CompTIA Advanced Security Practitioner (CASP+) Exam Practice Tests 2023 | Pass CAS-004 with confidence!
Practice CompTIA CASP CAS-004 exam. Online Exam Practice Tests with detailed explanations!
The CompTIA CAS-004 certification exam is designed to test the knowledge and skills of IT professionals in advanced security practices. This certification is intended for individuals who have a minimum of 5 years of experience in IT administration, including at least 10 years of experience in information security. The exam is a validation of the expertise and proficiency of an individual in the field of cybersecurity, and passing it is a recognition of their advanced knowledge and skills.
NEW QUESTION # 148
An attacker infiltrated the code base of a hardware manufacturer and inserted malware before the code was compiled. The malicious code is now running at the hardware level across a number of industries and sectors.
Which of the following categories BEST describes this type of vendor risk?
- A. SDLC attack
- B. Remote code signing
- C. Supply chain attack
- D. Side-load attack
Answer: C
NEW QUESTION # 149
Device event logs sources from MDM software as follows:
Which of the following security concerns and response actions would BEST address the risks posed by the device in the logs?
- A. Resource leak; recover the device for analysis and clean up the local storage.
- B. Impossible travel; disable the device's account and access while investigating.
- C. Malicious installation of an application; change the MDM configuration to remove application ID 1220.
- D. Falsified status reporting; remotely wipe the device.
Answer: C
NEW QUESTION # 150
An e-commerce company is running a web server on premises, and the resource utilization is usually less than 30%. During the last two holiday seasons, the server experienced performance issues because of too many connections, and several customers were not able to finalize purchase orders. The company is looking to change the server configuration to avoid this kind of performance issue.
Which of the following is the MOST cost-effective solution?
- A. Change the operating system.
- B. Buy a new server and create an active-active cluster.
- C. Move the server to a cloud provider.
- D. Upgrade the server with a new one.
Answer: C
NEW QUESTION # 151
A Chief information Security Officer (CISO) has launched to create a rebuts BCP/DR plan for the entire company. As part of the initiative , the security team must gather data supporting s operational importance for the applications used by the business and determine the order in which the application must be back online. Which of the following be the FIRST step taken by the team?
- A. Have each business unit conduct a BIA and categories the application according to the cumulative data gathered.
- B. Implement replication of all servers and application data to back up detacenters that are geographically from the central datacenter and release an upload BPA to all clients.
- C. Create an SLA for each application that states when the application will come back online and distribute this information to the business units.
- D. Perform a review of all policies an procedures related to BGP a and DR and created an educated educational module that can be assigned to at employees to provide training on BCP/DR events.
Answer: A
NEW QUESTION # 152
A security consultant needs to set up wireless security for a small office that does not have Active Directory.
Despite the lack of central account management, the office manager wants to ensure a high level of defense to prevent brute-force attacks against wireless authentication.
Which of the following technologies would BEST meet this need?
- A. WPA3 SAE
- B. Faraday cage
- C. WPA2 PSK
- D. WEP 128 bit
Answer: A
Explanation:
Explanation
WPA3 SAE prevents brute-force attacks.
NEW QUESTION # 153
A security architect is tasked with scoping a penetration test that will start next month. The architect wants to define what security controls will be impacted. Which of the following would be the BEST document to consult?
- A. Statement of work
- B. Master service agreement
- C. Rules of engagement
- D. Target audience
Answer: A
NEW QUESTION # 154
A networking team was asked to provide secure remote access to all company employees. The team decided to use client-to-site VPN as a solution. During a discussion, the Chief Information Security Officer raised a security concern and asked the networking team to route the Internet traffic of remote users through the main office infrastructure. Doing this would prevent remote users from accessing the Internet through their local networks while connected to the VPN.
Which of the following solutions does this describe?
- A. Asymmetric routing
- B. SSH tunneling
- C. Full tunneling
- D. Split tunneling
Answer: C
Explanation:
Explanation
The concern is users operating in a spit tunnel config which is what is being described. Using a Full Tunnel would route traffic from all applications through a single tunnel.
https://cybernews.com/what-is-vpn/split-tunneling/
NEW QUESTION # 155
After a security incident, a network security engineer discovers that a portion of the company's sensitive external traffic has been redirected through a secondary ISP that is not normally used.
