CAS-002 Exam Details

  • Exam Code: CAS-002
  • Exam Name: CompTIA Advanced Security Practitioner (CASP+)
  • Certification: CompTIA Certifications
  • Vendor: CompTIA
  • Total Questions: 733 Q&As
  • Last Updated: Jan 22, 2024

CompTIA CAS-002 Online Questions & Answers

  • Question 331:

    A security architect is locked into a given cryptographic design based on the allowable software at the company. The key length for applications is already fixed as is the cipher and algorithm in use. The security architect advocates for the use of well-randomized keys as a mitigation to brute force and rainbow attacks. Which of the following is the security architect trying to increase in the design?

    A. Key stretching
    B. Availability
    C. Entropy
    D. Root of trust
    E. Integrity

  • Question 332:

    The Chief Information Security Officer (CISO) regularly receives reports of a single department repeatedly violating the corporate security policy. The head of the department in question informs the CISO that the offending behaviors are a result of necessary business activities. The CISO assigns a junior security administrator to solve the issue. Which of the following is the BEST course of action for the junior security administrator to take?

    A. Work with the department head to find an acceptable way to change the business needs so the department no longer violates the corporate security policy.
    B. Draft an RFP for the purchase of a COTS product or consulting services to solve the problem through implementation of technical controls.
    C. Work with the CISO and department head to create an SLA specifying the response times of the IT security department when incidents are reported.
    D. Draft an MOU for the department head and CISO to approve, documenting the limits of the necessary behavior, and actions to be taken by both teams.

  • Question 333:

    Customers have recently reported incomplete purchase history and other anomalies while accessing their account history on the web server farm. Upon investigation, it has been determined that there are version mismatches of key e-commerce applications on the production web servers. The development team has direct access to the production servers and is most likely the cause of the different release versions. Which of the following process level solutions would address this problem?

    A. Implement change control practices at the organization level.
    B. Adjust the firewall ACL to prohibit development from directly accessing the production server farm.
    C. Update the vulnerability management plan to address data discrepancy issues.
    D. Change development methodology from strict waterfall to agile.

  • Question 334:

    A replacement CRM has had its business case approved. In preparation for a requirements workshop, an architect is working with a business analyst to ensure that appropriate security requirements have been captured. Which of the following documents BEST captures the security requirements?

    A. Business requirements document
    B. Requirements traceability matrix document
    C. Use case and viewpoints document
    D. Solution overview document

  • Question 335:

    A security administrator needs to deploy a remote access solution for both staff and contractors. Management favors remote desktop due to ease of use. The current risk assessment suggests protecting Windows as much as possible from direct ingress traffic exposure. Which of the following solutions should be selected?

    A. Deploy a remote desktop server on your internal LAN, and require an active directory integrated SSL connection for access.
    B. Change remote desktop to a non-standard port, and implement password complexity for the entire active directory domain.
    C. Distribute new IPSec VPN client software to applicable parties. Virtualize remote desktop services functionality.
    D. Place the remote desktop server(s) on a screened subnet, and implement two-factor authentication.

  • Question 336:

    A bank has decided to outsource some existing IT functions and systems to a third party service provider. The third party service provider will manage the outsourced systems on their own premises and will continue to directly interface with the bank's other systems through dedicated encrypted links. Which of the following is critical to ensure the successful management of system security concerns between the two organizations?

    A. ISA
    B. BIA
    C. MOU
    D. SOA
    E. BPA

  • Question 337:

    A security engineer is working on a large software development project. As part of the design of the project, various stakeholder requirements were gathered and decomposed to an implementable and testable level. Various security requirements were also documented. Organize the following security requirements into the correct hierarchy required for an SRTM.

    Requirement 1: The system shall provide confidentiality for data in transit and data at rest.

    Requirement 2: The system shall use SSL, SSH, or SCP for all data transport.

    Requirement 3: The system shall implement a file-level encryption scheme.

    Requirement 4: The system shall provide integrity for all data at rest.

    Requirement 5: The system shall perform CRC checks on all files.

    A. Level 1: Requirements 1 and 4; Level 2: Requirements 2, 3, and 5
    B. Level 1: Requirements 1 and 4; Level 2: Requirements 2 and 3 under 1, Requirement 5 under 4
    C. Level 1: Requirements 1 and 4; Level 2: Requirement 2 under 1, Requirement 5 under 4; Level 3: Requirement 3 under 2
    D. Level 1: Requirements 1, 2, and 3; Level 2: Requirements 4 and 5

  • Question 338:

    A system designer needs to factor in CIA requirements for a new SAN. Which of the CIA requirements is BEST met by multipathing?

    A. Confidentiality
    B. Authentication
    C. Integrity
    D. Availability

  • Question 339:

    Employees have recently requested remote access to corporate email and shared drives. Remote access has never been offered; however, the need to improve productivity and respond rapidly to customer demands means staff now require remote access. Which of the following controls will BEST protect the corporate network?

    A. Develop a security policy that defines remote access requirements. Perform regular audits of user accounts and reviews of system logs.
    B. Secure remote access systems to ensure shared drives are read only and access is provided through a SSL portal. Perform regular audits of user accounts and reviews of system logs.
    C. Plan and develop security policies based on the assumption that external environments have active hostile threats.
    D. Implement a DLP program to log data accessed by users connecting via remote access. Regularly perform user revalidation.

  • Question 340:

    A security engineer is a new member of a configuration board at the request of management. The company has two new major IT projects starting this year and wants to plan security into the application deployment. The board is primarily concerned with the applications' compliance with federal assessment and authorization standards. The security engineer asks for a timeline to determine when a security assessment of both applications should occur and does not attend subsequent configuration board meetings. If the security engineer is only going to perform a security assessment, which of the following steps in system authorization has the security engineer omitted?

    A. Establish the security control baseline
    B. Build the application according to software development security standards
    C. Review the results of user acceptance testing
    D. Consult with the stakeholders to determine which standards can be omitted

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CAS-002 exam preparation and CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions here.