CASP Sample Questions

I recently learned that I passed the beta exam for CASP that I took back in May. Here are a couple of links to blogs I wrote about CASP, in case you’re interested. CompTIA Advanced Security Practitioner (Beta Exam) , CompTIA Advanced Security Practitioner (CASP).

Update: Get CAS-002 practice test questions here.

If you’re thinking about taking this exam, you may want to see some sample questions. Here are a few questions I wrote just to help me remember what this exam is about.

1. Which of the following methods can be used to detect the use of steganography?

A. Symmetric encryption

B. Asymmetric encryption

C. Integrity checking

D. Authentication

Answers below

2. Which of the following command line tools can you use to create a 128-bit hash?

A. md5sum

B. sha1sum

C. Verify

D. Cipher

Answers below

3. Which of the following can be used to assist in the management of HVAC controls?

A. LDAP

B. NIPS

C. TSIG

D. SCADA

Answers below

4. A web site uses certificates to secure HTTPS transmissions. What can be used to query the CA to verify the certificate is
not revoked?

A. CRL

B. OCSP

C. RA

D. RSA

5. An organization decides to purchase insurance to provide protection against a risk. What are they using?

A. Risk avoidance

B. Risk transference

C. Risk mitigation

D. Risk acceptance

Answers below

6. An organization has created a disaster recovery plan. Additionally, they encrypt valuable data. What basic security principles are they addressing?

A. Confidentiality and integrity

B. Availability and integrity

C. Availability and confidentiality

D. Risk mitigation and risk avoidance

Answers below

7. After a court directed that you need to provide copies of all email sent and received from an employee over the last three years. After investigation, your company realizes it cannot provide all the email copies. Which of the following topics is most relevant?

A. Data ownership policies

B. Offsite storage of data

C. Data retention policies

D. Data backup procedures

Answers below

8. You are researching security requirements for a contract that your company will bid on. You need to get additional information on the security requirements, what would you use?

A. RFP

B. RFQ

C. RFI

D. RFC

Answers below

9. An organization is researching the availability of software to improve internal processes. They want to reduce the potential
risks. What should they use?

A. Develop the software in house

B. Outsource the development of the software

C. Custom develop an available application

D. Use COTS

Answers below

10. The CEO of a company loses his mobile phone and the phone has sensitive data stored on it. What can reduce the risks in this situation?

A. GPS

B. Password protect the phone

C. Remotely wipe the phone

D. Report the loss to the police

Answers below

Answers

1. Which of the following methods can be used to detect the use of steganography?

A. Symmetric encryption

B. Asymmetric encryption

C. Integrity checking

D. Authentication

1. Answer:  C

Explanation: Integrity checking can detect the use of steganography by comparing the hash of file calculated at different times. Steganography is the practice of hiding data within data and is often done by modifying the least significant bits in multiple bytes of large files such as graphics or audio files. While these modifications aren’t easy to see or hear, they will cause significant differences in the hashes produced before and after the modifications. Symmetric encryption (using one key) and asymmetric encryption (using a public and private key) provides confidentiality for data, and authentication provides proof of an identity but none of these can detect steganography.

Domain: 1.0 Enterprise Security

SubDomain: 1.1 Distinguish which cryptographic tools and techniques are appropriate for a given situation.

2. Which of the following command line tools can you use to create a 128-bit hash?

A. md5sum

B. sha1sum

C. Verify

D. Cipher

2. Answer: A

Explanation: MD5 is a hashing algorithm that creates 128-bit hashes and md5sum is a command-line application (available as a free download via the Internet) that can calculate the MD5 hash on files. For example, after downloading a program, you can use md5sum.exe to calculate the hash on the downloaded program and compare it to the hash posted on a Web site. Sha1sum.exe will create 160-bit SHA1 hashes. Verify is a Windows command that can verify if files are written correctly to the disk. Cipher is a Windows command that can encrypt files on a NTFS drive.

Domain: 1.0 Enterprise Security

SubDomain: 1.1 Distinguish which cryptographic tools and techniques are appropriate for a given situation.

3. Which of the following can be used to assist in the management of HVAC controls?

A. LDAP

B. NIPS

C. TSIG

D. SCADA

3. Answer: D

Explanation: Supervisory Control and Data Acquisition (SCADA) refers to industrial control systems (like that infected in Iran’s nuclear facilities) and includes heating ventilation and air conditioning (HVAC) controls. LDAP is a used to interact with directories such as Microsoft’s Active Directory. NIPS is used to detect and prevent network intrusions. TSIG is primarily used to protect DNS updates.

Domain: 1.0 Enterprise Security

SubDomain: 1.4 Integrate hosts, networks, infrastructures, applications and storage into secure comprehensive solutions

4. A web site uses certificates to secure HTTPS transmissions. What can be used to query the CA to verify the certificate is
not revoked?

