Comptia (CAS-003) Exam Questions And Answers page 2
A security consultant is considering authentication options for a financial institution. The following authentication options are available. Drag and drop the security mechanism to the appropriate use case. Options may be used once.
Risk Management
Enterprise Security Architecture
A security consultant is improving the physical security of a sensitive site and takes pictures of the unbranded building to include in the report. Two weeks later, the security consultant misplaces the phone, which only has one hour of charge left on it. The person who finds the phone removes the MicroSD card in an attempt to discover the owner to return it.
The person extracts the following data from the phone and EXIF data from some files:
DCIM Images folder
Audio books folder
Torrentz
My TAX.xls
Consultancy HR Manual.doc
Camera: SM-G950F
Exposure time: 1/60s
Location: 3500 Lacey Road USA
Which of the following BEST describes the security problem?
MicroSD contains a mixture of personal and work data.
MicroSD is not encrypted and contains geotagging information.
MicroSD contains pirated software and is not encrypted.
Risk Management
Enterprise Security Architecture
An organization is currently working with a client to migrate data between a legacy ERP system and a cloud-based ERP tool using a global PaaS provider. As part of the engagement, the organization is performing data deduplication and sanitization of client data to ensure compliance with regulatory requirements. Which of the following is the MOST likely reason for the need to sanitize the client data? (Choose two.)
Data aggregation
Data sovereignty
Data isolation
Data volume
Data analytics
Data precision
Risk Management
Enterprise Security Operations
During a security assessment, an organization is advised of inadequate control over network segmentation. The assessor explains that the organization's reliance on VLANs to segment traffic is insufficient to provide segmentation based on regulatory standards. Which of the following should the organization consider implementing along with VLANs to provide a greater level of segmentation?
Air gaps
Access control lists
Spanning tree protocol
Network virtualization
Elastic load balancing
Risk Management
Enterprise Security Operations
A large, multinational company currently has two separate databases. One is used for ERP, while the second is used for CRM. To consolidate services and infrastructure, it is proposed to combine the databases. The company's compliance manager is asked to review the proposal and is concerned about this integration. Which of the following would pose the MOST concern to the compliance manager?
The attack surface of the combined database is lower than the previous separate systems, so there likely are wasted resources on additional security controls that will not be needed.
There are specific regulatory requirements the company might be violating by combining these two types of services into one shared platform.
By consolidating services in this manner, there is an increased risk posed to the organization due to the number of resources required to manage the larger data pool.
Auditing the combined database structure will require more short-term resources, as the new system will need to be learned by the auditing team to ensure all security controls are in place.
Risk Management
Enterprise Security Operations
A security engineer has just been embedded in an agile development team to ensure security practices are maintained during frequent release cycles. A new web application includes an input form. Which of the following would work BEST to allow the security engineer to test how the application handles error conditions?
Running a dynamic analysis at form submission
Performing a static code analysis
Fuzzing possible input of the form
Conducting a runtime analysis of the code
Enterprise Security Operations
Enterprise Security Operations
An engineer needs to provide access to company resources for several offshore contractors. The contractors require:
• Access to a number of applications, including internal websites
• Access to database data and the ability to manipulate it
• The ability to log into Linux and Windows servers remotely
Which of the following remote access technologies are the BEST choices to provide all of this access securely? (Choose two.)
VTC
VRRP
VLAN
VDI
VPN
Telnet
Risk Management
Enterprise Security Operations
A security architect is reviewing the code for a company's financial website. The architect suggests adding the following HTML element, along with a server-side function, to generate a random number on the page used to initiate a funds transfer:
Which of the following attacks is the security architect attempting to prevent?
SQL injection
XSRF
XSS
Clickjacking
Enterprise Security Architecture
Enterprise Security Architecture
A security analyst is reviewing the following pseudo-output snippet after running the command less /tmp/file.tmp.
The information above was obtained from a public-facing website and used to identify military assets. Which of the following should be implemented to reduce the risk of a similar compromise?
Deploy a solution to sanitize geotagging information
Install software to wipe data remnants on servers
Enforce proper input validation on mission-critical software
Implement a digital watermarking solution
Risk Management
Enterprise Security Architecture
A company's security policy states any remote connections must be validated using two forms of network-based authentication. It also states local administrative accounts should not be used for any remote access. PKI currently is not configured within the network. RSA tokens have been provided to all employees, as well as a mobile application that can be used for 2FA authentication. A new NGFW has been installed within the network to provide security for external connections, and the company has decided to use it for VPN connections as well. Which of the following should be configured? (Choose two.)
Certificate-based authentication
TACACS+
802.1X
RADIUS
LDAP
Local user database
Risk Management
Enterprise Security Operations