CompTIA SecurityX CAS-004 (CAS-004) — Questions 976–1000

1000 questions total · 14 pages · All types, answers revealed

Page 13

Page 14 of 14

976
Multi-Select · easy

An analyst wants to automate incident response tasks in a SOC environment. Which THREE scripting languages are commonly used for automation? (Choose three.)

Select 3 answers
A.Python
B.PowerShell
C.Java
D.COBOL
E.Bash
Answers: A, B, E

Python is popular for its rich libraries and cross-platform support.

Why this answer

Python, Bash, and PowerShell are widely used for security automation due to cross-platform support, extensive libraries, and native system integration. Java is less common for quick automation, and COBOL is obsolete.

977
Multi-Select · medium

A security architect is designing a secure OTA update mechanism for IoT devices. Which TWO features are essential to ensure the integrity and authenticity of firmware updates?

Select 2 answers
A.Firmware encryption with AES-256-CTR
B.Secure boot chain that verifies the signature of the update before installation
C.Use of a hardware security module (HSM) on the device for key storage
D.Compression of the firmware image to reduce transfer size
E.Digital signature using ECDSA P-384
Answers: B, E

Secure boot ensures that only signed updates are installed.

Why this answer

Digital signatures provide authenticity and integrity: the device verifies the vendor's signature over the image before installing it, and a secure boot chain extends that check to boot time so unsigned or modified firmware never executes. Encryption alone (A) gives confidentiality, not authenticity; AES-CTR in particular is malleable, so an attacker can flip bits in an encrypted image undetected unless the image is also signed or authenticated. An on-device HSM (C) hardens key storage and compression (D) saves bandwidth, but neither is what establishes that an update is genuine.

978
MCQ · hard

Refer to the exhibit. A web server is unable to connect to a local database socket. Which of the following actions would MOST likely resolve this issue?

A.Disable SELinux entirely
B.Restart the httpd service
C.Change the SELinux enforcing mode to permissive
D.Add an SELinux policy module to allow httpd_t to connect to unconfined_t
Answer: D

This creates a targeted policy rule to allow the specific connection while maintaining enforcement.

Why this answer

The SELinux denial indicates that the httpd process (httpd_t domain) is not allowed to connect to a socket labelled unconfined_t. Building a small custom policy module from the audit log (audit2allow -M, then semodule -i) authorises that one access while the rest of the policy stays enforcing. Before writing a module, check whether an existing boolean already covers the access (getsebool -a | grep httpd); for a confined database the targeted policy usually does. Permissive mode or disabling SELinux removes protection for every process on the host and is not an acceptable long-term fix.

Restarting the service will not change the policy.
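The following is an added example, not part of the original question set or of any SELinux tool: a simplified stand-in for what audit2allow does when it turns AVC denials into a Type Enforcement (.te) module. The two audit lines are constructed to match the scenario (httpd_t needs write on the socket file and connectto on the listening unconfined_t process). In practice you would run ausearch -m AVC -ts recent | audit2allow -M httpd_local_db, read the generated .te file with the same scepticism you would apply to this output, and only then semodule -i httpd_local_db.pp.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed audit.log lines matching the question: httpd (httpd_t) is denied
# the two accesses it needs to reach a local database socket.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1700000000.101:301): avc:  denied  { write } for  pid=1234 '
    'comm="httpd" name="mysqld.sock" dev="tmpfs" ino=42 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 '
    'tclass=sock_file permissive=0',
    'type=AVC msg=audit(1700000000.102:302): avc:  denied  { connectto } for  pid=1234 '
    'comm="httpd" path="/run/mysqld/mysqld.sock" '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=unix_stream_socket permissive=0',
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Denial:
    source_type: str
    target_type: str
    tclass: str
    perms: frozenset


def parse_avc(line):
    """Return the Denial described by one AVC line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A security context is user:role:type[:range]; the type is always field 3.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return Denial(stype, ttype, m.group("tclass"), frozenset(m.group("perms").split()))


def _merge(denials):
    """Collapse denials into one permission set per (source, target, class)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d.source_type, d.target_type, d.tclass)].update(d.perms)
    return merged


def _perm_set(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def te_rules(denials):
    """allow rules in Type Enforcement syntax, one per (source, target, class)."""
    return [f"allow {s} {t}:{c} {_perm_set(p)};"
            for (s, t, c), p in sorted(_merge(denials).items())]


def te_module(name, denials):
    """A complete .te source: module header, require block, allow rules."""
    merged = _merge(denials)
    types = sorted({s for s, _, _ in merged} | {t for _, t, _ in merged})
    classes = defaultdict(set)
    for (_, _, c), perms in merged.items():
        classes[c].update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {_perm_set(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + te_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denials = [d for d in map(parse_avc, SAMPLE_AUDIT_LINES) if d]
    print(te_module("httpd_local_db", denials))
```

The output is deliberately narrow: one rule per denied class rather than a blanket allow for httpd_t. Review every rule before loading it; a denial against unconfined_t, as here, is also a hint that the database itself is running unconfined, and confining it (so the stock policy's httpd/database rules apply) may be the better fix than a custom module.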

979
MCQ · medium

During an incident response engagement, the security team identifies that a compromised host has been communicating with multiple external IP addresses using encrypted channels. The team needs to determine which processes initiated the connections. Which type of evidence collection should be performed first to preserve the most volatile data?

A.Export the Windows event logs related to network activity
B.Execute a network scan from the compromised host to identify active connections
C.Capture a full disk image using FTK Imager
D.Perform a memory capture using a tool like DumpIt or winpmem
Answer: D

Memory capture preserves the most volatile data, including running processes and network connections, which is critical for identifying malicious processes.

Why this answer

In digital forensics, the order of volatility dictates that volatile data (e.g., running processes, network connections) should be collected first because it is lost when the system is powered down. Memory capture preserves this data, including process information and active network connections.

980
MCQ · medium

During a secure SDLC, a development team is reviewing code for security flaws early in the development process. Which type of testing is MOST appropriate for identifying vulnerabilities in source code before it is compiled?

A.DAST
B.SAST
C.IAST
D.RASP
Answer: B

SAST analyzes source code before compilation.

Why this answer

SAST (Static Application Security Testing) analyzes source code at rest to find vulnerabilities like injection flaws, without executing the code.

981
MCQ · medium

A security engineer is implementing a solution to securely store and manage cryptographic keys for a fleet of IoT devices. The devices have limited processing power and cannot perform asymmetric operations. Which of the following is the BEST approach?

A.Use a cloud-based Hardware Security Module (HSM) to generate and store keys, and provision them to devices during manufacturing.
B.Install a Trusted Platform Module (TPM) in each device to store keys on the device.
C.Use a cloud KMS to generate and wrap keys, then store the wrapped key in the device.
D.Store keys in obfuscated form in the device firmware and use a custom algorithm for encryption.
Answer: A

A cloud HSM provides secure key generation, storage, and lifecycle management; provisioning keys during manufacturing ensures they are not exposed.

Why this answer

Option A is correct because a cloud HSM gives validated key generation, storage, and lifecycle management for the whole fleet, and provisioning symmetric keys at manufacture means the device only ever performs the symmetric operations it can afford. Option B is wrong because a TPM provides device identity and protected storage for a single device, adds per-device hardware cost, and does not by itself give fleet-wide key management. Option C is wrong because a key wrapped by a cloud KMS still has to be unwrapped on the device, which requires another key on the device; the device ends up holding long-term key material anyway. Option D is wrong because obfuscation and a custom algorithm are not security controls: keys embedded in firmware can be extracted, and an unreviewed cipher cannot be trusted.

982
MCQ · hard

A security engineer is configuring a SIEM correlation rule to detect a potential data exfiltration attempt. The rule should trigger when a single internal host sends more than 10 MB of data to an external IP address that has never been communicated with before, within a 5-minute window. Additionally, the external IP should not be on any whitelist. Which correlation logic best implements this detection?

A.Alert when a host sends >10 MB to an external IP that is not in the whitelist and not seen in the last 24 hours, aggregated over 5 minutes.
B.Alert when a host sends >10 MB to an external IP not in the whitelist and the destination port is 443.
C.Alert when any host sends >10 MB to an external IP not in the whitelist within 5 minutes.
D.Alert when a host sends >10 MB to any external IP aggregated over 5 minutes, then filter out whitelisted IPs.
Answer: A

Correctly aggregates volume and checks for new destination and whitelist.

Why this answer

The rule must aggregate bytes from a single source host to a single destination IP over a 5-minute window, compare the total with the 10 MB threshold, and confirm that the destination is both absent from the whitelist and unseen in the previous 24 hours (the "never communicated with before" condition). Option A is the only choice that combines all three tests. Option B replaces the new-destination check with a port filter, option C drops the new-destination check and does not tie the volume to one host, and option D applies the whitelist only after alerting, so approved destinations still generate alerts.
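As an added example (not from the original page, and not the syntax of any particular SIEM), the logic of option A written out over constructed flow records: a per-(source, destination) sliding 5-minute window, a 10 MB threshold, an allowlist check, and a "new destination" test that looks at the last contact with that IP in the 24 hours before the burst began. The internal ranges, allowlist, prior-contact table and flow records are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

WINDOW = timedelta(minutes=5)            # aggregation window
NEW_DEST_LOOKBACK = timedelta(hours=24)  # "never communicated with before"
THRESHOLD_BYTES = 10 * 1024 * 1024       # 10 MB

# Asset ranges and allowlist: constructed for the example (a SIEM would pull
# these from its asset inventory and a lookup table).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWLIST = {"203.0.113.10"}


def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


BASE = _ts("2024-05-01T10:00:00")
MB = 1024 * 1024

# Constructed: most recent contact with each external IP before this data set.
PRIOR_CONTACTS = {"198.51.100.7": BASE - timedelta(hours=2)}

# Constructed flow records: (timestamp, src, dst, bytes sent by src)
FLOWS = [
    (BASE + timedelta(minutes=0), "10.0.0.5", "198.51.100.7", 5 * MB),   # known dst
    (BASE + timedelta(minutes=1), "10.0.0.8", "192.0.2.44", 4 * MB),     # new dst
    (BASE + timedelta(minutes=2), "10.0.0.5", "198.51.100.7", 5 * MB),
    (BASE + timedelta(minutes=2), "10.0.0.8", "203.0.113.10", 50 * MB),  # allowlisted
    (BASE + timedelta(minutes=3), "10.0.0.8", "192.0.2.44", 4 * MB),
    (BASE + timedelta(minutes=3), "10.0.0.9", "192.0.2.99", 6 * MB),     # new dst, slow
    (BASE + timedelta(minutes=4), "10.0.0.5", "198.51.100.7", 5 * MB),
    (BASE + timedelta(minutes=4), "10.0.0.9", "10.0.0.20", 100 * MB),    # internal
    (BASE + timedelta(minutes=5), "10.0.0.8", "192.0.2.44", 3 * MB),     # crosses 10 MB
    (BASE + timedelta(minutes=9), "10.0.0.9", "192.0.2.99", 6 * MB),     # outside window
]


def is_internal(ip):
    a = ip_address(ip)
    return any(a in n for n in INTERNAL_NETS)


def detect_exfil(flows, prior_contacts, allowlist=ALLOWLIST):
    """Return one alert per (src, dst) burst that meets all conditions of option A."""
    last_seen = dict(prior_contacts)       # dst -> time of most recent contact
    bursts = defaultdict(deque)            # (src, dst) -> deque of (ts, bytes) in window
    burst_is_new = {}                      # decided once, at the first flow of a burst
    alerted, alerts = set(), []
    for ts, src, dst, nbytes in sorted(flows):
        if not is_internal(src) or is_internal(dst) or dst in allowlist:
            continue
        key = (src, dst)
        q = bursts[key]
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        if not q:  # a new burst starts: was dst contacted in the last 24 h?
            prev = last_seen.get(dst)
            burst_is_new[key] = prev is None or ts - prev > NEW_DEST_LOOKBACK
            alerted.discard(key)
        q.append((ts, nbytes))
        total = sum(b for _, b in q)
        if burst_is_new[key] and total > THRESHOLD_BYTES and key not in alerted:
            alerts.append({"src": src, "dst": dst, "bytes": total,
                           "window_start": q[0][0], "window_end": ts})
            alerted.add(key)
        last_seen[dst] = ts
    return alerts


if __name__ == "__main__":
    for a in detect_exfil(FLOWS, PRIOR_CONTACTS):
        print(f"{a['src']} -> {a['dst']}: {a['bytes'] // MB} MB between "
              f"{a['window_start']:%H:%M} and {a['window_end']:%H:%M}")
```

Only 10.0.0.8 to 192.0.2.44 fires: 198.51.100.7 moves more data but was contacted two hours earlier, 203.0.113.10 is allowlisted, and 192.0.2.99 never exceeds 10 MB inside any 5-minute window. The "new destination" decision is made once per burst so that the burst's own first flow does not make the destination look familiar to its second.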

983
MCQ · hard

During a security review, a developer discovers that a containerized application runs with root privileges. Which of the following is the most secure approach to mitigate this risk while maintaining functionality?

A.Set the container to run as a non-root user and drop all unnecessary capabilities
B.Disable root login inside the container by modifying /etc/passwd
C.Use a read-only root filesystem for the container
D.Enable SELinux or AppArmor on the host
Answer: A

Why this answer

Running a container as a non-root user with dropped capabilities is the most secure approach because it follows the principle of least privilege. By default, containers run as root, which grants unnecessary kernel capabilities that could be exploited for privilege escalation. Setting a non-root user and using `--cap-drop=ALL` with selective `--cap-add` ensures the application retains only required permissions, reducing the attack surface without breaking functionality.

Exam trap

The CAS-004 exam often tests the misconception that disabling root login or using filesystem restrictions (read-only) is sufficient, when the real risk is the container process running as UID 0 with full capabilities, which requires explicit user context and capability dropping to mitigate.

Why the other options are wrong

B

Disabling root login does not prevent the container process from running as root; the process still has root privileges.

C

A read-only filesystem limits writes but does not reduce privileges; the container still runs as root.

D

These are mandatory access control mechanisms that can confine a process, but they do not directly address the root privilege issue; combining with non-root user is better.
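An added example, not from the original page: a small audit over docker inspect-style records that flags exactly the conditions this question is about (process running as UID 0, default capability set retained, dangerous capabilities added back, privileged mode). The three records are constructed and use only the real Config.User and HostConfig.Privileged/CapAdd/CapDrop/ReadonlyRootfs fields; the first one has a read-only root filesystem precisely to show that it still fails the check.

```python
# Constructed docker-inspect style records (a subset of the real fields).
CONTAINERS = [
    {"Name": "/legacy-api",
     "Config": {"User": ""},                       # empty => runs as root
     "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": None,
                    "ReadonlyRootfs": True}},      # read-only fs, still root
    {"Name": "/api",
     "Config": {"User": "10001:10001"},
     "HostConfig": {"Privileged": False, "CapAdd": ["NET_BIND_SERVICE"],
                    "CapDrop": ["ALL"], "ReadonlyRootfs": True}},
    {"Name": "/debug",
     "Config": {"User": "root"},
     "HostConfig": {"Privileged": False, "CapAdd": ["SYS_PTRACE", "NET_ADMIN"],
                    "CapDrop": ["ALL"], "ReadonlyRootfs": False}},
]

# Capabilities that commonly lead to container escape or host impact.
HIGH_RISK_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "SYS_RAWIO",
                  "DAC_READ_SEARCH", "DAC_OVERRIDE", "SETUID", "SETGID", "BPF"}


def runs_as_root(user):
    """Config.User is '', 'name', 'uid', 'name:group' or 'uid:gid'; '' means root."""
    if not user:
        return True
    return user.split(":")[0] in ("0", "root")


def _bare(cap):
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(c):
    """Return a list of findings; an empty list means the container passes."""
    findings = []
    hc = c["HostConfig"]
    if hc.get("Privileged"):
        findings.append("privileged: full capability set and host device access")
    if runs_as_root(c["Config"].get("User", "")):
        findings.append("runs as UID 0: set USER in the Dockerfile or pass --user")
    dropped = {_bare(x) for x in (hc.get("CapDrop") or [])}
    added = {_bare(x) for x in (hc.get("CapAdd") or [])}
    if "ALL" not in dropped:
        findings.append("default capability set kept: use --cap-drop=ALL and add back only what is needed")
    risky = sorted(HIGH_RISK_CAPS & added)
    if risky:
        findings.append("escape-prone capabilities added back: " + ", ".join(risky))
    return findings


def audit_all(containers):
    return {c["Name"]: audit_container(c) for c in containers}


if __name__ == "__main__":
    for name, findings in audit_all(CONTAINERS).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The passing record corresponds to a run line such as docker run --user 10001:10001 --cap-drop=ALL --cap-add=NET_BIND_SERVICE --read-only; note that /legacy-api is flagged twice despite its read-only root filesystem, which is the exam trap above in code.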

984
Multi-Select · hard

An organization is deploying a new cloud-based application that processes personally identifiable information (PII). The security team must ensure data at rest is encrypted. Which THREE of the following controls should be implemented to protect the data? (Select THREE.)

Select 3 answers
A.Use tokenization for all PII fields in the database.
B.Implement a key management system (KMS) with automatic key rotation.
C.Enable transparent data encryption (TDE) on the database.
D.Use AES-256 encryption for all stored data.
E.Configure TLS 1.3 for all data connections.
Answers: B, C, D

Proper key management and rotation are critical to maintaining encryption security.

Why this answer

Option B is correct because a key management system with automatic rotation keeps the encryption keys stored, rotated, and access-controlled separately from the data; without it, encryption is only as strong as the handling of the keys, and a compromised or stale key renders it ineffective. Option C is correct because transparent data encryption encrypts the database files and backups on disk without application changes. Option D is correct because AES-256 is the accepted algorithm for encrypting stored data. Option A is wrong because tokenization replaces PII with surrogate values rather than encrypting the stored data, and option E is wrong because TLS 1.3 protects data in transit, not at rest.

Exam trap

The CAS-004 exam often tests the distinction between encryption for data at rest (e.g., TDE, AES-256, KMS) and encryption for data in transit (e.g., TLS), so candidates mistakenly select TLS as a data-at-rest control.

985
MCQ · medium

A company is designing a new data center with high availability requirements. The network team proposes using virtualized network functions (VNFs) on commodity hardware to reduce costs. Which security consideration is MOST important when implementing this design?

A.Isolate VNFs to prevent lateral movement if one VNF is compromised
B.Ensure VNFs are deployed across multiple physical hosts for redundancy
C.Encrypt all traffic between VNFs to prevent eavesdropping
D.Implement quality of service (QoS) to guarantee bandwidth for critical VNFs
Answer: A

Isolation is critical because VNFs share hypervisor; a compromise could spread.

Why this answer

Isolating VNFs is the most important security consideration because VNFs share the same hypervisor and commodity hardware, so a compromise in one VNF could allow an attacker to move laterally to other VNFs or the underlying host. Without proper isolation (e.g., using VLANs, VXLANs, or micro-segmentation), the entire multi-tenant environment is at risk, undermining the high-availability design.

Exam trap

The trap here is that candidates confuse operational requirements (redundancy, QoS, encryption) with security controls, overlooking that isolation is the foundational security measure in a shared virtualized environment.

How to eliminate wrong answers

Option B is wrong because deploying VNFs across multiple physical hosts for redundancy is a high-availability design requirement, not a security consideration; it does not address the risk of lateral movement or compromise. Option C is wrong because encrypting traffic between VNFs (e.g., with IPsec or TLS) protects data in transit but does not prevent a compromised VNF from attacking other VNFs on the same host; isolation is a prerequisite for security. Option D is wrong because QoS guarantees bandwidth for critical VNFs, which is a performance and availability concern, not a security control; it does not mitigate the risk of a VNF being compromised and used to pivot within the network.

986
MCQ · medium

A security analyst is writing a script to scan container images for known vulnerabilities before deployment. Which of the following best practices should the analyst implement to ensure the script runs securely?

A.Hardcode API keys into the script for simplicity
B.Use parameterized queries or input sanitization for any user-supplied data
C.Run the script with root privileges to ensure it has access to all images
D.Store credentials in a world-readable configuration file
Answer: B

Why this answer

Option B is correct because input sanitization and parameterized queries prevent injection attacks when the script processes user-supplied data, such as image names or tags. In the context of container scanning, unsanitized input could lead to command injection or SQL injection if the script queries a vulnerability database. This aligns with secure coding practices for automation scripts, ensuring that the script does not inadvertently execute malicious commands or expose sensitive data.

Exam trap

The CAS-004 exam often tests the principle of least privilege and secure credential handling in automation contexts, and the trap here is that candidates may choose root privileges (Option C) thinking it ensures full access to all images, overlooking the security risk of excessive permissions.

Why the other options are wrong

A

Hardcoding credentials is a major security risk; they can be exposed in version control.

C

Running with least privilege is a security best practice; root access increases the attack surface.

D

Credentials should be stored securely (e.g., vault, environment variables), not world-readable.
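An added example, not from the original page, showing the vulnerable pattern beside the hardened one for exactly this scenario: a script that takes an image name from a pipeline and hands it to a scanner. The scanner command line (Trivy's image subcommand and its --exit-code/--severity flags) and the TRIVY_PASSWORD environment variable are assumptions about the tooling; the point is the validation, the argv list with no shell, and credentials read from the environment rather than the source file.

```python
import os
import re
import subprocess

# Simplified OCI image reference grammar, constructed for this example:
#   [registry[:port]/]repo[/repo...][:tag][@sha256:hex]
IMAGE_REF_RE = re.compile(
    r"(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*"
    r"(?::[0-9]{1,5})?/)?"                               # optional registry[:port]/
    r"[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*"             # first path component
    r"(?:/[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*)*"       # further path components
    r"(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?"           # optional :tag
    r"(?:@sha256:[a-f0-9]{64})?"                         # optional @digest
)


def is_safe_image_ref(ref):
    """Allow-list validation: anything outside the reference grammar is rejected."""
    return IMAGE_REF_RE.fullmatch(ref) is not None


def vulnerable_scan_command(image):
    # DON'T: user input spliced into a shell string. With
    # image = "alpine; rm -rf /" and subprocess.run(cmd, shell=True)
    # the shell runs the second command as the scanner's user.
    return f"trivy image {image}"


def build_scan_command(image):
    """Argv list for the scanner; shell metacharacters never reach a shell."""
    if not is_safe_image_ref(image):
        raise ValueError(f"refusing image reference outside the OCI grammar: {image!r}")
    return ["trivy", "image", "--exit-code", "1", "--severity", "HIGH,CRITICAL", image]


def registry_token():
    # Injected by the CI secret store at run time; never hardcoded, never in a
    # world-readable config file.
    token = os.environ.get("REGISTRY_TOKEN")
    if not token:
        raise RuntimeError("REGISTRY_TOKEN is not set; refusing to run without credentials")
    return token


def scan_image(image):
    """Run the scanner as the current (unprivileged) user; 0 means no HIGH/CRITICAL findings."""
    env = {**os.environ, "TRIVY_PASSWORD": registry_token()}  # assumed scanner env var
    proc = subprocess.run(build_scan_command(image), shell=False, check=False,
                          env=env, capture_output=True, text=True)
    return proc.returncode


if __name__ == "__main__":
    for candidate in ("registry.example.com/team/app:1.2.3", "alpine; rm -rf /"):
        print(candidate, "->", "accepted" if is_safe_image_ref(candidate) else "rejected")
```

Validation and the argv list are independent defences: the list form alone already stops shell injection, while the grammar check also catches option-injection attempts such as an image name beginning with -- and keeps junk out of any database the results are written to.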

987
MCQ · hard

During a threat hunting exercise, a hunter uses the MITRE ATT&CK framework to identify a series of behaviors: an attacker used PowerShell to download a payload, then created a scheduled task for persistence, and finally performed credential dumping via LSASS. Which ATT&CK tactic is associated with the credential dumping technique?

A.Defense Evasion
B.Credential Access
C.Execution
D.Persistence
Answer: B

Credential Access is the tactic for stealing credentials, such as dumping LSASS.

Why this answer

Credential dumping from LSASS is OS Credential Dumping: LSASS Memory (T1003.001), a sub-technique under the Credential Access tactic (TA0006) in MITRE ATT&CK. The tactic names the adversary's goal, stealing credentials. The other behaviors map elsewhere: the PowerShell download is Execution (with Command and Control for the transfer) and the scheduled task is Persistence.

988
MCQ · easy

A security architect is evaluating a new identity management solution. The requirement is to allow users to authenticate using their existing social media accounts while maintaining corporate control over access policies. Which architecture best meets this requirement?

A.Privileged access management (PAM) solution
B.Single sign-on (SSO) using a corporate LDAP directory
C.Public Key Infrastructure (PKI) with digital signatures
D.Federated identity management using Security Assertion Markup Language (SAML)
Answer: D

Federation allows external IdPs like social media, while the enterprise controls policies.

Why this answer

Federated identity management lets an external identity provider (here, a social media platform) authenticate the user while the enterprise, acting as the service provider, decides what the authenticated identity may access. Option A is wrong because PAM governs privileged accounts and sessions, not consumer authentication. Option B is wrong because SSO against a corporate LDAP directory covers only identities the company already holds. Option C is wrong because PKI with digital signatures gives authentication and non-repudiation for certificate holders but offers no way to consume social identities.

In practice, social providers federate over OpenID Connect/OAuth 2.0 rather than SAML; the exam is testing the federation concept, and enterprise identity brokers routinely bridge the two protocols.

989
MCQ · medium

A security analyst is reviewing TLS 1.3 configuration for a web server. The analyst wants to ensure that the configuration provides forward secrecy and prevents the reuse of session keys. Which of the following is a characteristic of TLS 1.3 that supports these goals?

A.0-RTT session resumption
B.Support for static RSA key exchange
C.Use of ephemeral Diffie-Hellman key exchange
D.Removal of CBC mode cipher suites
Answer: C

Ephemeral Diffie-Hellman ensures that session keys are not derived from long-term keys, providing forward secrecy.

Why this answer

TLS 1.3 mandates ephemeral (EC)DHE key exchange and removed static RSA and static DH key exchange, so every session derives a fresh key and compromise of the server's long-term private key does not expose past traffic. Option A is a TLS 1.3 feature but works against the stated goal: 0-RTT data is protected with a key derived from the resumption PSK and can be replayed, which is why it should be disabled or limited to idempotent requests. Option D (removing CBC cipher suites) hardens the record layer against padding oracle attacks but has nothing to do with forward secrecy.

990
MCQ · easy

An organization needs to ensure consistent configuration across multiple Linux servers. They want to automate this process with a solution that requires minimal agent installation and uses push-based communication. Which approach is most appropriate?

A.Use PowerShell Desired State Configuration (DSC) with Linux extensions.
B.Use Ansible playbooks to define and enforce server configurations.
C.Run a Docker container on each server with a configuration management tool inside.
D.Deploy Puppet with a master server and agents on each system.
Answer: B

Ansible is agentless, uses SSH for push, and is widely used for configuration management.

Why this answer

Ansible (option B) is agentless: the control node pushes configuration to the managed hosts over SSH, so nothing beyond Python needs to be installed on them. Option A is wrong because PowerShell DSC is primarily a Windows technology and is less common for Linux fleets. Option C is wrong because Docker packages applications; it does not manage the configuration of the host it runs on. Option D is wrong because Puppet is pull-based and requires an agent on every system to fetch its catalog from the master.

991
MCQ · hard

A company is implementing single sign-on using SAML 2.0. A security architect is reviewing the authentication flow and notices that the identity provider (IdP) does not digitally sign the SAML assertions. Which of the following is the most significant security risk?

A.The assertion could be modified in transit
B.The assertion could be intercepted and read
C.The IdP could be spoofed
D.The assertion could be replayed
Answer: A

Without a signature, the service provider cannot verify that the assertion was not tampered with, allowing attribute or identity changes.

Why this answer

Without a signature the service provider has no way to verify that the assertion left the IdP unmodified. In the common browser POST binding the assertion passes through the user's browser, so TLS between browser and SP does not help: the user, or anyone controlling the browser, can change the NameID or attributes such as group membership before forwarding it and obtain another user's access. The SP validating the signature against the IdP's known certificate is the control that prevents this. Interception (B) is addressed by TLS and encrypted assertions, and replay (D) by the assertion's validity window, audience restriction and one-time use of assertion IDs.

992
Multi-Select · hard

An incident responder is analyzing a compromised server. Which THREE indicators are MOST likely to confirm a successful attack?

Select 3 answers
A.Corrupted system files
B.Unusual outbound network connections
C.Multiple failed login attempts
D.High CPU usage due to legitimate processes
E.New unauthorized administrative accounts
Answers: A, B, E

Corrupted files can result from malware or unauthorized modification.

Why this answer

New unauthorized accounts indicate adversary persistence. Unusual outbound connections suggest command-and-control or data exfiltration. Corrupted system files are a sign of malware or unauthorized changes.

High CPU usage can be from legitimate loads, and failed logins are not proof of success.

993
Multi-Select · medium

A penetration tester is conducting a test against a web application. The client has defined rules of engagement that prohibit any denial of service attacks. The tester discovers an endpoint that is vulnerable to command injection. Which THREE of the following actions should the tester take to validate the vulnerability while staying within scope? (Choose THREE.)

Select 3 answers
A.Use the echo command to write a file on the server
B.Run a whoami command to confirm the user context
C.Delete a random system file to observe impact
D.Flood the endpoint with multiple requests to test resilience
E.Execute a ping command to a controlled server to verify code execution
Answers: A, B, E

Writing a harmless file can prove execution without damage.

Why this answer

To validate command injection without causing damage, the tester uses non-destructive commands: whoami confirms the user context the application runs as, a ping to a tester-controlled host proves execution out of band even when the application returns no output, and echo writing a small marker file proves write access (the file's path should be recorded in the report and removed during cleanup). Deleting files or flooding the endpoint would violate the rules of engagement.

994
Multi-Select · hard

Which THREE of the following are effective techniques for detecting advanced persistent threats (APTs) within a network? (Select exactly 3.)

Select 3 answers
A.Using signature-based intrusion detection systems (IDS) to match known attack patterns.
B.Conducting behavioral analysis of endpoint and network activity to detect unusual patterns.
C.Integrating threat intelligence feeds to correlate indicators of compromise (IOCs) with internal logs.
D.Implementing anomaly-based network traffic analysis to identify deviations from baseline behavior.
E.Deploying honeypots to attract and analyze attacker behavior.
Answers: B, C, D

Behavioral analysis can uncover APT activities such as lateral movement and data exfiltration.

Why this answer

Behavioral analysis (option B) is effective against APTs because it establishes a baseline of normal activity and flags deviations, such as unusual lateral movement or data exfiltration patterns, which APTs often exhibit. Unlike signature-based methods, it can detect novel or zero-day techniques that match no known signature. Threat intelligence correlation (option C) adds the attacker-specific indicators and TTPs that other organizations have already observed, and anomaly-based traffic analysis (option D) applies the same baseline-and-deviation approach to network flows, catching beaconing and low-and-slow exfiltration. Signature-based IDS (option A) only sees what it already knows, and honeypots (option E) are valuable for observing attackers but detect only intrusions that happen to touch the decoy.

Exam trap

The CAS-004 exam often tests the distinction between detection techniques that rely on known indicators (signature-based) versus those that detect unknown threats (behavioral/anomaly-based), and candidates may mistakenly think signature-based IDS is sufficient for APTs because they focus on the 'advanced' aspect rather than the 'persistent' and 'unknown' nature of the threat.

995
Multi-Select · hard

An incident response team is handling a ransomware incident. The team has successfully contained the threat and is now in the eradication phase. Which THREE actions are appropriate for the eradication phase? (Select THREE.)

Select 3 answers
A.Restore systems from clean backups
B.Apply security patches to the vulnerability that allowed initial access
C.Revoke and reset all compromised user and service accounts
D.Delete all infected files and registry keys associated with the ransomware
E.Conduct a lessons learned meeting
Answers: B, C, D

Patching prevents re-infection.

Why this answer

Eradication removes the adversary's foothold completely: deleting the ransomware binaries and the registry keys and scheduled tasks it used for persistence, resetting every credential the attacker may hold (including service accounts), and patching the flaw used for initial access so the same entry point cannot be reused. Restoring from clean backups (A) belongs to the recovery phase, and the lessons learned meeting (E) to post-incident activity.

996
MCQ · medium

A security architect is reviewing the network segmentation of a healthcare organization that must comply with HIPAA. The current flat network allows all devices to communicate. Which segmentation approach provides the best balance of security and manageability?

A.Create a physical air gap between all systems
B.Assign each device its own VLAN with no inter-VLAN routing
C.Segment using VLANs and ACLs to limit traffic to necessary flows
D.Place all critical systems in a single DMZ subnet
Answer: C

VLANs with ACLs provide logical isolation, reducing attack surface while maintaining manageability.

Why this answer

Implementing VLANs with access control lists (ACLs) to restrict communication between segments provides logical isolation without requiring new hardware. Air gaps are impractical. DMZ for all systems is not appropriate.

Full 1:1 VLAN per device is unmanageable.

997
MCQ · hard

A company wants to implement continuous compliance monitoring. Which of the following approaches BEST supports this goal?

A.Manual review of compliance reports quarterly
B.Deploying a Security Information and Event Management (SIEM) system
C.Implementing automated compliance auditing tools
D.Annual external audits
Answer: C

Automated tools can provide ongoing monitoring and immediate feedback.

Why this answer

Continuous compliance monitoring requires automated, real-time checks against policies and regulations. Automated auditing tools can continuously assess controls and generate alerts.

998
Multi-Select · hard

A compliance officer is preparing for a GDPR audit. Which THREE of the following are key data subject rights under GDPR that the organization must be able to demonstrate?

Select 3 answers
A.Right to object to processing
B.Right to unlimited data storage
C.Right to erasure (right to be forgotten)
D.Right to data monetization
E.Right to data portability
Answers: A, C, E

Article 21 allows data subjects to object to processing based on legitimate interests.

Why this answer

GDPR grants data subjects several rights, including the right to erasure (right to be forgotten, Article 17), the right to data portability (Article 20), and the right to object to processing (Article 21). The right to rectification (Article 16) is also a data subject right but is not offered as an option. A right to data monetization and a right to unlimited storage do not exist under GDPR; storage limitation is in fact a principle the controller must observe.

999
MCQ · hard

A security architect is designing a system that must comply with FedRAMP Moderate controls. The system will use a cloud service provider (CSP) that is already FedRAMP Authorized. What is the primary benefit of using this CSP?

A.The agency no longer needs to conduct any risk assessments
B.The CSP guarantees 100% security
C.The system automatically complies with all international regulations
D.The CSP's authorization can be reused, reducing the agency's assessment burden
Answer: D

Leverages existing authorization

Why this answer

The primary benefit of using a FedRAMP Authorized CSP is that the CSP has already undergone a rigorous third-party assessment and is subject to continuous monitoring. The agency can reuse the existing authorization (a JAB Provisional ATO or another agency's ATO) and inherit the CSP's controls, significantly reducing the time, cost, and effort of its own assessment and authorization (ATO) process. It does not eliminate the agency's responsibility for risk management or for the customer-side FedRAMP Moderate controls, but it leverages the CSP's proven security posture.

Exam trap

The CAS-004 exam often tests the misconception that FedRAMP authorization absolves the agency of all compliance work, when in fact the agency must still perform a system-specific risk assessment and maintain its own ATO for the overall system.

How to eliminate wrong answers

Option A is wrong because the agency is still required to conduct its own risk assessments, including a system-specific risk assessment for the overall system and the CSP's inherited controls; FedRAMP authorization does not eliminate the agency's risk management responsibilities. Option B is wrong because no CSP or system can guarantee 100% security; FedRAMP authorization indicates a baseline of security controls have been implemented and assessed, but residual risk always remains. Option C is wrong because FedRAMP is a U.S. federal program and does not automatically confer compliance with international regulations such as GDPR, ISO 27001, or the EU Cloud Code of Conduct; separate assessments are needed for international frameworks.

1000
Multi-Select · hard

Which THREE of the following are essential components of a secure software development lifecycle (SSDLC)?

Select 3 answers
A.Continuous deployment
B.Static application security testing (SAST)
C.Code signing
D.Threat modeling
E.Penetration testing
Answers: B, D, E

SAST analyzes source code for vulnerabilities during the development phase.

Why this answer

Threat modeling identifies risks early; SAST automates code scanning for vulnerabilities; penetration testing validates security controls. Code signing ensures integrity but is not a core SSDLC process; continuous deployment is a DevOps practice, not a security activity.
