CompTIA CAS-004 Exam Practice Test Instant Access

Question 1

A new VM server (Web Server C) was spun up in the cloud and added to the load balancer to an existing web application (Application A) that does not require internet access. Sales users are reporting intermittent issues with this application when processing orders that require access to the warehouse department.

Given the following information:

Firewall rules: Existing rules do not account for Web Server C's IP address (10.2.0.92).

Application A Security Group: Inbound rules and outbound rules are insufficient for the new server.

The security team wants to minimize the firewall rule set by avoiding specific host rules whenever possible. Which of the following actions must be taken to resolve the issue and meet the security team's requirements?

AReconfigure Web Server C to 10.2.0.62

BModify the firewall rules to include the new IP address of Web Server C

CAlter the security group outbound rules to be more restrictive

DChange the security group inbound rules to include the new IP address of Web Server C

Answer : B

Comprehensive and Detailed Step by Step

The issue stems from Web Server C's new IP (10.2.0.92) not being included in the firewall rules.

To resolve the issue, modify the firewall rules to include the new IP range (e.g., 10.2.0.0/26) rather than adding a specific host rule, ensuring scalability and simplicity.

Changing inbound or outbound security group rules would still miss the underlying issue of omitted IPs.

Reconfiguring the IP is unnecessary when updating firewall rules is sufficient.

CompTIA CASP+ Exam Objective 2.2: Implement network security solutions.

CASP+ Study Guide, 5th Edition, Chapter 7, Network Security.

Question 2

A software development company is implementing a SaaS-based password vault for customers to use. The requirements for the password vault include:

Vault encryption using a variable block and key size

Resistance to brute-force attacks

Which of the following should be implemented to meet these requirements? (Select two.)

APBKDF2

BRC5

CAES

DP256

EECDSA

FRIPEMD

Answer : A, C

Comprehensive and Detailed Step by Step

PBKDF2 (Password-Based Key Derivation Function 2) strengthens passwords against brute-force attacks.

AES (Advanced Encryption Standard) supports variable block and key sizes, making it ideal for secure encryption.

RC5, P256, and ECDSA are not relevant to password vault requirements.

RIPEMD is a hashing algorithm and does not meet the criteria for encryption or brute-force resistance.

CompTIA CASP+ Exam Objective 2.1: Implement cryptographic technologies.

CASP+ Study Guide, 5th Edition, Chapter 9, Cryptographic Tools.

Question 3

A company is developing a new service product offering that will involve the storage of personal health information. The Chief Information Security Officer (CISO) is researching the relevant compliance regulations. Which of the following best describes the CISO's action?

AData retention

BData classification

CDue diligence

DReference framework

Answer : C

Comprehensive and Detailed Step by Step

Due diligence involves researching and understanding regulatory requirements (e.g., HIPAA) to ensure compliance for handling sensitive data like personal health information.

Data retention refers to how long data is stored, not compliance research.

Data classification organizes data by sensitivity but is not specific to compliance research.

Reference frameworks provide guidelines for implementation but are not directly about research.

CompTIA CASP+ Exam Objective 1.1: Analyze business and compliance requirements.

CASP+ Study Guide, 5th Edition, Chapter 2, Legal and Regulatory Compliance.

Question 4

A security analyst is evaluating all third-party software an organization uses. The analyst discovers that each department is violating the organization's policy by provisioning access to SaaS products without oversight from the security group and without using a centralized access control methodology. Which of the following should the organization use to enforce its SaaS product access requirements?

ASLDAP

BSAML

CVDI

DTACACS

Answer : B

Comprehensive and Detailed Step by Step

SAML (Security Assertion Markup Language) is a standard for single sign-on (SSO) that provides centralized authentication and authorization, ensuring SaaS access is governed by organizational policies.

SLDAP (Secure LDAP) focuses on directory services but does not centralize SaaS product access.

VDI (Virtual Desktop Infrastructure) is unrelated to SaaS authentication.

TACACS (Terminal Access Controller Access-Control System) is more suited for network devices.

CompTIA CASP+ Exam Objective 2.3: Implement authentication and authorization technologies.

CASP+ Study Guide, 5th Edition, Chapter 6, Identity and Access Management.

Question 5

An organization handles sensitive information that must be displayed on call center technicians' screens to verify the identities of remote callers. The technicians use three randomly selected fields of information to complete the identity verification. Some of the fields contain PII that are unique identifiers for the remote callers. Which of the following should be implemented to identify remote callers while also reducing the risk that technicians could improperly use the identification information?

AData masking

BEncryption

CTokenization

DScrubbing

Answer : A

Comprehensive and Detailed Step by Step

Data masking obscures sensitive data displayed on screens, such as masking certain characters (e.g., showing *** for parts of SSNs).

It allows legitimate use while protecting the data from being misused or stolen.

Encryption is unrelated because it protects data in transit or at rest but does not address how it is displayed.

Tokenization replaces data with a token but is more relevant for storage and transactional systems, not screen data.

Scrubbing refers to cleansing datasets but does not address this scenario.

CompTIA CASP+ Exam Objective 3.4: Implement controls to reduce privacy and information risks.

CASP+ Study Guide, 5th Edition, Chapter 8, Privacy Controls.

Question 6

A security analyst and a DevOps engineer are working together to address configuration drifts in highly scalable systems that are leading to increased vulnerability findings. Which of the following recommendations would be best to eliminate this issue?

AUsing a baseline configuration manager for deployment

BDeploying an immutable infrastructure through containers

CEliminating false positives from the vulnerability scans

DPerforming continuous audits of the patching status

Answer : B

Immutable infrastructure through containers ensures that the deployed systems remain consistent and resistant to drift. Any changes require rebuilding and redeploying containers, eliminating configuration inconsistencies. This aligns with CASP+ objective 2.2, which emphasizes implementing scalable, secure system configurations.

________________________________________

Question 7

In support of disaster recovery objectives, a third party agreed to provide 99.999% uptime. Recently, a hardware failure impacted a firewall without service degradation. Which of the following resiliency concepts was most likely in place?

AClustering

BHigh availability

CRedundancy

DReplication

Answer : B

High availability ensures continuous operation despite hardware failures by leveraging redundant components like clustered firewalls or failover systems. This aligns with CASP+ objective 3.1, which focuses on implementing availability and redundancy mechanisms in disaster recovery planning.

________________________________________

CompTIA CAS-004 CompTIA Advanced Security Practitioner (CASP+) Exam Practice Test