CompTIA

CAS-004 Exam
CASP

Questions & Answers

(Demo Version - Limited Content)

Thank you for Downloading CAS-004 exam PDF Demo

Get Full File:

https://www.certsland.com/cas-004-dumps/

www.certsland.com
Questions & Answers PDF Page 2

Version:32.0

Topic 1, Exam Pool A

Question: 1

An organization is referencing NIST best practices for BCP creation while reviewing current internal
organizational processes for mission-essential items.
Which of the following phases establishes the identification and prioritization of critical systems and
functions?

A. Review a recent gap analysis.

B. Perform a cost-benefit analysis.
C. Conduct a business impact analysis.
D. Develop an exposure factor matrix.

Answer: C

Explanation:
Reference: https://itsm.ucsf.edu/business-impact-analysis-bia-0
According to NIST SP 800-34 Rev. 1, a business impact analysis (BIA) is a process that identifies and
evaluates the potential effects of natural and man-made events on organizational operations. The
BIA enables an organization to determine which systems and processes are essential to the
organization’s mission and prioritize their recovery time objectives (RTOs) and recovery point
objectives (RPOs).12

Question: 2

An organization is preparing to migrate its production environment systems from an on-premises

environment to a cloud service. The lead security architect is concerned that the organization's
current methods for addressing risk may not be possible in the cloud environment.
Which of the following BEST describes the reason why traditional methods of addressing risk may not
be possible in the cloud?

www.certsland.com
Questions & Answers PDF Page 3

A. Migrating operations assumes the acceptance of all risk.

B. Cloud providers are unable to avoid risk.
C. Specific risks cannot be transferred to the cloud provider.
D. Risks to data in the cloud cannot be mitigated.

Answer: C

Explanation:

According to NIST SP 800-146, cloud computing introduces new risks that need to be assessed and
managed by the cloud consumer. Some of these risks are related to the shared responsibility model
of cloud computing, where some security controls are implemented by the cloud provider and some
by the cloud consumer. The cloud consumer cannot transfer all the risks to the cloud provider and
needs to understand which risks are retained and which are mitigated by the cloud provider.3

Question: 3

A company created an external application for its customers. A security researcher now reports that
the application has a serious LDAP injection vulnerability that could be leveraged to bypass
authentication and authorization.
Which of the following actions would BEST resolve the issue? (Choose two.)

A. Conduct input sanitization.

B. Deploy a SIEM.
C. Use containers.
D. Patch the OS
E. Deploy a WAF.
F. Deploy a reverse proxy
G. Deploy an IDS.

Answer: A,E

Explanation:

A WAF protects your web apps by filtering, monitoring, and blocking any malicious HTTP/S traffic
traveling to the web application, and prevents any unauthorized data from leaving the app. It does
this by adhering to a set of policies that help determine what traffic is malicious and what traffic is
safe.

www.certsland.com
Questions & Answers PDF Page 4

According to OWASP, LDAP injection is an attack that exploits web applications that construct LDAP
statements based on user input without proper validation or sanitization. LDAP injection can result in
unauthorized access, data modification, or denial of service. To prevent LDAP injection, OWASP
recommends conducting input sanitization by escaping special characters in user input and deploying
a web application firewall (WAF) that can detect and block malicious LDAP queries.45

Question: 4

In preparation for the holiday season, a company redesigned the system that manages retail sales
and moved it to a cloud service provider. The new infrastructure did not meet the company’s
availability requirements. During a postmortem analysis, the following issues were highlighted:
1. International users reported latency when images on the web page were initially loading.
2. During times of report processing, users reported issues with inventory when attempting to place
orders.
3. Despite the fact that ten new API servers were added, the load across servers was heavy at peak
times.
Which of the following infrastructure design changes would be BEST for the organization to
implement to avoid these issues in the future?

