Exam (elaborations)

CASP Practice Exam 1 questions and answers 2022

Pages
31
Grade
A+
Uploaded on
30-07-2022
Written in
2021/2022

Several of your organization's users have requested permission to install certificates from a third party. Company policy states that before users can install these certificates, you must verify that the certificates are still valid. You need to check for revocation. What could you check to verify this information? (Choose all that apply.)

A. CRL
B. OCSP
C. DNSSEC
D. DRM

Answer: A, B

Explanation: You can use either a certificate revocation list (CRL) or Online Certificate Status Protocol (OCSP) to check for certificate revocation, depending on which type of PKI is deployed.

Your company has an intrusion detection system (IDS) and firewall deployed on the perimeter of the network to detect attacks against internal resources. Yesterday, the IDS alerted you that SSL sessions are under attack, using an older exploit against SSLv2. Your organization's web server must use encryption for all financial transactions. You need to prevent such an attack from being successful in the future. What should you do?

A. Block SSLv2 on the firewall.
B. Block SSLv2 on the web server.
C. Disable SSLv2 and enable SSLv3 on the web server.
D. Update the web server with the latest patches and updates.

Answer: C

Explanation: You should disable SSLv2 and enable SSLv3 on the web server. This will prevent the use of SSLv2, which is the problem.

The research department for your company needs to carry out a web conference with a third party. The manager of the research department has requested that you ensure that the web conference is encrypted because of the sensitive nature of the topic that will be discussed. Which of the following should you deploy?

A. SSL
B. SET
C. IPsec
D. RC4

Answer: D

Explanation: RC4 is a stream-based cipher and could be used to encrypt web conference traffic.

Your company has recently decided to merge with another company. Each company has its own Internet PKI that deploys certificates to users within that network. You have been asked to deploy a solution that allows each company to trust the other's certificates. What should you do?

A. Issue a policy certificate accepting both trust paths.
B. Deploy a new PKI for all users and import the current user certificates to the new PKI.
C. Use a cross-certification certificate.
D. Add the root certificate to both of the root certification authorities (CAs).

Answer: C

Explanation: You should use a cross-certification certificate to ensure that each company trusts the other company's certificates.

Your company has a single, centralized web-based retail sales system. Orders come in 12 hours per day, 364 days per year. Sales average $500,000 per day. Attacks against the retail sales system occur on a daily basis. For the retail sales system, there is a 1% chance of a hacker bringing the system down. The mean time to restore the system is 6 hours. What is the ALE for this system?

A. $912,500
B. $250,000
C. $500,000
D. $910,000

Answer: D

Explanation: The annualized loss expectancy (ALE) for the system is $910,000. The asset value (AV) is $500,000. The exposure factor (EF) is 0.5 (6 hours/12 hours).

Single loss expectancy (SLE) = AV × EF = $500,000 × 0.5 = $250,000
Annualized rate of occurrence (ARO) = 0.01 × 364 = 3.64
Annualized loss expectancy (ALE) = SLE × ARO = $250,000 × 3.64 = $910,000

Your organization has recently implemented several new security policies in response to a recent risk analysis. One of the new policies states that controls must be configured to protect files from unauthorized or accidental deletion. Which aspect of security does this new policy address?

A. confidentiality
B. integrity
C. availability
D. authorization

Answer: B

Explanation: Configuring controls that will protect files from unauthorized or accidental deletion addresses data integrity.

Your company completes a risk analysis. After the analysis, management requests that you deploy security controls that will mitigate any of the identified risks. What is risk mitigation?

A. risk that is left over after safeguards have been implemented
B. terminating the activity that causes a risk or choosing an alternative that is not as risky
C. passing the risk on to a third party
D. defining the acceptable risk level the organization can tolerate and reducing the risk to that level

Answer: D

Explanation: Risk mitigation is defining the acceptable risk level the organization can tolerate and reducing the risk to that level.

Your company completes a risk analysis. After the analysis, management requests that you deploy security controls that will mitigate any of the identified risks. Management indicates that they expect a certain level of residual risk to remain. What is residual risk?

A. risk that is left over after safeguards have been implemented
B. terminating the activity that causes a risk or choosing an alternative that is not as risky
C. passing the risk on to a third party
D. defining the acceptable risk level the organization can tolerate and reducing the risk to that level

Answer: A

Explanation: Residual risk is risk that is left over after safeguards have been implemented.

Your company is negotiating with a new service provider for its Internet services. You have been asked to draft a service-level agreement (SLA) that stipulates the required levels of service for this company. The SLA must provide the appropriate levels of service that will ensure that your company's departmental SLAs are met. What should you use to develop the draft SLA?

A. OLA
B. NDA
C. MOU
D. ISA

Answer: A

Explanation: You should use the operating-level agreement (OLA) to develop the draft SLA. You need to ensure that your company's departmental SLAs are met. These are defined in an OLA.

Your company recently had a third party review all internal procedures. As a result of this review, the third party made several recommendations for procedural changes. One of the recommendations is that critical financial transactions should be split between two independent parties. Of which principle is this an example?

A. job rotation
B. separation of duties
C. least privilege
D. mandatory vacation

Answer: B

Explanation: This is an example of separation of duties, which occurs when critical tasks are split between independent parties to prevent fraud.

As part of the process of conducting a business impact analysis (BIA), you document the device name, operating system or platform version, hardware requirements, and device interrelationships of all devices. Which step of the BIA are you performing?

A. Identify critical processes and resources.
B. Identify resource requirements.
C. Identify outage impacts, and estimate downtime.
D. Identify recovery priorities.

Answer: B

Explanation: During the identify resource requirements step, you document the device names, operating systems or platform versions, hardware requirements, and device interrelationships of all devices.

As part of the process of conducting a business impact analysis (BIA), you perform the MTD, MTTR, and MTBF calculations. Which step of the BIA are you performing?

A. Identify critical processes and resources.
B. Identify resource requirements.
C. Identify outage impacts, and estimate downtime.
D. Identify recovery priorities.

Answer: C

Explanation: During the identify outage impacts and estimate downtime step, you perform the MTD, MTTR, and MTBF c

Seller: EvaTee, Phoenix University