Free of CAS-002 sample question materials and prep for CompTIA certification for client, Real Success Guaranteed with Updated CAS-002 pdf dumps vce Materials. 100% PASS CompTIA Advanced Security Practitioner (CASP) exam Today!
♥♥ 2021 NEW RECOMMEND ♥♥
Free VCE & PDF File for CompTIA CAS-002 Real Exam (Full Version!)
★ Pass on Your First TRY ★ 100% Money Back Guarantee ★ Realistic Practice Exam Questions
Free Instant Download NEW CAS-002 Exam Dumps (PDF & VCE):
Available on:
http://www.surepassexam.com/CAS-002-exam-dumps.html
Q151. - (Topic 5)
A security manager has received the following email from the Chief Financial Officer (CFO):
“While I am concerned about the security of the proprietary financial data in our ERP application, we have had a lot of turnover in the accounting group and I am having a difficult time meeting our monthly performance targets. As things currently stand, we do not allow employees to work from home but this is something I am willing to allow so we can get back on track. What should we do first to securely enable this capability for my group?”
Based on the information provided, which of the following would be the MOST appropriate response to the CFO?
A. Remote access to the ERP tool introduces additional security vulnerabilities and should not be allowed.
B. Allow VNC access to corporate desktops from personal computers for the users working from home.
C. Allow terminal services access from personal computers after the CFO provides a list of the users working from home.
D. Work with the executive management team to revise policies before allowing any remote access.
Answer: D
Q152. - (Topic 3)
The Chief Information Security Officer (CISO) of a small bank wants to embed a monthly testing regiment into the security management plan specifically for the development area. The CISO’s requirements are that testing must have a low risk of impacting system stability, can be scripted, and is very thorough. The development team claims that this will lead to a higher degree of test script maintenance and that it would be preferable if the testing was outsourced to a third party. The CISO still maintains that third-party testing would not be as thorough as the third party lacks the introspection of the development team. Which of the following will satisfy the CISO requirements?
A. Grey box testing performed by a major external consulting firm who have signed a NDA.
B. Black box testing performed by a major external consulting firm who have signed a NDA.
C. White box testing performed by the development and security assurance teams.
D. Grey box testing performed by the development and security assurance teams.
Answer: C
Q153. - (Topic 3)
About twice a year a switch fails in a company's network center. Under the maintenance contract, the switch would be replaced in two hours losing the business $1,000 per hour. The cost of a spare switch is $3,000 with a 12-hour delivery time and would eliminate downtime costs if purchased ahead of time. The maintenance contract is $1,500 per year.
Which of the following is true in this scenario?
A. It is more cost-effective to eliminate the maintenance contract and purchase a replacement upon failure.
B. It is more cost-effective to purchase a spare switch prior to an outage and eliminate the maintenance contract.
C. It is more cost-effective to keep the maintenance contract instead of purchasing a spare switch prior to an outage.
D. It is more cost-effective to purchase a spare switch prior to an outage and keep the maintenance contract.
Answer: D
Q154. - (Topic 4)
Company XYZ recently acquired a manufacturing plant from Company ABC which uses a different manufacturing ICS platform. Company XYZ has strict ICS security regulations while Company ABC does not. Which of the following approaches would the network security administrator for Company XYZ MOST likely proceed with to integrate the new manufacturing plant?
A. Conduct a network vulnerability assessment of acquired plant ICS platform and correct all identified flaws during integration.
B. Convert the acquired plant ICS platform to the Company XYZ standard ICS platform solely to eliminate potential regulatory conflicts.
C. Conduct a risk assessment of the acquired plant ICS platform and implement any necessary or required controls during integration.
D. Require Company ABC to bring their ICS platform into regulatory compliance prior to integrating the new plant into Company XYZ’s network.
Answer: C
Q155. - (Topic 4)
A Security Administrator has some concerns about the confidentiality of data when using SOAP. Which of the following BEST describes the Security Administrator’s concerns?
A. The SOAP header is not encrypted and allows intermediaries to view the header data. The body can be partially or completely encrypted.
B. The SOAP protocol supports weak hashing of header information. As a result the header and body can easily be deciphered by brute force tools.
C. The SOAP protocol can be easily tampered with, even though the header is encrypted.
D. The SOAP protocol does not support body or header encryption which allows assertions to be viewed in clear text by intermediaries.
Answer: A
Q156. - (Topic 2)
An organization has implemented an Agile development process for front end web application development. A new security architect has just joined the company and wants to integrate security activities into the SDLC.
Which of the following activities MUST be mandated to ensure code quality from a security perspective? (Select TWO).
A. Static and dynamic analysis is run as part of integration
B. Security standards and training is performed as part of the project
C. Daily stand-up meetings are held to ensure security requirements are understood
D. For each major iteration penetration testing is performed
E. Security requirements are story boarded and make it into the build
F. A security design is performed at the end of the requirements phase
Answer: A,D
Q157. - (Topic 2)
It has come to the IT administrator’s attention that the “post your comment” field on the company blog page has been exploited, resulting in cross-site scripting attacks against customers reading the blog. Which of the following would be the MOST effective at preventing the “post your comment” field from being exploited?
A. Update the blog page to HTTPS
B. Filter metacharacters
C. Install HIDS on the server
D. Patch the web application
E. Perform client side input validation
Answer: B
Q158. - (Topic 3)
A hosting company provides inexpensive guest virtual machines to low-margin customers. Customers manage their own guest virtual machines. Some customers want basic guarantees of logical separation from other customers and it has been indicated that some customers would like to have configuration control of this separation; whereas others want this provided as a value-added service by the hosting company. Which of the following BEST meets these requirements?
A. The hosting company should install a hypervisor-based firewall and allow customers to manage this on an as-needed basis.
B. The hosting company should manage the hypervisor-based firewall; while allowing customers to configure their own host-based firewall.
C. Customers should purchase physical firewalls to protect their guest hosts and have the hosting company manage these if requested.
D. The hosting company should install a host-based firewall on customer guest hosts and offer to administer host firewalls for customers if requested.
Answer: B
Q159. - (Topic 3)
A large financial company has a team of security-focused architects and designers that contribute into broader IT architecture and design solutions. Concerns have been raised due to the security contributions having varying levels of quality and consistency. It has been agreed that a more formalized methodology is needed that can take business drivers, capabilities, baselines, and re-usable patterns into account. Which of the following would BEST help to achieve these objectives?
A. Construct a library of re-usable security patterns
B. Construct a security control library
C. Introduce an ESA framework
D. Include SRTM in the SDLC
Answer: C
Q160. - (Topic 5)
Two separate companies are in the process of integrating their authentication infrastructure into a unified single sign-on system. Currently, both companies use an AD backend and two factor authentication using TOTP. The system administrators have configured a trust relationship between the authentication backend to ensure proper process flow. How should the employees request access to shared resources before the authentication integration is complete?
A. They should logon to the system using the username concatenated with the 6-digit code and their original password.
B. They should logon to the system using the newly assigned global username: first.lastname#### where #### is the second factor code.
C. They should use the username format: LANfirst.lastname together with their original password and the next 6-digit code displayed when the token button is depressed.
D. They should use the username format: first.lastname@company.com, together with a password and their 6-digit code.
Answer: D
