[Free] Download New Updated (December) CompTIA CAS-002 Exam Questions 221-230

Ensurepass

QUESTION 221

A recently hired security administrator is advising developers about the secure integration of a legacy in-house application with a new cloud-based processing system. The systems must exchange large amounts of fixed-format data such as names, addresses, and phone numbers, as well as occasional chunks of data in unpredictable formats. The developers want to construct a new data format and create custom tools to parse and process the data. The security administrator instead suggests that the developers:

A. Create a custom standard to define the data.
B. Use well-formed, standard-compliant XML and strict schemas.
C. Only document the data format in the parsing application code.
D. Implement a de facto corporate standard for all analyzed data.

Correct Answer: B

QUESTION 222

ABC Corporation uses multiple security zones to protect systems and information, and all of the VM hosts are part of a consolidated VM infrastructure. Each zone has different VM administrators. Which of the following restricts different zone administrators from directly accessing the console of a VM host from another zone?

A. Ensure hypervisor layer firewalling between all VM hosts regardless of security zone.
B. Maintain a separate virtual switch for each security zone and ensure VM hosts bind to only the correct virtual NIC(s).
C. Organize VM hosts into containers based on security zone and restrict access using an ACL.
D. Require multi-factor authentication when accessing the console at the physical VM host.

Correct Answer: C

QUESTION 223

A web developer is responsible for a simple web application that books holiday accommodations. The front-facing web server offers an HTML form, which asks for a user’s age. This input gets placed into a signed integer variable and is then checked to ensure that the user is in the adult age range. Users have reported that the website is not functioning correctly. The web developer has inspected log files and sees that a very large number (in the billions) was submitted just before the issue started occurring. Which of the following is the MOST likely situation that has occurred?

A. The age variable stored the large number and filled up disk space, which stopped the application from continuing to function. Improper error handling prevented the application from recovering.
B. The age variable has had an integer overflow and was assigned a very small negative number, which led to unpredictable application behavior. Improper error handling prevented the application from recovering.
C. Computers are able to store numbers well above “billions” in size. Therefore, the website issues are not related to the large number being input.
D. The application has crashed because a very large integer has led to a “divide by zero”. Improper error handling prevented the application from recovering.

Correct Answer: B

QUESTION 224

A company decides to purchase commercially available software packages. This can introduce new security risks to the network. Which of the following is the BEST description of why this is true?

A. Commercially available software packages are typically well known and widely available. Information concerning vulnerabilities and viable attack patterns is never revealed by the developer to avoid lawsuits.
B. Commercially available software packages are often widely available. Information concerning vulnerabilities is often kept internal to the company that developed the software.
C. Commercially available software packages are not widespread and are only available in limited areas. Information concerning vulnerabilities is often ignored by business managers.
D. Commercially available software packages are well known and widely available. Information concerning vulnerabilities and viable attack patterns is always shared within the IT community.

Correct Answer: B

QUESTION 225

An educational institution would like to make computer labs available to remote students. The labs are used for various IT networking, security, and programming courses. The requirements are:

1. Each lab must be on a separate network segment.
2. Labs must have access to the Internet, but not other lab networks.
3. Student devices must have network access, not simple access to hosts on the lab networks.
4. Students must have a private certificate installed before gaining access.
5. Servers must have a private certificate installed locally to provide assurance to the students.
6. All students must use the same VPN connection profile.

Which of the following components should be used to achieve the design in conjunction with directory services?

A. L2TP VPN over TLS for remote connectivity, SAML for federated authentication, firewalls between each lab segment
B. SSL VPN for remote connectivity, directory services groups for each lab group, ACLs on routing equipment
C. IPSec VPN with mutual authentication for remote connectivity, RADIUS for authentication, ACLs on network equipment
D. Cloud service remote access tool for remote connectivity, OAuth for authentication, ACL on routing equipment

Correct Answer: C

QUESTION 226

An IT auditor is reviewing the data classification for a sensitive system. The company has classified the data stored in the sensitive system according to the following matrix:

DATA TYPE        CONFIDENTIALITY   INTEGRITY   AVAILABILITY
------------------------------------------------------------
Financial        HIGH              HIGH        LOW
Client name      MEDIUM            MEDIUM      HIGH
Client address   LOW               MEDIUM      LOW
------------------------------------------------------------
AGGREGATE        MEDIUM            MEDIUM      MEDIUM

The auditor is advising the company to review the aggregate score and submit it to senior management. Which of the following should be the revised aggregate score?

