A user from the sales department opened a suspicious file attachment. The sales department then contacted the SOC to investigate a number of unresponsive systems, and the team successfully identified the file and the origin of the attack. Which of the following is the NEXT step of the incident response plan?
A. Remediation
B. Containment
C. Response
D. Recovery
As part of the customer registration process to access a new bank account, customers are required to upload a number of documents, including their passports and driver's licenses. The process also requires customers to take a current photo of themselves to be compared against provided documentation.
Which of the following BEST describes this process?
A. Deepfake
B. Know your customer
C. Identity proofing
D. Passwordless
A security engineer is hardening a company's multihomed SFTP server. When scanning a public-facing network interface, the engineer finds the following ports are open:
1. 22
2. 25
3. 110
4. 137
5. 138
6. 139
7. 445
Internal Windows clients are used to transfer files to the server to stage them for customer download as part of the company's distribution process.
Which of the following would be the BEST solution to harden the system?
A. Close ports 110, 138, and 139. Bind ports 22, 25, and 137 to only the internal interface.
B. Close ports 25 and 110. Bind ports 137, 138, 139, and 445 to only the internal interface.
C. Close ports 22 and 139. Bind ports 137, 138, and 445 to only the internal interface.
D. Close ports 22, 137, and 138. Bind ports 110 and 445 to only the internal interface.
A recent data breach revealed that a company has a number of files containing customer data across its storage environment. These files are individualized for each employee and are used in tracking various customer orders, inquiries, and issues. The files are not encrypted and can be accessed by anyone. The senior management team would like to address these issues without interrupting existing processes.
Which of the following should a security architect recommend?
A. A DLP program to identify which files have customer data and delete them
B. An ERP program to identify which processes need to be tracked
C. A CMDB to report on systems that are not configured to security baselines
D. A CRM application to consolidate the data and provision access based on the process and need
A recent data breach stemmed from unauthorized access to an employee's company account with a cloud-based productivity suite. The attacker exploited excessive permissions granted to a third-party OAuth application to collect sensitive information.
Which of the following BEST mitigates inappropriate access and permissions issues?
A. SIEM
B. CASB
C. WAF
D. SOAR
A security analyst observes the following while looking through network traffic in a company's cloud log:
Which of the following steps should the security analyst take FIRST?
A. Quarantine 10.0.5.52 and run a malware scan against the host.
B. Access 10.0.5.52 via EDR and identify processes that have network connections.
C. Isolate 10.0.50.6 via security groups.
D. Investigate web logs on 10.0.50.6 to determine if this is normal traffic.
Which of the following is the MOST important cloud-specific risk from the CSP's viewpoint?
A. Isolation control failure
B. Management plane breach
C. Insecure data deletion
D. Resource exhaustion
Leveraging cryptographic solutions to protect data that is in use ensures the data is encrypted:
A. when it is passed across a local network.
B. in memory during processing.
C. when it is written to a system's solid-state drive.
D. by an enterprise hardware security module.
An organization is developing a disaster recovery plan that requires data to be backed up and available at a moment's notice. Which of the following should the organization consider FIRST to address this requirement?
A. Implement a change management plan to ensure systems are using the appropriate versions.
B. Hire additional on-call staff to be deployed if an event occurs.
C. Design an appropriate warm site for business continuity.
D. Identify critical business processes and determine associated software and hardware requirements.
A security analyst detected a malicious PowerShell attack on a single server. The malware used the Invoke-Expression function to execute an external malicious script. The security analyst scanned the disk with an antivirus application and did not find any IOCs. The security analyst now needs to deploy a protection solution against this type of malware.
Which of the following BEST describes the type of malware the solution should protect against?
A. Worm
B. Logic bomb
C. Fileless
D. Rootkit