A. Serve static content via distributed CDNs, create a read replica of the central database and pull
reports from there, and auto-scale API servers based on performance.
B. Increase the bandwidth for the server that delivers images, use a CDN, change the database to a
non-relational database, and split the ten API servers across two load balancers.
C. Serve images from an object storage bucket with infrequent read times, replicate the database
across different regions, and dynamically create API servers based on load.
D. Serve static-content object storage across different regions, increase the instance size on the
managed relational database, and distribute the ten API servers across multiple regions.

Answer: A

Explanation:

This solution would address the three issues as follows:

Serving static content via distributed CDNs would reduce the latency for international users by
delivering images from the nearest edge location to the user’s request.
Creating a read replica of the central database and pulling reports from there would ofload the read-
intensive workload from the primary database and avoid affecting the inventory data for order
placement.
Auto-scaling API servers based on performance would dynamically adjust the number of servers to
match the demand and balance the load across them at peak times.

Question: 5

www.certsland.com
Questions & Answers PDF Page 5

During a remodel, a company’s computer equipment was moved to a secure storage room with
cameras positioned on both sides of the door. The door is locked using a card reader issued by the
security team, and only the security team and department managers have access to the room. The
company wants to be able to identify any unauthorized individuals who enter the storage room by
following an authorized employee.
Which of the following processes would BEST satisfy this requirement?

A. Monitor camera footage corresponding to a valid access request.

B. Require both security and management to open the door.
C. Require department managers to review denied-access requests.
D. Issue new entry badges on a weekly basis.

Answer: B

Explanation:
Reference: https://www.getkisi.com/access-control
This solution would implement a two-factor authentication (2FA) process that would prevent
unauthorized individuals from entering the storage room by following an authorized employee. The
two factors would be the card reader issued by the security team and the presence of a department
manager.

Question: 6

A company is preparing to deploy a global service.

Which of the following must the company do to ensure GDPR compliance? (Choose two.)

A. Inform users regarding what data is stored.

B. Provide opt-in/out for marketing messages.
C. Provide data deletion capabilities.
D. Provide optional data encryption.
E. Grant data access to third parties.
F. Provide alternative authentication techniques.

Answer: A,C

Explanation:

The main rights for individuals under the GDPR are to:

allow subject access

www.certsland.com
Questions & Answers PDF Page 6

have inaccuracies corrected

have information erased
prevent direct marketing
prevent automated decision-making and profiling
allow data portability (as per the paragraph above)

source: https://www.clouddirect.net/11-things-you-must-do-now-for-gdpr-compliance/
These are two of the requirements of the GDPR (General Data Protection Regulation), which is a legal
framework that sets guidelines for the collection and processing of personal data of individuals
within the European Union (EU). The GDPR also requires data controllers to obtain consent from data
subjects, protect data with appropriate security measures, notify data subjects and authorities of
data breaches, and appoint a data protection officer.

Question: 7

A SOC analyst is reviewing malicious activity on an external, exposed web server. During the
investigation, the analyst determines specific traffic is not being logged, and there is no visibility from
the WAF for the web application.
Which of the following is the MOST likely cause?

A. The user agent client is not compatible with the WAF.

B. A certificate on the WAF is expired.
C. HTTP traffic is not forwarding to HTTPS to decrypt.
D. Old, vulnerable cipher suites are still being used.

Answer: C

Explanation:

This could be the cause of the lack of visibility from the WAF (Web Application Firewall) for the web
application, as the WAF may not be able to inspect or block unencrypted HTTP traffic. To solve this
issue, the web server should redirect all HTTP requests to HTTPS and use SSL/TLS certificates to
encrypt the traffic.

Question: 8

A security analyst is reviewing the following output:

www.certsland.com
Questions & Answers PDF Page 7

Which of the following would BEST mitigate this type of attack?

A. Installing a network firewall

B. Placing a WAF inline
C. Implementing an IDS
D. Deploying a honeypot

Answer: B

Explanation:

The output shows a SQL injection attack that is trying to exploit a web application. A WAF (Web
Application Firewall) is a security solution that can detect and block malicious web requests, such as
SQL injection, XSS, CSRF, etc. Placing a WAF inline would prevent the attack from reaching the web
server and database. Reference: https://owasp.org/www-community/attacks/SQL_Injection
https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf/

Question: 9

Which of the following terms refers to the delivery of encryption keys to a CASB or a third-party
entity?

