CompTIA CASP+ Exam Questions

Page 8 of 50

141.

Which of the following about data sovereignty is TRUE?

  • Data sovereignty is determined by where the data is physically stored

  • Under GDPR, data sovereignty and data ownership are equivalent

  • Data sovereignty is determined by the data's source

  • Data sovereignty is determined by the data's transmission medium

Correct answer: Data sovereignty is determined by where the data is physically stored

Data sovereignty means that data is subject to the laws of the country where it physically resides. 

Data sovereignty and data ownership are not the same. Data ownership refers to both possession and responsibility. 

Data source and transmission medium do not directly impact data sovereignty.

142.

What is the oldest type of encryption?

  • Symmetric

  • Asymmetric

  • Hashing

  • Poly1305

Correct answer: Symmetric

Symmetric encryption is the oldest type of encryption. Caesar ciphers are a historical example of symmetric encryption.

Asymmetric encryption and hashing are newer technologies, and Poly1305 is a specific type of hashing algorithm.

143.

Which of the following serves as an information source that brings together a diverse array of companies that share a common concern for cyber security?

  • ISACs

  • OWASP

  • OVAL

  • NIST

Correct answer: ISACs

Information Sharing and Analysis Centers (ISACs) are specifically mentioned in the exam objectives. The IT-ISAC, for example, describes itself as growing "a diverse community of companies that leverage information technology and have in common a commitment to cyber-security." Its website is at www.it-isac.org.

The Open Web Application Security Project (OWASP) is mainly focused on web application security. The Open Vulnerability and Assessment Language (OVAL) is used for sharing information about vulnerabilities. The National Institute of Standards and Technology (NIST) focuses on measurements, standards, and research.

144.

What term refers to an organization's willingness to accept risk?

  • Risk appetite

  • ARO

  • FRAP

  • ALE

Correct answer: Risk appetite 

Risk appetite is an organization's willingness to accept risk. 

ARO (annual rate of occurrence) and ALE (annualized loss expectancy) are quantitative risk assessment variables. 

FRAP (Facilitated Risk Assessment Process) is a qualitative risk assessment technique.

145.

Which of the following is the process of recovering evidence from electronic devices?

  • E-discovery

  • E-recovery

  • E-restoration

  • E-collection

Correct answer: E-discovery

E-discovery is the term applied to gathering evidence from electronic devices. Because data on electronic devices is volatile, it's important to recover it systematically and thoroughly. Appropriate training ensures that the data is collected and preserved in the proper manner. E-discovery encompasses gathering all data, written and digital, regarding an incident.

E-recovery, e-restoration, and e-collection are not standard cybersecurity terms.

146.

A company has a website that uses AJAX. Which of the following security features should be used to prevent access to the DOM from other sites?

  • Same-origin policy

  • Encryption

  • Session management

  • Input validation

Correct answer: Same-origin policy

AJAX is a technology for creating web pages that update asynchronously. The same-origin policy only allows scripts loaded from the same origin (scheme, host, and port) to read or modify the page's DOM.

Encryption is used to keep unauthorized users from reading data. Session management is used to prevent session hijacking attempts. Input validation is used to prevent XSS or SQL injection attacks.

147.

Which of the following is a data subject's right under GDPR?

  • The right to erasure

  • The right to decrypt

  • The right to authenticate

  • The right to encrypt

Correct answer: The right to erasure 

A data subject's rights under GDPR include:

  • Rights related to automatic profiling and decisions
  • The right to object
  • The right to be informed
  • The right to access data
  • The right to rectification
  • The right to data portability
  • The right to erasure
  • The right to restrict processing

The other answers are distractor responses.

148.

The HR department is concerned that their in-house IT staff is not adequate for all services needed to maintain their server. The organization has a dedicated IT department that is outside of HR but has an agreement in place to provide necessary services when HR's in-house team is incapable. This has been coupled with an SLA to define the necessary services. 

What type of agreement is this?

  • Operational level agreement

  • Nondisclosure agreement

  • Interoperability agreement

  • Interconnection security agreement

Correct answer: Operational level agreement

An operational level agreement (OLA) is an internal organizational document that details the relationships that exist between departments to support activities. OLAs are often used with SLAs. A good example of an OLA is an agreement between the IT department and the accounting department in which the IT department agrees to be responsible for the backup services of the accounting server while daily operations are covered by the accounting department.

An interoperability agreement (IA) is an agreement between multiple organizations that will exchange sensitive information. 

A nondisclosure agreement (NDA) is an agreement between two parties that defines and limits the sharing of confidential information. 

An interconnection security agreement (ISA) is an agreement which details specific security requirements for interconnected systems controlled by different parties. 

149.

A company wants to implement APIs to better connect with consumers. All of the following are security issues they should be aware of when managing these APIs EXCEPT:

  • Response formats

  • Authentication

  • Authorization

  • Data scoping

Correct answer: Rate limits

Exposing APIs to clients can open up vulnerabilities. However, response formats, such as JSON or XML, are not related to security.

APIs (Application Programming Interfaces) use authentication to make sure that only allowed parties can connect. They use authorization to control which resources an authenticated party may access, and data scoping to ensure that too much data isn't exposed.

150.

Acme, Inc. set up an insecure web server with the intent of attracting malicious users and observing their behavior. What term best describes the insecure web server?

  • Honeypot

  • Watering hole

  • SNMP manager

  • SMTP server

Correct answer: Honeypot

In cybersecurity, honeypots are systems intended to attract malicious users. In this example, Acme, Inc.'s insecure web server is a honeypot. 

A watering hole attack is almost the reverse of a honeypot. In a watering hole attack, an attacker deploys malware at sites they expect target users to visit. An SNMP manager is a tool used to query and receive messages from an SNMP agent, often for the purpose of network monitoring. An SMTP server is a type of email server.

