CASP CAS 003 Practice Questions And Answers With Complete Solutions

The Chief Information Officer (CIO) is reviewing the IT-centric BIA and RA documentation. The documentation shows that a single 24-hour downtime in a critical business function will cost the business $2.3 million. Additionally, the business unit which depends on the critical business function has determined that there is a high probability that a threat will materialize based on historical data. The CIO's budget does not allow for full system hardware replacement in case of a catastrophic failure, nor does it allow for the purchase of additional compensating controls. Which of the following should the CIO recommend to the finance director to minimize financial loss?
✔✔The company should transfer the risk.

The latest independent research shows that cyber-attacks involving SCADA systems grew an average of 15% per year in each of the last four years, but that this year's growth has slowed to around 7%. Over the same time period, the number of attacks against applications has decreased or stayed flat each year. At the start of the measure period, the incidence of PC boot loader or BIOS-based attacks was negligible. Starting two years ago, the growth in the number of PC boot loader attacks has grown exponentially. Analysis of these trends would seem to suggest which of the following strategies should be employed?
✔✔Spending on SCADA security controls should stay steady; application control spending should decrease slightly and spending on PC boot loader protections should increase substantially

A security administrator has noticed that an increased number of employees' workstations are becoming infected with malware. The company deploys an enterprise antivirus system as well as a web content filter, which blocks access to malicious web sites where malware files can be downloaded. Additionally, the company implements technical measures to disable external storage. Which of the following is a technical control that the security administrator should implement next to reduce malware infection?
✔✔Block cloud-based storage software on the company network

A security manager is looking into the following vendor proposal for a cloud-based SIEM solution. The intention is that the cost of the SIEM solution will be justified by having reduced the number of incidents and therefore saving on the amount spent investigating incidents.
Proposal: External cloud-based software as a service subscription costing $5,000 per month and is expected to reduce the number of current incidents per annum by 50%.
The company currently has ten security incidents per annum at an average cost of $10,000 per incident. Which of the following is the ROI for this proposal after three years?
✔✔-$30,000 (50% reduction: 5 incidents per year x $10,000 = $50,000 x 3 years = $150,000 (GAIN); $5,000 per month x 12 = $60,000 per year x 3 years = $180,000 (COST); ROI = $150,000 - $180,000 = -$30,000)

The risk manager at a small bank wants to use quantitative analysis to determine the ALE of running a business system at a location which is subject to fires during the year. A risk analyst reports to the risk manager that the asset value of the business system is $120,000. Based on industry data, the exposure factor to fires is only 20% due to the fire suppression system installed at the site. Fires occur in the area on average every four years. Which of the following is the ALE?
✔✔$6,000 (Single Loss Expectancy (SLE) is mathematically expressed as Asset Value (AV) x Exposure Factor (EF). SLE = AV x EF = $120,000 x 20% = $24,000 (this is over 4 years). Thus ALE = $24,000 / 4 = $6,000)

An infrastructure team is at the end of a procurement process and has selected a vendor. As part of the final negotiations, there are a number of outstanding issues, including:
1. Indemnity clauses have identified the maximum liability
2. The data will be hosted and managed outside of the company's geographical location
The number of users accessing the system will be small, and no sensitive data will be hosted in the solution. As the security consultant on the project, which of the following should the project's security consultant recommend as the NEXT step?
✔✔Require the solution owner to accept the identified risks and consequences

Two new technical SMB security settings have been enforced and have also become policies that increase secure communications.
Network Client: Digitally sign communication
Network Server: Digitally sign communication
A storage administrator in a remote location with a legacy storage array, which contains time-sensitive data, reports employees can no longer connect to their department shares. Which of the following mitigation strategies should an information security manager recommend to the data owner?
✔✔Accept the risk, reverse the settings for the remote location, and have the remote location file a risk exception until the legacy storage device can be upgraded

An organization has employed the services of an auditing firm to perform a gap assessment in preparation for an upcoming audit. As part of the gap assessment, the auditor supporting the assessment recommends the organization engage with other industry partners to share information about emerging attacks to organizations in the industry in which the organization functions. Which of the following types of information could be drawn from such participation?
✔✔Exploit frameworks

The generalized format for expressing the security category, SC, of an information type is
✔✔SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are LOW, MODERATE, HIGH

Following a security assessment, the Chief Information Security Officer (CISO) is reviewing the results of the assessment and evaluating potential risk treatment strategies. As part of the CISO's evaluation, a judgment of potential impact based on the identified risk is performed. To prioritize response actions, the CISO uses past experience to take into account the exposure factor as well as the external accessibility of the weakness identified. Which of the following is the CISO performing?
✔✔Quantitative risk assessment

