CompTIA SecurityX CAS-004 (CAS-004) — Questions 526–600

1000 questions total · 14 pages · All types, answers revealed


Page 8 of 14

526 · MCQ · hard

During a security assessment, a penetration tester discovers that a web application fails to validate the size of user input, leading to a buffer overflow. Which application security control would have BEST prevented this vulnerability?

A. Input validation
B. Static application security testing (SAST)
C. Web application firewall (WAF)
D. Rate limiting
Answer: A

Input validation directly prevents malformed input from causing buffer overflows.

Why this answer

Input validation ensures that data conforms to expected formats and sizes, preventing malformed input from causing overflows.

527 · MCQ · medium

A SOC manager is considering implementing a SOAR platform. Which is the primary benefit of SOAR in day-to-day operations?

A. Automated playbook execution and orchestration of response actions
B. Centralized storage of all security logs
C. Elimination of the need for human analysts
D. Reduction in false positive alerts from the SIEM
Answer: A

SOAR automates incident response playbooks, reducing manual effort and response time.

Why this answer

Option A is correct because SOAR automates repetitive tasks and orchestrates workflows, enabling faster and more consistent incident response. Option B is wrong because SOAR is not primarily for log storage. Option C is wrong because SOAR does not replace people. Option D is wrong because SOAR does not directly reduce false positives; that is a matter of SIEM tuning.

528 · MCQ · hard

A financial services company uses a continuous integration/continuous delivery (CI/CD) pipeline to deploy microservices. The security team wants to ensure that no secrets (e.g., API keys, database passwords) are hard-coded in source code repositories. Which tool or practice is most appropriate for detecting secrets before they are committed?

A. Run dynamic application security testing (DAST) on deployed apps
B. Implement a pre-commit hook using git-secrets or similar
C. Perform static application security testing (SAST) in the build pipeline
D. Deploy runtime application self-protection (RASP)
Answer: B

A pre-commit hook scans code before it is committed, blocking secrets from being pushed.

Why this answer

Option B (pre-commit hook with git-secrets) is correct because it scans code before commit, preventing secrets from entering the repository. Option A (DAST) tests running applications; Option C (SAST) analyzes source code but typically runs after commit, in the build pipeline; Option D (RASP) protects at runtime.

529 · MCQ · medium

An organization is deploying deception technology to detect lateral movement by attackers. Which of the following would be the most effective to detect an attacker who has gained access to the internal network and is attempting to move to a sensitive server?

A. A honeytoken in the form of a fake password file on a file server
B. A network-based intrusion detection system (NIDS) on the segment
C. A honeypot configured to mimic a high-value database server
D. An endpoint detection and response (EDR) agent on all workstations
Answer: A

Honeytokens like fake credentials are effective because they trigger alerts when an attacker attempts to use them for authentication.

Why this answer

Honeytokens are deceptive data (e.g., fake credentials) placed on systems; if an attacker uses them, it triggers an alert. This is effective for detecting lateral movement without requiring interaction with a full honeypot.

530 · MCQ · hard

A security architect is designing a deception-based detection system for a high-security environment. The goal is to detect lateral movement by attackers who have already breached the perimeter. Which of the following deception techniques would be most effective at identifying an attacker without alerting them to the deception?

A. Configure a network share with honey files and monitor for file access.
B. Create a honeypot web server with known vulnerabilities and monitor for interactions.
C. Deploy fake database tables containing plausible but fictitious data.
D. Plant honey credentials (username/password) for non-existent Active Directory accounts in a common password manager.
Answer: D

Honey credentials are low interaction and high value; any use of them indicates compromise without tipping off the attacker.

Why this answer

Option D is correct because honey credentials that appear real will be used only by attackers, and any use of them provides high-confidence detection. Option B will alert attackers. Option C is easily detectable by experienced attackers. Option A may be ignored if attackers do not use network shares.

531 · MCQ · medium

A SOC analyst is investigating an alert from the EDR system indicating that a user's workstation made multiple failed login attempts to a sensitive server, followed by a successful login from an unusual IP address. The analyst suspects a brute force attack. Which type of threat hunting methodology is being used?

A. Hypothesis-driven hunting
B. TTP-driven hunting
C. IoC-driven hunting
D. Baseline-driven hunting
Answer: A

The analyst formed a hypothesis based on an alert and is investigating.

Why this answer

This is hypothesis-driven threat hunting, as the analyst starts with a hypothesis (brute force attack) and then searches for evidence to confirm or deny it based on the alert.

532 · MCQ · medium

A healthcare provider is migrating patient records to a cloud EHR system. The security officer is concerned about data ownership and portability. Which contractual clause is MOST critical to include in the cloud service agreement?

A. A clause on data portability and format standards
B. A service level agreement guaranteeing 99.999% uptime
C. A stipulation that encryption keys are managed by the customer
D. A requirement for breach notification within 24 hours
Answer: A

Data portability ensures the organization can retrieve its data.

Why this answer

Option A is correct because data portability ensures the organization can retrieve its data if it switches vendors. Option B is wrong because uptime SLAs address availability, not ownership. Option C is wrong because customer-managed encryption keys are important but do not address ownership. Option D is wrong because breach notification is standard but does not address ownership.

533 · MCQ · medium

A security analyst discovers that an employee has been using a personal USB drive to transfer sensitive customer data from a workstation to a home computer. This violates the company's data handling policy. According to the company's incident response plan, which of the following is the FIRST step the analyst should take?

A. Perform a forensic analysis of the workstation
B. Isolate the workstation from the network
C. Escalate the incident to the data protection officer (DPO)
D. Notify law enforcement
Answer: B

Isolation contains the incident and prevents further data transfer.

Why this answer

The first priority in any incident response is containment to prevent further data loss or network propagation. Isolating the workstation from the network (Option B) immediately stops the employee from exfiltrating additional data and prevents any potential lateral movement by malware that might be on the USB drive. This aligns with the NIST SP 800-61 incident response lifecycle, where containment precedes eradication and recovery.

Exam trap

CompTIA often tests the candidate's ability to prioritize containment over investigation or notification, trapping those who confuse the order of the incident response phases (e.g., jumping to forensic analysis or legal escalation before stopping the bleeding).

How to eliminate wrong answers

Option A is wrong because forensic analysis is a post-containment step; performing it first could alter volatile evidence and does not stop ongoing data exfiltration. Option C is wrong because escalation to the DPO is a notification step that occurs after containment and initial triage, not as the first action. Option D is wrong because notifying law enforcement is a final step reserved for criminal activity after the incident is fully contained and evidence is preserved, and it is not the immediate priority.

534 · MCQ · easy

Which of the following is the primary security benefit of using immutable infrastructure in automated deployments?

A. Reduces operational costs by reusing existing servers
B. Eliminates configuration drift and unauthorized changes
C. Increases system performance through hardware acceleration
D. Simplifies monitoring by reducing the number of servers
Answer: B

Why this answer

Immutable infrastructure ensures that servers are never modified after deployment; instead, updates are made by replacing the entire instance with a new, pre-configured image. This eliminates configuration drift because any unauthorized or unintended changes are wiped out on the next deployment cycle, enforcing a consistent, known-good state across all environments.

Exam trap

The trap here is that candidates confuse immutable infrastructure with traditional configuration management (e.g., Puppet, Ansible) that corrects drift by modifying existing servers, whereas immutable infrastructure prevents drift entirely by never modifying servers in place.

Why the other options are wrong

A. Immutable infrastructure typically increases costs because new instances are spun up instead of patching old ones.

C. Immutable infrastructure is about deployment methodology, not hardware performance.

D. Immutable infrastructure may actually increase server count due to frequent redeployments.

535 · MCQ · easy

During a security incident, the incident response team has identified the root cause and removed the threat from all affected systems. Which phase of the incident response lifecycle involves returning systems to normal operation and monitoring for any signs of recurrence?

A. Eradication
B. Containment
C. Recovery
D. Lessons Learned
Answer: C

Recovery restores systems and monitors for recurrence.

Why this answer

The incident response lifecycle includes preparation, detection, containment, eradication, recovery, and lessons learned. Recovery is the phase where systems are restored to normal operation and monitoring is implemented to ensure the threat does not return.

536 · MCQ · medium

A security operations center (SOC) analyst is investigating a potential malware infection on a workstation. The analyst wants to perform static analysis on a suspicious executable. Which tool or technique is most appropriate for examining the executable without executing it?

A. Run the executable in a sandbox
B. Use a memory forensics tool like Volatility
C. Use the strings command to extract readable ASCII and Unicode strings
D. Perform a network traffic capture
Answer: C

The strings utility is a common static analysis tool for extracting embedded text from binaries.

Why this answer

Static analysis involves examining the file without running it. Using a disassembler like IDA Pro or a tool to view strings and PE headers is typical. The strings utility extracts readable text from the binary, which can reveal clues about its functionality.

537 · Multi-Select · medium

A security administrator is evaluating ways to improve endpoint detection and response (EDR) capabilities. Which TWO of the following approaches would most effectively enhance the detection of fileless malware attacks?

Select 2 answers
A. Monitor PowerShell script block logging and execution events.
B. Install a network intrusion detection system (NIDS) to inspect traffic.
C. Monitor process creation chain events to detect anomalous parent-child relationships.
D. Enable file integrity monitoring (FIM) on critical system files.
E. Deploy advanced antivirus with machine learning signatures.
Answers: A, C

PowerShell is commonly abused for fileless execution.

Why this answer

Fileless malware often operates in memory and abuses legitimate tools. Option C (monitoring process creation chains) detects abnormal parent-child relationships (e.g., wmic spawning cmd). Option A (monitoring PowerShell script block logging and execution) catches malicious scripts.

Option D focuses on files, which may miss fileless activity. Option E is less effective for memory-resident malware. Option B is for network-based detection.

538 · MCQ · hard

A Kubernetes pod is defined with the above manifest. Which security concern is most critical?

A. The image tag "latest" might pull an outdated image.
B. The pod has added capabilities NET_ADMIN and SYS_ADMIN, which could allow network manipulation and system administration.
C. The readOnlyRootFilesystem prevents logging.
D. The pod runs as root by default.
Answer: B

These capabilities can lead to container escape or host compromise.

Why this answer

Option B is correct because the NET_ADMIN and SYS_ADMIN capabilities allow significant host-level manipulation, such as network configuration and system administration. Option A (the "latest" tag) is an image hygiene concern, and since no user is explicitly set, running as root by default (Option D) is also a concern, but both are less critical than the added capabilities. Option C describes a limitation, not a security risk.

539 · MCQ · medium

A security analyst is tuning the SIEM and wants to create a correlation rule that detects potential lateral movement using pass-the-hash attacks. Which log sources are most essential for detecting this technique?

A. DNS logs and web proxy logs
B. Windows Security Event Logs (4624) and network flow logs
C. Application logs and antivirus logs
D. DHCP logs and VPN logs
Answer: B

These logs show authentication attempts and network connections.

Why this answer

Pass-the-hash activity is detected through Windows authentication logs (Event ID 4624) combined with network logs that reveal unusual remote connections. Windows Security Event Logs and network flow logs are therefore the key sources.

540 · Multi-Select · medium

Which TWO of the following are valid techniques to mitigate the risk of side-channel attacks on cryptographic implementations? (Select exactly 2.)

Select 2 answers
A. Obfuscating the source code of the cryptographic library.
B. Using a cryptographically secure random number generator for key generation.
C. Implementing constant-time algorithms to avoid timing variations.
D. Increasing the key length to 4096 bits.
E. Adding noise to power consumption or using power analysis resistant logic.
Answers: C, E

Constant-time code ensures that execution time does not depend on secret data, preventing timing attacks.

Why this answer

Options C and E are correct. Constant-time operations and power analysis protection are direct mitigations. Option D is wrong because longer keys do not prevent side-channel leakage. Option B is wrong because using a CSPRNG is about key generation, not execution. Option A is wrong because obfuscation is not a cryptographic defense against side channels.

541 · MCQ · medium

A security architect is designing a PKI for a large enterprise. Which component is used to protect private keys and perform cryptographic operations in a tamper-resistant environment?

A. Hardware Security Module (HSM)
B. Certificate Revocation List (CRL)
C. Key Management Service (KMS)
D. Certificate Authority (CA)
Answer: A

HSM is designed for tamper-resistant key protection and cryptographic operations.

Why this answer

A hardware security module (HSM) provides secure generation, storage, and management of cryptographic keys in a tamper-resistant device.

542 · Multi-Select · hard

A company is migrating its legacy VPN to use IPsec with IKEv2. The security team wants to ensure the strongest possible security. Which THREE configuration options should be selected?

Select 3 answers
A. Use ECDSA P-384 for authentication
B. Use SHA-1 for integrity
C. Use AES-256-GCM for encryption
D. Use IKEv1 instead of IKEv2
E. Enable perfect forward secrecy (DHE)
Answers: A, C, E

ECDSA P-384 provides strong public key authentication.

Why this answer

IKEv2 with AES-256-GCM for encryption, ECDSA P-384 for authentication, and perfect forward secrecy (so that a compromised long-term key does not expose past sessions) provide strong security. SHA-1 is deprecated, and IKEv1 is legacy.

543 · MCQ · hard

A SOC analyst is investigating a suspicious process that is making outbound connections to an unknown IP address. The analyst wants to examine the process memory for injected code. Which Volatility plugin is most appropriate for detecting code injection by listing all Virtual Address Descriptors (VADs) that are mapped as executable and writable?

A. netscan
B. malfind
C. pslist
D. dlllist
Answer: B

malfind detects injected code by examining VADs.

Why this answer

Volatility's 'malfind' plugin scans VADs and looks for executable and writable pages that may indicate injected code. It is commonly used for detecting code injection.

544 · MCQ · easy

Which of the following is the primary advantage of using STIX and TAXII for threat intelligence sharing?

A. They replace the need for a SIEM system
B. They perform dynamic analysis of malware samples
C. They provide real-time blocking of malicious IPs
D. They allow automated sharing of threat intelligence in a standardized format
Answer: D

Standardization and automation are key benefits.

Why this answer

STIX (Structured Threat Information Expression) and TAXII (Trusted Automated Exchange of Intelligence Information) provide a standardized framework for representing and exchanging threat intelligence, enabling interoperability between different tools and organizations.

545 · Multi-Select · medium

A security architect is designing a just-in-time (JIT) privileged access management (PAM) solution. Which TWO of the following are key characteristics of JIT access?

Select 2 answers
A. Privileges are permanent but require approval each time.
B. Access rights are automatically revoked after use or expiry.
C. Break-glass accounts are used for emergency access.
D. Privileges are granted on-demand for a limited time period.
E. Users have standing privileges for routine tasks.
Answers: B, D

Automatic revocation ensures that privileges are not left open.

Why this answer

JIT access provisioning grants temporary privileges that are automatically revoked after a set time or after use. This reduces the attack surface. Standing privileges are the opposite.

Approval workflows are not necessarily part of JIT; JIT can be automatic. Break-glass accounts are for emergency access, which is a separate concept.

546 · MCQ · hard

An organization is migrating to a zero-trust architecture. Which of the following components is CRITICAL for enforcing policy decisions based on user identity, device health, and context?

A. Intrusion prevention system (IPS)
B. Web application firewall (WAF)
C. Policy enforcement point (PEP)
D. Network access control (NAC)
Answer: C

The PEP is the component that enforces access policies based on identity and context.

Why this answer

The Policy Enforcement Point (PEP) is the component that enforces access decisions in a zero-trust architecture, acting on the decisions of the policy engine it integrates with. NAC, WAF, and IPS are related but are not the core enforcement component in zero trust.

547 · MCQ · hard

A security auditor finds that a company's backup tapes are stored in the same building as the primary data center. Which risk treatment strategy does this lack represent?

A. Risk avoidance
B. Risk mitigation
C. Risk acceptance
D. Risk transference
Answer: B

Mitigation would require offsite backups to reduce risk.

Why this answer

Storing backups at a separate site is risk mitigation through redundancy. The current practice increases risk due to common physical location. Acceptance, transference, and avoidance are not directly addressed here.

548 · MCQ · hard

A technology company suspects an insider threat is exfiltrating intellectual property. The security team has deployed user and entity behavior analytics (UEBA) and set up data loss prevention (DLP) rules. A UEBA alert flags a senior developer who is accessing the source code repository at 2 AM from a VPN connection that routes through a foreign country. The developer also recently downloaded a large quantity of source code—more than 10 times the normal volume. DLP policies are configured to block emails with attachments over 10 MB. Which of the following should the incident response team do FIRST?

A. Implement stricter DLP policies to block large downloads from the repository.
B. Conduct an informal interview with the developer to ask about the unusual activity.
C. Isolate the developer's workstation and revoke access to the source code repository immediately.
D. Review DLP logs to confirm that no emails containing source code were sent.
Answer: C

Containment is critical given the high risk of active exfiltration.

Why this answer

Option C is correct because the UEBA alert combined with the anomalous download volume strongly suggests malicious activity. Immediate isolation prevents further exfiltration and preserves evidence. Option B interviews the user, which could alert them and lead to data destruction.

Option D focuses only on DLP email logs, but the exfiltration may not be via email. Option A is a long-term preventive measure, not an immediate response.

549 · Multi-Select · medium

A security architect is designing a data lifecycle management program. Which TWO of the following are phases of the data lifecycle? (Select TWO.)

Select 2 answers
A. Data replication
B. Data anonymization
C. Data creation
D. Data destruction
E. Data monetization
Answers: C, D

Data creation is the initial phase, in which data is generated.

Why this answer

The data lifecycle typically includes creation, storage, use, sharing, archiving, and destruction. Creation and destruction are standard phases.

550 · Multi-Select · hard

Which THREE of the following are key components of a zero-trust security architecture? (Select THREE.)

Select 3 answers
A. VPN concentrator
B. Micro-segmentation
C. Implicit trust for internal network traffic
D. Least privilege access control
E. Continuous monitoring of user and device behavior
Answers: B, D, E

Micro-segmentation divides the network into isolated zones to contain threats.

Why this answer

Zero trust requires micro-segmentation to limit lateral movement, continuous monitoring to verify every session, and least privilege access to enforce minimal permissions. VPN is a perimeter technology, and implicit trust violates zero trust principles.

551 · Multi-Select · medium

Which TWO of the following are key components of a governance framework? (Select TWO.)

Select 2 answers
A. Policies and procedures
B. Vulnerability scanning schedule
C. Firewall rules
D. Penetration test results
E. Defined roles and responsibilities
Answers: A, E

Policies and procedures are the core governance documents.

Why this answer

Policies and procedures are foundational to a governance framework because they define the rules, standards, and operational guidelines that an organization must follow to ensure compliance, security, and risk management. They establish the 'what' and 'how' for decision-making and behavior, aligning with frameworks like ISO 27001 or NIST SP 800-53. Without documented policies and procedures, governance lacks enforceable structure and accountability.

Exam trap

CompTIA often tests the distinction between governance components (policies, roles) and operational or technical controls (schedules, rules, results), leading candidates to mistake tactical activities for strategic framework elements.

552 · MCQ · medium

An IAM policy is applied to an AWS user. Which of the following actions is permitted?

A. Delete objects in example-bucket
B. Put objects in secret-bucket
C. List objects in secret-bucket
D. List objects in example-bucket
Answer: D

The Allow statement grants s3:ListBucket on example-bucket.

Why this answer

The policy explicitly allows s3:ListBucket on example-bucket. The Deny statement for secret-bucket applies to all S3 actions on that bucket. There is no Allow for Delete or Put on example-bucket, so those are implicitly denied.

553 · MCQ · hard

Refer to the exhibit. The data classification policy defines levels and rules. During an audit, a database containing both PII and credit card numbers is found labeled as 'Internal'. Which of the following is the BEST first action?

A. Accept the risk as the data is not public
B. Remove the credit card numbers from the database
C. Create a new classification level for mixed data
D. Reclassify the database as 'Critical' to reflect the highest required level
Answer: D

Aligns with policy rule that PCI data must be Critical.

Why this answer

The database should be reclassified to 'Critical' because it contains PCI data, which requires the highest level. Creating a new level is unnecessary; accepting risk violates policy; removing data is not the first step.

554 · MCQ · medium

A network administrator is configuring a firewall to block traffic from a specific IP address range. The firewall uses ACLs. Which ACL entry would deny traffic from 192.168.1.0/24?

A. deny ip 192.168.1.0 0.0.0.255 any
B. deny ip 192.168.1.0 0.0.0.0 any
C. deny ip 192.168.1.0 0.0.0.127 any
D. deny ip 192.168.1.0 255.255.255.0 any
Answer: A

Wildcard 0.0.0.255 matches the entire /24 subnet.

Why this answer

Option A is correct because in Cisco ACL syntax, the wildcard mask 0.0.0.255 matches all addresses in the 192.168.1.0/24 network. The 'deny ip 192.168.1.0 0.0.0.255 any' entry blocks any IP traffic from the source subnet 192.168.1.0 through 192.168.1.255 to any destination.

Exam trap

The trap here is that candidates often confuse subnet masks with wildcard masks, selecting option D (255.255.255.0) instead of the correct wildcard mask 0.0.0.255.

How to eliminate wrong answers

Option B is wrong because the wildcard mask 0.0.0.0 matches only the single host 192.168.1.0, not the entire /24 subnet. Option C is wrong because the wildcard mask 0.0.0.127 matches only the first 128 addresses (192.168.1.0–192.168.1.127), which is a /25 range, not the full /24. Option D is wrong because 255.255.255.0 is a subnet mask, not a wildcard mask; ACLs require inverse (wildcard) masks, so this entry would be syntactically invalid or misinterpreted.

555 · MCQ · medium

A security analyst is performing a quantitative risk assessment for a server that processes payment card data. The server has an asset value of $50,000. Based on historical data, the exposure factor (EF) for a ransomware attack is 80%, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?

A. $20,000
B. $40,000
C. $50,000
D. $25,000
Answer: A

Correct calculation: SLE = AV × EF = $40,000, ALE = $40,000 × 0.5 = $20,000.

Why this answer

ALE = SLE × ARO, where SLE = AV × EF = $50,000 × 0.8 = $40,000, and ARO = 0.5, so ALE = $40,000 × 0.5 = $20,000.

556 · MCQ · medium

A security team is evaluating an EDR solution. Which of the following capabilities is a primary differentiator between EDR and traditional antivirus?

A. Centralized policy management
B. File integrity monitoring
C. Signature-based detection of known malware
D. Behavioral analysis and detection
Answer: D

Behavioral analysis is a key EDR capability, allowing detection of novel threats.

Why this answer

EDR focuses on continuous monitoring and recording of endpoint activities, enabling detection of suspicious behaviors that may indicate an attack, even if no known signature exists. Traditional antivirus relies on signature-based detection. Behavior-based detection is a core EDR capability.

557 · MCQ · easy

An organization wants to deploy a technology that lures attackers into a controlled environment to observe their tactics, techniques, and procedures (TTPs). Which deception technology should the organization implement?

A. Honeytoken
B. EDR
C. Honeypot
D. SIEM
Answer: C

Honeypots are decoy systems that mimic real assets to lure attackers.

Why this answer

A honeypot is a decoy system designed to attract attackers and gather intelligence.

558 · MCQ · easy

A developer is creating a REST API that handles sensitive data. Which HTTP method should be used for updates that are not idempotent?

A. DELETE
B. GET
C. PUT
D. POST
Answer: D

POST is non-idempotent and suitable for operations that create or update resources with potentially different results on each call.

Why this answer

POST is non-idempotent—multiple identical requests may result in different side effects (e.g., creating multiple resources). PUT is idempotent, GET is safe, DELETE is idempotent.

559 · MCQ · medium

A company uses Kubernetes for container orchestration. Which security control should be implemented to enforce that only specific images from a trusted registry can run in the cluster?

A. Pod security admission (PSA)
B. Admission controller (e.g., OPA/Gatekeeper)
C. Network policies
D. RBAC roles
Answer: B

Admission controllers can validate the registry an image comes from before the pod is admitted.

Why this answer

Admission controllers can intercept requests to the Kubernetes API server and enforce policies, such as allowing only images from a specific registry.

560 · MCQ · medium

A security engineer is configuring SSH for a jump host used to access critical servers. The engineer wants to restrict the cryptographic algorithms to the most secure options. Which of the following should be DISABLED?

A. Diffie-Hellman group-exchange with SHA-1
B. AES-256-CTR
C. Ed25519 for host keys
D. HMAC-SHA2-256
Answer: A

SHA-1 is deprecated due to collision attacks.

Why this answer

Diffie-Hellman group-exchange with SHA-1 is weak and should be disabled in favor of stronger key exchange algorithms.

561 · Matching · medium

Match each encryption standard or algorithm to its type.

Matches

Symmetric block cipher

Asymmetric public-key cryptosystem

Hash function (one-way)

Elliptic curve digital signature algorithm

Keyed-hash message authentication code

Why these pairings

Understanding the types of encryption standards and algorithms is critical for the cryptography domain.

562 · MCQ · hard

An organization's containerized application is deployed on Kubernetes. The security team wants to enforce that containers run with the least privilege and cannot access the host file system. Which Kubernetes security mechanism should be configured?

A. Secrets management with Vault
B. Role-based access control (RBAC) for service accounts
C. Network policies to restrict egress traffic
D. Pod Security Policy (PSP) with readOnlyRootFilesystem and runAsNonRoot
Answer: D

PSP enforces security contexts; readOnlyRootFilesystem prevents writes to host file system.

Why this answer

Pod Security Policies (now deprecated, but still valid in the CASP context) or Pod Security Standards control security contexts; readOnlyRootFilesystem and runAsNonRoot directly address the requirement. Option C is wrong because network policies control traffic, not the file system. Option A is wrong because secrets management does not enforce file system restrictions. Option B is wrong because RBAC controls API access, not container runtime privileges.

563 · Multi-Select · easy

A security team is implementing controls to meet PCI DSS requirements for cardholder data. Which THREE controls are required?

Select 3 answers
A. Encrypt cardholder data at rest
B. Implement multi-factor authentication for remote access
C. Regularly update antivirus software
D. Use unique IDs for each person with access
E. Perform quarterly vulnerability scans
Answers: A, B, D

Requirement 3.4 mandates encryption of stored cardholder data.

Why this answer

PCI DSS requires encryption of stored cardholder data (Requirement 3.4), MFA for remote access (Requirement 8.3), and unique IDs for each person with access (Requirement 8.1.1). Regular antivirus updates (Requirement 5) and quarterly vulnerability scans (Requirement 11.2) are also PCI DSS requirements, but the three selected answers are the ones this question treats as mandatory.

564 · MCQ · medium

A vulnerability scanner reports a critical vulnerability with a CVSS base score of 9.8 on a public-facing web server. However, the server has a compensating control: a Web Application Firewall (WAF) that blocks exploit attempts. How should the security team prioritize patching this vulnerability?

A. Schedule patching during the next maintenance window
B. Defer patching indefinitely since the WAF mitigates the risk
C. Immediately patch the vulnerability as soon as possible
D. Increase the WAF rule strictness and delay patching
Answer: C

Critical vulnerabilities require immediate patching despite compensating controls.

Why this answer

Compensating controls can reduce risk, but patching should still be prioritized for critical vulnerabilities even if compensating controls are in place, as controls can be bypassed.

565
Multi-Selecteasy

A security analyst is evaluating security metrics for the security program. Which TWO of the following are considered key performance indicators (KPIs) for measuring the effectiveness of a security program?

Select 2 answers
A.Employee satisfaction score
B.Number of critical vulnerabilities identified
C.Patch compliance percentage
D.Total budget spent on security
E.Mean time to respond (MTTR) to incidents
AnswersC, E

Indicates how well the organization maintains patching.

Why this answer

KPIs measure the effectiveness of security controls and processes. Mean time to respond (MTTR) measures incident response effectiveness. Patch compliance percentage measures the effectiveness of patch management.

Number of vulnerabilities is a KRI, not a KPI per se. Budget spent is a financial metric. Employee satisfaction is HR-related.

566
Multi-Selecthard

A company is developing a secure software development lifecycle (SDLC) and wants to integrate security testing early. Which THREE techniques should be used to find vulnerabilities in code during development? (Choose three.)

Select 3 answers
A.Penetration testing
B.Software Bill of Materials (SBOM) analysis
C.Threat modeling
D.Dynamic Application Security Testing (DAST)
E.Static Application Security Testing (SAST)
AnswersC, D, E

Threat modeling identifies potential threats during design.

Why this answer

Threat modeling identifies design issues, SAST finds vulnerabilities in source code, and DAST finds vulnerabilities in running applications.

567
MCQeasy

Which of the following is the primary benefit of using infrastructure as code (IaC) for automating security configurations?

A.It eliminates the need for security testing
B.It ensures consistent and repeatable security configurations
C.It allows unapproved changes to be deployed faster
D.It increases manual oversight of security settings
AnswerB

Why this answer

Infrastructure as code (IaC) enables security configurations to be defined in declarative or procedural scripts (e.g., Terraform, AWS CloudFormation, Ansible). This ensures that every deployment applies the exact same security settings (e.g., firewall rules, IAM policies, encryption at rest) without drift, making configurations consistent and repeatable across environments. The primary benefit is eliminating manual, error-prone processes that lead to configuration inconsistencies.

Exam trap

The trap here is that candidates may think IaC eliminates the need for security testing (Option A) because automation implies perfection, but in reality, IaC code itself must be tested for security flaws, just like application code.

Why the other options are wrong

A

IaC does not eliminate testing; it automates deployment.

C

Unapproved changes are a risk, not a benefit.

D

IaC reduces manual oversight.

568
MCQmedium

A threat hunter is looking for signs of a ransomware attack that encrypts files and drops a ransom note. The hunter decides to search for processes that have modified many files in a short period. Which threat hunting methodology is being used?

A.TTP-driven hunting
B.Hypothesis-driven hunting
C.Machine learning-driven hunting
D.IoC-driven hunting
AnswerB

The hunter forms a hypothesis about ransomware behavior and searches for it.

Why this answer

Hypothesis-driven hunting starts with a hypothesis about a threat and then searches for evidence. The hunter is hypothesizing about ransomware behavior.

569
Matchingmedium

Match each security tool to its purpose.


Protects web applications from attacks

Detects intrusions and alerts

Detects and blocks intrusions in real-time

Host-based intrusion detection system

Network-based intrusion detection system

Why these pairings

These tools are fundamental to network and host security monitoring.

570
MCQmedium

A penetration tester is performing a test against a web application. During active reconnaissance, the tester discovers that the application discloses version numbers in HTTP headers. Which phase of the penetration testing lifecycle does this activity belong to?

A.Reconnaissance
B.Post-exploitation
C.Exploitation
D.Reporting
AnswerA

Active reconnaissance is part of the reconnaissance phase, where the tester gathers information directly from the target.

Why this answer

Active reconnaissance involves directly interacting with the target to gather information, such as by sending probes and analyzing responses. Discovering version numbers via HTTP headers is a form of active reconnaissance because the tester is making requests and inferring information from the responses.

571
Multi-Selecteasy

An organization is developing a security policy hierarchy. Which TWO of the following correctly represent the typical order from highest to lowest level in a policy framework? (Select TWO.)

Select 2 answers
A.Policy, Standard, Guideline, Procedure
B.Policy, Procedure, Guideline, Standard
C.Guideline, Policy, Standard, Procedure
D.Standard, Policy, Procedure, Guideline
E.Policy is the highest level document
AnswersA, E

This is the correct hierarchy from highest to lowest.

Why this answer

The policy hierarchy typically is: Policy (high-level requirements), Standard (mandatory rules), Guideline (recommended practices), Procedure (step-by-step instructions). Policy followed directly by Procedure (Option B) is not correct; Policy, Standard, Guideline, Procedure is the full order.

572
MCQeasy

Which of the following is the correct order of the security policy hierarchy from highest to lowest?

A.Policy → Standard → Guideline → Procedure
B.Standard → Policy → Guideline → Procedure
C.Policy → Guideline → Standard → Procedure
D.Procedure → Guideline → Standard → Policy
AnswerA

Correct: Policy sets the direction, Standard defines mandatory requirements, Guideline offers recommendations, Procedure details steps.

Why this answer

The typical hierarchy is Policy (high-level), Standard (mandatory controls), Guideline (recommended), Procedure (step-by-step).

573
Multi-Selectmedium

A security engineer is evaluating a new Hardware Security Module (HSM) for a financial application that requires FIPS 140-2 Level 3 compliance. Which TWO features are required for Level 3 validation? (Select TWO.)

Select 2 answers
A.Encryption of all data at rest
B.Tamper-evident coatings or seals on the HSM
C.Role-based access control
D.Identity-based authentication for operators
E.Environmental failure protection
AnswersB, D

Level 3 requires physical security mechanisms that show evidence of tampering.

Why this answer

FIPS 140-2 Level 3 requires tamper-evident coatings or seals and identity-based authentication (e.g., passwords, biometrics). Level 2 requires tamper-evident coatings but not identity-based. Level 4 requires tamper detection and zeroization.

574
MCQmedium

A company processes personal data of EU citizens and wants to implement privacy by design. Which of the following is the BEST first step in this process?

A.Appointing a Data Protection Officer (DPO)
B.Implementing data encryption at rest and in transit
C.Developing a data retention policy
D.Conducting a Privacy Impact Assessment (PIA)
AnswerD

A PIA is a foundational step that identifies privacy risks and informs design decisions.

Why this answer

Privacy by design requires embedding privacy into the design of systems and processes from the outset. Conducting a Privacy Impact Assessment (PIA) early helps identify and mitigate privacy risks before implementation.

575
Multi-Selecthard

A security architect is planning the migration of a legacy application to a containerized microservices architecture on Kubernetes. The architect must ensure that the architecture supports secrets management, service-to-service authentication, and encryption of data in transit between microservices. Which THREE components should the architect include in the design? (Choose three.)

Select 3 answers
A.Deploy a TLS termination gateway (e.g., NGINX ingress) with certificate management.
B.Use Kubernetes Secrets mounted as volumes with integration to an external vault.
C.Apply Kubernetes network policies to restrict pod-to-pod communication.
D.Implement a service mesh such as Istio to handle mTLS between pods.
E.Configure RPM package signing for all container images.
AnswersA, B, D

Terminates external TLS and can re-encrypt internally; manages certificates for external-facing services.

Why this answer

Option A is correct because a TLS termination gateway (e.g., NGINX ingress) with certificate management provides encryption of data in transit between external clients and the Kubernetes cluster, fulfilling the requirement for encryption of data in transit at the edge. It terminates TLS at the ingress point, allowing secure HTTPS connections and centralized certificate lifecycle management.

Exam trap

The CAS-004 exam often tests the distinction between network segmentation (network policies) and cryptographic controls (mTLS, TLS), leading candidates to mistakenly choose network policies as a solution for encryption or authentication.

576
MCQmedium

A security analyst is reviewing a suspicious email reported by a user. The email contains an attachment named 'invoice.pdf.exe'. Which type of malware analysis technique should the analyst perform first to determine if the file is malicious?

A.Reverse engineering
B.Static analysis
C.Dynamic analysis in a sandbox
D.Memory forensics
AnswerB

Static analysis is quick and safe to identify malicious characteristics without execution.

Why this answer

Static analysis (e.g., checking file extensions, strings, and hashes) is non-executing and safe to perform first to gather initial indicators.

577
MCQmedium

A security analyst reviews the ACL rules above. A host at 10.0.1.5 attempts to SSH (port 22) to a server at 10.0.2.10. What is the result?

A.The connection is denied by Rule 3.
B.The connection is permitted by Rule 4.
C.The connection is permitted by the implicit permit.
D.The connection is denied by Rule 1.
AnswerD

Rule 1 explicitly denies SSH from the 10.0.1.0/24 subnet.

Why this answer

Rule 1 denies all traffic from 10.0.1.0/24 to 10.0.2.0/24. Since the source (10.0.1.5) and destination (10.0.2.10) fall within these subnets, the SSH attempt is denied by Rule 1, regardless of any later rules. ACLs are processed top-down, and the first matching rule determines the action.

Exam trap

The CAS-004 exam often tests the first-match principle in ACLs, where candidates mistakenly think a later permit rule (like Rule 3 or 4) can override an earlier deny rule, but the order of evaluation is sequential and stops at the first match.

How to eliminate wrong answers

Option A is wrong because Rule 3 permits TCP traffic from 10.0.1.0/24 to 10.0.2.0/24 on port 80, not port 22, so it does not apply to SSH. Option B is wrong because Rule 4 permits traffic from 10.0.1.0/24 to 10.0.2.0/24 on port 443, not port 22, so it does not permit SSH. Option C is wrong because an implicit deny (not permit) exists at the end of all ACLs; there is no implicit permit, so traffic not explicitly permitted is denied.
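The first-match evaluation described above, as an added example that is not part of the original question bank: a small Python ACL evaluator run over a rule table constructed from the explanation (the exhibit itself is not on the page, and Rule 2 is not described, so it is omitted). It shows that Rule 1 matches the SSH attempt before Rules 3 and 4 are ever consulted, and that without Rule 1 the port-22 attempt would fall through to the implicit deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    number: int
    action: str               # "permit" or "deny"
    src: str                  # source network in CIDR notation
    dst: str                  # destination network in CIDR notation
    proto: str = "any"        # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port; None matches any port

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        """True when every field of the rule matches the packet."""
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate_acl(rules: List[AclRule], src_ip: str, dst_ip: str,
                 proto: str, dport: int) -> Tuple[str, Optional[int]]:
    """Walk the ACL top-down; the first matching rule decides.

    Returns (action, rule_number). rule_number is None when no rule matched
    and the implicit deny at the end of the ACL applied.
    """
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.number
    return "deny", None  # implicit deny: every ACL ends with one


# Constructed rule table mirroring the explanation (Rule 2 is not on the page).
RULES = [
    AclRule(1, "deny", "10.0.1.0/24", "10.0.2.0/24"),
    AclRule(3, "permit", "10.0.1.0/24", "10.0.2.0/24", "tcp", 80),
    AclRule(4, "permit", "10.0.1.0/24", "10.0.2.0/24", "tcp", 443),
]


if __name__ == "__main__":
    # The scenario from the question: SSH from 10.0.1.5 to 10.0.2.10.
    print(evaluate_acl(RULES, "10.0.1.5", "10.0.2.10", "tcp", 22))      # ('deny', 1)
    # Even HTTP is stopped by Rule 1; Rule 3 is never reached.
    print(evaluate_acl(RULES, "10.0.1.5", "10.0.2.10", "tcp", 80))      # ('deny', 1)
    # Without Rule 1, HTTP is permitted by Rule 3 but SSH hits the implicit deny.
    print(evaluate_acl(RULES[1:], "10.0.1.5", "10.0.2.10", "tcp", 80))  # ('permit', 3)
    print(evaluate_acl(RULES[1:], "10.0.1.5", "10.0.2.10", "tcp", 22))  # ('deny', None)
```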

578
MCQmedium

A security engineer needs to implement a solution that will detect and block command-and-control (C2) traffic from malware on the internal network. The solution must be able to inspect encrypted traffic and operate at the network layer. Which of the following is the BEST choice?

A.Implement a web application firewall (WAF) to filter outbound HTTP/HTTPS traffic.
B.Install a network-based intrusion detection/prevention system (IDS/IPS) with signature updates.
C.Use endpoint detection and response (EDR) agents on all workstations and servers.
D.Deploy a next-generation firewall (NGFW) with SSL/TLS inspection and application-level filtering.
AnswerD

NGFW can decrypt SSL/TLS traffic and inspect it for C2 patterns, then block malicious flows.

Why this answer

A next-generation firewall (NGFW) with SSL/TLS inspection and application-level filtering is the best choice because it can decrypt and inspect encrypted C2 traffic at the network layer, then apply application-aware rules to block malicious communications. This directly addresses the requirement to detect and block C2 traffic that uses encryption to evade traditional inspection.

Exam trap

The trap here is that candidates often choose a network-based IDS/IPS (Option B) thinking it can inspect encrypted traffic, but without SSL/TLS decryption, it can only see encrypted payloads and cannot detect C2 commands hidden inside the encrypted tunnel.

How to eliminate wrong answers

Option A is wrong because a web application firewall (WAF) is designed to protect web servers from application-layer attacks (e.g., SQL injection, XSS) and typically filters inbound HTTP/HTTPS traffic, not outbound C2 traffic from internal malware. Option B is wrong because a network-based IDS/IPS with signature updates can detect known C2 patterns but cannot inspect encrypted traffic without decryption, so it would miss C2 traffic tunneled over TLS/SSL. Option C is wrong because endpoint detection and response (EDR) agents operate at the host/endpoint layer, not the network layer, and the question specifically requires a solution that operates at the network layer.

579
Multi-Selecthard

A security engineer is reviewing the results of a penetration test. The tester successfully exploited a vulnerability in a web application and escalated privileges to domain admin. Which THREE of the following findings should be included in the technical report to provide actionable remediation steps? (Select THREE.)

Select 3 answers
A.The estimated financial loss from the exploit
B.The recommendation to patch the web application
C.The exact command used to exploit the vulnerability
D.The name and contact of the penetration tester
E.The step-by-step path from initial access to domain admin
AnswersB, C, E

Actionable remediation is required in the technical findings.

Why this answer

The technical report should include specific recommendations (patch, input validation), evidence (command used), and impact (privilege escalation path). The business impact belongs in the executive summary.

580
MCQeasy

A security architect is designing a secure enclave for a high-value application. Which of the following is the BEST approach to isolate the application from the rest of the network?

A.Deploy the application in a DMZ behind a stateful firewall with least-privilege rules.
B.Install an intrusion detection system (IDS) on the application subnet.
C.Configure a jump box with two-factor authentication to access the application.
D.Place the application on a separate VLAN with an ACL.
AnswerA

A DMZ enclave with a stateful firewall ensures strict network isolation and policy enforcement, which is the best practice for high-value applications.

Why this answer

Option A is correct because an enclave uses a DMZ with strict firewall rules to isolate the application. Option D is wrong because VLANs alone do not provide the same level of isolation; they can be misconfigured or bypassed. Option C is wrong because jump boxes are for administrative access, not isolation.

Option B is wrong because an IDS provides detection, not isolation.

581
MCQmedium

A security architect is designing a data classification scheme. Which of the following is the MOST effective way to ensure consistent labeling across the organization?

A.Implementing DLP solutions.
B.Manual labeling by data owners.
C.User training and awareness.
D.Automated classification based on data content.
AnswerD

Automated tools using content analysis ensure consistent and accurate labeling without human error.

Why this answer

Option D is correct because automated classification minimizes human error and provides uniform application of labels.

582
Multi-Selecteasy

Which TWO of the following are key components of a successful incident response plan according to NIST SP 800-61?

Select 2 answers
A.Vulnerability scanning
B.Preparation
C.Patch management
D.User training
E.Detection and Analysis
AnswersB, E

Preparation is a foundational phase of the incident response lifecycle.

Why this answer

NIST SP 800-61 defines the incident response lifecycle as having four phases: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. Preparation (Option B) is the foundational phase that ensures the organization has the tools, policies, and trained personnel ready before an incident occurs. Detection and Analysis (Option E) is the second phase, focusing on identifying and validating security incidents through monitoring, alerting, and forensic analysis.

Exam trap

The CAS-004 exam often tests the distinction between activities that are part of the incident response lifecycle phases versus supporting security processes, leading candidates to mistakenly select vulnerability scanning or patch management as core components when they are actually separate operational tasks.

583
MCQhard

Based on the exhibit, which security issue does this IAM policy represent?

A.No versioning configured
B.Overly permissive resource access
C.Missing server-side encryption
D.Insufficient logging and monitoring
AnswerB

Allowing all principals (*) to get any object in the bucket is a significant security risk.

Why this answer

Option B is correct because the policy allows any principal to read all objects in the bucket, making it overly permissive. Option A is wrong because versioning is not relevant. Option C is wrong because encryption is not addressed.

Option D is wrong because logging is not mentioned.

584
MCQhard

An organization is implementing a privacy by design approach for a new customer-facing application. Which of the following actions best exemplifies this principle?

A.Adding a privacy notice to the application post-launch
B.Conducting a privacy impact assessment after the application is deployed
C.Minimizing data collection to only what is necessary for the application's function
D.Encrypting data at rest and in transit
AnswerC

Correct. Data minimization is a core privacy by design principle.

Why this answer

Privacy by design means embedding privacy into the design and architecture of systems, not as an afterthought. Data minimization (collecting only what is necessary) is a key principle.

585
MCQeasy

Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?

A.Identify vulnerabilities and threats
B.Identify critical business processes and their impact if disrupted
C.Determine recovery time objectives (RTOs)
D.Develop continuity strategies
AnswerB

Core purpose of BIA

Why this answer

The primary purpose of a business impact analysis (BIA) is to identify critical business processes and quantify the operational and financial impact if they were disrupted. This foundational step determines which systems and functions are essential to the organization's survival, directly informing the selection of recovery strategies and objectives. Without a BIA, continuity planning lacks a data-driven basis for prioritizing resources.

Exam trap

The trap here is that candidates confuse the BIA's role as a data-gathering and analysis phase with the subsequent planning outputs (RTOs, strategies), leading them to select a downstream deliverable instead of the primary purpose.

How to eliminate wrong answers

Option A is wrong because identifying vulnerabilities and threats is the primary purpose of a risk assessment, not a BIA; a BIA focuses on impact to business processes, not the specific threats that could cause disruption. Option C is wrong because determining recovery time objectives (RTOs) is an output derived from the BIA's impact analysis, not the primary purpose itself; the BIA provides the data (e.g., maximum tolerable downtime) that allows RTOs to be set. Option D is wrong because developing continuity strategies is a subsequent phase that uses the BIA's findings (critical processes and impact tolerances) to design recovery plans, not the BIA's core goal.

586
MCQhard

An organization has implemented a risk treatment plan that includes purchasing cyber insurance for potential data breach costs. Which risk treatment option does this represent?

A.Risk mitigation
B.Risk avoidance
C.Risk acceptance
D.Risk transfer
AnswerD

Insurance transfers the financial impact to a third party.

Why this answer

Cyber insurance transfers the financial risk to an insurance company, which is risk transfer.

587
Multi-Selectmedium

A security architect is implementing a zero trust architecture for a corporate network. Which TWO principles are fundamental to the zero trust approach? (Choose two.)

Select 2 answers
A.Grant access based on network location
B.Assume implicit trust for internal users
C.Use a single perimeter firewall
D.Verify every access request regardless of source
E.Implement least privilege access
AnswersD, E

All access must be authenticated and authorized.

Why this answer

Zero Trust requires verifying every request and limiting access to only what is needed, regardless of user location or network.

588
MCQmedium

An organization is implementing a risk management framework and wants to align with a standard that emphasizes a continuous, iterative process for identifying, assessing, and responding to risk. Which framework is most appropriate?

A.FAIR
B.ISO 27005
C.COBIT
D.NIST RMF
AnswerD

Correct. NIST RMF defines a continuous, iterative process for risk management.

Why this answer

The NIST Risk Management Framework (RMF) describes a continuous process that includes steps like categorize, select, implement, assess, authorize, and monitor.

589
MCQmedium

A vulnerability management team is prioritizing patches for a set of critical vulnerabilities. Vulnerability A has a CVSS base score of 9.8, vulnerability B has a CVSS base score of 7.5, and vulnerability C has a CVSS base score of 8.2. However, vulnerability B is actively being exploited in the wild, while the others are not. Which vulnerability should be patched first according to best practices?

A.All three should be patched simultaneously
B.Vulnerability B because it is actively exploited
C.Vulnerability C because it has a higher base score than B
D.Vulnerability A because it has the highest base score
AnswerB

Active exploitation increases the vulnerability's temporal score and priority.

Why this answer

While CVSS base score is important, temporal factors like active exploitation increase risk. Vulnerability B, despite a lower base score, is being exploited and thus poses a more immediate threat. Patching should prioritize actively exploited vulnerabilities.

590
MCQhard

An analyst is examining a memory dump with Volatility and finds a suspicious process that has no parent process (parent PID 0). Which technique is the malware likely using to hide?

A.Rootkit
B.DLL injection
C.Process hollowing
D.WMI persistence
AnswerC

Process hollowing can result in a process with no parent.

Why this answer

Process hollowing replaces the memory of a legitimate process with malicious code. The parent PID 0 indicates that the process was spawned by the kernel, which can occur after hollowing.

591
Multi-Selecteasy

An organization is implementing a privacy program in accordance with GDPR. Which TWO of the following are data subject rights under GDPR? (Select TWO.)

Select 2 answers
A.Right to transfer
B.Right to data portability
C.Right to rectification
D.Right to be informed
E.Right to be forgotten
AnswersB, E

Data subjects can obtain and reuse their personal data across services.

Why this answer

GDPR grants data subjects rights including the right to erasure (right to be forgotten) and the right to data portability. Right to be informed is also a right but is not listed correctly; right to rectification is a right but not listed. Right to transfer is not a formal GDPR right.

592
MCQhard

A DevOps team is implementing a CI/CD pipeline for a Java application. They want to ensure that all dependencies are scanned for known vulnerabilities before deployment. Which type of tool should they integrate into the pipeline?

A.Static Application Security Testing (SAST)
B.Dynamic Application Security Testing (DAST)
C.Software Composition Analysis (SCA)
D.Interactive Application Security Testing (IAST)
AnswerC

Why this answer

Software Composition Analysis (SCA) is the correct tool because it specifically analyzes open-source and third-party libraries (dependencies) for known vulnerabilities by cross-referencing them against databases like the National Vulnerability Database (NVD). In a CI/CD pipeline for a Java application, SCA tools (e.g., OWASP Dependency-Check, Snyk) scan build artifacts such as pom.xml or build.gradle to identify vulnerable components before deployment.

Exam trap

The CAS-004 exam often tests the distinction between SAST (source code analysis) and SCA (dependency analysis), so the trap here is that candidates mistakenly choose SAST because they think 'static' covers all pre-deployment scanning, but SAST does not analyze third-party libraries.

Why the other options are wrong

A

SAST analyzes source code for security flaws, not third-party libraries.

B

DAST tests running applications for vulnerabilities, not dependencies.

D

IAST combines SAST and DAST but still focuses on custom code, not dependencies.

593
Multi-Selecthard

A security analyst is reviewing cryptographic implementations for a new application. The application needs to support digital signatures that are quantum-resistant and provide high performance. Which TWO algorithms should the analyst consider? (Select TWO.)

Select 2 answers
A.Ed25519
B.XMSS (eXtended Merkle Signature Scheme)
C.ECDSA P-384
D.BLAKE3
E.CRYSTALS-Dilithium
AnswersB, E

XMSS is a hash-based signature scheme that is quantum-resistant.

Why this answer

Ed25519 is a high-performance signature algorithm based on Curve25519, but it is not quantum-resistant. BLAKE3 is a hash function, not a signature. ECDSA P-384 is also not quantum-resistant.

Currently, NIST is standardizing post-quantum algorithms like CRYSTALS-Dilithium and XMSS (hash-based). CRYSTALS-Dilithium is a lattice-based signature scheme, and XMSS is a hash-based signature scheme that is quantum-resistant. Both are suitable for high performance in software.

594
MCQhard

During a security review, you find that a web application uses a Content Security Policy (CSP) header with the value: "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com;". Which attack is the application still vulnerable to?

A.Cross-site request forgery (CSRF)
B.Cross-site scripting (XSS) via inline script injection
C.SQL injection
D.Man-in-the-middle (MITM) attack due to CDN inclusion
AnswerB

Why this answer

Option B is correct because the CSP includes 'unsafe-inline' in the script-src directive, which explicitly allows inline scripts. This bypasses the primary protection CSP offers against XSS, as an attacker can inject malicious JavaScript directly into the HTML (e.g., via a <script> tag or event handler) without violating the policy. The 'self' source only restricts external scripts to the same origin, but inline scripts remain permitted, leaving the application vulnerable to stored, reflected, or DOM-based XSS attacks.

Exam trap

The CAS-004 exam often tests the misconception that CSP alone prevents all XSS, but the trap here is that 'unsafe-inline' explicitly disables CSP's inline script protection, making XSS via script injection still possible despite the policy.

Why the other options are wrong

A

CSP does not directly prevent CSRF; CSRF is mitigated by anti-CSRF tokens.

C

CSP is a browser-side security mechanism and does not prevent server-side SQL injection.

D

The CDN is over HTTPS, so MITM is not the primary vulnerability; 'unsafe-inline' is the issue.
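The 'unsafe-inline' weakness above, as an added example that is not part of the original question bank: a small Python CSP auditor that parses the header, resolves which directive governs scripts (script-src, falling back to default-src), and reports whether inline scripts are still allowed. It also handles the caveat that a policy carrying a nonce or hash source makes 'unsafe-inline' ignored by CSP Level 2+ browsers, so such a policy is not flagged.

```python
from typing import Dict, List

# Prefixes of source expressions that make browsers ignore 'unsafe-inline'.
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}.

    Directives are separated by ';'; a directive's sources are whitespace
    separated. Per the spec, a repeated directive name is ignored.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue  # trailing ';' leaves an empty directive
        name, sources = tokens[0].lower(), [s.lower() for s in tokens[1:]]
        policy.setdefault(name, sources)
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src governs scripts; when absent, default-src is the fallback."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def inline_script_allowed(header: str) -> bool:
    """True when the policy lets inline <script> blocks and event handlers run."""
    sources = effective_script_sources(parse_csp(header))
    if "'unsafe-inline'" not in sources:
        return False
    # A nonce or hash source switches browsers to nonce/hash mode and
    # 'unsafe-inline' is then ignored, so inline scripts are NOT allowed.
    return not any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)


def audit_script_policy(header: str) -> List[str]:
    """Return human-readable findings about the script policy."""
    policy = parse_csp(header)
    sources = effective_script_sources(policy)
    findings = []
    if not sources:
        findings.append("no script-src or default-src: scripts from any origin run")
    if inline_script_allowed(header):
        findings.append("'unsafe-inline' without nonce/hash: inline script XSS possible")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval' permits eval()/Function() on attacker strings")
    if "*" in sources or "https:" in sources:
        findings.append("wildcard script source: any host can supply scripts")
    return findings


# Constructed header, identical to the one in the question.
QUESTION_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com;"

if __name__ == "__main__":
    for finding in audit_script_policy(QUESTION_CSP):
        print("FINDING:", finding)
```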

595
MCQhard

A security team is hardening a Kubernetes cluster. Which control should be implemented to restrict a container's system calls to only those required by the application?

A.Seccomp
B.AppArmor
C.Network policies
D.Pod security policies
AnswerA

Seccomp restricts system calls for containers.

Why this answer

seccomp (secure computing mode) filters system calls a process can make, reducing the kernel attack surface. It is a Linux kernel feature commonly used in container security.

596
MCQeasy

A web application generates an Ansible playbook from user input as shown. What is the primary security risk?

A.The application is vulnerable to SQL injection.
B.The user input could be crafted to execute arbitrary Ansible modules.
C.The application is vulnerable to LDAP injection.
D.The playbook may fail to run if input contains special characters.
AnswerB

YAML injection can lead to arbitrary module execution, compromising hosts.

Why this answer

Option B is correct because replacing the placeholder with user input can allow YAML injection, enabling arbitrary module execution. Option D is operational, not security. Option A is SQL injection, irrelevant here.

Option C is LDAP injection, not applicable.

597
MCQeasy

Which of the following is a key benefit of using an Extended Detection and Response (XDR) solution over traditional Endpoint Detection and Response (EDR)?

A.XDR only works with a single vendor's products
B.XDR eliminates the need for SIEM and SOAR systems
C.XDR only focuses on network traffic analysis
D.XDR provides centralized visibility across multiple security layers including endpoints, network, and cloud
AnswerD

XDR integrates data from various sources for holistic detection and response.

Why this answer

XDR extends detection beyond endpoints to include network, email, cloud, and other data sources, providing broader visibility and correlation across the entire environment.

598
Drag & Dropmedium

Drag and drop the steps to configure a RADIUS server for 802.1X authentication into the correct order.


Why this order

RADIUS setup: install NPS, register in AD, add RADIUS client, configure connection policy, then network policy.

599
MCQeasy

In the shared responsibility model for cloud security, which of the following is typically the responsibility of the customer?

A.Data classification and encryption
B.Physical security of data centers
C.Network infrastructure security
D.Hypervisor security
AnswerA

Customers are responsible for classifying and encrypting their own data.

Why this answer

The customer is responsible for securing their data, applications, and access management, while the provider secures the infrastructure.

600
Multi-Selecthard

A DevSecOps team is integrating security into the CI/CD pipeline. Which THREE practices should be included to ensure supply chain security?

Select 3 answers
A.Network segmentation
B.Dependency analysis
C.Container image scanning
D.Runtime application self-protection
E.Software Bill of Materials (SBOM)
AnswersB, C, E

Scans dependencies for known vulnerabilities.

Why this answer

SBOMs provide transparency of components, dependency scanning reveals known vulnerabilities, and image scanning ensures container images are free of malware. Together they strengthen supply chain security.

CompTIA SecurityX CAS-004 CAS-004 Questions 526–600 | Page 8/14 | Courseiva