Sample questions
CompTIA SecurityX CAS-004 practice questions
An organization is implementing a zero trust architecture (ZTA). The security architect proposes using a software-defined perimeter (SDP) to replace the traditional VPN for remote access. Which of the following best describes the primary security benefit of SDP over VPN in a zero trust model?
- A. It provides deep packet inspection to detect malicious traffic.
  Why wrong: Deep packet inspection is a separate security function, not inherent to SDP.
- B. It enforces multi-factor authentication for every session.
  Why wrong: MFA can be added to both VPN and SDP; it is not unique to SDP.
- C. It reduces latency by establishing direct peer-to-peer connections.
  Why wrong: SDP often uses a broker to initiate connections, which may add latency compared to a persistent VPN tunnel.
- D. It prevents unauthorized users from discovering the application infrastructure.
  Correct: SDP uses a 'black cloud' approach where the application server is invisible until the user is authenticated and authorized, reducing the attack surface.

A security architect is planning the migration of a legacy application to a containerized microservices architecture on Kubernetes. The architect must ensure that the architecture supports secrets management, service-to-service authentication, and encryption of data in transit between microservices. Which THREE components should the architect include in the design? (Choose three.)
- A. Deploy a TLS termination gateway (e.g., NGINX ingress) with certificate management.
  Correct: Terminates external TLS and can re-encrypt internally; manages certificates for external-facing services.
- B. Use Kubernetes Secrets mounted as volumes with integration to an external vault.
  Correct: Kubernetes Secrets store sensitive data; integrating with an external vault ensures secure access and rotation.
- C. Apply Kubernetes network policies to restrict pod-to-pod communication.
  Why wrong: Network policies control traffic flow but do not provide encryption or authentication.
- D. Implement a service mesh such as Istio to handle mTLS between pods.
  Correct: A service mesh provides mutual TLS, authentication, and encryption between microservices.
- E. Configure RPM package signing for all container images.
  Why wrong: RPM signing is for binary packages, not container images; container images use image signing (e.g., Notary).

An organization is deploying a new wireless network for employees and guests. The security policy requires that all wireless traffic be encrypted using AES-CCMP, and that clients must authenticate using 802.1X with EAP-TLS. Which of the following wireless security standards should be implemented?
- A. WPA2-Personal
  Why wrong: WPA2-Personal uses PSK, not 802.1X.
- B. WEP
  Why wrong: WEP is insecure and does not support AES or 802.1X.
- C. WPA3-Enterprise
  Why wrong: WPA3-Enterprise uses GCMP-256, not AES-CCMP.
- D. WPA2-Enterprise
  Correct: WPA2-Enterprise with AES-CCMP and 802.1X meets all requirements.

A security architect is evaluating cloud security architectures. The company requires that all data at rest in a public cloud object storage bucket be encrypted with a key that is managed by the company's own hardware security module (HSM) on-premises. Which encryption approach should the architect recommend?
- A. Use envelope encryption where a cloud KMS wraps a data key, and the data key is used to encrypt the data.
  Why wrong: The master key would be in the cloud KMS, not under the company's exclusive control.
- B. Use server-side encryption with customer-provided keys (SSE-C).
  Why wrong: The key is provided by the customer but still used by the cloud server; the cloud provider may have access to the key during encryption/decryption.
- C. Use server-side encryption with cloud provider-managed keys (SSE-S3).
  Why wrong: The key is managed by the cloud provider, not the company's HSM.
- D. Use client-side encryption where the application encrypts data before sending it to the cloud.
  Correct: The company controls the encryption key entirely on-premises; the cloud only stores ciphertext.

A security architect is designing a zero-trust network architecture for a hybrid cloud environment. The company uses on-premises servers and AWS. Which of the following best implements the principle of least privilege for inter-component communication?
- A. Deploy an SD-WAN with dynamic path selection and encryption for all inter-site traffic.
  Why wrong: SD-WAN optimizes routing but does not provide granular per-component access control.
- B. Implement micro-segmentation with stateful firewalls and explicit allow rules between each workload.
  Correct: Micro-segmentation with explicit allow rules ensures only necessary traffic is permitted, adhering to least privilege.
- C. Use network ACLs on the cloud VPC and on-premises routers to deny all traffic by default, then allow required ports.
  Why wrong: Network ACLs are stateless and less granular than stateful firewalls; they do not track connection state.
- D. Deploy a site-to-site VPN and route all inter-component traffic through a VPN concentrator.
  Why wrong: VPN concentrators create a trust boundary but do not enforce least privilege at the component level.

A security architect is reviewing the network security controls for a critical industrial control system (ICS) environment. The architect must select two controls that are most effective at preventing unauthorized access to the ICS network from the corporate IT network, while still allowing necessary monitoring traffic. Which TWO controls should be implemented? (Choose two.)
- A. Configure a site-to-site VPN from the corporate network to the ICS network
  Why wrong: A VPN would allow inbound connections, increasing risk.
- B. Implement a network-based intrusion prevention system (IPS) on the ICS network
  Why wrong: An IPS is reactive and may not prevent all unauthorized access.
- C. Deploy a unidirectional gateway (data diode) between the networks
  Correct: Ensures traffic can only flow out, preventing inbound access.
- D. Place a bastion host in a DMZ accessible from both networks for monitoring traffic
  Correct: Allows necessary monitoring without exposing the ICS network directly.
- E. Segment the networks using VLANs only
  Why wrong: VLANs without additional controls can be bypassed.

A security architect is designing a secure remote access solution for a global workforce. The company requires that all remote connections be authenticated using certificates issued by the company's internal PKI, and that the connection be encrypted and integrity-protected. Additionally, the solution must support IP-based network access control to restrict access to specific internal subnets based on the user's role. Which of the following should the architect recommend?
- A. Deploy SSH tunneling with certificate-based authentication and configure iptables rules on the bastion host.
  Why wrong: SSH tunnels are for port forwarding, not full IP routing; iptables rules are complex and not scalable.
- B. Deploy an SSL/TLS VPN using client certificates and rely on the VPN client to enforce access policies.
  Why wrong: SSL VPNs are application-layer and typically cannot enforce IP subnet restrictions; policy enforcement is server-side.
- C. Deploy an RDP gateway with certificate authentication and restrict access via group policies.
  Why wrong: RDP is for remote desktop sessions, not general network access; group policies cannot restrict IP subnets dynamically.
- D. Deploy an IPsec VPN with certificate-based authentication and integrate with a RADIUS server for role-based access control.
  Correct: IPsec provides network-layer access, and RADIUS can enforce subnet restrictions based on user role.

Which of the following is the primary purpose of input validation in application security?
- A. To improve application performance by filtering out large inputs
  Why wrong: Performance improvement is a side effect, not the primary security goal.
- C. To encrypt user input before storing it in the database
  Why wrong: Encryption protects data at rest, but input validation focuses on input integrity.
- D. To log all user input for auditing purposes
  Why wrong: Logging is important but not the primary purpose of input validation.

A global financial firm must comply with GDPR and SOX. The CISO wants to consolidate controls across frameworks using a single set of controls. Which approach best addresses this requirement?
- A. Adopt a unified control framework such as NIST SP 800-53
  Correct: Allows mapping to multiple regulations.
- B. Focus only on the most stringent regulation
  Why wrong: Ignores overlapping requirements.
- C. Implement automated GRC tools without changing controls
  Why wrong: Does not address control consolidation.
- D. Maintain separate control sets for each regulation
  Why wrong: Increases complexity and redundancy.

A multinational corporation is implementing a privacy program that must comply with both GDPR and CCPA. Which approach to privacy impact assessments (PIAs) is most appropriate?
- A. Perform separate PIAs for GDPR and CCPA requirements
  Why wrong: Duplicative and inefficient.
- B. Skip PIAs for existing processing activities
  Why wrong: PIAs are required for high-risk processing.
- C. Conduct a single PIA that covers both regulations' requirements
  Correct: Comprehensive and efficient.
- D. Only perform PIAs when processing high-risk data
  Why wrong: CCPA does not mandate PIAs for all but high-risk.

A healthcare organization is planning to migrate patient data to a cloud provider. The risk assessment identifies that the provider's SOC 2 report does not cover HIPAA controls. What is the BEST course of action?
- A. Request the provider's most recent SOC 3 report
  Why wrong: SOC 3 is a summary and still may not cover HIPAA.
- B. Accept the risk and proceed with migration
  Why wrong: Risk should be mitigated, not automatically accepted.
- C. Require the provider to sign a Business Associate Agreement (BAA)
  Correct: Mandatory under HIPAA for covered entities.
- D. Require the provider to encrypt all data at rest and in transit
  Why wrong: Encryption is necessary but not sufficient without a BAA.

An organization's risk appetite is defined as 'low' for data privacy. Which of the following risk treatments is most aligned with this appetite?
- A. Transfer the risk through cyber insurance
  Why wrong: Transfer does not align with avoidance.
- B. Mitigate the risk by encrypting personal data
  Why wrong: Mitigation still retains some risk.
- C. Avoid the risk by not collecting unnecessary personal data
  Correct: Eliminates the risk directly.
- D. Accept the risk and self-insure
  Why wrong: Inconsistent with a low appetite.

An organization wants to ensure that its third-party vendors comply with the company's security policies. Which of the following is the MOST effective method?
- A. Include security requirements in contracts and conduct periodic audits
  Correct: Legally binding and verifiable.
- B. Require vendors to obtain ISO 27001 certification
  Why wrong: Certification does not guarantee compliance.
- C. Send annual self-assessment questionnaires
  Why wrong: Self-reported and may not be accurate.
- D. Perform quarterly penetration tests on vendor networks
  Why wrong: Narrow scope and not continuous.

A security architect is designing a system that must comply with FedRAMP Moderate controls. The system will use a cloud service provider (CSP) that is already FedRAMP Authorized. What is the primary benefit of using this CSP?
- A. The agency no longer needs to conduct any risk assessments
  Why wrong: The agency retains responsibility.
- B. The CSP guarantees 100% security
  Why wrong: There is no such guarantee.
- C. The system automatically complies with all international regulations
  Why wrong: The authorization covers FedRAMP only.
- D. The CSP's authorization can be reused, reducing the agency's assessment burden
  Correct: Leverages the existing authorization.

A company's data classification policy labels all financial data as 'Confidential.' An employee accidentally emails a spreadsheet containing customer payment information to an unauthorized external party. Which type of control failure occurred?
- A. Preventive control failure
  Correct: A DLP solution should have prevented the email.
- B. Corrective control failure
  Why wrong: Corrective controls activate after an incident.
- C. Administrative control failure
  Why wrong: The policy existed but was not enforced.
- D. Detective control failure
  Why wrong: Detection occurs after the event.

Which TWO of the following are examples of administrative controls? (Select TWO)
- A. Firewall rules
  Why wrong: Technical control.
- B. Encryption of data at rest
  Why wrong: Technical control.
- C. Security awareness training
  Correct: Administrative control.
- D. Access control policy
  Correct: Administrative control.
- E. Intrusion detection system
  Why wrong: Technical control.

Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?
- A. Identify vulnerabilities and threats
  Why wrong: That is risk assessment.
- B. Identify critical business processes and their impact if disrupted
  Correct: The core purpose of a BIA.
- C. Determine recovery time objectives (RTOs)
  Why wrong: RTOs are derived from the BIA, not its primary purpose.
- D. Develop continuity strategies
  Why wrong: Continuity strategies are developed after the BIA.

Which THREE of the following are common challenges when implementing a vendor risk management program? (Select THREE)
- A. Lack of visibility into vendor security practices
  Correct: Common challenge.
- B. Over-automation of risk scoring
  Why wrong: Automation is beneficial.
- C. Resource constraints for conducting assessments
  Correct: Common challenge.
- D. Inconsistent assessment criteria across vendors
  Correct: Common challenge.
- E. Excessive cooperation from vendors
  Why wrong: Not typical.

You are the security architect for a mid-sized e-commerce company that processes credit card payments. The company must comply with PCI DSS. Currently, the cardholder data environment (CDE) includes a web server, an application server, and a database server, all on the same flat network segment. The QSA has identified that the CDE is not properly segmented, and network access controls are insufficient. The company wants to minimize the scope of PCI compliance by reducing the number of systems that handle cardholder data. You propose implementing network segmentation to isolate the CDE. Which of the following is the most effective approach to reduce PCI scope while maintaining business functionality?
- A. Encrypt all cardholder data at rest and in transit
  Why wrong: Encryption does not remove systems from scope.
- B. Replace the database with a tokenization service and remove the database from the CDE
  Why wrong: Tokenization can reduce scope, but the question is about segmentation.
- C. Move all servers to a DMZ and implement host-based firewalls
  Why wrong: Still in scope if they handle cardholder data.
- D. Deploy a firewall between the CDE and corporate network, allowing only necessary traffic
  Correct: Segmenting the CDE reduces scope.

A security architect is evaluating a new cloud-based application that will process sensitive customer data. The architect must ensure compliance with GDPR and PCI DSS. Which THREE of the following controls should be implemented? (Select THREE.)
- A. Deploy geo-fencing to block access from non-EU countries.
  Why wrong: Geo-fencing is not a regulatory requirement; GDPR permits data transfer with safeguards.
- B. Implement a process for customers to request deletion of their personal data.
  Correct: The right to erasure is a key GDPR requirement.
- C. Use data masking for customer data in development and testing environments.
  Correct: Both GDPR and PCI DSS recommend masking to reduce exposure of sensitive data.
- D. Implement encryption at rest and in transit for all sensitive data.
  Correct: Required by both GDPR (data protection) and PCI DSS (encryption of cardholder data).
- E. Retain all access logs for a minimum of 7 years.
  Why wrong: GDPR requires data minimization; PCI DSS requires 1 year retention.

A security architect is reviewing the network architecture of a financial trading system. The system uses a time-sensitive order matching engine that must process trades with minimal latency. The architect is concerned about the risk of a DDoS attack on the matching engine. Which of the following architectural changes would best mitigate DDoS risk while preserving low latency?
- A. Use a cloud-based DDoS scrubbing service that only forwards clean traffic to the on-premises matching engine.
  Correct: Scrubbing services filter attacks at the cloud edge, adding minimal latency if the provider is close to the origin; they preserve low latency for clean traffic.
- B. Deploy an intrusion prevention system (IPS) in inline mode in front of the matching engine.
  Why wrong: An inline IPS adds latency and may drop legitimate traffic; not suitable for low-latency environments.
- C. Move the matching engine to a cloud provider with elastic scalability.
  Why wrong: Cloud migration may introduce network latency and does not inherently prevent DDoS; scaling can be expensive.
- D. Implement a reverse proxy with rate limiting and IP blacklisting.
  Why wrong: Rate limiting can cause false positives and adds latency; a reverse proxy is not designed for high-volume DDoS mitigation.

A security administrator needs to secure remote access for employees using personal devices. The company requires that company data be encrypted and that the device be wiped if lost. Which solution best meets these requirements?
- A. Use network access control (NAC) to allow only compliant devices onto the network.
  Why wrong: NAC checks compliance but does not enforce encryption or wipe.
- B. Deploy a mobile device management (MDM) solution that enforces device encryption and supports remote wipe.
  Correct: MDM can enforce encryption and perform remote wipe to protect company data.
- C. Require employees to connect via a corporate VPN and use two-factor authentication.
  Why wrong: VPNs secure the connection but do not enforce local encryption or remote wipe.
- D. Implement remote desktop protocol (RDP) gateways for all remote access.
  Why wrong: RDP does not enforce local device encryption or remote wipe.

A security architect is designing a hybrid cloud environment where a web application hosted in AWS needs to securely access an on-premises database. The architect wants to minimize exposure to the internet and ensure encryption in transit. Which TWO techniques should the architect consider? (Choose two.)
- A. Establish an IPsec VPN tunnel between the AWS VPC and the on-premises network.
  Correct: An IPsec VPN provides an encrypted tunnel over the internet, securing data in transit.
- B. Use AWS Direct Connect to create a dedicated private network connection from on-premises to AWS.
  Correct: Direct Connect bypasses the internet, providing a private, low-latency connection; it can be combined with encryption for extra security.
- C. Store database credentials in AWS Secrets Manager and retrieve them at runtime.
  Why wrong: Secrets Manager manages credentials but does not provide network connectivity or encryption.
- D. Configure VPC peering between the AWS VPC and the on-premises network.
  Why wrong: VPC peering is for connecting VPCs within AWS, not for hybrid connections.
- E. Configure the web application to connect to the database using TLS encryption.
  Why wrong: TLS encrypts the connection but does not hide the database's public IP; it is still exposed to the internet unless combined with a VPN.

A security architect is evaluating a new cloud SaaS application that will handle sensitive customer data. The SaaS provider offers a shared responsibility model where the customer is responsible for data classification, access management, and encryption of data at rest using customer-managed keys. The architect must ensure that the organization retains the ability to revoke access to the data if the provider is compromised. Which key management strategy best meets this requirement?
- A. Escrow the encryption key with a third party and rely on legal agreements for revocation
  Why wrong: Key escrow does not provide technical revocation capability; it relies on legal processes.
- B. Use the provider's default encryption with a customer-managed key stored in the provider's KMS
  Why wrong: The key is still managed by the provider's KMS, so revocation depends on the provider's controls.
- C. Use a cloud hardware security module (HSM) to generate and store keys
  Why wrong: While secure, the HSM is still within the provider's infrastructure; revocation may not be immediate.
- D. Implement bring-your-own-key (BYOK) with keys stored in a customer-controlled external KMS
  Correct: BYOK with an external KMS gives the customer full control to revoke access immediately.