Practice Free CAS-004 Exam Online Questions
The primary advantage of an organization creating and maintaining a vendor risk registry is to:
- A . define the risk assessment methodology.
- B . study a variety of risks and review the threat landscape.
- C . ensure that inventory of potential risk is maintained.
- D . ensure that all assets have low residual risk.
C
Explanation:
The primary advantage of creating and maintaining a vendor risk registry is to ensure that an inventory of potential risks is maintained. A vendor risk registry helps organizations keep track of the risks associated with third-party vendors, especially as they may introduce vulnerabilities or non-compliance issues. By maintaining this registry, the organization can continuously monitor and manage vendor-related risks in a structured way, improving its overall security posture. CASP+ emphasizes the importance of vendor risk management in an organization’s broader risk management strategy.
Reference: CASP+ CAS-004 Exam Objectives: Domain 1.0 - Risk Management (Vendor Risk Management)
CompTIA CASP+ Study Guide: Third-Party Risk Management and Risk Registries
Despite the fact that ten new API servers were added, the load across servers was heavy at peak times.
Which of the following infrastructure design changes would be BEST for the organization to implement to avoid these issues in the future?
- A . Serve static content via distributed CDNs, create a read replica of the central database and pull reports from there, and auto-scale API servers based on performance.
- B . Increase the bandwidth for the server that delivers images, use a CDN, change the database to a non-relational database, and split the ten API servers across two load balancers.
- C . Serve images from an object storage bucket with infrequent read times, replicate the database across different regions, and dynamically create API servers based on load.
- D . Serve static-content object storage across different regions, increase the instance size on the managed relational database, and distribute the ten API servers across multiple regions.
A
Explanation:
This solution would address the three issues as follows:
Serving static content via distributed CDNs would reduce the latency for international users by delivering images from the nearest edge location to the user’s request.
Creating a read replica of the central database and pulling reports from there would offload the read-intensive workload from the primary database and avoid affecting the inventory data for order placement.
Auto-scaling API servers based on performance would dynamically adjust the number of servers to match the demand and balance the load across them at peak times.
A multinational organization was hacked, and the incident response team's timely action prevented a major disaster. Following the event, the team created an after-action report.
Which of the following is the primary goal of an after action review?
- A . To gather evidence for subsequent legal action
- B . To determine the identity of the attacker
- C . To identify ways to improve the response process
- D . To create a plan of action and milestones
C
Explanation:
The primary goal of an after-action review (AAR) is to critically evaluate the response to an incident and identify what was done well and what could be improved. An AAR is a structured review or debrief process for analyzing what happened, why it happened, and how it can be done better by the participants and those responsible for the project or event.
A security officer is requiring all personnel working on a special project to obtain a security clearance requisite with the level of all information being accessed. Data on this network must be protected at the same level as each clearance holder. The need to know must be validated by the data owner.
Which of the following should the security officer do to meet these requirements?
- A . Create a rule to authorize personnel only from certain IPs to access the files
- B . Assign labels to the files and require formal access authorization
- C . Assign attributes to each file and allow authorized users to share the files
- D . Assign roles to users and authorize access to files based on the roles
B
Explanation:
Labeling files and requiring formal access authorization is a method that aligns with the principle of least privilege and the need-to-know basis. By assigning labels to files based on their sensitivity and requiring formal access approval from the data owner, the security officer can ensure that only personnel with the necessary clearance and a legitimate need to access the information can do so. This approach helps in maintaining data confidentiality and integrity in line with the project’s security requirements.
A security analyst is using data provided from a recent penetration test to calculate CVSS scores to prioritize remediation.
Which of the following metric groups would the analyst need to determine to get the overall scores? (Select THREE).
- A . Temporal
- B . Availability
- C . Integrity
- D . Confidentiality
- E . Base
- F . Environmental
- G . Impact
- H . Attack vector
A,E,F
Explanation:
The three metric groups that are needed to calculate CVSS scores are Base, Temporal, and Environmental. The Base metrics represent the intrinsic characteristics of a vulnerability that are constant over time and across user environments. The Temporal metrics represent the characteristics of a vulnerability that may change over time but not across user environments. The Environmental metrics represent the characteristics of a vulnerability that are relevant and unique to a particular user’s environment.
