[Free] Download New Updated (December) CompTIA CAS-002 Exam Questions 31-40

Ensurepass

QUESTION 31

A security engineer is a new member of a configuration board at the request of management. The company has two new major IT projects starting this year and wants to plan security into the application deployment. The board is primarily concerned with the applications’ compliance with federal assessment and authorization standards. The security engineer asks for a timeline to determine when a security assessment of both applications should occur and does not attend subsequent configuration board meetings. If the security engineer is only going to perform a security assessment, which of the following steps in system authorization has the security engineer omitted?

A. Establish the security control baseline
B. Build the application according to software development security standards
C. Review the results of user acceptance testing
D. Consult with the stakeholders to determine which standards can be omitted

Correct Answer: A

 

 

QUESTION 32

The source workstation image for new accounting PCs has begun blue-screening. A technician notices that the date/time stamp of the image source appears to have changed. The desktop support director has asked the Information Security department to determine if any changes were made to the source image. Which of the following methods would BEST help with this process? (Select TWO).

A. Retrieve the source system image from backup and run file comparison analysis on the two images.
B. Parse all images to determine if extra data is hidden using steganography.
C. Calculate a new hash and compare it with the previously captured image hash.
D. Ask desktop support if any changes to the images were made.
E. Check key system files to see if the date/time stamp is in the past six months.

Correct Answer: AC
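As an added illustration (not part of the exam page or any vendor material), the two chosen techniques in working form: recompute the image hash and compare it with the baseline captured when the image was approved (option C), and, when it differs, compare the current image tree against a copy restored from backup to list exactly which files changed (option A). The directory layout, file contents and "baseline" hash below are constructed for the demo; the script also shows why option E is weak, by resetting an untouched file's timestamp and confirming its hash is unchanged.

```python
"""Integrity check of a workstation image: baseline hash comparison plus a
file-level diff against the backup copy. Standard library only; all image
contents here are constructed in a temporary directory for illustration."""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream a file through SHA-256 so multi-gigabyte images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_matches_baseline(path, baseline_hex):
    """Option C: recompute the hash and compare it with the hash recorded at approval
    time. Content changes flip the result; a changed timestamp alone does not, because
    the hash covers content, not file-system metadata."""
    return hmac.compare_digest(sha256_file(path), baseline_hex.lower())


def hash_tree(root):
    """Map every regular file below root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def changed_files(current_dir, backup_dir):
    """Option A: compare the unpacked current image with the copy restored from backup.
    Returns a sorted list of (change, relative_path) for modified, added and removed files."""
    current, backup = hash_tree(current_dir), hash_tree(backup_dir)
    report = []
    for rel in sorted(set(current) | set(backup)):
        if rel not in backup:
            report.append(("added", rel))
        elif rel not in current:
            report.append(("removed", rel))
        elif current[rel] != backup[rel]:
            report.append(("modified", rel))
    return report


def demo():
    """Constructed scenario (not real data): a backup copy of the image tree and a current
    copy in which one system file was altered and one unknown file appeared. An untouched
    file also gets its mtime reset to show that timestamps alone prove nothing."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, current = Path(tmp, "backup"), Path(tmp, "current")
        for base in (backup, current):
            (base / "Windows" / "System32").mkdir(parents=True)
            (base / "Windows" / "System32" / "ntoskrnl.exe").write_bytes(b"kernel build 1")
            (base / "unattend.xml").write_bytes(b"<unattend/>")
        # Hash recorded when the image was approved (here: taken from the pristine backup).
        kernel_baseline = sha256_file(backup / "Windows" / "System32" / "ntoskrnl.exe")
        unattend_baseline = sha256_file(backup / "unattend.xml")

        # Tamper with the current copy only.
        (current / "Windows" / "System32" / "ntoskrnl.exe").write_bytes(b"kernel build 1 patched")
        (current / "Windows" / "System32" / "drivers.sys").write_bytes(b"unknown driver")
        os.utime(current / "unattend.xml", (0, 0))  # timestamp changed, content not

        return {
            "kernel_matches_baseline": image_matches_baseline(
                current / "Windows" / "System32" / "ntoskrnl.exe", kernel_baseline),
            "unattend_matches_baseline": image_matches_baseline(
                current / "unattend.xml", unattend_baseline),
            "changes": changed_files(current, backup),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline hash is only as trustworthy as its storage: keep it somewhere the people who can alter the image cannot also alter the hash (a signed manifest or a separate system), otherwise an attacker who modifies the image simply updates the recorded hash as well.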


QUESTION 33

A security administrator wants to calculate the ROI of a security design which includes the purchase of new equipment. The equipment costs $50,000 and it will take 50 hours to install and configure the equipment. The administrator plans to hire a contractor at a rate of $100/hour to do the installation. Given that the new design and equipment will allow the company to increase revenue and make an additional $100,000 in the first year, which of the following is the ROI expressed as a percentage for the first year?

A. -45 percent
B. 5.5 percent
C. 45 percent
D. 82 percent

Correct Answer: D

Total cost is $50,000 + (50 hours x $100/hour) = $55,000; ROI = ($100,000 - $55,000) / $55,000 = 0.818, i.e. about 82 percent.

 

 

QUESTION 34

The Chief Information Officer (CIO) is reviewing the IT-centric BIA and RA documentation. The documentation shows that a single 24-hour downtime of a critical business function will cost the business $2.3 million. Additionally, the business unit which depends on the critical business function has determined that there is a high probability that a threat will materialize based on historical data. The CIO’s budget does not allow for full system hardware replacement in case of a catastrophic failure, nor does it allow for the purchase of additional compensating controls. Which of the following should the CIO recommend to the finance director to minimize financial loss?

A. The company should mitigate the risk.
B. The company should transfer the risk.
C. The company should avoid the risk.
D. The company should accept the risk.

Correct Answer: B

 

 

QUESTION 35

A new internal network segmentation solution will be implemented into the enterprise that consists of 200 internal firewalls. As part of running a pilot exercise, it was determined that it takes three changes to deploy a new application onto the network before it is operational. Security now has a significant effect on overall availability. Which of the following would be the FIRST process to perform as a result of these findings?

A. Lower the SLA to a more tolerable level and perform a risk assessment to see if the solution could be met by another solution. Reuse the firewall infrastructure on other projects.
B. Perform a cost benefit analysis and implement the solution as it stands as long as the risks are understood by the business owners around the availability issues. Decrease the current SLA expectations to match the new solution.
C. Engage internal auditors to perform a review of the project to determine why and how the project did not meet the security requirements. As part of the review ask them to review the control effectiveness.
D. Review to determine if control effectiveness is in line with the complexity of the solution. Determine if the requirements can be met with a simpler solution.

Correct Answer: D

 

QUESTION 36

The Chief Executive Officer (CEO) of a company that allows telecommuting has challenged the Chief Security Officer’s (CSO) request to harden the corporate network’s perimeter. The CEO argues that the company cannot protect its employees at home, so the risk at work is no different. Which of the following BEST explains why this company should proceed with protecting its corporate network boundary?

A. The corporate network is the only network that is audited by regulators and customers.
B. The aggregation of employees on a corporate network makes it a more valuable target for attackers.
C. Home networks are unknown to attackers and less likely to be targeted directly.
D. Employees are more likely to be using personal computers for general web browsing when they are at home.

Correct Answer: B

 

 

QUESTION 37

A Chief Financial Officer (CFO) has raised concerns with the Chief Information Security Officer (CISO) because money has been spent on IT security infrastructure, but corporate assets are still found to be vulnerable. The business recently funded a patch management product and SOE hardening initiative. A third party auditor reported findings against the business because some systems were missing patches. Which of the following statements BEST describes this situation?

A. The CFO is at fault because they are responsible for patching the systems and have already been given patch management and SOE hardening products.
B. The audit findings are invalid because remedial steps have already been applied to patch servers and the remediation takes time to complete.
C. The CISO has not selected the correct controls and the audit findings should be assigned to them instead of the CFO.
D. Security controls are generally never 100% effective and gaps should be explained to stakeholders and managed accordingly.

Correct Answer: D

 

 

QUESTION 38

A completely new class of web-based vulnerabilities has been discovered. Claims have been made that all common web-based development frameworks are susceptible to attack. Proof-of-concept details have emerged on the Internet. A security advisor within a company has been asked to provide recommendations on how to respond quickly to these vulnerabilities. Which of the following BEST describes how the security advisor should respond?

A. Assess the reliability of the information source, likelihood of exploitability, and impact to hosted data. Attempt to exploit via the proof-of-concept code. Consider remediation options.
B. Hire an independent security consulting agency to perform a penetration test of the web servers. Advise management of any 'high' or 'critical' penetration test findings and put forward recommendations for mitigation.
C. Review vulnerability write-ups posted on the Internet. Respond to management with a recommendation to wait until the news has been independently verified by software vendors providing the web application software.
D. Notify all customers about the threat to their hosted data. Bring the web servers down into "maintenance mode" until the vulnerability can be reliably mitigated through a vendor patch.

Correct Answer: A

 

 

QUESTION 39

A mature organization with legacy information systems has incorporated numerous new processes and dependencies to manage security as its networks and infrastructure are modernized. The Chief Information Officer has become increasingly frustrated with frequent releases, stating that the organization needs everything to work completely, and that the vendor should already have those desires built into the software product. The vendor has been in constant communication with personnel and groups within the organization to understand its business process and capture new software requirements from users. Which of the following methods of software development is this organization’s configuration management process using?

A. Agile
B. SDL
C. Waterfall
D. Joint application development

Correct Answer: A

 

 

QUESTION 40

The Chief Executive Officer (CEO) of an Internet service provider (ISP) has decided to limit the company’s contribution to worldwide Distributed Denial of Service (DDoS) attacks. Which of the following should the ISP implement? (Select TWO).

A. Block traffic from the ISP’s networks destined for blacklisted IPs.
B. Prevent the ISP’s customers from querying DNS servers other than those hosted by the ISP.
C. Scan the ISP’s customer networks using an up-to-date vulnerability scanner.
D. Notify customers when services they run are involved in an attack.
E. Block traffic with an IP source not allocated to customers from exiting the ISP’s network.

Correct Answer: DE
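As an added illustration (not part of the exam page), option E in working form: a source-address validation check of the kind an ISP applies at its egress, the idea behind BCP 38 anti-spoofing filtering. A packet leaving the ISP is forwarded only if its source address lies inside a prefix the ISP has allocated to a customer; anything else (forged, private or simply unallocated) is dropped. Forwarded packets are tagged with the owning prefix so that, when a destination reports abuse, the ISP can tell which customer to notify (option D). The customer prefixes and the sample traffic below are constructed from documentation address ranges for the demo.

```python
"""Egress source-address validation (BCP 38 style) for an ISP border.
Standard library only; prefixes and traffic are constructed for illustration."""
import ipaddress

# Constructed customer allocations using documentation ranges (RFC 5737, RFC 3849).
CUSTOMER_PREFIXES = [
    "192.0.2.0/24",
    "198.51.100.0/25",
    "2001:db8:1000::/36",
]

# Constructed traffic observed leaving the ISP's network: (source, destination).
SAMPLE_EGRESS = [
    ("192.0.2.10", "203.0.113.7"),             # legitimate customer source
    ("198.51.100.200", "203.0.113.7"),         # outside the /25 actually allocated
    ("10.0.0.5", "203.0.113.7"),               # RFC 1918 source leaking out
    ("203.0.113.7", "192.0.2.53"),             # source forged as the victim (reflection style)
    ("2001:db8:1000::1", "2001:db8:ffff::1"),  # legitimate IPv6 customer source
    ("2001:db8:2000::1", "2001:db8:ffff::1"),  # IPv6 source not allocated
]


def build_allowed(prefixes):
    """Parse and collapse the allocations so lookups run against a canonical list."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return v4 + v6


def customer_for(src, allowed):
    """Return the allocated prefix containing src, or None if no customer owns it."""
    addr = ipaddress.ip_address(src)
    for net in allowed:
        if net.version == addr.version and addr in net:
            return net
    return None


def filter_egress(packets, allowed):
    """Apply the egress rule: forward only if the source is allocated to a customer.
    Returns (forwarded, dropped). Forwarded entries carry the owning prefix so an
    abuse report can be traced to a customer; dropped entries record the forged source."""
    forwarded, dropped = [], []
    for src, dst in packets:
        owner = customer_for(src, allowed)
        if owner is None:
            dropped.append((src, dst))
        else:
            forwarded.append((src, dst, str(owner)))
    return forwarded, dropped


def run_demo():
    """Run the filter over the constructed traffic."""
    return filter_egress(SAMPLE_EGRESS, build_allowed(CUSTOMER_PREFIXES))


if __name__ == "__main__":
    fwd, drop = run_demo()
    for src, dst, owner in fwd:
        print(f"FORWARD {src} -> {dst}  (customer {owner})")
    for src, dst in drop:
        print(f"DROP    {src} -> {dst}  (source not allocated to any customer)")
```

The allowed list must include every prefix a customer legitimately originates, not only the ones this ISP assigned: a multihomed customer announcing its own address space through a second provider will have that traffic dropped here unless the space is added, which is why strict filtering is usually applied at single-homed customer edges and looser (feasible-path) checks elsewhere.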

 