Which of the following would BEST secure the routes while allowing the network to function in the event of a single provider failure?
- A. Disable BGP and implement OSPF.
- B. Implement a BGP route reflector.
- C. Disable BGP and implement a single static route for each internal network.
- D. Implement an inbound BGP prefix list.
Answer: D
Explanation:
Defenses against BGP hijacks include IP prefix filtering, meaning IP address announcements are sent and accepted only from a small set of well-defined autonomous systems, and monitoring Internet traffic to identify signs of abnormal traffic flows.
NEW QUESTION # 156
A security administrator configured the account policies per security implementation guidelines. However, the accounts still appear to be susceptible to brute-force attacks. The following settings meet the existing compliance guidelines:
Must have a minimum of 15 characters
Must use one number
Must use one capital letter
Must not be one of the last 12 passwords used
Which of the following policies should be added to provide additional security?
- A. Password history
- B. Password complexity
- C. Account lockout
- D. Time-based logins
- E. Shared accounts
Answer: C
NEW QUESTION # 157
An organization is establishing a new software assurance program to vet applications before they are introduced into the production environment, Unfortunately. many Of the applications are provided only as compiled binaries. Which Of the following should the organization use to analyze these applications? (Select TWO).
- A. IAST
- B. Fuzz testing
- C. IDE SAST
- D. Third-party dependency management
- E. SAST
- F. Regression testing
Answer: B,C
NEW QUESTION # 158
A new web server must comply with new secure-by-design principles and PCI DSS. This includes mitigating the risk of an on-path attack. A security analyst is reviewing the following web server configuration:
Which of the following ciphers should the security analyst remove to support the business requirements?
- A. TLS_AES_128_GCM_SHA256
- B. TLS_DHE_DSS_WITH_RC4_128_SHA
- C. TLS_AES_128_CCM_8_SHA256
- D. TLS_CHACHA20_POLY1305_SHA256
Answer: B
NEW QUESTION # 159
A company's finance department acquired a new payment system that exports data to an unencrypted file on the system. The company implemented controls on the file so only appropriate personnel are allowed access. Which of the following risk techniques did the department use in this situation?
- A. Transfer
- B. Mitigate
- C. Avoid
- D. Accept
Answer: B
NEW QUESTION # 160
An analyst execute a vulnerability scan against an internet-facing DNS server and receives the following report:
Which of the following tools should the analyst use FIRST to validate the most critical vulnerability?
- A. Port scanner
- B. Exploitation framework
- C. Account enumerator
- D. Password cracker
Answer: D
NEW QUESTION # 161
A security team received a regulatory notice asking for information regarding collusion and pricing from staff members who are no longer with the organization. The legal department provided the security team with a list of search terms to investigate.
This is an example of:
- A. e-discovery.
- B. due intelligence
- C. due care.
- D. legal hold.
Answer: A
NEW QUESTION # 162
A security engineer has been asked to close all non-secure connections from the corporate network. The engineer is attempting to understand why the corporate UTM will not allow users to download email via IMAPS. The engineer formulates a theory and begins testing by creating the firewall ID 58, and users are able to download emails correctly by using IMAP instead. The network comprises three VLANs:
The security engineer looks at the UTM firewall rules and finds the following:
Which of the following should the security engineer do to ensure IMAPS functions properly on the corporate user network?
- A. Make sure the UTM certificate is imported on the corporate computers.
- B. Confirm the email server certificate is installed on the corporate computers.
- C. Create an IMAPS firewall rule to ensure email is allowed.
- D. Contact the email service provider and ask if the company IP is blocked.
Answer: C
NEW QUESTION # 163
An organization is deploying a new, online digital bank and needs to ensure availability and performance. The cloud-based architecture is deployed using PaaS and SaaS solutions, and it was designed with the following considerations:
- Protection from DoS attacks against its infrastructure and web applications is in place.
- Highly available and distributed DNS is implemented.
- Static content is cached in the CDN.
- A WAF is deployed inline and is in block mode.
- Multiple public clouds are utilized in an active-passive architecture.
With the above controls in place, the bank is experiencing a slowdown on the unauthenticated payments page. Which of the following is the MOST likely cause?
- A. The site is experiencing a brute-force credential attack.
- B. A DDoS attack is targeted at the CDN.
- C. The API gateway endpoints are being directly targeted.
- D. The public cloud provider is applying QoS to the inbound customer traffic.
