CompTIA CAS-004 Exam Practice Test Instant Access

Question 1

A new VM server (Web Server C) was spun up in the cloud and added to the load balancer to an existing web application (Application A) that does not require internet access. Sales users are reporting intermittent issues with this application when processing orders that require access to the warehouse department.

Given the following information:

Firewall rules: Existing rules do not account for Web Server C's IP address (10.2.0.92).

Application A Security Group: Inbound rules and outbound rules are insufficient for the new server.

The security team wants to minimize the firewall rule set by avoiding specific host rules whenever possible. Which of the following actions must be taken to resolve the issue and meet the security team's requirements?

AReconfigure Web Server C to 10.2.0.62

BModify the firewall rules to include the new IP address of Web Server C

CAlter the security group outbound rules to be more restrictive

DChange the security group inbound rules to include the new IP address of Web Server C

Answer : B

Comprehensive and Detailed Step by Step

The issue stems from Web Server C's new IP (10.2.0.92) not being included in the firewall rules.

To resolve the issue, modify the firewall rules to include the new IP range (e.g., 10.2.0.0/26) rather than adding a specific host rule, ensuring scalability and simplicity.

Changing inbound or outbound security group rules would still miss the underlying issue of omitted IPs.

Reconfiguring the IP is unnecessary when updating firewall rules is sufficient.

CompTIA CASP+ Exam Objective 2.2: Implement network security solutions.

CASP+ Study Guide, 5th Edition, Chapter 7, Network Security.

Question 2

A software development company is implementing a SaaS-based password vault for customers to use. The requirements for the password vault include:

Vault encryption using a variable block and key size

Resistance to brute-force attacks

Which of the following should be implemented to meet these requirements? (Select two.)

APBKDF2

BRC5

CAES

DP256

EECDSA

FRIPEMD

Answer : A, C

Comprehensive and Detailed Step by Step

PBKDF2 (Password-Based Key Derivation Function 2) strengthens passwords against brute-force attacks.

AES (Advanced Encryption Standard) supports variable block and key sizes, making it ideal for secure encryption.

RC5, P256, and ECDSA are not relevant to password vault requirements.

RIPEMD is a hashing algorithm and does not meet the criteria for encryption or brute-force resistance.

CompTIA CASP+ Exam Objective 2.1: Implement cryptographic technologies.

CASP+ Study Guide, 5th Edition, Chapter 9, Cryptographic Tools.

Question 3

A company is developing a new service product offering that will involve the storage of personal health information. The Chief Information Security Officer (CISO) is researching the relevant compliance regulations. Which of the following best describes the CISO's action?

AData retention

BData classification

CDue diligence

DReference framework

Answer : C

Comprehensive and Detailed Step by Step

Due diligence involves researching and understanding regulatory requirements (e.g., HIPAA) to ensure compliance for handling sensitive data like personal health information.

Data retention refers to how long data is stored, not compliance research.

Data classification organizes data by sensitivity but is not specific to compliance research.

Reference frameworks provide guidelines for implementation but are not directly about research.

CompTIA CASP+ Exam Objective 1.1: Analyze business and compliance requirements.

CASP+ Study Guide, 5th Edition, Chapter 2, Legal and Regulatory Compliance.

Question 4

A security analyst is evaluating all third-party software an organization uses. The analyst discovers that each department is violating the organization's policy by provisioning access to SaaS products without oversight from the security group and without using a centralized access control methodology. Which of the following should the organization use to enforce its SaaS product access requirements?

ASLDAP

BSAML

CVDI

DTACACS

Answer : B

Comprehensive and Detailed Step by Step

SAML (Security Assertion Markup Language) is a standard for single sign-on (SSO) that provides centralized authentication and authorization, ensuring SaaS access is governed by organizational policies.

SLDAP (Secure LDAP) focuses on directory services but does not centralize SaaS product access.

VDI (Virtual Desktop Infrastructure) is unrelated to SaaS authentication.

TACACS (Terminal Access Controller Access-Control System) is more suited for network devices.

CompTIA CASP+ Exam Objective 2.3: Implement authentication and authorization technologies.

CASP+ Study Guide, 5th Edition, Chapter 6, Identity and Access Management.

Question 5

An organization handles sensitive information that must be displayed on call center technicians' screens to verify the identities of remote callers. The technicians use three randomly selected fields of information to complete the identity verification. Some of the fields contain PII that are unique identifiers for the remote callers. Which of the following should be implemented to identify remote callers while also reducing the risk that technicians could improperly use the identification information?

AData masking

BEncryption

CTokenization

DScrubbing

Answer : A

Comprehensive and Detailed Step by Step

Data masking obscures sensitive data displayed on screens, such as masking certain characters (e.g., showing *** for parts of SSNs).

It allows legitimate use while protecting the data from being misused or stolen.

Encryption is unrelated because it protects data in transit or at rest but does not address how it is displayed.

Tokenization replaces data with a token but is more relevant for storage and transactional systems, not screen data.

Scrubbing refers to cleansing datasets but does not address this scenario.

CompTIA CASP+ Exam Objective 3.4: Implement controls to reduce privacy and information risks.

CASP+ Study Guide, 5th Edition, Chapter 8, Privacy Controls.

Question 6

A software developer must choose encryption algorithms to secure two parts of a mobile application. Given the following part descriptions and requirements:

* The first part of the application is used to transfer large files and must support file parts with transfer start/stop/resume. This part requires strong file encryption.

* The second part of the application uses a bit stream to continuously authenticate both ends of the connection. This part must implement confidentiality for the stream.

Which of the following encryption algorithms should the developer implement in the code to support both parts of the application? (Select two).

AP384

BECDSA

CRC5

DChaCha20

Ebcrypt

FRIPEMD

Answer : D, F

* ChaCha20: A stream cipher suited for real-time bitstream authentication and encryption.

* RIPEMD: A hashing algorithm useful for file integrity checks during large file transfers.

This aligns with CASP+ objective 3.2, focusing on selecting appropriate cryptographic methods for secure data handling and transmission.

________________________________________

Question 7

An organization is rolling out a robust vulnerability management system to monitor SCADA devices on the network. Which of the following scan types should be used to monitor these system types?

AWeb application

BAgent

CPassive

DAuthenticated

Answer : C

Passive scanning is the safest approach for SCADA systems to avoid disrupting their operations. It detects vulnerabilities by analyzing network traffic without directly interacting with the systems, aligning with CASP+ objective 4.2, which focuses on securing critical systems and reducing risks during vulnerability management.

________________________________________

CompTIA CAS-004 CompTIA Advanced Security Practitioner (CASP+) Exam Practice Test