Free CompTIA CAS-004 Practice Exam with Questions & Answers | Set: 12

Before determining which data should be deleted during a data cleanup project, it is critical to first review retention schedules. Retention schedules specify how long data must be retained to comply with legal, regulatory, or business requirements. Deleting data prematurely could result in non-compliance or the loss of important information. By consulting retention schedules, the security administrator ensures that data is deleted in a compliant and controlled manner, based on its retention policy. CASP+ highlights data retention management as a key element in data governance and security.

Step by Step Explanation:

Development of zero-day exploits is a critical risk, as adversarial entities with access to the source code could analyze it for vulnerabilities to exploit.

Legal action or sale of the source code are concerns, but they are not unique to the adversarial context of this scenario.

Publication of the source code on the internet is less likely than targeted exploitation in this specific scenario.

“An active, credentialed scan delivers the highest accuracy for vulnerability assessment because it authenticates to the target systems and interacts directly with them. Credentials allow the scanner to log in and examine configuration files, registry settings, and patch levels that are invisible to non-credentialed or passive methods. Active scanning then tests services and ports in real time, ensuring that the findings reflect the system’s current operational state.”

— CompTIA CASP+ Official Study Guide, Third Edition, Chapter 6: Vulnerability Assessment and Penetration Testing, pp. 412–413

“Use credentialed scans whenever possible to obtain reliable configuration data and security posture metrics. Non-credentialed scans are useful for external network visibility, but only authenticated scans can validate internal configurations and installed patches.”

— CompTIA CASP+ CAS-004 Exam Objectives (v7.1), Section 4.1: Conduct Vulnerability Assessments, p. 21

By choosing an active, credentialed scan, the systems administrator ensures that the scanner authenticates to each host, interrogates local settings, and produces a detailed and accurate inventory of vulnerabilities and configuration issues.

The combination of DAST (Dynamic Application Security Testing) and SAST (Static Application Security Testing) would meet the developers' requirements. DAST is used for runtime testing, capable of simulating attacks like SQL injection and reflected XSS, which fulfills the first requirement. SAST analyzes the code statically to ensure that the application is not vulnerable to issues like memory leaks, fulfilling the second requirement. Implementing both will integrate security testing into the SDLC, addressing the security concerns earlier in the development cycle, as recommended in CASP+.

Agent-based scanning is best suited for environments with multiple subnets, VLANs, and branch offices, as described. It allows for fast scanning with fewer false positives, and since the agents are installed on the servers, they tend to have a lower impact on performance. This type of scanning also facilitates signature-based scanning, which is one of the customer's requirements.

Step by Step Explanation:

Creating an organizational risk register ensures the issue is documented and prioritized for mitigation, aligning with risk management best practices.

Accepting the risk is not advisable due to the financial implications of failure.

Implementing network compensating controls does not address server reliability.

Purchasing insurance only offsets financial risk and does not ensure system functionality.

A runbook is a detailed guide that provides step-by-step instructions on how to respond to specific types of incidents. It is used by the SOC team to ensure a consistent, organized, and efficient response to incidents. In this case, after the incident investigation, creating a runbook would help standardize the response process for future security incidents, enabling the team to act quickly and effectively. CASP+ emphasizes the importance of having detailed runbooks for incident response as part of an organization's overall incident response strategy.

The primary advantage of creating and maintaining a vendor risk registry is to ensure that an inventory of potential risks is maintained. A vendor risk registry helps organizations keep track of the risks associated with third-party vendors, especially as they may introduce vulnerabilities or non-compliance issues. By maintaining this registry, the organization can continuously monitor and manage vendor-related risks in a structured way, improving its overall security posture. CASP+ emphasizes the importance of vendor risk management in an organization’s broader risk management strategy.

Step by Step Explanation:

Replication ensures data consistency by synchronizing copies of data across clusters. This would prevent data loss during power outages.

Caching provides faster data retrieval but does not ensure data persistence.

Containerization improves deployment consistency but does not address resilience or data integrity.

Redundancy relates to additional hardware or systems but does not guarantee up-to-date data.

High availability addresses system uptime but does not prevent data loss.

Based on the SIEM alerts, the security analyst should first disable the jdoe account, as it is likely compromised by an attacker. The alerts show that the jdoe account successfully logged on to the abc-usa-fsl server, which is a file server, and then initiated SMB (445) traffic to the abc-web01server, which is a web server. This indicates that the attacker may be trying to exfiltrate data from the file server to the web server. Disabling the jdoe account would help stop this unauthorized activity and prevent further damage.

Disabling Administrator on abc-usa-fsl, the local account is compromised, is not the first action to take, as it is not clear from the alerts if the local account is compromised or not. The alert shows that there was a successful logon event for Administrator on abc-usa-fsl, but it does not specify if it was a local or domain account, or if it was authorized or not. Moreover, disabling the local account would not stop the SMB traffic from jdoe to abc-web01.

Shutting down the abc-usa-fsl server, a plaintext credential is being used, is not the first action to take, as it is not clear from the alerts if a plaintext credential is being used or not. The alert shows that there was RDP (3389) traffic from abc-admin1-logon to abc-usa-fsl, but it does not specify if the credential was encrypted or not. Moreover, shutting down the file server would disrupt its normal operations and affect other users.

Shutting down abc-usa-fw01; the remote access VPN vulnerability is exploited, is not the first action to take, as it is not clear from the alerts if the remote access VPN vulnerability is exploited or not. The alert shows that there was FTP (21) traffic from abc-usa-dcl to abc-web01, but it does not specify if it was related to the VPN or not. Moreover, shutting down the firewall would expose the network to other threats and affect other services. References: What is SIEM? | Microsoft Security, What is a SIEM Alert? | Cofense

PowerShell is a versatile scripting language that can be used to automate administrative tasks and configurations on Windows machines. It has the capability to edit registry keys, which is what the red team appears to have done based on the provided information. PowerShell is a common tool used by both system administrators and attackers (in the form of a red team during penetration testing).

Proper forensic investigation requires that evidence is preserved in a manner that maintains its integrity and reliability. To prevent legal issues such as penalties for not conducting a proper forensic investigation, the first and most crucial step is to ensure that evidence is preserved so that it can be verified, collected, and analyzed correctly. This involves making sure that the evidence is not tampered with or altered from the time it is identified until it is presented in a legal proceeding.

To reduce the risk of unauthorized devices accessing company resources, requiring device certificates is an effective control. Device certificates can be used to authenticate devices before they are allowed to connect to the network and access resources, ensuring that only devices with a valid certificate, which are typically managed and issued by the organization, can connect.

Email signatures provide non-repudiation, which ensures that the sender of an email cannot deny having sent it. A digital signature, when attached to an email, uses cryptographic techniques toverify the sender's identity and confirm the authenticity of the message. This feature helps establish trust by preventing tampering and ensuring the integrity of the communication. CASP+ emphasizes the role of digital signatures in ensuring non-repudiation in secure communication protocols.

The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation. Using SCAP can help to identify vulnerabilities, including those without standard definitions, and ensure they are tracked and managed effectively.