A security administrator wants to enable a feature that would prevent a compromised encryption key from being used to decrypt all the VPN traffic. Which of the following should the security administrator use?
A. Salsa20 cipher
B. TLS-based VPN
C. PKI-based IKE IPSec negotiation
D. Perfect forward secrecy
Correct Answer: D
Perfect forward secrecy (PFS) is a property of a key-exchange design that keeps session keys secure even if the long-term keys used to authenticate the exchange are compromised in the future. In the context of VPNs, PFS ensures that each session key used for encryption is unique to that session and is not derived from the VPN server's long-term private key alone. This means that if an attacker obtains the server's private key later on, they cannot use it to decrypt past VPN sessions, because those session keys were derived independently and cannot be recovered from the compromised private key. Thus, PFS protects VPN traffic from retrospective decryption by ensuring that compromise of a long-term key does not compromise past session keys.
Question 92:
An organization is designing a MAC scheme for critical servers running GNU/Linux. The security engineer is investigating SELinux but is confused about how to read labeling contexts. The engineer executes the command stat ./secretfile and receives the following output:
Which of the following describes the correct order of labels shown in the output above?
A. Role, type, MLS level, and user identity
B. Role, user identity, object, and MLS level
C. Object, MLS level, role, and type
D. User identity, role, type, and MLS level
E. Object, user identity, role, and MLS level
Correct Answer: D
SELinux contexts are made up of several components: the user identity, the role, the type (also known as the domain when applied to processes), and the MLS (Multi-Level Security) level. The context format is user:role:type:level. In the given output sys:secret:sec_t:s0, 'sys' is the user identity, 'secret' is the role, 'sec_t' is the type, and 's0' is the MLS level. Understanding SELinux contexts is critical for managing Mandatory Access Control (MAC) on GNU/Linux systems to protect against unauthorized access.
Question 93:
A company with only U.S.-based customers wants to allow developers from another country to work on the company's website. However, the company plans to block normal internet traffic from the other country. Which of the following strategies should the company use to accomplish this objective? (Select two).
A. Block foreign IP addresses from accessing the website
B. Have the developers use the company's VPN
C. Implement a WAP for the website
D. Give the developers access to a jump box on the network
E. Employ a reverse proxy for the developers
F. Use NAT to enable access for the developers
Correct Answer: BD
Having developers use the company's VPN provides them with secure access to the network while still allowing the company to block normal internet traffic from the other country. A jump box serves as a secure, controlled entry point for administrators (or, in this case, developers) to connect to before performing administrative tasks or accessing further areas of the network. This setup maintains security while still providing the necessary access.
Question 94:
Which of the following is record-level encryption commonly used to do?
A. Protect database fields
B. Protect individual files
C. Encrypt individual packets
D. Encrypt the master boot record
Correct Answer: A
Record-level encryption is primarily used to protect sensitive information stored in specific fields within a database, such as personal data, financial information, or health records. This encryption method ensures that individual data entries are encrypted, providing a high level of security and privacy by making the data unreadable to unauthorized users or in the event of a database breach, while still allowing the database to be functional for authorized queries and operations.
Question 95:
A network security engineer is designing a three-tier web architecture that will allow a third-party vendor to perform the following audit functions within the organization's cloud environment:
1. Review communication between all infrastructure endpoints
Which of the following should the network security engineer include in the design to address these requirements?
A. Network edge NIPS
B. Centralized syslog
C. Traffic mirroring
D. Network flow
Correct Answer: C
Traffic mirroring, also known as port mirroring or SPAN (Switched Port Analyzer), creates a copy of the actual network traffic for independent analysis. This would allow the third-party vendor to review communications between infrastructure endpoints, identify unauthorized and malicious data patterns, and perform automated, risk-mitigating configuration changes without impacting the live environment. Mirrored traffic is also what feeds network intrusion detection systems (NIDS) and other traffic-analysis tools.
Question 96:
An IT department is currently working to implement an enterprise DLP solution. Due diligence and best practices must be followed in regard to mitigating risk. Which of the following ensures that authorized modifications are well planned and executed?
A. Risk management
B. Network management
C. Configuration management
D. Change management
Correct Answer: D
Change management is a systematic approach to dealing with the transition or transformation of an organization's goals, processes, or technologies. In the context of implementing a Data Loss Prevention (DLP) solution and ensuring that authorized modifications are well-planned and executed, change management is critical. It ensures that changes are introduced in a controlled and coordinated manner to minimize the impact on service quality and mitigate risks associated with the changes.
