CAS-004 Japanese Exam Free Question Set: "CompTIA Advanced Security Practitioner (CASP+) Exam (CAS-004 Japanese Version)" Certification
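A security analyst is reviewing the following output from a vulnerability scan of an organization's internet-facing web service:
* Line 06: Hostname sent via SNI does not match certificate.
* Line 10: Certificate not validated by OCSP.
* Line 13: Weak SHA-1 signature algorithm detected.
* Line 17: TLS 1.2 cipher suite negotiated.
* Line 18: SSL session not using forward secrecy.
Which of the following indicates a vulnerability that an attacker could use to exploit the trust relationship between the client and the server?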
Correct answer: D
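A security engineer needs to review the configurations of several devices on the network to meet the following requirements:
* The PostgreSQL server must allow connections only from within the 10.1.2.0/24 subnet.
* The SSH daemon on the database server must be configured to listen on port 4022.
* The SSH daemon must only accept connections from a single workstation.
* The host-based firewall must be disabled on all workstations.
* All devices must have the latest updates applied within the past 8 months
days.
* All HDDs must be configured to protect data at rest.
* Cleartext services are not allowed.
* All devices must be hardened whenever possible.
Instructions:
Click on the various workstations and network devices to review the posture assessment results. Remediate any issues found, or indicate that no issue was found.
Click on Server A to review the output data. Select the commands on the appropriate tabs to fix the issue with connecting to the PostgreSQL database via SSH.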

[Images: posture assessment output for WAP A, PC A, Laptop A, Switch A, Switch B, Laptop B, PC B, PC C and Server A]
Correct answer:
See the Explanation below for the solution.
Explanation:
WAP A: No issue found. WAP A is configured correctly and meets the requirements.
PC A = Enable host-based firewall to block all traffic
This option will turn off the host-based firewall and allow all traffic to pass through. This will comply with the requirement and also improve the connectivity of PC A to other devices on the network. However, this option will also reduce the security of PC A and make it more vulnerable to attacks. Therefore, it is recommended to use other security measures, such as antivirus, encryption, and password complexity, to protect PC A from potential threats.
Laptop A: Patch management
This option will install the updates that are available for Laptop A and ensure that it has the most recent security patches and bug fixes. This will comply with the requirement and also improve the performance and stability of Laptop A. However, this option may also require a reboot of Laptop A and some downtime during the update process. Therefore, it is recommended to back up any important data and close any open applications before applying the updates.
Switch A: No issue found. Switch A is configured correctly and meets the requirements.
Switch B: No issue found. Switch B is configured correctly and meets the requirements.
Laptop B: Disable unneeded services
This option will stop and disable the telnet service that is using port 23 on Laptop B. Telnet is a cleartext service that transmits data in plain text over the network, which exposes it to eavesdropping, interception, and modification by attackers. By disabling the telnet service, you will comply with the requirement and also improve the security of Laptop B. However, this option may also affect the functionality of Laptop B if it needs to use telnet for remote administration or other purposes. Therefore, it is recommended to use a secure alternative to telnet, such as SSH or HTTPS, that encrypts the data in transit.
PC B: Enable disk encryption
This option will encrypt the HDD of PC B using a tool such as BitLocker or VeraCrypt. Disk encryption is a technique that protects data at rest by converting it into an unreadable format that can only be decrypted with a valid key or password. By enabling disk encryption, you will comply with the requirement and also improve the confidentiality and integrity of PC B's data. However, this option may also affect the performance and usability of PC B, as it requires additional processing time and user authentication to access the encrypted data. Therefore, it is recommended to back up any important data and choose a strong key or password before encrypting the disk.
PC C: Disable unneeded services
This option will stop and disable the SSH daemon that is using port 22 on PC C. SSH is a secure service that allows remote access and command execution over an encrypted channel. However, port 22 is the default and well-known port for SSH, which makes it a common target for brute-force attacks and port scanning. By disabling the SSH daemon on port 22, you will comply with the requirement and also improve the security of PC C. However, this option may also affect the functionality of PC C if it needs to use SSH for remote administration or other purposes. Therefore, it is recommended to enable the SSH daemon on a different port, such as 4022, by editing the configuration file using the following command:
sudo nano /etc/ssh/sshd_config
Server A. Need to select the following:

