CAS-004 Free Practice Test

A security compliance requirement states that specific environments that handle sensitive data must be protected by need-to-know restrictions and can only connect to authorized endpoints. The requirement also states that a DLP solution within the environment must be used to control the data from leaving the environment.
Which of the following should be implemented for privileged users so they can support the environment from their workstations while remaining compliant?

1. A. NAC to control authorized endpoints
2. B. FIM on the servers storing the data
3. C. A jump box in the screened subnet
4. D. A general VPN solution to the primary network

Correct Answer: A
Network Access Control (NAC) is used to bolster the network security by restricting the availability of network resources to managed endpoints that don't satisfy the compliance requirements of the Organization.

A company undergoing digital transformation is reviewing the resiliency of a CSP and is concerned about meeting SLA requirements in the event of a CSP incident.
Which of the following would be BEST to proceed with the transformation?

1. A. An on-premises solution as a backup
2. B. A load balancer with a round-robin configuration
3. C. A multicloud provider solution
4. D. An active-active solution within the same tenant

Correct Answer: C
An active-active cluster does nothing if the cloud provider goes down. One of the main features of multi-cloud is redundancy. https://www.cloudflare.com/learning/cloud/what-is-multicloud/

After a security incident, a network security engineer discovers that a portion of the company’s sensitive external traffic has been redirected through a secondary ISP that is not normally used.
Which of the following would BEST secure the routes while allowing the network to function in the event of a single provider failure?

1. A. Disable BGP and implement a single static route for each internal network.
2. B. Implement a BGP route reflector.
3. C. Implement an inbound BGP prefix list.
4. D. Disable BGP and implement OSPF.

Correct Answer: C
Defenses against BGP hijacks include IP prefix filtering, meaning IP address announcements are sent and accepted only from a small set of well-defined autonomous systems, and monitoring Internet traffic to identify signs of abnormal traffic flows.

Which of the following are risks associated with vendor lock-in? (Choose two.)

1. A. The client can seamlessly move data.
2. B. The vendor can change product offerings.
3. C. The client receives a sufficient level of service.
4. D. The client experiences decreased quality of service.
5. E. The client can leverage a multicloud approach.
6. F. The client experiences increased interoperability.

Correct Answer: BD

A networking team asked a security administrator to enable Flash on its web browser. The networking team explained that an important legacy embedded system gathers SNMP information from various devices. The system can only be managed through a web browser running Flash. The embedded system will be replaced within the year but is still critical at the moment.
Which of the following should the security administrator do to mitigate the risk?

1. A. Explain to the networking team the reason Flash is no longer available and insist the team move up the timetable for replacement.
2. B. Air gap the legacy system from the network and dedicate a laptop with an end-of-life OS on it to connect to the system via crossover cable for management.
3. C. Suggest that the networking team contact the original embedded system’s vendor to get an update to the system that does not require Flash.
4. D. Isolate the management interface to a private VLAN where a legacy browser in a VM can be used as needed to manage the system.

Correct Answer: D