A. Key sharing
B. Key distribution
C. Key recovery
D. Key escrow

Answer: D

Explanation:

Key escrow is a process that involves storing encryption keys with a trusted third party, such as a
CASB (Cloud Access Security Broker) or a government agency. Key escrow can enable authorized
access to encrypted data in case of emergencies, legal issues, or data recovery. However, key escrow
also introduces some risks and challenges, such as trust, security, and privacy. Reference:

www.certsland.com
Questions & Answers PDF Page 8

https://www.techopedia.com/definition/1772/key-escrow
https://searchsecurity.techtarget.com/definition/key-escrow

Question: 10

An organization is implementing a new identity and access management architecture with the
following objectives:
Supporting MFA against on-premises infrastructure
Improving the user experience by integrating with SaaS applications
Applying risk-based policies based on location
Performing just-in-time provisioning
Which of the following authentication protocols should the organization implement to support these
requirements?

A. Kerberos and TACACS

B. SAML and RADIUS
C. OAuth and OpenID
D. OTP and 802.1X

Answer: C

Explanation:
Reference: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-
application-authentication-to-azure-active-directory
OAuth and OpenID are two authentication protocols that can support the objectives of the
organization. OAuth is a protocol that allows users to grant access to their resources on one site (or
service) to another site (or service) without sharing their credentials. OpenID is a protocol that allows
users to use an existing account to sign in to multiple websites without creating new passwords. Both
protocols can support MFA, SaaS integration, risk-based policies, and just-in-time provisioning.
Reference: https://auth0.com/docs/protocols/oauth2 https://openid.net/connect/

Question: 11

Which of the following allows computation and analysis of data within a ciphertext without
knowledge of the plaintext?

A. Lattice-based cryptography
B. Quantum computing
C. Asymmetric cryptography
D. Homomorphic encryption

Answer: D

Explanation:
Reference: https://searchsecurity.techtarget.com/definition/cryptanalysis

www.certsland.com
Questions & Answers PDF Page 9

Homomorphic encryption is a type of encryption that allows computation and analysis of data within
a ciphertext without knowledge of the plaintext. This means that encrypted data can be processed
without being decrypted first, which enhances the security and privacy of the data. Homomorphic
encryption can enable applications such as secure cloud computing, machine learning, and data
analytics. Reference: https://www.ibm.com/security/homomorphic-encryption
https://www.synopsys.com/blogs/software-security/homomorphic-encryption/

Question: 12

A company is looking to fortify its cybersecurity defenses and is focusing on its network
infrastructure. The solution cannot affect the availability of the company’s services to ensure false
positives do not drop legitimate traffic.
Which of the following would satisfy the requirement?

A. NIDS
B. NIPS
C. WAF
D. Reverse proxy

Answer: A

Explanation:
Reference: https://subscription.packtpub.com/book/networking-and-
servers/9781782174905/5/ch05lvl1sec38/differentiating-between-nids-and-nips

https://owasp.org/www-community/controls/Intrusion_Detection
A NIDS (Network Intrusion Detection System) is a security solution that monitors network traffic for
signs of malicious activity, such as attacks, intrusions, or policy violations. A NIDS does not affect the
availability of the company’s services because it operates in passive mode, which means it does not
block or modify traffic. Instead, it alerts the network administrator or other security tools when it
detects an anomaly or threat. Reference: https://www.cisco.com/c/en/us/products/security/what-is-
network-intrusion-detection-system.html https://www.imperva.com/learn/application-
security/network-intrusion-detection-system-nids/

Question: 13

A disaster recovery team learned of several mistakes that were made during the last disaster
recovery parallel test. Computational resources ran out at 70% of restoration of critical services.
Which of the following should be modified to prevent the issue from reoccurring?

