CAS-003 Free Practice Test

A new web based application has been developed and deployed in production. A security engineer decides to use an HTTP interceptor for testing the application. Which of the following problems would MOST likely be uncovered by this tool?

1. A. The tool could show that input validation was only enabled on the client side
2. B. The tool could enumerate backend SQL database table and column names
3. C. The tool could force HTTP methods such as DELETE that the server has denied
4. D. The tool could fuzz the application to determine where memory leaks occur

Correct Answer: A
A HTTP Interceptor is a program that is used to assess and analyze web traffic thus it can be used to indicate that input validation was only enabled on the client side.
Incorrect Answers:
B: Assessing and analyzing web traffic is not used to enumerate backend SQL database tables and column names.
C: HTTP methods such as Delete that the server has denied are not performed by the HTTP interceptor.
D: Application fuzzing is not performed by the HTTP interceptor tool. References:
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, p. 181

Company A has noticed abnormal behavior targeting their SQL server on the network from a rogue IP
address. The company uses the following internal IP address ranges: 192.10.1.0/24 for the corporate site and 192.10.2.0/24 for the remote site. The Telco router interface uses the 192.10.5.0/30 IP range.
Instructions: Click on the simulation button to refer to the Network Diagram for Company A. Click on Router 1, Router 2, and the Firewall to evaluate and configure each device.
Task 1: Display and examine the logs and status of Router 1, Router 2, and Firewall interfaces.
Task 2: Reconfigure the appropriate devices to prevent the attacks from continuing to target the SQL server and other servers on the corporate network.

1. A. Check the answer belowWe have traffic coming from two rogue IP addresses: 192.10.3.204 and 192.10.3.254 (both in the 192.10.30.0/24 subnet) going to IPs in the corporate site subnet (192.10.1.0/24) and the remote site subnet (192.10.2.0/24). We need to Deny (block) this traffic at the firewall by ticking the following two checkboxes:
2. B. Check the answer belowWe have traffic coming from two rogue IP addresses: 192.10.3.204 and 192.10.3.254 (both in the 192.10.30.0/24 subnet) going to IPs in the corporate site subnet (192.10.1.0/24) and the remote site subnet (192.10.2.0/24). We need to Deny (block) this traffic at the firewall by ticking the following two checkboxes:

Correct Answer: A

An organization has employed the services of an auditing firm to perform a gap assessment in preparation for an upcoming audit. As part of the gap assessment, the auditor supporting the
assessment recommends the organization engage with other industry partners to share information about emerging attacks to organizations in the industry in which the organization functions. Which of the following types of information could be drawn from such participation?

1. A. Threat modeling
2. B. Risk assessment
3. C. Vulnerability data
4. D. Threat intelligence
5. E. Risk metrics
6. F. Explogt frameworks

Correct Answer: F

The risk subcommittee of a corporate board typically maintains a master register of the most prominent risks to the company. A centralized holistic view of risk is particularly important to the corporate Chief Information Security Officer (CISO) because:

1. A. IT systems are maintained in silos to minimize interconnected risks and provide clear risk boundaries used to implement compensating controls
2. B. risks introduced by a system in one business unit can affect other business units in ways in which the individual business units have no awareness
3. C. corporate general counsel requires a single system boundary to determine overall corporate risk exposure
4. D. major risks identified by the subcommittee merit the prioritized allocation of scare funding to address cybersecurity concerns

Correct Answer: A

News outlets are beginning to report on a number of retail establishments that are experiencing payment card data breaches. The data exfiltration is enabled by malware on a compromised computer. After the initial explogt, network mapping and fingerprinting is conducted to prepare for further explogtation. Which of the following is the MOST effective solution to protect against unrecognized malware infections?

1. A. Remove local admin permissions from all users and change anti-virus to a cloud aware, push technology.
2. B. Implement an application whitelist at all levels of the organization.
3. C. Deploy a network based heuristic IDS, configure all layer 3 switches to feed data to the IDS for more effective monitoring.
4. D. Update router configuration to pass all network traffic through a new proxy server with advanced malware detection.

Correct Answer: B
In essence a whitelist screening will ensure that only acceptable applications are passed / or granted access.
Incorrect Answers:
A: Removing all local administrator permissions and changing to cloud aware is not going to keep unrecognized malware infections at bay.
C: Heuristic based IDS will only look for deviation of normal behavior of an application or service and thus is useful against unknown and polymorphic viruses.
D: Modifying the router configuration to pass all the network traffic via a new proxy server is not the same as protecting against unrecognized malware infections because the company’s malware detection program in use is still the same.
References:
Conklin, Wm. Arthur, Gregory White and Dwayne Williams, CASP CompTIA Advanced Security Practitioner Certification Study Guide (Exam CAS-001), McGraw-Hill, Columbus, 2012, p. 227 Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, p. 125