CompTIA SecurityX CAS-004 — Questions 601-675

1000 questions total · 14 pages · All types, answers revealed

Page 9 of 14
601
MCQhard

An organization's business continuity plan (BCP) includes a recovery time objective (RTO) of 4 hours for its critical ERP system. During a disaster, the system is restored in 5 hours. Which of the following is the MOST significant impact?

A.Unacceptable business downtime and potential contractual penalties
B.Need to reroute network traffic to the DR site
C.Higher cost for cyber insurance premiums
D.Increased recovery point objective (RPO) for the last backup
AnswerA

Missing RTO leads to unacceptable downtime and penalties.

Why this answer

Option A is correct because exceeding the RTO means the system was unavailable longer than the business agreed it could tolerate, which is unacceptable downtime and may trigger contractual or SLA penalties. Option D is wrong because the RPO governs how much data may be lost, not how long recovery may take. Option B is wrong because rerouting traffic to the DR site is a recovery step, not an impact.

Option C is wrong because any change to insurance premiums is an indirect, later consequence; the immediate and most significant impact is operational.

602
Multi-Selectmedium

A security architect is designing a cloud security strategy for a healthcare organization that uses a hybrid cloud environment with AWS and Azure. The organization must comply with HIPAA and needs to protect sensitive patient data. Which THREE cloud security controls should be prioritized? (Choose THREE.)

Select 3 answers
A.Virtual Private Cloud (VPC)
B.Cloud Workload Protection Platform (CWPP)
C.Cloud Access Security Broker (CASB)
D.Identity and Access Management (IAM)
E.Cloud Security Posture Management (CSPM)
AnswersB, C, E

CWPP secures workloads running in hybrid cloud, including vulnerability management and runtime protection.

Why this answer

Cloud Access Security Broker (CASB) provides visibility and data protection across cloud services, CSPM identifies misconfigurations that could lead to breaches, and Cloud Workload Protection Platform (CWPP) secures workloads in public clouds. IAM and VPC are important but are more basic controls; they are not the primary focus for this scenario.

603
MCQhard

Match each automation security concept (left) with its corresponding best practice (right).

Immutable infrastructure.Never modify a running instance; redeploy instead
Infrastructure as Code.Store all configuration files in version control
Secret management.Use a dedicated vault service to store credentials
CI/CD pipeline security scanning.Scan container images for vulnerabilities before deployment

Why this answer

This matching pairs key concepts with their best practices: Immutable infrastructure -> never modify after deployment, Infrastructure as Code -> version control all configurations, Secret management -> use vault for credentials, CI/CD pipeline scanning -> scan images before deployment.

Exam trap

Candidates might confuse 'immutable infrastructure' with 'infrastructure as code'.

604
Multi-Selecteasy

A security architect is reviewing firewall rules for a new application tier. Which TWO of the following principles should be applied when designing the firewall policy? (Choose two.)

Select 2 answers
A.Log all denied traffic
B.Use static IP addresses for all servers
C.Implement stateful packet inspection
D.Default allow all traffic
E.Allow only necessary ports and protocols
AnswersC, E

Stateful inspection allows rules based on connection state, improving security.

Why this answer

Allowing only necessary ports and protocols (E) applies least privilege to the rule base, and stateful packet inspection (C) lets the firewall admit return traffic for established sessions without opening inbound holes. Default allow (D) is the opposite of a secure design. Static IP addressing (B) is an implementation detail, not a policy principle. Logging denied traffic (A) is good operational practice and usually worth enabling, but it does not shape the rules themselves, so it is not a design principle for the policy.

605
MCQhard

A company is preparing for post-quantum cryptography migration. According to NIST PQC standards, which algorithm is a candidate for key encapsulation?

A.CRYSTALS-Dilithium
B.SPHINCS+
C.Falcon
D.CRYSTALS-Kyber
AnswerD

Kyber, standardized by NIST as ML-KEM (FIPS 203), is the key encapsulation mechanism; the other three options are signature schemes.

Why this answer

CRYSTALS-Kyber is the NIST-selected key encapsulation mechanism, published as ML-KEM in FIPS 203 (August 2024). It is used to establish a shared symmetric key over an untrusted channel. CRYSTALS-Dilithium (ML-DSA, FIPS 204), SPHINCS+ (SLH-DSA, FIPS 205) and Falcon (FN-DSA, draft FIPS 206) are digital signature algorithms, not KEMs.

606
MCQeasy

Which of the following is the primary purpose of a honeypot in a security operations environment?

A.To encrypt sensitive data at rest
B.To replace the need for traditional firewalls
C.To block malicious traffic at the network perimeter
D.To provide early detection of unauthorized activity
AnswerD

Honeypots detect attackers by luring them.

Why this answer

Honeypots are decoy systems designed to attract attackers, allowing security teams to observe their tactics, techniques, and procedures without risking real assets.

607
MCQmedium

A security analyst receives an alert from the SIEM indicating multiple failed logon attempts from an external IP address followed by a successful logon for a domain admin account. Which phase of the incident response lifecycle is the analyst currently in?

A.Lessons learned
B.Containment
C.Detection
D.Preparation
AnswerC

The alert is part of the detection phase where potential incidents are identified.

Why this answer

The detection phase involves identifying potential incidents through alerts and analysis. The analyst has received an alert and is likely investigating, which is part of detection.

608
MCQeasy

A security analyst is reviewing a Kubernetes cluster's security configuration. Which component should be used to ensure that only authorized pods can communicate with each other?

A.Pod Security Policies (PSP)
B.Seccomp profiles
C.Network Policies
D.RBAC roles
AnswerC

Network policies define how groups of pods can communicate with each other and other network endpoints.

Why this answer

Kubernetes Network Policies define ingress and egress rules for pods, selected by label, at the IP address and port level, which is the building block for micro-segmentation inside a cluster. Two practitioner caveats: policies are only enforced when the cluster's CNI plugin supports them, and a pod that no policy selects accepts all traffic, so a namespace needs an explicit default-deny policy first. Pod Security Policies (A) governed what a pod may do, not whom it may talk to, and were removed in Kubernetes 1.25; seccomp profiles (B) filter system calls; RBAC roles (D) control access to the Kubernetes API.

609
MCQhard

A company must protect cryptographic keys used to sign financial transactions. The solution must be FIPS 140-2 Level 3 compliant and provide tamper-resistant hardware. Which technology should be deployed?

A.Software-based key management system
B.Hardware security module
C.Cloud KMS
D.TPM
AnswerB

HSMs are tamper-resistant hardware meeting FIPS 140-2 Level 3.

Why this answer

HSMs (Hardware Security Modules) provide tamper-resistant, FIPS 140-2 Level 3+ certified hardware for key generation, storage, and signing operations.

610
Multi-Selectmedium

A security architect is evaluating an API security strategy for a SaaS application that supports OAuth 2.0. Which TWO controls should the architect recommend to protect against token interception and replay attacks?

Select 2 answers
A.Using long-lived access tokens to reduce authentication frequency
B.Enforcing short-lived access tokens with refresh token rotation
C.Encrypting JWT payloads with a symmetric key
D.Implementing token binding to bind tokens to a specific client session
E.Implementing rate limiting on the token endpoint
AnswersB, D

Short-lived tokens limit the time window for misuse, and rotating refresh tokens adds security.

Why this answer

Using short-lived access tokens reduces the window of opportunity for replay attacks. Token binding (proof-of-possession) ties the token to the client, making interception less useful. Rate limiting mitigates brute force but not token interception.

Long-lived tokens increase risk. JWT encryption protects content but not replay.
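The controls in option B, worked through in code as an added example (not from the original question bank): short-lived access tokens plus one-time refresh tokens, where presenting an already-used refresh token is treated as evidence of interception and revokes the whole token family. The class, TTLs, storage layout and the two walk-through scenarios are constructed for the demonstration and do not describe any particular authorization server.

```python
"""Short-lived access tokens with one-time refresh tokens and reuse detection.
Added illustration; the class, names and TTLs are assumptions, not a specific
authorization server's implementation."""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


class TokenService:
    """Every refresh rotates the refresh token. A refresh token presented twice
    means a stale copy exists somewhere (interception or replay), so the whole
    token family descending from that login is revoked."""

    def __init__(self, access_ttl: int = 300,
                 now: Callable[[], float] = time.time) -> None:
        self.access_ttl = access_ttl
        self.now = now                 # injectable clock so expiry can be tested
        self._access: Dict[str, Tuple[str, str, float]] = {}  # hash -> (subject, family, expiry)
        self._refresh: Dict[str, Tuple[str, str, bool]] = {}  # hash -> (subject, family, used)
        self._revoked_families: set = set()

    @staticmethod
    def _h(token: str) -> str:
        # Store only a digest: a leaked token store must not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, subject: str, family: str) -> Tuple[str, str]:
        access = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        refresh = secrets.token_urlsafe(32)
        self._access[self._h(access)] = (subject, family, self.now() + self.access_ttl)
        self._refresh[self._h(refresh)] = (subject, family, False)
        return access, refresh

    def login(self, subject: str) -> Tuple[str, str]:
        """Start a new token family for a freshly authenticated subject."""
        return self._issue(subject, secrets.token_hex(8))

    def validate_access(self, access: str) -> Optional[str]:
        """Return the subject for a live access token, else None."""
        rec = self._access.get(self._h(access))
        if rec is None:
            return None
        subject, family, expiry = rec
        if family in self._revoked_families or self.now() >= expiry:
            return None
        return subject

    def rotate(self, refresh: str) -> Tuple[str, str]:
        """Exchange a refresh token for a new access/refresh pair (one use only)."""
        key = self._h(refresh)
        rec = self._refresh.get(key)
        if rec is None:
            raise PermissionError("unknown refresh token")
        subject, family, used = rec
        if family in self._revoked_families:
            raise PermissionError("token family revoked")
        if used:
            # Reuse: whoever holds this stale token, legitimate client or thief,
            # we can no longer tell which copy is honest, so kill the family.
            self._revoked_families.add(family)
            raise PermissionError("refresh token reuse detected; family revoked")
        self._refresh[key] = (subject, family, True)
        return self._issue(subject, family)


def interception_scenario() -> Dict[str, bool]:
    """Constructed walk-through: an attacker replays an intercepted refresh token
    before the legitimate client does. Returns the observable outcomes."""
    clock = [1_000.0]
    svc = TokenService(access_ttl=300, now=lambda: clock[0])
    access1, refresh1 = svc.login("alice")
    attacker_access, _ = svc.rotate(refresh1)          # attacker spends refresh1 first
    try:
        svc.rotate(refresh1)                            # real client replays it
        reuse_detected = False
    except PermissionError:
        reuse_detected = True
    return {
        "reuse_detected": reuse_detected,
        "attacker_cut_off": svc.validate_access(attacker_access) is None,
        "victim_cut_off": svc.validate_access(access1) is None,
    }


def expiry_scenario() -> Tuple[bool, bool]:
    """Access tokens die on their own after access_ttl seconds."""
    clock = [1_000.0]
    svc = TokenService(access_ttl=300, now=lambda: clock[0])
    access, _ = svc.login("bob")
    alive = svc.validate_access(access) == "bob"
    clock[0] += 301
    return alive, svc.validate_access(access) is None


if __name__ == "__main__":
    print(interception_scenario())   # all three True
    print(expiry_scenario())         # (True, True)
```

The design choice worth noting is the family revocation: once a refresh token is seen twice the server cannot tell which holder is honest, so it ends the session for both and forces a fresh login, which is the behaviour the RFC 6819 threat model recommends for refresh token rotation. Token binding (option D) would go further by making the stolen token unusable from a different client in the first place.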

611
MCQeasy

During a security incident, a forensic investigator needs to capture the contents of volatile memory on a compromised server. Which of the following tools should the investigator use?

A.dd
B.Wireshark
C.FTK Imager (with memory capture)
D.Nmap
AnswerC

FTK Imager can capture an image of physical memory (RAM) for analysis.

Why this answer

FTK Imager with memory capture is the correct tool because it is specifically designed to acquire a bit-for-bit copy of volatile memory (RAM) from a live system while preserving forensic integrity. Unlike disk imaging tools, FTK Imager can capture the contents of physical memory, including running processes, network connections, and encryption keys, which are critical for incident response. This tool also generates a hash of the captured memory to ensure data integrity during analysis.

Exam trap

CompTIA often tests the misconception that dd can be used for memory capture because it is a common Linux imaging tool, but dd is designed for block-level disk copying and cannot reliably access volatile memory without specialized drivers or kernel patches.

How to eliminate wrong answers

Option A is wrong because dd copies block devices (for example hard drives) and cannot reliably acquire physical memory on a modern system: /dev/kmem has been removed from the Linux kernel and /dev/mem is restricted by default, so a loadable kernel module or a dedicated acquisition driver is required. Option B is wrong because Wireshark captures and inspects network traffic; it cannot read system RAM. Option D is wrong because Nmap performs host discovery, port scanning and service enumeration and has no memory acquisition capability.

612
MCQmedium

Refer to the exhibit. A security analyst notices that traffic from external clients to the web server at 10.0.0.10 port 80 is being blocked. Which of the following is the MOST likely cause?

A.The ACL lacks a log statement
B.The ACL is misordered (deny before permit)
C.The web server is using port 443
D.The destination IP is incorrect
AnswerB

The deny all rule (line 1) blocks all traffic before the permit rule is evaluated.

Why this answer

The ACL is processed top-down. The 'deny ip any any' rule matches all traffic before the permit rule, so all traffic is blocked. Misordering is the cause.

The web server using HTTPS (443) is possible but not indicated, and the destination IP appears correct. Lack of logging is not the cause.
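The top-down, first-match evaluation that the explanation relies on, as an added example that is not part of the original question (the exhibit itself is not reproduced on this page). The two ACLs below are constructed to mirror the scenario, a catch-all deny placed before the permit for TCP/80 to 10.0.0.10 and the corrected order, and the external client address 203.0.113.5 is a documentation address chosen for the demonstration. The shadowed_entries check is the kind of lint a reviewer would run over a rule base to catch this class of mistake before deployment.

```python
"""First-match ACL evaluation, modelled on Cisco-style access lists: entries are
tested top-down, the first matching entry decides, and an implicit deny sits at
the end. The ACLs below are constructed to mirror the scenario; they are not the
exhibit from the original question."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp" or "udp"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # None = any destination port


def _net_contains(cidr: str, ip: str) -> bool:
    if cidr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _matches(e: AclEntry, proto: str, src: str, dst: str, dport: int) -> bool:
    if e.proto != "ip" and e.proto != proto:
        return False
    if e.dport is not None and e.dport != dport:
        return False
    return _net_contains(e.src, src) and _net_contains(e.dst, dst)


def evaluate(acl: List[AclEntry], proto: str, src: str, dst: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """Return (verdict, line number) of the first matching entry.
    The line number is None when only the implicit deny applied."""
    for line, e in enumerate(acl, start=1):
        if _matches(e, proto, src, dst, dport):
            return e.action, line
    return "deny", None


def _net_covers(outer: str, inner: str) -> bool:
    """True when every address in `inner` is also in `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def shadowed_entries(acl: List[AclEntry]) -> List[Tuple[int, int]]:
    """Lint check: (shadowed line, shadowing line) pairs for entries that can
    never match because an earlier, broader entry catches their traffic first."""
    found = []
    for i, e in enumerate(acl):
        for j, earlier in enumerate(acl[:i]):
            proto_ok = earlier.proto == "ip" or earlier.proto == e.proto
            port_ok = earlier.dport is None or earlier.dport == e.dport
            if proto_ok and port_ok and _net_covers(earlier.src, e.src) \
                    and _net_covers(earlier.dst, e.dst):
                found.append((i + 1, j + 1))
                break
    return found


# Constructed ACLs: the misordered one places the catch-all deny first.
MISORDERED = [
    AclEntry("deny", "ip", "any", "any"),
    AclEntry("permit", "tcp", "any", "10.0.0.10/32", 80),
]
CORRECTED = [
    AclEntry("permit", "tcp", "any", "10.0.0.10/32", 80),
    AclEntry("deny", "ip", "any", "any"),
]


def web_verdict(acl: List[AclEntry]) -> Tuple[str, Optional[int]]:
    """An external client (203.0.113.5, a documentation address) opening TCP/80 to the web server."""
    return evaluate(acl, "tcp", "203.0.113.5", "10.0.0.10", 80)


if __name__ == "__main__":
    print("misordered:", web_verdict(MISORDERED), shadowed_entries(MISORDERED))
    print("corrected: ", web_verdict(CORRECTED), shadowed_entries(CORRECTED))
```

Running it shows the misordered list denying the request at line 1 and reporting line 2 as shadowed, while the corrected list permits TCP/80 at line 1 and still denies everything else at line 2, which is the behaviour the question expects.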

613
MCQhard

A security engineer is reviewing a TLS 1.3 configuration. Which of the following is a key feature of TLS 1.3 that improves security compared to earlier versions?

A.Mandatory forward secrecy using ephemeral Diffie-Hellman
B.Support for RC4 cipher suite
C.Support for static RSA key exchange
D.Ability to downgrade to TLS 1.2
AnswerA

TLS 1.3 requires ephemeral key exchange, ensuring forward secrecy.

Why this answer

TLS 1.3 removes the legacy cipher suites (RC4, the CBC-mode suites, 3DES) and keeps only AEAD ciphers; it removes static RSA and static DH key exchange so every handshake uses ephemeral (EC)DHE and therefore provides forward secrecy by default; and it adds downgrade protection, in that a TLS 1.3 server that negotiates a lower version embeds a fixed marker in the ServerHello random so a 1.3-capable client can detect a forced downgrade.

614
Multi-Selecteasy

A company is implementing API security for its web services. Which THREE of the following are considered best practices for securing APIs? (Select THREE).

Select 3 answers
A.Rely solely on symmetric encryption for data at rest
B.Validate all input
C.Use WPA3 for transport encryption
D.Implement rate limiting
E.Use OAuth 2.0 for authorization
AnswersB, D, E

Input validation prevents injection and other attacks.

Why this answer

API security best practices include using OAuth 2.0 for authentication/authorization, implementing rate limiting to prevent abuse, and validating input to prevent injection attacks. WPA3 is for Wi-Fi; symmetric encryption alone is not a complete API security practice.

615
MCQmedium

During a digital forensics investigation, an analyst needs to acquire the contents of RAM from a compromised server. Which order of volatility should the analyst follow?

A.Capture the swap file first, then RAM
B.Capture network connections first, then RAM
C.Capture the hard drive image first, then RAM
D.Capture RAM first, then the hard drive
AnswerD

RAM is the most volatile and should be collected first.

Why this answer

The order of volatility dictates collecting the most volatile data first. RAM is highly volatile and should be captured before less volatile data like disks.

616
MCQhard

A company uses Terraform to deploy infrastructure on AWS. They have a compliance requirement that all containers running on Amazon ECS must have a read-only root filesystem and must not run as root. The security team needs an automated way to enforce this policy and provide an audit trail for any violations. Which solution best meets these requirements?

A.Review all container definitions manually during the change management process.
B.Add a Terraform policy that validates container definitions at deployment time.
C.Write a custom Python script that periodically scans running ECS tasks and reports violations.
D.Use Open Policy Agent (OPA) with Gatekeeper as an admission controller on Amazon EKS, and deploy EKS instead of ECS.
AnswerD

OPA/Gatekeeper enforces policies on Kubernetes at admission time, rejecting non-compliant pods and writing audit records for violations. The option moves the workloads from ECS to EKS to gain this capability.

Why this answer

Kubernetes admission controllers such as OPA/Gatekeeper evaluate every pod specification before it is admitted, reject those that violate policy (here, a writable root filesystem or a root user), and record audit results for resources already running. Option D is correct. Terraform (B) can validate a task definition when a plan is applied, but it does not stop a task that is later changed outside Terraform and does not produce a continuous audit trail.

A custom script (C) is reactive, reporting violations after the fact rather than preventing them. Manual review (A) is not automated.

617
MCQeasy

A development team wants to deploy a microservices application using containers. They need a solution to automate the deployment, scaling, and management of the containers across a cluster. Which technology is most suitable?

A.VMware vSphere with container support.
B.Jenkins with Docker plugins.
C.Docker Compose with manual scaling.
D.Kubernetes with Helm charts.
AnswerD

Kubernetes provides automated deployment, scaling, and management; Helm simplifies configuration.

Why this answer

Kubernetes is designed to orchestrate containerized applications at scale, handling scheduling, scaling and self-healing, and Helm packages the deployment configuration. Option D is correct. Option C (Docker Compose) targets a single host and scales manually.

Option A (vSphere) manages virtual machines rather than a container cluster. Option B (Jenkins) is a CI/CD tool that can build and push images but does not run them across a cluster.

618
MCQmedium

A PKI administrator is deploying certificates for code signing. Which certificate type should be used so that operating systems and clients will trust the signature on the signed code?

A.EV certificate
B.S/MIME certificate
C.Code signing certificate
D.DV certificate
AnswerC

Code signing certificates are issued specifically for signing software and carry the code-signing extended key usage that operating systems check.

Why this answer

Code signing certificates are issued for signing software and carry the Code Signing extended key usage (EKU); a verifier rejects a signature made with a certificate that lacks it, such as a DV or EV TLS server certificate or an S/MIME certificate. They are typically issued by a publicly trusted CA, and the client still validates the full chain to a trusted root, and the revocation status of each certificate in it, before accepting the signature.

619
MCQeasy

A forensic analyst needs to collect volatile data from a live Windows system. In which order should the analyst collect the following data? (Order of volatility)

A.Disk image, memory dump, network connections, running processes
B.Memory dump, network connections, running processes, disk image
C.Network connections, running processes, memory dump, disk image
D.Running processes, memory dump, network connections, disk image
AnswerB

This follows the order of volatility from most to least volatile.

Why this answer

Option B is correct because memory is the most volatile and should be collected first, followed by network connections, then processes, and finally disk data. Option A is wrong because disk is less volatile. Option C is wrong because processes should be after memory.

Option D is wrong because network state is more volatile than disk.

620
MCQmedium

A PKI administrator is concerned about the risk of a compromised issuing CA. Which PKI mechanism helps detect unauthorized certificate issuance?

A.Certificate Transparency logs
B.CRL distribution points
C.OCSP stapling
D.Key usage extensions
AnswerA

CT logs enable public auditing of certificate issuance.

Why this answer

Certificate Transparency (CT) requires publicly trusted certificates to be submitted to public, append-only logs; major browsers reject certificates that do not carry the resulting signed certificate timestamps (SCTs). Domain owners and CAs can monitor the logs for certificates they did not authorize, which is how misissuance by a compromised or rogue CA gets noticed. CRLs and OCSP (B, C) communicate revocation after a problem is already known, and key usage extensions (D) constrain what a certificate may be used for; none of them detect misissuance.

621
MCQeasy

A Windows administrator needs to automate the retrieval of failed login events from the Security log. Which scripting language is most native and efficient for this task?

A.Bash
B.Ruby
C.PowerShell
D.Python
AnswerC

PowerShell natively supports querying Windows Event Log.

Why this answer

PowerShell has built-in cmdlets such as Get-WinEvent that query the Windows Event Log directly, for example filtering the Security log for event ID 4625 (an account failed to log on). Bash, Ruby and Python would need external modules or wrappers around the Windows APIs to do the same.

622
MCQmedium

During a vendor risk assessment, a security analyst reviews a SOC 2 Type II report from a cloud provider. What is the primary value of this report?

A.It provides assurance over the design and operating effectiveness of controls over a period.
B.It offers a snapshot of the vendor's security posture at a single point in time.
C.It provides a real-time vulnerability scan of the vendor's network.
D.It verifies the vendor's compliance with PCI DSS.
AnswerA

Type II reports include testing of controls over a period.

Why this answer

A SOC 2 Type II report provides an independent assessment of controls over a period, confirming the vendor's control effectiveness.

623
Multi-Selectmedium

An organization is hardening its Kubernetes cluster. Which THREE of the following are effective controls to limit the blast radius of a compromised container?

Select 3 answers
A.Using RBAC to restrict service account permissions
B.Implementing Kubernetes network policies to restrict pod-to-pod communication
C.Performing regular container image scanning for vulnerabilities
D.Applying seccomp profiles to limit system call availability
E.Enforcing Pod Security Standards (PSS) such as 'restricted' policy
AnswersB, D, E

Network policies limit which pods can communicate, containing potential lateral movement.

Why this answer

Network policies restrict communication between pods, limiting lateral movement. Seccomp profiles restrict system calls, reducing attack surface. Pod Security Standards (PSS) enforce security contexts like not running as root.

RBAC on the service account (A) limits what a compromised pod can do against the Kubernetes API, which is worthwhile, but it does not restrict the pod's network reach or its access to the kernel, which is what the question targets. Image scanning (C) reduces the chance of a compromise but does nothing to contain one that has already happened.

624
MCQmedium

A SOC team is implementing a SOAR playbook to automate response to phishing emails reported by users. Which step should be included in the playbook to prevent other users from accessing the malicious link?

A.Isolate the reporter's workstation
B.Reset the reporter's password
C.Block the malicious URL in the web proxy
D.Delete the email from all mailboxes
AnswerC

Blocking the URL prevents access by all users.

Why this answer

URL blocking in a web proxy prevents other users from accessing the malicious link, which is a common automated response in phishing playbooks.

625
MCQeasy

A company is developing a new mobile app that will process users' biometric data for authentication. The legal team is concerned about compliance with the GDPR's data protection by design. Which of the following is the MOST appropriate control to implement?

A.Obtain explicit consent from users before data collection.
B.Store biometric data in hashed form on the device.
C.Implement strong encryption for data in transit and at rest.
D.Conduct a Data Protection Impact Assessment (DPIA) before development.
AnswerD

DPIA is mandated for high-risk processing and is a key part of data protection by design.

Why this answer

D is correct. A DPIA is required by GDPR for high-risk processing like biometrics. Consent is important but does not replace the DPIA.

Encryption is a technical control but the DPIA is foundational for 'by design'.

626
Multi-Selectmedium

Which TWO of the following are advantages of using a hardware security module (HSM) over a software-based cryptographic module? (Select exactly 2.)

Select 2 answers
A.Easier to deploy in cloud environments than software.
B.Automatically receive security patches without manual intervention.
C.Physical tamper resistance and protection against key extraction.
D.Lower cost than software modules.
E.Faster cryptographic operations due to dedicated hardware accelerators.
AnswersC, E

HSMs are designed to resist physical attacks, making them more secure for key storage.

Why this answer

Options C and E are correct. An HSM provides physical tamper resistance, with keys that never leave the device in plaintext, and dedicated cryptographic accelerators. Option D is wrong because HSMs are generally more expensive than software modules.

Option A is wrong because a software module is easier to deploy in the cloud; HSMs can be used there, as a hosted or cloud HSM service, but deployment is not simpler. Option B is wrong because HSM firmware is updated deliberately by the operator or provider under change control, not patched automatically.

627
MCQeasy

An organization is implementing a PKI to issue certificates for internal applications. The security team wants to minimize the risk of compromise to the root CA. Which of the following is the BEST practice to protect the root CA?

A.Delegate root CA responsibilities to a public CA
B.Keep the root CA offline and store its private key in a hardware security module
C.Install the root CA on a VM with strict firewall rules
D.Use a self-signed certificate for the root CA and distribute it manually
AnswerB

This is the industry-standard approach to protect the root CA.

Why this answer

Keeping the root CA offline and using a hardware security module (HSM) for key storage ensures its private key is never exposed to network threats. This is a standard best practice.

628
MCQeasy

Which document in a security policy hierarchy provides specific step-by-step instructions for performing a task?

A.Guideline
B.Procedure
C.Standard
D.Policy
AnswerB

A procedure provides detailed instructions for a specific activity.

Why this answer

A procedure details the exact steps to implement a policy, standard, or guideline.

629
MCQhard

An organization uses a multi-cloud strategy with workloads in AWS and Azure. The security architect needs to implement a single identity provider for all cloud resources while maintaining on-premises Active Directory as the authoritative source. Which architecture minimizes latency and complexity?

A.Use a third-party cloud-based identity provider and sync AD to it
B.Synchronize AD to Azure AD and then use Azure AD as an identity source for AWS via SAML
C.Create separate identity stores in AWS and Azure and sync from AD
D.Federate on-premises AD directly with both AWS and Azure using ADFS
AnswerD

ADFS can federate with both clouds using SAML, minimizing synchronization and complexity.

Why this answer

Option D is correct. AD FS (Active Directory Federation Services) federates on-premises AD directly with AWS (SAML 2.0 to IAM Identity Center or IAM roles) and with Azure AD (a federated domain), so AD remains the single authoritative source, no copy of the directory has to be synchronized to a second cloud, and neither cloud's sign-in depends on the other's identity service. Option B works but routes AWS authentication through Azure AD, adding a hop and a dependency. Option C creates duplicate identity stores and doubles the synchronization to maintain. Option A adds a third-party service and another synchronization path. In practice many organizations still choose Azure AD as the hub to retire their AD FS servers; the question asks for the architecture with the fewest moving parts between AD and each cloud.

630
MCQmedium

A company is implementing a zero-trust network architecture. Which of the following components is essential for enforcing micro-segmentation?

A.Security information and event management (SIEM) system
B.Software-defined networking (SDN) with distributed firewalls
C.Multi-factor authentication (MFA)
D.Network access control (NAC)
AnswerB

SDN allows granular, policy-driven segmentation at the virtual network level.

Why this answer

Micro-segmentation divides the network into small zones, down to individual workloads, each with its own policy. Software-defined networking with distributed firewalls (B) enforces those policies at the hypervisor or virtual switch, so traffic between two workloads on the same host is still inspected. Option D is wrong because NAC decides whether a device may join the network, not how traffic flows once it is on.

Option C is wrong because MFA is an authentication mechanism. Option A is wrong because a SIEM correlates logs but does not enforce policy.

631
MCQmedium

A healthcare organization is required to comply with HIPAA. During an audit, the auditor requests evidence of access controls for electronic protected health information (ePHI). Which of the following would be the BEST evidence to provide?

A.A report of employee security training completion
B.A signed copy of the access control policy
C.Access review logs showing periodic reviews of user permissions
D.A network diagram of the IT infrastructure
AnswerC

This demonstrates ongoing compliance with access control requirements.

Why this answer

Access review logs demonstrate ongoing monitoring and management of access rights, which is a key HIPAA requirement for administrative safeguards. A signed policy is insufficient without evidence of enforcement. A network diagram shows architecture, not control.

A training completion report addresses workforce training, not access controls.

632
MCQhard

During a security assessment, a penetration tester discovers that a web application's session tokens are predictable. The application uses a custom session management system. Which of the following is the MOST effective remediation to ensure secure session tokens?

A.Generate session tokens using a cryptographically secure random number generator (CSPRNG) with at least 128 bits of entropy.
B.Regenerate the session token on each page request.
C.Implement a short session timeout of 5 minutes.
D.Generate tokens using HMAC-SHA256 of a timestamp and a secret key.
AnswerA

CSPRNGs produce unpredictable values resistant to analysis, ensuring that session tokens cannot be guessed.

Why this answer

Option A is correct because a CSPRNG with at least 128 bits of entropy makes each token unguessable, and cryptographic randomness is the property a session token must have. Option C is wrong because a short timeout shrinks the window but does nothing about tokens that can be predicted within it. Option D is wrong because an HMAC over a timestamp is deterministic: anyone who learns the key can compute every token, and two sessions created in the same second collide.

Option B is wrong because regenerating a token that comes from a predictable generator just produces another predictable token, and adds overhead, without fixing the root cause.
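The three token schemes compared in the explanation, as an added example that is not code from the original question: a constructed predictable scheme (MD5 of a session counter) broken from a single captured token, the HMAC-of-timestamp scheme of option D showing its same-second collision, and the CSPRNG token of option A. The weak schemes and the server key are constructed for the demonstration and do not describe the application in the question.

```python
"""Why predictable session tokens fail and what a CSPRNG token looks like.
Added illustration; the weak schemes are constructed for the demonstration and
are not the application from the question."""
import hashlib
import hmac
import secrets
from typing import Optional


class CounterTokens:
    """Constructed weak scheme: token = MD5(session counter). Looks random to the
    eye, but the whole sequence is recoverable from a single observed token."""

    def __init__(self, start: int = 4_000) -> None:
        self.counter = start

    def new(self) -> str:
        self.counter += 1
        return hashlib.md5(str(self.counter).encode()).hexdigest()


def predict_next(observed: str, search_limit: int = 100_000) -> Optional[str]:
    """Attacker view: brute-force the counter behind one captured token, then
    derive the token the server will hand to the next user."""
    for c in range(search_limit):
        if hashlib.md5(str(c).encode()).hexdigest() == observed:
            return hashlib.md5(str(c + 1).encode()).hexdigest()
    return None


def hmac_timestamp_token(key: bytes, unix_seconds: int) -> str:
    """Option D from the question: HMAC of a timestamp. Unpredictable only while
    the key stays secret, and two logins in the same second get the same token."""
    return hmac.new(key, str(unix_seconds).encode(), hashlib.sha256).hexdigest()


def csprng_token(entropy_bits: int = 128) -> str:
    """Option A: a token drawn from the OS CSPRNG; 128 bits by default."""
    return secrets.token_urlsafe(entropy_bits // 8)


def csprng_tokens_distinct(n: int = 1_000) -> bool:
    """Sanity check a reviewer can run: n tokens, all distinct. Distinctness is
    all a test can show; unpredictability rests on the CSPRNG, which is the point."""
    seen = {csprng_token() for _ in range(n)}
    return len(seen) == n


if __name__ == "__main__":
    weak = CounterTokens()
    victim = weak.new()                        # captured from the network
    print(predict_next(victim) == weak.new())  # True: the next user's session is known
    key = b"server-secret"                     # constructed key
    print(hmac_timestamp_token(key, 1_700_000_000) ==
          hmac_timestamp_token(key, 1_700_000_000))  # True: same second, same token
    print(csprng_token())
```

When the server later compares a presented token against its store, use hmac.compare_digest rather than == so the comparison does not leak timing information; that is a separate weakness from predictability but is commonly found alongside it in custom session code.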

633
MCQmedium

A healthcare organization subject to HIPAA must ensure that patients can access their medical records. This requirement is an example of which data subject right under privacy regulations?

A.Right to be forgotten
B.Right to data portability
C.Right to rectification
D.Right to access
AnswerD

HIPAA requires covered entities to provide individuals access to their PHI.

Why this answer

HIPAA gives patients the right to access their protected health information (PHI). This aligns with the data subject right of access.

634
Multi-Selectmedium

Which TWO of the following are valid methods for securing REST APIs? (Select TWO.)

Select 2 answers
A.LDAP binds
B.OAuth 2.0 tokens
C.API keys
D.SAML assertions
E.Kerberos tickets
AnswersB, C

OAuth 2.0 is widely used for API authorization.

Why this answer

OAuth 2.0 tokens (B) are a standard method for securing REST APIs by providing delegated, scoped access without exposing user credentials. The client presents a bearer token (often a JSON Web Token) in the Authorization header, which the API server validates to authorize the request. This aligns with RFC 6749 and is widely adopted for stateless, scalable API security. API keys (C) are static secrets that identify and authenticate a calling application; they are simpler than OAuth and suit server-to-server or low-risk access when sent over TLS, scoped and rotated, though they carry no user context and no built-in expiry. LDAP binds (A) and Kerberos tickets (E) authenticate to a directory or domain rather than to a stateless HTTP API, and SAML assertions (D) are XML documents designed for browser-based SSO, not per-request API calls.

Exam trap

The CAS-004 exam often tests the distinction between authentication and authorization protocols, leading candidates to select Kerberos or SAML because they are 'secure,' but they fail to recognize that REST APIs require stateless, lightweight token-based mechanisms like OAuth 2.0 or API keys.

635
MCQmedium

Refer to the exhibit. Based on the data classification policy JSON, what action is MOST consistent with the policy?

A.Block the email and notify the security team
B.Allow the email but reclassify the document as 'Internal'
C.Allow the email with an exception request
D.Encrypt the email automatically with S/MIME
AnswerA

The policy prohibits unencrypted transmission of Confidential data.

Why this answer

Option A is correct because the policy states that Confidential data must be transmitted via VPN or encrypted email; unencrypted email is not allowed, so the transmission should be blocked. Option B is wrong because the policy does not permit downgrading classification. Option C is wrong because no override clause is indicated.

Option D is wrong because unencrypted email is explicitly prohibited.

636
MCQhard

During a security audit, it was discovered that an HSM used for code signing is FIPS 140-2 Level 3 certified. The auditor is concerned about the key ceremony process. Which of the following is a required element of a secure key ceremony for an HSM at this level?

A.The HSM is configured to allow remote key backup over TLS
B.Keys are backed up to a USB drive stored in a safe
C.Keys are generated inside the HSM using a key ceremony with multiple officers
D.Keys are generated on a laptop and then imported into the HSM
AnswerC

This ensures keys never leave the HSM in plaintext.

Why this answer

FIPS 140-2 Level 3 requires that plaintext critical security parameters never leave the module's physical boundary; keys are generated inside the HSM and any export is encrypted or split. A key ceremony therefore takes place at the device under dual control: several officers, each holding a share of the administrative or backup key material (an M-of-N quorum), must be present to generate keys or authorize a backup, and every step is witnessed and recorded. Generating keys on a laptop (D) or backing them up to a USB drive (B) would expose them in plaintext outside the module, and remote backup over TLS (A) moves key material onto a network path, which is not something the standard requires.
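The M-of-N split mentioned above, worked through in code as an added example that is not part of the original question: Shamir's threshold scheme over a prime field, where any M shares reconstruct the secret and M-1 shares reveal nothing about it. This illustrates the split-knowledge principle only; a real HSM implements its quorum with vendor-specific smart cards or key shares, and the signing keys themselves never leave the module. The prime, the share layout and the sample 32-byte key-encryption key are assumptions for the demonstration.

```python
"""M-of-N split of a secret (Shamir's threshold scheme over a prime field).
Added illustration of the split-knowledge principle behind a quorum key
ceremony; real HSMs implement the quorum with vendor-specific smart cards or
key shares, and signing keys never leave the module. The prime, share layout
and sample key below are assumptions for the demonstration."""
import secrets
from typing import List, Optional, Tuple

PRIME = 2**521 - 1   # Mersenne prime; a 256-bit key fits in one field element


def _poly_at(coeffs: List[int], x: int) -> int:
    """Evaluate the polynomial with the given coefficients at x (Horner's rule, mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, n: int, m: int) -> List[Tuple[int, int]]:
    """Produce n shares of which any m reconstruct the secret and m-1 reveal nothing."""
    if not (1 <= m <= n) or not (0 <= secret < PRIME):
        raise ValueError("need 1 <= m <= n and 0 <= secret < PRIME")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _poly_at(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0. Fewer than m shares yield a wrong value,
    not an error: the caller must enforce the quorum size."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, xj in enumerate(xs):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_key(key: bytes, n: int, m: int) -> List[Tuple[int, int]]:
    """Split a raw key (for example a key-encryption key) into n custodian shares."""
    return split_secret(int.from_bytes(key, "big"), n, m)


def recover_key(shares: List[Tuple[int, int]], key_len: int) -> Optional[bytes]:
    """Reassemble a key of key_len bytes; None when the result cannot be a key of
    that length (short of quorum or a corrupted share)."""
    value = recover_secret(shares)
    if value >= 1 << (8 * key_len):
        return None
    return value.to_bytes(key_len, "big")


def ceremony_demo() -> Tuple[bool, bool]:
    """Constructed 3-of-5 ceremony for a 32-byte key-encryption key.
    Returns (quorum_recovers, short_of_quorum_recovers)."""
    kek = secrets.token_bytes(32)          # constructed sample key
    shares = split_key(kek, n=5, m=3)      # one share per custodian
    officers_1_3_5 = [shares[0], shares[2], shares[4]]
    officers_2_4 = [shares[1], shares[3]]
    return (recover_key(officers_1_3_5, 32) == kek,
            recover_key(officers_2_4, 32) == kek)


if __name__ == "__main__":
    print(ceremony_demo())   # (True, False)
```

The detail that matters operationally is in recover_secret: with fewer than M shares the arithmetic still produces a number, just a meaningless one, so the quorum has to be enforced by procedure (the officers present, the witness log) rather than relied on to fail loudly.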

637
Multi-Selectmedium

An organization is designing a PKI for certificate lifecycle management. Which TWO practices are critical for maintaining the security of the certificate authority (CA)? (Select TWO.)

Select 2 answers
A.Setting long certificate validity periods to reduce renewal frequency
B.Storing the root CA private key in a hardware security module (HSM)
C.Using certificate pinning to prevent man-in-the-middle attacks
D.Using self-signed certificates for all internal services
E.Implementing Online Certificate Status Protocol (OCSP) for revocation checking
AnswersB, E

HSMs provide tamper-resistant key storage.

Why this answer

HSMs protect private keys, and OCSP provides real-time revocation status. Both are essential for CA security.

638
MCQhard

An organization is using the FAIR framework to quantify risk. The analyst estimates the probable loss event frequency (LEF) as 4 per year and the probable loss magnitude (LM) as $25,000 per event. What is the annualized loss expectancy (ALE) under FAIR?

A.$6,250
B.$125,000
C.$100,000
D.$25,000
AnswerC

ALE is the loss event frequency multiplied by the loss magnitude.

Why this answer

In FAIR, ALE = LEF × LM. Here, LEF=4 and LM=$25,000, so ALE = 4 × $25,000 = $100,000.

639
MCQmedium

An organization discovers a critical vulnerability in a legacy application that cannot be patched due to vendor end-of-life. Which of the following is the BEST compensating control to reduce risk?

A.Increase logging and monitoring
B.Apply a virtual patch using an intrusion prevention system (IPS)
C.Implement network segmentation to isolate the application
D.Decommission the application immediately
AnswerC

Segmentation limits exposure and protects the rest of the network.

Why this answer

Network segmentation isolates the vulnerable system, reducing the attack surface and limiting potential damage.

640
MCQhard

A healthcare organization is planning to migrate patient data to a cloud provider. The risk assessment identifies that the provider's SOC 2 report does not cover HIPAA controls. What is the BEST course of action?

A.Request the provider's most recent SOC 3 report
B.Accept the risk and proceed with migration
C.Require the provider to sign a Business Associate Agreement (BAA)
D.Require the provider to encrypt all data at rest and in transit
AnswerC

A BAA is mandatory under HIPAA before a covered entity lets a vendor handle ePHI on its behalf.

Why this answer

Option C is correct because HIPAA requires a covered entity to have a business associate agreement with any vendor that will create, receive, maintain or transmit ePHI on its behalf; the BAA contractually binds the provider to the Security Rule safeguards and to breach notification. Option B is wrong because the gap identified by the risk assessment should be addressed, not accepted. Option D is wrong because encryption is one safeguard and does not replace the contractual obligation.

Option A is wrong because a SOC 3 report is a public summary of the same SOC 2 work and adds no HIPAA coverage.

641
Multi-Selecthard

A security architect is designing a secure software development lifecycle (SSDLC). Which of the following practices are essential for integrating security into the development process? (Select TWO.)

Select 2 answers
A.Conducting static application security testing (SAST) during coding
B.Performing penetration testing only after production deployment
C.Using dependency scanning to check for known vulnerabilities in libraries
D.Implementing runtime application self-protection (RASP) in development
E.Deploying a web application firewall (WAF) in staging
AnswersA, C

Why this answer

Static application security testing (SAST) analyzes source code, bytecode, or binaries without executing the program, allowing developers to identify vulnerabilities such as buffer overflows, SQL injection, and cross-site scripting during the coding phase. Integrating SAST early in the SSDLC reduces the cost and effort of fixing security flaws by catching them before they reach later stages like testing or production.

Exam trap

The CAS-004 exam often tests the distinction between security controls applied during development (SAST, dependency scanning) versus runtime controls (RASP, WAF) or post-deployment activities (penetration testing), leading candidates to select options that are valid security measures but not essential to the SSDLC itself.

Why the other options are wrong

B

Pen testing is important but occurs later; it's not integrated into the development process early.

D

RASP is a runtime control, not typically integrated into the development phase.

E

WAF is a network security control, not a development practice.

642
MCQeasy

A security architect is designing a zero trust architecture for a financial institution. Which principle is fundamental to the zero trust model?

A.Trust but verify all network traffic
B.Use VPNs for all remote access
C.Perimeter-based security is sufficient
D.Assume breach and verify explicitly
AnswerD

This is the foundational principle of zero trust: never trust, always verify.

Why this answer

Zero trust assumes no implicit trust based on network location; all access requests must be authenticated and authorized regardless of origin. Micro-segmentation and identity-centric controls support this, but the core principle is 'trust no one by default'.

643
MCQmedium

Refer to the exhibit. A security analyst notices that the pod is running with a service account token mounted. Which security best practice should be implemented to reduce the risk of token theft in container environments?

A.Store the token in a Kubernetes secret and mount it.
B.Use a different container runtime.
C.Disable the service account for the pod.
D.Set automountServiceAccountToken to false in the pod spec.
AnswerD

This prevents automatic mounting of the token, reducing theft risk while allowing explicit mounting if needed.

Why this answer

Option D is correct because setting automountServiceAccountToken to false in the pod spec prevents the automatic mounting of the service account token, reducing the risk of theft. Option C is incorrect because disabling the entire service account may break functionality if the pod needs API access; the goal is to prevent token exposure while still allowing explicit token mounting if necessary. Option B is incorrect because changing the container runtime does not address token mounting.

Option A is incorrect because storing the token in a secret and mounting it increases exposure rather than reducing it.

644
Multi-Selecteasy

Which TWO are key metrics used in business continuity planning?

Select 2 answers
A.Mean Time to Repair (MTTR)
B.Recovery Time Objective (RTO)
C.Recovery Point Objective (RPO)
D.Service Level Agreement (SLA)
E.Mean Time Between Failures (MTBF)
AnswersB, C

RTO is the maximum acceptable downtime.

Why this answer

Options B and C are correct. RTO defines acceptable downtime; RPO defines acceptable data loss. MTBF, MTTR, and SLA are not specifically business continuity metrics.

645
MCQeasy

A company is deploying a new cloud-based application that processes sensitive customer data. The security architect has proposed a zero-trust architecture to secure remote access. The architecture includes identity-aware proxies, microsegmentation, and continuous monitoring. During the transition, several remote users report being unable to access the application. The security architect verifies that the identity-aware proxy is correctly configured and that users are authenticated via SSO. However, access attempts are still failing. The architect suspects that the issue may be related to the microsegmentation rules. What should the security architect do FIRST to resolve the problem?

A.Deploy a VPN to provide a secure tunnel for remote users.
B.Reset the affected users' credentials and force them to re-authenticate.
C.Review the microsegmentation firewall rules to ensure that traffic to the application's subnet is permitted.
D.Increase logging verbosity on the identity-aware proxy to capture more details.
AnswerC

The architect suspects microsegmentation; reviewing rules is the logical first step.

Why this answer

Option C (Review microsegmentation firewall rules for the application's subnet) is the most direct step because the architect suspects the microsegmentation rules are blocking traffic. Option A (Deploy a VPN) would bypass zero-trust principles. Option D (Increase log verbosity) is a diagnostic step but not the first action.

Option B (Reset user credentials) is unrelated to the issue.

646
MCQhard

An organization is implementing continuous compliance monitoring. Which of the following metrics would best indicate whether the organization is maintaining compliance with PCI DSS Requirement 10 (log management)?

A.Number of failed login attempts per day
B.Percentage of systems with centralized logging enabled
C.Mean time to detect (MTTD) for security incidents
D.Vulnerability scan pass rate
AnswerB

Correct: This directly measures compliance with logging requirements.

Why this answer

PCI DSS Requirement 10 requires tracking and monitoring access to network resources and cardholder data. Log coverage percentage directly measures whether all necessary systems are logging.

647
MCQmedium

During a vendor risk assessment, a third-party vendor refuses to provide a SOC 2 report but offers a completed security questionnaire. The vendor handles sensitive customer data. Which of the following is the BEST course of action?

A.Immediately terminate the relationship.
B.Lower the data classification to reduce risk.
C.Require a right-to-audit clause to conduct an on-site assessment.
D.Accept the questionnaire as sufficient evidence.
AnswerC

This allows the organization to verify controls directly.

Why this answer

If a vendor refuses to provide independent audit evidence, the organization should consider the risk level. For sensitive data, a SOC 2 report is a strong control. The organization should require a right-to-audit clause to perform its own assessment, as the questionnaire alone may be insufficient.

648
MCQmedium

A company is implementing a privileged access management (PAM) solution to reduce the risk of standing privileges. Which feature allows users to request temporary elevated access for a specific task, which is automatically revoked after the task is completed?

A.Break-glass accounts
B.Password vaulting
C.Session recording
D.Just-in-time (JIT) access provisioning
AnswerD

JIT grants temporary privileges that expire automatically.

Why this answer

Just-in-time (JIT) access provisioning grants temporary privileges that expire after use, reducing standing privileges. Break-glass accounts are emergency accounts, not time-based.

649
MCQmedium

An organization is designing a PKI to issue certificates to thousands of IoT devices. Which architectural decision will BEST support automated certificate lifecycle management?

A.Online root CA with self-signed certificates
B.Automated enrollment using SCEP
C.Using a public CA for all IoT devices
D.Offline root CA with manual issuance
AnswerB

SCEP automates certificate enrollment for large numbers of devices.

Why this answer

Automated certificate enrollment using SCEP or ACME protocols enables devices to request and renew certificates without manual intervention.

650
MCQmedium

A security analyst discovers that a web application is vulnerable to directory traversal. Which of the following is the MOST effective mitigation?

A.Whitelist of allowed file paths
B.Encrypting all files on the server
C.Chroot jail
D.Input validation that rejects paths containing '..'
AnswerA

A whitelist ensures only explicitly permitted files are served, regardless of traversal attempts.

Why this answer

Using a whitelist of allowed file paths ensures only intended files can be accessed, eliminating traversal attempts. Input validation rejecting '..' can be bypassed with encoding. Chroot jail limits scope but may not cover all scenarios.

Encryption does not prevent traversal.

651
MCQhard

A security analyst is investigating a malware sample and wants to determine its capabilities without executing it. The analyst examines the binary's imports, strings, and structure. What type of analysis is being performed?

A.Memory analysis
B.Static analysis
C.Reverse engineering
D.Dynamic analysis
AnswerB

Static analysis is performed without executing the file.

Why this answer

Static analysis examines the malware without executing it, focusing on file metadata, strings, imports, and other characteristics.

652
MCQmedium

An enterprise is implementing a cloud security posture management (CSPM) solution. What is the primary function of CSPM?

A.Monitoring and remediating misconfigurations
B.Brokering access to cloud apps
C.Protecting workloads from malware
D.Encrypting data at rest
AnswerA

CSPM focuses on posture management via configuration assessment.

Why this answer

CSPM continuously monitors cloud infrastructure for misconfigurations, compliance violations, and security risks, providing automated remediation and reporting.

653
MCQmedium

A security architect is designing a secure coding standard for a web application. Which of the following should be prioritized to mitigate cross-site scripting (XSS) risks?

A.Input validation
B.Output encoding
C.Secure cookies
D.Parameterized queries
AnswerB

Output encoding converts special characters to HTML entities, preventing script execution in the browser.

Why this answer

Output encoding is the most direct mitigation for XSS, as it ensures user input is rendered as data, not executable code. Input validation and parameterized queries address other vulnerabilities, while secure cookies help with session hijacking.

654
MCQeasy

An organization needs to ensure compliance with GDPR regarding data subject access requests. What is the MOST important control to implement?

A.Encrypt all personal data at rest and in transit
B.Minimize the collection of personal data
C.Implement a process to respond to access requests within one month
D.Appoint a Data Protection Officer (DPO)
AnswerC

GDPR mandates response to access requests within one month.

Why this answer

Option C is correct because GDPR requires responses to access requests within one month. Option A is wrong because, while encryption is important, it is not the primary control for access requests. Option D is wrong because a DPO is required but not specifically for access requests.

Option B is wrong because data minimization is a principle but does not directly address access requests.

655
Multi-Selecteasy

A security analyst is reviewing CVSS scores for vulnerability prioritization. Which TWO of the following are component metric groups in CVSS v3?

Select 2 answers
A.Impact
B.Temporal
C.Exploitability
D.Environmental
E.Attack Vector
AnswersB, D

Temporal is one of the three metric groups.

Why this answer

CVSS v3 consists of Base, Temporal, and Environmental metric groups. Exploitability and Impact are sub-scores within the Base group, not separate groups.

656
MCQhard

A security architect is designing an API security strategy for a microservices-based application. The architect needs to ensure that only authenticated and authorized clients can invoke APIs, and that rate limiting is enforced to prevent abuse. Which technology should be placed in front of the microservices?

A.API Gateway
B.Web Application Firewall (WAF)
C.Reverse proxy
D.Load balancer
AnswerA

API gateway can enforce authentication, authorization, rate limiting, and input validation.

Why this answer

An API gateway handles authentication, authorization, rate limiting, and routing, providing a central security control point.

657
MCQeasy

A security administrator needs to ensure that only authorized devices can access the corporate network. Which technology would best enforce this requirement at the network access layer?

A.TLS 1.3
B.IPsec VPN
C.802.1X
D.DNSSEC
AnswerC

Correct; 802.1X authenticates devices before granting network access.

Why this answer

802.1X provides port-based authentication, allowing only authorized devices to connect to the network.

658
MCQhard

During a forensic investigation, the examiner discovers that the chain of custody documentation was not properly maintained for a critical hard drive. What is the most likely consequence?

A.The evidence may be ruled inadmissible in legal proceedings
B.The investigation can continue without any impact
C.The data on the drive is automatically deleted
D.The drive must be returned to the owner immediately
AnswerA

Chain of custody ensures evidence integrity; lack of it can lead to exclusion.

Why this answer

Option A is correct because without a documented chain of custody, the evidence could have been tampered with, making it inadmissible in court. Option B is wrong because the investigation may continue, but its findings will be legally challenged; chain of custody is vital. Option C is wrong because the data is not deleted; the analysis remains technically valid but can be legally challenged.

Option D is wrong because returning the drive to its owner is not the primary concern.

659
MCQmedium

During a penetration test, the tester has gained initial access to a web server and wants to move laterally to a database server. Which of the following techniques would be most effective for identifying valid credentials that could be reused on the database server?

A.Running a port scan on the internal network
B.Deploying a web shell for persistent access
C.Conducting a SQL injection on the database server
D.Using Mimikatz to dump credentials from memory
AnswerD

Mimikatz extracts credentials that may be reused.

Why this answer

Mimikatz is a tool that extracts plaintext passwords, hashes, and Kerberos tickets from memory. It is commonly used for credential dumping to enable lateral movement.

660
Matchingmedium

Match each security feature to its description.


Trust relationships between identity providers

Controls and monitors admin accounts

Restricts access based on physical location

Obfuscates sensitive data in non-production environments

Replaces sensitive data with non-sensitive placeholders

Why these pairings

These features are covered in identity and access management and data protection domains.

661
MCQeasy

Which of the following is a key difference between a security guideline and a security procedure?

A.Both are equally enforceable
B.Procedures are high-level; guidelines are detailed
C.Guidelines are recommended; procedures are mandatory
D.Guidelines are mandatory; procedures are optional
AnswerC

This is correct: guidelines provide guidance, procedures must be followed.

Why this answer

A guideline suggests best practices and is not mandatory, while a procedure provides step-by-step instructions that are mandatory.

662
MCQhard

An organization wants to implement an immutable infrastructure for its containerized applications. Which security benefit is most directly achieved by immutability?

A.Eliminates need for runtime security monitoring
B.Prevents unauthorized modifications to running containers
C.Allows use of privileged containers securely
D.Reduces image scanning frequency
AnswerB

Correct – containers are replaced, not patched in place.

Why this answer

Immutable infrastructure ensures that once a container image is deployed, it is never modified. Any change requires a new image deployment, which prevents configuration drift and unauthorized changes.

663
Multi-Selecthard

An incident response team discovers that an attacker was able to forge a certificate for a legitimate domain. Which TWO mechanisms should the team implement to detect and prevent such misissuance in the future? (Select TWO.)

Select 2 answers
A.Certificate Revocation Lists (CRLs)
B.Implementing Extended Validation (EV) certificates
C.Online Certificate Status Protocol (OCSP) stapling
D.Certificate Transparency (CT) logging and monitoring
E.Certificate pinning in client applications
AnswersD, E

CT logs provide a public record of certificates; domain owners can monitor for unauthorized issuance.

Why this answer

Certificate Transparency (CT) logs provide an audit trail of all issued certificates, allowing domain owners to detect misissuance. Certificate pinning (or HTTP Public Key Pinning) can prevent the acceptance of fraudulent certificates by clients. OCSP stapling helps check revocation but does not prevent misissuance; CRLs are for revocation; OCSP itself doesn't prevent misissuance.

664
Matchingmedium

Match each cloud service model to its scope.


Software delivered over the internet

Platform for application development and deployment

Virtualized computing resources over the internet

Disaster recovery as a service

Security services delivered via the cloud

Why these pairings

Cloud service models are fundamental to cloud security architecture.

665
MCQhard

A SOC analyst notices that a containerized application is making unexpected outbound connections. The container runs with minimal privileges. Which step should the analyst take first to investigate without compromising the environment?

A.Restore the container from a trusted image and re-deploy.
B.Use `docker exec` to attach a shell and run network diagnostic commands.
C.Immediately kill the container and analyze its filesystem from a backup.
D.Capture a network packet dump from the host and correlate with container logs.
AnswerD

This approach gathers evidence without interfering with the container.

Why this answer

Option D is correct because capturing packet dumps from the host and correlating with logs provides forensic evidence without altering the container state. Option A destroys evidence. Option B may alert the attacker or change state.

Option C skips investigation entirely.

666
MCQmedium

An organization is implementing SASE to secure remote user access. Which component of SASE is responsible for enforcing identity-based access policies and inspecting traffic?

A.SD-WAN
B.Cloud Access Security Broker
C.Next-Generation Firewall
D.Secure Web Gateway
AnswerD

SWG enforces web security policies and inspects traffic.

Why this answer

SWG (Secure Web Gateway) enforces security policies for web traffic, including URL filtering, malware detection, and data loss prevention.

667
MCQmedium

A company is implementing a new vendor risk management program. Which of the following is the BEST approach to assess third-party security controls?

A.Check the vendor’s financial stability
B.Use a standardized security questionnaire and conduct on-site audits
C.Rely on the vendor’s self-assessment questionnaire
D.Review only public breach reports about the vendor
AnswerB

Combining a questionnaire with on-site audits provides thorough, independent verification.

Why this answer

Option B is correct because a standardized questionnaire and on-site audits provide a comprehensive assessment of vendor security practices. Option C is wrong because relying solely on vendor self-assessments may be biased and incomplete. Option A is wrong because financial stability does not guarantee security.

Option D is wrong because checking only public breaches is reactive and insufficient.

668
MCQmedium

A company uses a hybrid cloud model with workloads on AWS and on-premises. They need to ensure secure connectivity between the two environments with high bandwidth and low latency, bypassing the public internet. Which solution should they implement?

A.Configure AWS Direct Connect for dedicated private connectivity
B.Implement SD-WAN with integrated security
C.Establish a site-to-site VPN over the internet
D.Use AWS PrivateLink to access VPC endpoints
AnswerA

Direct Connect provides a dedicated, private, high-bandwidth, low-latency connection that avoids the public internet.

Why this answer

AWS Direct Connect provides a dedicated private network connection from on-premises to AWS, bypassing the public internet for reliable and secure connectivity. VPN over the internet is less reliable and has higher latency. PrivateLink exposes services privately but does not connect on-premises to the cloud.

SD-WAN can manage traffic but does not provide a direct dedicated connection.

669
MCQeasy

A security analyst is calculating the annualized loss expectancy (ALE) for a server. The single loss expectancy (SLE) is $5,000 and the annualized rate of occurrence (ARO) is 0.2. What is the ALE?

A.$0
B.$5,200
C.$1,000
D.$25,000
AnswerC

Correct: $5,000 × 0.2 = $1,000.

Why this answer

ALE = SLE × ARO = $5,000 × 0.2 = $1,000.

670
Multi-Selectmedium

A security engineer is evaluating hardware security modules (HSMs) for key management. The HSM must support key generation, storage, and cryptographic operations without exposing private keys. Additionally, the solution must comply with FIPS 140-2 Level 3. Which THREE features are essential for this requirement? (Select THREE.)

Select 3 answers
A.Physical security mechanisms (e.g., locks, tamper switches)
B.Cryptographic boundary
C.Key ceremony support
D.Tamper-evident seals and coatings
E.Secure boot of the HSM firmware
AnswersA, B, D

Level 3 requires physical security mechanisms to prevent unauthorized access.

Why this answer

FIPS 140-2 Level 3 requires tamper-evident coatings, physical security, and cryptographic boundary. Key ceremony is a procedural control, not a feature of the HSM itself. Secure boot is for general computing.

Multi-factor authentication is a user access control, not a core HSM feature.

671
MCQmedium

An organization discovers that a vendor's data breach exposed customer PII. The contract with the vendor does not address breach notification. What is the BEST way to prevent this in the future?

A.Purchase cyber insurance covering vendor breaches
B.Terminate the vendor relationship immediately
C.Add a breach notification clause in vendor contracts
D.Conduct more frequent vendor risk assessments
AnswerC

Legally obligates vendor to notify

Why this answer

Adding a breach notification clause directly addresses the contractual gap that left the organization without recourse or timely notification when the vendor suffered a data breach. This contractual remedy ensures that future incidents trigger a predefined notification process, aligning with regulatory requirements such as GDPR or HIPAA that mandate breach notification obligations for data processors. Without such a clause, the organization has no enforceable mechanism to compel the vendor to report breaches, regardless of other risk management activities.

Exam trap

CompTIA often tests the distinction between preventive controls (contractual clauses) and detective/reactive controls (assessments, insurance), leading candidates to choose 'more frequent risk assessments' because it sounds proactive, but only a contract clause creates a binding obligation.

How to eliminate wrong answers

Option A is wrong because cyber insurance covers financial losses after a breach but does not prevent the breach or ensure notification; it is a reactive financial tool, not a preventive contractual control. Option B is wrong because terminating the vendor relationship immediately does not address the root cause—lack of contractual safeguards—and may disrupt operations without guaranteeing that a replacement vendor will have better terms. Option D is wrong because conducting more frequent vendor risk assessments can identify risks but cannot enforce notification obligations; without a contractual clause, the vendor has no legal duty to report breaches discovered during or after assessments.

672
Multi-Selecteasy

A security architect is designing a zero-trust network architecture for a hybrid cloud environment. Which TWO principles should be implemented to enforce the "never trust, always verify" model?

Select 2 answers
A.Micro-segmentation between workloads
B.Trust based on network location
C.Implicit trust for internal IP ranges
D.Continuous authentication and authorization for every request
E.Use of a single VPN for all remote access
AnswersA, D

Micro-segmentation enforces least privilege.

Why this answer

Micro-segmentation and continuous authentication are core zero-trust principles. Options B and C imply implicit trust based on network location, which violates zero trust. Option E is a technology, not a principle.

673
Multi-Selectmedium

A company is conducting a third-party risk assessment of a cloud service provider. Which TWO of the following are appropriate sources of evidence for evaluating the provider's security controls? (Select TWO.)

Select 2 answers
A.SOC 2 Type II report
B.Supply chain bill of materials
C.Penetration test report from a qualified third party
D.Security questionnaire completed by the vendor
E.Right-to-audit clause in the contract
AnswersA, C

Provides independent audit over security controls.

Why this answer

SOC 2 reports provide independent assurance of controls. Penetration test reports demonstrate the effectiveness of security testing. Security questionnaires are self-reported and less reliable.

Right-to-audit clauses are contractual, not evidence. Supply chain documentation may be relevant but is not a direct evidence source for security controls.

674
MCQhard

During a third-party risk assessment, an organization discovers that a cloud service provider (CSP) stores data in a jurisdiction with conflicting privacy laws. The organization's legal team advises that this could expose the organization to regulatory penalties. Which of the following contractual clauses would best address this compliance risk?

A.Insert a right-to-audit clause allowing the organization to inspect the CSP's facilities.
B.Include a Data Processing Agreement (DPA) that requires data to be stored only in approved jurisdictions.
C.Negotiate a service-level agreement (SLA) guaranteeing 99.99% uptime.
D.Require the CSP to sign a business associate agreement (BAA) under HIPAA.
AnswerB

A DPA with data residency clauses legally restricts where data can be stored, addressing the compliance risk.

Why this answer

A Data Processing Agreement (DPA) is the correct contractual mechanism to enforce data residency restrictions. By requiring the CSP to store data only in approved jurisdictions, the DPA directly addresses the compliance risk of conflicting privacy laws and potential regulatory penalties, as it legally binds the provider to specific geographic data handling requirements.

Exam trap

The CAS-004 exam often tests the distinction between operational controls (audit clauses, SLAs) and legal/compliance controls (DPAs), trapping candidates who confuse visibility with enforcement or apply US-specific agreements (like BAAs) to global privacy issues.

How to eliminate wrong answers

Option A is wrong because a right-to-audit clause allows the organization to inspect the CSP's facilities and processes, but it does not proactively restrict where data is stored; it only provides visibility after the fact, not a preventive control. Option C is wrong because an SLA guaranteeing 99.99% uptime addresses availability and performance, not data residency or privacy law compliance; it is irrelevant to the jurisdictional conflict. Option D is wrong because a Business Associate Agreement (BAA) under HIPAA is specific to protected health information (PHI) in the United States and does not apply to general privacy law conflicts in other jurisdictions; it also does not restrict data storage locations.

675
MCQmedium

An organization uses a TPM 2.0 for measured boot and attestation. Which TPM feature ensures that the boot process has not been tampered with by measuring each component before it executes?

A.Platform Configuration Registers (PCRs)
B.Endorsement Key (EK)
C.Secure boot
D.Sealed storage
AnswerA

PCRs store measurements that can be used for attestation.

Why this answer

Platform Configuration Registers (PCRs) store hash measurements of boot components. Any change in the boot sequence will result in different PCR values, alerting to tampering.
