CompTIA CompTIA Certifications CAS-004 Questions & Answers

• Question 351:

  A security architect is designing a solution for a new customer who requires significant security capabilities in its environment. The customer has provided the architect with the following set of requirements:

  Capable of early detection of advanced persistent threats. Must be transparent to users and cause no performance degradation. Allow integration with production and development networks seamlessly. Enable the security team to hunt and investigate live exploitation techniques.

  Which of the following technologies BEST meets the customer's requirements for security capabilities?

  A. Threat Intelligence

  B. Deception software

  C. Centralized logging

  D. Sandbox detonation

  Correct Answer: B

  Deception software is a technology that creates realistic but fake assets (such as servers, applications, data, etc.) that mimic the real environment and lure attackers into interacting with them. By doing so, deception software can help detect advanced persistent threats (APTs) that may otherwise evade traditional security tools12. Deception software can also provide valuable insights into the attacker's tactics, techniques, and procedures (TTPs) by capturing their actions and behaviors on the decoys13. Deception software can meet the customer's requirements for security capabilities because: It is capable of early detection of APTs by creating attractive targets for them and alerting security teams when they are engaged12. It is transparent to users and causes no performance degradation because it does not interfere with legitimate traffic or resources13. It allows integration with production and development networks seamlessly because it can create decoys that match the network topology and configuration13. It enables the security team to hunt and investigate live exploitation techniques because it can record and analyze the attacker's activities on the decoys13.

• Question 352:

  A company hosts a large amount of data in blob storage for its customers. The company recently had a number of issues with this data being prematurely deleted before the scheduled backup processes could be completed. The management team has asked the security architect for a recommendation that allows blobs to be deleted occasionally, but only after a successful backup. Which of the following solutions will BEST meet this requirement?

  A. Mirror the blobs at a local data center.

  B. Enable fast recovery on the storage account.

  C. Implement soft delete for blobs.

  D. Make the blob immutable.

  Correct Answer: C

  Soft delete allows blobs to be deleted, but the data remains accessible for a period of time before it is permanently deleted. This allows the company to delete blobs as needed, while still affording enough time for the backup process to complete. After the backup process is complete, the blobs can be permanently deleted.

• Question 353:

  A software company wants to build a platform by integrating with another company's established product. Which of the following provisions would be MOST important to include when drafting an agreement between the two companies?

  A. Data sovereignty

  B. Shared responsibility

  C. Source code escrow

  D. Safe harbor considerations

  Correct Answer: B

  When drafting an agreement between two companies, it is important to clearly define the responsibilities of each party. This is particularly relevant when a software company is looking to integrate with an established product. A shared responsibility agreement ensures that both parties understand their respective responsibilities and are able to work together efficiently and effectively. For example, the software company might be responsible for integrating the product and ensuring it meets user needs, while the established product provider might be responsible for providing ongoing support and maintenance. By outlining these responsibilities in the agreement, both parties can ensure that the platform is built and maintained successfully. References: CompTIA Advanced Security Practitioner (CASP+) Study Guide, Chapter 8, Working with Third Parties.

• Question 354:

  A security engineer notices the company website allows users to select which country they reside in, such as the following example:

  hitps://mycompany.com/main.php?Country=US

  Which of the following vulnerabilities would MOST likely affect this site?

  A. SQL injection

  B. Remote file inclusion

  C. Directory traversal

  D. Unsecure references

  Correct Answer: C

  In a directory traversal attack, an attacker attempts to access files or directories that are located outside the web root directory or intended area. The URL parameter "Country=US" could potentially be manipulated by an attacker to traverse directories and access files they shouldn't have access to.

• Question 355:

  An organization's finance system was recently attacked. A forensic analyst is reviewing the contents of the compromised files for credit card data. Which of the following commands should

  the analyst run to BEST determine whether financial data was lost?

  

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: B

• Question 356:

  A security operations center analyst is investigating anomalous activity between a database server and an unknown external IP address and gathered the following data:

  dbadmin last logged in at 7:30 a.m. and logged out at 8:05 a.m. A persistent TCP/6667 connection to the external address was established at 7:55 a.m.

  The connection is still active.

  Other than bytes transferred to keep the connection alive, only a few kilobytes of data transfer every hour since the start of the connection.

  A sample outbound request payload from PCAP showed the ASCII content:";JOIN #community".

  Which of the following is the MOST likely root cause?

  A. A SQL injection was used to exfiltrate data from the database server.

  B. The system has been hijacked for cryptocurrency mining.

  C. A botnet Trojan is installed on the database server.

  D. The dbadmin user is consulting the community for help via Internet Relay Chat.

  Correct Answer: C

• Question 357:

  Users are claiming that a web server is not accessible. A security engineer logs for the site. The engineer connects to the server and runs netstat -an and receives the following output:

  

  Which of the following is MOST likely happening to the server?

  A. Port scanning

  B. ARP spoofing

  C. Buffer overflow

  D. Denial of service

  Correct Answer: D

  A denial of service (DoS) attack is a malicious attempt to disrupt the normal functioning of a server by overwhelming it with requests or traffic1. One possible indicator of a DoS attack is a large number of connections from a single source IP address1. In this case, the output of netstat -an shows that there are many connections from 213.37.55.67 with different port numbers and in TIME WAIT state23. This suggests that the attacker is sending many SYN packets to initiate connections but not completing them, thus exhausting the server's resources and preventing legitimate users from accessing it1.

• Question 358:

  An administrator at a software development company would like to protect the integrity Of the company's applications with digital signatures. The developers report that the signing process keeps failing on all applications. The same key pair used for signing, however, is working properly on the website, is valid, and is issued by a trusted CA. Which of the following is MOST likely the cause of the signature failing?

  A. The NTP server is set incorrectly for the developers.

  B. The CA has included the certificate in its CRL_

  C. The certificate is set for the wrong key usage.

  D. Each application is missing a SAN or wildcard entry on the certificate.

  Correct Answer: C

• Question 359:

  An organization's finance system was recently attacked. A forensic analyst is reviewing the contents Of the compromised files for credit card data.

  Which of the following commands should the analyst run to BEST determine whether financial data was lost?

  

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: C

• Question 360:

  An organization is establishing a new software assurance program to vet applications before they are introduced into the production environment, Unfortunately. many Of the applications are provided only as compiled binaries. Which Of the following should the organization use to analyze these applications? (Select TWO).

  A. Regression testing

  B. SAST

  C. Third-party dependency management

  D. IDE SAST

  E. Fuzz testing

  F. IAST

  Correct Answer: EF