A. Recovery point objective

B. Recovery time objective
C. Mission-essential functions
D. Recovery service level

www.certsland.com
Questions & Answers PDF Page 10

Answer: D

Explanation:
Reference: https://www.nakivo.com/blog/disaster-recovery-in-cloud-computing/
The recovery service level is a metric that defines the minimum level of service or performance that
a system or process must provide after a disaster or disruption. The recovery service level can include
parameters such as availability, capacity, throughput, latency, etc. The recovery service level should
be modified to prevent the issue of running out of computational resources at 70% of restoration of
critical services. The recovery service level should be aligned with the recovery point objective (RPO)
and the recovery time objective (RTO), which are the maximum acceptable amount of data loss and
downtime respectively. Reference: https://www.techopedia.com/definition/29836/recovery-service-
level https://www.ibm.com/cloud/learn/recovery-point-objective
https://www.ibm.com/cloud/learn/recovery-time-objective

Question: 14

A technician is reviewing the logs and notices a large number of files were transferred to remote
sites over the course of three months. This activity then stopped. The files were transferred via TLS-
protected HTTP sessions from systems that do not send traffic to those sites.
The technician will define this threat as:

A. a decrypting RSA using obsolete and weakened encryption attack.

B. a zero-day attack.
C. an advanced persistent threat.
D. an on-path attack.

Answer: C

Explanation:
Reference: https://www.internetsociety.org/deploy360/tls/basics/
An advanced persistent threat (APT) is a type of cyberattack that involves a stealthy and continuous
process of compromising and exploiting a target system or network. An APT typically has a specific
goal or objective, such as stealing sensitive data, disrupting operations, or sabotaging infrastructure.
An APT can use various techniques to evade detection and maintain persistence, such as encryption,
proxy servers, malware, etc. The scenario described in the question matches the characteristics of an
APT. Reference: https://www.cisco.com/c/en/us/products/security/what-is-apt.html
https://www.imperva.com/learn/application-security/advanced-persistent-threat-apt/

Question: 15

A security engineer thinks the development team has been hard-coding sensitive environment
variables in its code.
Which of the following would BEST secure the company’s CI/CD pipeline?

A. Utilizing a trusted secrets manager

B. Performing DAST on a weekly basis

www.certsland.com
Questions & Answers PDF Page 11

C. Introducing the use of container orchestration

D. Deploying instance tagging

Answer: A

Explanation:
Reference: https://about.gitlab.com/blog/2021/04/09/demystifying-ci-cd-variables/
A trusted secrets manager is a tool or service that securely stores and manages sensitive
information, such as passwords, API keys, tokens, certificates, etc. A trusted secrets manager can
help secure the company’s CI/CD (Continuous Integration/Continuous Delivery) pipeline by
preventing hard-coding sensitive environment variables in the code, which can expose them to
unauthorized access or leakage. A trusted secrets manager can also enable encryption, rotation,
auditing, and access control for the secrets. Reference: https://www.hashicorp.com/resources/what-
is-a-secret-manager https://dzone.com/articles/how-to-securely-manage-secrets-in-a-ci-cd-pipeline

Question: 16

A small company recently developed prototype technology for a military program. The company’s
security engineer is concerned about potential theft of the newly developed, proprietary
information.
Which of the following should the security engineer do to BEST manage the threats proactively?

A. Join an information-sharing community that is relevant to the company.

B. Leverage the MITRE ATT&CK framework to map the TTR.
C. Use OSINT techniques to evaluate and analyze the threats.
D. Update security awareness training to address new threats, such as best practices for data
security.