A. CRL

B. OCSP

C. RA

D. RSA

4. Answer: B

Explanation: The Online Certificate Status Protocol (OCSP) allows clients to send a query to a CA with the serial number of a certificate and the CA replies with the status of the certificate. A CA can also publish a certificate revocation list (CRL), but the CRL is not used to query. Instead, the CRL (in the form of a version 2 certificate) is the response to request for the CRL. A RA provides registration services for a CA (when used) but does not verify certificates. RSA is the asymmetric encryption used with public key cryptography.

Domain: 1.0 Enterprise Security

SubDomain: 1.1 Distinguish which cryptographic tools and techniques are appropriate for a given situation.

5. An organization decides to purchase insurance to provide protection against a risk. What are they using?

A. Risk avoidance

B. Risk transference

C. Risk mitigation

D. Risk acceptance

5. Answer: B

Explanation: Risks can be transferred to another entity by purchasing insurance, such as fire or flood insurance. You avoid a risk by avoiding the activity that creates a risk. Risk mitigation refers to taking steps to reduce a risk. Risks can’t be eliminated and the risk that remains after taking steps to manage risk is referred to as residual risk and bit is accepted.

Domain: 2.0 Risk Mgmt, Policy/Procedure and Legal

SubDomain: 2.2 Execute and implement risk mitigation strategies and controls

6. An organization has created a disaster recovery plan. Additionally, they encrypt valuable data. What basic security principles are they addressing?

A. Confidentiality and integrity

B. Availability and integrity

C. Availability and confidentiality

D. Risk mitigation and risk avoidance

6. Answer: C

Explanation: A disaster recovery plan addresses availability and encryption of data addresses confidentiality. Elements of the security triad of confidentiality, integrity, and availability (CIA) are possible answers. Both of these steps are risk mitigation steps; they are attempting to reduce risks for potential losses.

Domain: 2.0 Risk Mgmt, Policy/Procedure and Legal

SubDomain: 2.2 Execute and implement risk mitigation strategies and controls

7. After a court directed that you need to provide copies of all email sent and received from an employee over the last three years. After investigation, your company realizes it cannot provide all the email copies. Which of the following topics is most relevant?

A. Data ownership policies

B. Offsite storage of data

C. Data retention policies

D. Data backup procedures

7. Answer: C

Explanation: If your organization has a data retention policy stating that email is archived for two years and then purged, this can be presented to the court as a reason why a company can’t comply with the order. Data ownership refers to who owns and manages data, but this is not relevant here. Data backups are stored offsite as a contingency in case onsite backups are not available, but this isn’t as relevant as the retention policies. Data backup procedures provide the steps to perform backups, but since the company can provide some copies, there is no indication that the backup procedures are faulty.

Domain: 2.0 Risk Mgmt, Policy/Procedure and Legal

SubDomain: 2.3 Explain the importance of preparing for and supporting the incident response and recovery process

8. You are researching security requirements for a contract that your company will bid on. You need to get additional information on the security requirements, what would you use?

A. RFP

B. RFQ

C. RFI

D. RFC

8. Answer: C

Explanation: A Request for Information (RFI) is a formal method of getting additional information on a contract. This question is an example of how important it is to know the acronyms for CASP and if you know the acronyms, you can easily the questions. RFP is the acronym for Request for Proposal. RFQ is the acronym for Request for Quote. RFC is Request for Comments but is used for networking standards, not contracts.

Domain: 3.0 Research and Analysis

SubDomain: 3.1 Analyze industry trends and outline potential impact to the enterprise

9. An organization is researching the availability of software to improve internal processes. They want to reduce the potential
risks. What should they use?

A. Develop the software in house

B. Outsource the development of the software

C. Custom develop an available application

D. Use COTS

9. Answer: D

Explanation: Commercial Off The Shelf (COTS) software reduces since it is known and tested. Any type of
software development introduces unknown risks.

Domain: 4.0 Integration of Computing, Communications and Business Disciplines

SubDomain: 4.2 Explain the security impact of inter-organizational change

10. The CEO of a company loses his mobile phone and the phone has sensitive stored on it. What can reduce the risks in this situation?

A. GPS

B. Password protect the phone

C. Remotely wipe the phone

D. Report the loss to the police

10. Answer: C

Explanation: The risk is related to the data so if the phone supports remotely clearing the data (remote wipe), this is the best solution. While GPS may help locate the phone doesn’t prevent someone from viewing the sensitive data. At this point, it is too late to password protect the phone. Reporting it to the police is a necessary step, but it is doubtful it will protect the data.

Domain: 4.0 Integration of Computing, Communications and Business Disciplines

SubDomain: 4.3 Select and distinguish the appropriate security controls with regard to communications and collaboration