CompTIA CompTIA Certifications CAS-004 Questions & Answers

• Question 401:

  A penetration tester is on an active engagement and has access to a remote system. The penetration tester wants to bypass the DLP, which is blocking emails that are encrypted or contain sensitive company information. Which of the following cryptographic techniques should the penetration tester use?

  A. GNU Privacy Guard

  B. UUencoding

  C. DNSCrypt

  D. Steganography

  Correct Answer: D

• Question 402:

  A company in the financial sector receives a substantial number of customer transaction requests via email. While doing a root-cause analysis conceding a security breach, the CIRT correlates an unusual spike in port 80 traffic from the IP address of a desktop used by a customer relations employee who has access to several of the compromised accounts. Subsequent antivirus scans of the device do not return an findings, but the CIRT finds undocumented services running on the device.

  Which of the following controls would reduce the discovery time for similar in the future.

  A. Implementing application blacklisting

  B. Configuring the mall to quarantine incoming attachment automatically

  C. Deploying host-based firewalls and shipping the logs to the SIEM

  D. Increasing the cadence for antivirus DAT updates to twice daily

  Correct Answer: C

• Question 403:

  A small company needs to reduce its operating costs. vendors have proposed solutions, which all focus on management of the company's website and services. The Chief information Security Officer (CISO) insist all available resources in the proposal must be dedicated, but managing a private cloud is not an option. Which of the following is the BEST solution for this company?

  A. Community cloud service model

  B. Multinency SaaS

  C. Single-tenancy SaaS

  D. On-premises cloud service model

  Correct Answer: A

• Question 404:

  A security engineer is troubleshooting an issue in which an employee is getting an IP address in the range on the wired network. The engineer plus another PC into the same port, and that PC gets an IP address in the correct range. The engineer then puts the employee' PC on the wireless network and finds the PC still not get an IP address in the proper range. The PC is up to date on all software and antivirus definitions, and the IP address is not an APIPA address.

  Which of the following is MOST likely the problem?

  A. The company is using 802.1x for VLAN assignment, and the user or computer is in the wrong group.

  B. The DHCP server has a reservation for the PC's MAC address for the wired interface.

  C. The WiFi network is using WPA2 Enterprise, and the computer certificate has the wrong IP address in the SAN field.

  D. The DHCP server is unavailable, so no IP address is being sent back to the PC.

  Correct Answer: A

• Question 405:

  A security analyst is investigating a series of suspicious emails by employees to the security team. The email appear to come from a current business partner and do not contain images or URLs. No images or URLs were stripped from the message by the security tools the company uses instead, the emails only include the following in plain text.

  

  Which of the following should the security analyst perform?

  A. Contact the security department at the business partner and alert them to the email event.

  B. Block the IP address for the business partner at the perimeter firewall.

  C. Pull the devices of the affected employees from the network in case they are infected with a zero-day virus.

  D. Configure the email gateway to automatically quarantine all messages originating from the business partner.

  Correct Answer: A

• Question 406:

  A company that all mobile devices be encrypted, commensurate with the full disk encryption scheme of assets, such as workstation, servers, and laptops. Which of the following will MOST likely be a limiting factor when selecting mobile device managers for the company?

  A. Increased network latency

  B. Unavailable of key escrow

  C. Inability to selected AES-256 encryption

  D. Removal of user authentication requirements

  Correct Answer: A

• Question 407:

  Immediately following the report of a potential breach, a security engineer creates a forensic image of the server in question as part of the organization incident response procedure. Which of the must occur to ensure the integrity of the image?

  A. The image must be password protected against changes.

  B. A hash value of the image must be computed.

  C. The disk containing the image must be placed in a seated container.

  D. A duplicate copy of the image must be maintained

  Correct Answer: B

• Question 408:

  SIMULATION

  Compliance with company policy requires a quarterly review of firewall rules. A new administrator is asked to conduct this review on the internal firewall sitting between several internal networks. The intent of this firewall is to make traffic more

  restrictive. Given the following information answer the questions below:

  User Subnet: 192.168.1.0/24 Server Subnet: 192.168.2.0/24 Finance Subnet:192.168.3.0/24

  Instructions: To perform the necessary tasks, please modify the DST port, Protocol, Action, and/or Rule Order columns. Firewall ACLs are read from the top down

  Task 1) An administrator added a rule to allow their machine terminal server access to the server subnet. This rule is not working. Identify the rule and correct this issue.

