CompTIA CV0-004 Online Practice Questions and Exam Preparation

CompTIA CV0-004 Online Questions & Answers

• Question 141:

  A cross-site request forgery vulnerability exploited a web application that was hosted in a public laaS network. A security engineer determined that deploying a WAF in blocking mode at a CDN would prevent the application from being exploited again. However, a week after implementing the WAF, the application was exploited again. Which of the following should the security engineer do to make the WAF control effective?

  A. Configure the DDoS protection on the CDN.
  B. Install endpoint protection software on the VMs
  C. Add an ACL to the VM subnet.
  D. Deploy an IDS on the laaS network.
  C. Add an ACL to the VM subnet.

  ---

  Explanation

  After a WAF deployment fails to prevent an exploit, adding an Access Control List (ACL) to the Virtual Machine (VM) subnet can be an effective control. ACLs provide an additional layer of security by explicitly defining which traffic can or cannot enter a network segment. By setting granular rules based on IP addresses, protocols, and ports, ACLs help to restrict access to resources, thereby mitigating potential exploits and enhancing the security of the IaaS network.References: CompTIA Cloud+ materials cover governance, risk, compliance, and security for the cloud, including the implementation of network security controls like ACLs, to protect cloud environments from unauthorized access and potential security threats.

• Question 142:

  Which of the following requirements are core considerations when migrating a small business's on-premises applications to the cloud? (Select two).

  A. Availability
  B. Hybrid
  C. Testing
  D. Networking
  E. Compute
  F. Logs
  A. Availability
  D. Networking

  ---

  Explanation

  When migrating on-premises applications to the cloud for a small business, availability and networking are core considerations. Ensuring that applications are available and that the network is capable of handling the new cloud traffic are pivotal for a successful transition.References: The migration process and its core considerations, including availability and networking, are topics within the Business Principles of Cloud Environments in the CompTIA Cloud+ material.

• Question 143:

  A company experienced a data leak through its website. A security engineer, who is investigating the issue, runs a vulnerability scan against the website and receives the following output:

  

  Which of the following is the most likely cause of this leak?

  A. RTMP port open
  B. SQL injection
  C. Privilege escalation
  D. Insecure protocol
  D. Insecure protocol

  ---

  Explanation

  The data leak is most likely caused by the use of an insecure protocol. The vulnerability scan output shows that port 21/tcp for FTP (File Transfer Protocol) is open. FTP is known for transmitting data unencrypted, which could allow sensitive data to be intercepted during transfer.References: The security risks associated with the use of insecure or unencrypted protocols are covered under cloud security best practices in the CompTIA Cloud+ curriculum.

• Question 144:

  A cloud consultant needs to modernize a legacy application that can no longer address user demand and is expensive to maintain. Which of the following is the best migration strategy?

  A. Retain
  B. Rehost
  C. Refactor
  D. Replatform
  C. Refactor

  ---

  Explanation

  Refactoring is the process of restructuring existing computer code without changing its external behavior. In cloud computing, it often means modifying the application to better leverage cloud-native features and services. This can address user demand and reduce maintenance costs by making the application more scalable, resilient, and manageable.

  References: CompTIA Cloud+ Certification Study Guide (Exam CV0-004) by Scott Wilson and Eric Vanderburg

• Question 145:

  A systems administrator is configuring a storage system for maximum performance and redundancy. Which of the following storage technologies should the administrator use to achieve this?

  A. RAID 5
  B. RAID 6
  C. RAID 10
  D. RAID 50
  C. RAID 10

  ---

  Explanation

  The best storage technology to configure for maximum performance and redundancy is RAID 10 (Redundant Array of Independent Disks 10). RAID 10 is a combination of RAID 1 (mirroring) and RAID 0 (striping) that provides both fault tolerance and improved performance. RAID 10 divides and replicates the data across multiple disks in pairs, creating mirrored sets, and then stripes the data across those sets, creating a striped set. RAID 10 can withstand multiple disk failures as long as they are not in the same mirrored set, and can also increase the read and write speed by parallelizing the disk operations. Reference: [CompTIA Cloud+ Certification Exam Objectives], Domain 1.0 Configuration and Deployment, Objective 1.2 Given a scenario involving requirements for deploying an application in the cloud, select an appropriate solution design.

• Question 146:

  A cloud administrator is building a company-standard VM image, which will be based on a public image. Which of the following should the administrator implement to secure the image?

  A. ACLs
  B. Least privilege
  C. Hardening
  D. Vulnerability scanning
  C. Hardening

  ---

  Explanation

  Hardening a VM image involves implementing security measures to reduce vulnerabilities and protect against threats. This process includes removing unnecessary software, services, and permissions, ensuring that the remaining software is updated with the latest security patches, and configuring settings to enhance security. Starting with a public image, the administrator should apply hardening techniques to ensure the custom company-standard VM image is secure and resilient against attacks.

• Question 147:

  A customer relationship management application, which is hosted in a public cloud laaS network, is vulnerable to a remote command execution vulnerability.

  Which of the following is the best solution for the security engineer to implement to prevent the application from being exploited by basic attacks?

