Exam Details

  • Exam Code: CAS-004
  • Exam Name: CompTIA Advanced Security Practitioner (CASP+)
  • Certification: CompTIA Certifications
  • Vendor: CompTIA
  • Total Questions: 743 Q&As
  • Last Updated: Mar 30, 2025

CompTIA Certifications CAS-004 Questions & Answers

  • Question 51:

    A company uses a CSP to provide a front end for its new payment system offering. The new offering is currently certified as PCI compliant. In order for the integrated solution to be compliant, the customer:

    A. must also be PCI compliant, because the risk is transferred to the provider.

    B. still needs to perform its own PCI assessment of the provider's managed serverless service.

    C. needs to perform a penetration test of the cloud provider's environment.

    D. must ensure in-scope systems for the new offering are also PCI compliant.

  • Question 52:

    A security technician is trying to connect a remote site to the central office over a site-to-site VPN. The technician has verified the source and destination IP addresses are correct, but the technician is unable to get the remote site to connect. The following error message keeps repeating:

    An error has occurred during Phase 1 handshake. Deleting keys and retrying...

    Which of the following is most likely the reason the connection is failing?

    A. The IKE hashing algorithm uses different key lengths on each VPN device.

    B. The IPSec settings allow more than one cipher suite on both devices.

    C. The Diffie-Hellman group on both sides matches but is a legacy group.

    D. The remote VPN is attempting to connect with a protocol other than SSL/TLS.
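
Added example for Question 52 (not part of the exam material): a small diagnostic that models why an IKE Phase 1 exchange fails when the two peers' proposals do not line up, and separately flags a proposal that matches but uses a legacy Diffie-Hellman group. The enc-integ-dhgroup notation (strongSwan style), the set of groups treated as legacy, and the sample configurations are assumptions made for this illustration.

```python
"""Added example (not from the original page): diagnose why an IKE Phase 1
proposal exchange fails between two VPN peers.

Proposals use the strongSwan-style notation enc-integ-dhgroup, e.g.
"aes256-sha256-modp2048"; several may be listed comma-separated in
preference order. The notation, the legacy-group set and the sample
configurations below are assumptions made for this illustration.
"""
from typing import Dict, List, Optional

FIELDS = ("encryption", "integrity", "dh_group")

# Assumed list of DH groups a practitioner would treat as legacy.
LEGACY_DH_GROUPS = {"modp768", "modp1024", "modp1536"}


def parse_proposal(text: str) -> Dict[str, str]:
    """Split one proposal string into its three Phase 1 attributes."""
    parts = text.strip().lower().split("-")
    if len(parts) != len(FIELDS):
        raise ValueError(f"bad proposal {text!r}: expected enc-integ-dhgroup")
    return dict(zip(FIELDS, parts))


def parse_proposals(text: str) -> List[Dict[str, str]]:
    """Parse a comma-separated list of proposals, preserving preference order."""
    return [parse_proposal(p) for p in text.split(",") if p.strip()]


def negotiate(initiator: str, responder: str) -> Optional[Dict[str, str]]:
    """Return the first initiator proposal the responder also accepts, else None.

    Every attribute must match exactly: a peer that offers sha256 while the
    other only accepts sha1 never gets past Phase 1, however many other
    suites the two sides happen to share.
    """
    accepted = parse_proposals(responder)
    for proposal in parse_proposals(initiator):
        if proposal in accepted:
            return proposal
    return None


def explain_mismatch(initiator: str, responder: str) -> List[str]:
    """List the attributes on which the two sides have no value in common."""
    offered = parse_proposals(initiator)
    accepted = parse_proposals(responder)
    reasons = []
    for field in FIELDS:
        mine = {p[field] for p in offered}
        theirs = {p[field] for p in accepted}
        if not mine & theirs:
            reasons.append(f"{field}: initiator offers {sorted(mine)}, "
                           f"responder accepts {sorted(theirs)}")
    if not reasons and negotiate(initiator, responder) is None:
        reasons.append("every attribute overlaps, but no single proposal "
                       "combines the shared values on both sides")
    return reasons


def weak_settings(proposal: Dict[str, str]) -> List[str]:
    """A matching proposal can still be a weak one; flag a legacy DH group."""
    found = []
    if proposal["dh_group"] in LEGACY_DH_GROUPS:
        found.append(f"dh_group {proposal['dh_group']} is legacy; "
                     "the tunnel comes up but should be upgraded")
    return found


if __name__ == "__main__":
    # Constructed sample: the two sides agree on everything except the hash.
    hq = "aes256-sha256-modp2048,aes128-sha256-modp2048"
    branch = "aes256-sha1-modp2048"
    print("negotiated:", negotiate(hq, branch))
    for line in explain_mismatch(hq, branch):
        print("mismatch ->", line)
    # Constructed sample: matches, but on a legacy group.
    agreed = negotiate("aes256-sha256-modp1024", "aes256-sha256-modp1024")
    for line in weak_settings(agreed):
        print("warning  ->", line)
```

The distinction the two sample runs draw is the one the answer options turn on: a mismatched attribute stops Phase 1 entirely, whereas a legacy group that both sides agree on still lets the tunnel establish.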

  • Question 53:

    A software development company needs to mitigate third-party risks to its software supply chain. Which of the following techniques should the company use in the development environment to best meet this objective?

    A. Performing software composition analysis

    B. Requiring multifactor authentication

    C. Establishing coding standards and monitoring for compliance

    D. Implementing a robust unit and regression-testing scheme

  • Question 54:

    A company recently migrated its critical web application to a cloud provider's environment. As part of the company's risk management program, the company intends to conduct an external penetration test. According to the scope of work and the rules of engagement, the penetration tester will validate the web application's security and check for opportunities to expose sensitive company information in the newly migrated cloud environment. Which of the following should be the first consideration prior to engaging in the test?

    A. Prepare a redundant server to ensure the critical web application's availability during the test.

    B. Obtain agreement between the company and the cloud provider to conduct penetration testing.

    C. Ensure the latest patches and signatures are deployed on the web server.

    D. Create an NDA between the external penetration tester and the company.

  • Question 55:

    A recent batch of bug bounty findings indicates a systematic issue related to directory traversal. A security engineer needs to prevent flawed code from being deployed into production. Which of the following is the best mitigation strategy for the engineer?

    A. Setting up secure development training with a focus on filesystem access issues

    B. Implementing static code analysis testing into the CI/CD pipeline and blocking based on findings

    C. Using a software composition analysis tool to look for directory traversal issues in the application

    D. Developing a secure library for filesystem access and blocking builds that do not use the library

    E. Leveraging a dynamic application security testing tool to uncover issues related to directory traversal
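
Added example for Question 55 (not part of the exam material): a file-serving helper that is open to directory traversal, the hardened replacement, and a small build gate of the kind a CI/CD stage would run over the source tree and fail on. The file names, the secret file and the source snippets fed to the gate are constructed for this illustration; the gate is a pattern match, not a real static analyzer.

```python
"""Added example (not from the original page): a file-serving helper that is
open to directory traversal, the hardened replacement, and a small build
gate of the kind a CI/CD stage would run over the source tree.

The file names, the secret file and the source snippets fed to the gate are
constructed for this illustration.
"""
import inspect
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List


def read_file_vulnerable(base_dir: str, user_path: str) -> bytes:
    """Deliberately unsafe: '..' segments walk out of base_dir, and an
    absolute user_path makes os.path.join discard base_dir entirely."""
    return Path(os.path.join(base_dir, user_path)).read_bytes()


def read_file_hardened(base_dir: str, user_path: str) -> bytes:
    """Resolve both paths (collapsing '..' and symlinks) and refuse anything
    whose real location is not inside the real base directory."""
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()
    if target != base and base not in target.parents:
        raise PermissionError(f"{user_path!r} escapes {base}")
    return target.read_bytes()


# Very small static check: flag direct os.path.join(...) and open(<name>)
# calls. A real SAST tool tracks taint; this only shows the gate's shape.
UNSAFE_PATTERNS = [
    re.compile(r"os\.path\.join\s*\("),
    re.compile(r"\bopen\s*\(\s*[A-Za-z_]\w*\s*[,)]"),
]


def scan_source(source: str) -> List[str]:
    """Return 'line N: <text>' findings for lines matching an unsafe pattern."""
    findings = []
    for number, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        if any(pattern.search(line) for pattern in UNSAFE_PATTERNS):
            findings.append(f"line {number}: {line.strip()}")
    return findings


def build_allowed(source: str) -> bool:
    """The CI stage: fail the build when the scan reports anything."""
    return not scan_source(source)


def demo() -> Dict[str, object]:
    """Exercise both helpers against a constructed tree and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        public = root / "public"
        public.mkdir()
        (public / "index.html").write_bytes(b"<h1>hello</h1>")
        (root / "secret.txt").write_bytes(b"db_password=hunter2")  # constructed

        results: Dict[str, object] = {
            "vulnerable_normal": read_file_vulnerable(str(public), "index.html"),
            "vulnerable_escape": read_file_vulnerable(str(public), "../secret.txt"),
            "hardened_normal": read_file_hardened(str(public), "index.html"),
        }
        try:
            read_file_hardened(str(public), "../secret.txt")
            results["hardened_escape"] = "allowed"
        except PermissionError:
            results["hardened_escape"] = "blocked"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value!r}")
    # The gate rejects the vulnerable helper and passes the hardened one.
    print("vulnerable helper passes gate:",
          build_allowed(inspect.getsource(read_file_vulnerable)))
    print("hardened helper passes gate:  ",
          build_allowed(inspect.getsource(read_file_hardened)))
```

Gating on the scan result is what turns a finding into a blocked deployment; the hardened helper also shows the shape a shared, vetted filesystem library would take if the team chose to standardize on one.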

  • Question 56:

    A company would like to move its payment card data to a cloud provider. Which of the following solutions will best protect account numbers from unauthorized disclosure?

    A. Storing the data in an encoded file

    B. Implementing database encryption at rest

    C. Only storing tokenized card data

    D. Implementing data field masking
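
Added example for Question 56 (not part of the exam material): side by side, what encoding, masking and tokenization each do to a primary account number. The in-memory vault stands in for a real token service, and the PAN used is the well-known test number 4111111111111111; both are constructed for this illustration.

```python
"""Added example (not from the original page): the difference between
encoding, masking and tokenizing a primary account number (PAN).

The vault below is an in-memory stand-in for a real token service, and the
sample PAN is the well-known test number 4111111111111111; both are
constructed for this illustration.
"""
import base64
import secrets
from typing import Dict


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        digit = int(char)
        if index % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def encode(pan: str) -> str:
    """Encoding only changes representation; anyone can reverse it."""
    return base64.b64encode(pan.encode()).decode()


def decode(encoded: str) -> str:
    return base64.b64decode(encoded).decode()


def mask(pan: str) -> str:
    """Masking hides digits for display; the full PAN still exists wherever
    the masked view is produced from."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Maps PANs to random, format-preserving tokens. Only the vault can map
    a token back; the token carries no information about the PAN, so systems
    that store only tokens hold nothing an attacker can cash in."""

    def __init__(self) -> None:
        self._token_for_pan: Dict[str, str] = {}
        self._pan_for_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._token_for_pan:
            return self._token_for_pan[pan]  # same PAN, same token
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # keep the last four for receipts and lookups
            # Reject candidates that pass Luhn, so a token can never be
            # mistaken for (or collide with) a real card number.
            if not luhn_valid(token) and token not in self._pan_for_token:
                break
        self._token_for_pan[pan] = token
        self._pan_for_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only a caller with access to the vault can recover the PAN."""
        return self._pan_for_token[token]


def round_trip(pan: str) -> Dict[str, object]:
    """Tokenize, look the token back up, and report the token's properties."""
    vault = TokenVault()
    token = vault.tokenize(pan)
    return {
        "token": token,
        "recovered": vault.detokenize(token),
        "token_luhn_valid": luhn_valid(token),
        "stable": vault.tokenize(pan) == token,
    }


if __name__ == "__main__":
    pan = "4111111111111111"
    result = round_trip(pan)
    print("encoded :", encode(pan), "->", decode(encode(pan)))
    print("masked  :", mask(pan))
    print("token   :", result["token"], "(Luhn valid:", result["token_luhn_valid"], ")")
    print("lookup  :", result["recovered"])
```

The point the run makes: the encoded form is trivially reversible by anyone, the masked form still requires the PAN to exist upstream, and the token is worthless without the vault, which is why only the vault (not the cloud datastore holding tokens) needs to be treated as cardholder data.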

  • Question 57:

    An organization developed a containerized application. The organization wants to run the application in the cloud and automatically scale it based on demand. The security operations team would like to use container orchestration but does not want to assume patching responsibilities. Which of the following service models best meets these requirements?

    A. PaaS

    B. SaaS

    C. IaaS

    D. MaaS

  • Question 58:

    A control systems analyst is reviewing the defensive posture of engineering workstations on the shop floor. Upon evaluation, the analyst makes the following observations:

    1. Unsupported, end-of-life operating systems were still prevalent on the shop floor.

    2. There are no security controls for systems with supported operating systems.

    3. There is little uniformity of installed software among the workstations.

    Which of the following would have the greatest impact on the attack surface?

    A. Deploy antivirus software to all of the workstations.

    B. Increase the level of monitoring on the workstations.

    C. Utilize network-based allow and block lists.

    D. Harden all of the engineering workstations using a common strategy.

  • Question 59:

    After investigating a recent security incident, a SOC analyst is charged with creating a reference guide for the entire team to use. Which of the following should the analyst create to address future incidents?

    A. Root cause analysis

    B. Communication plan

    C. Runbook

    D. Lessons learned

  • Question 60:

    A common industrial protocol has the following characteristics:

    1. Provides for no authentication/security

    2. Is often implemented in a client/server relationship

    3. Is implemented as either RTU or TCP/IP

    Which of the following is being described?

    A. Profinet

    B. Modbus

    C. Zigbee

    D. Z-Wave
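
Added example for Question 60 (not part of the exam material): building and parsing Modbus TCP frames and answering them from a toy slave, to make the first characteristic concrete. The frame layout follows the Modbus TCP format (7-byte MBAP header followed by the PDU); the register map, transaction ids and the "PLC" itself are constructed for this illustration.

```python
"""Added example (not from the original page): build and parse Modbus TCP
frames and serve them from a toy slave, to show what the protocol's lack of
authentication means in practice: any client that can reach the port can
read and, more importantly, write registers.

The register map and the transaction ids are constructed for this
illustration; the frame layout follows the Modbus TCP (MBAP + PDU) format.
"""
import struct
from typing import Dict, List, Tuple

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_DATA_ADDRESS = 0x02


class ModbusException(Exception):
    def __init__(self, function: int, code: int) -> None:
        super().__init__(f"function {function:#04x} failed with exception {code}")
        self.function, self.code = function, code


def frame(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Prefix a PDU with the 7-byte MBAP header:
    transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1),
    where length counts the unit id plus the PDU. There is no field for a
    credential, a nonce or a MAC anywhere in the frame."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def split_frame(data: bytes) -> Tuple[int, int, bytes]:
    """Validate the MBAP header and return (transaction id, unit id, PDU)."""
    if len(data) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", data[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    pdu = data[7:]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length does not match payload")
    return transaction_id, unit_id, pdu


def read_holding_registers(transaction_id: int, unit_id: int, start: int, count: int) -> bytes:
    return frame(transaction_id, unit_id, struct.pack(">BHH", READ_HOLDING_REGISTERS, start, count))


def write_single_register(transaction_id: int, unit_id: int, address: int, value: int) -> bytes:
    return frame(transaction_id, unit_id, struct.pack(">BHH", WRITE_SINGLE_REGISTER, address, value))


def parse_read_response(data: bytes) -> List[int]:
    """Return the register values from a function 0x03 response."""
    _, _, pdu = split_frame(data)
    if pdu[0] & 0x80:
        raise ModbusException(pdu[0] & 0x7F, pdu[1])
    byte_count = pdu[1]
    return list(struct.unpack(f">{byte_count // 2}H", pdu[2:2 + byte_count]))


class ModbusSlave:
    """Minimal server side: holds a register map and answers requests.
    Note what it never does: check who sent the request."""

    def __init__(self, registers: Dict[int, int]) -> None:
        self.registers = dict(registers)

    def handle(self, data: bytes) -> bytes:
        transaction_id, unit_id, pdu = split_frame(data)
        function = pdu[0]
        if function == READ_HOLDING_REGISTERS:
            start, count = struct.unpack(">HH", pdu[1:5])
            addresses = range(start, start + count)
            if any(a not in self.registers for a in addresses):
                return self._exception(transaction_id, unit_id, function, EXC_ILLEGAL_DATA_ADDRESS)
            values = b"".join(struct.pack(">H", self.registers[a]) for a in addresses)
            return frame(transaction_id, unit_id, bytes([function, len(values)]) + values)
        if function == WRITE_SINGLE_REGISTER:
            address, value = struct.unpack(">HH", pdu[1:5])
            if address not in self.registers:
                return self._exception(transaction_id, unit_id, function, EXC_ILLEGAL_DATA_ADDRESS)
            self.registers[address] = value  # unauthenticated write takes effect
            return frame(transaction_id, unit_id, pdu)  # normal response echoes the request
        return self._exception(transaction_id, unit_id, function, EXC_ILLEGAL_FUNCTION)

    @staticmethod
    def _exception(transaction_id: int, unit_id: int, function: int, code: int) -> bytes:
        return frame(transaction_id, unit_id, bytes([function | 0x80, code]))


def demo_unauthenticated_write() -> List[int]:
    """Read two registers, overwrite the first from an arbitrary client, read again."""
    plc = ModbusSlave({0: 1500, 1: 72})  # constructed: e.g. a setpoint and a temperature
    before = parse_read_response(plc.handle(read_holding_registers(1, 1, 0, 2)))
    plc.handle(write_single_register(2, 1, 0, 0))  # nothing identifies or authorizes the sender
    after = parse_read_response(plc.handle(read_holding_registers(3, 1, 0, 2)))
    return before + after


if __name__ == "__main__":
    print("request bytes:", read_holding_registers(1, 1, 0, 2).hex())
    print("before/after :", demo_unauthenticated_write())
```

Walking through the header bytes is the quickest way to see the first characteristic: every field is addressing or length, so protection has to come from the network (segmentation, allow lists, a protocol-aware firewall) rather than from Modbus itself.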

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CAS-004 exam preparation or your CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions.