Get The Most Updated CAS-004 Dumps To CompTIA CASP Certification [Q53-Q75]


NEW QUESTION # 53
A company is moving most of its customer-facing production systems to the cloud. IaaS is the service model being used. The Chief Executive Officer is concerned about the type of encryption available and requires that the solution have the highest level of security.
Which of the following encryption methods should the cloud security engineer select during the implementation phase?

  • A. Array controller-based
  • B. Proxy-based
  • C. Instance-based
  • D. Storage-based

Answer: D

Explanation:
We recommend that you encrypt your virtual hard disks (VHDs) to help protect your boot volume and data volumes at rest in storage, along with your encryption keys and secrets.
Azure Disk Encryption helps you encrypt your Windows and Linux IaaS virtual machine disks.
Azure Disk Encryption uses the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets in your key vault subscription. The solution also ensures that all data on the virtual machine disks is encrypted at rest in Azure Storage.


NEW QUESTION # 54
A security analyst needs to recommend a remediation to the following threat:

Which of the following actions should the security analyst propose to prevent this successful exploitation?

  • A. Enable TLS 1.2.
  • B. Update the antivirus.
  • C. Patch the system.
  • D. Install a host-based firewall.

Answer: A


NEW QUESTION # 55
A security analyst discovered that the company's WAF was not properly configured. The main web server was breached, and the following payload was found in one of the malicious requests:

Which of the following would BEST mitigate this vulnerability?

  • A. Data encoding
  • B. CAPTCHA
  • C. Network intrusion prevention
  • D. Input validation

Answer: D


NEW QUESTION # 56
A company requires a task to be carried out by more than one person concurrently. This is an example of:

  • A. least privilege
  • B. dual control
  • C. separation of duties
  • D. job rotation

Answer: B

Explanation:
Dual control is a security principle that requires two or more authorized individuals to perform a task concurrently. This reduces the risk of fraud, error, or misuse of sensitive assets or information. Verified References: https://www.comptia.org/training/books/casp-cas-004-study-guide, https://www.isaca.org/resources/isaca-journal/issues/2018/volume-1/using-dual-control-to-mitigate-risk


NEW QUESTION # 57
A recent data breach stemmed from unauthorized access to an employee's company account with a cloud-based productivity suite. The attacker exploited excessive permissions granted to a third-party OAuth application to collect sensitive information.
Which of the following BEST mitigates inappropriate access and permissions issues?

  • A. SIEM
  • B. CASB
  • C. WAF
  • D. SOAR

Answer: C


NEW QUESTION # 58
A company wants to improve its active protection capabilities against unknown and zero-day malware. Which of the following is the MOST secure solution?

  • A. Sandbox detonation
  • B. HIDS
  • C. NIDS
  • D. Endpoint log collection
  • E. Application allow list

Answer: A


NEW QUESTION # 59
An organization recently started processing, transmitting, and storing its customers' credit card information. Within a week of doing so, the organization suffered a massive breach that resulted in the exposure of the customers' information.
Which of the following provides the BEST guidance for protecting such information while it is at rest and in transit?

  • A. ISO
  • B. GDPR
  • C. NIST
  • D. PCI DSS

Answer: D

Explanation:
PCI DSS - Payment Card Industry Data Security Standard.
Deals specifically with anything to do with card transactions.


NEW QUESTION # 60
A security engineer is troubleshooting an issue in which an employee is getting an IP address in the wrong range on the wired network. The engineer plugs another PC into the same port, and that PC gets an IP address in the correct range. The engineer then puts the employee's PC on the wireless network and finds the PC still does not get an IP address in the proper range. The PC is up to date on all software and antivirus definitions, and the IP address is not an APIPA address. Which of the following is MOST likely the problem?

  • A. The WiFi network is using WPA2 Enterprise, and the computer certificate has the wrong IP address in the SAN field.
  • B. The DHCP server has a reservation for the PC's MAC address for the wired interface.
  • C. The DHCP server is unavailable, so no IP address is being sent back to the PC.
  • D. The company is using 802.1x for VLAN assignment, and the user or computer is in the wrong group.

Answer: D


NEW QUESTION # 61
A security administrator configured the account policies per security implementation guidelines. However, the accounts still appear to be susceptible to brute-force attacks. The following settings meet the existing compliance guidelines:
Must have a minimum of 15 characters
Must use one number
Must use one capital letter
Must not be one of the last 12 passwords used
Which of the following policies should be added to provide additional security?

  • A. Password complexity
  • B. Account lockout
  • C. Shared accounts
  • D. Password history
  • E. Time-based logins

Answer: B


NEW QUESTION # 62
A security analyst wants to keep track of all outbound web connections from workstations. The analyst's company uses an on-premises web filtering solution that forwards the outbound traffic to a perimeter firewall. When the security analyst gets the connection events from the firewall, the source IP of the outbound web traffic is the translated IP of the web filtering solution.
Considering this scenario involving source NAT, which of the following would be the BEST option to inject in the HTTP header to include the real source IP from workstations?