Verified Reference:
https://nvd.nist.gov/vuln-metrics/cvss
https://www.first.org/cvss/specification-document
Due to internal resource constraints, the management team has asked the principal security architect to recommend a solution that shifts most of the responsibility for application-level controls to the cloud provider.
In the shared responsibility model, which of the following levels of service meets this requirement?
- A . IaaS
- B . SaaS
- C . FaaS
- D . PaaS
Which of the following is a benefit of using steganalysis techniques in forensic response?
- A . Breaking a symmetric cipher used in secure voice communications
- B . Determining the frequency of unique attacks against DRM-protected media
- C . Maintaining chain of custody for acquired evidence
- D . Identifying least significant bit encoding of data in a .wav file
D
Explanation:
Steganalysis is the process of detecting hidden data in files or media, such as images, audio, or video. One technique of steganalysis is to identify least significant bit encoding, which is a method of hiding data by altering the least significant bits of each byte in a file. For example, a .wav file could contain hidden data encoded in the least significant bits of each audio sample. Steganalysis techniques can help forensic responders to discover hidden evidence or malicious payloads. Breaking a symmetric cipher, determining the frequency of attacks, or maintaining chain of custody are not related to steganalysis.
Verified Reference:
https://www.comptia.org/blog/what-is-steganography
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A user in the finance department uses a laptop to store a spreadsheet that contains confidential financial information for the company.
Which of the following would be the best way to protect the file while the user brings the laptop between locations? (Select two).
- A . Encrypt the hard drive with full disk encryption.
- B . Back up the file to an encrypted flash drive.
- C . Place an ACL on the file to only allow access to specified users.
- D . Store the file in the user profile.
- E . Place an ACL on the file to deny access to everyone.
- F . Enable access logging on the file.
A,B
Explanation:
To protect confidential financial information on a laptop that is frequently moved between locations, full disk encryption (FDE) is a strong security measure that ensures that all data on the hard drive is encrypted. This means that if the laptop is lost or stolen, the data remains inaccessible without the encryption key. Additionally, backing up the file to an encrypted flash drive provides an extra layer of security and ensures that there is a secure copy of the file in case the laptop is compromised.
An organization has a secure manufacturing facility that is approximately 10 mi (16 km) away from its corporate headquarters. The organization's management team is concerned about being able to track personnel who utilize the facility.
Which of the following would best help to prevent staff from being tracked?
- A . Ensuring that all staff use covered parking so they cannot be seen from outside the perimeter.
- B . Configuring geofencing to disable mobile devices and wearable devices near the secure facility.
- C . Constructing a tunnel between headquarters and the facility to allow more secure access.
- D . Enforcing physical security controls like access control vestibules and appropriate fencing.
B
Explanation:
Geofencing to disable mobile and wearable devices prevents the tracking of staff by disabling GPS and other location-based services. This measure aligns with CASP+ objective 3.2, which includes protecting sensitive facilities against surveillance and unauthorized tracking.
A company recently migrated its critical web application to a cloud provider’s environment. As part of the company’s risk management program, the company intends to conduct an external penetration test. According to the scope of work and the rules of engagement, the penetration tester will validate the web application’s security and check for opportunities to expose sensitive company information in the newly migrated cloud environment.
Which of the following should be the first consideration prior to engaging in the test?
- A . Prepare a redundant server to ensure the critical web application’s availability during the test.
- B . Obtain agreement between the company and the cloud provider to conduct penetration testing.
- C . Ensure the latest patches and signatures are deployed on the web server.
- D . Create an NDA between the external penetration tester and the company.
B
Explanation:
Before conducting a penetration test in a cloud environment, it is critical to first obtain permission from the cloud service provider. Cloud providers often have strict rules about penetration testing to avoid unintended service disruptions or violations of service agreements. Without this agreement, the company could face legal or operational consequences. This aligns with CASP+ best practices, which emphasize the importance of securing approval and understanding shared responsibility models in cloud environments before engaging in security testing.
Reference: CASP+ CAS-004 Exam Objectives: Domain 1.0 - Risk Management (Penetration Testing in Cloud Environments)
CompTIA CASP+ Study Guide: Cloud Security and Legal Considerations for Penetration Testing