CompTIA CAS-004 Exam Practice Test Instant Access

Question 1

Two companies that recently merged would like to unify application access between the companies, without initially merging internal authentication stores. Which of the following technical strategies would best meet this objective?

AFederation

BRADIUS

CTACACS+

DMFA

EABAC

Answer : A

Federation is the best strategy for unifying application access between two companies without merging their internal authentication stores. Federation allows users from different organizations to authenticate and access resources using their existing credentials through trusted third-party identity providers. This enables seamless access without the need to merge or consolidate internal authentication systems. CASP+ emphasizes federation as a key technology for enabling cross-organizational authentication while maintaining the integrity of separate identity stores.

CASP+ CAS-004 Exam Objectives: Domain 2.0 -- Enterprise Security Operations (Federated Identity and Authentication)

CompTIA CASP+ Study Guide: Federated Identity Management for Mergers and Cross-Company Access

Question 2

A security analyst is participating in a risk assessment and is helping to calculate the exposure factor associated with various systems and processes within the organization. Which of the following resources would be most useful to calculate the exposure factor in this scenario?

AGap analysis

BBusiness impact analysis

CRisk register

DInformation security policy

ELessons learned

Answer : B

A business impact analysis (BIA) is the most useful resource for calculating the exposure factor in a risk assessment. The BIA helps identify the criticality of systems and processes and quantifies the potential financial and operational impact of vulnerabilities being exploited. By understanding the business impact, the security team can more accurately determine the exposure factor, which is the proportion of an asset's value that is at risk in the event of a security incident. CASP+ highlights the role of BIAs in understanding risk exposure and supporting effective risk management decisions.

CASP+ CAS-004 Exam Objectives: Domain 1.0 -- Risk Management (Business Impact Analysis and Risk Exposure)

CompTIA CASP+ Study Guide: Business Impact Analysis for Risk Assessment

Question 3

A company is migrating its data center to the cloud. Some hosts had been previously isolated, but a risk assessment convinced the engineering team to reintegrate the systems. Because the systems were isolated, the risk associated with vulnerabilities was low. Which of the following should the security team recommend be performed before migrating these servers to the cloud?

APerforming patching and hardening

BDeploying host and network IDS

CImplementing least functionality and time-based access

DCreating a honeypot and adding decoy files

Answer : A

Before migrating previously isolated systems to the cloud, it is essential to perform patching and hardening. These systems may have been neglected while isolated, so updating them with the latest security patches and applying hardening measures (such as disabling unnecessary services and implementing strict access controls) is crucial to reduce vulnerabilities. This ensures that the systems are secure before they are exposed to the wider cloud environment. CASP+ emphasizes the importance of securing systems through patch management and hardening before integrating them into more exposed environments like the cloud.

CASP+ CAS-004 Exam Objectives: Domain 2.0 -- Enterprise Security Operations (Patching, Hardening, and Cloud Migration Security)

CompTIA CASP+ Study Guide: Securing and Hardening Systems Before Cloud Migration

Question 4

A Chief Information Security Officer (CISO) received a call from the Chief Executive Officer (CEO) about a data breach from the SOC lead around 9:00 a.m. At 10:00 a.m. The CEO informs the CISO that a breach of the firm is being reported on national news. Upon investigation, it is determined that a network administrator has reached out to a vendor prior to the breach for information on a security patch that failed to be installed. Which of the following should the CISO do to prevent this from happening again?

AProperly triage events based on brand imaging and ensure the CEO is on the call roster.

BCreate an effective communication plan and socialize it with all employees.

CSend out a press release denying the breach until more information can be obtained.

DImplement a more robust vulnerability identification process.

Answer : B

To prevent similar issues from occurring again, the CISO should create an effective communication plan and ensure all employees are aware of it. A clear communication plan ensures that critical security information, such as breaches or vulnerabilities, is promptly communicated to the right stakeholders (e.g., the CEO) in a timely manner, preventing situations where the media reports on breaches before internal teams are fully informed. CASP+ emphasizes the importance of having structured communication protocols during security incidents to ensure accurate and timely responses.

