CompTIA CAS-005 問題集

質問 1：
Embedded malware has been discovered in a popular PDF reader application and is currently being exploited in the wild. Because the supply chain was compromised, this malware is present in versions 10.0 through 10.3 of the software's official versions. The malware is not present in version 10.4.
Since the details around this malware are still emerging, the Chief Information Security Officer has asked the senior security analyst to collaborate with the IT asset inventory manager to find instances of the installed software in order to begin response activities. The asset inventory manager has asked an analyst to provide a regular expression that will identify the affected versions. The software installation entries are formatted as follows:
Reader 10.0
Reader 10.1
Reader 10.2
Reader 10.3
Reader 10.4
Which of the following regular expression entries will accurately identify all the affected versions?
A. Reader[11[01X.f0-3'
B. Reader( )[1][0] X.[1-3:
C. Reader( )[1][0].[0-3:
D. Reader(*)[1][0].[0-4:
正解：C
解説: (Topexam メンバーにのみ表示されます)

質問 2：
An organization is looking for gaps in its detection capabilities based on the APTs that may target the industry Which of the following should the security analyst use to perform threat modeling?
A. STRIDE
B. CAPEC
C. OWASP
D. ATT&CK
正解：D
解説: (Topexam メンバーにのみ表示されます)

質問 3：
A company's internal network is experiencing a security breach, and the threat actor is still active. Due to business requirements, users in this environment are allowed to utilize multiple machines at the same time.
Given the following log snippet:

Which of the following accounts should a security analyst disable to best contain the incident without impacting valid users?
A. user-c
B. user-a
C. user-b
D. user-d
正解：A
解説: (Topexam メンバーにのみ表示されます)

質問 4：
An auditor is reviewing the logs from a web application to determine the source of an incident. The web application architecture includes an internet-accessible application load balancer, a number of web servers in a private subnet, application servers, and one database server in a tiered configuration. The application load balancer cannot store the logs. The following are sample log snippets:
Web server logs:
192.168.1.10 - - [24/Oct/2020 11:24:34 +05:00] "GET /bin/bash" HTTP/1.1" 200 453 Safari/536.36
192.168.1.10 - - [24/Oct/2020 11:24:35 +05:00] "GET / HTTP/1.1" 200 453 Safari/536.36 Application server logs:
24/Oct/2020 11:24:34 +05:00 - 192.168.2.11 - request does not match a known local user. Querying DB
24/Oct/2020 11:24:35 +05:00 - 192.168.2.12 - root path. Begin processing Database server logs:
24/Oct/2020 11:24:34 +05:00 [Warning] 'option read_buffer_size1 unassigned value 0 adjusted to 2048
24/Oct/2020 11:24:35 +05:00 [Warning] CA certificate ca.pem is self-signed.
Which of the following should the auditor recommend to ensure future incidents can be traced back to the sources?
A. Install a software-based HIDS on the application servers.
B. Use stored procedures on the database server.
C. Enable the X-Forwarded-For header at the load balancer.
D. Install a certificate signed by a trusted CA.
E. Store the value of the $_SERVER['REMOTE_ADDR'] received by the web servers.
正解：C
解説: (Topexam メンバーにのみ表示されます)

質問 5：

Which of the following is the security engineer most likely doing?
A. Assessing log in activities using geolocation to tune impossible Travel rate alerts
B. Baselining user behavior to support advanced analytics
C. Threat hunting for suspicious activity from an insider threat
D. Reporting on remote log-in activities to track team metrics
正解：A
解説: (Topexam メンバーにのみ表示されます)

質問 6：

An organization is planning for disaster recovery and continuity of operations.
INSTRUCTIONS
Review the following scenarios and instructions. Match each relevant finding to the affected host.
After associating scenario 3 with the appropriate host(s), click the host to select the appropriate corrective action for that finding.
Each finding may be used more than once.
If at any time you would like to bring back the initial state of the simul-ation, please click the Reset All button.
正解：

Explanation:
A computer screen shot of a diagram Description automatically generated

A screenshot of a computer error Description automatically generated


質問 7：
Source code snippets for two separate malware samples are shown below:
Sample 1:
knockEmDown(String e) {
if(target.isAccessed()) {
target.toShell(e);
System.out.printIn(e.toString());
c2.sendTelemetry(target.hostname.toString + " is " + e.toString());
} else {
target.close();
}
}
Sample 2:
targetSys(address a) {
if(address.islpv4()) {
address.connect(1337);
address.keepAlive("paranoid");
String status = knockEmDown(address.current);
remote.sendC2(address.current + " is " + status);
} else {
throw Exception e;
}
}
Which of the following describes the most important observation about the two samples?
A. The samples were probably written by the same developer.
B. Both samples use IP connectivity for command and control.
C. Telemetry is first buffered and then transmitted in paranoid mode.
D. Sample 1 is the target agent while Sample 2 is the C2 server.
正解：A
解説: (Topexam メンバーにのみ表示されます)

質問 8：
A financial technology firm works collaboratively with business partners in the industry to share threat intelligence within a central platform This collaboration gives partner organizations theability to obtain and share data associated with emerging threats from a variety of adversaries Which of the following should the organization most likely leverage to facilitate this activity? (Select two).
A. CWPP
B. JTAG
C. YAKA
D. STIX
E. TAXII
F. ATTACK
正解：D,E
解説: (Topexam メンバーにのみ表示されます)