Practice Free CAS-004 Exam Online Questions
A company is looking for a solution to hide data stored in databases.
The solution must meet the following requirements:
Be efficient at protecting the production environment
Not require any change to the application
Act at the presentation layer
Which of the following techniques should be used?
- A . Masking
- B . Tokenization
- C . Algorithmic
- D . Random substitution
A security engineer needs to recommend a solution that will meet the following requirements:
Identify sensitive data in the provider’s network
Maintain compliance with company and regulatory guidelines
Detect and respond to insider threats, privileged user threats, and compromised accounts Enforce datacentric security, such as encryption, tokenization, and access control
Which of the following solutions should the security engineer recommend to address these requirements?
- A . WAF
- B . CASB
- C . SWG
- D . DLP
D
Explanation:
DLP (data loss prevention) is a solution that can meet the following requirements: identify sensitive data in the provider’s network, maintain compliance with company and regulatory guidelines, detect and respond to insider threats, privileged user threats, and compromised accounts, and enforce data-centric security, such as encryption, tokenization, and access control. DLP can monitor, classify, and protect data in motion, at rest, or in use, and prevent unauthorized disclosure or exfiltration. WAF (web application firewall) is a solution that can protect web applications from common attacks, such as SQL injection or cross-site scripting, but it does not address the requirements listed. CASB (cloud access security broker) is a solution that can enforce policies and controls for accessing cloud services and applications, but it does not address the requirements listed. SWG (secure web gateway) is a solution that can monitor and filter web traffic to prevent malicious or unauthorized
access, but it does not address the requirements listed.
Verified Reference:
https://www.comptia.org/blog/what-is-data-loss-prevention https://partners.comptia.org/docs/default-source/resources/casp-content-guid
Which of the following is a risk associated with SDN?
- A . Expanded attack surface
- B . Increased hardware management costs
- C . Reduced visibility of scaling capabilities
- D . New firmware vulnerabilities
A
Explanation:
A risk associated with SDN is the expanded attack surface that it introduces. SDN is a network architecture that decouples the control plane from the data plane, allowing centralized and programmable management of network devices and traffic. However, this also exposes new attack vectors and vulnerabilities that can compromise the security and performance of the network.
For example, an attacker can target the SDN controller, which is the core component that communicates with and controls the network devices. A successful attack on the SDN controller can result in denial of service, unauthorized access, data leakage, or network hijacking. An attacker can also exploit the communication channels between the SDN controller and the network devices, such as the OpenFlow protocol, to intercept, modify, or inject malicious messages or commands. Additionally, an attacker can leverage malicious or compromised applications that run on top of the SDN controller to manipulate or disrupt the network behavior.
Verified Reference:
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-4/benefits-and-the-security-risk-of-software-defined-networking
https://link.springer.com/article/10.1007/s40860-022-00171-8
A security architect is given the following requirements to secure a rapidly changing enterprise with an increasingly distributed and remote workforce
• Cloud-delivered services
• Full network security stack
• SaaS application security management
• Minimal latency for an optimal user experience
• Integration with the cloud 1AM platform
Which of the following is the BEST solution?
- A . Routing and Remote Access Service (RRAS)
- B . NGFW
- C . Managed Security Service Provider (MSSP)
- D . SASE
A compliance officer is responsible for selecting the right governance framework to protect individuals’ data.
Which of the following is the appropriate framework for the company to consult when collecting international user data for the purpose of processing credit cards?
- A . ISO 27001
- B . COPPA
- C . NIST 800-53
- D . PCI DSS
D
Explanation:
PCI DSS (Payment Card Industry Data Security Standard) is the most appropriate governance framework when collecting and processing credit card data, including international user data. PCI DSS establishes security standards for organizations that handle payment card transactions and ensures the protection of cardholder data globally. The other options, such as ISO 27001 and NIST 800-53, provide general security frameworks, but PCI DSS is specifically designed for payment card security, which is critical when handling credit card information. CASP+ emphasizes the role of PCI DSS in ensuring the secure handling of payment data.
Reference: CASP+ CAS-004 Exam Objectives: Domain 1.0 C Risk Management (PCI DSS Compliance for Payment Systems)
CompTIA CASP+ Study Guide: Payment Systems Security and PCI DSS
A new web server must comply with new secure-by-design principles and PCI DSS. This includes mitigating the risk of an on-path attack.
A security analyst is reviewing the following web server configuration:
Which of the following ciphers should the security analyst remove to support the business requirements?
- A . TLS_AES_128_CCM_8_SHA256
- B . TLS_DHE_DSS_WITH_RC4_128_SHA
- C . TLS_CHACHA20_POLY1305_SHA256
- D . TLS_AES_128_GCM_SHA256
B
Explanation:
The security analyst should remove the cipher TLS_DHE_DSS_WITH_RC4_128_SHA to support the business requirements, as it is considered weak and vulnerable to on-path attacks. RC4 is an outdated stream cipher that has been deprecated by major browsers and protocols due to its flaws and weaknesses. The other ciphers are more secure and compliant with secure-by-design principles and PCI DSS.
