CompTIA CAS-004 Online Practice Questions and Exam Preparation
CAS-004 Exam Details
Exam Code: CAS-004
Exam Name: CompTIA Advanced Security Practitioner (CASP+)
Certification: CompTIA Certifications
Vendor: CompTIA
Total Questions: 792 Q&As
Last Updated: May 28, 2026
CompTIA CAS-004 Online Questions & Answers
Question 361:
DRAG DROP
You are an information security analyst tasked to provide feedback and remediation guidance to an organization that is working to comply with a prescriptive framework. The framework includes the following controls related to network design:
Network hosts must be segmented into security domains.
A screened subnet must be used for all externally available assets.
A shared services zone must be present for internal servers and should not contain workstations.
INSTRUCTIONS
Based on the stated requirements, place each resource in the appropriate network location. All resources must be used, and all network zones will be filled.
Select and Place:
The LAN can contain only endpoint devices, so all workstations must be placed in the LAN.
The Shared Services Zone can contain only internal servers, so the file server, authentication server, and database server must be placed there.
The Screened Subnet (DMZ) is used for externally facing services, so the web server, email proxy, and VPN concentrator must be placed there.
Question 362:
Device event logs sourced from MDM software are as follows: Which of the following security concerns and response actions would BEST address the risks posed by the device in the logs?
A. Malicious installation of an application; change the MDM configuration to remove application ID 1220.
B. Resource leak; recover the device for analysis and clean up the local storage.
C. Impossible travel; disable the device's account and access while investigating.
D. Falsified status reporting; remotely wipe the device.
C. Impossible travel; disable the device's account and access while investigating.
Explanation
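The correct answer relies on the "impossible travel" idea: two check-ins from the same device that are too far apart in space for the time between them. The following added example (not part of the original question bank, and not taken from the log image the question refers to) shows how an analyst could flag that condition over constructed MDM check-in lines. The log format, device IDs, coordinates and the 1000 km/h threshold are all assumptions made for the example.

```python
import math
from datetime import datetime

# Constructed sample MDM check-in events (format assumed for this example):
# timestamp, device id, latitude, longitude, action.
# dev-1220 checks in from New York and 40 minutes later from London;
# dev-3311 checks in from San Francisco and 4 hours later from Los Angeles.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z dev-1220 40.7128 -74.0060 login
2024-05-01T08:40:00Z dev-1220 51.5074 -0.1278 login
2024-05-01T08:05:00Z dev-3311 37.7749 -122.4194 login
2024-05-01T12:05:00Z dev-3311 34.0522 -118.2437 login
"""

# Assumption: nothing a user carries moves faster than roughly airline speed.
MAX_PLAUSIBLE_KMH = 1000.0
RECOMMENDED_ACTION = "disable the device's account and access while investigating"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_events(text):
    """Parse the constructed log format into (timestamp, device, lat, lon, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dev, lat, lon, action = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       dev, float(lat), float(lon), action))
    return events


def find_impossible_travel(text, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per consecutive pair of events whose implied speed is implausible."""
    events = sorted(parse_events(text), key=lambda e: (e[1], e[0]))
    last_seen = {}   # device -> (timestamp, lat, lon) of its previous event
    alerts = []
    for ts, dev, lat, lon, action in events:
        if dev in last_seen:
            pts, plat, plon = last_seen[dev]
            hours = (ts - pts).total_seconds() / 3600.0
            dist = haversine_km(plat, plon, lat, lon)
            if hours <= 0:
                # Same-second events: only a real displacement is suspicious.
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                alerts.append({
                    "device": dev,
                    "km": round(dist),
                    "hours": round(hours, 2),
                    "kmh": round(speed),
                    "action": RECOMMENDED_ACTION,
                })
        last_seen[dev] = (ts, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOG):
        print(alert)
```

Only dev-1220 is flagged: roughly 5,570 km in 40 minutes implies well over 8,000 km/h, whereas dev-3311's trip down the California coast is a plausible drive. The alert carries the response action the question's answer key names, rather than a wipe, because the device itself may be legitimate and a wipe destroys evidence.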
Question 363:
A security researcher detonated some malware in a lab environment and identified the following commands running from the EDR tool:
With which of the following MITRE ATT&CK TTPs is the command associated? (Select TWO.)
A. Indirect command execution
B. OS credential dumping
C. Inhibit system recovery
D. External remote services
E. System information discovery
F. Network denial of service
B. OS credential dumping
E. System information discovery
Explanation
OS credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. System information discovery is the process of
gathering information about the system, such as hostname, IP address, OS version, running processes, etc. Both of these techniques are commonly used by adversaries to gain access to sensitive data and resources on the target system.
The command shown in the image is using Mimikatz, a tool that can dump credentials from memory, and also querying the system information using WMIC.
Question 364:
A security analyst is reviewing suspicious emails that were forwarded by users. Which of the following is the best method for the analyst to use when reviewing attachments that came with these emails?
A. Reverse engineering
B. Protocol analysis
C. Sandboxing
D. Fuzz testing
E. Steganography
C. Sandboxing
Explanation
The most effective method for a security analyst to review suspicious email attachments is to use sandboxing. This approach allows the attachments to be executed in a safe, isolated environment, making it possible to observe any malicious activities without risking the integrity of the actual systems. Sandboxing offers a comprehensive and efficient way to analyze potentially harmful content in email attachments.
Question 365:
A network administrator who manages a Linux web server notices the following traffic:
http://comptia.org/../../../../etc/shadow
Which of the following is the BEST action for the network administrator to take to defend against this type of web attack?
A. Validate the server certificate and trust chain.
B. Validate the server input and append the input to the base directory path.
C. Validate that the server is not deployed with default account credentials.
D. Validate that multifactor authentication is enabled on the server for all user accounts.
B. Validate the server input and append the input to the base directory path.
Explanation
The network administrator is noticing a web attack that attempts to access the /etc/shadow file on a Linux web server. The /etc/shadow file contains the encrypted passwords of all users on the system and is a common target for attackers.
The attack uses a technique called directory traversal, which exploits a vulnerability in the web application that allows an attacker to access files or directories outside of the intended scope by manipulating the file path.
Validating the server input and appending the input to the base directory path would be the best action for the network administrator to take to defend against this type of web attack, because it would:
Check the user input for any errors, malicious data, or unexpected values before processing it by the web application.
Prevent directory traversal by ensuring that the user input is always relative to the base directory path of the web application, and not absolute to the root directory of the web server.
Deny access to any files or directories that are not part of the web application's scope or functionality.
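The following added example (not part of the original question bank) shows the difference between a naive path join, which the traversal request above walks straight out of the web root, and the recommended fix: resolve the request relative to the base directory and refuse anything that does not stay underneath it. The web root `/srv/www/public`, the function names and the sample requests are assumptions made for the example.

```python
import os
from urllib.parse import unquote

# Assumption: the web application's document root.
WEB_ROOT = "/srv/www/public"


def vulnerable_resolve(base_dir, requested):
    """Naive join: '../' sequences in the request climb out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_resolve(base_dir, requested):
    """Resolve the request under base_dir and reject anything that escapes it.

    Raises ValueError for traversal attempts so the caller can return 403/404.
    """
    base = os.path.realpath(base_dir)
    # Decode percent-encoding once so '%2e%2e' is checked as '..', and strip
    # leading slashes so an absolute request cannot replace the base directory.
    relative = unquote(requested).lstrip("/")
    # realpath normalises '..' segments and follows symlinks, so the check
    # below sees the path the OS would actually open.
    candidate = os.path.realpath(os.path.join(base, relative))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("request escapes the web root: %r" % requested)
    return candidate


def check_request(requested, base_dir=WEB_ROOT):
    """Return (allowed, resolved_path) for a request path, never raising."""
    try:
        return True, safe_resolve(base_dir, requested)
    except ValueError:
        return False, None


if __name__ == "__main__":
    # Constructed requests: the traversal from the question and a normal asset.
    for req in ("../../../../etc/shadow", "%2e%2e/%2e%2e/etc/shadow", "images/logo.png"):
        print(req, "->", check_request(req))
```

With the naive join, `../../../../etc/shadow` normalises to `/etc/shadow`; the hardened version resolves the same request to `/etc/shadow`, sees that it no longer shares the web root as a prefix, and rejects it. Checking the realpath rather than the raw string is what makes the check hold against encoded dots and symlinks placed inside the document root.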
Question 366:
A Chief Information Security Officer is concerned about the condition of the code security being used for web applications. It is important to get the review right the first time, and the company is willing to use a tool that will allow developers to validate code as it is written. Which of the following methods should the company use?
A. SAST
B. DAST
C. Fuzz testing
D. Intercepting proxy
A. SAST
Explanation
Static Application Security Testing (SAST) is the best method for validating code as it is written. SAST analyzes the source code or binaries of an application for vulnerabilities before the code is executed, allowing developers to identify and fix security flaws early in the development process. This method integrates into the development environment and provides real-time feedback, which is critical for ensuring secure coding practices from the start. CASP+ highlights the importance of SAST in secure software development lifecycles (SDLCs) as a proactive measure to prevent security issues before the code is deployed.
References: CASP+ CAS-004 Exam Objectives: Domain 2.0 Enterprise Security Operations (SAST for Secure Code Validation) CompTIA CASP+ Study Guide: Secure Software Development and Static Code Analysis
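To make the "analyzes the source code before it is executed" point concrete, here is an added example (not part of the original question bank or of any SAST product) of a minimal static check: it parses Python source into an AST and reports risky call patterns without ever running the code. The sample source, the rule set and the function names are assumptions made for the example.

```python
import ast

# Constructed sample source under review: three risky calls and one safe one.
SAMPLE_SOURCE = '''
import subprocess, pickle
def run(cmd, blob):
    subprocess.run(cmd, shell=True)
    data = pickle.loads(blob)
    result = eval("1 + 1")
    return subprocess.run(["ls", "-l"])
'''

# Assumed rule set: fully qualified call name -> finding description.
RULES = {
    "eval": "CWE-95: eval() on dynamic input",
    "exec": "CWE-95: exec() on dynamic input",
    "pickle.loads": "CWE-502: deserialization of untrusted data",
}
SUBPROCESS_CALLS = {"subprocess.run", "subprocess.call", "subprocess.Popen"}


def _call_name(node):
    """Return 'name' or 'module.attr' for a Call node, or None if not resolvable."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return "%s.%s" % (func.value.id, func.attr)
    return None


def _has_shell_true(call):
    """True when the call passes the literal keyword shell=True."""
    return any(kw.arg == "shell"
               and isinstance(kw.value, ast.Constant)
               and kw.value.value is True
               for kw in call.keywords)


def scan_source(source):
    """Static scan: returns sorted (line, call_name, description) findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in RULES:
            findings.append((node.lineno, name, RULES[name]))
        elif name in SUBPROCESS_CALLS and _has_shell_true(node):
            findings.append((node.lineno, name,
                             "CWE-78: shell=True allows OS command injection"))
    return sorted(findings)


if __name__ == "__main__":
    for line, call, desc in scan_source(SAMPLE_SOURCE):
        print("line %d: %s -> %s" % (line, call, desc))
```

The scanner flags `subprocess.run(..., shell=True)`, `pickle.loads` and `eval`, and leaves the list-form `subprocess.run(["ls", "-l"])` alone, which is the kind of immediate, line-level feedback the question describes developers getting as they write code. A real SAST tool adds data-flow analysis so that it can tell whether the argument actually comes from untrusted input; this pattern match is the first, cheapest layer.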
Question 367:
A security architect is working with a new customer to find a vulnerability assessment solution that meets the following requirements:
1. Fast scanning
2. The least false positives possible
3. Signature-based
4. A low impact on servers when performing a scan
In addition, the customer has several screened subnets, VLANs, and branch offices. Which of the following will BEST meet the customer's needs?
A. Authenticated scanning
B. Passive scanning
C. Unauthenticated scanning
D. Agent-based scanning
D. Agent-based scanning
Explanation
Agent-based scanning is best suited for environments with multiple subnets, VLANs, and branch offices, as described. It allows for fast scanning with fewer false positives, and since the agents are installed on the servers, they tend to have a lower impact on performance. This type of scanning also facilitates signature-based scanning, which is one of the customer's requirements.
Question 368:
Before launching a new web application, an organization would like to perform security testing. Which of the following resources should the organization use to determine the objectives for the test?
A. CASB
B. SOAR
C. OWASP
D. ISAC
C. OWASP
Explanation
Question 369:
A DNS forward lookup zone named comptia.org must:
1. Ensure the DNS is protected from on-path attacks.
2. Ensure zone transfers use mutual authentication and are authenticated and negotiated.
Which of the following should the security architect configure to meet these requirements? (Choose two.)
A. Public keys
B. Conditional forwarders
C. Root hints
D. DNSSEC
E. CNAME records
F. SRV records
A. Public keys
D. DNSSEC
Explanation
To protect DNS from on-path attacks and ensure that zone transfers are mutually authenticated and secure, the security architect should configure DNSSEC and Public keys. DNSSEC (Domain Name System Security Extensions) provides protection against DNS spoofing by digitally signing DNS data to ensure its integrity. Public keys are crucial for mutual authentication during zone transfers, ensuring that only authorized parties can exchange DNS zone data. Together, these options help meet both the requirements of securing DNS queries and authenticating zone transfers with cryptographic integrity.
References: CASP+ CAS-004 Exam Objectives: Domain 3.0 Enterprise Security Architecture (DNS Security) CompTIA CASP+ Study Guide: DNSSEC Implementation and Use of Public Keys
Question 370:
A multinational organization was hacked, and the incident response team's timely action prevented a major disaster. Following the event, the team created an after-action report. Which of the following is the primary goal of an after-action review?
A. To gather evidence for subsequent legal action
B. To determine the identity of the attacker
C. To identify ways to improve the response process
D. To create a plan of action and milestones
C. To identify ways to improve the response process
Explanation
The primary goal of an after-action review (AAR) is to evaluate the response to an incident critically and identify what was done well and what could be improved. An AAR is a structured review or de-brief process for analyzing what happened, why it happened, and how it can be done better by the participants and those responsible for the project or event.