Answer: A

Explanation:

An information-sharing community is a group or network of organizations that share threat

intelligence, best practices, and mitigation strategies related to cybersecurity. An information-
sharing community can help the company proactively manage the threats of potential theft of its
newly developed, proprietary information by providing timely and actionable insights, alerts, and
recommendations. An information-sharing community can also enable collaboration and
coordination among its members to enhance their collective defense and resilience. Reference:
https://us-cert.cisa.gov/ncas/tips/ST04-016 https://www.cisecurity.org/blog/what-is-an-
information-sharing-community/

Question: 17

A security engineer has been asked to close all non-secure connections from the corporate network.
The engineer is attempting to understand why the corporate UTM will not allow users to download

www.certsland.com
Questions & Answers PDF Page 12

email via IMAPS. The engineer formulates a theory and begins testing by creating the firewall ID 58,
and users are able to download emails correctly by using IMAP instead. The network comprises three
VLANs:

The security engineer looks at the UTM firewall rules and finds the following:

Which of the following should the security engineer do to ensure IMAPS functions properly on the
corporate user network?

A. Contact the email service provider and ask if the company IP is blocked.
B. Confirm the email server certificate is installed on the corporate computers.
C. Make sure the UTM certificate is imported on the corporate computers.
D. Create an IMAPS firewall rule to ensure email is allowed.

Answer: D

Explanation:

IMAPS (Internet Message Access Protocol Secure) is a protocol that allows users to access and
manipulate email messages on a remote mail server over a secure connection. IMAPS uses SSL/TLS
encryption to protect the communication between the client and the server. IMAPS uses port 993 by
default. To ensure IMAPS functions properly on the corporate user network, the security engineer
should create an IMAPS firewall rule on the UTM (Unified Threat Management) device that allows
traffic from VLAN 10 (Corporate Users) to VLAN 20 (Email Server) over port 993. The existing firewall
rules do not allow this traffic, as they only allow HTTP (port 80), HTTPS (port 443), and SMTP (port
25). Reference: https://www.techopedia.com/definition/2460/internet-message-access-protocol-
secure-imaps https://www.sophos.com/en-us/support/knowledgebase/115145.aspx

Question: 18

A security analyst is reviewing network connectivity on a Linux workstation and examining the active
TCP connections using the command line.
Which of the following commands would be the BEST to run to view only active Internet
connections?

www.certsland.com
Questions & Answers PDF Page 13

A. sudo netstat -antu | grep “LISTEN” | awk ‘{print$5}’

B. sudo netstat -nlt -p | grep “ESTABLISHED”
C. sudo netstat -plntu | grep -v “Foreign Address”
D. sudo netstat -pnut -w | column -t -s $’\w’
E. sudo netstat -pnut | grep -P ^tcp

Answer: E

Explanation:
Reference: https://www.codegrepper.com/code-examples/shell/netstat+find+port
The netstat command is a tool that displays network connections, routing tables, interface statistics,
masquerade connections, and multicast memberships. The command has various options that can
modify its output. The options used in the correct answer are:
p: Show the PID and name of the program to which each socket belongs.
n: Show numerical addresses instead of trying to determine symbolic host, port or user names.
u: Show only UDP connections.
t: Show only TCP connections.
The grep command is a tool that searches for a pattern in a file or input. The option used in the
correct answer is:
P: Interpret the pattern as a Perl-compatible regular expression (PCRE).
The pattern used in the correct answer is ^tcp, which means any line that starts with tcp. This will
filter out any UDP connections from the output.
The sudo command is a tool that allows a user to run programs with the security privileges of
another user (usually the superuser or root). This is necessary to run the netstat command with the -
p option, which requires root privileges.
The correct answer will show only active TCP connections with numerical addresses and program
names, which can be considered as active Internet connections. The other answers will either show
different types of connections (such as listening or local), use different options that are not relevant
(such as -a, -l, -w, or -s), or use different commands that are not useful (such as awk or column).
Reference: https://man7.org/linux/man-pages/man8/netstat.8.html https://man7.org/linux/man-
pages/man1/grep.1.html https://man7.org/linux/man-pages/man8/sudo.8.html

Question: 19

A shipping company that is trying to eliminate entire classes of threats is developing an SELinux
policy to ensure its custom Android devices are used exclusively for package tracking.
After compiling and implementing the policy, in which of the following modes must the company
ensure the devices are configured to run?