A. HIGH, MEDIUM, LOW
B. MEDIUM, MEDIUM, LOW
C. HIGH, HIGH, HIGH
D. MEDIUM, MEDIUM, MEDIUM

Correct Answer: C

QUESTION 227

The helpdesk is receiving multiple calls about slow and intermittent Internet access from the finance department. The following information is compiled:

Caller 1, IP 172.16.35.217, NETMASK 255.255.254.0
Caller 2, IP 172.16.35.53, NETMASK 255.255.254.0
Caller 3, IP 172.16.35.173, NETMASK 255.255.254.0

All callers are connected to the same switch and are routed by a router with five built-in interfaces. The upstream router interface’s MAC is 00-01-42-32-ab-1a.

A packet capture shows the following:

09:05:15.934840 arp reply 172.16.34.1 is-at 00:01:42:32:ab:1a (00:01:42:32:ab:1a)
09:06:16.124850 arp reply 172.16.34.1 is-at 00:01:42:32:ab:1a (00:01:42:32:ab:1a)
09:07:25.439811 arp reply 172.16.34.1 is-at 00:01:42:32:ab:1a (00:01:42:32:ab:1a)
09:08:10.937590 IP 172.16.35.1 > 172.16.35.255: ICMP echo request, id 2305, seq 1, length 65534
09:08:10.937591 IP 172.16.35.1 > 172.16.35.255: ICMP echo request, id 2306, seq 2, length 65534
09:08:10.937592 IP 172.16.35.1 > 172.16.35.255: ICMP echo request, id 2307, seq 3, length 65534

Which of the following is occurring on the network?

A. A man-in-the-middle attack is underway on the network.
B. An ARP flood attack is targeting the router.
C. The default gateway is being spoofed on the network.
D. A denial of service attack is targeting the router.

Correct Answer: D

QUESTION 228

The Chief Information Security Officer (CISO) at a large organization has been reviewing some security-related incidents at the organization and comparing them to current industry trends. The desktop security engineer feels that the use of USB storage devices on office computers has contributed to the frequency of security incidents. The CISO knows the acceptable use policy prohibits the use of USB storage devices. Every user receives a popup warning about this policy upon login. The SIEM system produces a report of USB violations on a monthly basis; yet violations continue to occur. Which of the following preventative controls would MOST effectively mitigate the logical risks associated with the use of USB storage devices?

A. Revise the corporate policy to include possible termination as a result of violations
B. Increase the frequency and distribution of the USB violations report
C. Deploy PKI to add non-repudiation to login sessions so offenders cannot deny the offense
D. Implement group policy objects

Correct Answer: D

QUESTION 229

A project manager working for a large city government is required to plan and build a WAN, which will be required to host official business and public access. It is also anticipated that the city’s emergency and first response communication systems will be required to operate across the same network. The project manager has experience with enterprise IT projects, but feels this project has an increased complexity as a result of the mixed business / public use and the critical infrastructure it will provide. Which of the following should the project manager release to the public, academia, and private industry to ensure the city provides due care in considering all project factors prior to building its new WAN?

A. NDA
B. RFI
C. RFP
D. RFQ

Correct Answer: B

QUESTION 230

A penetration tester is inspecting traffic on a new mobile banking application and sends the following web request:

POST http://www.example.com/resources/NewBankAccount HTTP/1.1
Content-type: application/json

{
  "account":
  [
    { "creditAccount":"Credit Card Rewards account"},
    { "salesLeadRef":"www.example.com/badcontent/exploitme.exe"}
  ],
  "customer":
  [
    { "name":"Joe Citizen"},
    { "custRef":"3153151"}
  ]
}

The banking website responds with:

HTTP/1.1 200 OK

{
  "newAccountDetails":
  [
    { "cardNumber":"1234123412341234"},
    { "cardExpiry":"2020-12-31"},
    { "cardCVV":"909"}
  ],
  "marketingCookieTracker":"JSESSIONID=000000001",
  "returnCode":"Account added successfully"
}

Which of the following are security weaknesses in this example? (Select TWO).

A. Missing input validation on some fields
B. Vulnerable to SQL injection
C. Sensitive details communicated in clear-text
D. Vulnerable to XSS
E. Vulnerable to malware file uploads
F. JSON/REST is not as secure as XML

Correct Answer: AC

 
