Practice Free CAS-004 Exam Online Questions
A security architect discovers the following page while testing a website for vulnerabilities:
404 – page not found: /gy67162
The page you have requested is not available on this server.
Apache Tomcat 7.0.52
Which of the following best describes why this issue should be corrected?
- A . The website is generating a server error.
- B . The URL for this page can be used for directory traversal.
- C . The website fuzzing tool has overloaded the server’s capacity.
- D . The information can be used for more targeted attacks.
D
Explanation:
Step by Step
The information disclosed in the error message (e.g., "Apache Tomcat 7.0.52") provides attackers insights into the software version, which may have known vulnerabilities.
Correcting this issue ensures that attackers cannot use the disclosed information to tailor more sophisticated or targeted attacks.
Best practices include suppressing unnecessary error details to mitigate the risk of information disclosure.
Reference: CASP+ Exam Objectives 5.3 – Mitigate vulnerabilities related to service information leakage.
A company based in the United States holds insurance details of EU citizens.
Which of the following must be adhered to when processing EU citizens’ personal, private, and confidential data?
- A . The principle of lawful, fair, and transparent processing
- B . The right to be forgotten principle of personal data erasure requests
- C . The non-repudiation and deniability principle
- D . The principle of encryption, obfuscation, and data masking
hgQ43jsu23Ly.com
Which of the following should the analyst do next?
- A . Check for data exfiltration.
- B . Reconfigure the server’s DNS settings.
- C . Browse for a website on the requested domain.
- D . Add the host names to a block list.
A
Explanation:
Step by Step
A high volume of DNS queries to unknown domains may indicate domain generation algorithm (DGA) activity associated with malware.
Checking for data exfiltration is the next logical step to determine if sensitive data is being leaked to these domains.
Reconfiguring DNS settings, browsing unknown domains, or blocking the domains are reactive steps that do not address the root cause.
Reference: CASP+ Exam Objectives 3.1 – Analyze indicators of compromise to determine data exfiltration risks.
Which of the following security features do email signatures provide?
- A . Non-repudiation
- B . Body encryption
- C . Code signing
- D . Sender authentication
- E . Chain of custody
A
Explanation:
Email signatures provide non-repudiation, which ensures that the sender of an email cannot deny having sent it. A digital signature, when attached to an email, uses cryptographic techniques to verify the sender’s identity and confirm the authenticity of the message. This feature helps establish trust by preventing tampering and ensuring the integrity of the communication. CASP+ emphasizes the role of digital signatures in ensuring non-repudiation in secure communication protocols.
Reference: CASP+ CAS-004 Exam Objectives: Domain 2.0 – Enterprise Security Operations (Non-repudiation and Digital Signatures)
CompTIA CASP+ Study Guide: Email Security and Non-repudiation with Digital Signatures
A security administrator is trying to securely provide public access to specific data from a web application.
Clients who want to access the application will be required to:
• Only allow the POST and GET options.
• Transmit all data secured with TLS 1.2 or greater.
• Use specific URLs to access each type of data that is requested.
• Authenticate with a bearer token.
Which of the following should the security administrator recommend to meet these requirements?
- A . API gateway
- B . Application load balancer
- C . Web application firewall
- D . Reverse proxy
A
Explanation:
An API gateway is the best solution to meet the specified requirements for securely providing public access to specific data. An API gateway allows the administrator to control HTTP methods like POST and GET, ensure secure transmission via TLS 1.2 or greater, and enforce authentication using bearer tokens. It also allows access control by specifying URLs for different types of data. API gateways centralize security and traffic management for APIs, making them ideal for this type of secure access scenario. CASP+ emphasizes the importance of API gateways in managing and securing web application interfaces.
Reference: CASP+ CAS-004 Exam Objectives: Domain 3.0 – Enterprise Security Architecture (API Security and API Gateways)
CompTIA CASP+ Study Guide: Securing Web Application Interfaces with API Gateways
A security administrator is setting up a virtualization solution that needs to run services from a single host. Each service should be the only one running in its environment. Each environment needs to have its own operating system as a base but share the kernel version and properties of the running host.
Which of the following technologies would best meet these requirements?
- A . Containers
- B . Type 1 hypervisor
- C . Type 2 hypervisor
- D . Virtual desktop infrastructure
- E . Emulation
A
Explanation:
The most appropriate technology for this virtualization solution is containers. Containers allow multiple services to run on a single host in isolated environments while sharing the kernel version and properties of the host operating system. Each container carries its own user-space operating system image (libraries, binaries and configuration) and runs independently of the others, which meets the requirement for separate environments that each have their own OS base. Containers are more lightweight than full hypervisors and are ideal for running microservices in isolated environments. CASP+ emphasizes the use of containers in scenarios where services need to be isolated but share the same host OS kernel.
Reference: CASP+ CAS-004 Exam Objectives: Domain 3.0 – Enterprise Security Architecture (Virtualization Technologies, Containers)
CompTIA CASP+ Study Guide: Virtualization and Containerization for Isolated Services
After installing an unapproved application on a personal device, a Chief Executive Officer reported an incident to a security analyst. This device is not controlled by the MDM solution, as stated in the BYOD policy. However, the device contained critical confidential information.
The cyber incident response team performed the analysis on the device and found the following log:
Which of the following is the most likely reason for the successful attack?
- A . Lack of MDM controls
- B . Auto-join hotspots enabled
- C . Sideloading
- D . Lack of application segmentation
A
Explanation:
A lack of Mobile Device Management (MDM) controls can lead to successful attacks because MDM solutions provide the ability to enforce security policies, remotely wipe sensitive data, and manage software updates, which can prevent unauthorized access and protect corporate data. Without MDM, personal devices are more vulnerable to security risks.
An engineering team has deployed a new VPN service that requires client certificates to be used in order to successfully connect.
On iOS devices, however, the following error occurs after importing the .p12 certificate file:
mbedTLS: ca certificate undefined
Which of the following is the root cause of this issue?
- A . iOS devices have an empty root certificate chain by default.
- B . OpenSSL is not configured to support PKCS#12 certificate files.
- C . The VPN client configuration is missing the CA private key.
- D . The iOS keychain imported only the client public and private keys.
D
Explanation:
The root cause of this issue is that the iOS keychain imported only the client public and private keys, but not the CA certificate. A PKCS#12 file (.p12 or .pfx) is a file format that contains a certificate and its private key, optionally protected by a password. A PKCS#12 file can also contain intermediate certificates or root certificates that are needed to verify the certificate chain. However, when importing a PKCS#12 file into the iOS keychain, only the certificate and its private key are imported, not the CA certificate. This means that the iOS device cannot verify the authenticity of the certificate, and displays the error message “mbedTLS: ca certificate undefined”. To fix this issue, the CA certificate needs to be imported separately into the iOS keychain, either manually or using a configuration profile.
Verified Reference:
https://developer.apple.com/documentation/devicemanagement/certificatepkcs12
https://support.apple.com/guide/deployment/distribute-certificates-depcdc9a6a3f/web
https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/