  • A. X-Forwarded-For
  • B. Cache-Control
  • C. Content-Security-Policy
  • D. X-Forwarded-Proto
  • E. Strict-Transport-Security

Answer: A

Explanation:
The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.


NEW QUESTION # 63
A user from the sales department opened a suspicious file attachment. The sales department then contacted the SOC to investigate a number of unresponsive systems, and the team successfully identified the file and the origin of the attack.
Which of the following is the NEXT step of the incident response plan?

  • A. Recovery
  • B. Remediation
  • C. Response
  • D. Containment

Answer: D

Explanation:
https://www.sciencedirect.com/topics/computer-science/containment-strategy


NEW QUESTION # 64
While investigating a security event, an analyst finds evidence that a user opened an email attachment from an unknown source. Shortly after the user opened the attachment, a group of servers experienced a large amount of network and resource activity. Upon investigating the servers, the analyst discovers the servers were encrypted by ransomware that is demanding payment within 48 hours or all data will be destroyed. The company has no response plans for ransomware.
Which of the following is the NEXT step the analyst should take after reporting the incident to the management team?

  • A. Notify law enforcement.
  • B. Request that the affected servers be restored immediately.
  • C. Isolate the servers to prevent the spread.
  • D. Pay the ransom within 48 hours.

Answer: A


NEW QUESTION # 65
A security analyst is researching containerization concepts for an organization. The analyst is concerned about potential resource exhaustion scenarios on the Docker host due to a single application that is overconsuming available resources.
Which of the following core Linux concepts BEST reflects the ability to limit resource allocation to containers?

  • A. Cgroups
  • B. Device mapper
  • C. Linux namespaces
  • D. Union filesystem overlay

Answer: A

Explanation:
Cgroups (control groups) is a core Linux concept that reflects the ability to limit resource allocation to containers, such as CPU, memory, disk I/O, or network bandwidth. Cgroups can help prevent resource exhaustion scenarios on the Docker host due to a single application that is overconsuming available resources, as it can enforce quotas or priorities for each container or group of containers. Union filesystem overlay is not a core Linux concept that reflects the ability to limit resource allocation to containers, but a technique that allows multiple filesystems to be mounted on the same mount point, creating a layered representation of files and directories. Linux namespaces is not a core Linux concept that reflects the ability to limit resource allocation to containers, but a feature that isolates and virtualizes system resources for each process or group of processes, creating independent instances of global resources. Device mapper is not a core Linux concept that reflects the ability to limit resource allocation to containers, but a framework that provides logical volume management, encryption, or snapshotting capabilities for block devices. Verified References:
https://www.comptia.org/blog/what-is-cgroups
https://partners.comptia.org/docs/default-source/resources/casp-co


NEW QUESTION # 66
A security engineer is reviewing a record of events after a recent data breach incident that involved the following:
* A hacker conducted reconnaissance and developed a footprint of the company's Internet-facing web application assets.
* A vulnerability in a third-party library was exploited by the hacker, resulting in the compromise of a local account.
* The hacker took advantage of the account's excessive privileges to access a data store and exfiltrate the data without detection.
Which of the following is the BEST solution to help prevent this type of attack from being successful in the future?

  • A. User behavior analysis
  • B. Software composition analysis
  • C. Dynamic analysis
  • D. Stateful firewall
  • E. Secure web gateway

Answer: B

Explanation:
Software composition analysis (SCA) is the best solution to help prevent this type of attack from being successful in the future. SCA is a process of identifying the third-party and open source components in the applications of an organization. This analysis leads to the discovery of security risks, quality of code, and license compliance of the components. SCA can help the security engineer to detect and remediate any vulnerabilities in a third-party library that was exploited by the hacker, such as updating to a newer and more secure version of the library. SCA can also help to enforce secure coding practices and standards, such as following the principle of least privilege and avoiding excessive privileges for local accounts. By using SCA, the security engineer can improve the security posture and resilience of the web application assets against future attacks. Verified References:
* https://www.synopsys.com/glossary/what-is-software-composition-analysis.html
* https://www.geeksforgeeks.org/overview-of-software-composition-analysis/


NEW QUESTION # 67
A company is preparing to deploy a global service.
Which of the following must the company do to ensure GDPR compliance? (Choose two.)

  • A. Provide opt-in/out for marketing messages.
  • B. Provide optional data encryption.
  • C. Provide alternative authentication techniques.
  • D. Provide data deletion capabilities.
  • E. Grant data access to third parties.
  • F. Inform users regarding what data is stored.

Answer: D,F

Explanation:
The main rights for individuals under the GDPR are to:
* allow subject access
* have inaccuracies corrected
* have information erased
* prevent direct marketing
* prevent automated decision-making and profiling
* allow data portability (as per the paragraph above)
Source: https://www.clouddirect.net/11-things-you-must-do-now-for-gdpr-compliance/


NEW QUESTION # 68
An organization is running its e-commerce site in the cloud. The capacity is sufficient to meet the organization's needs throughout most of the year, except during the holidays when the organization plans to introduce a new line of products and expects an increase in traffic. The organization is not sure how well its products will be received. To address this issue, the organization needs to ensure that:
* System capacity is optimized.
* Cost is reduced.
Which of the following should be implemented to address these requirements? (Select TWO).

  • A. Containerization
  • B. CDN
  • C. Microsegmentation
  • D. Load balancer
  • E. Autoscaling
  • F. WAF

Answer: D,E

Explanation:
Load balancer and autoscaling are the solutions that should be implemented to address the requirements of optimizing system capacity and reducing cost for an e-commerce site in the cloud. A load balancer is a device or service that distributes incoming network traffic across multiple servers or instances based on various criteria, such as availability, performance, or location. A load balancer can improve system capacity by balancing the workload and preventing overloading or underutilization of resources. Autoscaling is a feature that allows cloud services to automatically adjust the number of servers or instances based on the demand or predefined rules. Autoscaling can reduce cost by scaling up or down the resources as needed, avoiding unnecessary expenses or wastage.
References: [CompTIA CASP+ Study Guide, Second Edition, pages 406-407 and 410]


NEW QUESTION # 69
A security engineer is trying to identify instances of a vulnerability in an internally developed line of business software. The software is hosted at the company's internal data center. Although a standard vulnerability definition does not exist, the identification and remediation results should be tracked in the company's vulnerability management system. Which of the following should the engineer use to identify this vulnerability?

  • A. OVAL
  • B. SIEM
  • C. SCAP
  • D. CASB

Answer: C

Explanation:
The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation. Using SCAP can help to identify vulnerabilities, including those without standard definitions, and ensure they are tracked and managed effectively.


NEW QUESTION # 70
During a recent incident, sensitive data was disclosed and subsequently destroyed through a properly secured, cloud-based storage platform. An incident response technician is working with management to develop an after action report that conveys critical metrics regarding the incident.
Which of the following would be MOST important to senior leadership to determine the impact of the breach?

  • A. The likely per-record cost of the breach to the organization
  • B. The number of records compromised
  • C. The legal or regulatory exposure that exists due to the breach
  • D. The amount of downtime required to restore the data

Answer: C


NEW QUESTION # 71
A developer wants to develop a secure external-facing web application. The developer is looking for an online community that produces tools, methodologies, articles, and documentation in the field of web-application security. Which of the following is the BEST option?

  • A. OWASP
  • B. NIST
  • C. CSA
  • D. PCI DSS
  • E. ICANN

Answer: A


NEW QUESTION # 72
A company launched a new service and created a landing page within its website network for users to access the service. Per company policy, all websites must utilize encryption for any authentication pages. A junior network administrator proceeded to use an outdated procedure to order new certificates. Afterward, customers report the following error when accessing the new web page: NET::ERR_CERT_COMMON_NAME_INVALID. Which of the following BEST describes what the administrator should do NEXT?

  • A. Request a new certificate with the same information but including the old certificate on the CRL.
  • B. Request a new certificate with the correct subject alternative name that includes the new websites.
  • C. Request a new certificate with the correct organizational unit for the company's website.
  • D. Request a new certificate with a stronger encryption strength and the latest cipher suite.

Answer: A


NEW QUESTION # 73
A security analyst is evaluating the security of an online customer banking system. The analyst has a 12-character password for the test account. At the login screen, the analyst is asked to enter the third, eighth, and eleventh characters of the password. Which of the following describes why this request is a security concern? (Choose two.)

  • A. The request is evidence that the password is more open to being captured via a keylogger.
  • B. The request proves the password is stored in a reversible format, making it readable by anyone at the bank who is given access.
  • C. The request proves a potential attacker only needs to be able to guess or brute force three characters rather than 12 characters of the password.
  • D. The request proves that salt has not been added to the password hash, thus making it vulnerable to rainbow tables.
  • E. The request proves the password is encoded rather than encrypted and thus less secure as it can be easily reversed.
  • F. The request proves the password must be in cleartext during transit, making it open to on-path attacks.

Answer: B,C

Explanation:
The request to enter specific characters of the password rather than the full password may be a security measure intended to make it more difficult for an attacker to gain access to the account by guessing the password. However, it also means that a potential attacker only needs to be able to guess or brute force three characters of the password rather than all 12 characters.
In addition, the fact that the system is able to retrieve specific characters of the password suggests that the password is stored in a reversible format, which means that it can be read by anyone who has access to it.


NEW QUESTION # 74
A company has moved its sensitive workloads to the cloud and needs to ensure high availability and resiliency of its web-based application. The cloud architecture team was given the following requirements:
* The application must run at 70% capacity at all times.
* The application must sustain DoS and DDoS attacks.
* Services must recover automatically.
Which of the following should the cloud architecture team implement? (Select THREE).

  • A. CDN
  • B. Encryption
  • C. Read-only replicas
  • D. Autoscaling
  • E. BCP
  • F. WAF
  • G. Containerization
  • H. Continuous snapshots

Answer: B,D,F

Explanation:
The cloud architecture team should implement Encryption (B), Autoscaling (D) and WAF (F). Autoscaling (D) will ensure that the application is running at 70% capacity at all times. WAF (F) will protect the application from DoS and DDoS attacks. Encryption (B) will protect the data from unauthorized access and ensure that the sensitive workloads remain secure.

