CAS-004 Free Practice Test

A networking team asked a security administrator to enable Flash on its web browser. The networking team explained that an important legacy embedded system gathers SNMP information from various devices. The system can only be managed through a web browser running Flash. The embedded system will be replaced within the year but is still critical at the moment.
Which of the following should the security administrator do to mitigate the risk?

1. A. Explain to the networking team the reason Flash is no longer available and insist the team move up the timetable for replacement.
2. B. Air gap the legacy system from the network and dedicate a laptop with an end-of-life OS on it to connect to the system via crossover cable for management.
3. C. Suggest that the networking team contact the original embedded system’s vendor to get an update to the system that does not require Flash.
4. D. Isolate the management interface to a private VLAN where a legacy browser in a VM can be used as needed to manage the system.

Correct Answer: D

Based on PCI DSS v3.4, One Particular database field can store data, but the data must be unreadable. which of the following data objects meets this requirement?

1. A. PAN
2. B. CVV2
3. C. Cardholder name
4. D. expiration date

Correct Answer: A

The Chief information Officer (CIO) of a large bank, which uses multiple third-party organizations to deliver a service, is concerned about the handling and security of customer data by the parties. Which of the following should be implemented to BEST manage the risk?

1. A. Establish a review committee that assesses the importance of suppliers and ranks them according to contract renewal
2. B. At the time of contract renewal, incorporate designs and operational controls into the contracts and a right-to-audit claus
3. C. Regularly assess the supplier’s post-contract renewal with a dedicated risk management team.
4. D. Establish a team using members from first line risk, the business unit, and vendor management to assess only design security controls of all supplier
5. E. Store findings from the reviews in a database for all other business units and risk teams to reference.
6. F. Establish an audit program that regularly reviews all suppliers regardless of the data they access, how they access the data, and the type of data, Review all design and operational controls based on best practice standard and report the finding back to upper management.
7. G. Establish a governance program that rates suppliers based on their access to data, the type of data, and how they access the data Assign key controls that are reviewed and managed based on the supplier’sratin
8. H. Report finding units that rely on the suppliers and the various risk teams.

Correct Answer: A

A company's finance department acquired a new payment system that exports data to an unencrypted file on the system. The company implemented controls on the file so only appropriate personnel are allowed access. Which of the following risk techniques did the department use in this situation?

1. A. Accept
2. B. Avoid
3. C. Transfer
4. D. Mitigate

Correct Answer: D

A security engineer estimates the company’s popular web application experiences 100 attempted breaches per day. In the past four years, the company’s data has been breached two times.
Which of the following should the engineer report as the ARO for successful breaches?

1. A. 0.5
2. B. 8
3. C. 50
4. D. 36,500

Correct Answer: A