  A. IPS
  B. ACL
  C. DLP
  D. WAF
  D. WAF

  ---

  Explanation

  A Web Application Firewall (WAF) is the best solution to implement for a public cloud IaaS hosted customer relationship management application vulnerable to remote command execution attacks. WAFs are designed to monitor, filter, and block malicious HTTP/S traffic to and from a web application to protect against various application layer attacks, including remote command execution.

  References: CompTIA Cloud+ Study Guide (Exam CV0-004) - Chapter on Security in the Cloud

• Question 148:

  SIMULATION

  A company has decided to scale its e-commerce application from its corporate datacenter to a commercial cloud provider to meet an anticipated increase in demand during an upcoming holiday.

  The majority of the application load takes place on the application server under normal conditions. For this reason, the company decides to deploy additional application servers into a commercial cloud provider using the on-premises orchestration engine that installs and configures common software and network configurations.

  The remote computing environment is connected to the on-premises datacenter via a site-to-site IPSec tunnel. The external DNS provider has been configured to use weighted round-robin routing to load balance connections from the Internet.

  During testing, the company discovers that only 20% of connections completed successfully.

  INSTRUCTIONS

  Review the network architecture and supporting documents and fulfill these requirements:

  Part 1:

  1. Analyze the configuration of the following components: DNS, Firewall 1, Firewall 2, Router 1, Router 2, VPN and Orchestrator Server.

  2. Identify the problematic device(s).

  Part 2:

  1. Identify the correct options to provide adequate configuration for hybrid cloud architecture.

  2. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

  Part 1:

  Cloud Hybrid Network Diagram

  

  

  

  

  

  

  

  

  Part 2:

  Only select a maximum of TWO options from the multiple choice question

  A. Update the PSK (Pre-shared key) in Router 2.
  B. Update the A record on the DNS from 2.2.2.2 to 1.1.1.1.
  C. Promote deny All to allow All in Firewall 1 and Firewall 2.
  D. Change the Address Space on Router 2.
  E. Change internal IP Address of Router 1.
  F. Reverse the Weight property in the two CNAME records on the DNS.
  G. Add the Application Server at on-premises to the Load Balancer.
  A. Update the PSK (Pre-shared key) in Router 2.
  D. Change the Address Space on Router 2.

  ---

  Explanation

  Part 1: Router 2

  The problematic device is Router 2, which has an incorrect configuration for the IPSec tunnel. The IPSec tunnel is a secure connection between the on-premises datacenter and the cloud provider, which allows the traffic to flow between the two networks. The IPSec tunnel requires both endpoints to have matching parameters, such as the IP addresses, the pre-shared key (PSK), the encryption and authentication algorithms, and the security associations (SAs) .

  According to the network diagram and the configuration files, Router 2 has a different PSK and a different address space than Router 1. Router 2 has a PSK of "1234567890", while Router 1 has a PSK of "0987654321". Router 2 has an address space of 10.0.0.0/8, while Router 1 has an address space of 192.168.0.0/16. These mismatches prevent the IPSec tunnel from establishing and encrypting the traffic between the two networks. The other devices do not have any obvious errors in their configuration.

  The DNS provider has two CNAME records that point to the application servers in the cloud provider, with different weights to balance the load. The firewall rules allow the traffic from and to the application servers on port 80 and port 443, as well as the traffic from and to the VPN server on port 500 and port 4500. The orchestration server has a script that installs and configures the application servers in the cloud provider, using the DHCP server to assign IP addresses.

  Part 2:

  The correct options to provide adequate configuration for hybrid cloud architecture are:

  Update the PSK (Pre-shared key) in Router 2.

  Change the Address Space on Router 2.

  These options will fix the IPSec tunnel configuration and allow the traffic to flow between the on-premises datacenter and the cloud provider. The PSK should match the one on Router 1, which is "0987654321". The address space should also match the one on Router 1, which is 192.168.0.0/16.

• Question 149:

  A software engineer needs to transfer data over the internet using programmatic access while also being able to query the data. Which of the following will best help the engineer to complete this task?

  A. SQL
  B. Web sockets
  C. RPC
  D. GraphQL
  D. GraphQL

  ---

  Explanation

  GraphQL is the best option for transferring data over the internet with programmatic access and querying capabilities. It is a query language for APIs and a runtime for executing those queries with existing data, providing a more efficient, powerful, and flexible alternative to the REST API.

  References: Data transfer and querying methods are part of the technical knowledge associated with cloud computing, as included in CompTIA Cloud+.

• Question 150:

  A cloud engineer is designing a cloud-native, three-tier application. The engineer must adhere to the following security best practices:

  1. Minimal services should run on all layers of the stack.

  2. The solution should be vendor agnostic.

  3. Virealization could be used over physical hardware.

  Which of the following concepts should the engineer use to design the system to best meet these requirements?

  A. Virtual machine
  B. Micro services
  C. Fan-out
  D. Cloud-provided managed services
  B. Micro services

  ---

  Explanation

  Microservices architecture is the most suitable design principle that aligns with the security best practices mentioned. It involves developing a suite of small services, each running in its own process and communicating with lightweight mechanisms, often an HTTP resource API. This architecture minimizes the services running on each layer, allows for vendor-agnostic solutions,and is well-suited for virtualization over physical hardware. References: Microservices as an architectural approach is discussed in the context of cloud-native applications within the CompTIA Cloud+ material.