A. Protecting
B. Permissive
C. Enforcing
D. Mandatory

www.certsland.com
Questions & Answers PDF Page 14

Answer: C

Explanation:
Reference: https://source.android.com/security/selinux/customize
SELinux (Security-Enhanced Linux) is a security module for Linux systems that provides mandatory
access control (MAC) policies for processes and files. SELinux can operate in three modes:
Enforcing: SELinux enforces the MAC policies and denies access based on rules.
Permissive: SELinux does not enforce the MAC policies but only logs actions that would have been
denied if running in enforcing mode.
Disabled: SELinux is turned off.
To ensure its custom Android devices are used exclusively for package tracking, the company must
configure SELinux to run in enforcing mode. This mode will prevent any unauthorized actions or
applications from running on the devices and protect them from potential threats or misuse.
Reference: https://access.redhat.com/documentation/en-
us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-
enhanced_linux-introduction#sect-Security-Enhanced_Linux-Modes
https://source.android.com/security/selinux

Question: 20

A security analyst receives an alert from the SIEM regarding unusual activity on an authorized public
SSH jump server. To further investigate, the analyst pulls the event logs directly from
/var/log/auth.log: graphic.ssh_auth_log.
Which of the following actions would BEST address the potential risks by the activity in the logs?

A. Alerting the misconfigured service account password

B. Modifying the AllowUsers configuration directive
C. Restricting external port 22 access
D. Implementing host-key preferences

Answer: B

Explanation:
Reference: https://www.rapid7.com/blog/post/2017/10/04/how-to-secure-ssh-server-using-port-
knocking-on-ubuntu-linux/
The AllowUsers configuration directive is an option for SSH servers that specifies which users are
allowed to log in using SSH. The directive can include usernames, hostnames, IP addresses, or
patterns. The directive can also be negated with a preceding exclamation mark (!) to deny access to
specific users.
The logs show that there are multiple failed login attempts from different IP addresses using
different usernames, such as root, admin, test, etc. This indicates a brute-force attack that is trying to
guess the SSH credentials. To address this risk, the security analyst should modify the AllowUsers
configuration directive to only allow specific users or hosts that are authorized to access the SSH
jump server. This will prevent unauthorized users from attempting to log in using SSH and reduce the
attack surface. Reference: https://man.openbsd.org/sshd_config#AllowUsers
https://www.ssh.com/academy/ssh/brute-force

www.certsland.com
Questions & Answers PDF Page 15

Question: 21

A high-severity vulnerability was found on a web application and introduced to the enterprise. The
vulnerability could allow an unauthorized user to utilize an open-source library to view privileged
user information. The enterprise is unwilling to accept the risk, but the developers cannot fix the
issue right away.
Which of the following should be implemented to reduce the risk to an acceptable level until the
issue can be fixed?

A. Scan the code with a static code analyzer, change privileged user passwords, and provide security
training.
B. Change privileged usernames, review the OS logs, and deploy hardware tokens.
C. Implement MFA, review the application logs, and deploy a WAF.
D. Deploy a VPN, configure an official open-source library repository, and perform a full application
review for vulnerabilities.

Answer: C

Explanation:
Reference: https://www.microfocus.com/en-us/what-is/sast
Implementing MFA can add an extra layer of security to protect against unauthorized access if the
vulnerability is exploited. Reviewing the application logs can help identify if any attempts have been
made to exploit the vulnerability, and deploying a WAF can help block any attempts to exploit the
vulnerability. While the other options may provide some level of security, they may not directly
address the vulnerability and may not reduce the risk to an acceptable level.

Question: 22

A security analyst discovered that the company’s WAF was not properly configured. The main web
server was breached, and the following payload was found in one of the malicious requests:

Which of the following would BEST mitigate this vulnerability?

