CompTIA CompTIA Certifications CAS-004 Questions & Answers

• Question 101:

  A user forwarded a suspicious email to a security analyst for review. The analyst examined the email and found that neither the URL nor the attachment showed any indication of malicious activities. Which of the following intelligence collection methods should the analyst use to confirm the legitimacy of the email?

  A. HUMINT

  B. UEBA

  C. OSINT

  D. RACE

  Correct Answer: C

  Open-source intelligence (OSINT) refers to the collection and analysis of information that is gathered from public, or open, sources. In the context of confirming the legitimacy of an email, OSINT could involve checking online databases, public records, or using search engines to find information related to the email's domain, the sender, links included in the email, or file hashes of attachments. This method can help determine if the email is part of a known phishing campaign or if it has been flagged by others as suspicious.

• Question 102:

  A Chief Information Security Officer (CISO) reviewed data from a cyber exercise that examined all aspects of the company's response plan. Which of the following best describes what the CISO reviewed?

  A. An after-action report

  B. A tabletop exercise

  C. A system security plan

  D. A disaster recovery plan

  Correct Answer: A

  An after-action report is a document that summarizes the performance of a team during a cybersecurity incident. It is used to review all aspects of the incident response plan, including what was done correctly, what needs improvement, and how the team responded to the incident. The CISO's review of data from a cyber exercise would typically result in an after-action report, which helps in improving future responses to incidents.

• Question 103:

  A software developer created an application for a large, multinational company. The company is concerned the program code could be reverse engineered by a foreign entity and intellectual property would be lost. Which of the following techniques should be used to prevent this situation?

  A. Obfuscation

  B. Code signing

  C. Watermarking

  D. Digital certificates

  Correct Answer: A

  Obfuscation is a technique used to make the program code difficult to understand or read. It can help to prevent reverse engineering by making it more challenging to analyze the code and understand its structure and functionality, thereby protecting intellectual property.

• Question 104:

  in a situation where the cost of anti-malware exceeds the potential loss from a malware threat, which of the following is the most cost-effective risk response?

  A. Risk transfer

  B. Risk mitigation

  C. Risk acceptance

  D. Risk avoidance

  Correct Answer: C

  Risk acceptance is the decision to accept the potential risk and continue operating without engaging in extraordinary measures to mitigate it. If the cost of anti-malware exceeds the potential loss from a malware threat, it would be more cost-effective to accept the risk rather than spend more on mitigations that don't provide proportional value. This is part of a cost-benefit analysis in risk management.

• Question 105:

  Which of the following technologies would benefit the most from the use of biometric readers proximity badge entry systems, and the use of hardware security tokens to access various environments and data entry systems?

  A. Deep learning

  B. Machine learning

  C. Nanotechnology

  D. Passwordless authentication

  E. Biometric impersonation

  Correct Answer: D

  Passwordless authentication is an authentication method that does not require the user to enter a password. Instead, it relies on alternative forms of verification, such as biometric readers (fingerprint or facial recognition), proximity badge entry systems, and hardware security tokens. These technologies provide a means to authenticate users with higher assurance levels and would benefit the most from the use of the mentioned devices and methods.

• Question 106:

  Application owners are reporting performance issues with traffic using port 1433 from the cloud environment. A security administrator has various pcap files to analyze the data between the related source and destination servers. Which of the following tools should be used to help troubleshoot the issue?

  A. Fuzz testing

  B. Wireless vulnerability scan

  C. Exploit framework

  D. Password cracker

  E. Protocol analyzer

  Correct Answer: E

  A protocol analyzer, such as Wireshark, is a tool used to capture and analyze network traffic. It allows security administrators to inspect individual packets, understand the traffic flow, and identify any unusual patterns or issues that may be impacting performance, such as high latency or unusual volume of traffic on a specific port.

• Question 107:

  An ISP is receiving reports from a portion of its customers who state that typosquatting is occurring when they type in a portion of the URL for the ISP's website. The reports state that customers are being directed to an advertisement website that is asking for personal information. The security team has verified the DNS system is returning proper results and has no known lOCs. Which of the following should the security team implement to best mitigate this situation?

  A. DNSSEC

  B. DNS filtering

  C. Multifactor authentication

  D. Self-signed certificates

  E. Revocation of compromised certificates

  Correct Answer: B

  DNS filtering can be used to prevent users from accessing malicious or unintended websites by blocking certain domains at the DNS level. In the case of typosquatting, where users are being directed to an advertisement website asking for personal information, DNS filtering can help by blocking access to these known malicious domains. This would ensure that even if users mistype a URL, they will not be directed to a harmful site.

• Question 108:

  Company A is merging with Company B Company A is a small, local company Company B has a large, global presence The two companies have a lot of duplication in their IT systems processes, and procedures On the new Chief Information Officer's (ClO's) first day a fire breaks out at Company B's mam data center Which of the following actions should the CIO take first?

  A. Determine whether the incident response plan has been tested at both companies, and use it to respond

  B. Review the incident response plans, and engage the disaster recovery plan while relying on the IT leaders from both companies.

  C. Ensure hot. warm, and mobile disaster recovery sites are available, and give an update to the companies' leadership teams

  D. Initiate Company A's IT systems processes and procedures, assess the damage, and perform a BIA

  Correct Answer: B

  In the event of a fire at the main data center, the immediate action should be to review and engage the disaster recovery plan. This is to ensure the continuity of business operations. The CIO should coordinate with IT leaders from both companies to ensure a unified response. Assessing the damage and planning for recovery are crucial, and leveraging the expertise from both companies can help streamline the process.

• Question 109:

  The information security manager at a 24-hour manufacturing facility is reviewing a contract for potential risks to the organization. The contract pertains to the support of printers and multifunction devices during non-standard business hours. Which of the following will the security manager most likely identify as a risk?

  A. Print configurations settings for locked print jobs

  B. The lack of an NDA with the company that supports its devices

  C. The lack of an MSA to govern other services provided by the service provider

  D. The lack of chain of custody for devices prior to deployment at the company

  Correct Answer: B

  A non-disclosure agreement (NDA) is crucial when external parties are provided access to sensitive company devices or information. The absence of an NDA poses a risk that confidential information could be disclosed by the service provider. Therefore, ensuring an NDA is in place with the company that supports sensitive devices would be a key risk identified in the contract.

• Question 110:

  A security architect is implementing a SOAR solution in an organization's cloud production environment to support detection capabilities. Which of the following will be the most likely benefit?

  A. Improved security operations center performance

  B. Automated firewall log collection tasks

  C. Optimized cloud resource utilization

  D. Increased risk visibility

  Correct Answer: A

  Implementing a SOAR (Security Orchestration, Automation, and Response) solution in a cloud production environment is primarily aimed at enhancing the performance of the security operations center (SOC). SOAR tools integrate with various security technologies and automate repetitive tasks such as incident response, threat detection, and remediation. By automating these tasks, SOAR frees up SOC analysts to focus on more complex security issues, reduces response times to incidents, improves incident prioritization, and overall enhances the efficiency and effectiveness of the SOC.