Correct Answer: (Answer option in bold)
Short but Comprehensive Explanation of Correct Answer Only: (Short Explanation based on CompTIA CASP+ documents and resources)
Verified References: (Related URLs AND Make sure Links are working and verified references)
================
A security administrator wants to detect a potential forged sender claim in tt-e envelope of an email. Which of the following should the security administrator implement? (Select TWO).

1. A. MX record
2. B. DMARC
3. C. SPF
4. D. DNSSEC
5. E. S/MIME
6. F. TLS

Correct Answer: BC
DMARC (Domain-based Message Authentication, Reporting and Conformance) and SPF (Sender Policy Framework) are two mechanisms that can help detect and prevent email spoofing, which is the creation of email messages with a forged sender address. DMARC allows a domain owner to publish a policy that specifies how receivers should handle messages that fail authentication tests, such as SPF or DKIM (DomainKeys Identified Mail). SPF allows a domain owner to specify which mail servers are authorized to send email on behalf of their domain. By checking the DMARC and SPF records of the sender’s domain, a receiver can verify if the email is from a legitimate source or not. Verified References:
✑ https://en.wikipedia.org/wiki/Email_spoofing
✑ https://en.wikipedia.org/wiki/DMARC
✑ https://en.wikipedia.org/wiki/Sender_Policy_Framework

Which of the following controls primarily detects abuse of privilege but does not prevent it?

1. A. Off-boarding
2. B. Separation of duties
3. C. Least privilege
4. D. Job rotation

Correct Answer: A

A security is assisting the marketing department with ensuring the security of the organization’s social media platforms. The two main concerns are:
The Chief marketing officer (CMO) email is being used department wide as the username The password has been shared within the department
Which of the following controls would be BEST for the analyst to recommend?

1. A. Configure MFA for all users to decrease their reliance on other authentication.
2. B. Have periodic, scheduled reviews to determine which OAuth configuration are set for each media platform.
3. C. Create multiple social media accounts for all marketing user to separate their actions.
4. D. Ensue the password being shared is sufficiently and not written down anywhere.

Correct Answer: A
Configuring MFA for all users to decrease their reliance on other authentication is the best option to improve email security at the company. MFA stands for multi-factor authentication, which is a method of verifying a user’s identity by requiring two or more factors, such as something the user knows (e.g., password), something the user
has (e.g., token), or something the user is (e.g., biometric). MFA can prevent unauthorized access to email accounts even if the username or password is compromised or shared. Verified References: https://www.comptia.org/training/books/casp-cas-004-study-guide , https://www.csoonline.com/article/3239144/what-is-mfa-how-multi-factor-authentication- works.html

A security engineer has been asked to close all non-secure connections from the corporate network. The engineer is attempting to understand why the corporate UTM will not allow users to download email via IMAPS. The engineer formulates a theory and begins testing by creating the firewall ID 58, and users are able to download emails correctly by using IMAP instead. The network comprises three VLANs:

The security engineer looks at the UTM firewall rules and finds the following:

Which of the following should the security engineer do to ensure IMAPS functions properly on the corporate user network?

1. A. Contact the email service provider and ask if the company IP is blocked.
2. B. Confirm the email server certificate is installed on the corporate computers.
3. C. Make sure the UTM certificate is imported on the corporate computers.
4. D. Create an IMAPS firewall rule to ensure email is allowed.

Correct Answer: D
IMAPS (Internet Message Access Protocol Secure) is a protocol that allows users to access and manipulate email messages on a remote mail server over a secure connection. IMAPS uses SSL/TLS encryption to protect the communication between the client and the server. IMAPS uses port 993 by default. To ensure IMAPS functions properly on the corporate user network, the security engineer should create an IMAPS firewall rule on the UTM (Unified Threat Management) device that allows traffic from VLAN 10 (Corporate Users) to VLAN 20 (Email Server) over port 993. The existing firewall rules do not allow this traffic, as they only allow HTTP (port 80), HTTPS (port 443), and SMTP (port 25). References: https://www.techopedia.com/definition/2460/internet-message-access- protocol-secure-imaps https://www.sophos.com/en- us/support/knowledgebase/115145.aspx

A security analyst receives an alert from the SIEM regarding unusual activity on an authorized public SSH jump server. To further investigate, the analyst pulls the event logs directly from /var/log/auth.log: graphic.ssh_auth_log.
Which of the following actions would BEST address the potential risks by the activity in the logs?

1. A. Alerting the misconfigured service account password
2. B. Modifying the AllowUsers configuration directive
3. C. Restricting external port 22 access
4. D. Implementing host-key preferences

Correct Answer: B
Reference: https://www.rapid7.com/blog/post/2017/10/04/how-to-secure-ssh-server-using- port-knocking-on-ubuntu-linux/
The AllowUsers configuration directive is an option for SSH servers that specifies which users are allowed to log in using SSH. The directive can include usernames, hostnames, IP addresses, or patterns. The directive can also be negated with a preceding exclamation mark (!) to deny access to specific users.
The logs show that there are multiple failed login attempts from different IP addresses using different usernames, such as root, admin, test, etc. This indicates a brute-force attack that is trying to guess the SSH credentials. To address this risk, the security analyst should modify the AllowUsers configuration directive to only allow specific users or hosts that are authorized to access the SSH jump server. This will prevent unauthorized users from attempting to log in using SSH and reduce the attack surface. References: https://man.openbsd.org/sshd_config#AllowUsers
https://www.ssh.com/academy/ssh/brute-force