A Chief Information Security Officer (CISO) is reviewing the results of a gap analysis with an outside cybersecurity consultant. The gap analysis reviewed all procedural and technical controls and found the following:
High-impact controls implemented: 6 out of 10
Medium-impact controls implemented: 409 out of 472
Low-impact controls implemented: 97 out of 1000
The report includes a cost-benefit analysis for each control gap. The analysis yielded the following information:
Average high-impact control implementation cost: $15,000; Probable ALE for each high-impact control gap: $95,000
Average medium-impact control implementation cost: $6,250; Probable ALE for each medium-impact control gap: $11,000
Due to the technical construction and configuration of the corporate enterprise, slightly more than 50% of the medium-impact controls will take two years to fully implement. Which of the following conclusions could the CISO draw from the analysis?
✔✔Because of the significant ALE for each high-risk vulnerability, efforts should be focused on those controls

Management is reviewing the results of a recent risk assessment of the organization's policies and procedures. During the risk assessment it is determined that procedures associated with background checks have not been effectively implemented. In response to this risk, the organization elects to revise policies and procedures related to background checks and use a third party to perform background checks on all new employees. Which of the following risk management strategies has the organization employed?
✔✔Mitigate

An organization is preparing to develop a business continuity plan. The organization is required to meet regulatory requirements relating to confidentiality and availability, which are well-defined. Management has expressed concern following initial meetings that the organization is not fully aware of the requirements associated with the regulations. Which of the following would be MOST appropriate for the project manager to solicit additional resources for during this phase of the project?
✔✔Gap assessment

Legal authorities notify a company that its network has been compromised for the second time in two years. The investigation shows the attackers were able to use the same vulnerability on different systems in both attacks. Which of the following would have allowed the security team to use historical information to protect against the second attack?
✔✔Key risk indicators

Company XYZ has purchased and is now deploying a new HTML5 application. The company wants to hire a penetration tester to evaluate the security of the client and server components of the proprietary web application before launch. Which of the following is the penetration tester MOST likely to use while performing black box testing of the security of the company's purchased application? (Select TWO).
✔✔(1) Fuzzer (2) Local proxy

A human resources manager at a software development company has been tasked with recruiting personnel for a new cyber defense division in the company. This division will require personnel to have high technology skills and industry certifications. Which of the following is the BEST method for this manager to gain insight into this industry to execute the task?
✔✔Attend conferences, webinars, and training to remain current with the industry and job requirements

A vulnerability scanner report shows that a client-server host monitoring solution operating in the credit card corporate environment is managing SSL sessions with a weak algorithm which does not meet corporate policy. Which of the following are true statements? (Select TWO)
✔✔(1) The client-server handshake is configured with a wrong priority. (2) The client-server handshake could not negotiate strong ciphers.

Joe, a penetration tester, is tasked with testing the security robustness of the protocol between a mobile web application and a RESTful application server. Which of the following security tools would be required to assess the security between the mobile web application and the RESTful application server? (Select TWO).
✔✔(1) Vulnerability scanner (2) HTTP interceptor

A security services company is scoping a proposal with a client. They want to perform a general security audit of their environment within a two-week period and consequently have the following requirements:
Requirement 1: Ensure their server infrastructure operating systems are at their latest patch levels
Requirement 2: Test the behavior between the application and database
Requirement 3: Ensure that customer data cannot be exfiltrated
Which of the following is the BEST solution to meet the above requirements?
✔✔Perform dynamic code analysis, penetration test and run a vulnerability scanner

A senior network security engineer has been tasked to decrease the attack surface of the corporate network. Which of the following actions would protect the external network interfaces from external attackers performing network scanning?
✔✔Test external interfaces to see how they function when they process fragmented IP packets.

A business wants to start using social media to promote the corporation and to ensure that customers have a good experience with their products. Which of the following security items should the company have in place before implementation? (Select TWO).
✔✔(1) The company must dedicate specific staff to act as social media representatives of the company. (2) The security policy needs to be reviewed to ensure that social media policy is properly implemented.

The Chief Information Security Officer (CISO) of a small bank wants to embed a monthly testing regimen into the security management plan specifically for the development area. The CISO's requirements are that testing must have a low risk of impacting system stability, can be scripted, and is very thorough. The development team claims that this will lead to a higher degree of test script maintenance and that it would be preferable if the testing was outsourced to a third party. The CISO still maintains that third-party testing would not be as thorough as the third party lacks the introspection of the development team. Which of the following will satisfy the CISO