Answer: A
NEW QUESTION # 164
An organization's finance system was recently attacked. A forensic analyst is reviewing the contents Of the compromised files for credit card dat a.
Which of the following commands should the analyst run to BEST determine whether financial data was lost?
- A. Option C
- B. Option D
- C. Option A
- D. Option B
Answer: A
NEW QUESTION # 165
A Chief Information Officer is considering migrating all company data to the cloud to save money on expensive SAN storage.
Which of the following is a security concern that will MOST likely need to be addressed during migration?
- A. Data exposure
- B. Data dispersion
- C. Latency
- D. Data loss
Answer: C
NEW QUESTION # 166
A recent data breach revealed that a company has a number of files containing customer data across its storage environment. These files are individualized for each employee and are used in tracking various customer orders, inquiries, and issues. The files are not encrypted and can be accessed by anyone. The senior management team would like to address these issues without interrupting existing processes.
Which of the following should a security architect recommend?
- A. A DLP program to identify which files have customer data and delete them
- B. A CMDB to report on systems that are not configured to security baselines
- C. An ERP program to identify which processes need to be tracked
- D. A CRM application to consolidate the data and provision access based on the process and need
Answer: B
NEW QUESTION # 167
An organization is assessing the security posture of a new SaaS CRM system that handles sensitive PI I and identity information, such as passport numbers. The SaaS CRM system does not meet the organization's current security standards. The assessment identifies the following:
1) There will be a 520,000 per day revenue loss for each day the system is delayed going into production.
2) The inherent risk is high.
3) The residual risk is low.
4) There will be a staged deployment to the solution rollout to the contact center.
Which of the following risk-handling techniques will BEST meet the organization's requirements?
- A. Accept the risk, as compensating controls have been implemented to manage the risk.
- B. Transfer the risk to the SaaS CRM vendor, as the organization is using a cloud service.
- C. Apply for a security exemption, as the risk is too high to accept.
- D. Avoid the risk by accepting the shared responsibility model with the SaaS CRM provider.
Answer: D
NEW QUESTION # 168
A company publishes several APIs for customers and is required to use keys to segregate customer data sets.
Which of the following would be BEST to use to store customer keys?
- A. A localized key store
- B. A trusted platform module
- C. A public key infrastructure
- D. A hardware security module
Answer: A
NEW QUESTION # 169
All staff at a company have started working remotely due to a global pandemic. To transition to remote work, the company has migrated to SaaS collaboration tools. The human resources department wants to use these tools to process sensitive information but is concerned the data could be:
Leaked to the media via printing of the documents
Sent to a personal email address
Accessed and viewed by systems administrators
Uploaded to a file storage site
Which of the following would mitigate the department's concerns?
- A. Data loss detection, reverse proxy, EDR, and PGP
- B. Watermarking, forward proxy, DLP, and MFA
- C. Proxy, secure VPN, endpoint encryption, and AV
- D. VDI, proxy, CASB, and DRM
Answer: D
NEW QUESTION # 170
Which of the following are risks associated with vendor lock-in? (Choose two.)
- A. The vendor can change product offerings.
- B. The client experiences increased interoperability.
- C. The client can leverage a multicloud approach.
- D. The client receives a sufficient level of service.
- E. The client experiences decreased quality of service.
- F. The client can seamlessly move data.
Answer: A,E
NEW QUESTION # 171
A developer wants to maintain integrity to each module of a program and ensure the code cannot be altered by malicious users.
Which of the following would be BEST for the developer to perform? (Choose two.)
- A. Encrypt with 3DES.
- B. Verify MD5 hashes.
- C. Utilize code signing by a trusted third party.
- D. Implement certificate-based authentication.
- E. Make the DACL read-only.
- F. Compress the program with a password.
Answer: B,C
NEW QUESTION # 172
A company is implementing SSL inspection. During the next six months, multiple web applications that will be separated out with subdomains will be deployed.
Which of the following will allow the inspection of the data without multiple certificate deployments?
- A. Use a third-party CA.
- B. Include all available cipher suites.
- C. Create a wildcard certificate.
- D. Implement certificate pinning.
Answer: D
NEW QUESTION # 173
......
The best CAS-004 exam study material and preparation tool is here: https://torrentking.practicematerial.com/CAS-004-questions-answers.html

