CompTIA CAS-004 Exam Practice Test Instant Access

Question 1

PKI can be used to support security requirements in the change management process. Which of the following capabilities does PKI provide for messages?

ANon-repudiation

BConfidentiality

CDelivery receipts

DAttestation

Answer : A

Non-repudiation ensures that a sender cannot deny having sent a message, achieved through digital signatures provided by PKI. This aligns with CASP+ objective 3.2, emphasizing cryptographic assurance in communication.

Question 2

A technology company developed an in-house chat application that is used only by developers. An open-source library within the application has been deprecated. The facts below are provided:

The cost of replacing this system is nominal.

The system provides no revenue to the business.

The system is not a critical part of the business.

Which of the following is the best risk mitigation strategy?

ATransfer the risk, since developers prefer using this chat application over alternatives.

BAccept the risk, since any system disruption will only impact developers.

CAvoid the risk by shutting down this application and migrating to another chat platform.

DMitigate the risk by purchasing an EDR and configuring network ACLs.

Answer : C

Shutting down and migrating to another platform is the most cost-effective and practical option. This avoids risks associated with the deprecated library. This aligns with CASP+ objective 1.3, which emphasizes practical risk mitigation strategies.

Question 3

A company has a BYOD policy and has configured remote-wiping capabilities to support security requirements. An executive has raised concerns about personal contacts and photos being deleted from personal devices when an employee is terminated. Which of the following is the best way to address these concerns?

AEnforce the use of the approved email client.

BRequire full device encryption.

CDisable geotagging on the devices.

DImplement containerization.

Answer : D

Containerization separates corporate data from personal data on BYOD devices. When an employee is terminated, only the corporate container is wiped, preserving personal data. This aligns with CASP+ objective 2.4, which emphasizes securing endpoint devices while respecting privacy.

Question 4

An organization wants to implement an access control system based on its data classification policy that includes the following data types:

Confidential

Restricted

Internal

Public

The access control system should support SSO federation to map users into groups. Each group should only access systems that process and store data at the classification assigned to the group. Which of the following should the organization implement to enforce its requirements with minimal impact to systems and resources?

AA tagging strategy in which all resources are assigned a tag based on the data classification type, and a system that enforces attribute-based access control.

BRole-based access control that maps data types to internal roles, which are defined in the human resources department's source of truth system.

CNetwork microsegmentation based on data types, and a network access control system enforcing mandatory access control based on the user principal.

DA rule-based access control strategy enforced by the SSO system with rules managed by the internal LDAP and applied on a per-system basis.

Answer : A

Attribute-Based Access Control (ABAC) with a tagging strategy allows flexible and granular access control based on resource classification and user attributes. This minimizes system impact and ensures compliance with data classification policies. This aligns with CASP+ objective 3.4, focusing on advanced access control mechanisms.

Question 5

A security engineer receives reports through the organization's bug bounty program about remote code execution in a specific component in a custom application. Management wants to properly secure the component and proactively avoid similar issues. Which of the following is the best approach to uncover additional vulnerable paths in the application?

AImplement fuzz testing focused on the component and inputs uncovered by the bug bounty program.

BLeverage a software composition analysis tool to find all known vulnerabilities in dependencies.

CUse a vulnerability scanner to perform multiple types of network scans to look for vulnerabilities.

DUtilize a network traffic analyzer to find malicious packet combinations that lead to remote code execution.

ERun an exploit framework with all payloads against the application to see if it is able to gain access.

Answer : A

Fuzz testing identifies vulnerabilities by providing unexpected or random input to the application, exposing edge cases and additional attack vectors. This aligns with CASP+ objective 1.5, emphasizing proactive vulnerability discovery techniques in application security.

Question 6

A recent audit discovered that multiple employees had been using their badges to walk through the secured data center to get to the employee break room. Most of the employees were given access during a previous project, but the access was not removed in a timely manner when the project was complete. Which of the following would reduce the likelihood of this scenario occurring again?

ACreate an automated quarterly attestation process that requires management approval for data center access and removes unapproved access.

BRequire all employees to sign an AUP that prohibits accessing the data center without an active service ticket number.

CRemove all access to the data center badge readers and only re-add employees with a valid business purpose for entering the floor.

DImplement time-of-day restrictions on the data center badge readers and create automated alerts for unapproved swipe attempts.

Answer : A

Implementing an automated quarterly attestation process ensures that access is reviewed and approved regularly. This prevents unauthorized or unnecessary access from persisting over time, aligning with CASP+ objective 1.6, which emphasizes continuous access control monitoring.

Question 7

A security analyst is reviewing the following output from a vulnerability scan of an organization's internet-facing web services:

* Line 06: Hostname sent via SNI does not match certificate.

* Line 10: Certificate not validated by OCSP.

* Line 13: Weak SHA-1 signature algorithm detected.

* Line 17: TLS 1.2 cipher suite negotiated.

* Line 18: SSL session not using forward secrecy.

Which of the following indicates a susceptibility whereby an attacker can take advantage of the trust relationship between the client and the server?

ALine 06

BLine 10

CLine 13

DLine 18

Answer : A

The mismatch between the hostname sent via SNI and the certificate undermines the trust relationship. Attackers can exploit this to conduct man-in-the-middle (MITM) attacks. This aligns with CASP+ objective 1.4, which addresses managing vulnerabilities in secure communication protocols.

________________________________________

CompTIA CAS-004 CompTIA Advanced Security Practitioner (CASP+) Exam Practice Test