A. CAPTCHA
B. Input validation
C. Data encoding
D. Network intrusion prevention

www.certsland.com
Questions & Answers PDF Page 16

Answer: B

Explanation:
Reference: https://hdivsecurity.com/owasp-xml-external-entities-xxe

Question: 23

A university issues badges through a homegrown identity management system to all staff and
students. Each week during the summer, temporary summer school students arrive and need to be
issued a badge to access minimal campus resources. The security team received a report from an
outside auditor indicating the homegrown system is not consistent with best practices in the security
field and leaves the institution vulnerable.
Which of the following should the security team recommend FIRST?

A. Investigating a potential threat identified in logs related to the identity management system
B. Updating the identity management system to use discretionary access control
C. Beginning research on two-factor authentication to later introduce into the identity management
system
D. Working with procurement and creating a requirements document to select a new IAM
system/vendor

Answer: D

Explanation:

This is because the homegrown identity management system is not consistent with best practices
and leaves the institution vulnerable, which means it needs to be replaced with a more secure and
reliable solution. A new IAM system/vendor should be able to provide features such as role-based
access control, two-factor authentication, auditing, and compliance that can enhance the security
and efficiency of the identity management process. A requirements document can help define the
scope, objectives, and criteria for selecting a suitable IAM system/vendor that meets the needs of
the institution.

Question: 24

A customer reports being unable to connect to a website at www.test.com to consume services. The
customer notices the web application has the following published cipher suite:

www.certsland.com
Questions & Answers PDF Page 17

Which of the following is the MOST likely cause of the customer’s inability to connect?

A. Weak ciphers are being used.

B. The public key should be using ECDSA.
C. The default should be on port 80.
D. The server name should be test.com.

Answer: A

Explanation:
Reference: https://security.stackexchange.com/questions/23383/ssh-key-type-rsa-dsa-ecdsa-are-
there-easy-answers-for-which-to-choose-when

Question: 25

An IT administrator is reviewing all the servers in an organization and notices that a server is missing
crucial practice against a recent exploit that could gain root access.
Which of the following describes the administrator’s discovery?

A. A vulnerability
B. A threat
C. A breach
D. A risk

Answer: A

Explanation:
Reference: https://www.beyondtrust.com/blog/entry/privilege-escalation-attack-defense-explained

www.certsland.com
Questions & Answers PDF Page 18

Question: 26

A security analyst is performing a vulnerability assessment on behalf of a client. The analyst must
define what constitutes a risk to the organization.
Which of the following should be the analyst’s FIRST action?

A. Create a full inventory of information and data assets.

B. Ascertain the impact of an attack on the availability of crucial resources.
C. Determine which security compliance standards should be followed.
D. Perform a full system penetration test to determine the vulnerabilities.

Answer: A

Explanation:

This is because a risk assessment requires identifying the assets that are valuable to the organization
and could be targeted by attackers. A full inventory of information and data assets can help the
analyst prioritize the most critical assets and determine their potential exposure to threats. Without
knowing what assets are at stake, the analyst cannot effectively assess the risk level or the impact of
an attack. Creating an inventory of assets is also a prerequisite for performing other actions, such as
following compliance standards, measuring availability, or conducting penetration tests.

Question: 27

While investigating a security event, an analyst finds evidence that a user opened an email
attachment from an unknown source. Shortly after the user opened the attachment, a group of
servers experienced a large amount of network and resource activity. Upon investigating the servers,
the analyst discovers the servers were encrypted by ransomware that is demanding payment within
48 hours or all data will be destroyed. The company has no response plans for ransomware.
Which of the following is the NEXT step the analyst should take after reporting the incident to the
management team?

A. Pay the ransom within 48 hours.

B. Isolate the servers to prevent the spread.
C. Notify law enforcement.
D. Request that the affected servers be restored immediately.

