CAS-004 Exam Details

  • Exam Code: CAS-004
  • Exam Name: CompTIA Advanced Security Practitioner (CASP+)
  • Certification: CompTIA Certifications
  • Vendor: CompTIA
  • Total Questions: 792 Q&As
  • Last Updated: May 28, 2026

CompTIA CAS-004 Online Questions & Answers

  • Question 621:

    Which of the following terms refers to the delivery of encryption keys to a CASB or a third-party entity?

    A. Key sharing
    B. Key distribution
    C. Key recovery
    D. Key escrow

  • Question 622:

    An organization's board of directors has asked the Chief Information Security Officer to build a third-party management program.

    Which of the following best explains a reason for this request?

    A. Risk transference
    B. Supply chain visibility
    C. Support availability
    D. Vulnerability management

  • Question 623:

    A systems administrator is in the process of hardening the host systems before connecting to the network. The administrator wants to add protection to the boot loader to ensure the hosts are secure before the OS fully boots. Which of the following would provide the BEST boot loader protection?

    A. TPM
    B. HSM
    C. PKI
    D. UEFI/BIOS

  • Question 624:

    A company has instituted a new policy in which all outbound traffic must go over TCP ports 80 and 443 for all its managed mobile devices. No other IP traffic is allowed to be initiated from a device. Which of the following should the organization consider implementing to ensure internet access continues without interruption?

    A. CYOD
    B. MDM
    C. WPA3
    D. DoH

  • Question 625:

    An organization wants to implement an access control system based on its data classification policy that includes the following data types:

    Confidential, Restricted, Internal, Public

    The access control system should support SSO federation to map users into groups. Each group should only access systems that process and store data at the classification assigned to the group.

    Which of the following should the organization implement to enforce its requirements with minimal impact to systems and resources?

    A. A tagging strategy in which all resources are assigned a tag based on the data classification type, and a system that enforces attribute-based access control.
    B. Role-based access control that maps data types to internal roles, which are defined in the human resources department's source of truth system.
    C. Network microsegmentation based on data types, and a network access control system enforcing mandatory access control based on the user principal.
    D. A rule-based access control strategy enforced by the SSO system with rules managed by the internal LDAP and applied on a per-system basis.

  • Question 626:

    Company A is establishing a contractual relationship with Company B. The terms of the agreement are formalized in a document covering the payment terms, limitation of liability, and intellectual property rights. Which of the following documents will MOST likely contain these elements?

    A. Company A-B SLA v2.docx
    B. Company A OLA v1b.docx
    C. Company A MSA v3.docx
    D. Company A MOU v1.docx
    E. Company A-B NDA v03.docx

  • Question 627:

    A security engineer has learned that terminated employees' accounts are not being disabled. The termination dates are updated automatically in the human resources information system software by the appropriate human resources staff. Which of the following would best reduce risks to the organization?

    A. Exporting reports from the system on a weekly basis to disable terminated employees' accounts
    B. Granting permission to human resources staff to mark terminated employees' accounts as disabled
    C. Configuring allowed login times for all staff to only work during business hours
    D. Automating a process to disable the accounts by integrating Active Directory and human resources information systems

  • Question 628:

    An organization collects personal data from its global customers. The organization determines how that data is going to be used, why it is going to be used, and how it is manipulated for business processes. Which of the following will the organization need in order to comply with GDPR? (Choose two.)

    A. Data processor
    B. Data custodian
    C. Data owner
    D. Data steward
    E. Data controller
    F. Data manager

  • Question 629:

    A security engineer investigates an incident and determines that a rogue device is on the network. Further investigation finds that an employee's personal device has been set up to access company resources and does not comply with standard security controls. Which of the following should the security engineer recommend to reduce the risk of future reoccurrence?

    A. Require device certificates to access company resources.
    B. Enable MFA at the organization's SSO portal.
    C. Encrypt all workstation hard drives.
    D. Hide the company wireless SSID.

  • Question 630:

    A junior developer is informed about the impact of new malware on an Advanced RISC Machine (ARM) CPU, and the code must be fixed accordingly. Based on the debug, the malware is able to insert itself in another process memory location.

    Which of the following technologies can the developer enable on the ARM architecture to prevent this type of malware?

    A. Execute never
    B. No-execute
    C. Total memory encryption
    D. Virtual memory encryption

Tips on How to Prepare for the Exams

Certification exams are becoming more and more important, and more and more enterprises require them of job applicants. But how can you prepare for the exam effectively? How can you prepare in a short time with less effort? How can you get an ideal result, and where can you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CAS-004 exam preparation or CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions.