CompTIA SecurityX CAS-004 (CAS-004) — Questions 676–750

1000 questions total · 14 pages · All types, answers revealed


Page 10 of 14

676
Multi-Select · medium

A security architect is implementing network segmentation in a hybrid cloud environment. Which TWO controls are most effective for reducing east-west traffic risks?

Select 2 answers
A. Micro-segmentation
B. VPN concentrator
C. NAT gateway
D. East-west traffic inspection
E. Perimeter firewall
Answers: A, D

Micro-segmentation isolates workloads and limits lateral movement.

Why this answer

Micro-segmentation allows granular policies per workload, and east-west traffic inspection detects lateral movement. Both are key to reducing risks inside the network.

677
MCQ · medium

A company is adopting the NIST Risk Management Framework (RMF). Which step in the RMF involves selecting security controls based on the risk assessment?

A. Select
B. Categorize
C. Assess
D. Implement
Answer: A

Select is the step where controls are chosen.

Why this answer

In NIST RMF, the 'Select' step involves choosing baseline controls and tailoring them based on the risk assessment results. 'Categorize' determines impact level. 'Implement' executes controls. 'Assess' evaluates effectiveness.

678
Multi-Select · medium

Which two of the following are best practices for securing container orchestration platforms (e.g., Kubernetes)? (Select two.)

Select 2 answers
A. Apply network policies to isolate workloads.
B. Use privileged containers for system services.
C. Disable all security contexts to avoid restrictions.
D. Enable Role-Based Access Control (RBAC).
Answers: A, D

Why this answer

Network policies in Kubernetes act as a firewall for pods, controlling ingress and egress traffic at the IP address or port level (OSI layer 3 or 4). By default, all pods can communicate with each other; applying network policies enforces least-privilege segmentation, which is a core security best practice for container orchestration platforms.

Exam trap

The CAS-004 exam often tests the misconception that privileged containers are necessary for system services, when in fact they should be avoided and replaced with specific capability grants (e.g., CAP_NET_ADMIN) or security context constraints.

Why the other options are wrong

Option B: Privileged containers should be avoided as they have nearly unrestricted access to the host.

Option C: Security contexts enforce necessary restrictions; disabling them weakens security.

679
MCQ · easy

Which of the following is the primary purpose of implementing a public key infrastructure (PKI)?

A. To store and verify password hashes for user authentication.
B. To sign software and files to verify integrity and origin.
C. To bind public keys to identities through certificates for authentication and encryption.
D. To provide a secure method for remote access via VPN.
Answer: C

PKI's main role is to create a framework of trust where certificates link public keys to entities, enabling secure communications.

Why this answer

Option C is correct because PKI provides certificate-based trust to enable authentication and encryption. Option D is wrong because VPNs use PKI, but that is not its primary purpose. Option B is wrong because PKI can support code signing, but that is only a subset of what it does.

Option A is wrong because password hashing is separate from PKI.

680
MCQ · easy

An enterprise is deploying a multi-factor authentication (MFA) solution. The security team requires a factor that is resistant to phishing and does not rely on shared secrets. Which of the following MFA types BEST meets this requirement?

A. Biometric fingerprint scanner
B. SMS one-time passcodes
C. FIDO2/WebAuthn security keys
D. TOTP via authenticator app
Answer: C

FIDO2 uses public-key cryptography and is phishing-resistant.

Why this answer

FIDO2/WebAuthn uses public-key cryptography, with the private key stored on the device, and the protocol is designed to be phishing-resistant by binding credentials to the origin. TOTP/HOTP rely on shared secrets and are vulnerable to phishing. Hardware tokens like YubiKey can implement FIDO2.

Biometrics are a factor but not inherently phishing-resistant alone.

681
MCQ · medium

A company is migrating sensitive workloads to the cloud and must comply with FedRAMP requirements. Which of the following is the most appropriate cloud deployment model?

A. Hybrid cloud
B. Community cloud
C. Private cloud
D. Public cloud
Answer: B

A community cloud shared by several organizations with similar compliance needs (e.g., government) can be FedRAMP compliant.

Why this answer

FedRAMP requirements are stringent and often best met by a government community cloud or a dedicated cloud environment that has been FedRAMP authorized.

682
MCQ · medium

A financial organization's SOC analysts have observed repeated failed authentication attempts from a single external IP address against multiple user accounts, followed by a successful authentication from the same IP using one of those accounts. Which type of security monitoring rule would be most effective at detecting this attack pattern in real time?

A. Alert when multiple failed logins from a single source IP are followed by a successful login from that IP within 10 minutes.
B. Alert when a user account has three failed logins within 5 minutes followed by a successful login.
C. Alert when a successful authentication occurs immediately after a password reset.
D. Alert on any single failed login attempt from an external IP.
Answer: A

This correlation rule accurately detects the credential stuffing pattern across different accounts from one IP.

Why this answer

The attack pattern involves brute-force attempts followed by a success, which is a classic credential stuffing attack. Option A is a correlation rule that combines multiple failed logins with a subsequent success for the same source IP, which directly captures this behavior. Option D only detects a single failed login, not the pattern.

Option B detects a success after failures but for a single target user, not the source IP pattern. Option C detects a single login after a reset, which is unrelated.

683
MCQ · easy

A small business wants to protect endpoints from malware without incurring per-device licensing costs. Which approach is MOST cost-effective?

A. Implement network-based IPS
B. Use open-source host firewall
C. Use built-in Windows Defender and periodically scan with free tools
D. Purchase enterprise EDR suite
Answer: C

Windows Defender is free and sufficient for small business; free scanning tools supplement without cost.

Why this answer

Built-in Windows Defender is free and adequate for basic protection. Periodically scanning with free tools (e.g., Microsoft Safety Scanner) enhances security at no cost. Enterprise EDR, network IPS and host firewalls are alternatives (some host firewalls are free), but enterprise products incur licensing costs.

684
Multi-Select · hard

An organization is planning to deploy a new internal CA hierarchy. Which THREE considerations are critical for ensuring the security and manageability of the PKI?

Select 3 answers
A. Keep the root CA offline and only bring it online for cross-certification or disaster recovery.
B. Use a 4096-bit RSA key for the root CA and at least 2048-bit for issuing CAs.
C. Use SHA-1 for certificate signing to ensure compatibility with legacy systems.
D. Use a single-tier CA to simplify management.
E. Ensure all certificates include CRL distribution points and OCSP responder URLs.
Answers: A, B, E

An offline root CA reduces the risk of compromise.

Why this answer

A multi-tier hierarchy (root offline, issuing CAs) limits exposure; strong hashing and key algorithms are essential; CRL/OCSP distribution points must be accessible for revocation checking.

685
Multi-Select · hard

A security manager is developing key risk indicators (KRIs) for the organization's cybersecurity program. Which THREE of the following are examples of KRIs? (Select THREE.)

Select 3 answers
A. Number of failed login attempts per day
B. Total number of security incidents this quarter
C. Mean time to detect (MTTD)
D. Number of unpatched critical vulnerabilities
E. Percentage of users without multifactor authentication
Answers: A, D, E

A rising number of failed login attempts may indicate brute-force attacks or credential stuffing.

Why this answer

KRIs are leading indicators that signal increasing risk. Number of unpatched critical vulnerabilities, percentage of users without MFA, and number of failed login attempts are KRIs. MTTD is a KPI, not a KRI.

686
Matching · medium

Match each command-line tool to its primary function.



DNS query and lookup

Display network connections and listening ports

Capture and analyze network traffic

Perform SSL/TLS cryptographic operations

Network discovery and port scanning

Why these pairings

These tools are commonly used for network troubleshooting and security assessments.

687
MCQ · medium

A security architect is implementing a zero trust model for a financial services company. The goal is to prevent lateral movement in the data center. Which approach best achieves this objective?

A. Using a software-defined perimeter to hide network resources
B. Implementing identity-centric access controls across all resources
C. Applying defense-in-depth layering by adding multiple security controls
D. Deploying micro-segmentation to isolate workloads and enforce granular policies
Answer: D

Micro-segmentation creates small network segments, allowing fine-grained policy enforcement that restricts lateral movement between workloads.

Why this answer

Micro-segmentation divides the network into small, isolated segments to restrict lateral movement, which is a key zero trust principle. Software-defined perimeter (SDP) focuses on user-to-resource access, but micro-segmentation directly limits east-west traffic. Defense-in-depth is broader and not specific to lateral movement.

Identity-centric access control governs user authentication but does not by itself prevent lateral movement.

688
MCQ · medium

A SOC analyst is reviewing a large volume of failed login attempts across multiple user accounts from a single external IP address. The attempts use common usernames and passwords over SSH (port 22). Which security control would be most effective at preventing this type of attack?

A. Enforce a minimum password complexity policy for all users.
B. Require multi-factor authentication for all SSH logins.
C. Implement rate limiting on SSH connections per source IP.
D. Add the external IP address to the firewall deny list and implement an IP allowlist for SSH access.
Answer: D

This immediately blocks the attack and prevents any further attempts from that IP.

Why this answer

Option D is correct because the attack is a brute-force or password-spraying attempt from a single external IP. Adding that IP to a firewall deny list immediately blocks all traffic from that source, while implementing an IP allowlist for SSH access ensures only trusted IPs can reach the service. This directly prevents the attack at the network layer, regardless of password strength or authentication method.

Exam trap

The trap here is that candidates often choose rate limiting (Option C) because it seems like a direct mitigation, but they fail to realize that rate limiting only slows the attack, whereas blocking the IP and using an allowlist stops it entirely.

How to eliminate wrong answers

Option A is wrong because enforcing minimum password complexity does not prevent brute-force or password-spraying attacks; it only makes passwords harder to guess, but the attacker can still attempt many combinations. Option B is wrong because requiring multi-factor authentication (MFA) for SSH logins would stop successful authentication even if credentials are guessed, but it does not prevent the attack itself—the attacker can still flood the system with login attempts, consuming resources and generating logs. Option C is wrong because rate limiting on SSH connections per source IP reduces the speed of the attack but does not stop it entirely; the attacker can still attempt logins at a slower rate or rotate through multiple source IPs.

689
MCQ · hard

Refer to the exhibit. A security analyst is reviewing the Nginx configuration. Which of the following is the most critical security flaw?

A. The SSL certificate key file is readable by all users (assuming default permissions)
B. The proxy_pass uses HTTP internally, which is not encrypted
C. The /api location does not have any access restrictions, exposing internal API
D. The /admin location restricts access by IP only, which can be bypassed by IP spoofing
Answer: C

Without any allow/deny directives, the /api endpoint is accessible to anyone who can reach the server, which could include external attackers.

Why this answer

Option C is correct because the /api location has no access restrictions, potentially exposing internal API services to unauthorized external access. Option A is a concern but not directly indicated. Option D is partially true, but IP restriction is a valid control; the lack of restriction on /api is more critical.

Option B is common for internal traffic.

690
MCQ · hard

During a security incident, a forensic analyst needs to acquire a memory dump from a Linux server without altering the system state. Which tool is most appropriate for this task?

A. Volatility framework
B. LiME (Linux Memory Extractor)
C. dd if=/dev/mem of=mem.dump
D. memdump utility
Answer: B

LiME captures memory safely via a kernel module, preserving forensic integrity.

Why this answer

LiME (Linux Memory Extractor) is designed to acquire memory dumps with minimal impact, loading as a kernel module and exporting memory to a file or network. dd is for disk, memdump is limited, and Volatility is for analysis, not acquisition.

691
MCQ · hard

A large enterprise is implementing a SOAR platform to automate incident response. The security team wants to create a playbook for handling phishing emails reported by users. The playbook should: 1) validate the reported email by checking headers and attachments, 2) automatically block the sender's domain at the email gateway if malicious, 3) create a ticket, and 4) send an automated response to the user. Which of the following describes the best approach to design this playbook?

A. Create a ticket and route it to a junior analyst for manual investigation, then close after user acknowledgement.
B. Immediately sandbox the attachment and block the sender's domain if the sandbox reports malicious behavior.
C. Use an automated triage step that extracts indicators, then present the verdict to an analyst in a manual approval step before executing blocks.
D. Automatically delete the email from all users' inboxes and send a warning to the organization.
Answer: C

This balances automation with human oversight, reducing false positives.

Why this answer

Option C is correct because a tiered approach with human approval before blocking prevents false positives and aligns with typical SOAR best practices. Option B is too risky without validation. Option A bypasses automated analysis, which defeats the purpose of automation.

Option D delays response and increases workload.

692
MCQ · easy

A network administrator is configuring a firewall to allow only necessary traffic to a web server. The server should be accessible from the internet on port 443 and from a management subnet on port 22. Which firewall rule ensures least privilege?

A. Allow traffic from management subnet to port 443 and any to port 22
B. Allow traffic from any source to ports 443 and 22
C. Allow all traffic to the server, then block specific ports
D. Allow traffic from any to port 443, and from management subnet to port 22; deny all else
Answer: D

This restricts SSH to only the management subnet and HTTPS to all, with a default deny.

Why this answer

Allow only specific ports from specific sources, and block all other traffic.

693
MCQ · hard

Using the FAIR model, which of the following best describes the factor that represents the probable frequency of a threat acting on a vulnerability?

A. Threat event frequency (TEF)
B. Vulnerability
C. Loss event frequency (LEF)
D. Control effectiveness
Answer: A

TEF measures how often a threat acts on a vulnerability.

Why this answer

In FAIR, threat event frequency (TEF) is the probable number of times a threat agent will act on a vulnerability in a given timeframe.

694
Multi-Select · medium

A company is migrating from RSA to elliptic curve cryptography for digital signatures. They require a signature algorithm that provides at least 128 bits of security strength and is resistant to quantum computing attacks in the foreseeable future. Which TWO algorithms meet these requirements? (Select TWO.)

Select 2 answers
A. ECDSA P-256
B. DSA 3072
C. Ed25519
D. RSA 4096
E. ECDSA P-384
Answers: C, E

Ed25519 provides 128-bit security and is resistant to known attacks.

Why this answer

ECDSA P-384 provides 192-bit security, and Ed25519 provides 128-bit security. Both are EC-based. DSA 3072 is not EC.

RSA 4096 is not EC. ECDSA P-256 provides 128-bit security but is less conservative.

695
MCQ · medium

A security analyst is reviewing a suspicious process that has been identified on an endpoint. The analyst wants to determine if the process has any network connections and what data it might be sending. Which tool is most appropriate for analyzing the memory of the affected system to identify network connections and potential data exfiltration?

A. Wireshark
B. Volatility
C. Autopsy
D. Nmap
Answer: B

Volatility is used for memory forensics and can extract network connections and other runtime artifacts.

Why this answer

Volatility is a memory forensics tool that can analyze RAM dumps to extract network connections, processes, and other artifacts. It is the best choice for this task.

696
Multi-Select · hard

Which THREE of the following are required for PCI DSS compliance regarding cardholder data?

Select 3 answers
A. Maintain a vulnerability management program.
B. Store cardholder data after authorization.
C. Restrict access to cardholder data by business need-to-know.
D. Encrypt transmitted cardholder data over open networks.
E. Implement multifactor authentication for all physical access to data centers.
Answers: A, C, D

Requirements 6 and 11 require a vulnerability management program to identify and remediate vulnerabilities.

Why this answer

PCI DSS requires encryption of transmissions (Req 4), access restriction (Req 7), and vulnerability management (Req 6/11). MFA for physical access is not required; data storage after authorization is limited.

697
Multi-Select · easy

A cloud security architect is designing a key management system for a multi-tenant SaaS application. Which TWO practices are essential for ensuring cryptographic key security? (Select TWO.)

Select 2 answers
A. Separate key management from data storage
B. Store keys in plaintext configuration files for easy retrieval
C. Implement key rotation policies
D. Use a single master key for all customers
E. Audit all key access events
Answers: A, C

Logical separation ensures a breach of data storage does not reveal keys.

Why this answer

Key rotation limits exposure if a key is compromised, and separating key management from data storage reduces attack surface. Storing keys in plaintext is insecure, using a single master key increases risk, and auditing is a detective control but not as fundamental as the other two.

698
MCQ · easy

A small business has a single physical server running multiple virtual machines (VMs) using Type 2 hypervisor software on a Windows Server host. The host is not joined to a domain. The VMs include an Active Directory domain controller, a file server, and a web server. The company recently suffered a ransomware attack that encrypted all data on the file server VM. The IT administrator restored the file server from a backup, but the ransomware returned within hours. Analysis shows that the ransomware is now spreading to other VMs. The administrator suspects that the hypervisor host itself may be compromised. Which of the following is the MOST effective immediate action to contain the spread and secure the environment?

A. Run a full antivirus scan on the host operating system.
B. Disconnect the physical host from the network immediately.
C. Apply the latest security patches to the hypervisor software.
D. Restore all VMs from known clean backups taken before the attack.
Answer: B

Isolating the host stops the ransomware from spreading to other systems and buys time for remediation.

Why this answer

Option B is correct because immediately disconnecting the physical host from the network is the most effective immediate action to contain the spread of ransomware. Since the host is compromised and the Type 2 hypervisor runs on top of a Windows Server OS, the attacker can pivot from the host to any VM via the virtual switch. Cutting network connectivity stops all lateral movement and outbound command-and-control traffic, buying time for forensic analysis and remediation.

Exam trap

The trap here is that candidates often choose to run antivirus scans or apply patches first, mistakenly believing these are immediate containment actions, when in reality they are slow, disruptive, and ineffective against an actively spreading ransomware outbreak on a compromised host.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan on the host OS is a reactive, time-consuming step that does not stop active ransomware propagation; the malware may already be executing in memory or have disabled the scanner. Option C is wrong because applying the latest security patches to the hypervisor software is a preventive measure, not an immediate containment action; patching requires a reboot and does not halt ongoing encryption or lateral movement. Option D is wrong because restoring all VMs from known clean backups taken before the attack is premature and dangerous if the host remains compromised; the restored VMs would be re-infected immediately via the compromised hypervisor or virtual switch.

699
MCQ · medium

Refer to the exhibit. A security analyst reviews the following firewall rule on a border firewall. Which vulnerability is present?

A. HTTPS is only allowed from a single host
B. SSH access is allowed from any source
C. HTTP is allowed from the internal network
D. An implicit deny rule is missing
Answer: B

Permitting SSH from any source exposes the server to unauthorized access attempts.

Why this answer

Option B is correct because the rule permits SSH (TCP/22) from any source, increasing the risk of brute-force attacks. Option A describes a legitimate restrictive rule for HTTPS. Option C is an intended internal network rule for HTTP.

Option D is incorrect because an explicit deny-all rule is present at the end.

700
MCQ · medium

A defense contractor is developing a new secure messaging application for classified communications. The application must ensure end-to-end encryption, perfect forward secrecy, and resistance to quantum computing attacks. The development team proposes using ECDH for key exchange and AES-256-GCM for message encryption. The security architect reviews the design and identifies a weakness: the current key exchange does not authenticate the public keys, making it vulnerable to man-in-the-middle attacks. The team suggests adding digital signatures using RSA-2048. However, the architect is concerned about quantum resistance. What should the architect recommend?

A. Replace ECDH with Diffie-Hellman using 4096-bit prime modulus and use RSA-4096 signatures.
B. Implement ECDH with Edwards-curve Digital Signature Algorithm (EdDSA) using Curve25519 and hash-based signatures for long-term keys.
C. Use pre-shared keys (PSK) for both key exchange and encryption, eliminating the need for public key authentication.
D. Use ECDH with RSA-2048 signatures for authentication and plan to migrate to CRYSTALS-KYBER when standardized.
Answer: D

This hybrid approach provides immediate authentication and a clear path to quantum resistance.

Why this answer

Option D is correct because it immediately addresses the lack of authentication by using RSA-2048 signatures while also planning for quantum resistance by migrating to CRYSTALS-KYBER, a NIST-standardized post-quantum key encapsulation mechanism. This hybrid approach ensures security now and in the future. Option A is wrong because larger Diffie-Hellman parameters do not provide quantum resistance and do not solve authentication.

Option C is wrong because pre-shared keys break perfect forward secrecy and are not scalable. Option B is wrong because EdDSA with Curve25519 is not quantum-resistant, and hash-based signatures are not practical for real-time key exchange.

701
Multi-Select · medium

A security manager is selecting metrics to present to the board. Which two of the following are key risk indicators (KRIs) that would be most relevant for executive oversight? (Choose two.)

Select 2 answers
A. Average time to patch critical vulnerabilities
B. Mean time to detect (MTTD)
C. Number of security incidents per quarter
D. Number of security awareness training completions
E. Percentage of systems with critical vulnerabilities
Answers: C, E

This indicates the level of threat activity.

Why this answer

KRIs provide early warning of increasing risk. Percentage of systems with critical vulnerabilities indicates exposure; number of security incidents indicates threat activity.

702
MCQ · hard

A mid-sized e-commerce company has recently experienced a data breach where customer payment card information was exfiltrated. The security team has identified that the breach originated from a compromised web server that was part of a PCI DSS compliant environment. The server was running outdated software and had several known vulnerabilities. Post-incident analysis reveals that the attacker exploited a SQL injection vulnerability in the order-tracking feature. The incident response team followed NIST SP 800-61 guidelines: they contained the threat, eradicated the malicious code, and restored the server from a known clean backup. However, two weeks after the restoration, the same server is again showing signs of similar malicious activity. The server is still in production and handling credit card transactions. Which of the following is the MOST effective course of action to prevent this recurring compromise?

A. Conduct a thorough code review of the order-tracking feature, implement parameterized queries, and then redeploy the application after passing a static code analysis scan.
B. Replace the web server with a new server running the latest OS and web server version, then redeploy the same web application code.
C. Implement network segmentation to isolate the web server and restrict outbound traffic to only essential services.
D. Increase logging and deploy a WAF in front of the server with rules to block common SQLi patterns.
Answer: A

Directly addresses the SQLi vulnerability at the code level.

Why this answer

The correct answer is A. The root cause is a code-level vulnerability (SQLi) that was not fixed. Just patching the OS or rebuilding with the same software will not remove the vulnerability.

The application code must be reviewed and the SQLi flaw remediated. Option B (replacing the server) does not fix the underlying code. Option C (network segmentation) only contains but does not fix the application vulnerability.

Option D (increasing monitoring) is reactive and does not prevent exploitation.

703
MCQ · medium

A financial institution needs to ensure that transaction logs are tamper-proof after creation. Which solution should be implemented?

A. Cryptographic hashing with chain hashing
B. Access control lists
C. Encryption with AES
D. Digital signatures on each log entry
Answer: A

Chain hashing creates a tamper-evident log by linking entries cryptographically.

Why this answer

Cryptographic chained hashing (e.g., blockchain) links each log entry to the previous one via a hash, making tampering detectable. Encryption does not protect integrity. ACLs can be bypassed.

Digital signatures are effective but more complex to manage for every entry.

704
MCQ · hard

A security analyst is analyzing a memory dump using Volatility. The analyst wants to list all running processes and identify any hidden processes. Which Volatility plugin should be used?

A. psxview
B. pslist
C. pstree
D. psscan
Answer: D

psscan scans for processes in memory pools and can detect hidden or terminated processes.

Why this answer

The pslist plugin lists processes from the doubly linked list, while psscan uses pool tag scanning to find hidden processes that are not in the linked list.

705
MCQ · easy

A company is implementing a passwordless authentication solution using FIDO2/WebAuthn. What is the primary security advantage of this approach over traditional password-based authentication?

A. It allows users to share passwords securely.
B. It reduces server storage requirements.
C. It eliminates the need for multi-factor authentication.
D. It prevents phishing attacks by using cryptographic keys.
Answer: D

FIDO2's origin-bound keys prevent phishing.

Why this answer

FIDO2 uses public key cryptography, so private keys never leave the device, preventing credential theft.

706
MCQ · easy

An organization is implementing a third-party risk management program. Which of the following is the FIRST step in the vendor risk assessment process?

A. Identify the vendor and the type of data it will handle
B. Conduct an on-site audit of the vendor's facilities
C. Review the vendor's contractual security clauses
D. Determine risk treatment options
Answer: A

First step is understanding the vendor and data.

Why this answer

Option A is correct because identifying the vendor and the data it will access is foundational. Option C is wrong because a contract review comes later. Option B is wrong because on-site audits occur after the initial assessment.

Option D is wrong because risk treatment comes after assessment.

707
MCQ · hard

After a risk assessment, a company identifies that the residual risk for a critical application is higher than the risk appetite. The risk owner proposes implementing additional controls to reduce the risk further. Which risk treatment option does this represent?

A. Risk transfer
B. Risk mitigation
C. Risk acceptance
D. Risk avoidance
Answer: B

Correct: adding controls to reduce risk.

Why this answer

Implementing additional controls to reduce risk is an example of risk mitigation. Residual risk is the risk remaining after controls are applied; if it still exceeds appetite, further mitigation is needed.

708
MCQ · medium

A penetration tester is performing a test against a web application. The rules of engagement prohibit any denial of service (DoS) attacks. Which of the following actions is most likely prohibited by this restriction?

A. Performing a SQL injection that deletes a table
B. Exploiting a file upload vulnerability to upload a web shell
C. Using a tool to send thousands of requests to overwhelm the server
D. Running a directory brute-force tool
Answer: C

Overwhelming the server is a DoS attack, explicitly prohibited.

Why this answer

A SQL injection that causes a database crash constitutes a denial of service, which is prohibited.

709
MCQ · medium

A security manager is reviewing the organization's security policy hierarchy. Which of the following correctly orders these documents from highest to lowest level of authority?

A. Guideline, Policy, Procedure, Standard
B. Standard, Policy, Procedure, Guideline
C. Policy, Standard, Guideline, Procedure
D. Procedure, Guideline, Standard, Policy
Answer: C

Correct. Policy is top-level, then standard, guideline, procedure.

Why this answer

The typical hierarchy is: policy (high-level, mandatory), standard (specific requirements), guideline (recommendations), procedure (step-by-step instructions).

710
Drag & Drop · medium

Drag and drop the steps to respond to a ransomware incident in the correct order.


Steps
Order

Why this order

The order follows the NIST SP 800-61 incident response phases: detect and analyze (identify the infection and its scope), contain (isolate the affected hosts, disable shares, block the command-and-control channel), eradicate (remove the malware and any persistence), recover (restore from clean backups and monitor), and finally post-incident lessons learned. Isolation is the first containment action, not a separate phase.

711
MCQmedium

A security architect is designing a VPN solution for remote employees. The company requires strong authentication and integrity protection but is less concerned about confidentiality for non-sensitive traffic. Which protocol is most appropriate?

A.L2TP/IPsec with ESP
B.SSL/TLS VPN
C.ESP in tunnel mode with null encryption
D.AH in transport mode
AnswerC

ESP can be configured with null encryption to provide integrity and authentication without confidentiality.

Why this answer

Option C is correct because ESP in tunnel mode with null encryption provides authentication and integrity via HMAC (e.g., HMAC-SHA256) while omitting encryption (ESP_NULL, RFC 2410). This satisfies the requirement for strong authentication and integrity without confidentiality for non-sensitive traffic, as the payload is authenticated but not encrypted.

Exam trap

The trap here is that candidates often assume ESP always requires encryption, but ESP_NULL (RFC 2410) explicitly allows authentication-only mode, making it ideal when confidentiality is not needed.

How to eliminate wrong answers

Option A is wrong because L2TP/IPsec uses ESP with a cipher (e.g., AES) for confidentiality, which the requirement does not call for and which adds overhead. Option B is wrong because an SSL/TLS VPN always encrypts (e.g., AES-GCM); confidentiality cannot be switched off. Option D is the closest distractor: AH in transport mode does provide authentication and integrity without encryption, but it authenticates the outer IP header as well, so it breaks as soon as a NAT device rewrites the source address, which is the norm for remote employees on home or hotel networks. ESP with the NULL cipher (RFC 2410) passes through NAT using UDP encapsulation (NAT-T, RFC 3948), which is defined for ESP only, and RFC 4301 makes ESP mandatory to implement while AH is optional, so ESP-NULL is what current implementations use for integrity-only traffic.

712
Multi-Selectmedium

A penetration tester is preparing for an engagement and must define the rules of engagement (ROE) with the client. Which TWO of the following should be included in the ROE? Select TWO.

Select 2 answers
A.Time window for testing (e.g., after hours)
B.Scope of testing (IP ranges and systems)
C.List of vulnerabilities to be tested
D.Testing credentials provided by the client
E.Vendor contact information
AnswersA, B

Specifies when testing can occur to minimize impact.

Why this answer

Rules of engagement should include scope (IP ranges, systems, what is off-limits), the testing window, written authorization and escalation contacts, and constraints such as no DoS. Test credentials and the specific vulnerabilities to look for are engagement logistics and findings, not ROE content; vendor contact information is irrelevant to the agreement between tester and client.

713
MCQhard

A security team is auditing a Kubernetes cluster. They find a pod running with `securityContext`: `privileged: true` and `runAsUser: 0`. Which of the following is the most critical risk?

A.The pod cannot communicate with other pods.
B.The pod cannot mount volumes.
C.The pod can access all node resources and potentially escape to the host.
D.The pod will be killed by Kubernetes if it consumes too much memory.
AnswerC

Privileged mode grants unrestricted host access.

Why this answer

Option C is correct because a container running with privileged: true receives every Linux capability, access to all host devices, and no seccomp or AppArmor confinement; combined with runAsUser: 0 the process is real root on the node, so mounting the host filesystem or writing to /proc/sys is enough to escape to the host. Options A and B are not true: privileged mode removes restrictions rather than adding them. Option D describes memory-limit eviction, which is a resource-management behaviour rather than a security risk.
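As an added example (not code from the exam page or from any real cluster), the script below audits pod objects for the pattern in this question. The sample pod list is constructed to match the shape of `kubectl get pods -A -o json`, with only the fields the audit reads populated; the severity labels and the list of dangerous capabilities are assumptions a team would tune.

```python
"""Audit pod specs for the privileged / root pattern from question 713.

Added example (not from the exam page or any real cluster). SAMPLE_POD_LIST is
constructed to match the shape of `kubectl get pods -A -o json`; only the
fields the audit reads are populated. Severity labels are an assumption.
"""
import json

SAMPLE_POD_LIST = json.dumps({"items": [
    {   # the finding from the question: privileged + root + host PID namespace
        "metadata": {"namespace": "kube-system", "name": "node-agent"},
        "spec": {"hostPID": True,
                 "containers": [{"name": "agent",
                                 "securityContext": {"privileged": True, "runAsUser": 0}}]}},
    {   # a hardened pod: non-root UID, no privilege escalation, all capabilities dropped
        "metadata": {"namespace": "payments", "name": "api-7c9f"},
        "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
                 "containers": [{"name": "api",
                                 "securityContext": {"allowPrivilegeEscalation": False,
                                                     "capabilities": {"drop": ["ALL"]}}}]}},
    {   # not privileged, but root by default and adding CAP_SYS_ADMIN
        "metadata": {"namespace": "default", "name": "debug-shell"},
        "spec": {"containers": [{"name": "sh",
                                 "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}]}},
]})

DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}
SEVERITY_RANK = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1, "NONE": 0}


def audit_pod(pod):
    """Return [(severity, description)] for one pod object."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(("HIGH", f"{key}=true shares a host namespace"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            # privileged = every capability, every host device, no seccomp/AppArmor profile
            findings.append(("CRITICAL", f"{name}: privileged=true"))
        # container-level values override pod-level ones
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0 or (uid is None and not non_root):
            findings.append(("HIGH", f"{name}: runs as root (runAsUser=0 or unset without runAsNonRoot)"))
        added = set(sc.get("capabilities", {}).get("add", []))
        if added & DANGEROUS_CAPS:
            findings.append(("HIGH", f"{name}: adds {sorted(added & DANGEROUS_CAPS)}"))
        if sc.get("allowPrivilegeEscalation", True) and not sc.get("privileged"):
            findings.append(("MEDIUM", f"{name}: allowPrivilegeEscalation not set to false"))
    return findings


def audit_pod_list(pod_list_json):
    """Map 'namespace/name' -> findings for every pod in a kubectl pod-list document."""
    report = {}
    for pod in json.loads(pod_list_json)["items"]:
        md = pod["metadata"]
        report[f"{md['namespace']}/{md['name']}"] = audit_pod(pod)
    return report


def worst_severity(findings):
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.get, default="NONE")


if __name__ == "__main__":
    for ref, findings in audit_pod_list(SAMPLE_POD_LIST).items():
        print(f"{ref}: {worst_severity(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Run it against a real export with `kubectl get pods -A -o json > pods.json` and feed the file contents to audit_pod_list; the hardened pod in the sample produces no findings, the pod from the question is rated CRITICAL, and the third pod shows why "not privileged" is not the same as "safe": root by default plus CAP_SYS_ADMIN is enough for most container-escape techniques.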

714
Multi-Selecthard

A company is migrating critical applications to a multi-cloud architecture using AWS and Google Cloud Platform (GCP). The security team must ensure secure connectivity between on-premises data centers and cloud environments while meeting data residency requirements in the EU. Which TWO solutions should the architect implement to address these requirements? (Choose TWO.)

Select 2 answers
A.Dedicated physical connections (e.g., AWS Direct Connect, GCP Dedicated Interconnect)
B.Private link services (e.g., AWS PrivateLink, GCP Private Service Connect)
C.Cloud Access Security Broker (CASB)
D.Secure Access Service Edge (SASE)
E.Site-to-site VPN with IPsec
AnswersA, B

Dedicated connections provide high bandwidth, low latency, and help meet data residency by keeping traffic within trusted networks.

Why this answer

Private link services (AWS PrivateLink, GCP Private Service Connect) expose services on private IP space so that traffic between the customer's networks and the cloud service never traverses the public internet. Dedicated connections (Direct Connect, Dedicated Interconnect) terminate at a chosen location and region, giving predictable latency and bandwidth and making it straightforward to keep EU data on paths and in regions inside the EU; residency itself is satisfied by region selection, and these connections keep the transit under control. A site-to-site IPsec VPN is cryptographically sound, but it rides the public internet, so throughput and latency are not guaranteed and the path packets take cannot be controlled, which weakens the residency argument for critical workloads.

CASB and SASE are not direct connectivity solutions.

715
MCQeasy

A security analyst is performing incident response and needs to collect evidence from a live system. Which of the following should be collected first to preserve volatile data?

A.Memory (RAM)
B.Network connections
C.Hard drive contents
D.System logs
AnswerA

Memory is the most volatile and must be captured first.

Why this answer

The order of volatility (RFC 3227) captures the most transient evidence first: CPU registers and cache, then memory, then network state and running processes, then disk, then logs and archival media. Of the options listed, RAM is the most volatile; the network connection table lives in memory too and is captured as part of, or immediately after, the memory image, before anything is done to the disk.

716
MCQeasy

A security analyst is investigating a potential malware infection on a user's workstation. The analyst wants to examine the file system for any suspicious files without altering the original data. Which forensic principle is the analyst following?

A.Chain of custody
B.Hashing
C.Order of volatility
D.Forensic imaging
AnswerA

Chain of custody documents the handling of evidence to maintain its integrity.

Why this answer

Examining evidence without altering it is the preservation requirement that chain of custody documents: every handling step is recorded and the hash of the original is verified at each hand-off, so the evidence remains admissible. In practice the analyst satisfies this by working from a write-blocked forensic image whose hash matches the original rather than touching the live file system, and the custody record shows that this was done.

717
MCQmedium

A healthcare organization must comply with HIPAA. Which of the following is a key requirement for protecting electronic protected health information (ePHI)?

A.Data masking for all patient data
B.Encryption of ePHI at rest and in transit
C.Annual penetration testing
D.Public key infrastructure for all users
AnswerB

The HIPAA Security Rule lists encryption of ePHI as an addressable implementation specification.

Why this answer

The HIPAA Security Rule (45 CFR 164.312) lists encryption of ePHI at rest and in transit as an addressable implementation specification: a covered entity must implement it where reasonable and appropriate, or document why not and which equivalent measure it uses instead. In practice this makes encryption the expected control, and the breach notification safe harbor only applies to properly encrypted data. The other options are sound practices but are not named HIPAA requirements.

718
MCQhard

A security architect is evaluating a new cloud SaaS application that will handle sensitive customer data. The SaaS provider offers a shared responsibility model where the customer is responsible for data classification, access management, and encryption of data at rest using customer-managed keys. The architect must ensure that the organization retains the ability to revoke access to the data if the provider is compromised. Which key management strategy best meets this requirement?

A.Escrow the encryption key with a third-party and rely on legal agreements for revocation
B.Use the provider's default encryption with a customer-managed key stored in the provider's KMS
C.Use a cloud hardware security module (HSM) to generate and store keys
D.Implement bring-your-own-key (BYOK) with keys stored in a customer-controlled external KMS
AnswerD

BYOK with external KMS gives the customer full control to revoke access immediately.

Why this answer

Option D is correct because BYOK with keys stored in a customer-controlled external KMS ensures the organization retains full control over encryption keys, enabling immediate revocation of access to data at rest if the SaaS provider is compromised. This aligns with the shared responsibility model where the customer manages keys, and the external KMS decouples key management from the provider's infrastructure, so the provider cannot decrypt the data after the key is revoked. One caveat a practitioner should keep in mind: revocation stops new decryptions, but copies already decrypted into the provider's memory or caches are not recalled, so it is a containment control rather than proof that nothing was read before the compromise was noticed.

Exam trap

The CAS-004 exam often tests the misconception that using a provider's KMS or HSM (even with customer-managed keys) provides sufficient separation, but the trap is that any key stored within the provider's boundary can be accessed by the provider if their security is breached, whereas BYOK with an external KMS ensures true customer-only control.

How to eliminate wrong answers

Option A is wrong because escrowing keys with a third-party and relying on legal agreements introduces latency and lacks technical immediacy for revocation; legal processes cannot guarantee instant access removal during a breach. Option B is wrong because storing a customer-managed key in the provider's KMS still places the key under the provider's control, as the provider's KMS is part of their trusted environment, allowing potential access if the provider is compromised. Option C is wrong because using a cloud HSM within the provider's ecosystem still ties key management to the provider's infrastructure; while HSMs offer hardware security, the provider retains administrative access to the HSM service, undermining customer-only revocation capability.

719
Multi-Selectmedium

A security architect is designing a network segmentation strategy for a data center to reduce the attack surface. Which TWO of the following are best practices for implementing effective network segmentation?

Select 2 answers
A.Deploy network access control (NAC) to authenticate devices before granting network access.
B.Place all external-facing services in a single shared DMZ segment.
C.Allow any-to-any communication within each security zone to avoid performance bottlenecks.
D.Use VLANs to logically isolate traffic between different security zones.
E.Implement microsegmentation using host-based firewalls or virtual networking to restrict east-west traffic.
AnswersD, E

VLANs provide Layer 2 isolation, which is a fundamental segmentation technique.

Why this answer

Option D (use VLANs for isolation) is correct because VLANs provide logical separation at Layer 2 between security zones, enforced by a Layer 3 control point such as a firewall between them. Option E (microsegmentation with host-based firewalls or virtual networking) is correct because it applies granular rules to individual workloads and restricts east-west traffic inside a zone. Option B is incorrect because a single shared DMZ for all external services lets a compromise of one service reach the others.

Option A is incorrect because NAC authenticates devices before granting access; it is an admission control rather than a segmentation technique. Option C is incorrect because any-to-any traffic within a zone defeats the purpose of segmentation.

720
MCQeasy

A company is implementing a microservices architecture and needs to ensure secure service-to-service communication. Which of the following BEST describes the recommended approach?

A.Basic HTTP authentication
B.Mutual TLS (mTLS) with certificate authentication
C.IP whitelisting
D.Shared API keys
AnswerB

mTLS provides mutual authentication and encryption, ideal for microservices.

Why this answer

Mutual TLS (mTLS) provides mutual authentication and encryption, making it the most secure and scalable option for microservices. Shared API keys are less secure, IP whitelisting is not scalable, and basic HTTP authentication lacks encryption.

721
MCQeasy

A security engineer is configuring a VPN between two sites and needs to ensure data confidentiality and integrity. Which IPsec mode and protocol combination should be used to encrypt the entire IP packet including the header?

A.Transport mode with ESP
B.Transport mode with AH
C.Tunnel mode with AH
D.Tunnel mode with ESP
AnswerD

ESP in tunnel mode encrypts the entire IP packet, including the original header.

Why this answer

IPsec tunnel mode with ESP encapsulates the whole original IP packet, header and payload, inside a new IP packet; ESP encrypts the encapsulated packet and authenticates it with an integrity check value. The new outer IP header is neither encrypted nor covered by the ESP ICV, which is what lets the packet be routed and pass through NAT. Transport mode protects only the payload and leaves the original header exposed, and AH provides integrity and authentication but no encryption.

722
MCQeasy

An organization wants to implement continuous compliance monitoring for PCI DSS. Which of the following tools would be MOST effective for this purpose?

A.Encryption solution
B.Network firewall
C.Vulnerability scanner
D.SIEM system
AnswerD

SIEM provides real-time log analysis and alerting for continuous monitoring.

Why this answer

A security information and event management (SIEM) system can collect and analyze logs in real-time, enabling continuous monitoring of security controls and compliance with PCI DSS requirements. Vulnerability scanners are periodic, not continuous. Firewalls are control devices, not monitoring tools.

Encryption is a protection mechanism.

723
Multi-Selectmedium

A company is migrating its monolithic application to a microservices architecture. The security team wants to implement controls to protect inter-service communication and ensure data integrity. Which TWO security controls should be implemented? (Select TWO.)

Select 2 answers
A.Encrypt data at rest using AES-256
B.Deploy an API gateway to enforce rate limiting and authentication
C.Implement mutual TLS (mTLS) for service-to-service authentication
D.Use a container orchestration platform to manage service discovery
E.Conduct static code analysis on all microservices
AnswersB, C

An API gateway centralizes security enforcement for microservices.

Why this answer

Mutual TLS ensures both services authenticate each other. An API gateway provides a central point for enforcing security policies. Static code analysis is a development-time control, not runtime.

Data encryption at rest protects stored data, not inter-service communication. Container orchestration is a management tool, not a direct security control for inter-service communication.

724
MCQeasy

Which of the following is the BEST practice for securely storing secrets (e.g., database passwords) in a cloud-native application?

A.Embed the secrets in the application's source code
B.Store them in environment variables
C.Use a secrets management service with encryption and access policies
D.Store them in a configuration file with restricted file permissions
AnswerC

Why this answer

Option C is correct because cloud-native applications should rely on a dedicated secrets management service (e.g., AWS Secrets Manager, Azure Key Vault, HashiCorp Vault) that encrypts secrets at rest and in transit, enforces fine-grained access policies via IAM, and supports automatic rotation. This approach decouples secrets from code and infrastructure, eliminating the risks of exposure through version control, logs, or misconfigured permissions.

Exam trap

The CAS-004 exam often tests the misconception that environment variables are a secure storage method because they are not in source code, but the trap is that they are still plaintext and accessible via runtime introspection, logging, or orchestration APIs, lacking the encryption and access control of a dedicated secrets manager.

Why the other options are wrong

A

Hardcoding secrets exposes them in version control and to anyone with code access.

B

Environment variables can be leaked through debugging interfaces or process listings; they are not encrypted.

D

File permissions can be bypassed; configuration files are often not encrypted.

725
MCQhard

A security analyst observes that SSH connections to the server are failing, but HTTP and HTTPS traffic works. Based on the exhibit, what is the most likely cause?

A.The HTTPS rule is overriding the SSH rule.
B.The SSH service is being blocked by a firewall rule that drops TCP port 22 traffic.
C.The SSH service is only allowed from the 10.0.0.0/8 subnet.
D.The SSH service is misconfigured and not listening on the correct interface.
AnswerB

The DROP rule for tcp dpt:22 is blocking SSH.

Why this answer

The exhibit shows a firewall rule that explicitly drops TCP port 22 traffic, which is the default port for SSH. Since HTTP (port 80) and HTTPS (port 443) are unaffected, the issue is isolated to SSH. This rule is the most direct cause of the connection failures, as it blocks all SSH traffic regardless of source or destination.

Exam trap

The trap here is that candidates may assume SSH is failing due to a service misconfiguration (Option D) or an overly restrictive allow rule (Option C), but the exhibit clearly shows a specific drop rule for port 22, which is the definitive cause.

How to eliminate wrong answers

Option A is wrong because HTTPS (port 443) and SSH (port 22) are different protocols and ports; firewall rules are evaluated in order, and unless the HTTPS rule explicitly matches SSH traffic (which it does not), it cannot override the SSH rule. Option C is wrong because the exhibit does not show any source subnet restriction for SSH; the rule simply drops all TCP port 22 traffic without any allow condition for 10.0.0.0/8. Option D is wrong because if the SSH service were misconfigured to listen on the wrong interface, the failure would be at the application layer, but the firewall rule explicitly drops the traffic before it reaches the SSH daemon, making a misconfiguration irrelevant to the observed symptom.
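The exhibit for this question is not reproduced on this page. As an added example (not the exhibit and not code from the exam page), the script below parses a constructed `iptables -L INPUT -n --line-numbers` listing and walks the chain top-down the way the kernel does, so the first-match behaviour that the explanation relies on can be checked for any protocol, source and port. Only protocol, source network, destination port and the RELATED,ESTABLISHED state match are modelled; that simplification is an assumption to keep the parser short.

```python
"""First-match simulation for an iptables INPUT chain (question 725).

Added example; SAMPLE_LISTING is constructed in the format of
`iptables -L INPUT -n --line-numbers` and is not the exam exhibit. Only
protocol, source network, destination port and the RELATED,ESTABLISHED
state match are modelled (an assumption that keeps the parser short).
"""
import ipaddress
import re

SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
4    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
5    ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0            tcp dpt:22
"""

RULE_RE = re.compile(r"^(?P<num>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+"
                     r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$")


def parse_listing(text):
    """Return (chain policy, list of rule dicts) from the listing text."""
    policy, rules = None, []
    for line in text.splitlines():
        m = re.match(r"^Chain \S+ \(policy (\w+)\)", line)
        if m:
            policy = m.group(1)
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # column header
        rule = m.groupdict()
        dpt = re.search(r"\bdpt:(\d+)", rule["extra"])
        rule["dport"] = int(dpt.group(1)) if dpt else None
        rule["established_only"] = "ESTABLISHED" in rule["extra"]
        rules.append(rule)
    return policy, rules


def evaluate(policy, rules, proto, src_ip, dport, established=False):
    """Walk the chain top-down; the first matching rule decides.

    Returns (verdict, matching rule number), or (chain policy, None) when
    nothing matches.
    """
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["prot"] not in ("all", proto):
            continue
        if src not in ipaddress.ip_network(rule["src"]):
            continue
        if rule["dport"] is not None and rule["dport"] != dport:
            continue
        if rule["established_only"] and not established:
            continue
        return rule["target"], int(rule["num"])
    return policy, None


if __name__ == "__main__":
    policy, rules = parse_listing(SAMPLE_LISTING)
    for proto, ip, port in (("tcp", "10.1.2.3", 22), ("tcp", "203.0.113.5", 443)):
        print(f"{proto} {ip} -> :{port}: {evaluate(policy, rules, proto, ip, port)}")
```

In the constructed listing rule 5 would permit SSH from 10.0.0.0/8, but rule 4 sits above it and drops all port 22 traffic first, so a new SSH connection from 10.1.2.3 is dropped by rule 4 while HTTPS is accepted by rule 3. That is the point the explanation makes about ordering: an allow rule placed below a broader drop never fires, and the fix is to move rule 5 above rule 4 (`iptables -I INPUT 4 ...`) rather than to look at sshd.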

726
MCQmedium

A security architect is designing a zero-trust network architecture. Which of the following is a fundamental principle of zero trust?

A.Place all resources on the internal network and rely on perimeter firewalls.
B.Authenticate and authorize every device and user for every resource access, and encrypt all communication.
C.Implement VLANs to separate traffic based on user roles.
D.Use a VPN to secure all remote access to the corporate network.
AnswerB

This is the core of zero trust: never trust, always verify, and ensure encrypted communication.

Why this answer

Option B is correct because zero trust grants no implicit trust based on network location: every request is authenticated, authorized against policy, and carried over an encrypted channel. Option A is wrong because zero trust assumes the perimeter is already breached and does not rely on it. Option C is wrong because VLANs are coarse network segmentation, not an identity-aware, per-request control.

Option D is wrong because a VPN is a perimeter technology: once connected, the user is typically placed on the internal network with broad reach, which is exactly the implicit trust zero trust removes.

727
MCQmedium

A company is evaluating a new cloud service provider. The provider has a SOC 2 Type II report covering the previous year. Which additional assurance should the company request to verify the provider's current security controls?

A.Accept the SOC 2 report as sufficient
B.Implement continuous monitoring of the provider
C.Request a penetration test report covering the current year
D.Request a third-party audit of the SOC 2 report
AnswerC

Provides current assessment of security posture.

Why this answer

A penetration test covering the current year gives independent, point-in-time validation of the controls as they exist now. Option A is wrong because the SOC 2 Type II report describes the previous period only. Option B is a sound ongoing practice, but it is something the company does itself rather than an assurance artifact it requests from the provider. Option D is duplicative: a SOC 2 report is already an independent auditor's opinion, so auditing the audit adds little. In practice a bridge letter from the provider, attesting that controls have not changed since the report period, is also commonly requested.

728
MCQmedium

A security architect is designing a secure connection between an on-premises data center and a cloud provider's virtual network. The connection must be private, low-latency, and not traverse the public internet. Which solution should they recommend?

A.Software-Defined WAN (SD-WAN)
B.Cloud Access Security Broker (CASB)
C.Site-to-site VPN over the internet
D.Direct Connect / ExpressRoute
AnswerD

This is a dedicated private connection that does not use the internet.

Why this answer

Direct Connect (or AWS Direct Connect, Azure ExpressRoute) provides a dedicated private network connection from on-premises to the cloud, bypassing the internet for lower latency and increased security.

729
MCQeasy

A company's development team uses a CI/CD pipeline hosted in a public cloud. The pipeline builds container images, pushes them to a private registry, and deploys them to a Kubernetes cluster. A security engineer must ensure that only signed and vulnerability-scanned images are deployed. The engineer has configured the registry to require signatures and the CI/CD pipeline to scan images. However, deployments are still failing because unsigned images are being pulled. The engineer discovers that developers can push images directly to the registry bypassing the CI/CD pipeline and that Kubernetes nodes can pull images without signature verification. Which of the following should the engineer implement to enforce image signing and scanning?

A.Implement a manual approval step in the pipeline for each deployment.
B.Use network policies to block all outbound traffic from developer workstations to the container registry.
C.Restrict registry write access to the CI/CD service account and enable image signature verification via admission controller in Kubernetes.
D.Configure the CI/CD pipeline to perform vulnerability scanning after every build.
AnswerC

Restricts pushes to authorized accounts and verifies signatures at deployment time.

Why this answer

Option C is correct because it addresses both root causes: restricting registry write access to only the CI/CD service account prevents developers from bypassing the pipeline, and enabling image signature verification in an admission controller (the Kubernetes ImagePolicyWebhook plugin, or a validating webhook such as Kyverno or the Sigstore policy-controller that verifies Cosign signatures on the image before the pod is admitted) ensures that only signed and scanned images are allowed to run in the cluster. This combination enforces the security policy at both the registry and the cluster level, closing the gaps identified in the scenario.

Exam trap

The trap here is that candidates often focus only on the CI/CD pipeline (e.g., scanning or approvals) and overlook the need to restrict direct registry access and enforce signature verification at the cluster level, which are the two distinct vulnerabilities described in the scenario.

How to eliminate wrong answers

Option A is wrong because a manual approval step in the pipeline does not prevent developers from pushing unsigned images directly to the registry, nor does it enforce signature verification at the Kubernetes level; it only adds a human gate in the CI/CD process. Option B is wrong because network policies blocking outbound traffic from developer workstations to the registry would not stop developers from pushing images via other means (e.g., through a jump host or VPN), and it does not address the lack of signature verification on Kubernetes nodes. Option D is wrong because configuring the pipeline to perform vulnerability scanning after every build does not prevent unsigned images from being deployed; scanning alone does not enforce signature verification, and it does not restrict direct pushes to the registry or enforce admission control.

730
Multi-Selecteasy

An IoT device manufacturer wants to ensure the security of over-the-air (OTA) firmware updates. Which TWO measures are essential to protect the update process?

Select 2 answers
A.Sign the firmware with a trusted code signing certificate
B.Use a simple checksum for integrity verification
C.Implement a secure boot chain that verifies the signature before applying the update
D.Encrypt the firmware using a hardcoded key
E.Allow firmware downgrades to previous versions
AnswersA, C

Digital signatures verify the firmware comes from a trusted source and has not been modified.

Why this answer

Code signing ensures firmware integrity and authenticity. A secure boot chain verifies the signature before execution. Encrypting the firmware in transit protects confidentiality, but integrity is paramount.

A key hardcoded into the firmware is recovered from a single device dump and then works for every unit. Allowing downgrades lets an attacker reinstall an older, still validly signed image that contains known vulnerabilities, so the updater should enforce a monotonic version (anti-rollback) counter alongside the signature check.

731
MCQmedium

Refer to the exhibit. Which of the following best describes the security constraint imposed by this policy?

A.Only allows access during business hours.
B.Only allows access from a specific IAM user.
C.Only allows access to a specific S3 bucket.
D.Only allows access from a specific VPC endpoint.
AnswerD

The condition 'aws:sourceVpce' restricts the source to a specific VPC endpoint ID.

Why this answer

Option D is correct because the condition requires the request to originate from the specified VPC endpoint ID, enforcing a network-level constraint on where the request may come from; it says nothing about time of day, a particular IAM user, or which bucket is being accessed beyond the Resource element.

732
MCQhard

A security architect is designing a hybrid cloud environment with workloads in AWS and on-premises. The architect needs to ensure secure, low-latency connectivity between the two environments without traversing the internet. Which solution should be used?

A.AWS Direct Connect
B.Site-to-site VPN over the internet
C.AWS Client VPN
D.AWS Transit Gateway with internet gateway
AnswerA

Direct Connect provides a dedicated private connection meeting the requirements.

Why this answer

AWS Direct Connect provides dedicated private network connectivity from on-premises to AWS, offering low latency and security without internet exposure.

733
MCQhard

A financial institution is implementing a privacy program based on GDPR principles. Which of the following best describes the concept of 'privacy by design'?

A.Ensuring that data subjects can exercise their rights upon request
B.Appointing a Data Protection Officer to oversee all privacy matters
C.Embedding privacy controls into the design and architecture of systems and processes
D.Conducting a privacy impact assessment after a data breach
AnswerC

This is the essence of privacy by design.

Why this answer

Privacy by design is a proactive approach that integrates privacy into the system development lifecycle, not just a one-time assessment.

734
MCQmedium

During a merger, two companies need to integrate their networks securely. Company A uses RFC 1918 addresses (10.0.0.0/8) and Company B also uses 10.0.0.0/8. Which architectural solution prevents routing conflicts and maintains security?

A.Configure a site-to-site VPN with no address translation
B.Enable direct BGP peering between the two networks
C.Implement a firewall between the networks and allow all traffic
D.Deploy network address translation (NAT) on the border routers to translate one company's addresses to a unique range
AnswerD

NAT resolves IP overlap and allows secure communication.

Why this answer

NAT at the boundary translates one company's overlapping addresses into a unique range, so routes no longer conflict and a firewall can still be applied at the same point. Option A is wrong because a VPN with no translation delivers packets for 10.x.x.x that both sides consider local, so traffic is never routed across the link. Option B is wrong because BGP would exchange identical prefixes and cannot distinguish the two networks.

Option C is wrong because a firewall that allows all traffic neither resolves the overlap nor provides security.

735
MCQhard

An organization is concerned about future quantum computer attacks on their public key infrastructure. Which NIST-standardized algorithm is designed for digital signatures and is resistant to quantum attacks?

A.CRYSTALS-Dilithium
B.Falcon
C.RSA-4096
D.CRYSTALS-Kyber
AnswerA

Correct; Dilithium is a digital signature algorithm.

Why this answer

CRYSTALS-Dilithium was standardized by NIST for digital signatures as ML-DSA in FIPS 204 (August 2024). CRYSTALS-Kyber is a key-encapsulation mechanism (ML-KEM, FIPS 203), not a signature scheme, and RSA-4096 is broken by Shor's algorithm on a sufficiently large quantum computer. Falcon was also selected by NIST for signatures, but its standard (FN-DSA, FIPS 206) was still in draft when the 2024 FIPS documents were published, which is why Dilithium is the expected answer; expect newer exam material to use the ML-DSA name.

736
MCQhard

A security engineer is writing a Python script to automate the revocation of compromised certificates using the ACME protocol. The script uses the `acme` library and requires secure credential storage. Which method is MOST appropriate for storing the ACME account private key used for authentication?

A.Store the key in the operating system's keychain (e.g., macOS Keychain, Windows Credential Manager) or an HSM
B.Store the key in a configuration file with 600 permissions
C.Embed the key directly in the script as a string variable
D.Store the key in an environment variable
AnswerA

Why this answer

The ACME account private key is a highly sensitive cryptographic credential used to authenticate against the ACME server (RFC 8555). Storing it in the OS keychain or a Hardware Security Module (HSM) provides encryption at rest, access control via OS-level permissions, and protection against accidental exposure. This aligns with the principle of least privilege and secure key management required for automation scripts handling certificate revocation.

Exam trap

The CAS-004 exam often tests the misconception that file permissions (e.g., 600) or environment variables are sufficient for secure credential storage, when in fact they lack encryption at rest and are vulnerable to broader system-level access.

Why the other options are wrong

B

The key remains in plaintext on disk; even with restricted permissions, it can be read by any process running as the same user or through privilege escalation.

C

The key is exposed in source code, version control, and accessible to anyone who can read the script.

D

Environment variables are often written to logs, process dumps, and are not encrypted at rest; they are not designed for long-term cryptographic key storage.

737
Multi-Selecteasy

A risk assessment report is being prepared for senior management. Which TWO of the following should be included to effectively communicate risk?

Select 2 answers
A.Remediation deadlines
B.Risk register with scores
C.Executive summary
D.Names of employees responsible
E.Detailed control configurations
AnswersB, C

Provides detailed risk information for decision-making.

Why this answer

An executive summary provides high-level findings, and a risk register details identified risks. Other options are operational details not suitable for senior management.

738
MCQhard

A security architect is designing a data classification scheme. Which classification level should be used for data that, if disclosed, could cause serious damage to the organization's reputation or financial standing?

A.Confidential
B.Public
C.Internal
D.Restricted
AnswerD

Correct. Restricted data is the most sensitive, causing serious damage if disclosed.

Why this answer

Classification labels are scheme-specific, so read the options as a ladder: Public, Internal, Confidential, Restricted. In this four-tier scheme Restricted is the highest level, reserved for data whose disclosure would cause serious damage, and Confidential sits one step below it. Some organizations use Confidential as their top tier or a government-style Top Secret/Secret/Confidential scale; the question is testing whether you pick the highest tier offered, not a universal label.

739
MCQhard

A cloud security architect is designing a multi-region active-active application. The application must maintain high availability even if an entire AWS region fails. Which architecture BEST meets this requirement?

A.Active-active in one region with auto scaling
B.Deploy identical stacks in two regions with Route 53 weighted routing and DynamoDB global tables
C.Single region with multiple AZs and RDS Multi-AZ
D.Two regions with active-passive failover using Route 53 health checks
AnswerB

This provides active-active multi-region with automatic traffic distribution and data replication.

Why this answer

Identical stacks in two regions behind Route 53 weighted routing, with DynamoDB global tables replicating data in both directions, keep both regions serving traffic; if one region fails, health checks remove it and the surviving region already holds the data. Options A and C are confined to one region and cannot survive a regional outage. Option D with Route 53 health checks does fail over automatically, but it is active-passive: only one region serves at a time, so it does not meet the stated active-active requirement, and the passive region's data is only as fresh as its replication lag.

740
Multi-Selecthard

A company is implementing a zero-trust network architecture. Which THREE of the following are critical components of this approach?

Select 3 answers
A.VPN for all remote access
B.Default-deny access policies (least privilege)
C.Continuous monitoring and authentication
D.Micro-segmentation of network resources
E.A single perimeter firewall
AnswersB, C, D

Users and devices are given only the access necessary.

Why this answer

Zero-trust requires that no entity is trusted by default, even inside the network. Micro-segmentation, continuous authentication, and least privilege are core principles.

741
MCQmedium

A company is adopting a DevOps model and wants to integrate security into CI/CD pipelines. Which of the following is the MOST effective approach?

A.Annual vulnerability scans
B.Post-deployment security testing
C.Manual security reviews before each release
D.Automated security scanning in the pipeline with fail-fast
AnswerD

Automation with fail-fast provides immediate feedback and prevents vulnerable code from progressing.

Why this answer

Automated security scanning with fail-fast ensures that vulnerabilities are caught early in the pipeline, aligning with DevOps speed. Manual reviews, annual scans, and post-deployment testing are too slow or reactive.

742
MCQhard

Refer to the exhibit. A cloud security engineer is reviewing an AWS S3 bucket policy. What security issue does the policy contain?

A.No server-side encryption is specified
B.Public read access is allowed
C.No version ID is specified in the resource
D.No logging is enabled for the bucket
AnswerB

Principal '*' with Allow effect grants anonymous access to objects, making them public.

Why this answer

The policy allows any principal ('*') to perform s3:GetObject on the bucket, making the bucket publicly readable. This exposes objects to anyone on the internet. No encryption, logging, or versioning issues are indicated by this JSON snippet.
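Neither exhibit (the VPC endpoint policy in question 731 nor the public bucket policy in this question) is reproduced on this page. As an added example that is not the exam's own material, the evaluator below models just enough of IAM policy evaluation to show both findings: a statement that grants `s3:GetObject` to Principal `*` with no Condition is public, and a Deny with `StringNotEquals` on `aws:sourceVpce` blocks every request that does not arrive through one endpoint. The two policies, the bucket name, the role ARN and the endpoint ID are constructed placeholders; real evaluation also involves identity policies, SCPs and more condition operators, which are deliberately left out.

```python
"""Minimal evaluator for the S3 bucket-policy patterns in questions 731 and 742.

Added example, not the exam exhibits (which are not reproduced on this page).
Both policies are constructed; the bucket name, role ARN and VPC endpoint ID
are placeholders. Only Principal, Action, Resource and the StringEquals /
StringNotEquals operators are modelled (assumption).
"""
import fnmatch
import json

# Constructed policy 1 (question 742 pattern): Allow to anyone, no Condition.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Constructed policy 2 (question 731 pattern): Deny everything unless the
# request arrives through one specific VPC endpoint.
VPCE_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-0123456789abcdef0"}}},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}]})


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(principal, caller):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        allowed = _as_list(principal.get("AWS", []))
        return "*" in allowed or caller in allowed
    return False


def _condition_matches(cond, context):
    """StringEquals fails when the key is absent; StringNotEquals succeeds (as in IAM)."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if op == "StringEquals" and actual not in _as_list(expected):
                return False
            if op == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def evaluate(policy_json, caller, action, resource, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request against one policy."""
    context = context or {}
    verdict = "ImplicitDeny"
    for st in json.loads(policy_json)["Statement"]:
        if not _principal_matches(st.get("Principal"), caller):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_matches(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        verdict = "Allow"
    return verdict


def public_statements(policy_json):
    """Indexes of Allow statements open to any principal with no Condition (the question 742 finding)."""
    flagged = []
    for i, st in enumerate(json.loads(policy_json)["Statement"]):
        if st["Effect"] == "Allow" and _principal_matches(st.get("Principal"), "anonymous") \
                and st.get("Principal") != {"AWS": "anonymous"} and not st.get("Condition"):
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.pdf"
    print("public statements in policy 1:", public_statements(PUBLIC_READ_POLICY))
    print("anonymous GetObject, policy 1:", evaluate(PUBLIC_READ_POLICY, "anonymous", "s3:GetObject", obj))
    role = "arn:aws:iam::111122223333:role/app"
    print("role via endpoint, policy 2:", evaluate(VPCE_ONLY_POLICY, role, "s3:GetObject", obj,
                                                   {"aws:sourceVpce": "vpce-0123456789abcdef0"}))
    print("role from internet, policy 2:", evaluate(VPCE_ONLY_POLICY, role, "s3:GetObject", obj))
```

The `StringNotEquals` handling is the detail worth noticing: when `aws:sourceVpce` is absent from the request context (a call made over the public internet) the Deny still matches, which is the behaviour that makes the endpoint-only pattern safe. The public-statement scan is the check a reviewer applies to a bucket policy before reading anything else.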

743
MCQmedium

A security architect is designing a defense-in-depth strategy for a web application. Which combination of controls provides overlapping protection against SQL injection attacks?

A.Encryption and hashing
B.Input validation and parameterized queries
C.Intrusion detection system (IDS) and antivirus
D.Web application firewall (WAF) and network segmentation
AnswerB

Input validation prevents malicious input, and parameterized queries prevent injection in database calls; together they provide overlapping protection.

Why this answer

Defense-in-depth layers multiple controls. Input validation rejects malicious input at the trust boundary, while parameterized queries keep data separate from the SQL text so the statement stays safe even when validation is bypassed or incomplete. A WAF (option D) inspects HTTP at the application layer and can block known injection patterns, but its partner in that option, network segmentation, does nothing against injection inside application code, so the pair does not provide overlapping protection for this attack.
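An added example (not part of the original question bank) of the two overlapping layers, using Python's sqlite3 module with a constructed in-memory users table: the concatenated query returns every row when given the tautology payload, the bound-parameter query returns nothing for the same input, and the allow-list validator rejects the payload before the query is ever built.

```python
import re
import sqlite3

# Constructed sample input: the classic tautology payload an attacker would send.
PAYLOAD = "x' OR '1'='1"
# Allow-list for usernames; anything outside these characters is rejected.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db() -> sqlite3.Connection:
    """In-memory users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "h1", "admin"), ("bob", "h2", "user")])
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """String concatenation: the input is spliced into the SQL text, so the quote
    in PAYLOAD closes the literal and OR '1'='1' makes the WHERE clause match every row."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def is_valid_username(username: str) -> bool:
    """Layer 1, allow-list validation at the trust boundary: quotes, spaces and
    comment markers are not in the permitted set, so the payload never gets through."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_parameterized(conn, username: str) -> list:
    """Layer 2, bound parameter: the driver passes the value separately from the
    statement text, so it is compared as data and cannot be parsed as SQL."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


def lookup_defended(conn, username: str) -> list:
    """Both layers together: the overlapping protection described in option B."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))   # leaks both rows
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # no match
    print("validation accepts payload:", is_valid_username(PAYLOAD))
```

The point of running both is visible in the failure case: if a future change relaxes USERNAME_RE (say, to allow apostrophes in names), lookup_defended is still safe because the parameter binding does not depend on the validator.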

744
MCQhard

A security analyst is investigating a potential advanced persistent threat (APT) that has evaded traditional signature-based defenses. The analyst hypothesizes that the attacker is using a specific technique from the MITRE ATT&CK framework: process injection. Which threat hunting methodology is most appropriate for this scenario?

A.TTP-driven hunting by analyzing adversary behaviors mapped to the ATT&CK framework
B.Hypothesis-driven hunting based on a specific technique (process injection) and searching for evidence in memory and process activity
C.Automated hunting using SIEM correlation rules that trigger on known malicious file hashes
D.IoC-driven hunting using known indicators of compromise from open-source feeds
AnswerB

Hypothesis-driven hunting starts with a hypothesis about adversary behavior and proactively searches for evidence, making it ideal for detecting novel or evasive techniques.

Why this answer

Hypothesis-driven hunting starts with a specific hypothesis based on threat intelligence or a known TTP, such as process injection. This approach is proactive and focuses on detecting behaviors consistent with the hypothesis, unlike IoC-driven hunting which relies on known indicators.
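An added example (not part of the original question bank) of what the hypothesis "an attacker is using process injection" turns into when it is run against endpoint telemetry. The records below are constructed in the shape of Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) events, not real logs; the file paths and the allow-listed EDR sensor path are placeholders. The hunt flags a remote thread whose start address is not backed by any module (StartModule empty), and a process handle opened with the PROCESS_VM_WRITE, PROCESS_VM_OPERATION and PROCESS_CREATE_THREAD rights that classic injection needs. Those three access-right values are the documented Windows constants.

```python
from collections import Counter

# Documented Windows process access rights (winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
# A handle carrying all three is the minimum needed to write code and start it.
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Hypothetical allow-list: tooling known to open handles into other processes.
KNOWN_SOURCES = {r"c:\program files\vendor\edr\sensor.exe"}

# Constructed Sysmon-style events (EventID 8 = CreateRemoteThread, 10 = ProcessAccess).
# GrantedAccess is the hex string Sysmon emits. Not real telemetry.
EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 8, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartModule": "", "StartFunction": ""},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1F0FFF"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Vendor\EDR\sensor.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "LdrInitializeThunk"},
]


def hunt_process_injection(events) -> list:
    """Return one hit per event consistent with the process-injection hypothesis."""
    hits = []
    for ev in events:
        src, dst = ev["SourceImage"].lower(), ev["TargetImage"].lower()
        if src in KNOWN_SOURCES or src == dst:
            continue  # allow-listed tooling, or a process touching itself
        if ev["EventID"] == 8 and not ev.get("StartModule"):
            # Thread start address not backed by a module on disk: shellcode-like.
            reason = "remote thread at an address not backed by any module"
        elif ev["EventID"] == 10 and (int(ev["GrantedAccess"], 16) & INJECT_MASK) == INJECT_MASK:
            reason = "handle opened with VM_WRITE|VM_OPERATION|CREATE_THREAD rights"
        else:
            continue
        hits.append({"source": ev["SourceImage"], "target": ev["TargetImage"], "reason": reason})
    return hits


def rank_sources(hits) -> list:
    """Sources ordered by how many hits they produced; the pivot for the next hunt step."""
    return Counter(h["source"] for h in hits).most_common()


if __name__ == "__main__":
    found = hunt_process_injection(EVENTS)
    for h in found:
        print(f"{h['source']} -> {h['target']}: {h['reason']}")
    print(rank_sources(found))
```

The svchost.exe handle to lsass.exe is not flagged because 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) cannot write memory, which is the kind of benign noise a pure "anything touching lsass" rule would drown in; the allow-list is what keeps the EDR sensor out of the results and should be reviewed as part of the hunt rather than trusted blindly.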

745
Multi-Selectmedium

A financial institution is implementing a secure software development lifecycle (SSDLC) for a new web application that will handle sensitive transactions. The security architect must ensure that application security testing is integrated into the development process. Which THREE testing techniques should be used to identify vulnerabilities early and throughout the lifecycle? (Choose THREE.)

Select 3 answers
A.Static Application Security Testing (SAST)
B.Runtime Application Self-Protection (RASP)
C.Interactive Application Security Testing (IAST)
D.Dynamic Application Security Testing (DAST)
E.Threat modeling
AnswersA, C, D

SAST scans source code for vulnerabilities early in development, enabling low-cost remediation.

Why this answer

SAST (Static Application Security Testing) identifies vulnerabilities in source code early, DAST (Dynamic Application Security Testing) tests running applications for runtime vulnerabilities, and IAST (Interactive Application Security Testing) combines aspects of both for real-time analysis. RASP is a runtime protection tool, not a testing technique. Threat modeling is a design-phase activity, not a testing technique.

746
Multi-Selecthard

During an incident response exercise, a company discovers that sensitive data was exfiltrated. The CIRT needs to determine the root cause and prevent recurrence. Which THREE of the following steps are part of the lessons learned process? (Choose THREE.)

Select 3 answers
A.Conduct a full forensic analysis of affected systems.
B.Identify gaps in security controls and recommend improvements.
C.Update the incident response plan based on findings.
D.Document the timeline of events and actions taken.
E.Disable the compromised accounts immediately.
AnswersB, C, D

Identifying gaps and recommending improvements is a core lesson learned activity.

Why this answer

B, C, and D are correct. Lessons learned includes identifying control gaps, updating the plan, and documenting the timeline of events and actions. A (forensic analysis) is part of the investigation, not lessons learned.

E is immediate containment, performed during the incident rather than after it.

747
MCQhard

An organization uses a CI/CD pipeline that builds Docker images and pushes them to a private registry. A security analyst discovers that some images contain environment variables with database credentials. Which of the following is the most effective way to prevent this in the future?

A.Use a .dockerignore file to exclude credential files.
B.Implement multi-stage builds to separate build and runtime environments.
C.Scan images with a vulnerability scanner after build.
D.Reduce the base image size to minimize attack surface.
AnswerB

Why this answer

The best approach is to use multi-stage builds: build the application in one stage, then copy only the artifact to a final, clean image. This keeps build-time secrets out of the final image's layers and configuration. Additionally, BuildKit's --secret flag (docker build --secret id=NAME,src=PATH, consumed in the Dockerfile with RUN --mount=type=secret,id=NAME) exposes a secret to a single build step without writing it to any layer or to the image config, so it does not show up in docker history or docker inspect.

Exam trap

Candidates often choose 'Use .dockerignore to exclude files' because it can prevent some files from being copied, but environment variables set via ENV or passed at build time are not files. Multi-stage builds address the root cause.

Why the other options are wrong

A

.dockerignore prevents copying files but does not eliminate secrets set via ENV or build args.

C

Post-build scanning is detective, not preventive: even where the scanner includes secret detection, the credential has already been baked into a layer or the image config and must be treated as exposed and rotated.

D

Size reduction does not remove secrets already embedded.
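An added example (not part of the original question bank) showing where the credentials the analyst found actually live and why the multi-stage fix removes them. It checks two things a registry-side control would look at: the image config's Env list (what docker inspect reports) and the per-layer CreatedBy strings (what docker history reports), where a value set with ENV is recorded verbatim and a build argument consumed by a RUN step appears after a |N marker. The two sample images are constructed: the first is the single-stage build with an ENV password and an ARG token, the second is the same application built in a multi-stage Dockerfile with the token passed via --secret. Variable names and values are placeholders.

```python
import re

# Names that should never carry a value inside an image. Tune to local naming conventions.
SECRET_NAME = re.compile(r"PASS|SECRET|TOKEN|API_?KEY|CREDENTIAL", re.I)

# Constructed docker inspect Config.Env and docker history CreatedBy output (BuildKit
# formatting) for the offending single-stage image.
SINGLE_STAGE_ENV = ["PATH=/usr/local/bin:/usr/bin", "DB_PASSWORD=Hunter2!", "DB_USER=app"]
SINGLE_STAGE_HISTORY = [
    "ENV DB_PASSWORD=Hunter2!",
    "RUN |1 NPM_TOKEN=npm_abc123 /bin/sh -c npm ci # buildkit",
    "COPY . /app # buildkit",
]

# Same application after the fix: multi-stage build, token supplied with --secret.
MULTI_STAGE_ENV = ["PATH=/usr/local/bin:/usr/bin", "PORT=8080"]
MULTI_STAGE_HISTORY = [
    "RUN --mount=type=secret,id=npm_token /bin/sh -c npm ci # buildkit",
    "COPY /build/dist /app # buildkit",
]


def find_baked_secrets(env, history) -> list:
    """Return (location, variable) pairs for secret-looking values persisted in an image."""
    findings = []
    for entry in env:  # image config: NAME=value, present in every container started from it
        name, _, value = entry.partition("=")
        if value and SECRET_NAME.search(name):
            findings.append(("config-env", name))
    for line in history:  # per-layer CreatedBy strings
        m = re.search(r"\bENV\s+([A-Za-z_][A-Za-z0-9_]*)=", line)
        if m and SECRET_NAME.search(m.group(1)):
            findings.append(("layer-env", m.group(1)))
        # Build args used by a RUN step are recorded as "|N NAME=value ..." before the shell.
        m = re.search(r"\|\d+\s+(.*?)\s+/bin/sh", line)
        if m:
            for arg in m.group(1).split():
                name = arg.partition("=")[0]
                if SECRET_NAME.search(name):
                    findings.append(("build-arg", name))
    return findings


if __name__ == "__main__":
    print("single-stage:", find_baked_secrets(SINGLE_STAGE_ENV, SINGLE_STAGE_HISTORY))
    print("multi-stage:", find_baked_secrets(MULTI_STAGE_ENV, MULTI_STAGE_HISTORY))
```

Note what the fixed image's history shows: the RUN line records that a secret mount named npm_token was used, but not its value, which is exactly the property the question's explanation attributes to --secret. A check like this belongs before the push to the registry, so a finding fails the pipeline rather than being discovered later by a scan.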

748
MCQmedium

A company uses a multi-cloud strategy with workloads in AWS and Azure. They need a centralized solution to enforce consistent security policies across both cloud environments. Which type of tool should they deploy?

A.Cloud Access Security Broker (CASB)
B.Cloud Security Posture Management (CSPM)
C.Cloud Workload Protection Platform (CWPP)
D.Security Information and Event Management (SIEM)
AnswerB

CSPM automates the identification and remediation of risks across cloud infrastructure configurations.

Why this answer

A Cloud Security Posture Management (CSPM) tool provides visibility and policy enforcement across multiple cloud providers, helping to ensure compliance with security best practices.

749
MCQmedium

A company's security policy requires all sensitive data to be encrypted at rest. However, a business unit requests an exception to store certain data unencrypted due to performance constraints. Which document should govern the exception process?

A.Security policy
B.Risk treatment plan
C.Acceptable use policy
D.Data classification standard
AnswerA

The security policy should include an exception management clause.

Why this answer

An exception management process is typically defined within the security policy or a related standard, outlining how to request, approve, and track exceptions.

750
MCQhard

A security analyst is using a SOAR platform to automate response to phishing emails reported by users. The playbook should perform the following actions in order: (1) extract indicators from the email, (2) query threat intelligence feeds for reputation, (3) if malicious, block the sender's domain at the email gateway and delete the email from all user inboxes. Which type of playbook step is most appropriate for step 3?

A.Playbook trigger
B.Output step
C.Action step
D.Conditional step
AnswerC

Action steps execute automated tasks such as API calls to block or delete.

Why this answer

In SOAR, an action step performs a specific operation like blocking a domain or deleting emails. Conditional steps would check conditions, but the playbook already determined the email is malicious, so an action is needed.
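An added example (not part of the original question bank, and not any vendor's SOAR implementation) that lays the three-step playbook out in code so the step types are visible: step 1 is indicator extraction, step 2 is enrichment, the if statement is the conditional step, and block_and_purge is the action step. The reported email, the reputation table standing in for the threat intelligence feed, and the gateway object that records what was blocked and deleted are all constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed user-reported messages (not real email).
REPORTED_EMAIL = """From: billing@invoice-portal-secure.example
To: jdoe@corp.example
Subject: Overdue invoice

Please review at http://invoice-portal-secure.example/pay?id=4412
Alternate copy: https://cdn.files-host.example/inv.pdf
"""
BENIGN_EMAIL = """From: hr@corp.example
To: jdoe@corp.example
Subject: Policy update

Read the new policy at https://intranet.corp.example/policy
"""

# Stand-in for the threat intelligence feed queried in step 2.
REPUTATION = {"invoice-portal-secure.example": "malicious"}


@dataclass
class Gateway:
    """Placeholder for the email gateway API; records the actions taken."""
    blocked_domains: set = field(default_factory=set)
    deleted_messages: list = field(default_factory=list)


def extract_indicators(raw: str) -> dict:
    """Step 1: sender domain plus every URL and URL host in the body."""
    sender = re.search(r"^From:\s*[^@\s]+@([\w.-]+)", raw, re.M).group(1)
    urls = re.findall(r"https?://[^\s\"'<>]+", raw)
    domains = {re.match(r"https?://([^/:]+)", u).group(1) for u in urls}
    domains.add(sender)
    return {"sender_domain": sender, "urls": urls, "domains": sorted(domains)}


def enrich(indicators: dict) -> dict:
    """Step 2: reputation lookup for each domain; unknown is not treated as clean."""
    return {d: REPUTATION.get(d, "unknown") for d in indicators["domains"]}


def block_and_purge(gateway: Gateway, sender_domain: str, message_id: str) -> None:
    """Step 3, the action step: the automated changes made on the gateway."""
    gateway.blocked_domains.add(sender_domain)
    gateway.deleted_messages.append(message_id)


def run_playbook(raw: str, message_id: str, gateway: Gateway) -> str:
    indicators = extract_indicators(raw)            # step 1
    verdicts = enrich(indicators)                   # step 2
    if "malicious" in verdicts.values():            # conditional step
        block_and_purge(gateway, indicators["sender_domain"], message_id)  # action step
        return "contained"
    return "escalated"                              # unknown verdict goes to an analyst


def run_and_report(raw: str, message_id: str) -> dict:
    """Run against a fresh gateway and return what happened, for inspection."""
    gw = Gateway()
    verdict = run_playbook(raw, message_id, gw)
    return {"verdict": verdict, "blocked": sorted(gw.blocked_domains),
            "deleted": list(gw.deleted_messages)}


if __name__ == "__main__":
    print(run_and_report(REPORTED_EMAIL, "msg-1"))
    print(run_and_report(BENIGN_EMAIL, "msg-2"))
```

Two design choices worth keeping in a real playbook: the action step is the only place that touches the gateway, so it is the one step that needs change control and a rollback path, and an "unknown" verdict escalates rather than falling through to deletion, so a feed outage cannot silently turn every reported email into a purge.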

CompTIA SecurityX CAS-004 CAS-004 Questions 676–750 | Page 10/14 | Courseiva