151.

Which of the following configurations for a WiFi network is the MOST secure?

  • WPA3 with MAC filtering

  • WEP with MAC filtering

  • WEP without MAC filtering

  • WPA3 without MAC filtering

Correct answer: WPA3 with MAC filtering

WPA in general is more secure than WEP for wireless security. MAC filtering adds additional security to wireless networks by only allowing a predetermined set of devices to connect to a network. Therefore, WPA3 with MAC filtering is the most secure WiFi implementation of the four options. 

152.

An analyst wants to avoid detection while scanning a network for pertinent information. Which type of technique will gather information based on captured packets rather than sending packets to a system and analyzing the results?

  • Passive vulnerability scanning

  • Active vulnerability scanning

  • Agent-based vulnerability scanning

  • Credentialed vulnerability scanning 

Correct answer: Passive vulnerability scanning

Passive vulnerability scanning avoids detection because it does not send packets to the target server. Instead, it evaluates packets that are captured on the network. This type of vulnerability scanning is less accurate than active scanning.

Active vulnerability scanning sends packets to a system to evaluate its response. Agent-based vulnerability scanning uses a small piece of software installed on the target machine. Credentialed vulnerability scanning tests vulnerabilities while logged in as a user.

153.

Which of the following is NOT a standard type of software testing?

  • Pipeline testing

  • Unit testing

  • User acceptance testing

  • Regression testing

Correct answer: Pipeline testing

Pipeline testing is not a standard type of software testing. 

Unit testing is the testing of individual blocks ("units") of code during development.

User acceptance testing is software testing performed by users to confirm the software meets their needs.

Regression testing is a form of testing that occurs after changes to confirm software still works as expected.

154.

Of the following, which is a bidding-process document issued by an organization that outlines their requirements for a supplier to potentially fulfill?

  • RFP

  • MOU

  • ISA

  • SLA

Correct answer: RFP

An RFP (request for proposal) is a bidding-process document an organization issues that outlines their requirements for a supplier. It details the specifics of a product or service the organization wants to purchase. Suppliers use the RFP as a guideline for submitting a formal proposal.

An SLA (service level agreement) is a minimum guaranteed service level a provider commits to. For example, an SLA may specify 99.9% uptime and 1 hour support response times.

An MOU (memorandum of understanding) is an agreement between multiple parties that is often non-binding, but formally details a shared understanding or agreement.

An ISA (interconnection security agreement) is a specific contract related to network connections and exchanging traffic.

155.

Which of the following statements are true about Zenmap?

Choose THREE.

  • It is a GUI for Nmap.

  • It displays output from port scans.

  • It lets users create custom scan profiles.

  • It lists vulnerabilities of scanned systems.

  • It captures data for analysis.

Zenmap is a GUI for Nmap. It has all the functionality of Nmap, and also lets users create custom scan profiles.

Zenmap does not do vulnerability scanning like Nessus or capture data like Wireshark.

156.

What advantage does PAT have for a network?

  • To enable devices with private IP addresses to connect to the internet

  • To allow different software applications to interact with each other

  • To detect and prevent attacks against a network

  • To protect web application servers from various types of attacks

Correct answer: To enable devices with private IP addresses to connect to the internet

Port Address Translation (PAT) is a one-to-many mapping of Network Address Translation (NAT) that allows one device to represent an entire private network. This saves on IPv4 addresses, which is useful because IPv4 does not have as large an address space as IPv6.

An API (Application Programming Interface) allows different software applications to interact with each other. An IPS (Intrusion Prevention System) detects and prevents attacks against a network. A WAF (Web Application Firewall) is used to protect web application servers from various types of attacks.

157.

Which standard is used by SCAP for the consistent use of data in reports and correlations?

  • ARF

  • CCE

  • CVSS

  • XCCDF

Correct answer: ARF

The Asset Reporting Format (ARF) is a data model used to express information about assets and the relationships between assets and reports. 

Common Configuration Enumeration (CCE) is a set of configuration best practices. The Common Vulnerability Scoring System (CVSS) is a rating system for vulnerabilities. The eXtensible Configuration Checklist Description Format (XCCDF) is used for security checklists and benchmarks.

158.

Of the following, which was introduced to solve the issues of a previously insecure wireless security method and utilizes the Temporal Key Integrity Protocol for encryption?

  • WPA

  • RC4

  • WEP

  • PSK

Correct answer: WPA

WPA was introduced to address security issues with WEP. WPA uses the Temporal Key Integrity Protocol (TKIP) for encryption.

WEP was the first security measure used with 802.11 wireless networks. A problem with WEP is how it implements the RC4 encryption algorithm.

PSK stands for pre-shared key, which could be used with WEP.

159.

What is the lowest (least mature) level in CMMI?

  • Initial

  • Defined

  • Qualitatively Managed

  • Managed

Correct answer: Initial

CMMI (Capability Maturity Model Integration) is a method improvement tool that groups projects and organizational units into one of five maturity levels. From lowest to highest, the five maturity levels are:

  1. Initial
  2. Managed
  3. Defined
  4. Qualitatively Managed
  5. Optimized

160.

Which of the following is the code that results from compiling source code from a high-level language like Java and is the intermediary between machine code and source code?

  • Byte

  • Script

  • Unknown environment

  • Object-oriented

Correct answer: Byte

Byte code is the intermediary code that results from compiling source code. 

Script code is a generic term for code in a script file. Computer scripts are written in scripting languages like Bash, Python, and PowerShell.

Object-oriented programming is a type of programming where code is organized using data objects.

Unknown environment is not a type of code.