Verified Reference:
https://www.comptia.org/blog/what-is-a-cipher https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A SIEM generated an alert after a third-party database administrator, who had recently been granted temporary access to the repository, accessed business-sensitive content in the database. The SIEM had generated similar alerts before this incident.
Which of the following best explains the cause of
the alert?
- A . Database field tokenization
- B . Database decoy
- C . Database activity monitoring
- D . Database integrity enforcement
C
Explanation:
Step by Step
Database activity monitoring (DAM) tracks user actions within databases and generates alerts for anomalous behavior, such as unauthorized access to sensitive content. Database field tokenization protects sensitive data but does not monitor access.
Database decoy involves creating fake data to detect misuse but is unrelated to monitoring.
Database integrity enforcement ensures data accuracy but does not generate access alerts.
Reference: CASP+ Exam Objectives 3.1 C Monitor and analyze logs for unauthorized access.
During a software assurance assessment, an engineer notices the source code contains multiple instances of strcpy. which does not verify the buffer length.
Which of the following solutions should be integrated into the SDLC process to reduce future risks?
- A . Require custom IDS/IPS detection signatures for each type of insecure function found.
- B . Perform a penetration test before moving to the next step of the SDLC.
- C . Update the company’s secure coding policy to exclude insecure functions.
- D . Perform DAST/SAST scanning before handoff to another team.
C
Explanation:
The source code in this scenario uses insecure functions like strcpy which are known for not checking buffer sizes, leading to buffer overflow vulnerabilities. The most effective solution is to update the company’s secure coding policy to prohibit the use of insecure functions and replace them with safer alternatives, such as strncpy, which enforces buffer length checks. Integrating this change into the Software Development Life Cycle (SDLC) ensures that future code adheres to secure practices, thereby reducing the risk of vulnerabilities being introduced into production systems. This approach aligns with CASP+ guidelines that emphasize secure coding practices and policies to prevent common security flaws in software development.
Reference: CASP+ CAS-004 Exam Objectives: Domain 2.0 C Enterprise Security Operations (Secure Coding Standards)
CompTIA CASP+ Study Guide: Secure Coding and Prevention of Buffer Overflows
During a software assurance assessment, an engineer notices the source code contains multiple instances of strcpy. which does not verify the buffer length.
Which of the following solutions should be integrated into the SDLC process to reduce future risks?
- A . Require custom IDS/IPS detection signatures for each type of insecure function found.
- B . Perform a penetration test before moving to the next step of the SDLC.
- C . Update the company’s secure coding policy to exclude insecure functions.
- D . Perform DAST/SAST scanning before handoff to another team.
C
Explanation:
The source code in this scenario uses insecure functions like strcpy which are known for not checking buffer sizes, leading to buffer overflow vulnerabilities. The most effective solution is to update the company’s secure coding policy to prohibit the use of insecure functions and replace them with safer alternatives, such as strncpy, which enforces buffer length checks. Integrating this change into the Software Development Life Cycle (SDLC) ensures that future code adheres to secure practices, thereby reducing the risk of vulnerabilities being introduced into production systems. This approach aligns with CASP+ guidelines that emphasize secure coding practices and policies to prevent common security flaws in software development.
Reference: CASP+ CAS-004 Exam Objectives: Domain 2.0 C Enterprise Security Operations (Secure Coding Standards)
CompTIA CASP+ Study Guide: Secure Coding and Prevention of Buffer Overflows
During a system penetration test, a security engineer successfully gained access to a shell on a Linux host as a standard user and wants to elevate the privilege levels.
Which of the following is a valid Linux post-exploitation method to use to accomplish this goal?
- A . Spawn a shell using sudo and an escape string such as sudo vim -c ‘!sh’.
- B . Perform ASIC password cracking on the host.
- C . Read the /etc/passwd file to extract the usernames.
- D . Initiate unquoted service path exploits.
- E . Use the UNION operator to extract the database schema.
A
Explanation:
Reference: https://docs.rapid7.com/insightvm/elevating-permissions/
Spawning a shell using sudo and an escape string is a valid Linux post-exploitation method that can exploit a misconfigured sudoers file and allow a standard user to execute commands as root. ASIC password cracking is used to break hashed passwords, not to elevate privileges. Reading the /etc/passwd file may reveal usernames, but not passwords or privileges. Unquoted service path exploits are applicable to Windows systems, not Linux. Using the UNION operator is a SQL injection technique, not a Linux post-exploitation method.
Verified Reference:
https://www.comptia.org/blog/what-is-post-exploitation
https://partners.comptia.org/docs/default-source/resources/casp-content-guide