CAS-005 Exam Dumps - CompTIA SecurityX Certification Exam

Go to page:

<< First
Prev
1
2
3
4
5
6
7
8
Next
Last >>

Question # 33

A security configure isbuilding a solution to disable weak CBC configuration for remote access connections lo Linux systems. Which of the following should the security engineer modify?

The /etc/openssl.conf file, updating the virtual site parameter

The /etc/nsswith.conf file, updating the name server

The /etc/hosts file, updating the IP parameter

The /etc/etc/sshd, configure file updating the ciphers

Full Access

Question # 34

A security analyst wants to use lessons learned from a poor incident response to reduce dwell lime in the future The analyst is using the following data points

Which of the following would the analyst most likely recommend?

Adjusting the SIEM to alert on attempts to visit phishing sites

Allowing TRACE method traffic to enable better log correlation

Enabling alerting on all suspicious administrator behavior

utilizing allow lists on the WAF for all users using GFT methods

Full Access

Answer:

Explanation:

In the context of improving incident response and reducing dwell time, the security analyst needs to focus on proactive measures that can quickly detect and alert on potential security breaches. Hereâ€™s a detailed analysis of the options provided:

A. Adjusting the SIEM to alert on attempts to visit phishing sites: While this is a useful measure to prevent phishing attacks, it primarily addresses external threats and doesnâ€™t directly impact dwell time reduction, which focuses on the time a threat remains undetected within a network.

B. Allowing TRACE method traffic to enable better log correlation: The TRACE method in HTTP is used for debugging purposes, but enabling it can introduce security vulnerabilities. Itâ€™s not typically recommended for enhancing security monitoring or incident response.

C. Enabling alerting on all suspicious administrator behavior: This option directly targets the potential misuse of administrator accounts, which are often high-value targets for attackers. By monitoring and alerting on suspicious activities from admin accounts, the organization can quickly identify and respond to potential breaches, thereby reducing dwell time significantly. Suspicious behavior could include unusual login times, access to sensitive data not usually accessed by the admin, or any deviation from normal behavior patterns. This proactive monitoring is crucial for quick detection and response, aligning well with best practices in incident response.

D. Utilizing allow lists on the WAF for all users using GET methods: This measure is aimed at restricting access based on allowed lists, which can be effective in preventing unauthorized access but doesnâ€™t specifically address the need for quick detection and response to internal threats.

[References:, CompTIA SecurityX Study Guide: Emphasizes the importance of monitoring and alerting on admin activities as part of a robust incident response plan., NIST Special Publication 800-61 Revision 2,"Computer Security Incident Handling Guide": Highlights best practices for incident response, including the importance of detecting and responding to suspicious activities quickly., "Incident Response & Computer Forensics" by Jason T. Luttgens, Matthew Pepe, and Kevin Mandia: Discusses techniques for reducing dwell time through effective monitoring and alerting mechanisms, particularly focusing on privileged account activities., By focusing on enabling alerting for suspicious administrator behavior, the security analyst addresses a critical area that can help reduce the time a threat goes undetected, thereby improving the overall security posture of the organization., Top of Form, Bottom of Form, , , ]

Question # 35

A hospital provides tablets to its medical staff to enable them to more quickly access and edit patients' charts. The hospital wants to ensure that if a tablet is identified as lost or stolen and a remote command is issued, the risk of data loss can be mitigated within seconds. The tablets are configured as follows:

â€¢ Full disk encryption is enabled.

â€¢ "Always On" corporate VPN is enabled.

â€¢ eFuse-backed keystore is enabled.

â€¢ Wi-Fi 6 is configured with SAE.

â€¢ Location services is disabled.

â€¢ Application allow list is unconfigured.

Assuming the hospital policy cannot be changed, which of the following is the best way to meet the hospital's objective?

Revoke the user VPN and Wi-Fi certificates

Cryptographically erase FDE volumes

Issue new MFA credentials to all users

Configure the application allow list

Full Access

Question # 36

An organization plans to deploy new software. The project manager compiles a list of roles that will be involved in different phases of the deployment life cycle. Which of the following should the project manager use to track these roles?

