Last Updated on July 6, 2021 by InfraExam

CAS-003 : CompTIA Advanced Security Practitioner (CASP+) CAS-003 : Part 22

  1. A company contracts a security consultant to perform a remote white-box penetration test. The company wants the consultant to focus on Internet-facing services without negatively impacting production services. Which of the following is the consultant MOST likely to use to identify the company’s attack surface? (Choose two.)

    • Web crawler
    • WHOIS registry
    • DNS records
    • Company’s firewall ACL
    • Internal routing tables
    • Directory service queries
  2. A company has completed the implementation of technical and management controls as required by its adopted security policies and standards. The implementation took two years and consumed the entire budget approved for security projects. The board has denied any further requests for additional budget. Which of the following should the company do to address the residual risk?

    • Transfer the risk
    • Baseline the risk
    • Accept the risk
    • Remove the risk
  3. A company is the victim of a phishing and spear-phishing campaign. Users are clicking on website links that look like common bank sites and entering their credentials accidentally. A security engineer decides to use a layered defense to prevent the phishing or lessen its impact. Which of the following should the security engineer implement? (Choose two.)

    • Spam filter
    • Host intrusion prevention
    • Client certificates
    • Log monitoring
    • Content filter
    • Data loss prevention
  4. A creative services firm has a limited security budget and staff. Due to its business model, the company sends and receives a high volume of files every day through the preferred method defined by its customers. These include email, secure file transfers, and various cloud service providers. Which of the following would BEST reduce the risk of malware infection while meeting the company’s resource requirements and maintaining its current workflow?

    • Configure a network-based intrusion prevention system
    • Contract a cloud-based sandbox security service
    • Enable customers to send and receive files via SFTP
    • Implement appropriate DLP systems with strict policies
  5. A government entity is developing requirements for an RFP to acquire a biometric authentication system. When developing these requirements, which of the following considerations is MOST critical to the verification and validation of the SRTM?

    • Local and national laws and regulations
    • Secure software development requirements
    • Environmental constraint requirements
    • Testability of requirements
  6. An electric car company hires an IT consulting company to improve the cybersecurity of its vehicles. Which of the following should achieve the BEST long-term result for the company?

    • Designing and developing add-on security components for fielded vehicles
    • Reviewing proposed designs and prototypes for cybersecurity vulnerabilities
    • Performing a cyber risk assessment on production vehicles
    • Reviewing and influencing requirements for an early development vehicle
  7. A security manager is determining the best DLP solution for an enterprise. A list of requirements was created to use during the source selection. The security manager wants to confirm a solution exists for the requirements that have been defined. Which of the following should the security manager use?

    • NDA
    • RFP
    • RFQ
    • MSA
    • RFI