CAS-004 Free Practice Test

A company wants to refactor a monolithic application to take advantage of cloud native services and service microsegmentation to secure sensitive application components. Which of the following should the company implement to ensure the architecture is portable?

1. A. Virtualized emulators
2. B. Type 2 hypervisors
3. C. Orchestration
4. D. Containerization

Correct Answer: D
Containerization is a technology that allows applications to run in isolated and portable environments called containers. Containers are lightweight and self-contained units that
include all the dependencies, libraries, and configuration files needed for an application to run. Containers can be deployed on any platform that supports the container runtime engine, such as Docker or Kubernetes.
Containerization would allow the company to refactor a monolithic application to take advantage of cloud native services and service microsegmentation to secure sensitive application components, because containerization would:
✑ Enable the application to be split into smaller and independent components
(microservices) that can communicate with each other through APIs or message queues.
✑ Allow the application to leverage cloud native services, such as load balancers,
databases, or serverless functions, that can be integrated with containers through configuration files or environment variables.
✑ Enhance the security of the application by isolating each container from other
containers and the host system, and applying fine-grained access control policies and network rules to each container or group of containers.
✑ Ensure the portability of the application by enabling it to run on any cloud provider
or platform that supports containers, without requiring any changes to the application code or configuration.

A cloud security engineer is setting up a cloud-hosted WAF. The engineer needs to implement a solution to protect the multiple websites the organization hosts. The organization websites are:
* www.mycompany.org
* www.mycompany.com
* campus.mycompany.com
* wiki. mycompany.org
The solution must save costs and be able to protect all websites. Users should be able to notify the cloud security engineer of any on-path attacks. Which of the following is the BEST solution?

1. A. Purchase one SAN certificate.
2. B. Implement self-signed certificates.
3. C. Purchase one certificate for each website.
4. D. Purchase one wildcard certificate.

Correct Answer: D
Purchasing one wildcard certificate is the best solution to protect multiple websites hosted by an organization in a cloud-hosted WAF. A wildcard certificate is a type of SSL/TLS certificate that can secure a domain name and any number of its subdomains with a single certificate. For example, a wildcard certificate for *.mycompany.com can secure www.mycompany.com, campus.mycompany.com, and any other subdomain under mycompany.com. A wildcard certificate can save costs and simplify management compared to purchasing individual certificates for each website.
References: [CompTIA CASP+ Study Guide, Second Edition, page 301]

A systems administrator is preparing to run a vulnerability scan on a set of information systems in the organization. The systems administrator wants to ensure that the targeted systems produce accurate information especially regarding configuration settings.
Which of the following scan types will provide the systems administrator with the MOST accurate information?

1. A. A passive, credentialed scan
2. B. A passive, non-credentialed scan
3. C. An active, non-credentialed scan
4. D. An active, credentialed scan

Correct Answer: D

A university issues badges through a homegrown identity management system to all staff and students. Each week during the summer, temporary summer school students arrive and need to be issued a badge to access minimal campus resources. The security team received a report from an outside auditor indicating the homegrown system is not consistent with best practices in the security field and leaves the institution vulnerable.
Which of the following should the security team recommend FIRST?

1. A. Investigating a potential threat identified in logs related to the identity management system
2. B. Updating the identity management system to use discretionary access control
3. C. Beginning research on two-factor authentication to later introduce into the identity management system
4. D. Working with procurement and creating a requirements document to select a new IAM system/vendor

Correct Answer: D
This is because the homegrown identity management system is not consistent with best practices and leaves the institution vulnerable, which means it needs to be replaced with a more secure and reliable solution. A new IAM system/vendor should be able to provide features such as role-based access control, two-factor authentication, auditing, and compliance that can enhance the security and efficiency of the identity management process. A requirements document can help define the scope, objectives, and criteria for selecting a suitable IAM system/vendor that meets the needs of the institution.

Over the last 90 days, many storage services has been exposed in the cloud services environments, and the security team does not have the ability to see is creating these instance. Shadow IT is creating data services and instances faster than the small security team can keep up with them. The Chief information security Officer (CIASO) has asked the security officer (CISO) has asked the security lead architect to architect to recommend solutions to this problem.
Which of the following BEST addresses the problem best address the problem with the least amount of administrative effort?

1. A. Compile a list of firewall requests and compare than against interesting cloud services.
2. B. Implement a CASB solution and track cloud service use cases for greater visibility.
3. C. Implement a user-behavior system to associate user events and cloud service creation events.
4. D. Capture all log and feed then to a SIEM and then for cloud service events

Correct Answer: C