  Task 2) All web servers have been changed to communicate solely over SSL. Modify the appropriate rule to allow communications.

  Task 3) An administrator added a rule to block access to the SQL server from anywhere on the network. This rule is not working. Identify and correct this issue.

  Task 4) Other than allowing all hosts to do network time and SSL, modify a rule to ensure that no other traffic is allowed.

  Check the solution below.

  

  A. Check the answer in explanation.

  B. PlaceHoder

  C. PlaceHoder

  D. PlaceHoder

  Correct Answer: A

  Task 1) An administrator added a rule to allow their machine terminal server access to the server subnet. This rule is not working. Identify the rule and correct this issue.

  The rule shown in the image below is the rule in question. It is not working because the action is set to Deny.

  This needs to be set to Permit.

  Task 2) All web servers have been changed to communicate solely over SSL. Modify the appropriate rule to allow communications.

  The web servers rule is shown in the image below. Port 80 (HTTP) needs to be changed to port 443 for HTTPS (HTTP over SSL).

  Task 3) An administrator added a rule to block access to the SQL server from anywhere on the network. This rule is not working. Identify and correct this issue.

  The SQL Server rule is shown in the image below. It is not working because the protocol is wrong. It should be TCP, not UDP.

  Task 4) Other than allowing all hosts to do network time and SSL, modify a rule to ensure that no other traffic is allowed.

  The network time rule is shown in the image below.

  However, this rule is not being used because the `any' rule shown below allows all traffic and the rule is placed above the network time rule. To block all other traffic, the `any' rule needs to be set to Deny, not Permit and the rule needs to be

  placed below all the other rules (it needs to be placed at the bottom of the list to the rule is enumerated last).

• Question 409:

  SIMULATION

  As a security administrator, you are asked to harden a server running Red Hat Enterprise Server 5.5 64-bit.

  This server is being used as a DNS and time server. It is not used as a database, web server, or print server. There are no wireless connections to the server, and it does not need to print.

  The command window will be provided along with root access. You are connected via a secure shell with root access.

  You may query help for a list of commands.

  Instructions:

  You need to disable and turn off unrelated services and processes.

  It is possible to simulate a crash of your server session. The simulation can be reset, but the server cannot be rebooted. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

  

  

  A. Check the answer in explanation.

  B. PlaceHoder

  C. PlaceHoder

  D. PlaceHoder

  Correct Answer: A

  In Order to deactivate web services, database services and print service, we can do following things 1) deactivate its services /etc/init.d/apache2 stop /etc/init.d/mysqld stop 2) close ports for these services Web Server iptables -I INPUT -p tcp -m tcp --dport 443 -j REJECTservice iptables save Print Server iptables -I INPUT -p tcp -m tcp --dport 631 -j REJECTservice iptables save Database Server iptables -I INPUT -p tcp -m tcp --dport <> -j REJECTservice iptables save 3) Kill the process any running for the same ps -aef|grep mysql kill -9 <>

• Question 410:

  An IoT device implements an encryption module built within its SoC, where the asymmetric private key has been defined in a write-once read-many portion of the SoC hardware. Which of the following should the IoT manufacture do if the private key is compromised?

  A. Use over-the-air updates to replace the private key.

  B. Manufacture a new IoT device with a redesigned SoC.

  C. Replace the public portion of the IoT key on its servers.

  D. Release a patch for the SoC software.

  Correct Answer: B

  Manufacture a new IoT device with a redesigned SoC: Write-Once Read-Many (WORM) is specifically designed to adhere to the highest level of integrity. Once written, it cannot be replaced. As for the Private Key compromise, OTA updates and software patches don't work and replacing the public key does nothing. Your only option is to burn it to the ground and start again.