CompTIA SecurityX CAS-004 (CAS-004) — Questions 751–825

1000 questions total · 14 pages · All types, answers revealed


Page 11 of 14

751
MCQ · hard

A security analyst is reviewing a third-party assessment report and notes that the vendor's encryption algorithms are outdated. The contract requires the vendor to follow industry best practices. Which of the following is the BEST response?

A. Conduct a penetration test on the vendor's system.
B. Request the vendor to upgrade encryption algorithms to current standards.
C. Terminate the contract immediately.
D. Accept the risk because the vendor is technically compliant with the contract.
Answer: B

Directly asking the vendor to comply with the contract's best-practice clause is the most appropriate first step.

Why this answer

Option B is correct because the contract establishes the requirement, and requesting an upgrade is the proper first step to remedy the deficiency.

752
Multi-Select · medium

A small business is implementing a privacy impact assessment (PIA) for a new application that processes personal data of EU citizens. Which TWO of the following are required under GDPR?

Select 2 answers
A. Obtain approval from a data protection authority before processing
B. Appoint a data protection officer (DPO)
C. Publish the PIA on the company website
D. Describe the processing operations and purposes
E. Assess the necessity and proportionality of the processing
Answers: D, E

Correct: The PIA must include a description of the processing.

Why this answer

GDPR requires a PIA when processing is likely to result in high risk to individuals, and the PIA must describe the processing and assess necessity and proportionality.

753
MCQ · hard

A security team is analyzing a suspicious binary using static analysis. They run the strings command and observe references to 'CreateRemoteThread' and 'WriteProcessMemory'. Which technique is the binary likely employing?

A. DLL sideloading
B. Reflective DLL loading
C. Process injection
D. API hooking
Answer: C

These API calls are typical of process injection techniques.

Why this answer

CreateRemoteThread and WriteProcessMemory are commonly used for process injection, allowing code execution in another process's address space.

754
MCQ · easy

A security architect is designing a VPN that requires both authentication and encryption. Which IPsec protocol provides both services in a single protocol?

A. AH in transport mode
B. IKEv2
C. ESP in tunnel mode
D. AH in tunnel mode
Answer: C

ESP offers both encryption and authentication; tunnel mode encapsulates the entire IP packet.

Why this answer

ESP provides both encryption and optional authentication, while AH only provides authentication without encryption.

755
MCQ · medium

A multinational corporation must comply with GDPR, CCPA, and LGPD. The CISO proposes a unified data classification policy. Which approach best minimizes compliance conflicts?

A. Adopt a unified policy based on GDPR as the strictest regulation
B. Create a unified policy meeting the most stringent requirements of all three regulations
C. Use a single policy based on the company's country of incorporation
D. Implement separate policies for each regulation
Answer: B

A unified baseline using the most restrictive elements ensures compliance with all three.

Why this answer

Option B is correct because a unified policy that meets the most stringent requirements of GDPR, CCPA, and LGPD ensures baseline compliance across all jurisdictions without violating any regulation. This approach minimizes conflicts by harmonizing data classification rules, such as consent management and data subject rights, under the highest common denominator, which is GDPR for most provisions like explicit consent and 72-hour breach notification.

Exam trap

CompTIA often tests the misconception that adopting the strictest single regulation (GDPR) is sufficient, but the trap is that each regulation has unique requirements (e.g., CCPA’s right to opt out of sale, LGPD’s appointment of a DPO under Article 41) that must be explicitly addressed in a unified policy to avoid compliance gaps.

How to eliminate wrong answers

Option A is wrong because adopting a unified policy based solely on GDPR as the strictest regulation may not address CCPA-specific requirements, such as the right to opt out of the sale of personal information (California Civil Code §1798.120) or LGPD’s unique legal basis for processing (e.g., legitimate interest under Article 10), leading to non-compliance. Option C is wrong because using a single policy based on the company's country of incorporation ignores extraterritorial scope requirements of GDPR (Article 3), CCPA (California Consumer Privacy Act), and LGPD (Article 3), creating gaps for data subjects in other jurisdictions. Option D is wrong because implementing separate policies for each regulation increases administrative overhead, risks conflicting data handling procedures (e.g., different retention periods), and fails to provide a unified data classification framework, which the CISO specifically proposed to minimize conflicts.

756
MCQ · medium

A security manager is reviewing the company's security policy hierarchy. Which of the following correctly orders these documents from highest to lowest authority?

A. Standard, Policy, Procedure, Guideline
B. Policy, Standard, Guideline, Procedure
C. Policy, Guideline, Standard, Procedure
D. Procedure, Guideline, Standard, Policy
Answer: B

Correct order: Policy -> Standard -> Guideline -> Procedure.

Why this answer

The policy hierarchy typically follows: Policy (high-level, mandatory) -> Standard (specific requirements) -> Guideline (recommendations) -> Procedure (step-by-step instructions).

757
MCQ · hard

A company is migrating to a zero trust architecture. Which of the following is a key principle of zero trust?

A. Allow all traffic within the corporate network
B. Assume breach and verify every request
C. Trust devices based on their IP address
D. Trust but verify for all internal traffic
Answer: B

Zero trust operates on the principle of never trusting and always verifying.

Why this answer

Zero trust architecture is built on the principle of 'never trust, always verify,' which explicitly requires that every access request—regardless of origin—be authenticated, authorized, and continuously validated. Option B ('Assume breach and verify every request') captures this core tenet, as it mandates that no implicit trust is granted based on network location or device status, and every request must be treated as potentially malicious until proven otherwise.

Exam trap

The trap here is that candidates often confuse 'trust but verify' (Option D) with zero trust, but zero trust explicitly eliminates the initial trust assumption, requiring verification before any access is granted, not after.

How to eliminate wrong answers

Option A is wrong because zero trust explicitly rejects the model of allowing all traffic within the corporate network; instead, it enforces micro-segmentation and least-privilege access, blocking all traffic by default and only permitting what is explicitly allowed. Option C is wrong because zero trust does not trust devices based on their IP address—IP addresses are easily spoofed and change frequently; trust is instead established through device identity, health posture, and continuous authentication (e.g., using certificates or device attestation). Option D is wrong because 'trust but verify' is the opposite of zero trust; zero trust assumes no trust at any point, requiring verification for every request, including internal traffic, rather than granting initial trust and then verifying.

758
MCQ · hard

A security manager is evaluating two risk quantification approaches: Factor Analysis of Information Risk (FAIR) and a qualitative heat map. Which of the following is a key advantage of using FAIR over the qualitative heat map?

A. FAIR is the only framework recognized by NIST
B. FAIR is easier to communicate to non-technical stakeholders
C. FAIR requires less data and expertise to implement
D. FAIR provides a monetary value for risk, enabling ROI calculations
Answer: D

Correct: FAIR produces dollar figures for risk, supporting cost-benefit decisions.

Why this answer

FAIR provides a more rigorous, quantitative analysis that enables cost-benefit analysis, unlike qualitative methods.

759
MCQ · easy

During a secure SDLC, a development team wants to identify vulnerabilities in running code. Which type of testing should be performed?

A. IAST
B. SAST
C. DAST
D. RASP
Answer: C

DAST tests running code for vulnerabilities.

Why this answer

DAST (Dynamic Application Security Testing) tests running applications from the outside, simulating attacks to find vulnerabilities in runtime behavior.

760
MCQ · hard

During a security assessment, an engineer discovers that a smartcard used for authentication is vulnerable to side-channel attacks. Which countermeasure would best mitigate power analysis attacks?

A. Adding redundant cryptographic operations to equalize power consumption
B. Using a shielded enclosure to reduce electromagnetic emissions
C. Increasing the key length
D. Implementing a hardware random number generator
Answer: A

This makes power consumption more uniform, reducing leakage.

Why this answer

Power analysis attacks exploit variations in power consumption; constant-time algorithms and power smoothing hardware help mitigate this.

761
MCQ · hard

An organization is implementing a hybrid cloud architecture and must ensure secure connectivity between its on-premises network and a public cloud VPC. The traffic includes sensitive data that must not traverse the internet. The solution must provide high bandwidth and low latency. Which connectivity option should the architect choose?

A. AWS Direct Connect
B. Site-to-Site VPN over the internet
C. AWS Client VPN
D. Internet gateway with encryption
Answer: A

Direct Connect provides a private, dedicated connection with high bandwidth and low latency.

Why this answer

Direct Connect provides a dedicated, private, high-bandwidth connection between on-premises and cloud, bypassing the internet.

762
Multi-Select · hard

Which THREE of the following are required for a valid Business Associate Agreement (BAA) under HIPAA? (Select THREE)

Select 3 answers
A. Indemnification clause for breaches
B. Permitted and required uses of PHI
C. Requirement to store data in the United States
D. Safeguards to protect PHI
E. Procedures for breach notification
Answers: B, D, E

The permitted and required uses of PHI must be specified.

Why this answer

A Business Associate Agreement (BAA) must specify the permitted and required uses of Protected Health Information (PHI) by the business associate. This is a core requirement under HIPAA §164.504(e)(2)(i) to ensure the business associate does not use or disclose PHI beyond what is authorized by the covered entity or required by law.

Exam trap

The CAS-004 exam often tests the distinction between mandatory BAA elements (permitted uses, safeguards, breach notification) and optional contractual terms (indemnification, data storage location) to see if candidates confuse common business contract clauses with HIPAA regulatory requirements.

763
Multi-Select · medium

An organization is deploying a Kubernetes cluster and needs to harden security. Which THREE controls should be implemented? (Choose three.)

Select 3 answers
A. Role-Based Access Control (RBAC)
B. Admission controllers
C. Seccomp profiles
D. Network policies
E. Service mesh
Answers: A, B, D

RBAC restricts user and service account permissions.

Why this answer

RBAC controls access, network policies segment traffic, and admission controllers enforce policies before pods are created.

764
Multi-Select · easy

A penetration tester is planning a test for a client that has a critical web application. The rules of engagement specify that the tester must avoid causing a denial of service (DoS). Which THREE actions are appropriate for the tester to include in the scope? (Select THREE.)

Select 3 answers
A. Conducting social engineering attacks against employees without prior approval
B. Port scanning to identify open services on the web server
C. Performing a distributed denial-of-service (DDoS) attack to test resilience
D. Attempting to brute-force directories and files on the web server
E. Testing for SQL injection vulnerabilities in input fields
Answers: B, D, E

Port scanning is a standard reconnaissance technique that does not cause DoS.

Why this answer

Port scanning, SQL injection testing, and directory brute-forcing are common penetration testing activities that do not inherently cause DoS. DoS attacks and social engineering without approval are typically out of scope.

765
MCQ · easy

A security architect is implementing defense-in-depth for a critical application. Which of the following is an example of a detective control?

A. Data encryption
B. Access control list
C. Firewall
D. Intrusion detection system
Answer: D

Correct; IDS monitors and alerts on potential incidents.

Why this answer

Detective controls identify and record security events after they occur; an IDS monitors traffic for suspicious activity.

766
Matching · medium

Match each error code or HTTP status code to its meaning.


Concepts
Matches

Forbidden

Not Found

Internal Server Error

Bad Gateway

Unauthorized

Why these pairings

HTTP status codes are important for web security and troubleshooting.

767
Multi-Select · hard

During a penetration test, an assessor successfully exploits a timing side-channel attack to extract an ECDSA private key from a secure enclave. Which TWO mitigations should the development team implement to prevent such attacks? (Select TWO.)

Select 2 answers
A. Implement constant-time cryptographic operations
B. Add random delays to cryptographic operations
C. Disable debug interfaces on the secure enclave
D. Use blinding techniques for ECDSA signing
E. Replace ECDSA with Ed25519
Answers: A, D

Constant-time code ensures execution time is independent of secret data, thwarting timing attacks.

Why this answer

Timing attacks exploit variations in execution time based on secret data. Constant-time algorithms ensure that execution time does not depend on secret inputs. Blinding techniques randomize the computation so that timing variations are independent of the secret.

Using stronger algorithms like Ed25519 does not inherently prevent timing attacks; constant-time implementation is needed. Adding noise to operations can help but is less effective than constant-time. Disabling debug interfaces is not a direct mitigation for timing attacks.

768
MCQ · hard

To protect against quantum computing attacks, a security architect is planning to transition to post-quantum cryptography. Which algorithm has been selected by NIST for general encryption (key encapsulation) in the PQC standard?

A. Falcon
B. CRYSTALS-Dilithium
C. CRYSTALS-Kyber
D. SPHINCS+
Answer: C

Correct – Kyber is the key encapsulation mechanism.

Why this answer

NIST selected CRYSTALS-Kyber for key encapsulation (encryption) and CRYSTALS-Dilithium for digital signatures.

769
MCQ · hard

During a security assessment, a tester finds that a web application accepts user input and directly uses it in an LDAP query without sanitization. Which of the following attacks is most likely to be successful?

A. Cross-site scripting
B. SQL injection
C. Remote file inclusion
D. LDAP injection
Answer: D

LDAP injection occurs when user input is improperly concatenated into LDAP queries.

Why this answer

Option D is correct because unsanitized input in an LDAP query leads to LDAP injection. Option B (SQL injection) applies to SQL queries. Option A (XSS) applies to output in web pages. Option C (remote file inclusion) is for file inclusion vulnerabilities.

770
Multi-Select · medium

A DevOps engineer is automating the deployment of a web application using containers. Which of the following security practices should be implemented to reduce the attack surface of the containers? (Select TWO.)

Select 2 answers
A. Run containers as a non-root user
B. Build images with embedded database credentials
C. Use minimal base images like Alpine or distroless
D. Expose port 22 for SSH debugging
E. Grant all Linux capabilities to the container
Answers: A, C

Why this answer

Running containers as a non-root user (option A) is a fundamental security best practice because it limits the privileges available to processes inside the container. If an attacker compromises the application, they will not have root access to the host or the container runtime, reducing the potential for privilege escalation or host-level damage. This aligns with the principle of least privilege, which is critical for container security.

Exam trap

CompTIA often tests the misconception that containers are inherently secure because they are isolated, but the trap here is that default root execution and bloated base images are common misconfigurations that dramatically increase the attack surface, and candidates may overlook the need to explicitly drop privileges and minimize image content.

Why the other options are wrong

B

Embedding secrets in images is insecure; they should be injected at runtime.

D

Exposing SSH adds an attack vector and is unnecessary in production.

E

Granting all capabilities weakens isolation; should drop all unnecessary capabilities.

771
MCQ · hard

An organization is implementing a CASB to secure their SaaS applications. Which CASB deployment mode is most appropriate for monitoring and controlling data in transit between users and cloud apps without modifying the user's device?

A. API-based
B. Reverse proxy
C. Forward proxy
D. Inline gateway
Answer: A

Correct; API-based CASB uses cloud provider APIs for visibility and control without modifying endpoints.

Why this answer

API-based CASB connects directly to the cloud app's API to monitor and control data, without requiring client software.

772
MCQ · hard

A security operations center (SOC) analyst is tuning a SIEM correlation rule to detect a known attack pattern that involves multiple failed logins followed by a successful login from a different IP address. Which approach best reduces false positives while maintaining detection effectiveness?

A. Use User Behavior Analytics (UBA) to baseline normal login patterns
B. Create a rule that alerts on any failed login
C. Correlate only with known malicious IP addresses
D. Set a threshold of 10 failed logins within 5 minutes
Answer: A

UBA adapts to user behavior, reducing false positives.

Why this answer

UBA establishes a baseline of user behavior and flags deviations, reducing false positives from legitimate multiple failed logins (e.g., forgotten passwords) while still detecting anomalous patterns.

773
MCQ · medium

During an incident response, a security analyst identifies a previously unknown malware variant. Which type of threat intelligence feed would provide the most timely and structured information about this threat?

A. STIX/TAXII feed
B. An ISAC
C. Open source intelligence (OSINT)
D. A commercial threat feed
Answer: A

STIX/TAXII provides structured, machine-readable threat intelligence.

Why this answer

STIX/TAXII enables sharing of structured threat intelligence in a standardized format, allowing for automated consumption and immediate updates.

774
MCQ · easy

A small business wants to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS). Which of the following is an essential requirement they must implement?

A. Implement logging and monitoring of all access to cardholder data
B. Encrypt all cardholder data at rest
C. Conduct vulnerability scans on a monthly basis
D. Perform continuous penetration testing
Answer: A

PCI DSS Requirement 10 requires logging and monitoring.

Why this answer

Option A is correct because PCI DSS Requirement 10 mandates logging and monitoring of access to cardholder data. Option B is wrong because encryption in transit is required, not at rest by all merchants. Option C is wrong because quarterly scans are required, not monthly.

Option D is wrong because penetration testing is required annually, not continuously.

775
MCQ · hard

A security engineer is implementing deception technology to detect lateral movement by adversaries. Which type of deception resource would be MOST effective for capturing adversary credential harvesting activities on a network segment that contains no real domain controllers?

A. A SIEM correlation rule for anomalous logins
B. A network-based intrusion detection system (NIDS)
C. A honeypot configured as a domain controller
D. A honeytoken in the form of a fake service account password
Answer: D

Honeytokens are lightweight and trigger alerts when used.

Why this answer

A honeytoken (e.g., a fake credential file or a service account password) planted on a system can trigger an alert when an adversary attempts to use it. A fake domain controller honeypot is also effective but may require more resources. However, a honeytoken is specifically designed to be used by attackers and is simple to deploy.

776
MCQ · medium

A company has implemented a hardware security module (HSM) to manage cryptographic keys for a payment processing system. Which of the following best describes an advantage of using an HSM over software-based key storage?

A. Easier key rotation
B. Tamper-resistant key storage
C. Faster cryptographic operations
D. Lower implementation cost
Answer: B

HSMs provide physical and logical protections to prevent key extraction and tampering.

Why this answer

HSMs are tamper-resistant devices that protect keys from physical and logical attacks, offering a higher level of security than software-based storage. While HSMs can be costly and may have slower key generation, their primary advantage is physical security.

777
Multi-Select · medium

A security architect is designing a risk mitigation strategy for a critical application. Which TWO of the following are examples of risk acceptance? (Select TWO.)

Select 2 answers
A. Outsourcing the application hosting to a third party.
B. Obtaining senior management sign-off to accept the risk without additional controls.
C. Purchasing cyber insurance to cover potential losses.
D. Formally acknowledging the residual risk after controls are implemented.
E. Implementing an intrusion prevention system to reduce the likelihood of attacks.
Answers: B, D

Management sign-off is a documented acceptance.

Why this answer

Risk acceptance involves acknowledging the risk and taking no further action, or obtaining a formal waiver. Insurance transfers risk, not accepts. Implementing controls reduces risk.

Outsourcing transfers risk.

778
Multi-Select · medium

A security architect is evaluating a CSPM tool for a multi-cloud environment. Which TWO capabilities should the architect consider essential for the CSPM? (Choose two.)

Select 2 answers
A. Continuous compliance monitoring against frameworks like CIS
B. Vulnerability scanning of container images
C. Configuration drift detection
D. Real-time web application firewall
E. Data loss prevention for cloud storage
Answers: A, C

Correct; CSPM monitors compliance.

Why this answer

CSPM automates security compliance and configuration monitoring across cloud environments.

779
MCQ · medium

An IoT device manufacturer wants to ensure that firmware updates are authentic and have not been tampered with. The device has limited computational resources. Which cryptographic primitive is most appropriate for verifying the integrity and authenticity of firmware images?

A. Digital signature using ECDSA P-384
B. SHA-256 hash only
C. Symmetric MAC using AES-256-GCM
D. HMAC-SHA256 with a device-specific key
Answer: A

Digital signatures provide non-repudiation and authenticity without shared secrets; ECDSA is efficient for constrained devices.

Why this answer

Digital signatures provide both integrity and authenticity. RSA is too computationally intensive for constrained devices; ECDSA or Ed25519 are more suitable. The question asks for the primitive, so digital signatures are the correct category.

780
Multi-Select · medium

A company is implementing privileged access management (PAM) for its critical servers. Which THREE practices should be included to enhance security? (Select THREE.)

Select 3 answers
A. Record and monitor all privileged sessions
B. Implement just-in-time (JIT) access provisioning
C. Use break-glass accounts for emergency access
D. Enforce multi-factor authentication for all users
E. Require periodic password rotation for all service accounts
Answers: A, B, C

Session recording ensures accountability and aids forensic analysis.

Why this answer

Just-in-time (JIT) access provisioning grants privileges only when needed, reducing standing privileges. Session recording and monitoring provides audit trails. Break-glass accounts provide emergency access with controls.

MFA for all users is a general practice, but for PAM, JIT, session monitoring, and break-glass are specific. Password rotation is good but not a core PAM practice compared to the others.

781
MCQ · easy

Which of the following is a core principle of the Zero Trust security model?

A. Perimeter-based trust
B. Never trust, always verify
C. Trust based on network location
D. Trust but verify
Answer: B

This is the key principle of Zero Trust.

Why this answer

Zero Trust assumes no implicit trust and requires verification for every access request, regardless of location.

782
MCQ · easy

Which security issue is addressed by this configuration?

A. Enables server-side includes
B. Prevents directory listing
C. Blocks access to all files
D. Enables CGI execution
Answer: B

`-Indexes` explicitly disables directory listing.

Why this answer

The `-Indexes` option disables directory listing, preventing visitors from seeing the contents of a directory if no index file is present. `AllowOverride None` disables .htaccess overrides, and `Allow from all` permits access.

783
MCQ · hard

A global e-commerce company processes payment card data and is required to comply with PCI DSS. During a quarterly vulnerability scan, the security team discovers that a web application firewall (WAF) rule is blocking legitimate traffic, causing transaction failures. The WAF is a critical compensating control for a known vulnerability in the application that cannot be patched for 90 days. The compliance officer is concerned about maintaining PCI DSS compliance while ensuring business continuity. The security team proposes temporarily disabling the WAF to restore service while they fine-tune the rules. Which of the following is the BEST action?

A. Segment the affected application from the rest of the network and remove the WAF from the data path.
B. Disable the WAF immediately to restore service and document the decision as a risk acceptance.
C. Accept the risk of transaction failures and keep the WAF in place until the rules are fully tested.
D. Temporarily modify the WAF rule set to allow legitimate traffic while maintaining security, and schedule a permanent fix within 24 hours.
Answer: D

Fine-tuning rules restores service without compromising the compensating control.

Why this answer

Option D is correct because fine-tuning the WAF rules quickly is the best approach to restore service while maintaining security. Option B is wrong because disabling the WAF would remove the compensating control and violate PCI DSS requirement 6.6. Option A is wrong because relying solely on network segmentation may not provide equivalent protection. Option C is wrong because accepting risk without a compensating control is not permitted under PCI DSS.

784
MCQ · hard

An organization is implementing a zero trust architecture (ZTA). The security architect proposes using a software-defined perimeter (SDP) to replace the traditional VPN for remote access. Which of the following best describes the primary security benefit of SDP over VPN in a zero trust model?

A. It provides deep packet inspection to detect malicious traffic.
B. It enforces multi-factor authentication for every session.
C. It reduces latency by establishing direct peer-to-peer connections.
D. It prevents unauthorized users from discovering the application infrastructure.
Answer: D

SDP uses a 'black cloud' approach where the application server is invisible until the user is authenticated and authorized, reducing the attack surface.

Why this answer

In a zero trust architecture, the primary security benefit of a software-defined perimeter (SDP) over a traditional VPN is that it hides the application infrastructure from unauthorized users. SDP uses a controller-based model where devices must authenticate and be authorized before they can even see the application servers, effectively creating a 'black cloud' that prevents discovery and reduces the attack surface. This aligns with the zero trust principle of 'never trust, always verify' and eliminates the network-level visibility that VPNs inherently provide to any connected client.

Exam trap

The trap here is that candidates confuse the 'direct' connection behavior of some SDP implementations with a security benefit, when in fact the core advantage is hiding infrastructure from unauthorized users, not reducing latency or enabling peer-to-peer connections.

How to eliminate wrong answers

Option A is wrong because deep packet inspection is a feature of next-generation firewalls or intrusion prevention systems, not a core or defining benefit of SDP; SDP focuses on access control and visibility hiding, not traffic inspection. Option B is wrong because multi-factor authentication is a common requirement in both SDP and modern VPN solutions; it is not unique to SDP and does not represent the primary security benefit over VPN. Option C is wrong because SDP typically uses a controller to broker connections and often routes traffic through a gateway or proxy, not direct peer-to-peer connections; reducing latency is not a primary security benefit, and direct connections can actually introduce security risks in a zero trust model.

785
Multi-Select · hard

Which TWO of the following are effective defenses against Server-Side Request Forgery (SSRF) attacks? (Select TWO.)

Select 2 answers
A. Whitelist allowed outbound IP addresses and domains
B. Use a web application firewall (WAF) to block SSRF signatures
C. Enforce strict referrer headers on requests
D. Disable unused URL schemes (e.g., file://, dict://)
E. Implement input validation on all user-supplied URLs
Answers: A, D

Restricting outbound connections to known safe destinations prevents the server from making requests to internal or malicious hosts.

Why this answer

Options A and D are correct. Whitelisting allowed outbound destinations (A) and disabling unused URL schemes (D) are direct defenses. Option E (input validation) is helpful but can be bypassed. Option B (WAF) is signature-based and not a primary defense. Option C (referrer headers) is not specific to SSRF.

786
Multi-Select · easy

Which two are best practices for securing Docker container images? (Select TWO.)

Select 2 answers
A. Use multi-stage builds to reduce image size
B. Store images on a public registry for easy sharing
C. Use the latest tag for base images
D. Run containers as a non-root user
E. Scan images for known vulnerabilities before deployment
Answers: D, E

Non-root containers limit the impact of a compromise.

Why this answer

Options D (run containers as non-root) and E (scan images for vulnerabilities) are correct. Option C (use the latest tag) is insecure because the tag can change unexpectedly. Option B (store on a public registry) exposes images.

Option A (multi-stage builds) reduces image size and therefore attack surface, but it is primarily a build optimization rather than a security control, so running as non-root and vulnerability scanning are the more direct security best practices.

787
MCQhard

An organization is migrating critical workloads to the cloud and must comply with FedRAMP. Which cloud service model provides the most customer control over security configuration while still leveraging the provider's FedRAMP authorization?

A.Software as a Service (SaaS)
B.Infrastructure as a Service (IaaS)
C.Platform as a Service (PaaS)
D.Function as a Service (FaaS)
AnswerB

Correct – IaaS offers maximum customer control over security.

Why this answer

IaaS gives the customer control over OS, applications, and security configurations, while the provider manages the physical infrastructure. FedRAMP authorization can cover the IaaS layer.

788
MCQmedium

After a security incident, the IR team identifies that the attacker used a spear-phishing email with an attached malicious macro. Which log source would be MOST crucial to determine the scope of the compromise?

A.Endpoint detection and response (EDR) telemetry
B.Windows Event Logs (Event ID 4688)
C.Proxy server logs
D.Email server logs
AnswerC

Proxy logs reveal connections to C2 servers and data exfiltration attempts.

Why this answer

Option C is correct because proxy logs show outbound HTTP/HTTPS connections, which malware often uses for C2 and data exfiltration. Option D (email server logs) shows the sender and recipients but not system activity. Option B (Event ID 4688) shows local process execution but may not show network connections.

Option A (EDR telemetry) shows endpoint network connections but may not capture all outbound traffic if it is not forwarded.

789
MCQmedium

An organization is concerned about quantum computer attacks on its current cryptographic infrastructure. Which of the following NIST-approved post-quantum cryptographic algorithms is designed for key encapsulation?

A.RSA-4096
B.CRYSTALS-Kyber
C.ECDHE
D.CRYSTALS-Dilithium
AnswerB

Correct NIST-selected KEM.

Why this answer

CRYSTALS-Kyber is a key encapsulation mechanism (KEM) selected by NIST for post-quantum cryptography.

790
Multi-Selecteasy

An organization is implementing a public key infrastructure (PKI). Which THREE of the following are essential components?

Select 3 answers
A.Key escrow agent
B.Certificate authority (CA)
C.Certificate database and CRL
D.Registration authority (RA)
E.Time-stamping authority (TSA)
AnswersB, C, D

The CA signs and issues certificates.

Why this answer

A CA issues certificates, an RA verifies identity before certificate issuance, and the certificate database stores issued certificates and CRLs.

791
MCQeasy

An organization needs to demonstrate compliance with the General Data Protection Regulation (GDPR) for processing personal data of EU citizens. Which of the following is a mandatory requirement under GDPR?

A.Obtain explicit consent for all data processing
B.Notify supervisory authority of a breach within 24 hours
C.Implement data protection by design and default
D.Store all personal data within the EU
AnswerC

GDPR requires data protection by design and default.

Why this answer

Option C is correct because GDPR mandates that data protection must be integrated into processing activities (Data Protection by Design and Default). Option D is wrong because data localization is not a blanket requirement. Option B is wrong because breach notification is within 72 hours, not 24.

Option A is wrong because consent is not always required; other lawful bases exist.

792
Multi-Selecthard

A CSIRT is developing a threat hunting hypothesis based on the MITRE ATT&CK framework. Which THREE of the following are techniques that threat hunters would commonly investigate for initial access? (Choose three.)

Select 3 answers
A.Exploit public-facing application
B.Spear-phishing attachment
C.Valid accounts
D.Remote services
E.Boot or logon autostart execution
AnswersA, B, C

Exploiting vulnerabilities in internet-facing applications is another common technique.

Why this answer

Options A, B, and C are correct. Spear-phishing, exploitation of public-facing applications, and valid accounts are common initial access techniques. Option D (remote services) is for lateral movement, and Option E is for persistence.

793
MCQmedium

During a security incident, a SOC analyst identifies a process with a suspicious hash on several endpoints. The analyst wants to determine if this hash is known to be malicious by querying internal and external threat intelligence sources. Which standard should the analyst use to structure the threat intelligence data for automated sharing?

A.TAXII
B.STIX
C.OpenIOC
D.CybOX
AnswerB

STIX is the standard structured language for describing threat intelligence.

Why this answer

STIX (Structured Threat Information Expression) is a language for describing threat intelligence, often used in conjunction with TAXII for sharing. It structures data like indicators, observables, and campaigns.

794
Multi-Selecthard

A security team is automating incident response using playbooks. Which two of the following are critical considerations when designing automated response actions? (Select two.)

Select 2 answers
A.Execute all actions immediately to minimize damage.
B.Include a manual approval step for high-impact actions.
C.Ensure automated actions are reversible.
D.Use the same playbook for all incident types.
AnswersB, C

Why this answer

Option B is correct because high-impact automated actions, such as blocking a critical server or deleting user accounts, can cause significant collateral damage if triggered by a false positive. Including a manual approval step ensures a human verifies the alert before irreversible or disruptive actions are taken, aligning with the principle of least privilege and incident response best practices.

Exam trap

CompTIA often tests the misconception that speed is always the priority in automation, tempting candidates to select 'execute all actions immediately' without considering the need for validation and reversibility in high-stakes environments.

Why the other options are wrong

A

Immediate execution without validation can cause collateral damage.

D

Different incidents require tailored responses; one-size-fits-all is ineffective.

795
MCQeasy

A network architect is designing a DMZ for a web application. Which of the following is the MOST appropriate placement for a reverse proxy?

A.In the management network
B.In the DMZ
C.In the database tier
D.Inside the internal network
AnswerB

The DMZ is the appropriate security zone for externally facing services.

Why this answer

A reverse proxy should be placed in the DMZ to handle external requests and provide an additional layer of security by buffering the internal web servers. Placing it inside the internal network, database tier, or management network would defeat its purpose.

796
MCQmedium

A financial services company is implementing a risk management framework. The security team has identified that the current encryption algorithm for customer data in transit is deprecated. According to NIST SP 800-53, which of the following is the MOST appropriate step to address this finding?

A.Implement compensating controls such as network segmentation
B.Update the encryption algorithm to a FIPS 140-2 validated one
C.Accept the risk because the algorithm is still functional
D.Transfer the risk by purchasing cyber insurance
AnswerB

Updating aligns with NIST SP 800-53 cryptographic controls.

Why this answer

Option B is correct because updating the encryption algorithm aligns with NIST SP 800-53 controls for cryptographic protection. Option C is wrong because accepting risk without mitigation is not appropriate for a deprecated algorithm. Option A is wrong because compensating controls do not address the root cause.

Option D is wrong because transferring risk via cyber insurance does not fix the technical issue.

797
Multi-Selecthard

A DevOps team is automating server configuration using configuration management tools. Which THREE principles should be followed to ensure secure automation? (Choose three.)

Select 3 answers
A.Store secrets in encrypted variables or vaults
B.Implement least privilege for automation agents
C.Use idempotent scripts to ensure consistent state
D.Hardcode credentials in automation scripts
E.Perform unit testing on scripts
AnswersA, B, C

Encrypting secrets prevents exposure in scripts or logs.

Why this answer

Storing secrets encrypted, ensuring idempotency, and applying least privilege to automation agents are key security practices. Hardcoding credentials is insecure. While unit testing is good, it is not specifically a security principle.

798
Drag & Dropmedium

Drag and drop the steps to perform a secure code review for a web application into the correct order.

Why this order

Secure code review: understand code, automated scan, manual review, document, and communicate findings.

799
MCQmedium

You are a security consultant for a law firm that handles highly confidential client data. The firm wants to implement a data loss prevention (DLP) solution to prevent sensitive data from leaving the network via email. The firm's email system is Microsoft 365. The DLP policy must comply with the firm's data classification policy, which identifies 'Legal Strategy' as top secret and 'Client Contact Info' as confidential. The firm also wants to allow attorneys to send confidential information to clients with a business justification. Which of the following DLP rule configurations best meets these requirements?

A.Encrypt all emails containing any sensitive data and allow delivery
B.Block both top secret and confidential content with no override
C.Block top secret content and allow confidential content with an audit log
D.Block top secret content and allow confidential content with an override requiring a business justification
AnswerD

Balances security and usability

Why this answer

Option D is correct because it aligns with the firm's data classification policy by blocking top-secret 'Legal Strategy' content outright, while allowing 'Client Contact Info' (confidential) to be sent with a business justification override. This balances security with operational needs, as Microsoft 365 DLP supports policy tips and override options with justification for lower-sensitivity data, ensuring compliance without disrupting attorney-client communication.

Exam trap

The trap here is that candidates often confuse 'allow with audit log' (passive monitoring) with 'allow with override requiring justification' (active enforcement), overlooking the specific business requirement for a justification workflow.

How to eliminate wrong answers

Option A is wrong because encrypting all emails containing sensitive data does not prevent data leakage; it only protects data in transit, and the firm requires blocking top-secret content, not just encrypting it. Option B is wrong because blocking both top-secret and confidential content with no override is too restrictive; it would prevent attorneys from sending confidential client contact info even with a legitimate business need, violating the requirement to allow such communication with justification. Option C is wrong because allowing confidential content with only an audit log provides no enforcement mechanism; the firm explicitly requires a business justification override for confidential data, not just passive logging.

800
MCQhard

A security analyst reviews the syslog messages from the company's ASA firewall. Based on the exhibit, which of the following is the MOST likely cause of the denied traffic?

A.The external server is trying to initiate connections to the internal host on port 80.
B.Network address translation (NAT) is not configured correctly for the internal host.
C.The access-group "OUTSIDE_IN" is applied to the wrong interface or direction, blocking legitimate outbound traffic.
D.The internal host is attempting a port scan against the external server.
AnswerC

The access list name suggests it is meant for inbound traffic on the outside interface, but it is blocking outbound traffic, indicating a misapplication.

Why this answer

The syslog message shows traffic from the internal host (10.10.10.10) to the external server (209.165.200.225) on port 80 being denied by the access-group "OUTSIDE_IN" applied to the outside interface. Since the traffic is outbound (source inside, destination outside), an inbound access-list on the outside interface would block this legitimate outbound traffic because it evaluates packets entering the interface from the outside, not leaving it. The correct configuration would be to apply the access-group to the inside interface in the inbound direction or to the outside interface in the outbound direction.

Exam trap

CompTIA often tests the concept that an access-list applied inbound on the outside interface filters traffic entering from the outside, not traffic leaving the inside, causing candidates to mistakenly think the ACL blocks inbound traffic when it actually blocks outbound traffic.

How to eliminate wrong answers

Option A is wrong because the denied traffic is from the internal host to the external server on port 80, not the reverse; the syslog shows source 10.10.10.10 and destination 209.165.200.225, so the external server is not initiating connections. Option B is wrong because NAT misconfiguration would typically result in translation failures or asymmetric routing, not a deny by an access-list named "OUTSIDE_IN"; the syslog explicitly shows the deny is due to the access-group, not a NAT issue. Option D is wrong because there is no evidence of a port scan in the single syslog entry; a port scan would generate multiple denied packets to different ports or sequential IPs, and the log shows only a single TCP SYN to port 80, which is normal web traffic.

801
MCQmedium

A security architect is evaluating a SASE solution. Which capability is expected to be part of a SASE platform?

A.Intrusion prevention system (IPS) at the data center
B.Network segmentation via VLANs
C.Secure web gateway (SWG)
D.Virtual private network (VPN) concentrator
AnswerC

SWG is a core security function in SASE for filtering web traffic.

Why this answer

SASE converges network and security services, including secure web gateway (SWG), cloud access security broker (CASB), zero trust network access (ZTNA), and firewall as a service (FWaaS). SD-WAN is the networking component.

802
MCQmedium

A company is designing a secure web application that processes credit card payments. The architect needs to ensure that the application is resilient against SQL injection attacks. Which of the following is the most effective defense?

A.Use stored procedures exclusively for database access.
B.Deploy a web application firewall (WAF) with SQL injection rules.
C.Use parameterized queries or prepared statements for all database interactions.
D.Implement client-side input validation and sanitize all user input.
AnswerC

Parameterized queries ensure data is treated as data, effectively preventing SQL injection.

Why this answer

Parameterized queries (prepared statements) are the most effective defense against SQL injection because they separate SQL logic from user-supplied data at the database driver level. This ensures that user input is always treated as a literal value, never as executable SQL code, regardless of any malicious content. This approach directly prevents the attacker from altering the query structure, which is the root cause of SQL injection.

Exam trap

The trap here is that candidates often choose stored procedures (Option A) thinking they are inherently safe, but the exam tests the nuance that stored procedures are only safe if they use parameterized queries internally, not if they concatenate input into dynamic SQL.

How to eliminate wrong answers

Option A is wrong because stored procedures alone do not prevent SQL injection if they are called with dynamically concatenated SQL strings or if the stored procedure itself uses dynamic SQL without parameterization. Option B is wrong because a WAF is a reactive, signature-based defense that can be bypassed with encoding variations or novel attack patterns; it does not fix the underlying vulnerability in the application code. Option D is wrong because client-side validation is easily bypassed (e.g., by disabling JavaScript or using tools like Burp Suite), and server-side sanitization is error-prone and often insufficient against all injection vectors.

803
Multi-Selectmedium

A security engineer is reviewing the configuration of a web application firewall (WAF) that protects a critical e-commerce site. Which TWO settings should be enabled to defend against SQL injection attacks? (Select TWO.)

Select 2 answers
A.Enable SQL injection signature rules.
B.Enable input validation for all query parameters.
C.Enable rate limiting on login endpoints.
D.Enable IP reputation blocking.
E.Enable SSL/TLS inspection for all traffic.
AnswersA, B

Signature rules detect known SQL injection patterns.

Why this answer

Option A is correct because enabling SQL injection signature rules allows the WAF to inspect HTTP requests for known SQL injection patterns, such as UNION, OR 1=1, or comment sequences like '--', using a predefined rule set. Option B is correct because input validation for all query parameters ensures that user-supplied data is sanitized or rejected before reaching the application, preventing malicious SQL syntax from being interpreted by the database. Together, these controls provide both signature-based detection and behavioral prevention against SQL injection attacks.

Exam trap

The trap here is that candidates often confuse rate limiting or IP reputation as general security measures that would stop SQL injection, but these controls address different attack vectors (DoS and network-layer filtering) and do not inspect the content of requests for malicious SQL syntax.

804
MCQhard

A security engineer is reviewing a PKI deployment where the root CA is kept offline. The issuing CA signs certificates for internal applications. Recently, a subordinate CA was compromised, and the engineer needs to revoke all certificates issued by that CA. Which of the following is the most efficient method to revoke these certificates?

A.Re-issue all certificates from a different issuing CA without revocation
B.Use OCSP to individually check and revoke each certificate
C.Publish a CRL from the compromised CA listing all certificates it issued
D.Revoke the compromised CA certificate and issue a new CRL from the root CA
AnswerC

Publishing a CRL from the compromised CA marks those certificates as revoked, while the CA certificate remains valid for CRL issuance.

Why this answer

The best method is to use a CRL issued by the compromised CA, marking all its unexpired certificates as revoked. Revoking the CA certificate itself invalidates all certificates issued by it, including valid ones. Distributing a new CRL from the root CA would require the root to be online.

Individual certificate revocation is inefficient.

805
Multi-Selecteasy

An organization is creating a data classification policy. Which THREE of the following are common classification levels used in government and defense? (Select THREE.)

Select 3 answers
A.Top Secret
B.Private
C.Secret
D.Confidential
E.Public
AnswersA, C, D

Top Secret is a standard classification.

Why this answer

Common government classification levels are Unclassified, Confidential, Secret, and Top Secret. Private and Public are common in commercial classification schemes but are not standard government classification levels.

806
MCQeasy

A security analyst is reviewing a SIEM alert that indicates a user's credentials were used to log in from two different countries within a span of 10 minutes. This is likely an indicator of what type of attack?

A.Brute-force attack
B.Man-in-the-middle attack
C.Credential theft and reuse
D.Pass-the-hash attack
AnswerC

The attacker is using stolen credentials from a different location.

Why this answer

A login from two distant locations in a short time suggests credential theft and reuse, which is characteristic of a credential stuffing or account takeover attack. The attacker likely obtained the credentials and is using them from a different location.

807
MCQhard

During a security assessment, a penetration tester discovers that a smart card used for authentication is vulnerable to a timing attack. The card uses a cryptographic algorithm that has data-dependent timing variations. Which of the following algorithms is MOST likely being used on the smart card?

A.ECDSA P-384
B.SHA-256
C.AES-256-CBC
D.RSA with Chinese Remainder Theorem
AnswerD

RSA-CRT implementations often have timing variations that can be exploited to recover the private key.

Why this answer

RSA decryption (using CRT) is known to be vulnerable to timing attacks if not implemented with constant-time functions. AES is typically resistant if implemented correctly. SHA-256 is a hash function, not used for signing/decryption.

ECDSA can be vulnerable to timing attacks if not constant-time, but RSA is more commonly associated with classic timing vulnerabilities.

808
Multi-Selectmedium

A security architect is reviewing API security for a financial services platform that uses OAuth 2.0 for authorization and JWTs for token exchange. The platform must protect against common API threats such as token theft and injection attacks. Which TWO controls should be implemented to mitigate these specific threats? (Choose TWO.)

Select 2 answers
A.Implementing an API gateway
B.Using OAuth 2.0 scopes
C.Rate limiting on API endpoints
D.Input validation and sanitization
E.Short token expiration times
AnswersC, D

Rate limiting mitigates brute-force attacks on tokens and prevents denial of service.

Why this answer

Rate limiting helps prevent token brute-force and DoS attacks, while input validation prevents injection attacks (e.g., SQL injection, XSS) on API endpoints. OAuth 2.0 scopes define permissions but do not directly mitigate token theft. API gateways can enforce many policies but are not a specific control.

Short token lifetimes reduce the window of token theft but do not prevent injection.

809
MCQmedium

A DevOps team uses Ansible to automate server configuration. They need to ensure that sensitive variables like passwords are not exposed in playbook logs or version control. What is the recommended approach?

A.Use Ansible Vault to encrypt sensitive variables
B.Use environment variables only
C.Store secrets in plain text within the playbook
D.Encrypt the entire playbook file
AnswerA

Ansible Vault encrypts specific variables or files, protecting secrets.

Why this answer

Ansible Vault encrypts sensitive data, preventing exposure. Storing in plain text is insecure, environment variables can leak in logs, and encrypting the whole playbook is unnecessary and hampers readability.

810
MCQmedium

A security team is measuring the effectiveness of its incident response process. Which of the following metrics would best indicate how quickly the team can contain an incident after it is detected?

A.Mean time to respond (MTTR)
B.Vulnerabilities by severity
C.Patch compliance percentage
D.Mean time to detect (MTTD)
AnswerA

Correct: MTTR measures the time to respond and contain an incident.

Why this answer

Mean time to respond (MTTR) measures the time from detection to containment, which is directly relevant to incident response effectiveness.

811
MCQeasy

What is the primary benefit of using infrastructure as code (IaC) tools like Terraform for cloud resource provisioning?

A.It reduces cloud costs by optimizing resource usage.
B.It eliminates the need for manual configuration management.
C.It provides a declarative language to define resources, enabling version control and repeatability.
D.It automatically applies security patches to resources.
AnswerC

Declarative IaC ensures consistent and tracked deployments.

Why this answer

Option C is correct because IaC allows declarative definition of resources, enabling version control, repeatability, and consistency. Option B is exaggerated; manual configuration management is still needed. Option D is wrong because security patching is not automatic.

Option A is not a primary benefit.

812
MCQeasy

Refer to the exhibit. A security review is being conducted on the Python application configuration. Which of the following security issues is present?

A.The DB_CONNECTION environment variable is missing a default value
B.The default database connection is SQLite, which is insecure for production
C.The code does not handle the case where API_KEY is not set, potentially causing an error
D.The API key is stored in an environment variable, which is insecure
AnswerC

Using os.environ with no default will raise an exception if the variable is missing, which can lead to information disclosure or denial of service.

Why this answer

Option C is correct because os.environ['API_KEY'] will raise a KeyError if the environment variable is not set, causing the application to crash and potentially reveal error messages. Option D (environment variables are insecure) is false; they are a standard method. Option A (missing default) is false because getenv provides a default.

Option B (SQLite insecure) is not necessarily true and is not the immediate issue.

813
MCQmedium

A company deploys a web application behind a WAF. The security team discovers that the WAF allows traffic from a known malicious IP. After investigating, they find the WAF is configured to allow all traffic from a specific country for business reasons. Which of the following is the BEST course of action?

A.Deploy an additional IPS device to block the IP.
B.Remove the country-based allow rule immediately.
C.Add a specific deny rule for the malicious IP within the country allow rule, using an exception list.
D.Change the WAF from detection mode to blocking mode.
AnswerC

This allows legitimate traffic from the country while blocking the known malicious IP, addressing the threat without disrupting business.

Why this answer

Option C is correct because creating a geo-IP exception list for the malicious IP within the allowed country maintains business requirements while blocking the threat. Option B is wrong because removing the entire country allow rule may disrupt business and is too broad. Option A is wrong because an IPS is a different control; adjusting WAF rules is more direct.

Option D is wrong because changing the WAF to block mode may cause false positives and is a drastic change.

814
MCQhard

An enterprise is securing a hybrid cloud environment with on-premises and AWS workloads. They need to ensure that on-premises systems can privately access VPC resources without traversing the public internet. Which AWS service should they use?

A.AWS VPN (site-to-site)
B.AWS Transit Gateway
C.AWS PrivateLink
D.AWS Direct Connect
AnswerD

Direct Connect provides a dedicated private connection from on-premises to AWS.

Why this answer

AWS Direct Connect provides a dedicated private network connection from on-premises to AWS, bypassing the internet for lower latency and increased security.

815
MCQmedium

A threat hunter hypothesizes that a sophisticated attacker is using DNS tunneling for command and control. Which data source would most likely confirm this activity?

A.Network flow data (NetFlow)
B.DNS query logs from authoritative/internal DNS servers
C.Endpoint antivirus alerts
D.Web proxy logs
AnswerB

DNS logs contain query names and types; tunneling leaves unusual patterns.

Why this answer

Option B is correct because DNS logs contain queries and responses; anomalous patterns like large TXT records or high query frequency indicate tunneling. Option A is wrong because flow data shows traffic volumes and endpoints but not DNS content. Option C is wrong because antivirus may not detect tunneling.

Option D is wrong because web proxy logs show HTTP traffic.

816
MCQhard

A security team needs to automate the enforcement of cloud security policies across multiple accounts in AWS. They want a solution that uses code to define policies and automatically remediate violations. Which approach best meets these requirements?

A.Write Python boto3 scripts that run on a schedule to check and update security groups.
B.Use AWS Config with managed rules and custom Lambda functions for auto-remediation.
C.Enable AWS GuardDuty and rely on its threat detection alerts.
D.Deploy a third-party cloud security posture management (CSPM) tool like Prisma Cloud.
AnswerB

AWS Config rules are defined in code (JSON) and remediation via Lambda automates enforcement.

Why this answer

Option B is correct because AWS Config rules with custom Lambda functions can automate remediation. Option A is a manual, scripted approach.

Option D is a separate tool. Option C is reactive, not automated.

817
MCQeasy

A company wants to automate the creation of IAM roles and policies in AWS using infrastructure as code. Which tool is specifically designed for provisioning cloud infrastructure across multiple providers?

A.Terraform
B.Jenkins
C.Docker
D.Ansible
AnswerA

Terraform is a declarative IaC tool for cloud provisioning.

Why this answer

Terraform is an IaC tool focused on provisioning resources across cloud providers. Docker handles containers, Ansible is configuration management, and Jenkins is CI/CD.

818
MCQmedium

A security analyst at a large enterprise notices that several servers have missing security patches that are critical. The patch management process requires approval from the change advisory board (CAB) which meets weekly. The next meeting is in three days, but the vulnerability is being actively exploited. What should the analyst do?

A.Implement temporary compensating controls until the CAB approves.
B.Apply the patches immediately without waiting for CAB approval.
C.Notify the system owners and leave the decision to them.
D.Document the issue and wait for the CAB meeting.
AnswerA

Compensating controls mitigate risk while following the change management process.

Why this answer

A is correct. Implementing compensating controls reduces immediate risk while awaiting formal approval. Immediate patching bypasses change control and may cause instability.

Waiting is too slow. Leaving the decision to the owners abdicates responsibility.

819
MCQmedium

A vulnerability has a CVSS base score of 9.8. The vulnerability is present on a server that is not exposed to the internet but is accessible to internal users with valid credentials. Which CVSS metric should be adjusted to reflect the reduced risk?

A.None, the base score should be used as-is
B.Temporal score
C.Environmental score
D.Base score
AnswerC

Environmental score adjusts for local context, such as access restrictions.

Why this answer

The Environmental Score allows customization based on specific organizational context, such as modified access requirements.

820
MCQmedium

A security architect is designing a zero-trust network architecture for a hybrid cloud environment. The company uses on-premises servers and AWS. Which of the following best implements the principle of least privilege for inter-component communication?

A.Deploy an SD-WAN with dynamic path selection and encryption for all inter-site traffic.
B.Implement micro-segmentation with stateful firewalls and explicit allow rules between each workload.
C.Use network ACLs on the cloud VPC and on-premises routers to deny all traffic by default, then allow required ports.
D.Deploy a site-to-site VPN and route all inter-component traffic through a VPN concentrator.
AnswerB

Micro-segmentation with explicit allow rules ensures only necessary traffic is permitted, adhering to least privilege.

Why this answer

Option B is correct because micro-segmentation with stateful firewalls and explicit allow rules enforces least privilege at the workload level, ensuring that only explicitly permitted inter-component traffic is allowed. This approach is fundamental to zero-trust architectures, as it reduces the attack surface by preventing lateral movement, even within the same subnet or VPC.

Exam trap

The CAS-004 exam often tests the misconception that network-layer controls like ACLs or VPNs are sufficient for zero-trust least privilege. They lack workload-level granularity, and subnet ACLs (AWS network ACLs included) are stateless, so they cannot track connections the way micro-segmentation enforcement points do.

How to eliminate wrong answers

Option A is wrong because SD-WAN with dynamic path selection and encryption focuses on optimizing and securing inter-site connectivity, not on granular per-workload access control; it does not enforce least privilege between individual components. Option C is wrong because network ACLs and on-premises routers operate at the subnet or network layer, not at the workload level, and they lack stateful inspection, making them insufficient for fine-grained, per-component allow rules required for zero-trust. Option D is wrong because a site-to-site VPN with a concentrator creates a tunnel for all inter-component traffic but does not provide per-workload segmentation or explicit allow rules; it merely encrypts traffic without controlling which specific components can communicate.
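To make the difference between options B and C concrete, here is an added example (not from the page) that models both on constructed flow records: a per-workload allow list with connection tracking against a port-based subnet ACL. Workload tags, rules and flows are hypothetical; the stateless ACL opens the ephemeral port range so that replies can get through, which is what subnet ACLs are typically forced to do.

```python
"""
Toy evaluator for workload-level micro-segmentation (added example, not from the exam
page). It contrasts the stateful, explicit-allow model of option B with a stateless
subnet ACL like option C on constructed flow records. Workload tags, rules and flows
are hypothetical.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

# Inventory: IP -> workload tag (constructed). web and app share subnet 10.0.1.0/24.
WORKLOADS = {"10.0.1.10": "web", "10.0.1.11": "web", "10.0.1.20": "app",
             "10.0.2.30": "db", "10.0.1.50": "jump"}
# Explicit allow rules between workload tags; anything not listed is denied.
ALLOW = {("web", "app", 8443), ("app", "db", 5432), ("jump", "app", 22)}

class StatefulSegmentation:
    """Per-workload allow list plus connection tracking, as in option B."""
    def __init__(self, allow, workloads):
        self.allow, self.workloads = allow, workloads
        self.established = set()   # forward flows that were already permitted

    def evaluate(self, f: Flow) -> bool:
        # A reply to a tracked flow is permitted without needing its own rule.
        if (f.dst, f.dport, f.src, f.sport, f.proto) in self.established:
            return True
        rule = (self.workloads.get(f.src), self.workloads.get(f.dst), f.dport)
        if rule in self.allow:
            self.established.add((f.src, f.sport, f.dst, f.dport, f.proto))
            return True
        return False

def stateless_acl(f: Flow, service_ports=frozenset({8443, 5432, 22})) -> bool:
    """Subnet ACL, as in option C: port-based, no idea which workload is talking and
    no connection state, so the ephemeral range must be open for replies."""
    return f.dport in service_ports or 32768 <= f.dport <= 60999

FLOWS = [  # constructed sample traffic
    Flow("10.0.1.10", 51000, "10.0.1.20", 8443),   # web -> app, allowed by rule
    Flow("10.0.1.20", 8443, "10.0.1.10", 51000),   # app -> web, reply to the flow above
    Flow("10.0.1.10", 51001, "10.0.1.11", 22),     # web -> web SSH on the same subnet (lateral)
    Flow("10.0.1.10", 51002, "10.0.2.30", 5432),   # web -> db, bypassing the app tier
    Flow("10.0.1.20", 40000, "10.0.1.10", 51001),  # app -> web, no matching tracked flow
]

def compare(flows=FLOWS) -> list:
    """Return (flow, micro-segmentation verdict, subnet-ACL verdict) for each flow."""
    seg = StatefulSegmentation(ALLOW, WORKLOADS)
    return [(f, seg.evaluate(f), stateless_acl(f)) for f in flows]

if __name__ == "__main__":
    for f, micro, acl in compare():
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport:<5} "
              f"micro-seg={'ALLOW' if micro else 'DENY ':<5}  subnet-acl={'ALLOW' if acl else 'DENY'}")
```

The subnet ACL passes all five flows, including the web-to-web SSH hop and the web-to-database shortcut, because it can only reason about ports; the workload policy passes the two legitimate ones and nothing else.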

821
Multi-Selectmedium

A SOC team is implementing a SOAR playbook to automate the response to phishing emails reported by users. The playbook should perform initial triage and, if the email is determined to be malicious, take containment actions. Which TWO of the following actions should be included in the playbook? (Choose TWO.)

Select 2 answers
A.Send an alert to the user's manager for approval
B.Automatically create a ticket in the service desk system
C.Automatically block the sender's email address in the email gateway
D.Initiate a full antivirus scan on the user's workstation
E.Extract embedded URLs and file hashes for threat intelligence lookup
AnswersC, E

Option E is the triage step (enrich the report with threat intelligence); option C is the containment action that stops further mail from that sender.

Why this answer

Common phishing response playbooks extract URLs and attachment hashes for threat-intelligence lookup and, on a malicious verdict, automatically block the sender's address at the gateway. Creating a ticket documents the case but is not a containment action, and scanning the user's machine belongs to eradication rather than initial containment. In practice the automatic block should be conditional: attackers rotate sending addresses, and a spoofed internal or partner address should be escalated to an analyst rather than blocked outright, since blocking it would cut off the legitimate mailbox.
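As an added example (not from the page), here is the core of such a playbook in Python: it parses the reported message, extracts URLs and attachment hashes (option E), matches them against a threat-intelligence source, and only on a hit emits the containment actions (option C). The sample message, the intel tables and the organization's domain are constructed; a real playbook would call the TI platform and email gateway APIs where the dicts and returned action strings are used here.

```python
"""
Phishing-triage helper for a SOAR playbook (added example, not from the exam page).
It does what options E and C describe: extract URLs and attachment hashes from the
reported message, look them up, and only on a malicious verdict emit the containment
step (block the sender). The sample message, the intel tables and ORG_DOMAIN are
constructed; a real playbook would call the TI platform and email gateway APIs here.
"""
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
ORG_DOMAIN = "example.test"                                # assumed internal domain
KNOWN_BAD_URLS = {"http://reset.mail-example.test/login"}  # constructed intel hit
KNOWN_BAD_HASHES = set()                                   # constructed (no hash hits)

def build_sample() -> bytes:
    """Constructed user-reported phish: lookalike sender, credential-harvest link, EXE."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@mail-example.test>"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Password expires today"
    msg.set_content("Reset here: http://reset.mail-example.test/login")
    msg.add_alternative('<a href="https://cdn.example.test/ok.png">logo</a>\n'
                        '<a href="http://reset.mail-example.test/login">Reset</a>',
                        subtype="html")
    msg.add_attachment(b"MZ\x90\x00fake-dropper", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()

def extract_iocs(raw: bytes) -> dict:
    """Triage step (option E): sender, every URL in text/html parts, SHA-256 of attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    urls, hashes = set(), {}
    for part in msg.walk():
        if part.is_attachment():
            payload = part.get_payload(decode=True) or b""
            hashes[part.get_filename() or "unnamed"] = hashlib.sha256(payload).hexdigest()
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return {"sender": parseaddr(msg.get("From", ""))[1].lower(),
            "urls": sorted(urls), "hashes": hashes}

def triage(iocs: dict, bad_urls=KNOWN_BAD_URLS, bad_hashes=KNOWN_BAD_HASHES) -> dict:
    """Verdict plus containment actions (option C). A From address in our own domain is
    not auto-blocked: it is almost certainly spoofed, and blocking it would cut off the
    real mailbox, so the playbook escalates to an analyst instead."""
    hits = {"urls": [u for u in iocs["urls"] if u in bad_urls],
            "hashes": {n: h for n, h in iocs["hashes"].items() if h in bad_hashes}}
    malicious = bool(hits["urls"] or hits["hashes"])
    actions = []
    if malicious:
        actions += [f"block_url:{u}" for u in hits["urls"]]
        if iocs["sender"].endswith("@" + ORG_DOMAIN):
            actions.append(f"escalate_spoofed_internal_sender:{iocs['sender']}")
        else:
            actions.append(f"block_sender:{iocs['sender']}")
    return {"malicious": malicious, "hits": hits, "actions": actions}

if __name__ == "__main__":
    found = extract_iocs(build_sample())
    print(found)
    print(triage(found))
```

The ticket the page mentions would be opened unconditionally before this logic runs, so that even a benign verdict leaves a record; only the block actions are gated on the verdict.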

822
MCQeasy

A company wants to ensure that only authorized code runs on its point-of-sale (POS) terminals. Which technology should be implemented?

A.Application whitelisting
B.Code signing
C.Trusted Platform Module (TPM)
D.Secure Boot
AnswerB

Code signing binds each executable to a publisher's certificate, and the terminal verifies the signature before the code is allowed to run.

Why this answer

Code signing ensures that executables carry a verifiable publisher signature, and the system rejects unsigned or tampered binaries before execution. In practice the enforcement layer on a POS build is an application allow-listing policy (AppLocker, WDAC or the vendor's equivalent) whose rules are usually keyed on the signer rather than on individual file hashes, so the two controls are complementary; the key here treats code signing as the underlying technology that makes "authorized" verifiable, and the explanation that allow-listing is merely a policy is too dismissive. Secure Boot protects only the boot chain, and a TPM provides key storage and attestation but does not itself decide what may execute.

823
Multi-Selectmedium

A security analyst is investigating a potential data exfiltration incident. The analyst needs to preserve evidence for legal proceedings. Which two actions must the analyst take to maintain the chain of custody? (Select TWO).

Select 2 answers
A.Encrypt the evidence with a personal key
B.Share the evidence with all team members for analysis
C.Document every person who accesses the evidence and the time of access
D.Run antivirus scans on the evidence to ensure it is safe
E.Create a forensic image of the hard drive using a write-blocker
AnswersC, E

Chain of custody requires a record of evidence handling.

Why this answer

Documenting who handled the evidence and when, together with imaging through a write-blocker and recording the acquisition hash, preserves integrity and admissibility. Encrypting with a personal key, sharing the evidence freely or scanning it with antivirus all either alter the evidence or leave handling undocumented.
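The record-keeping half of options C and E, as an added example that is not from the page: hash the source and the image, and keep a custody log in which every entry commits to the previous one, so that an edited or deleted handling record is detectable. The "device" is a constructed byte string, and the case number, custodians and timestamps are hypothetical; the write-blocker itself is hardware and is outside what this script can show.

```python
"""
Evidence hashing and a hash-chained chain-of-custody log (added example, not from the
exam page). The write-blocker keeps the source read-only in hardware; this covers the
software side: hash the image at acquisition and record every handling event so that
each entry commits to the one before it. The "device" is a constructed byte string and
the case id, custodian names and timestamps are hypothetical.
"""
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire(source: bytes) -> tuple:
    """Return (image, acquisition_hash). A real acquisition streams the device through
    the write-blocker and hashes source and image independently."""
    image = bytes(source)
    return image, sha256_hex(image)

class CustodyLog:
    def __init__(self, evidence_id: str, acquisition_hash: str, custodian: str, when: str):
        self.evidence_id = evidence_id
        self.entries = []
        self.record("acquired", custodian, f"sha256={acquisition_hash}", when)

    def record(self, action: str, custodian: str, note: str, when: str = None) -> dict:
        """Append one handling event; entry_hash covers the entry including prev_hash."""
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"evidence_id": self.evidence_id, "action": action, "custodian": custodian,
                 "note": note, "time": when or datetime.now(timezone.utc).isoformat(),
                 "prev_hash": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks a later prev_hash."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or \
               sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def verify_image(image: bytes, log: CustodyLog) -> bool:
    """Image still matches the hash recorded at acquisition (read from the verified chain)."""
    if not log.verify():
        return False
    recorded = log.entries[0]["note"].split("sha256=", 1)[1]
    return sha256_hex(image) == recorded

if __name__ == "__main__":
    device = b"NTFS    " + bytes(range(256)) * 4          # constructed "disk"
    image, digest = acquire(device)
    log = CustodyLog("CASE-0001-HDD1", digest, "J. Doe (analyst)", "2024-05-01T09:00:00+00:00")
    log.record("transferred", "K. Lee (evidence custodian)", "sealed bag 4471",
               "2024-05-01T10:30:00+00:00")
    log.record("accessed", "J. Doe (analyst)", "read-only mount for keyword search",
               "2024-05-02T08:15:00+00:00")
    print("chain intact:", log.verify(), "image matches:", verify_image(image, log))
```

The chaining is what makes the log useful in court: a single altered custodian name or timestamp changes that entry's hash and every prev_hash after it, so the alteration cannot be hidden without rewriting the whole log.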

824
MCQmedium

An incident responder notices that a compromised host is sending encrypted C2 traffic over TCP port 443. The existing firewall rule allows outbound HTTPS (443) to any destination. Which change to the security architecture would best detect this behavior while minimizing impact on legitimate traffic?

A.Deploy a forward proxy with SSL/TLS inspection
B.Block outbound TCP 443 and require users to use a VPN
C.Enable logging on the firewall for all outbound 443 traffic
D.Install a network-based IDS on the internal side of the firewall
AnswerA

A proxy can decrypt, inspect, and re-encrypt traffic to detect malicious payloads.

Why this answer

An SSL/TLS inspection proxy decrypts outbound traffic for inspection and re-encrypts it, so malicious content can be detected while legitimate HTTPS keeps working. Deploying it requires the proxy's CA certificate to be trusted on every endpoint, breaks applications that pin certificates, and usually needs bypass lists for traffic that must not be decrypted (banking, health and similar categories), so the architecture change is still significant even though it is the least disruptive of the options. Option B is wrong because blocking all outbound 443 breaks normal functionality. Option C is wrong because more firewall logging records connections but does not reveal the encrypted content.

Option D is wrong because, without decryption, an IDS sees only connection metadata (destination, SNI, certificate details, timing), not the payload.

825
MCQhard

A large enterprise is designing a disaster recovery site that must support rapid failover with minimal data loss. The primary data center is 50 miles away. The RPO is 1 minute, and RTO is 15 minutes. Which replication strategy best meets these requirements?

A.Log shipping with a 5-minute delay.
B.Synchronous replication over dedicated low-latency fiber links.
C.Scheduled snapshot-based replication every 30 minutes.
D.Asynchronous replication with continuous data protection.
AnswerB

Synchronous replication gives a recovery point of zero at the storage layer, so the 1-minute RPO is met with margin, and the DR copy is always current, which supports a fast failover, provided the link latency is low enough that write acknowledgement times stay acceptable.

Why this answer

Synchronous replication writes data to both the primary and secondary sites before acknowledging the write to the application, so no acknowledged write can be lost. Over roughly 80 km of fibre the propagation delay alone is about 0.8 ms round trip, so total round-trip time on a dedicated link is on the order of 1 ms, well within the few-millisecond budget that synchronous replication normally tolerates; at much longer distances the added write latency becomes the limiting factor. The RPO is therefore effectively zero. Meeting the 15-minute RTO still depends on the failover runbook and automation, since replication only guarantees that the current data is present at the DR site.

Exam trap

The trap here is that candidates often choose asynchronous replication (Option D) thinking "continuous data protection" implies zero data loss. Asynchronous replication acknowledges the write to the application as soon as it is committed locally, before the remote copy has it, so writes still in flight at the moment of failure are lost; it is synchronous replication, not asynchronous, that adds the remote round trip to every write acknowledgement.

How to eliminate wrong answers

Option A is wrong because log shipping with a 5-minute delay introduces a recovery point of at least 5 minutes, exceeding the 1-minute RPO, and failover requires applying logs, which can take longer than 15 minutes. Option C is wrong because scheduled snapshot-based replication every 30 minutes creates a maximum data loss of 30 minutes, far exceeding the 1-minute RPO, and snapshots do not support rapid failover without additional recovery steps. Option D is the closest distractor: asynchronous CDP typically keeps replication lag to seconds and could satisfy a 1-minute RPO on paper, but it acknowledges writes before the remote copy commits, so some acknowledged data can still be lost, and selecting a consistent recovery point from the CDP journal adds steps to the failover that threaten the 15-minute RTO. The question asks for minimal data loss at a distance short enough for synchronous replication, which is why B is the best answer.