Question 97:
A senior security analyst is helping the development team improve the security of an application that is being developed. The developers use third-party libraries and applications. The software in development used old, third-party packages that were not replaced before market distribution. Which of the following should be implemented into the SDLC to resolve the issue?
A. Software composition analysis
B. A SCAP scanner
C. A SAST
D. A DAST
Correct Answer: A
Software Composition Analysis (SCA) is a process that identifies the open-source and other third-party components used in software development in order to manage the risks associated with them. Implementing SCA into the Software Development Life Cycle (SDLC) can help identify outdated third-party packages and ensure they are replaced or updated before the software is distributed.
Question 98:
During a network defense engagement, a red team is able to edit the following registry key:
Which of the following tools is the red team using to perform this action?
A. PowerShell
B. SCAP scanner
C. Network vulnerability scanner
D. Fuzzer
Correct Answer: A
PowerShell is a versatile scripting language that can be used to automate administrative tasks and configuration on Windows machines. It can read and edit registry keys, which is what the red team appears to have done based on the provided information. PowerShell is a common tool for both system administrators and attackers (here, a red team during a penetration test).
Question 99:
A company with customers in the United States and Europe wants to ensure its content is delivered to end users with low latency. Content includes both sensitive and public information. The company's data centers are located on the West Coast of the United States. Users on the East Coast of the United States and users in Europe are experiencing slow application response. Which of the following would allow the company to improve application response quickly?
A. Installing reverse caching proxies in both data centers and implementing proxy auto scaling
B. Using HTTPS to serve sensitive content and HTTP for public content
C. Using colocation services in regions where the application response is slow
D. Implementing a CDN and forcing all traffic through the CDN
Correct Answer: D
A Content Delivery Network (CDN) is designed to serve content to end-users with high availability and high performance. By implementing a CDN, the company can distribute the content across multiple geographically dispersed servers, thereby reducing latency for users far from the West Coast data centers, including those on the East Coast of the United States and in Europe.
Question 100:
A company recently deployed a SIEM and began importing logs from a firewall, a file server, a domain controller, a web server, and a laptop. A security analyst receives a series of SIEM alerts and prepares to respond. The following is the alert information:
Which of the following should the security analyst do FIRST?
A. Disable Administrator on abc-uaa-fsl; the local account is compromised
B. Shut down the abc-usa-fsl server; a plaintext credential is being used
C. Disable the jdoe account; it is likely compromised
D. Shut down abc-usa-fw01; the remote access VPN vulnerability is exploited
Correct Answer: C
Based on the SIEM alerts, the security analyst should first disable the jdoe account, as it is likely compromised by an attacker. The alerts show that the jdoe account successfully logged on to the abc-usa-fsl server, which is a file server, and then initiated SMB (445) traffic to the abc-web01 server, which is a web server. This indicates that the attacker may be trying to exfiltrate data from the file server to the web server. Disabling the jdoe account would help stop this unauthorized activity and prevent further damage.
Disabling Administrator on abc-usa-fsl because the local account is compromised is not the first action to take, as it is not clear from the alerts whether the local account is compromised. The alert shows that there was a successful logon event for Administrator on abc-usa-fsl, but it does not specify whether it was a local or domain account, or whether it was authorized. Moreover, disabling the local account would not stop the SMB traffic from jdoe to abc-web01.
Shutting down the abc-usa-fsl server because a plaintext credential is being used is not the first action to take, as it is not clear from the alerts whether a plaintext credential is being used. The alert shows that there was RDP (3389) traffic from abcadmin1-logon to abc-usa-fsl, but it does not specify whether the credential was encrypted. Moreover, shutting down the file server would disrupt its normal operations and affect other users.
Shutting down abc-usa-fw01 because the remote access VPN vulnerability is exploited is not the first action to take, as it is not clear from the alerts whether the remote access VPN vulnerability is being exploited. The alert shows that there was FTP (21) traffic from abc-usa-dcl to abc-web01, but it does not specify whether it was related to the VPN. Moreover, shutting down the firewall would expose the network to other threats and affect other services.
References: What is SIEM? | Microsoft Security; What is a SIEM Alert? | Cofense