CompTIA CASP+ Exam Questions
Page 7 of 50
121.
Which of the following is NOT a data classification under GDPR?
- Symmetric
- Public
- Confidential
- Internal only
Correct answer: Symmetric
GDPR (General Data Protection Regulation) is an EU (European Union) data privacy law that grants data subjects multiple rights and imposes security and privacy requirements on how organizations process the personal data of individuals in the EU.
"Symmetric" describes a type of encryption (one key shared for both encryption and decryption), not a classification of data. The other three options belong to the four-level classification scheme organizations commonly use to meet their GDPR obligations (GDPR itself defines "personal data" and "special categories of personal data" rather than prescribing these labels):
- Public
- Internal only
- Confidential
- Restricted
122.
Acme Inc.'s web app was recently attacked and some data was leaked as a result. You are tasked with identifying the security issues related to input fields before redeployment. What tool should you use?
- Fuzzer
- Protocol analyzer
- Port scanner
- Password cracker
Correct answer: Fuzzer
A fuzzer finds input-handling bugs by feeding an application large numbers of malformed, unexpected, or boundary-case inputs and watching for crashes, hangs, and unhandled errors. A "dumb" fuzzer generates random data with no knowledge of the expected format; a "smart" fuzzer starts from valid inputs (or a grammar) and mutates them, so that more test cases get past the parser and reach the logic behind it. Fuzzing locates the vulnerabilities in the input fields; exploiting them is a separate step.
A protocol analyzer captures and decodes traffic on a network medium or for a specific protocol.
A port scanner probes network endpoints to determine which ports are open and which services are listening.
Password crackers are automated tools for guessing, or "cracking", passwords.
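To make the dumb-versus-smart distinction concrete, here is an added example in Python; it is not part of the original question set. The form-field handler is a constructed, deliberately fragile stand-in for the Acme web app's input code, and the seed input "SAVE-10", the mutation operators, and the "interesting number" list are assumptions made for the example. The handler validates the input's shape (raising ValueError, which the app would turn into an "invalid coupon" message) but never bounds-checks the percentage before using it as an index, which is the kind of defect a fuzzer surfaces.

```python
import random
from collections import defaultdict

# Constructed target: a fragile handler for a web form field, standing in for
# the Acme web app's input code. Expected input looks like "SAVE-10" (an
# upper-case code, a dash, a percentage). It validates the shape and raises
# ValueError (which the app would report as "invalid coupon"), but it never
# bounds-checks the percentage before using it as an index.
def handle_coupon_field(value: str) -> int:
    code, pct = value.split("-")              # ValueError unless exactly one '-'
    if not (code.isalpha() and code.isupper()):
        raise ValueError("malformed code")
    discount = int(pct)                       # ValueError unless an integer
    price_table = [100 - d for d in range(101)]   # prices for 0..100 percent off
    return price_table[discount]              # IndexError: discount > 100 is unchecked


def run_case(target, data: str, crashes: dict) -> None:
    """One fuzz iteration. ValueError is the handler's own validation path and
    is expected; any other exception is an unhandled failure worth reporting,
    bucketed by exception type so duplicates do not drown the report."""
    try:
        target(data)
    except ValueError:
        pass
    except Exception as exc:
        crashes[type(exc).__name__].add(data)


def dumb_fuzz(target, iterations: int, seed: int = 1) -> dict:
    """Dumb fuzzer: random printable strings, no knowledge of the format.
    Almost every case dies in the format checks and never reaches the bug."""
    rng = random.Random(seed)                 # fixed seed: reproducible runs
    crashes = defaultdict(set)
    for _ in range(iterations):
        length = rng.randint(0, 12)
        run_case(target, "".join(chr(rng.randint(32, 126)) for _ in range(length)), crashes)
    return dict(crashes)


INTERESTING_NUMBERS = ["0", "1", "100", "101", "255", "65536", "-1", "999999999"]

def mutate(sample: str, rng: random.Random) -> str:
    """Apply one random mutation to a known-good sample."""
    op = rng.randint(0, 4)
    if op == 0 and "-" in sample:             # swap the number for a boundary value
        code, _ = sample.split("-", 1)
        return f"{code}-{rng.choice(INTERESTING_NUMBERS)}"
    if op == 1 and sample:                    # delete a character
        i = rng.randrange(len(sample))
        return sample[:i] + sample[i + 1:]
    if op == 2:                               # insert a character
        i = rng.randint(0, len(sample))
        return sample[:i] + chr(rng.randint(32, 126)) + sample[i:]
    if op == 3 and sample:                    # replace a character
        i = rng.randrange(len(sample))
        return sample[:i] + chr(rng.randint(32, 126)) + sample[i + 1:]
    return sample * 2                         # duplicate: length stress


def smart_fuzz(target, valid_seed: str, iterations: int, seed: int = 1) -> dict:
    """Smart (mutation-based) fuzzer: starts from a valid input and mutates it
    one to three times, so most cases pass the format checks and exercise the
    logic behind them."""
    rng = random.Random(seed)
    crashes = defaultdict(set)
    for _ in range(iterations):
        sample = valid_seed
        for _ in range(rng.randint(1, 3)):
            sample = mutate(sample, rng)
        run_case(target, sample, crashes)
    return dict(crashes)


if __name__ == "__main__":
    for name, result in (("dumb", dumb_fuzz(handle_coupon_field, 2000)),
                         ("smart", smart_fuzz(handle_coupon_field, "SAVE-10", 500))):
        print(name, {exc: sorted(inputs)[:3] for exc, inputs in result.items()})
```

Running it shows the smart fuzzer reporting IndexError for inputs such as "SAVE-101" within a few hundred iterations, while the dumb fuzzer's random strings almost never get past the split and int() checks. Bucketing by exception type, and treating the application's own validation errors as expected, is what keeps a real fuzzing report readable.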
123.
What technique enables multiple isolated user-space instances but all instances share the same underlying operating system kernel?
- Containerization
- Server virtualization
- DBMS
- MPLS
Correct answer: Containerization
Containerization runs multiple isolated user-space instances (containers) on a single operating system: each container gets its own view of processes, filesystem, and network, but all of them share the host kernel. Unlike traditional server virtualization, where a hypervisor gives each virtual machine its own kernel, containerization provides no kernel isolation, so a kernel vulnerability reachable from one container affects every container on the host.
A DBMS (database management system) is an application that enables data storage and retrieval. MPLS (Multiprotocol Label Switching) is a WAN packet-forwarding technique and has nothing to do with workload isolation.
124.
A company has started turning to more cloud services for its operations. In order to ensure that they still have compliance, threat protection, and data loss prevention when using cloud services, they would like to implement middleware. What type of solution acts as middleware between the end-user organization and its cloud services?
- CASB
- VDI
- VPN
- SaaS
Correct answer: CASB
A Cloud Access Security Broker (CASB) sits between an end-user organization and its cloud services, either inline as a proxy or out of band via the cloud providers' APIs, and enforces policy for visibility, compliance, threat protection, and data loss prevention. Examples include Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) and Cisco Cloudlock.
Virtual Desktop Infrastructure (VDI) hosts users' desktops on centralized servers. A Virtual Private Network (VPN) is an encrypted tunnel between two endpoints. Software as a Service (SaaS) delivers a software package from the cloud; it is something a CASB protects, not the broker itself.
125.
Acme Inc. wants to create and secure several associated websites, such as "rewards.acmeinc.com" and "returns.acmeinc.com," and it has plans to create more. For some subdomains, the desired subdomain name has not been determined yet.
Of the following options, which would be the MOST appropriate solution for certificates for Acme Inc.?
- Wildcard certificate
- Broad individual certificate
- Revocation certificate
- Self-signed certificate
Correct answer: Wildcard certificate
A wildcard certificate is a public key certificate issued for a name such as "*.acmeinc.com" that is valid for any single-label subdomain under that domain, including subdomains that do not exist yet. Because one certificate covers unlimited subdomains, it is simpler to manage and often cheaper than a separate certificate for each subdomain. Two caveats: the wildcard matches exactly one label, so "*.acmeinc.com" covers "rewards.acmeinc.com" but not "acmeinc.com" itself or "api.rewards.acmeinc.com"; and every server using the certificate holds the same private key, so a compromise of one host exposes all of them.
"Broad individual certificate" is not a standard term for SSL/TLS certificates. An individual certificate covers one name (or a fixed list of names in its Subject Alternative Name extension) and cannot account for subdomains whose names are not yet decided.
"Revocation certificate" is not a type of SSL/TLS certificate for a public website. Revocation is the process of marking an issued certificate invalid before it expires.
A self-signed certificate is not signed by a certificate authority (CA), so clients have no trust anchor to validate it against: a self-signed certificate presented by an attacker looks the same as the genuine one, which makes connection hijacking straightforward, and there is no CA to publish a revocation.
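The one-label rule is the part that surprises people when they plan subdomains around a wildcard, so here is an added example in Python (not from the original question set) that implements the hostname-matching rules clients apply to a certificate name, as described in RFC 6125. The planned hostnames in the usage block are assumptions for the example; the matching logic is general.

```python
import ipaddress

def hostname_matches(presented: str, hostname: str) -> bool:
    """Decide whether a name from a certificate's Subject Alternative Name
    matches the hostname the client connected to, using the wildcard rules
    from RFC 6125 as browsers apply them:
      - comparison is case-insensitive and ignores a trailing dot;
      - a wildcard counts only as the entire left-most label ("*.acmeinc.com"),
        never partial ("w*.acmeinc.com") and never in a deeper label;
      - the wildcard matches exactly one label, so "*.acmeinc.com" covers
        "rewards.acmeinc.com" but not "acmeinc.com" or "api.rewards.acmeinc.com";
      - at least two labels must follow the wildcard (no "*.com");
      - wildcards never match IP addresses.
    """
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not presented or not hostname:
        return False
    try:
        ipaddress.ip_address(hostname)
        return presented == hostname          # IP addresses only match literally
    except ValueError:
        pass
    p_labels, h_labels = presented.split("."), hostname.split(".")
    if "" in p_labels or "" in h_labels:      # empty labels are never valid
        return False
    if "*" not in presented:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def covered_hosts(presented: str, hostnames) -> list:
    """Which of the planned hostnames a certificate for 'presented' would serve."""
    return [h for h in hostnames if hostname_matches(presented, h)]


if __name__ == "__main__":
    # Assumed set of hostnames Acme Inc. is planning (constructed for the example).
    planned = ["rewards.acmeinc.com", "returns.acmeinc.com", "acmeinc.com",
               "api.rewards.acmeinc.com", "REWARDS.ACMEINC.COM."]
    print(covered_hosts("*.acmeinc.com", planned))
```

The practical consequence: if the bare domain or a second level of subdomains must also be served, the wildcard certificate needs those names added as explicit SAN entries (or a second wildcard such as "*.rewards.acmeinc.com"), because no single wildcard can cover them.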
126.
Which of the following firewall types is aware of all the proper functioning of the TCP handshake, keeps track of the current status of all connections, and can recognize erroneous packets trying to enter the network?
- Stateful inspection firewall
- Packet-filtering firewall
- Circuit-level proxy firewall
- Application-level proxy firewall
Correct answer: Stateful inspection firewall
Firewalls can be discussed on the basis of their type and their architecture. When we discuss different types, we're discussing how they operate differently from one another.
- Stateful firewalls - These firewalls are aware of the proper functioning of the TCP handshake, keep track of the state of all connections with respect to this process, and can recognize erroneous packets trying to enter the network.
- Packet-filtering firewalls - These firewalls are the least detrimental to throughput as they only inspect the header of the packet for allowed IP addresses or port numbers. While performing this function slows traffic, it involves only looking at the beginning of the packet and making a quick decision.
- Proxy firewalls - This type of firewall actually stands between an internal-to-external connection and makes the connection on behalf of the endpoints.
- Circuit-level proxies operate at the session layer (Layer 5) of the OSI model. This type of proxy makes decisions based on the protocol header and session layer information.
- Application-level proxies perform a type of deep packet inspection (up to Layer 7). This type of firewall understands the details of the communication process at Layer 7 for the application.
- Dynamic packet filtering - Although this isn't actually a type of firewall, dynamic packet filtering is a process that a firewall may or may not handle and deserves a mention.
- Kernel proxy firewalls - This type of firewall is an example of a fifth-generation firewall. It inspects a packet at every layer of the OSI model but does not introduce the same performance hit as an application-layer firewall because it does this at the kernel layer.
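The difference between the first two types in the list is easiest to see in code, so here is an added example in Python (not part of the original question set): a packet filter that only looks at header flags beside a minimal stateful tracker that follows each connection through the TCP handshake. The addressing (10.0.0.0/8 as the protected network, documentation ranges as outside hosts), the packet representation, and the sample trace are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example: 10.0.0.0/8 is the protected network,
# everything else is "outside". 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges used here as outside hosts.
INSIDE = ipaddress.ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flag letters: "S" = SYN, "SA" = SYN-ACK, "PA" = PSH-ACK, "R" = RST

def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE

def stateless_filter(pkt: Packet) -> str:
    """A packet-filtering rule set with no memory: allow everything outbound,
    allow inbound only when the ACK bit is set (the classic approximation of
    'part of an established connection'). It sees the header and nothing else."""
    if is_inside(pkt.src):
        return "ACCEPT"
    return "ACCEPT" if "A" in pkt.flags else "DROP"

class StatefulFirewall:
    """Tracks each connection through the TCP handshake. A packet is accepted
    only if it makes sense for the connection's current state; inbound packets
    that belong to no tracked connection are dropped whatever their flags."""

    def __init__(self) -> None:
        self.table: dict[tuple, str] = {}   # (inside ip, port, outside ip, port) -> state

    @staticmethod
    def _key(pkt: Packet) -> tuple[tuple, str]:
        if is_inside(pkt.src):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport), "out"
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport), "in"

    def process(self, pkt: Packet) -> str:
        key, direction = self._key(pkt)
        state = self.table.get(key)
        if "R" in pkt.flags:                   # RST tears down a known connection only
            if state is None:
                return "DROP"
            del self.table[key]
            return "ACCEPT"
        if direction == "out":
            if state is None:                  # a new connection must start with SYN
                if pkt.flags == "S":
                    self.table[key] = "SYN_SENT"
                    return "ACCEPT"
                return "DROP"
            if state == "SYNACK_SEEN" and "A" in pkt.flags:
                self.table[key] = "ESTABLISHED"
            return "ACCEPT"
        # inbound
        if state is None:                      # unsolicited: bare ACKs, stray SYN-ACKs, ACK scans
            return "DROP"
        if state == "SYN_SENT":
            if pkt.flags == "SA":              # the only valid reply to our SYN
                self.table[key] = "SYNACK_SEEN"
                return "ACCEPT"
            return "DROP"                      # out-of-sequence handshake packet
        return "ACCEPT" if state == "ESTABLISHED" else "DROP"

# Constructed trace: a normal outbound HTTPS handshake and data, then two
# forged "established-looking" packets from a different outside host.
SAMPLE_TRACE = [
    Packet("10.1.1.5", 40000, "203.0.113.10", 443, "S"),
    Packet("203.0.113.10", 443, "10.1.1.5", 40000, "SA"),
    Packet("10.1.1.5", 40000, "203.0.113.10", 443, "A"),
    Packet("203.0.113.10", 443, "10.1.1.5", 40000, "PA"),
    Packet("198.51.100.7", 1234, "10.1.1.5", 22, "A"),    # ACK scan of SSH
    Packet("198.51.100.7", 1234, "10.1.1.5", 22, "SA"),   # SYN-ACK nobody asked for
]

def stateful_trace(packets) -> list:
    fw = StatefulFirewall()
    return [fw.process(p) for p in packets]

def stateless_trace(packets) -> list:
    return [stateless_filter(p) for p in packets]

if __name__ == "__main__":
    for p, a, b in zip(SAMPLE_TRACE, stateless_trace(SAMPLE_TRACE), stateful_trace(SAMPLE_TRACE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags:2}]  stateless={a:6} stateful={b}")
```

The packet filter accepts all six packets, because the last two carry the ACK bit and that is all it can check. The stateful firewall accepts the genuine handshake and data but drops the forged ACK and the unsolicited SYN-ACK, since neither matches any connection it saw being opened from the inside. The cost is the state table itself, which is why stateful devices need timeouts and limits to survive SYN floods.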
127.
Which of the following is a document that details security requirements and supporting documentation?
- SRTM
- SAST
- DAST
- CDN
Correct answer: SRTM
An SRTM (security requirements traceability matrix) is a document that contains security requirements and supporting documentation. It includes details such as requirement numbers, descriptions, and how to validate the requirements.
SAST (static application security testing) tooling scans source code for vulnerabilities, while DAST (dynamic application security testing) tooling checks an application for vulnerabilities at runtime.
A CDN (content delivery network) is a network of servers that provides content like images, videos, and web pages to help improve website speed and availability.
128.
Of the following, which refers to the average time to restore service after an interruption occurs?
- MTTR
- MTD
- MTBF
- FRR
Correct answer: MTTR
MTTR (mean time to recovery) is the average time it takes to recover a system after a service disruption.
MTD (maximum tolerable downtime) is the maximum tolerable time for an asset being offline.
MTBF (mean time between failures) is an estimated time for failures to occur on a system under standard use.
FRR (false rejection rate) is a biometric accuracy metric: the rate of Type I errors (false negatives), which occur when a legitimate user is rejected by the biometric system.
129.
An organization implements a type of encryption that enables each digital document creator to create, control, and sign their own key to the digital documents to provide security. What type of encryption is this?
- File
- Block
- Disk
- Record
Correct answer: File
File-level encryption is as it sounds: the encryption and decryption process is performed per file, and each file owner has a key.
Block-level encryption, though sometimes synonymous with disk-level, refers more to encryption of the partitions or the files acting as a virtual partition. This term is also used when discussing types of encryption algorithms.
Disk-level encryption encrypts an entire volume or disk and may use the same key for the entire disk or, in some cases, a different key for each partition or volume.
Record-level encryption is encryption done at the record level. Each record can be encrypted, or not, and this type of encryption allows more granularity in who possesses the keys, since a single key does not decrypt the entire disk or volume.
130.
Acme Inc. is decommissioning a server. The CISO wants to ensure that the data remnants on the hard drive are completely eliminated. What are the BEST methods to achieve this goal?
Choose TWO.
- Shredding the hard drive
- Incinerating the hard drive
- Storage in a secure location
- 256-bit AES encryption
- Zeroing out the data
Correct answers: Shredding the hard drive; Incinerating the hard drive
Data remnants (data remanence) are data left over after standard deletion processes. The only way to be certain that remnants are eliminated is physical destruction of the media, for example by shredding or incinerating.
The other options reduce the probability of leakage but do not eliminate the data. Secure storage only controls who can reach the drive. Encrypting the drive leaves the ciphertext in place and relies on the key being destroyed. Zeroing (overwriting) does not reach sectors the drive has remapped as bad, or the over-provisioned areas of flash-based drives, so it cannot guarantee complete elimination.
131.
Of the following remote control solutions, which is proprietary to Microsoft and can control the remote host as if you were logged into it?
- RDP
- SSH
- Telnet
- VPN
Correct answer: RDP
The Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that lets administrators control a Windows system's full graphical desktop as if they were sitting in front of it, unlike Telnet and SSH, which provide a command-line session. With the legacy RDP security layer, the session is encrypted but the server is not authenticated, so a client cannot tell the real session host from a machine-in-the-middle. To mitigate this, configure the TLS (SSL) security layer, which authenticates the session host with its certificate and encrypts the session, and require Network Level Authentication (NLA) so that users are authenticated before a desktop session is created.
VPN (virtual private network) refers to a private network—often implemented via secure tunnels—that runs over an insecure "public" network.
132.
A user reports that a web server's certificate has expired, although the certificate is still within its validity period. What could be causing this issue?
- Wrong date and time on the computer
- The certificate is self-signed
- Server needs to be restarted
- Root CA is invalid
Correct answer: Wrong date and time on the computer
Certificate validity is checked against the client's own clock, so a device whose date and time are wrong will report a certificate as expired (or not yet valid) even though the certificate is within its validity period. This is one of the most common causes of the error; have the user check that their system date and time are correct.
A self-signed certificate produces a different error, that the certificate was not issued by a trusted authority. Restarting the server would not affect the issue. An invalid root CA error occurs when the certificate chain cannot be validated, which is again a different error from expiry.
133.
Which of the following is a symmetric encryption mode of operation?
- GCM
- 3DES
- Salsa20
- ChaCha
Correct answer: GCM
GCM (Galois/Counter Mode) is a mode of operation for block ciphers, most commonly AES: it encrypts with counter (CTR) mode and adds an authentication tag computed with GHASH, making it an authenticated encryption (AEAD) mode. The other three options are symmetric ciphers, not modes: 3DES is a block cipher, and Salsa20 and ChaCha are stream ciphers.
134.
What metric determines the maximum tolerable amount of lost data in the event of a service disruption?
- RPO
- RTO
- DRP
- BIA
Correct answer: RPO
RPO (recovery point objective) is the maximum amount of allowable lost data in the event of a service disruption.
RTO (recovery time objective) is the maximum amount of allowable downtime before service is restored in the event of a service disruption.
A DRP (disaster recovery plan) details how an organization can restore operations and recover from a disaster.
A BIA (business impact analysis) is a process that identifies the critical functions and systems that must be restored in the event of a disaster.
135.
A software development company wants to take a development approach that is incremental and iterative. They want to produce a prototype and do a risk analysis at each stage. What developmental approach should they take?
- Spiral
- Waterfall
- SecDevOps
- Agile
Correct answer: Spiral
The spiral model is incremental and iterative: each loop of the spiral sets objectives, performs a risk analysis, builds and evaluates a prototype, and plans the next iteration, ending with a client review. It suits large projects where risk must be re-evaluated at every stage, but it is slower than some other models.
The Waterfall method proceeds through fixed phases and does not return to previous stages after they are completed. SecDevOps incorporates security into each phase of DevOps. Agile focuses on short iterations and continuous feedback but does not mandate a risk analysis or prototype at each stage.
136.
At times, applications may use the actual name or key of an element when generating a web page. Applications don't always verify that a user is authorized for the target. What type of vulnerability does this result in?
- Insecure direct object reference
- Direct reference insecurity
- Application specific allocation
- Direct link bypassing
Correct answer: Insecure direct object reference
An insecure direct object reference (IDOR) vulnerability occurs when a web application uses the actual name or key of an object (a database id, a file name) in a URL or form field and then accesses that object without checking that the requester is authorized for it. The attacker is typically an authenticated user: they have permission to use the application, but by changing the reference they read or modify data belonging to someone else. To prevent this, every direct object reference must undergo an access check against the current user, or the application can use indirect references (per-user opaque tokens that the server maps back to real keys). Code review of the application with this specific issue in mind is also recommended.
"Direct reference insecurity", "application specific allocation", and "direct link bypassing" are not recognized vulnerability names; they are distractors.
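Here is an added example in Python (not part of the original question set) showing the vulnerable handler next to the two fixes just described. The invoice store, the user names, and the handler signatures are constructed for the example; a real application would take the user from the session and the id from the route.

```python
import secrets

# Constructed in-memory store standing in for the application's database.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 980.50},
}

class NotFound(Exception):
    """Raised for an invoice the caller may not see; maps to HTTP 404."""

def get_invoice_vulnerable(user: str, invoice_id: int) -> dict:
    """Handler for GET /invoices/<id> with authentication but no authorization.
    'user' is the authenticated caller, yet it is never consulted, so any
    logged-in user who edits the id in the URL reads anyone's invoice."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None

def get_invoice_fixed(user: str, invoice_id: int) -> dict:
    """Same lookup with an ownership check on every direct object reference.
    Missing and foreign invoices both yield NotFound, so the response does not
    tell an attacker which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != user:
        raise NotFound(invoice_id)
    return invoice

class ReferenceMap:
    """Indirect object references: a per-user (or per-session) map from random
    opaque tokens to real ids. Clients only ever see tokens they were issued;
    anything else resolves to nothing, so there is no id to tamper with."""
    def __init__(self, real_ids) -> None:
        self._to_id = {secrets.token_urlsafe(12): i for i in real_ids}
        self._to_token = {i: t for t, i in self._to_id.items()}

    def token_for(self, real_id: int) -> str:
        return self._to_token[real_id]

    def resolve(self, token: str):
        return self._to_id.get(token)   # None for any token this user was not issued

def probe(handler, user: str, candidate_ids) -> list:
    """Simulate an attacker iterating ids; returns those the handler served."""
    served = []
    for i in candidate_ids:
        try:
            handler(user, i)
            served.append(i)
        except NotFound:
            pass
    return served

if __name__ == "__main__":
    ids = [1001, 1002, 1003]
    print("vulnerable:", probe(get_invoice_vulnerable, "alice", ids))   # alice reads bob's too
    print("fixed     :", probe(get_invoice_fixed, "alice", ids))        # only her own
```

The probe is exactly what an attacker does: iterate nearby ids. Against the vulnerable handler Alice sees Bob's invoice; against the fixed one she sees only her own, and cannot distinguish "not yours" from "does not exist". The ReferenceMap variant removes the sequential id from the client side altogether, which also defeats enumeration.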
137.
What type of number is assigned to publicly disclosed cybersecurity vulnerabilities?
- CVE ID
- NIST ID
- RFC ID
- NVD ID
Correct answer: CVE ID
A CVE Numbering Authority (CNA) assigns each publicly disclosed cybersecurity vulnerability a unique Common Vulnerabilities and Exposures (CVE) identifier, or CVE ID, of the form CVE-YYYY-NNNN (the year the ID was reserved and a sequence number of four or more digits). The CVE record is the published entry for that ID.
NIST is the National Institute of Standards and Technology; "NIST ID" is a distractor option.
Request For Comments publications (RFCs) are Internet Engineering Task Force (IETF) publications that detail technical standards, best practices, and recommendations. The National Vulnerability Database (NVD) is NIST's database of vulnerability information (severity scores, affected products, references) keyed by CVE ID; it does not assign identifiers of its own.
138.
What term describes information about data like EXIF information in a .jpeg file?
- Metadata
- Superdata
- XOR data
- CMDB data
Correct answer: Metadata
Metadata is information about data. EXIF information in a .jpeg file (camera make and model, capture time, GPS coordinates) is one example; email headers are another. Metadata matters in security because it is often published unintentionally and because it is evidence in forensics.
A CMDB (configuration management database) records the configuration items (CIs) in an environment and the relationships between them.
Superdata and XOR data are distractor answers.
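To show where EXIF actually lives in a file, here is an added example in Python (not part of the original question set) that builds a minimal JPEG container carrying an Exif APP1 segment, parses the IFD0 tags back out, and strips the segment as a publishing sanitizer would. The camera make, model, date, and orientation values are constructed sample data; the file layout (JPEG markers, the "Exif\0\0" header, the TIFF byte-order mark, and the 12-byte IFD entries) follows the real format, and the parser bounds-checks every offset because metadata is attacker-controlled input.

```python
import struct

# Tag names for the handful of IFD0 tags this example understands.
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0112: "Orientation",
             0x0131: "Software", 0x0132: "DateTime"}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}   # BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED


def build_exif_jpeg(entries, little_endian=True) -> bytes:
    """Build a minimal JPEG container (SOI, APP1/Exif, EOI; no image data)
    whose TIFF block holds IFD0 with the given (tag, type, value) entries.
    ASCII values are bytes, SHORT values are ints. Values longer than four
    bytes go in a data area after the IFD, addressed by offset as in real files."""
    e = "<" if little_endian else ">"
    header = (b"II" if little_endian else b"MM") + struct.pack(e + "HI", 42, 8)
    ifd_end = 8 + 2 + 12 * len(entries) + 4      # where out-of-line data starts
    ifd, data = struct.pack(e + "H", len(entries)), b""
    for tag, typ, value in entries:
        if typ == 2:                              # ASCII, NUL-terminated
            raw = value + b"\x00"
            if len(raw) <= 4:                     # short values live inside the entry
                ifd += struct.pack(e + "HHI", tag, typ, len(raw)) + raw.ljust(4, b"\x00")
            else:
                ifd += struct.pack(e + "HHII", tag, typ, len(raw), ifd_end + len(data))
                data += raw
        elif typ == 3:                            # one SHORT, left-justified in the 4-byte field
            ifd += struct.pack(e + "HHI", tag, typ, 1) + struct.pack(e + "H", value) + b"\x00\x00"
    tiff = header + ifd + struct.pack(e + "I", 0) + data   # 0 = no next IFD
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


def split_jpeg(data: bytes):
    """Return (segments, tail): segments is a list of (marker, raw segment
    bytes) between SOI and the scan data; tail is everything from SOS (or
    EOI) onward, which a metadata tool must pass through untouched."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    segments, pos = [], 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] not in (0xDA, 0xD9):
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((data[pos + 1], data[pos:pos + 2 + length]))
        pos += 2 + length
    return segments, data[pos:]


def is_exif_segment(marker: int, seg: bytes) -> bool:
    return marker == 0xE1 and seg[4:10] == b"Exif\x00\x00"


def parse_tiff_ifd0(tiff: bytes) -> dict:
    """Decode IFD0. Offsets come from untrusted input, so every read is
    bounds-checked instead of trusting the file."""
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if e is None or struct.unpack(e + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header")
    ifd = struct.unpack(e + "I", tiff[4:8])[0]
    if ifd + 2 > len(tiff):
        raise ValueError("IFD offset outside data")
    count = struct.unpack(e + "H", tiff[ifd:ifd + 2])[0]
    tags = {}
    for i in range(count):
        base = ifd + 2 + 12 * i
        if base + 12 > len(tiff):
            raise ValueError("truncated IFD")
        tag, typ, n = struct.unpack(e + "HHI", tiff[base:base + 8])
        field = tiff[base + 8:base + 12]
        size = TYPE_SIZE.get(typ, 1) * n
        if size <= 4:
            raw = field[:size]
        else:
            off = struct.unpack(e + "I", field)[0]
            if off + size > len(tiff):
                raise ValueError(f"tag 0x{tag:04X} points outside data")
            raw = tiff[off:off + size]
        if typ == 2:
            value = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        elif typ == 3:
            shorts = struct.unpack(e + "H" * n, raw)
            value = shorts[0] if n == 1 else shorts
        else:
            value = raw
        tags[TAG_NAMES.get(tag, f"0x{tag:04X}")] = value
    return tags


def parse_exif(data: bytes) -> dict:
    for marker, seg in split_jpeg(data)[0]:
        if is_exif_segment(marker, seg):
            return parse_tiff_ifd0(seg[10:])
    return {}


def strip_exif(data: bytes) -> bytes:
    """Remove APP1/Exif segments (what a 'sanitize before publishing' step does)."""
    segments, tail = split_jpeg(data)
    return data[:2] + b"".join(seg for m, seg in segments if not is_exif_segment(m, seg)) + tail


# Constructed sample metadata (not from a real camera).
SAMPLE_ENTRIES = [(0x010F, 2, b"Acme Cameras"), (0x0110, 2, b"AC-1"), (0x0112, 3, 6),
                  (0x0131, 2, b"v1"), (0x0132, 2, b"2024:05:17 09:12:33")]
SAMPLE_JPEG = build_exif_jpeg(SAMPLE_ENTRIES)
SAMPLE_JPEG_BE = build_exif_jpeg(SAMPLE_ENTRIES, little_endian=False)

if __name__ == "__main__":
    print(parse_exif(SAMPLE_JPEG))
    print(parse_exif(strip_exif(SAMPLE_JPEG)))
```

A real camera file adds an Exif sub-IFD (tag 0x8769) and often a GPS IFD (tag 0x8825) reached through further offsets; the same bounds-checked walk applies to those, and a forensic tool should record the raw bytes it cannot decode rather than drop them.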
139.
Which of the following options is a benefit of a network design that places a VPN appliance in parallel with a firewall appliance?
- It is highly scalable
- It provides centralized content inspection
- It is energy efficient
- It eliminates the need for a DNS server
Correct answer: It is highly scalable
There are multiple options for VPN placement in a network. The different options include:
- VPN in parallel with the firewall
- VPN inside a screened subnet
- An integrated VPN and firewall appliance
A key benefit of running a VPN in parallel with a firewall is scalability. With this design, you can use multiple VPN appliances in parallel with your firewall. A tradeoff with this approach is that there is no central content inspection point.
This design approach is not necessarily energy efficient and does not eliminate the need for a DNS server.
140.
A company wants to test a new application for security holes. All of the following are exploit frameworks they could use EXCEPT:
- Nmap
- Metasploit
- CANVAS
- IMPACT
Correct answer: Nmap
Nmap is an open-source network scanning and discovery tool. It identifies hosts, open ports, and services, and its NSE scripts can check for some known vulnerabilities, but it is not an exploitation framework.
Metasploit is an open-source exploitation framework that ships with many exploit modules and payloads. CANVAS is a commercial exploitation framework made by Immunity and sold by subscription. IMPACT, or Core Impact, is a commercial exploitation framework from Core Security.