CompTIA CAS-004 Online Practice
Questions and Exam Preparation
CAS-004 Exam Details
Exam Code: CAS-004
Exam Name: CompTIA Advanced Security Practitioner (CASP+)
Certification: CompTIA Certifications
Vendor: CompTIA
Total Questions: 792 Q&As
Last Updated: May 28, 2026
CompTIA CAS-004 Online Questions & Answers
Question 211:
A company's employees are not permitted to access company systems while traveling internationally. The company email system is configured to block logins based on geographic location, but some employees report that their mobile phones continue to sync email while traveling.
Which of the following is the MOST likely explanation? (Choose two.)
A. Outdated geographic IP information
B. Privilege escalation attack
C. VPN on the mobile device
D. Unrestricted email administrator accounts
E. Client use of UDP protocols
F. Disabled GPS on mobile devices
A. Outdated geographic IP information
C. VPN on the mobile device
Explanation
Geographic login blocking on an email system works from the source IP address of the connection, so only conditions that change the address the server sees can explain the behavior. A VPN on the phone terminates in the employee's home country, so the mail server sees a permitted address. Geo-IP databases also lag behind carriers' reassignment of address ranges, so a foreign address may still be mapped to a permitted country. GPS is irrelevant: the mail server never receives the device's GPS position, so disabling it cannot influence an IP-based decision. Privilege escalation, unrestricted administrator accounts and UDP usage do not alter where a login appears to originate. To close the gap, block known VPN egress ranges and pair the geo rule with a device-posture or conditional-access check.
Question 212:
A company publishes several APIs for customers and is required to use keys to segregate customer data sets. Which of the following would be BEST to use to store customer keys?
A. A trusted platform module
B. A hardware security module
C. A localized key store
D. A public key infrastructure
B. A hardware security module
Explanation
A hardware security module (HSM) holds keys in tamper-resistant hardware and performs cryptographic operations without ever exporting the key material, and it is built to manage a large inventory of keys for many tenants, which is exactly what per-customer segregation of an API platform needs. A trusted platform module is bound to a single host and sized for platform identity and disk-encryption keys, not a multi-customer key inventory. A localized (software) key store is only as safe as the host it runs on; a compromised API server exposes every customer key. A public key infrastructure issues and manages certificates but does not itself protect the secret keys in use. In a cloud deployment the equivalent answer is a key management service backed by HSMs.
Question 213:
A major broadcasting company that requires continuous availability to streaming content needs to be resilient against DDoS attacks. Which of the following is the MOST important infrastructure security design element to prevent an outage?
A. Supporting heterogeneous architecture
B. Leveraging content delivery network across multiple regions
C. Ensuring cloud autoscaling is in place
D. Scaling horizontally to handle increases in traffic
B. Leveraging content delivery network across multiple regions
Explanation
A content delivery network (CDN) is a distributed set of edge servers that serves content from locations close to the user, chosen by geographic location, origin and network performance. Caching at the edge improves availability and performance by cutting latency and origin bandwidth, and a multi-region CDN absorbs or filters distributed denial-of-service (DDoS) traffic across many points of presence before it reaches the origin servers, so an attack on one region does not take the stream down. The CDN only helps if the origin is reachable solely through it: restrict origin access to the CDN's address ranges so attackers cannot bypass the edge.
Supporting a heterogeneous architecture (different hardware, software or platforms) reduces single points of failure but does not stop DDoS traffic. Cloud autoscaling adds resources as load rises, which helps absorb a surge but at a cost that scales with the attack and without filtering it. Scaling horizontally adds servers or nodes to spread load, which improves capacity but, like autoscaling, does not keep malicious traffic away from the origin.
References: [CompTIA Advanced Security Practitioner (CASP+) Certification Exam Objectives], Domain 2: Enterprise Security Architecture, Objective 2.4: Select controls based on systems security evaluation models
Question 214:
A review of the past year's attack patterns shows that attackers stopped reconnaissance after finding a susceptible system to compromise. The company would like to find a way to use this information to protect the environment while still gaining valuable attack information.
Which of the following would be BEST for the company to implement?
Question 215:
Which of the following industrial protocols is most likely to be found in public utility applications, such as water or electric?
A. CIP
B. Zigbee
C. Modbus
D. DNP3
D. DNP3
Explanation
DNP3 (Distributed Network Protocol 3) was designed for SCADA (Supervisory Control and Data Acquisition) systems and is the dominant protocol between control centers and remote terminal units in water and electric utilities. It handles long, noisy links well and provides time synchronization, CRC-based integrity checks at the link layer, and error recovery, which suits the monitoring and control of remote devices critical to public utilities. Those integrity checks detect line corruption only: base DNP3 has no authentication or encryption, so an attacker on the network can inject valid-looking frames. DNP3 Secure Authentication (added in IEEE 1815-2012) provides challenge-response authentication of critical messages, and TLS is used where confidentiality is required. Of the alternatives, Modbus is a generic register-access protocol common in industrial automation but not utility-specific, CIP (Common Industrial Protocol) underlies EtherNet/IP and DeviceNet in factory automation, and Zigbee is a low-power wireless mesh protocol for IoT and building automation.
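The integrity check DNP3 performs at the link layer is a CRC, and the point a practitioner should take from the explanation is that a CRC detects corruption, not forgery. The following is an added example, not part of the exam page or of any DNP3 implementation: it builds a DNP3 data link header, verifies its CRC-16/DNP, and then re-signs a tampered copy to show that the receiver's check still passes. The byte layout (start bytes 0x05 0x64, length, control, destination and source addresses little-endian, CRC low byte first) follows IEEE 1815 as I read it, and the function code table covers only primary-station frames.

```python
# Added example (not from the exam page): build and parse a DNP3 data link
# header and check its CRC. The CRC catches line noise; it does not
# authenticate the sender, so a forged frame with a recomputed CRC passes.
import struct

DNP3_START = b"\x05\x64"

# Link-layer function codes for frames sent by the primary station (PRM=1).
PRIMARY_FUNCTIONS = {
    0: "RESET_LINK_STATES",
    2: "TEST_LINK_STATES",
    3: "CONFIRMED_USER_DATA",
    4: "UNCONFIRMED_USER_DATA",
    9: "REQUEST_LINK_STATUS",
}


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, result inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_link_header(dest: int, src: int, function: int, length: int = 5,
                      direction: int = 1, primary: int = 1) -> bytes:
    """Return the 10-byte header: start, length, control, dest, src, CRC.
    length counts control+dest+src (5) plus any user data that follows."""
    control = (direction << 7) | (primary << 6) | (function & 0x0F)
    body = DNP3_START + struct.pack("<BBHH", length, control, dest, src)
    return body + struct.pack("<H", crc_dnp(body))  # CRC sent low byte first


def parse_link_header(frame: bytes) -> dict:
    """Decode the control byte and addresses; raise if the CRC does not match."""
    if len(frame) < 10 or frame[:2] != DNP3_START:
        raise ValueError("not a DNP3 frame")
    length, control, dest, src = struct.unpack("<BBHH", frame[2:8])
    (crc,) = struct.unpack("<H", frame[8:10])
    if crc != crc_dnp(frame[:8]):
        raise ValueError("header CRC mismatch")
    primary = (control >> 6) & 1
    function = control & 0x0F
    return {
        "length": length,
        "dir": control >> 7,
        "prm": primary,
        "fcb": (control >> 5) & 1,
        "fcv_or_dfc": (control >> 4) & 1,   # FCV when PRM=1, DFC when PRM=0
        "function": function,
        "function_name": (PRIMARY_FUNCTIONS.get(function, "UNKNOWN")
                          if primary else "SECONDARY"),
        "dest": dest,
        "src": src,
    }


def forge_reset(frame: bytes) -> bytes:
    """Take a captured header, swap in function code 0 (RESET_LINK_STATES)
    and recompute the CRC. parse_link_header() accepts the result, because
    base DNP3 has nothing that ties a frame to its real sender."""
    h = parse_link_header(frame)
    return build_link_header(h["dest"], h["src"], 0, h["length"], h["dir"], h["prm"])


if __name__ == "__main__":
    captured = build_link_header(dest=1, src=1024, function=4)  # constructed frame
    print(parse_link_header(captured))
    print(parse_link_header(forge_reset(captured))["function_name"])
```

The check value for the ASCII string 123456789 under CRC-16/DNP is 0xEA82, which is a convenient way to confirm any reimplementation before trusting it on real captures.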
Question 216:
A security engineer has been informed by the firewall team that a specific Windows workstation is part of a command-and-control network. The only information the security engineer is receiving is that the traffic is occurring on a non-standard port (TCP 40322). Which of the following commands should the security engineer use FIRST to find the malicious process?
A. tcpdump
B. netstat
C. tasklist
D. traceroute
E. ipconfig
B. netstat
Explanation
Running netstat -ano on the workstation lists every TCP and UDP endpoint together with the owning process ID, so filtering the output for port 40322 yields the PID in one step; tasklist /FI "PID eq <pid>" then names the image. tasklist alone shows processes but no network activity, tcpdump is not a native Windows tool and shows packets rather than processes, and traceroute and ipconfig give path and interface information unrelated to process attribution. If the PID belongs to a shared host process such as svchost.exe, follow up with tasklist /svc to see which services it hosts, and corroborate with the firewall's own logs: a user-mode rootkit can hide its sockets from netstat, in which case a kernel-level tool or an offline memory image is needed.
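As an added example (not from the exam page), the following Python joins the output of netstat -ano with the output of tasklist to name the process behind a connection to a given remote port, which is the two-step lookup the explanation describes. Both command outputs embedded below are constructed samples, and the image name updater.exe and the addresses are hypothetical.

```python
# Added example (not from the exam page): correlate Windows "netstat -ano"
# output with "tasklist" output to attribute a connection to a process.
# Both samples are constructed; the offending image name is hypothetical.
import re

NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    10.0.0.25:49812        203.0.113.7:40322      ESTABLISHED     4120
  TCP    10.0.0.25:49850        198.51.100.4:443       ESTABLISHED     2260
  UDP    0.0.0.0:5353           *:*                                    1720
"""

TASKLIST_OUTPUT = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    908 Services                   0     12,340 K
updater.exe                   4120 Console                    1      8,212 K
msedge.exe                    2260 Console                    1    210,544 K
dasHost.exe                   1720 Services                   0      6,040 K
"""


def connections_to_port(netstat_text: str, port: int):
    """Return (proto, local, remote, state, pid) for rows whose foreign port is `port`.
    UDP rows carry no State column, so the PID shifts one field left."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        if remote.rsplit(":", 1)[-1] == str(port):   # rsplit also copes with [IPv6]:port
            hits.append((proto, local, remote, state, int(pid)))
    return hits


def pid_to_image(tasklist_text: str) -> dict:
    """Map PID -> image name from the default tasklist table layout."""
    mapping = {}
    for line in tasklist_text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line)
        if m:
            mapping[int(m.group(2))] = m.group(1)
    return mapping


def find_process_for_remote_port(netstat_text: str, tasklist_text: str, port: int):
    """Return (pid, image, remote) for each connection to the remote port."""
    images = pid_to_image(tasklist_text)
    return [(pid, images.get(pid, "?"), remote)
            for _, _, remote, _, pid in connections_to_port(netstat_text, port)]


if __name__ == "__main__":
    for pid, image, remote in find_process_for_remote_port(NETSTAT_OUTPUT, TASKLIST_OUTPUT, 40322):
        print(f"PID {pid} ({image}) -> {remote}")
```

On a live host, feed the two functions the real command output (for example captured with subprocess) rather than the constructed strings; the parsing does not change.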
Question 217:
SIMULATION
You are a security analyst tasked with interpreting an Nmap scan output from Company A’s privileged network.
The company’s hardening guidelines indicate the following:
1. There should be one primary server or service per device.
2. Only default ports should be used.
3. Non-secure protocols should be disabled.
INSTRUCTIONS
Using the Nmap output, identify the devices on the network and their roles, and any open ports that should be closed. For each device found, add a device entry to the Devices Discovered list, with the following information:
1. The IP address of the device
2. The primary server or service of the device
3. The protocol(s) that should be disabled based on the hardening guidelines
A. See the answer in the explanation.
Explanation
10.1.45.65 - SFTP server - disable 8080
10.1.45.66 - Email server - disable 415 and 443
10.1.45.67 - Web server - disable 21 and 80
10.1.45.68 - UTM appliance - disable 21
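The three hardening guidelines above can be checked mechanically against grepable Nmap output. The following is an added example, not part of the exam or its Nmap scan: it parses constructed -oG lines for three hypothetical hosts in the 192.0.2.0/24 documentation range and flags each open port against the three rules. The service-to-role table, the list of default ports, the set of plaintext protocols and the scoring heuristic used to decide a host's primary service are all my assumptions, not something the exam defines.

```python
# Added example (not from the exam page): apply the three hardening
# guidelines (one primary service per device, default ports only, no
# insecure protocols) to Nmap grepable output. The scan below is constructed.
from collections import defaultdict

NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.0.2.0/24
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
Host: 192.0.2.20 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.30 ()\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///, 993/open/tcp//imaps///\tIgnored State: closed (997)
# Nmap done
"""

# Assumed mappings; adjust to the organisation's own standards.
ROLE_BY_SERVICE = {
    "ssh": "SFTP server", "ftp": "FTP server", "telnet": "Telnet server",
    "http": "Web server", "https": "Web server", "http-proxy": "Web server",
    "smtp": "Email server", "imap": "Email server", "imaps": "Email server",
    "pop3": "Email server", "pop3s": "Email server",
}
DEFAULT_PORT = {"ssh": 22, "ftp": 21, "telnet": 23, "smtp": 25, "http": 80,
                "https": 443, "pop3": 110, "imap": 143, "imaps": 993, "pop3s": 995}
INSECURE = {"ftp", "telnet", "http", "pop3", "imap"}   # cleartext protocols


def parse_grepable(text: str) -> dict:
    """Return {ip: sorted [(port, service), ...]} for open ports in -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports = []
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for entry in field[len("Ports:"):].split(","):
                    p = entry.strip().split("/")   # port/state/proto/owner/service/...
                    if p[1] == "open":
                        ports.append((int(p[0]), p[4]))
        hosts[ip] = sorted(ports)
    return hosts


def assess_host(ports):
    """Pick the primary role (heuristic: the role whose ports are most often
    on their default port and using a secure protocol) and list violations."""
    score = defaultdict(int)
    for port, svc in ports:
        role = ROLE_BY_SERVICE.get(svc, svc)
        score[role] += int(DEFAULT_PORT.get(svc) == port) + int(svc not in INSECURE)
    primary = max(score, key=score.get) if score else None
    findings = []
    for port, svc in ports:
        role = ROLE_BY_SERVICE.get(svc, svc)
        reasons = []
        if role != primary:
            reasons.append(f"rule 1: second role ({role})")
        if DEFAULT_PORT.get(svc) != port:
            reasons.append("rule 2: non-default port")
        if svc in INSECURE:
            reasons.append("rule 3: insecure protocol")
        if reasons:
            findings.append((port, reasons))
    return primary, findings


def hardening_report(text: str) -> dict:
    """{ip: (primary role, [(port, [reasons]), ...])} for every scanned host."""
    return {ip: assess_host(ports) for ip, ports in parse_grepable(text).items()}


if __name__ == "__main__":
    for ip, (primary, findings) in hardening_report(NMAP_GREPABLE).items():
        print(ip, primary, "disable:", [p for p, _ in findings])
        for port, reasons in findings:
            print("   ", port, "; ".join(reasons))
```

The output lists, per host, the primary service and the ports to disable with the guideline each one violates, which is the same shape as the answer table above.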
Question 218:
A developer is creating a new mobile application for a company. The application uses a REST API and TLS 1.2 to communicate securely with the external back-end server. Due to this configuration, the company is concerned about HTTPS interception attacks.
Which of the following would be the BEST solution against this type of attack?
A. Cookies
B. Wildcard certificates
C. HSTS
D. Certificate pinning
D. Certificate pinning
Explanation
HTTPS interception (a TLS-terminating proxy, a compromised or coerced CA, or a root certificate pushed onto the device) works because the client accepts any certificate that chains to a trusted root. Certificate pinning has the application accept only a specific certificate or public key for its back-end, so an intercepting certificate is rejected even when it chains to a trusted root. HSTS only forces the browser to use HTTPS and does nothing against an interceptor presenting a trusted certificate; wildcard certificates and cookies do not address interception at all. Pinning needs a rotation plan, with a backup pin and an app update path, so that a legitimate certificate change does not lock clients out.
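As an added example of the winning control (not from the exam page), the following Python performs a normal TLS handshake and then refuses the connection unless the SHA-256 hash of the server's DER-encoded leaf certificate matches one of a set of pins. The pin strings are placeholders; a real deployment computes them from the certificate it ships and keeps a backup pin for the next one. Pinning the SubjectPublicKeyInfo rather than the whole certificate is the more common mobile practice, but the standard-library ssl module does not expose the SPKI without an ASN.1 parser, so this example pins the full certificate.

```python
# Added example (not from the exam page): certificate pinning on top of the
# normal chain validation done by ssl.create_default_context(). A TLS
# interception proxy presents a certificate that chains to a trusted root
# but does not match the pin, so connect_pinned() refuses to use the session.
import base64
import hashlib
import socket
import ssl

# Placeholder pin set: SHA-256 of the DER leaf certificate, base64-encoded,
# plus a backup pin for the next certificate so rotation does not brick clients.
PINS = {"placeholder-current-pin", "placeholder-backup-pin"}


def cert_pin(der_cert: bytes) -> str:
    """Base64 SHA-256 of a DER-encoded certificate, the value stored as a pin."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode()


def pin_matches(der_cert: bytes, pins: set) -> bool:
    """True when the presented certificate matches any pin in the set."""
    return cert_pin(der_cert) in pins


def connect_pinned(host: str, port: int, pins: set, timeout: float = 5.0):
    """Handshake with full chain validation, then enforce the pin before any
    application data is sent. Returns the TLS socket, or raises."""
    ctx = ssl.create_default_context()          # still validates chain and hostname
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)   # leaf certificate as DER bytes
        if not pin_matches(der, pins):
            raise ssl.SSLError(f"certificate pin mismatch for {host}: {cert_pin(der)}")
        return tls
    except Exception:
        tls.close()                              # never fall back to an unpinned session
        raise


if __name__ == "__main__":
    # Prints the pin of whatever certificate api.example.com presents, which is
    # how the value for PINS would be obtained for a real back-end (hypothetical host).
    try:
        with connect_pinned("api.example.com", 443, PINS) as s:
            print("pinned session established", s.version())
    except (OSError, ssl.SSLError) as exc:
        print("connection refused:", exc)
```

The pin check runs after the chain validation, not instead of it: an expired or mis-issued certificate still fails the normal checks, and a correctly issued but unexpected certificate, the interception case, fails the pin.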
Question 219:
A company uses a CSP to provide a front end for its new payment system offering. The new offering is currently certified as PCI compliant. In order for the integrated solution to be compliant, the customer:
A. must also be PCI compliant, because the risk is transferred to the provider.
B. still needs to perform its own PCI assessment of the provider's managed serverless service.
C. needs to perform a penetration test of the cloud provider's environment.
D. must ensure in-scope systems for the new offering are also PCI compliant.
D. must ensure in-scope systems for the new offering are also PCI compliant.
Explanation
Even though the company uses a cloud service provider (CSP) that is PCI compliant, the customer must still ensure that in-scope systems related to their new payment system offering are also PCI compliant. PCI DSS (Payment Card Industry Data Security Standard) applies to any system that processes, stores, or transmits credit card data, and this includes customer-owned systems, services, or applications integrated into the solution. The responsibility is shared between the CSP and the customer, and compliance is not automatically inherited just because the CSP is compliant. CASP+ emphasizes that organizations must ensure all components within their control are also PCI compliant.
References: CASP+ CAS-004 Exam Objectives: Domain 1.0 Risk Management (Compliance and PCI DSS) CompTIA CASP+ Study Guide: Cloud Services and PCI Compliance
Question 220:
A security architect must mitigate the risks from what is suspected to be an exposed private cryptographic key. Which of the following is the BEST step to take?
A. Revoke the certificate.
B. Inform all the users of the certificate.
C. Contact the company's Chief Information Security Officer.
D. Disable the website using the suspected certificate.
E. Alert the root CA.
A. Revoke the certificate.
Explanation
When a private key is suspected to be exposed, the first step is to revoke the certificate that binds to it, because anyone holding the key can otherwise impersonate the service or, for cipher suites without forward secrecy, decrypt captured traffic. Revocation is published through the issuing CA's Certificate Revocation List (CRL) or answered over the Online Certificate Status Protocol (OCSP), which clients consult to check certificate validity. Revocation alone is not enough: generate a new key pair, obtain a new certificate for it, replace the key everywhere it was deployed (servers, load balancers, backups, CI secrets), and, because many clients soft-fail revocation checks, treat the old certificate as usable by the attacker until it expires. Informing users and the CISO and alerting the CA belong to the incident response but do not remove the attacker's ability to use the key, and disabling the website interrupts service without addressing the key itself.