CompTIA CAS-004 Online Practice Questions and Exam Preparation

CompTIA CAS-004 Online Questions & Answers

• Question 241:

  A security engineer needs to ensure production containers are automatically scanned for vulnerabilities before they are accepted into the production environment.

  Which of the following should the engineer use to automatically incorporate vulnerability scanning on every commit?

  A. Code repository
  B. CI/CD pipeline
  C. Integrated development environment
  D. Container orchestrator
  B. CI/CD pipeline

  ---

  Explanation

  CI/CD pipeline (Continuous Integration/Continuous Deployment) automates the testing, including vulnerability scanning, for every code commit before deploying to production. Code repository stores the code but does not handle scanning.

  Integrated development environment (IDE) aids developers in writing and testing code but does not enforce automated scanning.

  Container orchestrator manages container deployment but does not directly address pre-production scanning.

  CASP+ Exam Objectives 3.6 ?Integrate automated security tools into the development process.

• Question 242:

  An ASIC manufacturer wishing to best reduce downstream supply chain risk can provide validation instructions for consumers that:

  A. Leverage physically uncloneable functions.
  B. Analyze an emplaced holographic icon on the board.
  C. Include schematics traceable via X-ray interrogation.
  D. Incorporate MD5 hashes of the ASIC design file.
  A. Leverage physically uncloneable functions.

  ---

  Explanation

  Physically uncloneable functions (PUFs) are hardware-based features that leverage intrinsic physical properties of chips to create unique, non-reproducible identifiers. This reduces supply chain risks by enabling robust authentication and counterfeit prevention. This method aligns with CASP+ objective 4.3, which focuses on secure hardware design and supply chain risk management, ensuring authenticity and integrity of hardware components.

• Question 243:

  A new mandate by the corporate security team requires that all endpoints must meet a security baseline before accessing the corporate network. All servers and desktop computers are scanned by the dedicated internal scanner appliance installed in each subnet. However, remote worker laptops do not access the network regularly. Which of the following is the BEST option for the security team to ensure remote worker laptops are scanned before being granted access to the corporate network?

  A. Implement network access control to perform host validation of installed patches.
  B. Create an 802.1X implementation with certificate-based device identification.
  C. Create a vulnerability scanning subnet for remote workers to connect to on the network at headquarters.
  D. Install a vulnerability scanning agent on each remote laptop to submit scan data.
  D. Install a vulnerability scanning agent on each remote laptop to submit scan data.

  ---

  Explanation

• Question 244:

  The principal security analyst for a global manufacturer is investigating a security incident related to abnormal behavior in the ICS network. A controller was restarted as part of the troubleshooting process, and the following issue was identified

  when the controller was restarted:

  SECURE BOOT FAILED:

  FIRMWARE MISMATCH EXPECTED 0xFDC479 ACTUAL 0x79F31B

  During the investigation, this modified firmware version was identified on several other controllers at the site. The official vendor firmware versions do not have this checksum. Which of the following stages of the MITRE ATTandCK framework for

  ICS includes this technique?

  A. Evasion
  B. Persistence
  C. Collection
  D. Lateral movement
  B. Persistence

  ---

  Explanation

  In the context of the MITRE ATTandCK framework, the "Persistence" stage involves techniques used by attackers to maintain their presence in a compromised environment over an extended period. One way to achieve persistence in ICS environments is by modifying firmware or configurations in such a way that the malicious changes persist even after system restarts or updates.

• Question 245:

  A development team needs terminal access to preproduction servers to verify settings and enter purchased license keys. To address the team's needs, the security administrator implements the following requirements:

  1.Only trusted accounts can access the preproduction servers.

  2.Developers cannot access the preproduction servers directly from their workstations.

  3.The trusted accounts should only have access to specific preproduction servers.

  Which of the following are necessary to fulfill the security requirements? (Select two).

  A. SSL VPN
  B. NAT gateway
  C. Air gap
  D. WAF
  E. Jump box
  F. Network ACLs
  E. Jump box
  F. Network ACLs

  ---

  Explanation

  Jump box: Acts as an intermediary that allows secure access to preproduction servers while enforcing access controls.

