET calendar.php?create table hidden HTTP/1.1” 200 5724
90.76.165.40 – - [08/Mar/2014:10:54:05] “GET ../../../root/.bash_history HTTP/1.1” 200 5724 90.76.165.40 – - [08/Mar/2014:10:54:04] “GET index.php?user=[removed]Create[removed] HTTP/1.1” 200 5724
The security administrator also inspects the following file system locations on the database server using the command ‘ls -al /root’
drwxrwxrwx 11 root root 4096 Sep 28 22:45 .
drwxr-xr-x 25 root root 4096 Mar 8 09:30 ..
-rws------ 25 root root 4096 Mar 8 09:30 .bash_history
-rw------- 25 root root 4096 Mar 8 09:30 .bash_history
-rw------- 25 root root 4096 Mar 8 09:30 .profile
-rw------- 25 root root 4096 Mar 8 09:30 .ssh
Which of the following attacks was used to compromise the database server and what can the security administrator implement to detect such attacks in the future? (Select TWO).

1. A. Privilege escalation
2. B. Brute force attack
3. C. SQL injection
4. D. Cross-site scripting
5. E. Using input validation, ensure the following characters are sanitized: <>
6. F. Update crontab with: find / \( -perm -4000 \) –type f –print0 | xargs -0 ls –l | email.sh
7. G. Implement the following PHP directive: $clean_user_input = addslashes($user_input)
8. H. Set an account lockout policy

Correct Answer: AF
This is an example of privilege escalation.
Privilege escalation is the act of explogting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
The question states that the web server communicates with the database server via an account with SELECT only privileges. However, the privileges listed include read, write and execute (rwx). This suggests the privileges have been ‘escalated’.
Now that we know the system has been attacked, we should investigate what was done to the system.
The command “Update crontab with: find / \( -perm -4000 \) –type f –print0 | xargs -0 ls –l | email.sh” is used to find all the files that are setuid enabled. Setuid means set user ID upon execution. If the setuid bit is turned on for a file, the user executing that executable file gets the permissions of the individual or group that owns the file.
Incorrect Answers:
B: A brute force attack is used to guess passwords. This is not an example of a brute force attack. C: SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). This is not an example of a SQL Injection attack.
D: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web
applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. This is not an example of an XSS attack.
E: Sanitizing just the <> characters will not prevent such an attack. These characters should not be sanitized in a web application.
G: Adding slashes to the user input will not protect against the input; it will just add slashes to it.
H: An account lockout policy is useful to protect against password attacks. After a number of incorrect passwords, the account will lockout. However, the attack in this question is not a password attack so a lockout policy won’t help.

The Chief Information Officer (CIO) is reviewing the IT centric BIA and RA documentation. The documentation shows that a single 24 hours downtime in a critical business function will cost the business $2.3 million. Additionally, the business unit which depends on the critical business function has determined that there is a high probability that a threat will materialize based on historical data. The CIO’s budget does not allow for full system hardware replacement in case of a catastrophic failure, nor does it allow for the purchase of additional compensating controls. Which of the following should the CIO recommend to the finance director to minimize financial loss?

1. A. The company should mitigate the risk.
2. B. The company should transfer the risk.
3. C. The company should avoid the risk.
4. D. The company should accept the ris

Correct Answer: B
To transfer the risk is to defilect it to a third party, by taking out insurance for example. Incorrect Answers:
A: Mitigation is not an option as the CIO’s budget does not allow for the purchase of additional compensating controls.
C: Avoiding the risk is not an option as the business unit depends on the critical business function. D: Accepting the risk would not reduce financial loss.
References:
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, p. 218