Comptia (CAS-003) Exam Questions And Answers page 24
The SOC is reviewing processes and procedures after a recent incident. The review indicates it took more than 30 minutes to determine that quarantining an infected host was the best course of action. This allowed the malware to spread to additional hosts before it was contained. Which of the following would BEST improve the incident response process?
Dividing the network into trusted and untrusted zones
Providing additional end-user training on acceptable use
Implementing manual quarantining of infected hosts
Enterprise Security Operations
A network administrator is concerned about a particular server that is attacked occasionally from hosts on the Internet. The server is not critical; however, the attacks impact the rest of the network.
While the company's current ISP is cost effective, the ISP is slow to respond to reported issues. The administrator needs to be able to mitigate the effects of an attack immediately without opening a trouble ticket with the ISP. The ISP is willing to accept a very small network route advertised with a particular BGP community string. Which of the following is the BEST way for the administrator to mitigate the effects of these attacks?
Use the route protection offered by the ISP to accept only BGP routes from trusted hosts on the Internet, which will discard traffic from attacking hosts.
Work with the ISP and subscribe to an IPS filter that can recognize the attack patterns of the attacking hosts, and block those hosts at the local IPS device.
Advertise a /32 route to the ISP to initiate a remotely triggered black hole, which will discard traffic destined to the problem server at the upstream provider.
Add a redundant connection to a second local ISP, so a redundant connection is available for use if the server is being attacked on one connection.
Risk Management
Enterprise Security Operations
A Chief Information Officer (CIO) publicly announces the implementation of a new financial system. As part of a security assessment that includes a social engineering task, which of the following tasks should be conducted to demonstrate the BEST means to gain information to use for a report on social vulnerability details about the financial system?
Call the CIO and ask for an interview, posing as a job seeker interested in an open position
Compromise the email server to obtain a list of attendees who responded to the invitation and who are on the IT staff
Notify the CIO that, through observation at events, malicious actors can identify individuals to befriend
Understand the CIO is a social drinker, and find the means to befriend the CIO at establishments the CIO frequents
Enterprise Security Architecture
Enterprise Security Operations
Users have been reporting unusual automated phone calls, including names and phone numbers, that appear to come from devices internal to the company. Which of the following should the systems administrator do to BEST address this problem?
Add an ACL to the firewall to block VoIP.
Change the settings on the phone system to use SIP-TLS.
Have the phones download new configurations over TFTP.
Enable QoS configuration on the phone VLAN.
Enterprise Security Architecture
Enterprise Security Operations
A university's help desk is receiving reports that Internet access on campus is not functioning. The network administrator looks at the management tools and sees the 1Gbps Internet is completely saturated with ingress traffic. The administrator sees the following output on the Internet router:
The administrator calls the university's ISP for assistance, but it takes more than four hours to speak to a network engineer who can resolve the problem. Based on the information above, which of the following should the ISP engineer do to resolve the issue?
The ISP engineer should null route traffic to the web server immediately to restore Internet connectivity. The university should implement a remotely triggered black hole with the ISP to resolve this more quickly in the future.
A university web server is under increased load during enrollment. The ISP engineer should immediately increase bandwidth to 2Gbps to restore Internet connectivity. In the future, the university should pay for more bandwidth to handle spikes in web server traffic.
The ISP engineer should immediately begin blocking IP addresses that are attacking the web server to restore Internet connectivity. In the future, the university should install a WAF to prevent this attack from happening again.
The ISP engineer should begin refusing network connections to the web server immediately to restore Internet connectivity on campus. The university should purchase an IPS device to stop DDoS attacks in the future.
Risk Management
Enterprise Security Operations
A security analyst is troubleshooting a scenario in which an operator should only be allowed to reboot remote hosts but not perform other activities. The analyst inspects the following portions of different configuration files:
Configuration file 1:
Operator ALL=/sbin/reboot
Configuration file 2:
Command="/sbin/shutdown now",no-x11-forwarding,no-pty,ssh-dss
Configuration file 3:
Operator:x:1000:1000::/home/operator:/bin/bash
Which of the following explains why an intended operator cannot perform the intended action?
The sudoers file is locked down to an incorrect command
SSH command shell restrictions are misconfigured
The passwd file is misconfigured
The SSH command is not allowing a pty session
Risk Management
Enterprise Security Operations
Within the past six months, a company has experienced a series of attacks directed at various collaboration tools. Additionally, sensitive information was compromised during a recent security breach of a remote access session from an unsecure site. As a result, the company is requiring all collaboration tools to comply with the following:
• Secure messaging between internal users using digital signatures
• Secure sites for video-conferencing sessions
• Presence information for all office employees
• Restriction of the types of messages allowed into the network
Which of the following applications must be configured to meet the new requirements? (Choose two.)
Remote desktop
VoIP
Remote assistance
Email
Instant messaging
Social media websites
Risk Management
Enterprise Security Architecture
Several days after deploying an MDM for smartphone control, an organization began noticing anomalous behavior across the enterprise. Security analysts observed the following:
• Unauthorized certificate issuance
• Access to mutually authenticated resources utilizing valid but unauthorized certificates
• Granted access to internal resources via the SSL VPN
To address the immediate problem, security analysts revoked the erroneous certificates. Which of the following describes the MOST likely root cause of the problem and offers a solution?
The VPN and web resources are configured with too weak a cipher suite and should be rekeyed to support AES 256 in GCM and ECC for digital signatures and key exchange.
A managed mobile device is rooted, exposing its keystore, and the MDM should be reconfigured to wipe these devices and disallow access to corporate resources.
SCEP is configured insecurely, which should be enabled for device onboarding against a PKI for mobile-exclusive use.
The CA is configured to sign any received CSR from mobile users and should be reconfigured to permit CSR signings only from domain administrators.
Risk Management
Enterprise Security Architecture
A database administrator is required to adhere to and implement privacy principles when executing daily tasks. A manager directs the administrator to reduce the number of unique instances of PII stored within an organization's systems to the greatest extent possible.
Which of the following principles is being demonstrated?
Administrator accountability
PII security
Record transparency
Data minimization
Risk Management
Enterprise Security Architecture
First responders, who are part of a core incident response team, have been working to contain an outbreak of ransomware that also led to data loss. In a rush to isolate the three hosts that were calling out to the NAS to encrypt whole directories, the hosts were shut down immediately without investigation and then isolated. Which of the following were missed? (Choose two.)
CPU, process state tables, and main memory dumps
Essential information needed to perform data restoration to a known clean state
Temporary file system and swap space
Indicators of compromise to determine ransomware encryption
Chain of custody information needed for investigation
Enterprise Security Operations