  Network ACLs: Restrict access to only trusted accounts and specified preproduction servers.

  This aligns with CASP+ objectives 2.2 and 3.4, which focus on securing access and implementing appropriate controls for sensitive environments.

• Question 246:

  A company moved its on-premises services to the cloud. Although a recent audit verified that data throughout the cloud service is properly classified and documented, other systems are unable to act or filter based on this information. Which of the following should the company deploy to allow other cloud-based systems to consume this information?

  A. Data mapping
  B. Data labeling
  C. Log scraping
  D. Resource tagging
  B. Data labeling

  ---

  Explanation

  Data labeling enables metadata tagging for data classification, which allows systems to filter, act, and enforce policies based on the labels. Data mapping is used for understanding data flows but does not support automation.

  Log scraping and resource tagging are unrelated to enabling system actions based on data classification.

  CASP+ Exam Objectives 5.1 ?Implement controls based on data classifications.

• Question 247:

  A security engineer needs to implement a cost-effective authentication scheme for a new web-based application that requires:

  1.Rapid authentication

  2.Flexible authorization

  3.Ease of deployment

  4.Low cost but high functionality

  Which of the following approaches best meets these objectives?

  A. Kerberos
  B. EAP
  C. SAML
  D. OAuth
  E. TACACS+
  D. OAuth

  ---

  Explanation

  OAuth, which stands for Open Authorization, is a standard for authorization that enables secure token-based access. It allows users to grant a web application access to their information on another web application without giving them the credentials for their account. OAuth is particularly useful for rapid authentication, flexible authorization, ease of deployment, and offers high functionality at a low cost, making it an ideal choice for new web-based applications. This approach is well-suited for situations where web applications need to interact with each other on behalf of the user, without sharing user's password, such as integrating a geolocation application with Facebook. OAuth uses tokens issued by an authorization server, providing restricted access to a user's data, which aligns with the objectives of rapid authentication, flexible authorization, ease of deployment, and cost- effectiveness.

• Question 248:

  A security architect is advising the application team to implement the following controls in the application before it is released:

  1.Least privilege

  2.Blocklist input validation for the following characters: \<>;, ="#+

  Based on the requirements, which of the following attacks is the security architect trying to prevent?

  A. XML injection
  B. LDAP injection
  C. CSRF
  D. XSS
  D. XSS

  ---

  Explanation

  https://www.techtarget.com/searchsecurity/quiz/Quiz-Web-application-threats-and-vulnerabilities

• Question 249:

  A security analyst is researching containerization concepts for an organization. The analyst is concerned about potential resource exhaustion scenarios on the Docker host due to a single application that is overconsuming available resources. Which of the following core Linux concepts BEST reflects the ability to limit resource allocation to containers?

  A. Union filesystem overlay
  B. Cgroups
  C. Linux namespaces
  D. Device mapper
  B. Cgroups

  ---

  Explanation

• Question 250:

  A company is migrating its data center to the cloud. Some hosts had been previously isolated, but a risk assessment convinced the engineering team to reintegrate the systems. Because the systems were isolated, the risk associated with

  vulnerabilities was low.

  Which of the following should the security team recommend be performed before migrating these servers to the cloud?

  A. Performing patching and hardening
  B. Deploying host and network IDS
  C. Implementing least functionality and time-based access
  D. Creating a honeypot and adding decoy files
  A. Performing patching and hardening

  ---

  Explanation

  Before migrating previously isolated systems to the cloud, it is essential to perform patching and hardening. These systems may have been neglected while isolated, so updating them with the latest security patches and applying hardening

  measures (such as disabling unnecessary services and implementing strict access controls) is crucial to reduce vulnerabilities. This ensures that the systems are secure before they are exposed to the wider cloud environment. CASP+

  emphasizes the importance of securing systems through patch management and hardening before integrating them into more exposed environments like the cloud.

  References:

  CASP+ CAS-004 Exam Objectives: Domain 2.0

  Enterprise Security Operations (Patching, Hardening, and Cloud Migration Security) CompTIA CASP+ Study Guide: Securing and Hardening Systems Before Cloud Migration