# [Free] 2018(May) EnsurePass Dumpsleader CompTIA RC0-C02 Dumps with VCE and PDF 151-160

2018 May CompTIA Official New Released RC0-C02

CompTIA Advanced Security Practitioner (CASP) Recertification Exam for Continuing Education

#### Question No: 151 – (Topic 3)

An accountant at a small business is trying to understand the value of a server to determine if the business can afford to buy another server for DR. The risk manager only provided the accountant with the SLE of \$24,000, ARO of 20% and the exposure factor of 25%. Which of the following is the correct asset value calculated by the accountant?

A. \$4,800

B. \$24,000

C. \$96,000

D. \$120,000

The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE). It is mathematically expressed as: ALE = ARO x SLE

Single Loss Expectancy (SLE) is mathematically expressed as: Asset value (AV) x Exposure Factor (EF)

Thus if SLE = \$24,000 and EF = 25%, then the asset value is AV = SLE/EF = \$24,000 / 0.25 = \$96,000 (note that the ARO of 20% is not needed for this calculation).

References: http://www.financeformulas.net/Return_on_Investment.html https://en.wikipedia.org/wiki/Risk_assessment

#### Question No: 152 – (Topic 3)

A large company is preparing to merge with a smaller company. The smaller company has been very profitable, but the smaller company’s main applications were created in-house. Which of the following actions should the large company’s security administrator take in preparation for the merger?

1. A review of the mitigations implemented from the most recent audit findings of the smaller company should be performed.

2. An ROI calculation should be performed to determine which company's application should be used.

3. A security assessment should be performed to establish the risks of integration or co-existence.

4. A regression test should be performed on the in-house software to determine security risks associated with the software.

With any merger, regardless of the monetary benefit, there are always security risks, and prior to the merger the security administrator should assess those risks so as to mitigate them.

#### Question No: 153 – (Topic 3)

The Information Security Officer (ISO) believes that the company has been targeted by cybercriminals and it is under a cyber attack. Internal services that are normally available to the public via the Internet are inaccessible, and employees in the office are unable to browse the Internet. The senior security engineer starts by reviewing the bandwidth at the border router, and notices that the incoming bandwidth on the router’s external interface is maxed out. The security engineer then inspects the following piece of log to try and determine the reason for the downtime, focusing on the company’s external router’s IP which is 128.20.176.19:

```
11:16:22.110343 IP 90.237.31.27.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110351 IP 23.27.112.200.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110358 IP 192.200.132.213.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110402 IP 70.192.2.55.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110406 IP 112.201.7.39.19 > 128.20.176.19.19: UDP, length 1400
```

Which of the following describes the findings the senior security engineer should report to the ISO and the BEST solution for service restoration?

1. After the senior engineer used a network analyzer to identify an active Fraggle attack, the company’s ISP should be contacted and instructed to block the malicious packets.

2. After the senior engineer used the above IPS logs to detect the ongoing DDOS attack, an IPS filter should be enabled to block the attack and restore communication.

3. After the senior engineer used a mirror port to capture the ongoing amplification attack, a BGP sinkhole should be configured to drop traffic at the source networks.

4. After the senior engineer used a packet capture to identify an active Smurf attack, an ACL should be placed on the company’s external router to block incoming UDP port 19 traffic.

The exhibit displays logs that are indicative of an active Fraggle attack: UDP packets of identical size arriving from many different source addresses, all with source and destination port 19 (chargen), within microseconds of each other. A Fraggle attack is similar to a Smurf attack in that it is a denial of service attack, but the difference is that where Smurf uses ICMP, Fraggle uses UDP echo and chargen traffic (ports 7 and 19). Because the incoming link is already saturated, filtering on the company's own router would not restore service; once the senior engineer has used a network analyzer to identify the attack, he should contact the company's ISP to block those malicious packets upstream.

#### Question No: 154 – (Topic 3)

There have been some failures of the company's internal-facing website. A security engineer has found the WAF to be the root cause of the failures. System logs show that the WAF has been unavailable for 14 hours over the past month, in four separate situations.

One of these situations was a two hour scheduled maintenance time, aimed at improving the stability of the WAF. Using the MTTR based on the last month’s performance figures, which of the following calculations is the percentage of uptime assuming there were 722 hours in the month?

1. 92.24 percent

2. 98.06 percent

3. 98.34 percent

4. 99.72 percent

A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked.

14 hours of downtime in a period of 722 hours of expected uptime = 14/722 x 100 = 1.939%. Thus the percentage of uptime = 100% – 1.939% = 98.06%. (The two-hour scheduled maintenance window is still counted as unavailability here, since the question asks for uptime based on last month's actual performance figures.)

References:

Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, pp. 43, 116

#### Question No: 155 – (Topic 3)

A small company’s Chief Executive Officer (CEO) has asked its Chief Security Officer (CSO) to improve the company’s security posture quickly with regard to targeted attacks. Which of the following should the CSO conduct FIRST?

1. Survey threat feeds from services inside the same industry.

2. Purchase multiple threat feeds to ensure diversity and implement blocks for malicious traffic.

3. Conduct an internal audit against industry best practices to perform a qualitative analysis.

4. Deploy a UTM solution that receives frequent updates from a trusted industry vendor.

Security posture refers to the overall security plan from planning through to implementation and comprises technical and non-technical policies, procedures and controls to protect from both internal and external threats. From a security standpoint, one of the first questions that must be answered in improving the overall security posture of an organization is to identify where data resides. All the advances that were made by technology make this very difficult. The best way then to improve your company’s security posture is to first survey threat feeds from services inside the same industry.

#### Question No: 156 – (Topic 3)

The helpdesk is receiving multiple calls about slow and intermittent Internet access from the finance department. The following information is compiled:

Caller 1, IP 172.16.35.217, NETMASK 255.255.254.0

Caller 2, IP 172.16.35.53, NETMASK 255.255.254.0

Caller 3, IP 172.16.35.173, NETMASK 255.255.254.0

All callers are connected to the same switch and are routed by a router with five built-in interfaces. The upstream router interface's MAC is 00-01-42-32-ab-1a.

A packet capture shows the following:

```
09:05:15.934840 arp reply 172.16.34.1 is-at 00:01:42:32:ab:1a (00:01:42:32:ab:1a)
09:06:16.124850 arp reply 172.16.34.1 is-at 00:01:42:32:ab:1a (00:01:42:32:ab:1a)
09:07:25.439811 arp reply 172.16.34.1 is-at 00:01:42:32:ab:1a (00:01:42:32:ab:1a)
09:08:10.937590 IP 172.16.35.1 > 172.16.35.255: ICMP echo request, id 2305, seq 1, length 65534
09:08:10.937591 IP 172.16.35.1 > 172.16.35.255: ICMP echo request, id 2306, seq 2, length 65534
09:08:10.937592 IP 172.16.35.1 > 172.16.35.255: ICMP echo request, id 2307, seq 3, length 65534
```

Which of the following is occurring on the network?

1. A man-in-the-middle attack is underway on the network.

2. An ARP flood attack is targeting the router.

3. The default gateway is being spoofed on the network.

4. A denial of service attack is targeting the router.

The above packet capture shows an attack in which the attacker is consuming resources (in this case the router's, by sending maximum-size ICMP echo requests to the subnet broadcast address in rapid succession) and preventing normal use. The ARP replies are not evidence of spoofing, since the MAC they advertise for the gateway matches the router's real interface MAC. This is thus a denial of service attack.
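The two captures above (the chargen reflection traffic in Question 153 and the broadcast ICMP flood in Question 156) can be triaged with a short script rather than by eye. The following is an added example, not part of the exam dump: it parses tcpdump-style lines, groups UDP traffic from reflector source ports 7 and 19 by victim, counts oversized echo requests sent to a subnet broadcast address, and checks ARP replies for the gateway against the known router MAC. The sample lines, thresholds and finding names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the same tcpdump style as the two exhibits (not from the page).
SAMPLE = """\
11:16:22.110343 IP 90.237.31.27.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110351 IP 23.27.112.200.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110358 IP 192.200.132.213.19 > 128.20.176.19.19: UDP, length 1400
09:05:15.934840 arp reply 172.16.34.1 is-at 00:01:42:32:ab:1a (00:01:42:32:ab:1a)
09:08:10.937590 IP 172.16.35.1 > 172.16.35.255: ICMP echo request, id 2305, seq 1, length 65534
09:08:10.937591 IP 172.16.35.1 > 172.16.35.255: ICMP echo request, id 2306, seq 2, length 65534
"""

UDP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo request,.* length (\d+)")
ARP_RE = re.compile(r"arp reply (\S+) is-at ([0-9a-f:]+)")
REFLECTOR_PORTS = {7, 19}  # UDP echo and chargen, the services a Fraggle attack bounces off

def triage(capture, gateway_ip, gateway_mac, min_sources=3, max_icmp_len=1500):
    """Scan tcpdump-style lines and return a list of finding tuples."""
    gateway_mac = gateway_mac.lower().replace("-", ":")  # accept the 00-01-42-... notation
    findings = []
    reflect = defaultdict(set)  # (dst, dst_port) -> distinct source IPs
    bcast = defaultdict(int)    # broadcast target -> count of oversized echo requests
    for line in capture.splitlines():
        if m := UDP_RE.search(line):
            src, sport, dst, dport, _ = m.groups()
            if int(sport) in REFLECTOR_PORTS:  # reflector replies: many sources, one victim
                reflect[(dst, int(dport))].add(src)
        elif m := ICMP_RE.search(line):
            _, dst, length = m.groups()
            if dst.endswith(".255") and int(length) > max_icmp_len:  # directed-broadcast ping
                bcast[dst] += 1
        elif m := ARP_RE.search(line):
            # A reply claiming the gateway IP with a different MAC would indicate spoofing
            if m.group(1) == gateway_ip and m.group(2).lower() != gateway_mac:
                findings.append(("arp-spoof", gateway_ip, m.group(2)))
    for (dst, dport), srcs in reflect.items():
        if len(srcs) >= min_sources:
            findings.append(("udp-reflection", dst, dport, len(srcs)))
    for dst, n in bcast.items():
        findings.append(("broadcast-icmp-flood", dst, n))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE, "172.16.34.1", "00-01-42-32-ab-1a"):
        print(finding)
```

On the sample above it reports the chargen reflection against 128.20.176.19 and the broadcast flood against 172.16.35.255, and raises no ARP finding because the advertised MAC matches the router.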

#### Question No: 157 – (Topic 3)

Due to compliance regulations, a company requires a yearly penetration test. The Chief Information Security Officer (CISO) has asked that it be done under a black box methodology.

Which of the following would be the advantage of conducting this kind of penetration test?

1. The risk of unplanned server outages is reduced.

2. Using documentation provided to them, the pen-test organization can quickly determine areas to focus on.

3. The results will show an in-depth view of the network and should help pin-point areas of internal weakness.

4. The results should reflect what attackers may be able to learn about the company.

A black box penetration test is usually done when the testers do not have access to the code or internal documentation, much like an outsider/attacker. This is then the best way to run a penetration test that will also reflect what an attacker/outsider can learn about the company. A black box test simulates an outsider's attack.

#### Question No: 158 – (Topic 3)

A Chief Financial Officer (CFO) has raised concerns with the Chief Information Security Officer (CISO) because money has been spent on IT security infrastructure, but corporate assets are still found to be vulnerable. The business recently funded a patch management product and SOE hardening initiative. A third party auditor reported findings against the business because some systems were missing patches. Which of the following statements BEST describes this situation?

1. The CFO is at fault because they are responsible for patching the systems and have already been given patch management and SOE hardening products.

2. The audit findings are invalid because remedial steps have already been applied to patch servers and the remediation takes time to complete.

3. The CISO has not selected the correct controls and the audit findings should be assigned to them instead of the CFO.

4. Security controls are generally never 100% effective and gaps should be explained to stakeholders and managed accordingly.

Security controls can never be 100% effective and are mainly a risk mitigation strategy; thus the gaps should be explained to all stakeholders and managed accordingly.

#### Question No: 159 – (Topic 3)

The following has been discovered in an internally developed application:

Error – Memory allocated but not freed:

```c
char *myBuffer = malloc(BUFFER_SIZE);
if (myBuffer != NULL) {
    *myBuffer = STRING_WELCOME_MESSAGE;
    printf("Welcome to: %s\n", myBuffer);
}
exit(0);   /* myBuffer is never passed to free() */
```

Which of the following security assessment methods are likely to reveal this security weakness? (Select TWO).

1. Static code analysis

2. Memory dumping

3. Manual code review

4. Application sandboxing

5. Penetration testing

6. Black box testing

A code review refers to the examination of an application's source code (the new network-based software product in this case) that is designed to identify and assess threats to the organization.

Application code review, whether manual or static, will reveal the type of security weakness shown in the exhibit: the allocation is visible in the source, but it is never matched by a free() call. The other methods listed observe the running application from the outside and would not reliably surface a missing free().

#### Question No: 160 – (Topic 3)

A security manager is looking into the following vendor proposal for a cloud-based SIEM solution. The intention is that the cost of the SIEM solution will be justified by having reduced the number of incidents and therefore saving on the amount spent investigating incidents.

Proposal:

External cloud-based software as a service subscription costing \$5,000 per month. Expected to reduce the number of current incidents per annum by 50%.

The company currently has ten security incidents per annum at an average cost of \$10,000 per incident. Which of the following is the ROI for this proposal after three years?

A. -\$30,000

B. \$120,000

C. \$150,000

D. \$180,000

Return on investment = net profit / investment, where net profit = gross profit – expenses.

or

Return on investment = (gain from investment – cost of investment) / cost of investment

Subscriptions = 5,000 x 12 = 60,000 per annum

10 incidents @ 10,000 = 100,000 per annum; reduced by 50% this saves 50,000 per annum. Thus the return is 50,000 – 60,000 = -10,000 per annum, which makes -\$30,000 after three years.