CAS-005 Online Practice Questions and Answers

Correct Answer: A

VPN Concentrator:

AAA Server:

Correct Answer: A

The output shows that multiple systems have outdated or vulnerable software versions (OpenSSL 1.01 and Java 11 runtime). This suggests that the systems are not being patched regularly or effectively. A. Automating the patching system to update base images: Automating the patching process ensures that the latest security updates and patches are applied to all systems, including newly deployed ones. This addresses the root cause by ensuring that base images used for deployment are always up-to-date with the latest security patches.

B. Recompiling the affected programs with the most current patches: While this can fix the immediate vulnerabilities, it does not address the root cause of the problem, which is the lack of regular updates. C. Disabling unused/unneeded ports

on all servers: This improves security but does not address the specific issue of outdated software. D. Deploying a WAF with virtual patching upstream of the affected systems: This can provide a temporary shield but does not resolve the

underlying issue of outdated software. Automating the patching system to update base images ensures that all deployed systems are using the latest, most secure versions of software, addressing the root cause of the vulnerability trend.

References:

CompTIA Security+ Study Guide

NIST SP 800-40 Rev. 3, "Guide to Enterprise Patch Management Technologies" CIS Controls, "Control 7: Continuous Vulnerability Management"

Correct Answer: C

Configuring a span port on the perimeter firewall to ingest logs is the best architectural change to ensure that all client proxy traffic is captured for analysis. Here's why:

Comprehensive Traffic Capture: A span port (or mirror port) on the perimeter firewall can capture all inbound and outbound traffic, including traffic that might bypass the proxy. This ensures that all network traffic is available for analysis.

Centralized Logging: By capturing logs at the perimeter firewall, the organization can centralize logging and analysis, making it easier to detect and investigate anomalies. Minimal Disruption: Implementing a span port is a non-intrusive

method that does not require significant changes to the network architecture, thus minimizing disruption to existing services.

Correct Answer: C

In the context of improving incident response and reducing dwell time, the security analyst needs to focus on proactive measures that can quickly detect and alert on potential security breaches. Here's a detailed analysis of the options provided:

A. Adjusting the SIEM to alert on attempts to visit phishing sites: While this is a useful measure to prevent phishing attacks, it primarily addresses external threats and doesn't directly impact dwell time reduction, which focuses on the time a threat remains undetected within a network.

B. Allowing TRACE method traffic to enable better log correlation: The TRACE method in HTTP is used for debugging purposes, but enabling it can introduce security vulnerabilities. It's not typically recommended for enhancing security monitoring or incident response.

C. Enabling alerting on all suspicious administrator behavior: This option directly targets the potential misuse of administrator accounts, which are often high-value targets for attackers. By monitoring and alerting on suspicious activities from admin accounts, the organization can quickly identify and respond to potential breaches, thereby reducing dwell time significantly. Suspicious behavior could include unusual login times, access to sensitive data not usually accessed by the admin, or any deviation from normal behavior patterns. This proactive monitoring is crucial for quick detection and response, aligning well with best practices in incident response. D. Utilizing allow lists on the WAF for all users using GET methods: This measure is aimed at restricting access based on allowed lists, which can be effective in preventing unauthorized access but doesn't specifically address the need for quick detection and response to internal threats. References: CompTIA SecurityX Study Guide: Emphasizes the importance of monitoring and alerting on admin activities as part of a robust incident response plan. NIST Special Publication 800-61 Revision 2, "Computer Security Incident Handling Guide": Highlights best practices for incident response, including the importance of detecting and responding to suspicious activities quickly. "Incident Response and Computer Forensics" by Jason T. Luttgens, Matthew Pepe, and Kevin Mandia: Discusses techniques for reducing dwell time through effective monitoring and alerting mechanisms, particularly focusing on privileged account activities. By focusing on enabling alerting for suspicious administrator behavior, the security analyst addresses a critical area that can help reduce the time a threat goes undetected, thereby improving the overall security posture of the organization.

Correct Answer: B

Enabling dashboards for service status monitoring is the best action to support rapid incident response. The table shows various services with different risk, criticality, and alert severity ratings. To ensure timely and effective incident response,

real-time visibility into the status of these services is crucial.

Why Dashboards for Service Status Monitoring?

Real-time Visibility: Dashboards provide an at-a-glance view of the current status of all critical services, enabling rapid detection of issues. Centralized Monitoring: A single platform to monitor the status of multiple services helps streamline

incident response efforts.

Proactive Alerting: Dashboards can be configured to show alerts and anomalies immediately, ensuring that incidents are addressed as soon as they arise. Improved Decision Making: Real-time data helps incident response teams make

informed decisions quickly, reducing downtime and mitigating impact. Other options, while useful, do not offer the same level of comprehensive, real-time visibility and proactive alerting:

A. Automate alerting to IT support for phone system outages: This addresses one service but does not provide a holistic view.

C. Send emails for failed log-in attempts on the public website: This is a specific alert for one type of issue and does not cover all services. D. Configure automated isolation of human resources systems: This is a reactive measure for a

specific service and does not provide real-time status monitoring.

References:

CompTIA SecurityX Study Guide

NIST Special Publication 800-61 Revision 2, "Computer Security Incident Handling Guide"

"Best Practices for Implementing Dashboards," Gartner Research

Correct Answer: D

Correct Answer: A

..."To comply with PCI (Payment Card Industry) standards, it is recommended to use TLS 1.1 or higher. Note: Important: Although TLS 1.1 still meets PCI standards, we encourage you to start using TLS 1.2 and higher versions for better security...."

Correct Answer: DE

Correct Answer: BE

Correct Answer: B