Practice Free CAS-004 Exam Online Questions
A security team is creating tickets to track the progress of remediation.
Which of the following is used to specify the due dates for high- and critical-priority findings?
- A . MSA
- B . SLA
- C . ISA
- D . MOU
B
Explanation:
A Service Level Agreement (SLA) is the document used to specify due dates for remediating high- and critical-priority findings. An SLA sets out the obligations of the party providing a service, including the time frame within which issues or vulnerabilities of a given severity must be addressed (for example, a fixed number of days for critical findings). Tying remediation deadlines to severity keeps the most serious vulnerabilities from lingering and gives the security team a measurable target to track in its tickets. CASP+ emphasizes SLAs as the mechanism for holding service providers and internal teams accountable and for demonstrating compliance with organizational security policy. By contrast, an MSA (master service agreement) sets the general terms of a business relationship, an ISA (interconnection security agreement) governs a connection between two systems, and an MOU (memorandum of understanding) records a non-binding intent to cooperate; none of these carries remediation deadlines.
Reference: CASP+ CAS-004 Exam Objectives: Domain 1.0 - Risk Management (SLAs and Security Management)
CompTIA CASP+ Study Guide: SLAs for Security Vulnerability Management
A security analyst is designing a touch screen device so users can gain entry into a locked room by touching buttons numbered zero through nine in a specific numerical sequence. The analyst designs the keypad so that the numbers are randomly presented to the user each time the device is used.
Which of the following best describes the design trade-offs? (Select two.)
- A . The risk of someone overseeing a pattern as a user enters the numbers is decreased.
- B . The routines to generate the random sequences are trivial to implement.
- C . This design makes entering numbers more difficult for users.
- D . The device needs to have additional power to compute the numbers.
- E . End users will have a more difficult time remembering the access numbers.
- F . Weak or easily guessed access numbers are more likely.
A,C
Explanation:
Step by Step
A: Randomizing the key layout reduces the risk of shoulder surfing: an observer who sees where the user's finger lands cannot convert those positions into digits without also seeing that session's layout, so there is no reusable pattern to learn.
B: Producing an unpredictable layout requires a proper shuffle driven by a good source of randomness, which is not trivial; a biased shuffle would leak information about the layout.
C: Because the layout changes every time, users cannot rely on muscle memory and must search the keypad for each digit, which makes entry slower and more error-prone.
D: The computation needed to shuffle ten keys is negligible, so extra power is not a meaningful trade-off.
E and F: Randomizing the layout changes neither the access number itself nor how easy it is to remember or guess, so memorability and guessability are unaffected.
Reference: CASP+ Exam Objectives 3.4 - Evaluate usability and security trade-offs in design.
A network administrator who manages a Linux web server notices the following traffic:
http://comptia.org/…/…/…/…/etc/shadow
Which of the following is the BEST action for the network administrator to take to defend against this type of web attack?
- A . Validate the server certificate and trust chain.
- B . Validate the server input and append the input to the base directory path.
- C . Validate that the server is not deployed with default account credentials.
- D . Validate that multifactor authentication is enabled on the server for all user accounts.
B
Explanation:
The traffic shows a request for the /etc/shadow file on a Linux web server. /etc/shadow holds the password hashes (and password-aging data) for local accounts, is readable only by root, and is a classic target: an attacker who obtains it can crack the hashes offline. The request reaches it through directory traversal (also called path traversal): the web application builds a filesystem path from a user-controlled part of the URL, and the attacker inserts parent-directory (../) segments so the path climbs out of the web root and lands on an arbitrary file.
Validating the server input and appending it to the base directory path is the best action for the network administrator to take, because it would:
Check the user-supplied path for errors, malicious data, or unexpected values before the web application uses it.
Anchor every resolved path to the web application's base directory rather than the root of the filesystem, so a traversal sequence cannot escape the intended scope.
Deny access to any file or directory that is not part of the web application's content.
In practice the check has to run after the joined path has been canonicalized (collapsing ../ and resolving symlinks) and must confirm that the result still lies under the base directory; concatenating the strings alone leaves the traversal intact. The other options describe real controls (certificate validation, default credentials, MFA), but none of them stops path manipulation against the application itself.
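The difference between merely appending the input and actually confining it, as an added Python example that is not part of the exam material: `naive_join` is the vulnerable pattern, while `safe_resolve` canonicalizes the joined path and then checks that it is still under the web root, which also rejects an absolute path, an embedded NUL byte, and a symlink inside the root that points outside it. The web root `/srv/www`, the request paths, and the throwaway directory in `demo_symlink_escape` are constructed for illustration.

```python
import os
import tempfile


def naive_join(base: str, user_path: str) -> str:
    """Vulnerable pattern: append the request path to the web root and
    normalise it. '../' segments walk back out of the root, so the result
    can point anywhere on the filesystem."""
    return os.path.normpath(os.path.join(base, user_path))


def safe_resolve(base: str, user_path: str):
    """Hardened pattern: join, canonicalise (collapsing '..' and following
    symlinks), then verify the result is still inside the web root.
    Returns the path relative to the root, or None if it escapes."""
    if "\0" in user_path:              # an embedded NUL truncates C paths; reject outright
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    # An absolute user_path makes os.path.join discard the base, and '..'
    # chains climb above it; both cases fail this containment check.  The
    # trailing separator stops '/srv/www-old' from passing as '/srv/www'.
    if candidate != base_real and not candidate.startswith(base_real + os.sep):
        return None
    return os.path.relpath(candidate, base_real)


def demo_symlink_escape():
    """Why realpath (not just normpath) matters: a symlink inside the web
    root that points outside it is still rejected.  Uses a throwaway
    directory (constructed); returns None when the escape is blocked, or
    'skipped' if the host does not allow creating symlinks."""
    with tempfile.TemporaryDirectory() as root:
        link = os.path.join(root, "docs")
        try:
            os.symlink(os.path.dirname(root), link)   # docs -> parent of the web root
        except OSError:
            return "skipped"
        return safe_resolve(root, "docs/secret.txt")


if __name__ == "__main__":
    for p in ("images/logo.png", "../../../../etc/shadow", "/etc/shadow"):
        print(f"{p!r:28} naive={naive_join('/srv/www', p)!r:26} safe={safe_resolve('/srv/www', p)!r}")
    print("symlink escape blocked:", demo_symlink_escape() is None)
```

Note that `naive_join` still produces a tidy-looking path for the traversal input; the kernel resolves it happily, which is exactly why the containment check on the canonical path is the control, not normalisation by itself.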
A company just released a new video card. Due to limited supply and high demand, attackers are employing automated systems to purchase the device through the company's web store so they can resell it on the secondary market. The company's intended customers are frustrated. A security engineer suggests implementing a CAPTCHA system on the web store to help reduce the number of video cards purchased through automated systems.
Which of the following now describes the level of risk?
- A . Inherent
- B . Low
- C . Mitigated
- D . Residual
- E . Transferred
An organization is preparing to migrate its production environment systems from an on-premises environment to a cloud service. The lead security architect is concerned that the organization’s current methods for addressing risk may not be possible in the cloud environment.
Which of the following BEST describes the reason why traditional methods of addressing risk may not be possible in the cloud?
- A . Migrating operations assumes the acceptance of all risk.
- B . Cloud providers are unable to avoid risk.
- C . Specific risks cannot be transferred to the cloud provider.
- D . Risks to data in the cloud cannot be mitigated.
C
Explanation:
According to NIST SP 800-146, cloud computing introduces risks that the cloud consumer must still assess and manage. Under the shared responsibility model, the provider implements some security controls and the consumer implements others, so the consumer cannot simply transfer all risk to the provider: it has to understand which risks remain its own and which the provider mitigates. The other options overstate the situation: migrating does not mean accepting all risk (A), providers do avoid some risks (B), and risks to data in the cloud can be mitigated, for example by customer-managed encryption (D). Option C correctly captures the limit on risk transfer.
A security engineer receives reports through the organization’s bug bounty program about remote code execution in a specific component in a custom application. Management wants to properly secure the component and proactively avoid similar issues.
Which of the following is the best approach to uncover additional vulnerable paths in the application?
- A . Implement fuzz testing focused on the component and inputs uncovered by the bug bounty program.
- B . Leverage a software composition analysis tool to find all known vulnerabilities in dependencies.
- C . Use a vulnerability scanner to perform multiple types of network scans to look for vulnerabilities.
- D . Utilize a network traffic analyzer to find malicious packet combinations that lead to remote code execution.
- E . Run an exploit framework with all payloads against the application to see if it is able to gain access.
A
Explanation:
Fuzz testing feeds the component malformed, unexpected, or randomly mutated input and watches for crashes, hangs, or other abnormal behavior, which exposes edge cases and input-handling paths beyond the one the bug bounty report exercised. Seeding the fuzzer with the inputs and component named in the report keeps the search targeted. Software composition analysis (B) only finds known vulnerabilities in third-party dependencies, network scanners and traffic analyzers (C, D) do not exercise the application's own parsing logic, and an exploit framework (E) tests for known exploits rather than discovering new code paths. This aligns with CASP+ objective 1.5, which emphasizes proactive vulnerability discovery techniques in application security.
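What a fuzzer seeded from a bug report looks like in practice, as an added Python example that is not part of the exam material: `parse_record` is a constructed toy parser standing in for the reported component, with a planted bug (an unchecked length byte), `fuzz` mutates a small seed corpus and records every exception that is not the parser's documented rejection path, and `parse_record_fixed` shows the same parser once the length is validated. The record format, function names, and seed corpus are all assumptions made for this example.

```python
import random


def xor_checksum(payload: bytes) -> int:
    """1-byte XOR checksum used by the toy record format below."""
    c = 0
    for b in payload:
        c ^= b
    return c


def make_record(payload: bytes) -> bytes:
    """Build a valid record: b'REC' | length byte | payload | checksum."""
    return b"REC" + bytes([len(payload)]) + payload + bytes([xor_checksum(payload)])


def parse_record(data: bytes) -> bytes:
    """Stand-in for the reported component (constructed for this example).
    Malformed input is supposed to raise ValueError; any other exception is
    a bug.  The planted bug: the length byte is trusted, so a length larger
    than the remaining bytes makes the checksum read run past the end."""
    if data[:3] != b"REC":
        raise ValueError("bad magic")
    if len(data) < 5:
        raise ValueError("truncated")
    n = data[3]
    payload = data[4:4 + n]
    checksum = data[4 + n]                 # IndexError when n > len(data) - 5
    if checksum != xor_checksum(payload):
        raise ValueError("bad checksum")
    return payload


def parse_record_fixed(data: bytes) -> bytes:
    """Same parser with the length validated before it is used as an index."""
    if data[:3] != b"REC":
        raise ValueError("bad magic")
    if len(data) < 5:
        raise ValueError("truncated")
    n = data[3]
    if 4 + n >= len(data):
        raise ValueError("length exceeds data")
    payload = data[4:4 + n]
    if data[4 + n] != xor_checksum(payload):
        raise ValueError("bad checksum")
    return payload


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: flip a byte, insert a byte, delete a byte, or truncate."""
    buf = bytearray(data)
    op = rng.choice(("flip", "insert", "delete", "truncate"))
    if op == "insert" or not buf:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "flip":
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "delete":
        del buf[rng.randrange(len(buf))]
    else:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


# Seed corpus (constructed): the kind of inputs a bug bounty report would point at.
SEEDS = [make_record(b"hello"), make_record(b"")]


def fuzz(target, seeds=SEEDS, iterations=2000, seed=1):
    """Mutation fuzzer.  ValueError is the parser's documented rejection path
    and is ignored; every other exception is recorded as a crash with the
    input that triggered it, so each finding is reproducible."""
    rng = random.Random(seed)              # fixed seed so a run is reproducible
    crashes = []
    for _ in range(iterations):
        case = mutate(rng, rng.choice(seeds))
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((type(exc).__name__, case))
    return crashes


if __name__ == "__main__":
    found = fuzz(parse_record)
    print(f"vulnerable parser: {len(found)} crashing inputs, e.g. {found[0] if found else None}")
    print(f"fixed parser:      {len(fuzz(parse_record_fixed))} crashing inputs")
```

Separating expected rejections (`ValueError`) from everything else is the important design choice: without it the fuzzer drowns in the parser's own error handling. In a real engagement the seeds are the bug bounty payloads and the target is the actual component, but the loop is the same.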
A large organization is planning to migrate from on premises to the cloud. The Chief Information Security Officer (CISO) is concerned about security responsibilities.
If the company decides to migrate to the cloud, which of the following describes who is responsible for the security of the new physical datacenter?
- A . Third-party assessor
- B . CSP
- C . Organization
- D . Shared responsibility
B
Explanation:
In cloud computing models, the security of the physical data center is the responsibility of the Cloud Service Provider (CSP). The CSP is responsible for protecting the infrastructure that runs all of the services offered in the cloud, which includes the physical security of the data center.
A security engineer is performing a vulnerability management scan on multihomed Linux systems. The engineer notices that the vulnerability count is high due to the fact that each vulnerability is multiplied by the number of NICs on each system.
Which of the following should the engineer do to deduplicate the vulnerabilities and to associate the vulnerabilities with a particular host?
- A . Use a SCAP scanner.
- B . Deploy an agent.
- C . Initiate a discovery scan.
- D . Perform an Nmap scan.
A security engineer thinks the development team has been hard-coding sensitive environment variables in its code.
Which of the following would BEST secure the company’s CI/CD pipeline?
- A . Utilizing a trusted secrets manager
- B . Performing DAST on a weekly basis
- C . Introducing the use of container orchestration
- D . Deploying instance tagging
A
Explanation:
A trusted secrets manager is a tool or service that securely stores and manages sensitive information such as passwords, API keys, tokens, and certificates, and hands them to jobs only at run time. It secures the company's CI/CD (Continuous Integration/Continuous Delivery) pipeline by removing the need to hard-code sensitive environment variables in the code, where they would be committed to source control history, copied into build logs, and baked into artifacts, exposing them to unauthorized access or leakage. A secrets manager also provides encryption at rest, rotation, auditing, and access control for the secrets. Weekly DAST (B), container orchestration (C), and instance tagging (D) do nothing to keep a credential out of the repository.
Reference:
https://about.gitlab.com/blog/2021/04/09/demystifying-ci-cd-variables/
https://www.hashicorp.com/resources/what-is-a-secret-manager
https://dzone.com/articles/how-to-securely-manage-secrets-in-a-ci-cd-pipeline
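How the security engineer would confirm the suspicion before the team moves to a secrets manager, as an added Python example that is not part of the exam material: a minimal hard-coded-secret scanner of the kind that tools such as gitleaks and trufflehog apply at scale. It flags credential-named variables assigned a high-entropy string literal, recognises one well-known key shape, and deliberately ignores values that come from an environment lookup or a vault call. The variable-name list, thresholds, and `SAMPLE_SOURCE` are constructed for this example; the AWS values in the sample are the placeholder examples AWS uses in its own documentation, and the `sk_live_` value is made up.

```python
import math
import re
from collections import Counter

# Left-hand names that suggest a credential.  The name list and thresholds are
# this example's own choices, not a rule set from any real scanner.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"^\s*(?:export\s+)?[\w.]*?(password|passwd|secret|token|api_?key|private_?key)[\w.]*\s*[:=]\s*(.*)$",
    re.IGNORECASE,
)
# A string literal at the start of the right-hand side; anything else (env
# lookup, vault call, variable) is treated as "not hard-coded".
LEADING_LITERAL = re.compile(r"""^(["'])([^"']*)\1""")
# Credential formats with a recognisable shape, independent of the variable name.
KNOWN_SHAPES = [("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"))]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_source(text: str, min_len: int = 8, entropy_threshold: float = 3.5):
    """Return (line number, label) for each line that looks like a hard-coded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, shape in KNOWN_SHAPES:
            if shape.search(line):
                findings.append((lineno, label))
        m = CREDENTIAL_ASSIGNMENT.match(line)
        if not m:
            continue
        lit = LEADING_LITERAL.match(m.group(2))
        if not lit:
            continue                        # value is computed at run time, not a literal
        value = lit.group(2)
        if len(value) >= min_len and shannon_entropy(value) >= entropy_threshold:
            findings.append((lineno, "hardcoded-" + m.group(1).lower()))
    return findings


# Constructed sample of a settings module (not from any real project).
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
api_key = "sk_live_9aQ3xLm8ZtB2vKp7RwN4dYe1"
password = "password"
token = get_token_from_vault("ci/deploy")
"""

if __name__ == "__main__":
    for lineno, label in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {label}")
```

Lines 2 and 7 of the sample are what the code should look like after the migration: the credential name is still there, but the value arrives from the environment or the secrets manager, so the scanner has nothing to flag. The entropy threshold is what keeps `password = "password"` out of the results while still catching random-looking keys; run the scan as a pre-commit hook or pipeline stage so the check happens before a secret reaches the repository.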