[Free] Download New Updated (December) CompTIA CAS-002 Exam Questions 111-120

Ensurepass

QUESTION 111

Company XYZ has purchased and is now deploying a new HTML5 application. The company wants to hire a penetration tester to evaluate the security of the client and server components of the proprietary web application before launch. Which of the following is the penetration tester MOST likely to use while performing black box testing of the security of the company’s purchased application? (Select TWO).

A. Code review
B. Sandbox
C. Local proxy
D. Fuzzer
E. Port scanner

Correct Answer: CD


QUESTION 112

An extensible commercial software system was upgraded to the next minor release version to patch a security vulnerability. After the upgrade, an unauthorized intrusion into the system was detected. The software vendor is called in to troubleshoot the issue and reports that all core components were updated properly. Which of the following has been overlooked in securing the system? (Select TWO).

A. The company’s IDS signatures were not updated.
B. The company’s custom code was not patched.
C. The patch caused the system to revert to http.
D. The software patch was not cryptographically signed.
E. The wrong version of the patch was used.
F. Third-party plug-ins were not patched.

Correct Answer: BF


QUESTION 113

A company has received the contract to begin developing a new suite of software tools to replace an aging collaboration solution. The original collaboration solution has been in place for nine years, contains over a million lines of code, and took over two years to develop originally. The SDLC has been broken up into eight primary stages, with each stage requiring an in-depth risk analysis before moving on to the next phase. Which of the following software development methods is MOST applicable?

A. Spiral model
B. Incremental model
C. Waterfall model
D. Agile model

Correct Answer: C


QUESTION 114

A large hospital has implemented BYOD to allow doctors and specialists to access patient medical records on their tablets. The doctors and specialists access patient records over the hospital’s guest WiFi network, which is isolated from the internal network with appropriate security controls. The patient records management system can be accessed from the guest network and requires two-factor authentication. Using a remote desktop type interface, the doctors and specialists can interact with the hospital’s system. Cut-and-paste and printing functions are disabled to prevent the copying of data to BYOD devices. Which of the following are of MOST concern? (Select TWO).

A. Privacy could be compromised as patient records can be viewed in uncontrolled areas.
B. Device encryption has not been enabled and will result in a greater likelihood of data loss.
C. The guest WiFi may be exploited allowing non-authorized individuals access to confidential patient data.
D. Malware may be on BYOD devices which can extract data via key logging and screen scrapes.
E. Remote wiping of devices should be enabled to ensure any lost device is rendered inoperable.

Correct Answer: AD


QUESTION 115

A software development manager is taking over an existing software development project. The team currently suffers from poor communication due to a long delay between requirements documentation and feature delivery. This gap is resulting in an above average number of security-related bugs making it into production. Which of the following development methodologies is the team MOST likely using now?

A. Agile
B. Waterfall
C. Scrum
D. Spiral

Correct Answer: B


QUESTION 116

Company A needs to export sensitive data from its financial system to company B’s database, using company B’s API in an automated manner. Company A’s policy prohibits the use of any intermediary external systems to transfer or store its sensitive data; therefore the transfer must occur directly between company A’s financial system and company B’s destination server using the supplied API. Additionally, company A’s legacy financial software does not support encryption, while company B’s API supports encryption. Which of the following will provide end-to-end encryption for the data transfer while adhering to these requirements?

A. Company A must install an SSL tunneling software on the financial system.
B. Company A’s security administrator should use an HTTPS capable browser to transfer the data.
C. Company A should use a dedicated MPLS circuit to transfer the sensitive data to company B.
D. Company A and B must create a site-to-site IPSec VPN on their respective firewalls.

Correct Answer: A


QUESTION 117

Three companies want to allow their employees to seamlessly connect to each other’s wireless corporate networks while keeping one consistent wireless client configuration. Each company wants to maintain its own authentication infrastructure and wants to ensure that an employee who is visiting the other two companies is authenticated by the home office when connecting to the other companies’ wireless networks. All three companies have agreed to standardize on 802.1X EAP-PEAP-MSCHAPv2 for client configuration. Which of the following should the three companies implement?

A. The three companies should agree on a single SSID and configure a hierarchical RADIUS system which implements trust delegation.
B. The three companies should implement federated authentication through Shibboleth connected to an LDAP backend and agree on a single SSID.
C. The three companies should implement a central portal-based single sign-on and agree to use the same CA when issuing client certificates.
D. All three companies should use the same wireless vendor to facilitate the use of a shared cloud based wireless controller.

Correct Answer: A


QUESTION 118

DRAG DROP

Company A has experienced external attacks on its network and wants to minimize the chance of the attacks recurring. Modify the network diagram to prevent SQL injections, XSS attacks, smurf attacks, e-mail spam, downloaded malware, viruses and ping attacks. The company can spend a MAXIMUM of $50,000 USD. A cost list for each item is given below:

1. Anti-Virus Server – $10,000
2. Firewall – $15,000
3. Load Balanced Server – $10,000
4. NIDS/NIPS – $10,000
5. Packet Analyzer – $5,000
6. Patch Server – $15,000
7. Proxy Server – $20,000
8. Router – $10,000
9. Spam Filter – $5,000
10. Traffic Shaper – $20,000
11. Web Application Firewall – $10,000

Instructions:

Not all placeholders in the diagram need to be filled and items can only be used once. If you place an object on the network diagram, you can remove it by clicking the (x) in the upper right-hand corner of the object.

[Network diagram image not available]

Correct Answer:

[Answer diagram image not available]


QUESTION 119

Which of the following represents important technical controls for securing a SAN storage infrastructure? (Select TWO).

A. Synchronous copy of data
B. RAID configuration
C. Data de-duplication
D. Storage pool space allocation
E. Port scanning
F. LUN masking/mapping
G. Port mapping

Correct Answer: FG


QUESTION 120

A pentester must attempt to crack passwords on a Windows domain that enforces strong, complex passwords. Which of the following would crack the MOST passwords in the shortest time period?

A. Online password testing
B. Rainbow tables attack
C. Dictionary attack
D. Brute force attack

Correct Answer: B
