Instant Access CompTIA.CAS-003.v2022-06-25.q354 Actual Practice Test Engine for Free (Page 48)

Question 231

An infrastructure team is at the end of a procurement process and has selected a vendor. As part of the final negotiations, there are a number of outstanding issues, including:
1. Indemnity clauses have identified the maximum liability
2. The data will be hosted and managed outside of the company's geographical location The number of users accessing the system will be small, and no sensitive data will be hosted in the solution. As the security consultant on the project, which of the following should the project's security consultant recommend as the NEXT step?

A.Develop a security exemption, as it does not meet the security policies
B.Mitigate the risk by asking the vendor to accept the in-country privacy principles
C.Review the entire procurement process to determine the lessons learned
D.Require the solution owner to accept the identified risks and consequences

Question 232

The DLP solution has been showing some unidentified encrypted data being sent using FTP to a remote server. A vulnerability scan found a collection of Linux servers that are missing OS level patches. Upon further investigation, a technician notices that there are a few unidentified processes running on a number of the servers. What would be a key FIRST step for the data security team to undertake at this point?

A.Capture process ID data and submit to anti-virus vendor for review.
B.Reboot the Linux servers, check running processes, and install needed patches.
C.Remove a single Linux server from production and place in quarantine.
D.Notify upper management of a security breach.
E.Conduct a bit level image, including RAM, of one or more of the Linux servers.

Correct Answer: E

Incident management (IM) is a necessary part of a security program. When effective, it mitigates business impact, identifies weaknesses in controls, and helps fine-tune response processes.
In this question, an attack has been identified and confirmed. When a server is compromised or used to commit a crime, it is often necessary to seize it for forensics analysis. Security teams often face two challenges when trying to remove a physical server from service: retention of potential evidence in volatile storage or removal of a device from a critical business process.
Evidence retention is a problem when the investigator wants to retain RAM content. For example, removing power from a server starts the process of mitigating business impact, but it also denies forensic analysis of data, processes, keys, and possible footprints left by an attacker.
A full a bit level image, including RAM should be taken of one or more of the Linux servers. In many cases, if your environment has been deliberately attacked, you may want to take legal action against the perpetrators. In order to preserve this option, you should gather evidence that can be used against them, even if a decision is ultimately made not to pursue such action. It is extremely important to back up the compromised systems as soon as possible. Back up the systems prior to performing any actions that could affect data integrity on the original media.
Incorrect Answers:
A: Capturing process ID data and submitting it to anti-virus vendor for review would not be the first step. Furthermore, it is unlikely that a virus is the cause of the problem on the LINUX servers. It is much more likely that the missing OS level patches left the systems vulnerable.
B: Rebooting the Linux servers would lose the contents of the running RAM. This may be needed for litigation so a full backup including RAM should be taken first. Then the servers can be cleaned and patched.
C: Removing a single Linux server from production and placing it in quarantine would probably involve powering off the server. Powering off the server would lose the contents of the running RAM. This may be needed for litigation so a full backup including RAM should be taken first.
D: Notifying upper management of a security breach probably should be done after the security breach is contained. You should follow standard incident management procedures first. Reporting on the incident is one of the later steps in the process.
References:
http://whatis.techtarget.com/reference/Five-Steps-to-Incident-Management-in-a-Virtualized-Environment
https://technet.microsoft.com/en-us/library/cc700825.aspx

Question 233

A company is implementing a new secure identity application, given the following requirements
* The cryptographic secrets used in the application must never be exposed to users or the OS
* The application must work on mobile devices.
* The application must work with the company's badge reader system
Which of the following mobile device specifications are required for this design? (Select TWO).

A.Biometrics
B.NFC
C.UEFI
D.HSM
E.Secure element
F.SEAndroid

Question 234

A penetration testing manager is contributing to an RFP for the purchase of a new platform. The manager has provided the following requirements:
* Must be able to MITM web-based protocols
* Must be able to find common misconfigurations and security holes
Which of the following types of testing should be included in the testing platform? (Choose two.)

A.Reverse engineering tool
B.HTTP intercepting proxy
C.File integrity monitor
D.Password cracker
E.Vulnerability scanner
F.Fuzzer

Question 235

A security tester is testing a website and performs the following manual query:
https://www.comptia.com/cookies.jsp?products=5%20and%201=1
The following response is received in the payload:
"ORA-000001: SQL command not properly ended"
Which of the following is the response an example of?

A.Fingerprinting
B.Cross-site scripting
C.SQL injection
D.Privilege escalation

Question 231

Question 232

Question 233

Question 234

Question 235

Download PDF File