CAS-002 Exam Details

  • Exam Code
    :CAS-002
  • Exam Name
    :CompTIA Advanced Security Practitioner (CASP+)
  • Certification
    :CompTIA Certifications
  • Vendor
    :CompTIA
  • Total Questions
    :733 Q&As
  • Last Updated
    :Jan 22, 2024

CompTIA CAS-002 Online Questions & Answers

  • Question 161:

    The senior security administrator wants to redesign the company DMZ to minimize the risks associated with both external and internal threats. The DMZ design must support security in depth, change management and configuration processes, and support incident reconstruction. Which of the following designs BEST supports the given requirements?

    A. A dual firewall DMZ with remote logging where each firewall is managed by a separate administrator.
    B. A single firewall DMZ where each firewall interface is managed by a separate administrator and logging to the cloud.
    C. A SaaS based firewall which logs to the company's local storage via SSL, and is managed by the change control team.
    D. A virtualized firewall, where each virtual instance is managed by a separate administrator and logging to the same hardware.

  • Question 162:

    Company ABC was formed by combining numerous companies which all had multiple databases, web portals, and cloud data sets. Each data store had a unique set of custom developed authentication mechanisms and schemas. Which of the following approaches to combining the disparate mechanisms has the LOWEST up front development costs?

    A. Attestation
    B. PKI
    C. Biometrics
    D. Federated IDs

  • Question 163:

    An audit at a popular on-line shopping site reveals that a flaw in the website allows customers to purchase goods at a discounted rate. To improve security the Chief Information Security Officer (CISO) has requested that the web based shopping cart application undergo testing to validate user input in both free form text fields and drop down boxes.

    Which of the following is the BEST combination of tools and / or methods to use?

    A. Blackbox testing and fingerprinting
    B. Code review and packet analyzer
    C. Fuzzer and HTTP interceptor
    D. Enumerator and vulnerability assessment
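
Question 163 pairs a fuzzer with an HTTP interceptor because drop-down boxes and hidden fields are only constrained by the browser; a tester who edits the request after the form is submitted can send any value, and the server must still reject it. The following is an added example, not part of the exam page: a constructed cart handler that validates every field against server-side data, the weak handler it replaces (trusting a client-supplied discount and drop-down value), and a small fuzzer that exercises both. The catalog, coupon codes, field names and the price floor are assumptions made for illustration.

```python
"""Fuzzing a shopping-cart price calculation (added example; the handler,
catalog and field names are constructed, not from any real site)."""
import random
import string
from decimal import Decimal

# Constructed server-side data. The client must never be able to set these.
CATALOG = {"SKU-100": Decimal("19.99"), "SKU-200": Decimal("49.50")}
COUPONS = {"NONE": Decimal("0"), "SAVE10": Decimal("0.10")}  # drop-down choices
MAX_QTY = 99
CENTS = Decimal("0.01")


class ValidationError(ValueError):
    """Raised when input is rejected; the only exception the handler may raise."""


def price_cart(fields):
    """Hardened handler: allow-list every field, compute from server data only."""
    sku = fields.get("sku", "")
    if sku not in CATALOG:
        raise ValidationError("unknown sku")
    qty_raw = fields.get("qty", "")
    if not (qty_raw.isdigit() and 1 <= int(qty_raw) <= MAX_QTY):
        raise ValidationError("bad quantity")
    coupon = fields.get("coupon", "NONE")
    if coupon not in COUPONS:
        raise ValidationError("bad coupon")
    # A client-supplied 'discount' field is simply ignored, not interpreted.
    total = CATALOG[sku] * int(qty_raw) * (1 - COUPONS[coupon])
    return total.quantize(CENTS)


def price_cart_weak(fields):
    """The 'before': trusts a hidden 'discount' field and unchecked quantity."""
    sku = fields.get("sku", "")
    qty = int(fields.get("qty", "1"))
    discount = Decimal(fields.get("discount", "0"))
    total = CATALOG.get(sku, Decimal("0")) * qty * (1 - discount)
    return total.quantize(CENTS)


def mutate(fields, rng):
    """One fuzzed request. Models an HTTP interceptor: any field, including
    drop-down values and hidden fields, is editable after the browser submits."""
    out = dict(fields)
    field = rng.choice(sorted(out) + ["discount"])
    kind = rng.randrange(5)
    if kind == 0:
        out[field] = "-" + out.get(field, "1")                 # negative values
    elif kind == 1:
        out[field] = str(rng.randrange(-1000, 10**6))          # out-of-range ints
    elif kind == 2:
        out[field] = "".join(rng.choices(string.printable, k=rng.randrange(0, 40)))
    elif kind == 3:
        out[field] = rng.choice(["", "0", "1e9", "SAVE100", "'; DROP TABLE cart--"])
    else:
        out[field] = "0.99"                                    # 99% off if trusted
    return out


def fuzz(handler, iterations=500, seed=1):
    """Run mutated requests through a handler and return invariant violations.
    Accepted requests must never be priced below the cheapest legitimate total."""
    rng = random.Random(seed)
    base = {"sku": "SKU-100", "qty": "1", "coupon": "SAVE10"}
    floor = {s: (p * (1 - max(COUPONS.values()))).quantize(CENTS)
             for s, p in CATALOG.items()}
    findings = []
    for _ in range(iterations):
        req = mutate(base, rng)
        try:
            total = handler(req)
        except ValidationError:
            continue  # clean rejection is the expected outcome for bad input
        except Exception as exc:  # noqa: BLE001 - any other exception is a finding
            findings.append(("crash", req, repr(exc)))
            continue
        if req.get("sku") not in CATALOG or total < floor[req["sku"]]:
            findings.append(("underpriced", req, str(total)))
    return findings


if __name__ == "__main__":
    print("hardened handler findings:", len(fuzz(price_cart)))
    for kind, req, detail in fuzz(price_cart_weak)[:5]:
        print("weak handler:", kind, req, detail)
```

The invariant in `fuzz` is the property the audit in the question found violated: an accepted order must never total less than the catalog price after the best legitimate coupon. Crashes are reported separately because an unhandled exception on malformed input is itself a finding even when no discount results.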

  • Question 164:

    Which of the following is a security concern with deploying COTS products within the network?

    A. It is difficult to verify the security of COTS code because the source is available to the customer and it takes significant man hours to sort through it.
    B. COTS software often provides the source code as part of the licensing agreement and it becomes the company's responsibility to verify the security.
    C. It is difficult to verify the security of COTS code because the source is not available to the customer in many cases.
    D. COTS source code is readily available to the customer in many cases which opens the customer's network to both internal and external attacks.

  • Question 165:

    The risk manager is reviewing a report which identifies a requirement to keep a business critical legacy system operational for the next two years. The legacy system is out of support: the vendor no longer releases security patches for it. Additionally, this is a proprietary embedded system and little is documented or known about it. Which of the following should the Information Technology department implement to reduce the security risk from a compromise of this system?

    A. Virtualize the system and migrate it to a cloud provider.
    B. Segment the device on its own secure network.
    C. Install an antivirus and HIDS on the system.
    D. Hire developers to reduce vulnerabilities in the code.

  • Question 166:

    A company has noticed recently that its corporate information has ended up on an online forum. An investigation has identified that internal employees are sharing confidential corporate information on a daily basis. Which of the following are the MOST effective security controls that can be implemented to stop the above problem? (Select TWO).

    A. Implement a URL filter to block the online forum
    B. Implement NIDS on the desktop and DMZ networks
    C. Security awareness compliance training for all employees
    D. Implement DLP on the desktop, email gateway, and web proxies
    E. Review of security policies and procedures
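
The DLP option in Question 166 only stops the leak if the control can recognise corporate content in outbound traffic, not just a forum URL. The following is an added example, not part of the exam page: a minimal content-aware check of the kind an email gateway or web proxy would apply, combining a classification-marker rule with partial document fingerprinting (hashed word shingles of registered confidential documents). The memo, the outbound messages, the shingle size and the match threshold are all constructed or assumed for illustration.

```python
"""Content-aware DLP check (added example; documents, messages and
thresholds are constructed, not taken from any product or the exam page)."""
import hashlib
import re

SHINGLE = 5       # words per shingle (assumed tuning value)
THRESHOLD = 0.3   # fraction of a document's shingles present in one message


def normalize(text):
    """Lowercase and keep only alphanumeric tokens so formatting changes don't evade matching."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(words, n=SHINGLE):
    """Hash each run of n consecutive words; the set is the document fingerprint."""
    out = set()
    for i in range(len(words) - n + 1):
        gram = " ".join(words[i:i + n]).encode()
        out.add(hashlib.sha256(gram).hexdigest()[:16])
    return out


class Fingerprints:
    """Registry of confidential documents, stored as shingle sets (not as text)."""

    def __init__(self):
        self.docs = {}

    def register(self, name, text):
        self.docs[name] = shingles(normalize(text))

    def match(self, text):
        """Return {doc_name: overlap} for documents partially contained in text."""
        seen = shingles(normalize(text))
        hits = {}
        for name, doc in self.docs.items():
            if not doc:
                continue
            overlap = len(seen & doc) / len(doc)
            if overlap >= THRESHOLD:
                hits[name] = round(overlap, 2)
        return hits


# Classification markers that should never leave the company in clear text.
MARKERS = re.compile(r"\b(confidential|internal only|do not distribute)\b", re.I)


def inspect(message, fp):
    """Verdict for one outbound message body: ('allow'|'block', reasons)."""
    reasons = []
    m = MARKERS.search(message)
    if m:
        reasons.append("marker:" + m.group(0).lower())
    for name, score in fp.match(message).items():
        reasons.append(f"fingerprint:{name}={score}")
    return ("block" if reasons else "allow", reasons)


# Constructed sample data.
MEMO = ("Project Falcon pricing for the fourth quarter will be set at 12 percent "
        "below list for enterprise renewals and the channel partner rebate will "
        "increase to 8 percent starting in November pending board approval")
LEAK = ("heard from a friend at the company: the channel partner rebate will "
        "increase to 8 percent starting in November pending board approval lol")
LUNCH = "Anyone know a good place for lunch near the office on Friday"
MARKED = "This deck is INTERNAL ONLY, please review before Monday"


def build_registry():
    fp = Fingerprints()
    fp.register("q4-pricing-memo", MEMO)
    return fp


if __name__ == "__main__":
    fp = build_registry()
    for msg in (LEAK, LUNCH, MARKED):
        print(inspect(msg, fp), "<-", msg[:40])
```

The fingerprint path is what catches the daily forum posts in the question: a pasted paragraph with no classification marker still shares enough five-word runs with the registered memo to exceed the threshold, while an unrelated message shares none. Storing only hashed shingles means the DLP enforcement point never holds the confidential text itself.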

  • Question 167:

    A medium-sized company has recently launched an online product catalog. It has decided to keep the credit card purchasing in-house as a secondary potential income stream has been identified in relation to sales leads. The company has decided to undertake a PCI assessment in order to determine the amount of effort required to meet the business objectives. Which compliance category would this task be part of?

    A. Government regulation
    B. Industry standard
    C. Company guideline
    D. Company policy

  • Question 168:

    A security administrator was recently hired in a start-up company to represent the interest of security and to assist the network team in improving security in the company. The programmers are not on good terms with the security team and do not want to be distracted with security issues while they are working on a major project. Which of the following is the BEST time to make them address security issues in the project?

    A. In the middle of the project
    B. At the end of the project
    C. At the inception of the project
    D. At the time they request

  • Question 169:

    Company A is merging with Company B. Company B uses mostly hosted services from an outside vendor, while Company A uses mostly in-house products.

    The project manager of the merger states the merged systems should meet these goals:

    • Ability to customize systems per department
    • Quick implementation along with an immediate ROI
    • The internal IT team having administrative level control over all products

    The project manager states the in-house services are the best solution. Because of staff shortages, the senior security administrator argues that security will be best maintained by continuing to use outsourced services. Which of the following solutions BEST solves the disagreement?

    A. Raise the issue to the Chief Executive Officer (CEO) to escalate the decision to senior management with the recommendation to continue the outsourcing of all IT services.
    B. Calculate the time to deploy and support the in-sourced systems accounting for the staff shortage and compare the costs to the ROI costs minus outsourcing costs. Present the document numbers to management for a final decision.
    C. Perform a detailed cost benefit analysis of outsourcing vs. in-sourcing the IT systems and review the system documentation to assess the ROI of in-sourcing. Select COTS products to eliminate development time to meet the ROI goals.
    D. Arrange a meeting between the project manager and the senior security administrator to review the requirements and determine how critical all the requirements are.

  • Question 170:

    A security administrator wants to deploy a dedicated storage solution which is inexpensive, can natively integrate with AD, allows files to be selectively encrypted and is suitable for a small number of users at a satellite office. Which of the following would BEST meet the requirement?

    A. SAN
    B. NAS
    C. Virtual SAN
    D. Virtual storage

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com you will find the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are unsure about your CAS-002 exam preparation or your CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions.