최신CompTIA Advanced Security Practitioner (CASP+) - CAS-004무료샘플문제

문제1
The Chief Information Security Officer of a large multinational organization has asked the security risk manager to use risk scenarios during a risk analysis. Which of the following is the most likely reason for this approach?

정답: B
문제2
A product development team has submitted code snippets for review prior to release.
INSTRUCTIONS
Analyze the code snippets, and then select one vulnerability, and one fix for each code snippet.
Code Snippet 1

Code Snippet 2

Vulnerability 1:
SQL injection
Cross-site request forgery
Server-side request forgery
Indirect object reference
Cross-site scripting
Fix 1:
Perform input sanitization of the userid field.
Perform output encoding of queryResponse,
Ensure usex:ia belongs to logged-in user.
Inspect URLS and disallow arbitrary requests.
Implement anti-forgery tokens.
Vulnerability 2
1) Denial of service
2) Command injection
3) SQL injection
4) Authorization bypass
5) Credentials passed via GET
Fix 2
A) Implement prepared statements and bind
variables.
B) Remove the serve_forever instruction.
C) Prevent the "authenticated" value from being overridden by a GET parameter.
D) HTTP POST should be used for sensitive parameters.
E) Perform input sanitization of the userid field.
정답:
See the solution below in explanation.
Explanation:
Code Snippet 1
Vulnerability 1: SQL injection
SQL injection is a type of attack that exploits a vulnerability in the code that interacts with a database. An attacker can inject malicious SQL commands into the input fields, such asusername or password, and execute them on the database server. This can result in data theft, data corruption, or unauthorized access.
Fix 1: Perform input sanitization of the userid field.
Input sanitization is a technique that prevents SQL injection by validating and filtering the user input values before passing them to the database. The input sanitization should remove any special characters, such as quotes, semicolons, or dashes, that can alter the intended SQL query. Alternatively, the input sanitization can use a whitelist of allowed values and reject any other values.
Code Snippet 2
Vulnerability 2: Cross-site request forgery
Cross-site request forgery (CSRF) is a type of attack that exploits a vulnerability in the code that handles web requests. An attacker can trick a user into sending a malicious web request to a server that performs an action on behalf of the user, such as changing their password, transferring funds, or deleting data. This can result in unauthorized actions, data loss, or account compromise.
Fix 2: Implement anti-forgery tokens.
Anti-forgery tokens are techniques that prevent CSRF by adding a unique and secret value to each web request that is generated by the server and verified by the server before performing the action. The anti- forgery token should be different for each user and each session, and should not be predictable or reusable by an attacker. This way, only legitimate web requests from the user's browser can be accepted by the server.
문제3
Which of the following is the MOST important security objective when applying cryptography to control messages that tell an ICS how much electrical power to output?

정답: B
설명: (ITDumpsKR 회원만 볼 수 있음)
문제4
The Chief information Officer (CIO) wants to implement enterprise mobility throughout the organization. The goal is to allow employees access to company resources. However the CIO wants the ability to enforce configuration settings, manage data, and manage both company-owned and personal devices. Which of the following should the CIO implement to achieve this goal?

정답: D
설명: (ITDumpsKR 회원만 볼 수 있음)
문제5
A company recently deployed new servers to create an additional cluster to support a new application. The corporate security policy states that all new servers must be resilient. The new cluster has a high-availability configuration for a smooth failover. The failover was successful following a recent power outage, but both clusters lost critical data, which impacted recovery time. Which of the following needs to be configured to help ensure minimal delays when power outages occur in the future?

정답: B
설명: (ITDumpsKR 회원만 볼 수 있음)
문제6
Which of the following BEST describes a common use case for homomorphic encryption ?

정답: B
설명: (ITDumpsKR 회원만 볼 수 있음)
문제7
An organization found a significant vulnerability associated with a commonly used package in a variety of operating systems. The organization develops a registry of software dependencies to facilitate incident response activities. As part of the registry, the organization creates hashes of packages that have been formally vetted. Which of the following attack vectors does this registry address?

정답: D
문제8
Which of the following BEST sets expectation between the security team and business units within an organization?

정답: E
설명: (ITDumpsKR 회원만 볼 수 있음)
문제9
A recent audit discovered that multiple employees had been using their badges to walk through the secured data center to get to the employee break room. Most of the employees were given access during a previous project, but the access was not removed in a timely manner when the project was complete. Which of the following would reduce the likelihood of this scenario occurring again?

정답: A
설명: (ITDumpsKR 회원만 볼 수 있음)
문제10
The security analyst discovers a new device on the company's dedicated loT subnet during the most recent vulnerability scan. The scan results show numerous open ports and insecure protocols in addition to default usernames and passwords. A camera needs to transmit video to the security server in the loT subnet. Which of the following should the security analyst recommend to securely operate the camera?

정답: C
설명: (ITDumpsKR 회원만 볼 수 있음)
문제11
A developer is creating a new mobile application for a company. The application usesREST APIandTLS 1.2to communicate securely with the external back-end server. Due to this configuration, the company is concerned aboutHTTPS interception attacks. Which of the following would be thebestsolution against this type of attack?

정답: C
설명: (ITDumpsKR 회원만 볼 수 있음)

자격증의 중요성:

ITDumpsKR 경쟁율이 심한 IT시대에 인증시험을 패스함으로 IT업계 관련 직종에 종사하고자 하는 분들에게는 아주 큰 가산점이 될수 있고 자신만의 위치를 보장할수 있으며 더욱이는 한층 업된 삶을 누릴수 있을수도 있습니다.

ITDumpsKR 제품의 가치:

ITDumpsKR에는 IT인증시험의 최신 학습가이드가 있습니다. ITDumpsKR의 IT전문가들이 자신만의 경험과 끊임없는 노력으로 최고의 학습자료를 작성해 여러분들이 시험에서 패스하도록 도와드립니다.

무료샘플 받아보기:

관심있는 인증시험과목 덤프의 무료샘플을 원하신다면 덤프구매사이트의 PDF Version Demo 버튼을 클릭하고 메일주소를 입력하시면 바로 다운받아 덤프의 일부분 문제를 체험해 보실수 있습니다.

완벽한 서비스 제공:

ITDumpsKR는 한국어로 온라인상담과 메일상담을 받습니다. 덤프구매후 일년동안 무료 업데이트 서비스를 제공해드리며 구매일로 부터 60일내에 시험에서 떨어지는 경우 덤프비용 전액을 환불해드려 고객님의 부담을 덜어드립니다.