Question 1

During a review of events, a security analyst notes that several log entries from the FIM system
identify changes to firewall rule sets. While coordinating a response to the FIM entries, the analyst
receives alerts from the DLP system that indicate an employee is sending sensitive data to an
external email address. Which of the following would be the most relevant to review in order to gain
a better understanding of whether these events are associated with an attack?

Accepted Answer

E

Explanation: NetFlow logs provide visibility into network traffic patterns and volume, which can be analyzed to detect anomalies, including potential security incidents. They can be invaluable in correlating the timing and nature of network events with security incidents to better understand if there is an association.

Question 2

A security engineer is performing a threat modeling procedure against a machine learning system
that correlates analytic information for decision support. Which of the following threat statements
most likely applies to this type of system?

Accepted Answer

A

Explanation: Overloading a machine learning system with incorrect information is an example of poisoning the data set, which can compromise the integrity of decision-making processes. This aligns with CASP+ objective 2.3, which involves threat modeling and mitigating risks associated with AI and ML systems. ________________________________________

Question 3

Which of the following security features do email signatures provide?

Accepted Answer

A

Explanation: Email signatures provide non-repudiation, which ensures that the sender of an email cannot deny having sent it. A digital signature, when attached to an email, uses cryptographic techniques toverify the sender's identity and confirm the authenticity of the message. This feature helps establish trust by preventing tampering and ensuring the integrity of the communication. CASP+ emphasizes the role of digital signatures in ensuring non-repudiation in secure communication protocols. Reference: CASP+ CAS-004 Exam Objectives: Domain 2.0 – Enterprise Security Operations (Non-repudiation and Digital Signatures) CompTIA CASP+ Study Guide: Email Security and Non-repudiation with Digital Signatures

Question 4

A security analyst is examining a former employee's laptop for suspected evidence of suspicious
activity. The analyst usesddduring the investigation. Which of the following best explains why the
analyst is using this tool?

Accepted Answer

A

Explanation: Theddtool creates a bit-for-bit copy of a hard drive, preserving its contents exactly as they are. This is essential for forensic analysis, as it ensures the integrity of evidence. This aligns with CASP+ objective 5.2, which emphasizes forensic tools and techniques for preserving and analyzing digital evidence.

Question 5

An analyst reviews the following output collected during the execution of a web application security assessment: https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/CAS-004/page_306_img_1.jpg Which of the following attacks would be most likely to succeed, given the output?

Accepted Answer

C

Explanation: Based on the output in the image, which shows weak cipher suites and vulnerabilities related to encryption padding, the padding oracle attack is the most likely. This type of attack exploits the way padding errors are handled during decryption, potentially allowing an attacker to decrypt sensitive information. The weak cipher suites and lack of forward secrecy further increase the likelihood of such an attack succeeding. CASP+ highlights padding oracle attacks as critical vulnerabilities, particularly in environments where weak encryption protocols are used. Reference: CASP+ CAS-004 Exam Objectives: Domain 2.0 – Enterprise Security Operations (Encryption and Padding Oracle Attacks) CompTIA CASP+ Study Guide: Cryptographic Attacks and Cipher Vulnerabilities

Question 6

An IT director is working on a solution to meet the challenge of remotely managing laptop devices and securely locking them down. The solution must meet the following requirements:

• Cut down on patch management.

• Make use of standard configurations.

• Allow for custom resource configurations.

• Provide access to the enterprise system from multiple types of devices.

Which of the following would meet these requirements?

Accepted Answer

D

Explanation: A Virtual Desktop Infrastructure (VDI) solution meets all the listed requirements: reducing patch management, using standard configurations, allowing for custom resource configurations, andproviding access from multiple device types. VDI allows centralized management of desktop environments, where patches and updates can be applied once and distributed across all virtual desktops. It also supports flexible resource configurations and secure remote access from various devices. CASP+ highlights VDI as a solution for centralized, secure desktop management that meets modern enterprise needs for mobility and security. Reference: CASP+ CAS-004 Exam Objectives: Domain 3.0 – Enterprise Security Architecture (VDI for Secure Remote Desktop Management) CompTIA CASP+ Study Guide: Virtual Desktop Infrastructure for Centralized Management and Security

Question 7

Which of the following is the reason why security engineers often cannot upgrade the security of embedded facility automation systems?

