Exam Details

  • Exam Code: CAS-004
  • Exam Name: CompTIA Advanced Security Practitioner (CASP+)
  • Certification: CompTIA Advanced Security Practitioner
  • Vendor: CompTIA
  • Total Questions: 587 Q&As
  • Last Updated: May 07, 2024

CompTIA Advanced Security Practitioner CAS-004 Questions & Answers

  • Question 11:

    A host on a company's network has been infected by a worm that appears to be spreading via SMB. A security analyst has been tasked with containing the incident while also maintaining evidence for a subsequent investigation and malware analysis.

    Which of the following steps would be best to perform FIRST?

    A. Turn off the infected host immediately.

    B. Run a full anti-malware scan on the infected host.

    C. Modify the smb.conf file of the host to prevent outgoing SMB connections.

    D. Isolate the infected host from the network by removing all network connections.

  • Question 12:

    A pharmaceutical company recently experienced a security breach within its customer-facing web portal. The attackers performed a SQL injection attack and exported tables from the company's managed database, exposing customer information.

    The company hosts the application with a CSP utilizing the IaaS model. Which of the following parties is ultimately responsible for the breach?

    A. The pharmaceutical company

    B. The cloud software provider

    C. The web portal software vendor

    D. The database software vendor

  • Question 13:

    A systems administrator is preparing to run a vulnerability scan on a set of information systems in the organization. The systems administrator wants to ensure that the targeted systems produce accurate information especially regarding configuration settings.

    Which of the following scan types will provide the systems administrator with the MOST accurate information?

    A. A passive, credentialed scan

    B. A passive, non-credentialed scan

    C. An active, non-credentialed scan

    D. An active, credentialed scan

  • Question 14:

    An organization developed a social media application that is used by customers in multiple remote geographic locations around the world. The organization's headquarters and only datacenter are located in New York City. The Chief Information Security Officer wants to ensure the following requirements are met for the social media application:

    1. Low latency for all mobile users to improve the users' experience
    2. SSL offloading to improve web server performance
    3. Protection against DoS and DDoS attacks
    4. High availability

    Which of the following should the organization implement to BEST ensure all requirements are met?

    A. A cache server farm in its datacenter

    B. A load-balanced group of reverse proxy servers with SSL acceleration

    C. A CDN with the origin set to its datacenter

    D. Dual gigabit-speed Internet connections with managed DDoS prevention

  • Question 15:

    Given the following log snippet from a web server: Which of the following BEST describes this type of attack?

    A. SQL injection

    B. Cross-site scripting

    C. Brute-force

    D. Cross-site request forgery

  • Question 16:

    A networking team asked a security administrator to enable Flash on its web browser. The networking team explained that an important legacy embedded system gathers SNMP information from various devices. The system can only be managed through a web browser running Flash. The embedded system will be replaced within the year but is still critical at the moment.

    Which of the following should the security administrator do to mitigate the risk?

    A. Explain to the networking team the reason Flash is no longer available and insist the team move up the timetable for replacement.

    B. Air gap the legacy system from the network and dedicate a laptop with an end-of-life OS on it to connect to the system via crossover cable for management.

    C. Suggest that the networking team contact the original embedded system's vendor to get an update to the system that does not require Flash.

    D. Isolate the management interface to a private VLAN where a legacy browser in a VM can be used as needed to manage the system.

  • Question 17:

    A city government's IT director was notified by the city council that the following cybersecurity requirements must be met to be awarded a large federal grant:

    1. Logs for all critical devices must be retained for 365 days to enable monitoring and threat hunting.
    2. All privileged user access must be tightly controlled and tracked to mitigate compromised accounts.
    3. Ransomware threats and zero-day vulnerabilities must be quickly identified.

    Which of the following technologies would BEST satisfy these requirements? (Select THREE).

    A. Endpoint protection

    B. Log aggregator

    C. Zero trust network access

    D. PAM

    E. Cloud sandbox

    F. SIEM

    G. NGFW

  • Question 18:

    A company has moved its sensitive workloads to the cloud and needs to ensure high availability and resiliency of its web-based application. The cloud architecture team was given the following requirements:

    1. The application must run at 70% capacity at all times.
    2. The application must sustain DoS and DDoS attacks.
    3. Services must recover automatically.

    Which of the following should the cloud architecture team implement? (Select THREE).

    A. Read-only replicas

    B. BCP

    C. Autoscaling

    D. WAF

    E. CDN

    F. Encryption

    G. Continuous snapshots

    H. Containerization

  • Question 19:

    A security analyst at a global financial firm was reviewing the design of a cloud-based system to identify opportunities to improve the security of the architecture. The system was recently involved in a data breach after a vulnerability was exploited within a virtual machine's operating system. The analyst observed that the VPC in which the system was located was not peered with the security VPC that contained the centralized vulnerability scanner due to the cloud provider's limitations. Which of the following is the BEST course of action to help prevent this situation in the near future?

    A. Establish cross-account trusts to connect all VPCs via API for secure configuration scanning.

    B. Migrate the system to another larger, top-tier cloud provider and leverage the additional VPC peering flexibility.

    C. Implement a centralized network gateway to bridge network traffic between all VPCs.

    D. Enable VPC traffic mirroring for all VPCs and aggregate the data for threat detection.

  • Question 20:

    A security architect is designing a solution for a new customer who requires significant security capabilities in its environment. The customer has provided the architect with the following set of requirements:

    1. Capable of early detection of advanced persistent threats.
    2. Must be transparent to users and cause no performance degradation.
    3. Allow integration with production and development networks seamlessly.
    4. Enable the security team to hunt and investigate live exploitation techniques.

    Which of the following technologies BEST meets the customer's requirements for security capabilities?

    A. Threat Intelligence

    B. Deception software

    C. Centralized logging

    D. Sandbox detonation

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CAS-004 exam preparation and CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions.