Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CAS-004 Security Engineering • Complete Question Bank

CAS-004 Security Engineering — All Questions With Answers

Complete CAS-004 Security Engineering question bank — all 0 questions with answers and detailed explanations.

97 Questions • Free • No signup

Question 1 • medium • multiple choice

A security architect is designing a VPN solution for remote employees. The company requires strong authentication and integrity protection but is less concerned about confidentiality for non-sensitive traffic. Which protocol is most appropriate?

Question 2 • hard • multiple choice

A security engineer is troubleshooting a web application that uses OAuth 2.0 for authorization. Users report that after authenticating, they are unable to access resources that require a specific scope. The engineer inspects the authorization request and finds that the scope parameter is missing. Which OAuth flow is most likely being used?

Question 3 • easy • multiple choice

An organization wants to implement a hardware security module (HSM) to protect cryptographic keys. Which of the following is a primary benefit of using an HSM?

Question 4 • medium • multiple choice

A network administrator is configuring a firewall to block traffic from a specific IP address range. The firewall uses ACLs. Which ACL entry would deny traffic from 192.168.1.0/24?

Question 5 • hard • multiple choice

A company is migrating to a zero trust architecture. Which of the following is a key principle of zero trust?

Question 6 • medium • multi select

Which TWO of the following are valid methods for securing REST APIs? (Select TWO.)

Question 7 • hard • multi select

Which THREE of the following are common vulnerabilities in IoT devices? (Select THREE.)

Question 8 • medium • multiple choice

A security analyst is reviewing an AppArmor profile for an application. Based on the exhibit, which action would the application be denied?

Exhibit

Refer to the exhibit.

```
# AppArmor Profile: /usr/bin/somebin
#include <tunables/global>

profile somebin /usr/bin/somebin {
  capability dac_override,
  network inet dgram,
  /etc/config/* r,
  /var/log/app.log w,
}
```

Question 9 • hard • multiple choice

A network administrator is troubleshooting connectivity issues. Based on the exhibit, which of the following is true about the iptables rules?

Exhibit

Refer to the exhibit.

```
# iptables -L FORWARD -v -n
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  eth0   eth1    10.0.1.0/24          0.0.0.0/0            state NEW,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            10.0.1.0/24          state ESTABLISHED
```

Question 10 • medium • multiple choice

A company is designing a new data center with high availability requirements. The network team proposes using virtualized network functions (VNFs) on commodity hardware to reduce costs. Which security consideration is MOST important when implementing this design?

Question 11 • hard • multi select

A security engineer is hardening a Linux web server. The team requires that the web server process cannot run with root privileges and that any file it writes must have minimal permissions. Which two controls should be implemented together? (Select TWO).

Question 12 • easy • multiple choice

An organization wants to implement a solution that ensures data cannot be read if a storage device is physically stolen. Which encryption approach BEST meets this requirement?

Question 13 • medium • multiple choice

A network administrator is configuring a firewall rule set. The requirement is to allow inbound HTTPS traffic from the internet to a web server at 10.1.1.10, and to allow the web server to respond. All other inbound traffic should be blocked. Which rule set accomplishes this?

Question 14 • hard • multiple choice

A security analyst reviews logs from a web application firewall (WAF) and notices that an attacker is bypassing the WAF by encoding malicious payloads using base64 and then sending them in HTTP headers. Which WAF configuration change would BEST detect and block such attacks?

Question 15 • medium • multi select

Which TWO of the following are considered secure design principles for cryptographic systems?

Question 16 • hard • multi select

Which THREE of the following are common techniques to mitigate side-channel attacks?

Question 17 • medium • multiple choice

An administrator runs the iptables command shown in the exhibit on a Linux server. The server is directly connected to the internet. Which of the following is the MOST significant security issue with this configuration?

Exhibit

Refer to the exhibit.

```
# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 8
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

Question 18 • hard • multiple choice

A security engineer is reviewing an S3 bucket policy for a bucket named 'corporate-data'. The policy is shown. Which of the following describes a vulnerability in this configuration?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::corporate-data/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::corporate-data/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Question 19 • easy • multiple choice

A security architect is designing a web application that handles sensitive customer data. The application must ensure that if one server is compromised, the attacker cannot access the private keys used for TLS termination. Which of the following approaches best meets this requirement?

Question 20 • medium • multiple choice

A security engineer needs to implement a solution that will detect and block command-and-control (C2) traffic from malware on the internal network. The solution must be able to inspect encrypted traffic and operate at the network layer. Which of the following is the BEST choice?

Question 21 • hard • multiple choice

A security analyst reviews the syslog messages from the company's ASA firewall. Based on the exhibit, which of the following is the MOST likely cause of the denied traffic?

Exhibit

Refer to the exhibit.

```
=== syslog excerpt ===
Mar 15 14:23:45 firewall1 %ASA-4-106023: Deny tcp src inside:192.168.1.10/54321 dst outside:10.0.0.1/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
Mar 15 14:23:46 firewall1 %ASA-4-106023: Deny tcp src inside:192.168.1.10/54322 dst outside:10.0.0.1/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
Mar 15 14:23:47 firewall1 %ASA-4-106023: Deny tcp src inside:192.168.1.10/54323 dst outside:10.0.0.1/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
```

Question 22 • medium • multi select

A security architect is designing a secure software development pipeline. The organization wants to ensure that code is thoroughly analyzed before deployment. Which TWO of the following should be integrated into the pipeline to identify vulnerabilities early? (Select TWO.)

Question 23 • hard • multi select

An organization is deploying a new cloud-based application that processes personally identifiable information (PII). The security team must ensure data at rest is encrypted. Which THREE of the following controls should be implemented to protect the data? (Select THREE.)

Question 24 • easy • multiple choice

A small business has a single physical server running multiple virtual machines (VMs) using Type 2 hypervisor software on a Windows Server host. The host is not joined to a domain. The VMs include an Active Directory domain controller, a file server, and a web server. The company recently suffered a ransomware attack that encrypted all data on the file server VM. The IT administrator restored the file server from a backup, but the ransomware returned within hours. Analysis shows that the ransomware is now spreading to other VMs. The administrator suspects that the hypervisor host itself may be compromised. Which of the following is the MOST effective immediate action to contain the spread and secure the environment?

Question 25 • medium • multiple choice

A security engineer is reviewing the configuration of a web application firewall (WAF) that protects a public-facing e-commerce site. The site has been experiencing intermittent false positives that block legitimate customers during checkout. The WAF is deployed in blocking mode with a rule set that includes SQL injection and cross-site scripting (XSS) signatures. The engineer notices that legitimate credit card numbers containing the string 'OR' are being blocked. The site uses HTTPS and input validation on the server side. Which of the following actions would BEST resolve the false positives while maintaining security?

Question 26 • hard • multi select

A security engineer is designing a secure enclave for processing sensitive personally identifiable information (PII). The enclave must protect data at rest and in use, and must support attestation to verify its integrity. Which THREE technologies should the engineer incorporate? (Choose three.)

Question 27 • medium • multiple choice

A security analyst reviews the ACL rules in the exhibit. A host at 10.0.1.5 attempts to SSH (port 22) to a server at 10.0.2.10. What is the result?

Exhibit

Refer to the exhibit.

```
Filtering rules for interface eth0 (direction inbound):
Rule 1: deny tcp 10.0.1.0/24 any eq 22
Rule 2: permit tcp any host 10.0.1.10 eq 443
Rule 3: deny ip any 10.0.2.0/24
Rule 4: permit tcp 10.0.1.0/24 host 10.0.2.10 eq 3306
Rule 5: deny ip any any
```

Question 28 • easy • multiple choice

A company's development team uses a CI/CD pipeline hosted in a public cloud. The pipeline builds container images, pushes them to a private registry, and deploys them to a Kubernetes cluster. A security engineer must ensure that only signed and vulnerability-scanned images are deployed. The engineer has configured the registry to require signatures and the CI/CD pipeline to scan images. However, deployments are still failing because unsigned images are being pulled. The engineer discovers that developers can push images directly to the registry bypassing the CI/CD pipeline and that Kubernetes nodes can pull images without signature verification. Which of the following should the engineer implement to enforce image signing and scanning?

Question 29 • medium • drag order

Drag and drop the steps to respond to a ransomware incident in the correct order.

Question 30 • medium • drag order

Drag and drop the steps to implement a DLP policy to prevent credit card data exfiltration via email into the correct order.

Question 31 • medium • matching

Match each command-line tool to its primary function.

Concepts
Matches

DNS query and lookup

Display network connections and listening ports

Capture and analyze network traffic

Perform SSL/TLS cryptographic operations

Network discovery and port scanning

Question 32 • medium • matching

Match each cloud service model to its scope.

Concepts
Matches

Software delivered over the internet

Platform for application development and deployment

Virtualized computing resources over the internet

Disaster recovery as a service

Security services delivered via the cloud

Question 33 • easy • multiple choice

A security engineer needs to implement a solution that provides both confidentiality and integrity for data at rest. Which cryptographic method BEST meets these requirements?

Question 34 • medium • multiple choice

A company is deploying IoT sensors in a remote area with limited connectivity. The sensors must be able to securely transmit data using minimal bandwidth. Which protocol should the engineer choose?

Question 35 • hard • multiple choice

During a security assessment, the engineer discovers that a network appliance's firmware updates are signed using a 1024-bit RSA key. The appliance was manufactured in 2015. What is the primary security concern?

Question 36 • easy • multiple choice

An organization wants to implement a zero-trust architecture for remote access. Which of the following is the MOST important component?

Question 37 • medium • multiple choice

A financial institution needs to ensure that transaction logs are tamper-proof after creation. Which solution should be implemented?

Question 38 • hard • multiple choice

A cloud security architect is designing a multi-region active-active application. The application must maintain high availability even if an entire AWS region fails. Which architecture BEST meets this requirement?

Question 39 • easy • multiple choice

A small business wants to protect endpoints from malware without incurring per-device licensing costs. Which approach is MOST cost-effective?

Question 40 • medium • multiple choice

During a penetration test, an engineer discovers that the application uses client-side JavaScript to validate input before submission. What is the MOST significant vulnerability?

Question 41 • hard • multiple choice

An organization is migrating to a hybrid cloud model. The security policy mandates that all keys used for data encryption must be managed on-premises. Which key management solution should be used?

Question 42 • medium • multi select

A security engineer is designing a secure wireless network for a corporate office. Which TWO configurations should be implemented to maximize security?

Question 43 • hard • multi select

An incident responder is analyzing a compromised server. Which THREE indicators are MOST likely to confirm a successful attack?

Question 44 • easy • multi select

A security team is implementing controls to meet PCI DSS requirements for cardholder data. Which THREE controls are required?

Question 45 • medium • multiple choice

The security engineer notices that SSH login attempts to 192.168.1.1 from the untrust zone are being blocked. Which policy misconfiguration is MOST likely causing this?

Exhibit

Refer to the exhibit.

```
show security policies
Policy Name: Web-Server-Access
Source Zone: untrust
Dest Zone: dmz
Source Address: any
Dest Address: 10.1.1.100
Application: http, https
Action: permit
Log: session-init

Policy Name: Remote-Admin
Source Zone: vpn
Dest Zone: mgmt
Source Address: 10.2.2.0/24
Dest Address: 192.168.1.1
Application: ssh, https
Action: permit
Log: session-close
```

Question 46 • hard • multiple choice

The engineer needs to prevent brute-force attacks while allowing legitimate access. Which security control is MOST effective?

Exhibit

Refer to the exhibit.

```
Aug 15 14:23:10 server1 sshd[1234]: Failed password for root from 192.168.1.200 port 56789 ssh2
Aug 15 14:23:12 server1 sshd[1234]: Failed password for root from 192.168.1.200 port 56790 ssh2
Aug 15 14:23:15 server1 sshd[1234]: Failed password for root from 192.168.1.200 port 56791 ssh2
...
Aug 15 14:25:30 server1 sshd[1234]: Accepted password for admin from 10.0.0.50 port 34821 ssh2
```

Question 47 • easy • multiple choice

A security analyst reviews this configuration and identifies a vulnerability. What is the MOST critical issue?

Exhibit

Refer to the exhibit.

```xml
<security>
  <authentication type="OAuth2">
    <client-id>abc123</client-id>
    <client-secret>secret!</client-secret>
    <token-endpoint>https://auth.example.com/token</token-endpoint>
    <redirect-uri>http://app.example.com/callback</redirect-uri>
    <grant-type>authorization_code</grant-type>
  </authentication>
</security>
```

Question 48 • easy • multiple choice

A security architect needs to protect sensitive data in use within a server's memory from other processes. Which technology should be implemented?

Question 49 • medium • multiple choice

A company has implemented a hardware security module (HSM) to manage cryptographic keys for a payment processing system. Which of the following best describes an advantage of using an HSM over software-based key storage?

Question 50 • hard • multiple choice

During a security assessment, a penetration tester discovers that a web application uses a custom encryption algorithm to protect session tokens. According to secure engineering principles, what is the primary concern?

Question 51 • easy • multiple choice

An organization is deploying a new application that processes sensitive user data. The security team recommends using a dedicated cryptographic module. Which standard should the module comply with to ensure it is validated for security?

Question 52 • medium • multiple choice

A security engineer is designing a secure boot process for embedded devices. Which component is responsible for verifying the signature of the bootloader before execution?

Question 53 • hard • multiple choice

An organization wants to implement a zero-trust architecture for remote access. Which component is most critical for enforcing least-privilege access to internal applications?

Question 54 • easy • multiple choice

A company wants to ensure that only authorized code runs on its point-of-sale (POS) terminals. Which technology should be implemented?

Question 55 • medium • multiple choice

A security engineer is deploying a wireless network for a high-security facility. Which protocol should be used to provide the strongest authentication and encryption for client devices?

Question 56 • hard • multiple choice

During a security incident, a forensic analyst needs to acquire a memory dump from a Linux server without altering the system state. Which tool is most appropriate for this task?

Question 57 • medium • multi select

A security engineer is evaluating options for securing firmware updates on IoT devices. Which TWO methods provide integrity verification of the update?

Question 58 • hard • multi select

Which THREE of the following are key components of a zero-trust security architecture? (Select THREE).

Question 59 • easy • multi select

A cloud security architect is designing a key management system for a multi-tenant SaaS application. Which TWO practices are essential for ensuring cryptographic key security? (Select TWO).

Question 60 • medium • multiple choice

Refer to the exhibit. A security engineer is reviewing an X.509 certificate used for TLS. Which security concern should the engineer identify?

Exhibit

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0x1234567890abcdef
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Example Corp, CN=Example Root CA
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Dec 31 23:59:59 2024 GMT
        Subject: C=US, O=Example Corp, CN=server01.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus: ...
        X509v3 extensions:
            ...
```

Question 61 • easy • multiple choice

Refer to the exhibit. A security analyst is reviewing the firewall rule set for a corporate network. Which misconfiguration is present?

Exhibit

```
Firewall Rule Base:
1. permit tcp any any eq 80
2. permit tcp any any eq 443
3. permit udp any any eq 53
4. permit icmp any any
```

Question 62 • hard • multiple choice

Refer to the exhibit. A cloud security engineer is reviewing an AWS S3 bucket policy. What security issue does the policy contain?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```

Question 63 • easy • multiple choice

A security architect is designing a secure enclave for a high-value application. Which of the following is the BEST approach to isolate the application from the rest of the network?

Question 64 • easy • multiple choice

A security engineer must select a cryptographic algorithm to ensure non-repudiation for digitally signed documents. Which algorithm is most appropriate?

Question 65 • medium • multiple choice

A company deploys a web application behind a WAF. The security team discovers that the WAF allows traffic from a known malicious IP. After investigating, they find the WAF is configured to allow all traffic from a specific country for business reasons. Which of the following is the BEST course of action?

Question 66 • medium • multiple choice

A security engineer is implementing a solution to securely store and manage cryptographic keys for a fleet of IoT devices. The devices have limited processing power and cannot perform asymmetric operations. Which of the following is the BEST approach?

Question 67 • medium • multiple choice

A security architect is designing a zero-trust network architecture. Which of the following is a fundamental principle of zero trust?

Question 68 • hard • multiple choice

A company's security team is reviewing the integration of a legacy application that only supports NTLM authentication. The infrastructure must be updated to meet modern security standards. Which of the following is the BEST approach to mitigate the risk of using NTLM?

Question 69 • hard • multiple choice

During a security assessment, a penetration tester discovers that a web application's session tokens are predictable. The application uses a custom session management system. Which of the following is the MOST effective remediation to ensure secure session tokens?

Question 70 • hard • multiple choice

A security engineer is tasked with designing a cryptographic solution to protect data at rest in a multi-tenant cloud storage system. Each tenant's data must be encrypted with a unique key, and the system must support key rotation with minimal performance impact. Which of the following is the BEST approach?

Question 71 • easy • multiple choice

Which of the following is the primary purpose of implementing a public key infrastructure (PKI)?

Question 72 • medium • multi select

Which TWO of the following are advantages of using a hardware security module (HSM) over a software-based cryptographic module? (Select exactly 2.)

Question 73 • medium • multi select

Which TWO of the following are valid techniques to mitigate the risk of side-channel attacks on cryptographic implementations? (Select exactly 2.)

Question 74 • hard • multi select

Which THREE of the following are essential components of a secure software development lifecycle (SSDLC) to ensure security engineering? (Select exactly 3.)

Question 75 • easy • multiple choice

An engineer reviews the TLS configuration for a web server. Which of the following is a security concern present in this configuration?

Exhibit

Refer to the exhibit.

```
ssl_cert_path = /etc/ssl/certs/server.pem
ssl_key_path = /etc/ssl/private/server.key
ssl_protocols = TLSv1.2 TLSv1.3
ssl_ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
ssl_verify_client = optional
```

Question 76 • medium • multiple choice

A security engineer is evaluating the use of AES-256-GCM for encrypting sensitive data in transit. They note that the Additional Authenticated Data (AAD) field is empty. What is the security implication?

Exhibit

Refer to the exhibit.

```
Cipher: AES256-GCM
Mode: GCM
Key size: 256 bits
IV size: 12 bytes
Tag size: 16 bytes
AAD: ""
```

Question 77 • hard • multiple choice

An OpenVPN configuration file is shown. A security auditor recommends replacing the cipher and auth directives. Which of the following is the BEST replacement pair from a security engineering perspective?

Exhibit

Refer to the exhibit.

```
[openvpn]
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-server
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
```

Question 78 • easy • multiple choice

A security engineer is designing a secure communication channel between two internal systems over an untrusted network. Which protocol should be used to ensure both confidentiality and integrity of data in transit?

Question 79 • medium • multiple choice

An organization is deploying hardware security modules (HSMs) to protect cryptographic keys used for digital signatures. Which attack vector is most effectively mitigated by using an HSM compared to storing keys in software?

Question 80 • hard • multiple choice

A company is implementing single sign-on using SAML 2.0. A security architect is reviewing the authentication flow and notices that the identity provider (IdP) does not digitally sign the SAML assertions. Which of the following is the most significant security risk?

Question 81 • easy • multiple choice

A network administrator is configuring a firewall to allow only necessary traffic to a web server. The server should be accessible from the internet on port 443 and from a management subnet on port 22. Which firewall rule ensures least privilege?

Question 82 • medium • multiple choice

A data loss prevention (DLP) solution is being implemented to prevent sensitive data from leaving the corporate network. Which of the following is the most effective approach for detecting structured data like credit card numbers in outbound traffic?

Question 83 • hard • multiple choice

During a security review, it is discovered that a critical application uses hardcoded cryptographic keys. The development team refactors the code to retrieve keys from a centralized key management system (KMS) using role-based access control. Which additional practice should be implemented to minimize the risk of key compromise?

Question 84 • easy • multiple choice

A company is deploying a wireless network for guests. Which security measure is most important to prevent unauthorized users from accessing internal resources?

Question 85 (medium, multiple choice)

A virtualization administrator needs to ensure that virtual machines (VMs) from different customers cannot communicate with each other unless explicitly allowed. Which network security control should be implemented on the hypervisor?

Question 86 (medium, multi select)

A security architect is evaluating web application firewall (WAF) features to protect against common attacks. Which TWO of the following attacks can a WAF most effectively prevent?

Question 87 (hard, multi select)

A company is implementing a zero-trust network architecture. Which THREE of the following are critical components of this approach?

Question 88 (easy, multi select)

An organization is implementing a public key infrastructure (PKI). Which THREE of the following are essential components?

Question 89 (hard, multiple choice)

A large enterprise recently migrated its critical applications to a hybrid cloud environment. The security team is concerned about the risk of privileged account abuse. They have implemented a privileged access management (PAM) solution that rotates passwords for service accounts after each use. However, during an incident response drill, the team discovers that an attacker who compromised a jump server was able to access multiple administrative consoles without re-authentication. Investigation reveals that the PAM solution uses session recording but does not enforce session termination; instead, it relies on the lifecycle of the token issued during initial authentication. The attacker captured a valid token and reused it from a different machine. Which of the following is the most effective remediation?

Question 90 (medium, multiple choice)

A financial institution is required to comply with PCI DSS and uses a mix of legacy and modern applications. The security architect proposes to segment the network so that the cardholder data environment (CDE) is isolated. However, a legacy application in a non-CDE segment must send data to a database in the CDE. The legacy application cannot be modified and communicates via clear-text protocols. Which of the following is the most secure solution that maintains compliance?

Question 91 (easy, multiple choice)

A small business uses an on-premises Active Directory for user authentication. They want to enable employees to use their corporate credentials to access a SaaS application that supports SAML 2.0. The security administrator needs to set up a federation between the on-premises AD and the SaaS provider. Which of the following components must be deployed on-premises to act as a bridge between AD and the SAML identity provider?

Question 92 (medium, multiple choice)

A company is deploying a new web application that handles sensitive customer data. The application is built using a microservices architecture running in containers on a Kubernetes cluster. The security team wants to implement mutual TLS (mTLS) for service-to-service communication. However, they are concerned about the operational overhead of certificate management. Which approach minimizes management overhead while still ensuring strong authentication?

Question 93 (easy, multiple choice)

A large financial organization is migrating its on-premises authentication infrastructure to a cloud-based identity provider (IdP) to support a hybrid workforce. Currently, on-premises Active Directory is used with smart cards for authentication. The cloud IdP will support SAML 2.0 and OAuth 2.0. The security team requires that all authentication to cloud applications be protected by hardware-backed keys and that user credentials never leave the on-premises network. The solution must also support FIDO2 authentication for passwordless logins. During a pilot, users report that after authenticating to the cloud IdP using their smart cards, they are prompted again for credentials when accessing certain cloud applications. The logs show that the cloud IdP is issuing multiple authentication requests to the on-premises AD Federation Services (AD FS). The CISO is concerned about performance and security of repeated authentication. As a security architect, what is the best course of action?

Question 94 (medium, multiple choice)

A defense contractor is developing a new secure messaging application for classified communications. The application must ensure end-to-end encryption, perfect forward secrecy, and resistance to quantum computing attacks. The development team proposes using ECDH for key exchange and AES-256-GCM for message encryption. The security architect reviews the design and identifies a weakness: the current key exchange does not authenticate the public keys, making it vulnerable to man-in-the-middle attacks. The team suggests adding digital signatures using RSA-2048. However, the architect is concerned about quantum resistance. What should the architect recommend?

Question 95 (easy, multi select)

A security engineer is hardening a Linux server. Which TWO of the following are best practices for preventing privilege escalation attacks?

Question 96 (medium, multiple choice)

Refer to the exhibit. A security analyst reviews the following firewall rule on a border firewall. Which vulnerability is present?

Exhibit

access-list 100 permit tcp any any eq 22
access-list 100 permit tcp host 10.0.0.10 any eq 443
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 deny ip any any

Question 97 (hard, multiple choice)

A financial company is expanding its hybrid cloud architecture. They have an AWS VPC connected to an on-premises network via an IPsec VPN using IKEv2. The on-premises firewall is a Cisco ASA. Recently, users report intermittent connectivity to cloud resources. The security team reviews logs and finds the following message on the ASA: 'no matching crypto map entry for traffic from on-prem to cloud'. The team also suspects potential data leakage due to occasional unencrypted traffic. The corporate policy requires all traffic between environments to be encrypted. The engineer has verified that the IKEv2 proposals match on both sides. The cloud side uses a virtual private gateway with a static route to the on-premises network. Which of the following should the engineer do FIRST to resolve the issue?