Accepted Answer

A

Explanation: Embedded facility automation systems are often difficult to upgrade because they are constrained by available compute. These systems typically have limited processing power, memory, and storage, which restricts the ability to implement modern security measures, such as encryption, software updates, or advanced security controls. Security engineers may be unable to apply patches or updates without exceeding the system’s capacity. CASP+ discusses the challenges posed by resource- constrained devices, particularly in embedded systems and IoT environments, where upgrading security can be difficult due to hardware limitations. Reference: CASP+ CAS-004 Exam Objectives: Domain 3.0 – Enterprise Security Architecture (Embedded System Security and Constraints) CompTIA CASP+ Study Guide: Managing Security for Resource-Constrained Embedded Systems

Question 8

Which of the following provides the best solution for organizations that want to securely back up the MFA seeds for its employees in a central, offline location with minimal management overhead?

Accepted Answer

D

Explanation: A Hardware Security Module (HSM) provides the best solution for securely backing up MFA seeds in a central, offline location with minimal management overhead. HSMs are specialized hardware devices designed for cryptographic key management, including storing sensitive data like MFA seeds securely. HSMs offer high levels of protection against tampering and provide offline security, making them an ideal choice for backing up cryptographic materials. CASP+ recognizes HSMs as critical components for managing and securing cryptographic keys in centralized, secure environments. Reference: CASP+ CAS-004 Exam Objectives: Domain 3.0 – Enterprise Security Architecture (HSM and Secure Key Management) CompTIA CASP+ Study Guide: Secure Backup and Key Management with HSM

Question 9

A security consultant needs to set up wireless security for a small office that does not have Active
Directory. Despite the lack of central account management, the office manager wants to ensure a
high level of defense to prevent brute-force attacks against wireless authentication. Which of the
following technologies wouldbestmeet this need?

Accepted Answer

C

Explanation: Comprehensive and Detailed in-Depth Why the Correct Answer is C (WPA3 SAE): WPA3 SAE (Simultaneous Authentication of Equals)is the most advanced method for wireless security in small office environments without centralized authentication (like Active Directory). It addressesbrute-force attacksthroughforward secrecyand theDragonfly key exchangemethod, making it resistant to dictionary attacks and offline cracking. WPA3 SAEenhances security by protecting against password-guessing attacks even when a weak password is chosen. Additionally,WPA3 SAEeliminates the vulnerabilities found in WPA2-PSK by using amore secure key exchange mechanism. Why the Other Options Are Incorrect: A . Faraday cage: A Faraday cage can block wireless signals entirely, but it does not provide asecurity protocolfor wireless authentication. It’s primarily used forsignal isolationrather than securing wireless communication. B . WPA2 PSK: AlthoughWPA2 PSK (Pre-Shared Key)is widely used, it is vulnerable tobrute-force and offline dictionary attacks, especially when weak passwords are used. WPA2 does not includeprotection against offline password cracking, which is a significant concern. D . WEP 128 bit: WEP (Wired Equivalent Privacy)is extremely outdated and insecure. It uses theRC4 stream cipher, which is prone toIV (Initialization Vector) collisionsandkey recovery attacks. Modern tools can crack WEP keys within minutes, making it highly unsuitable. Additional Information: WPA3 SAEis particularly designed for environments where there is no centralized authentication server (likeActive Directory), which fits the small office scenario perfectly. TheDragonfly handshakeused by WPA3 SAE prevents offline brute-force attacks by usingpassword- based authenticated key exchange. Even if an attacker captures the handshake, they cannot easily performoffline dictionary attacksdue toindividualized encryptionfor each session. Extract from CompTIA SecurityX CAS-005 Study Guide: According to theCompTIA SecurityX CAS-005 Official Study Guide, WPA3 offers improved security over WPA2 by providingrobust protection against password guessing attacks, especially in environments without enterprise-grade authentication mechanisms. TheSAE protocolis highlighted as essential forpersonal and small office wireless networkswhere enhanced security is required without the complexity of a RADIUS server.

Question 10

A security engineer is reviewing Apache web server logs and has identified the following pattern in
the log:
GET https://example.com/image5/../../etc/passwd HTTP/1.1 200 OK
The engineer has also reviewed IDS and firewall logs and established a correlation to an external IP
address. Which of the following can be determined regarding the vulnerability and response?

Accepted Answer

C

Explanation: A directory traversal attack exploits vulnerabilities in file path handling to access unauthorized files, as seen in this example. To mitigate, sanitize user inputs and avoid directly passing user-supplied data to the filesystem. This aligns with CASP+ objective 1.5, addressing secure input validation and mitigating common web-based vulnerabilities.

Question 11

A security administrator needs to implement anX.509 solutionfor multiple sites within thehuman
resources department. This solution would need tosecure all subdomainsassociated with
thedomainnameof the main human resources web server. Which of the following would need to be
implemented to properly secure the sites and provideeasier private key management?

Accepted Answer

C

Explanation: Comprehensive and Detailed in-Depth Problem Statement: The security administrator needs a solution that: Securesmultiple subdomainsunder asingle domain name. Simplifiesprivate key management. UsesX.509 certificates, which are common forTLS/SSLin web environments. Why the Correct Answer is C (Wildcard certificate): AWildcard certificateallows thesame certificateto securemultiple subdomainsof a domain. The format for a wildcard certificate is usually: CopyEdit *.example.com This single certificate can cover: hr.example.com payroll.example.com benefits.example.com It significantlyreduces administrative overheadsince onlyone certificate and one private keyare needed. In anX.509 context, a wildcard certificate is commonly used forweb servers that host multiple subdomains. Key Benefits of Wildcard Certificates: Cost-Effective:One certificate forall subdomains. Simplified Management:Oneprivate keyto secure multiple services. Flexibility:Can addnew subdomainswithout issuing a new certificate. Compatibility:Widely supported inweb servers and application frameworks. Why the Other Options Are Incorrect: A . Certificate revocation list (CRL): A CRL is used tolist revoked certificatesand ensure they are no longer trusted. It does notsecure multiple subdomainsormanage private keys. B . Digital signature: A digital signature is used toverify the integrity and authenticityof data. It is not related tomanaging certificates or securing subdomains. D . Registration authority (RA): An RA is responsible forvalidating identity and issuing certificates. It does not directly address theissue of securing multiple subdomains. E . Certificate pinning: Certificate pinning ensures that an application only trustsspecific public keysto preventMitM attacks. It does not providemulti-subdomain supportorsimplify key management. Real-World Scenario: An organization runs anHR portalwith multiple subdomains: login.hr.example.com docs.hr.example.com support.hr.example.com Implementing awildcard certificateallows the company tomanage a single certificatewhile covering all these subdomains. This reduces themaintenance workloadsince updates or renewals only need to be performed onone certificate. Example of a Wildcard Certificate in Practice: Common Name (CN): CopyEdit *.hr.example.com Usage: Secures all subdomains within thehr.example.comnamespace. Reduces thenumber of certificates neededfrom one per subdomain to justone wildcard certificate. Visual Representation: lua CopyEdit +--------------------------+ | Wildcard Certificate | | (*.hr.example.com) | +--------------------------+ | +----------------+----------------+ | | hr.example.com payroll.hr.example.com | benefits.hr.example.com Asingle wildcard certificatecovers all subdomains underhr.example.com. Extract from CompTIA SecurityX CAS-005 Study Guide: TheCompTIA SecurityX CAS-005 Official Study Guideemphasizes thatwildcard certificatesare an efficient solution when securingmultiple subdomains under the same domain. They reduce the complexity ofprivate key managementand streamline thecertificate deployment process.

Question 12

A company's software developers have indicated that the security team takes too long to perform application security tasks. A security analyst plans to improve the situation by implementing security into the SDLC. The developers have the following requirements: 1. The solution must be able to initiate SQL injection and reflected XSS attacks. 2. The solution must ensure the application is not susceptible to memory leaks. Which of the following should be implemented to meet these requirements? (Select two).

Accepted Answer

D, F

Explanation: The combination of DAST (Dynamic Application Security Testing) and SAST (Static Application Security Testing) would meet the developers' requirements. DAST is used for runtime testing, capable of simulating attacks like SQL injection and reflected XSS, which fulfills the first requirement. SAST analyzes the code statically to ensure that the application is not vulnerable to issues like memory leaks, fulfilling the second requirement. Implementing both will integrate security testing into the SDLC, addressing the security concerns earlier in the development cycle, as recommended in CASP+. Reference: CASP+ CAS-004 Exam Objectives: Domain 2.0 – Enterprise Security Operations (DAST, SAST for Secure Software Development) CompTIA CASP+ Study Guide: Secure SDLC and Application Security Testing

Question 13

A customer requires secure communication of subscribed web services at all times, but the company currently signs its own certificate requests to an internal C

Accepted Answer

D

Explanation: Step by Step Server authentication certificates are used to secure web communication (e.g., HTTPS). Submitting a CSR (Certificate Signing Request) for a server authentication certificate ensures the web services can securely establish encrypted communication. Other options, such as email encryption or software signing, do not apply in this scenario. Reference: CASP+ Exam Objectives 2.3 – Apply cryptographic techniques to secure communications.

Question 14

A SIEM generated an alert after a third-party database administrator, who had recently been granted
temporary access to the repository, accessed business-sensitive content in the database. The SIEM
had generated similar alerts before this incident. Which of the following best explains the cause of
the alert?

Accepted Answer

C

Explanation: Step by Step Database activity monitoring (DAM) tracks user actions within databases and generates alerts for anomalous behavior, such as unauthorized access to sensitive content. Database field tokenization protects sensitive data but does not monitor access. Database decoy involves creating fake data to detect misuse but is unrelated to monitoring. Database integrity enforcement ensures data accuracy but does not generate access alerts. Reference: CASP+ Exam Objectives 3.1 – Monitor and analyze logs for unauthorized access.

Question 15

A systems administrator is preparing to run avulnerability scanon a set of information systems in the
organization. The systems administrator wants to ensure that the targeted systems produceaccurate
information, especially regardingconfiguration settings. Which of the following scan types will
provide the systems administrator with themost accurate information?

Accepted Answer

D

Explanation: Comprehensive and Detailed in-Depth Understanding Vulnerability Scanning Types: Vulnerability scans can be categorized by two major factors: Active vs. Passive: Active Scans:Actively probe the target system, gathering detailed data. Passive Scans:Monitor network traffic and analyze data without directly probing the system. Credentialed vs. Non-Credentialed: Credentialed Scans:Utilize valid user credentials to access system information. Non-Credentialed Scans:Rely on publicly accessible data and network probing. Why the Correct Answer is D (An active, credentialed scan): Anactive, credentialed scancombinesdirect system probingwithauthorized access. This scan type provides themost accurate and comprehensive data, including: Configuration settings:Verifies security configurations likefirewall rules, user privileges, and patch levels. Detailed vulnerability data:Can accessinternal system informationandlog files. Thorough system analysis:Can enumeratesoftware versions, system settings, and misconfigurations. Credentialed scans canaccess local configuration filesandOS-level data, giving afull pictureof the system's security posture. Example Scenario: A systems administrator wants to verify thatall systems are patchedand properly configured according tocompany policies. Anactive, credentialed scancan log into each system anddirectly check patch versionsandconfiguration files, while anon-credentialed scanwould only be able to detect open ports and basic system information. Why the Other Options Are Incorrect: A . A passive, credentialed scan: Passive scansdo not interact directlywith the system, even if credentials are available. Theylack accuracyin identifyingconfiguration settingssince they onlymonitor traffic. B . A passive, non-credentialed scan: This method is theleast accurateas it onlymonitors network trafficwithout logging into systems. Providessurface-level informationand is typically used fordetecting anomaliesrather than deep scanning. C . An active, non-credentialed scan: Whileactive scanningprovides some detail,non-credentialed scansare limited toexternal checks. They can detectopen ports and basic vulnerabilitiesbutcannot access internal configurationsor system files. Key Differences: Scan Type Accuracy for Configuration Data Intrusiveness Use Case Passive, Credentialed Low Low Network monitoring Passive, Non-Credentialed Very Low Low Anomaly detection Active, Non-Credentialed Medium High Initial vulnerability assessment Active, Credentialed High High Comprehensive vulnerability analysis Best Practice: Always useactive, credentialed scansforin-depth vulnerability assessment, especially when accuracy inconfiguration validationis essential. Ensure thatcredentials providedfor scanning haveread-only permissionsto minimize risk. Extract from CompTIA SecurityX CAS-005 Study Guide: TheCompTIA SecurityX CAS-005 Official Study Guidehighlights thatactive, credentialed vulnerability scansare the most thorough and accurate. These scans canaccess system configurations, file permissions, and patch levels, which are crucial formaintaining system security. Non-credentialed scans, while useful forsurface-level checks, do not provide the same level of insight.

Free CompTIA CASP+ CAS-004 Actual Exam Questions