CASP+ CAS-004 Exam Objectives: Domain 2.0 -- Enterprise Security Operations (Incident Communication Plans)

CompTIA CASP+ Study Guide: Developing and Implementing Effective Incident Communication Plans

Question 5

A security architect is reviewing the following organizational specifications for a new application:

* Be sessionless and API-based

* Accept uploaded documents with Pll, so all storage must be ephemeral

* Be able to scale on-demand across multiple nodes

* Restrict all network access except for the TLS port

Which of the following ways should the architect recommend the application be deployed in order to meet security and organizational infrastructure requirements?

AUtilizing the cloud container service

BOn server instances with autoscaling groups

CUsing scripted delivery

DWith a content delivery network

Answer : A

A cloud container service is the best way to meet the security and organizational infrastructure requirements described. Containers are sessionless, scalable, and can enforce ephemeral storage, which ensures that sensitive data like Personally Identifiable Information (PII) is only stored temporarily. Containers also restrict access to only necessary ports, such as TLS, and can easily scale across multiple nodes to handle varying workloads. CASP+ emphasizes the use of containers in modern, scalable, and secure application deployments, especially for API-based, sessionless applications that require flexible scaling and network security controls.

CASP+ CAS-004 Exam Objectives: Domain 3.0 -- Enterprise Security Architecture (Containers and Cloud Services for Secure Application Deployment)

CompTIA CASP+ Study Guide: Deploying Scalable and Secure Applications with Containers

Question 6

During the development process, the team identifies major components that need to be rewritten. As a result, the company hires a security consultant to help address major process issues. Which of the following should the consultant recommend to best prevent these issues from reoccurring in the future?

AImplementing a static analysis tool within the CI/CD system

BConfiguring a dynamic application security testing tool

CPerforming software composition analysis on all third-party components

DUtilizing a risk-based threat modeling approach on new projects

ESetting up an interactive application security testing tool

Answer : D

A risk-based threat modeling approach is the best recommendation to prevent the recurrence of major process issues during the development lifecycle. Threat modeling identifies potential security threats, vulnerabilities, and design flaws early in the development process by focusing on the specific risks posed to the system. By proactively identifying and addressing security concerns before they escalate, the development team can avoid the need for significant rewrites and ensure that security is embedded into the design of new projects. CASP+ emphasizes threat modeling as a critical activity to improve secure development practices.

CASP+ CAS-004 Exam Objectives: Domain 2.0 -- Enterprise Security Operations (Threat Modeling and Risk-Based Security Approaches)

CompTIA CASP+ Study Guide: Threat Modeling and Secure Development Lifecycle

Question 7

A security administrator is setting up a virtualization solution that needs to run services from a single host. Each service should be the only one running in its environment. Each environment needs to have its own operating system as a base but share the kernel version and properties of the running host. Which of the following technologies would best meet these requirements?

AContainers

BType 1 hypervisor

CType 2 hypervisor

DVirtual desktop infrastructure

EEmulation

Answer : A

The most appropriate technology for this virtualization solution is containers. Containers allow multiple services to run on a single host with isolated environments, while sharing the same kernel version and properties of the host operating system. Each container has its own instance of the operating system and runs independently from the others, meeting the requirement for separate environments with their own OS. Containers are more lightweight than full hypervisors and are ideal for running microservices in isolated environments. CASP+ emphasizes the use of containers in scenarios where services need to be isolated but share the same host OS kernel.

CASP+ CAS-004 Exam Objectives: Domain 3.0 -- Enterprise Security Architecture (Virtualization Technologies, Containers)

CompTIA CASP+ Study Guide: Virtualization and Containerization for Isolated Services

CompTIA CAS-004 CompTIA Advanced Security Practitioner (CASP+) Exam Practice Test