Answer: B

Explanation:

Isolating the servers is the best immediate action to take after reporting the incident to the
management team, as it can limit the damage and contain the ransomware infection. Paying the
ransom is not advisable, as it does not guarantee the recovery of the data and may encourage
further attacks. Notifying law enforcement is a possible step, but not the next one after reporting.

www.certsland.com
Questions & Answers PDF Page 19

Requesting that the affected servers be restored immediately may not be feasible or effective, as it
depends on the availability and integrity of backups, and it does not address the root cause of the
attack. Verified Reference: https://www.comptia.org/blog/what-is-ransomware-and-how-to-protect-
yourself https://www.comptia.org/certifications/comptia-advanced-security-practitioner

Question: 28

A company plans to build an entirely remote workforce that utilizes a cloud-based infrastructure. The
Chief Information Security Officer asks the security engineer to design connectivity to meet the
following requirements:
Only users with corporate-owned devices can directly access servers hosted by the cloud provider.
The company can control what SaaS applications each individual user can access.
User browser activity can be monitored.
Which of the following solutions would BEST meet these requirements?

A. IAM gateway, MDM, and reverse proxy

B. VPN, CASB, and secure web gateway
C. SSL tunnel, DLP, and host-based firewall
D. API gateway, UEM, and forward proxy

Answer: B

Explanation:

A VPN (virtual private network) can provide secure connectivity for remote users to access servers
hosted by the cloud provider. A CASB (cloud access security broker) can enforce policies and controls
for accessing SaaS applications. A secure web gateway can monitor and filter user browser activity to
prevent malicious or unauthorized traffic. Verified Reference:
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
https://www.comptia.org/blog/what-is-a-vpn

Question: 29

During a system penetration test, a security engineer successfully gained access to a shell on a Linux
host as a standard user and wants to elevate the privilege levels.
Which of the following is a valid Linux post-exploitation method to use to accomplish this goal?

A. Spawn a shell using sudo and an escape string such as sudo vim -c ‘!sh’.
B. Perform ASIC password cracking on the host.
C. Read the /etc/passwd file to extract the usernames.
D. Initiate unquoted service path exploits.
E. Use the UNION operator to extract the database schema.

Answer: A

www.certsland.com
Questions & Answers PDF Page 20

Explanation:
Reference: https://docs.rapid7.com/insightvm/elevating-permissions/
Spawning a shell using sudo and an escape string is a valid Linux post-exploitation method that can
exploit a misconfigured sudoers file and allow a standard user to execute commands as root. ASIC
password cracking is used to break hashed passwords, not to elevate privileges. Reading the
/etc/passwd file may reveal usernames, but not passwords or privileges. Unquoted service path
exploits are applicable to Windows systems, not Linux. Using the UNION operator is a SQL injection
technique, not a Linux post-exploitation method. Verified Reference:
https://www.comptia.org/blog/what-is-post-exploitation https://partners.comptia.org/docs/default-
source/resources/casp-content-guide

Question: 30

A systems administrator is in the process of hardening the host systems before connecting to the
network. The administrator wants to add protection to the boot loader to ensure the hosts are secure
before the OS fully boots.
Which of the following would provide the BEST boot loader protection?

A. TPM
B. HSM
C. PKI
D. UEFI/BIOS

Answer: A

Explanation:

A TPM (trusted platform module) is a hardware device that can provide boot loader protection by
storing cryptographic keys and verifying the integrity of the boot process. An HSM (hardware security
module) is similar to a TPM, but it is used for storing keys for applications, not for booting. A PKI
(public key infrastructure) is a system of certificates and keys that can provide encryption and
authentication, but not boot loader protection. UEFI/BIOS are firmware interfaces that control the
boot process, but they do not provide protection by themselves. Verified Reference:
https://www.comptia.org/blog/what-is-a-tpm-trusted-platform-module
https://partners.comptia.org/docs/default-source/resources/casp-content-guide

www.certsland.com
 Thank You for trying CAS-004 PDF Demo

https://www.certsland.com/cas-004-dumps/

Start Your CAS-004 Preparation

[Limited Time Offer] Use Coupon " SAVE20 " for extra 20%
discount on the purchase of PDF file. Test your
CAS-004 preparation with actual exam questions

www.certsland.com