CAS-004 Exam Details

  • Exam Code: CAS-004
  • Exam Name: CompTIA Advanced Security Practitioner (CASP+)
  • Certification: CompTIA Certifications
  • Vendor: CompTIA
  • Total Questions: 792 Q&As
  • Last Updated: May 28, 2026

CompTIA CAS-004 Online Questions & Answers

  • Question 131:

    A vulnerability analyst identified a zero-day vulnerability in a company's internally developed software. Since the current vulnerability management system does not have any checks for this vulnerability, an engineer has been asked to create one.

    Which of the following would be BEST suited to meet these requirements?

    A. ARF
    B. ISACs
    C. Node.js
    D. OVAL

  • Question 132:

    A security architect is improving a healthcare organization's security posture. Most of the software is cloud-based, but some old applications are still running on a server on-site. Medical devices using such applications require very low latency. The most important consideration is confidentiality, followed by availability, and then integrity.

    Which of the following is the first step the security architect should implement to protect PII?

    A. Move the application server to a network load balancing cluster.
    B. Move the application to a CSP.
    C. Enable encryption at rest on medical devices.
    D. Install FIM on the application server.

  • Question 133:

    An internal security assessor identified large gaps in a company's IT asset inventory system during a monthly asset review. The assessor is aware of an external audit that is underway. In an effort to avoid external findings, the assessor chooses not to report the gaps in the inventory system. Which of the following legal considerations is the assessor directly violating?

    A. Due care
    B. Due diligence
    C. Due process
    D. Due notice

  • Question 134:

    A security solution uses a sandbox environment to execute zero-day software and collect indicators of compromise. Which of the following should the organization do to BEST take advantage of this solution?

    A. Develop an Nmap plug-in to detect the indicator of compromise.
    B. Update the organization's group policy.
    C. Include the signature in the vulnerability scanning tool.
    D. Deliver an updated threat signature throughout the EDR system.

  • Question 135:

    An analyst has prepared several possible solutions to a successful attack on the company. The solutions need to be implemented with the LEAST amount of downtime. Which of the following should the analyst perform?

    A. Implement all the solutions at once in a virtual lab and then run the attack simulation. Collect the metrics and then choose the best solution based on the metrics.
    B. Implement every solution one at a time in a virtual lab, running a metric collection each time. After the collection, run the attack simulation, roll back each solution, and then implement the next. Choose the best solution based on the best metrics.
    C. Implement every solution one at a time in a virtual lab, running an attack simulation each time while collecting metrics. Roll back each solution and then implement the next. Choose the best solution based on the best metrics.
    D. Implement all the solutions at once in a virtual lab and then collect the metrics. After collection, run the attack simulation. Choose the best solution based on the best metrics.

  • Question 136:

    Which of the following best describes what happens if chain of custody is broken?

    A. Tracking record details are not properly labeled.
    B. Vital evidence could be deemed inadmissible.
    C. Evidence is not exhibited in the court of law.
    D. Evidence will need to be recollected.

  • Question 137:

    After a server was compromised, an incident responder looks at log files to determine the attack vector that was used. The incident responder reviews the web server log files from the time before an unexpected SSH session began:

    Which of the following is the most likely vulnerability that was exploited based on the log files?

    A. Directory traversal revealed the hashed SSH password, which was used to access the server.
    B. A SQL injection was used during the ordering process to compromise the database server.
    C. The root password was easily guessed and used as a parameter to open a reverse shell.
    D. An outdated third-party PHP plug-in was vulnerable to a known remote code execution.

  • Question 138:

    A security engineer is performing a threat modeling procedure against a machine learning system that correlates analytic information for decision support. Which of the following threat statements most likely applies to this type of system?

    A. An attacker is able to overload the system with incorrect information.
    B. An attacker conducts a password-spraying attack against the system's authentication method.
    C. An attacker exploits a server-side request forgery attack.
    D. An attacker accesses information that should not be disclosed due to an authorization error.

  • Question 139:

    A security operations center analyst is investigating anomalous activity between a database server and an unknown external IP address and gathered the following data:

    dbadmin last logged in at 7:30 a.m. and logged out at 8:05 a.m. A persistent TCP/6667 connection to the external address was established at 7:55 a.m.

    The connection is still active.

    Other than bytes transferred to keep the connection alive, only a few kilobytes of data transfer every hour since the start of the connection.

    A sample outbound request payload from PCAP showed the ASCII content: ";JOIN #community".

    Which of the following is the MOST likely root cause?

    A. A SQL injection was used to exfiltrate data from the database server.
    B. The system has been hijacked for cryptocurrency mining.
    C. A botnet Trojan is installed on the database server.
    D. The dbadmin user is consulting the community for help via Internet Relay Chat.

  • Question 140:

    A Chief Information Security Officer (CISO) is concerned that a company's current data disposal procedures could result in data remanence. The company uses only SSDs. Which of the following would be the MOST secure way to dispose of the SSDs given the CISO's concern?

    A. Degaussing
    B. Overwriting
    C. Shredding
    D. Formatting
    E. Incinerating

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CAS-004 exam preparation and CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions here.