CMDB

Recall tree

ITIL

RACI matrix

Full Access

Question # 37

Operational technology often relies upon aging command, control, and telemetry subsystems that were created with the design assumption of:

operating in an isolated/disconnected system.

communicating over distributed environments

untrustworthy users and systems being present.

an available EtherneVIP network stack for flexibility.

anticipated eavesdropping from malicious actors.

Full Access

Answer:

Explanation:

Comprehensive and Detailed Step by Step Explanation:

Understanding the Scenario: The question focuses on the historical design assumptions behind older operational technology (OT)systems, particularly in the context of command, control, and telemetry.

Analyzing the Answer Choices:

A. operating in an isolated/disconnected system: This is the most accurate assumption for many legacy OT systems. Historically, these systems weredesigned to operate in air-gapped environments, completely isolated from external networks (including the internet).

[Reference: This aligns with the historical evolution of OT security. Initially, security was based on physical isolation rather than network security controls. This is a common topic in CASP+ discussions on OT security challenges., B. communicating over distributed environments: While OT systems can be distributed, the core design assumption, especially for older systems, wasn't centered around interconnectivity in the way modern IT systems are., C. untrustworthy users and systems being present: This is a more modern security principle (Zero Trust). Older OT systems often operated under a model of implicit trust within their isolated environment., D. an available EtherneVIP network stack for flexibility: Ethernet/IP is a relatively newer industrial protocol. Older OT systems often used proprietary or less flexible communication protocols. Also, there is no such thing as EtherneVIP., E. anticipated eavesdropping from malicious actors: While security was a concern, the primary threat model for older, isolated OT systems didn't heavily emphasize external malicious actors due to the assumed isolation., Why A is the Correct Answer:, Air Gap: The concept of an air gap (physical isolation) was the cornerstone of security for many legacy OT systems. These systems were not connected to the internet or corporate networks, making them less susceptible to remote attacks., Legacy Protocols: Older OT systems often used proprietary or serial communication protocols, not designed for internet connectivity., Implicit Trust: Within the isolated environment, there was often an assumption of trust among the connected components., CASP+ Relevance: The challenges of securing legacy OT systems, especially in the face of increasing connectivity, are a key area of focus in CASP+. Understanding the historical context and the shift in security paradigms is crucial., Modern OT Security Considerations (Elaboration):, Convergence: Today, the lines between IT and OT are blurring. OT systems are increasingly connected to corporate networks and the internet, necessitating a shift from isolation-based security to a more comprehensive approach., Threat Landscape: Modern OT systems face a wider range of threats, including targeted attacks from sophisticated actors., Security Controls: Modern OT security involves implementing network segmentation, intrusion detection, access controls, and other measures to protect against these evolving threats., In conclusion, the primary design assumption for many older OT systems was that they would operate in isolated or disconnected environments. This historical context is important for understanding the security challenges faced by organizations today as they integrate these legacy systems into modern, connected environments. This is a core concept discussed in CASP+ in the context of OT security and risk management., =================, , ]

Question # 38

A security analyst is reviewing the following authentication logs:

Which of thefollowing should the analyst do first?

Disable User2's account

Disable User12's account

Disable User8's account

Disable User1's account

Full Access

Question # 39

A user reports application access issues to the help desk. The help desk reviews the logs for the user:

Which of the following is most likely the reason for the issue?

The user inadvertently tripped the geoblock rule in NGFW.

A threat actor has compromised the user's account and attempted to log in.

The user is not allowed to access the human resources system outside of business hours.

The user did not attempt to connect from an approved subnet.

Full Access

Question # 40

A company is preparing to move a new version of a web application to production. No issues were reported during security scanning or quality assurance in the CI/CD pipeline. Which of the following actions should thecompany take next?

Merge the test branch to the main branch

Perform threat modeling on the production application

Conduct unit testing on the submitted code

Perform a peer review on the test branch

Full Access