CAS-003 Guide

Free CAS-003 Testing Material 2021

Certleader offers free demo for CAS-003 exam. "CompTIA Advanced Security Practitioner (CASP)", also known as CAS-003 exam, is a CompTIA Certification. This set of posts, Passing the CompTIA CAS-003 exam, will help you answer those questions. The CAS-003 Questions & Answers covers all the knowledge points of the real exam. 100% real CompTIA CAS-003 exams and revised by experts!

An agency has implemented a data retention policy that requires tagging data according to type before storing it in the data repository. The policy requires all business emails be automatically deleted after two years. During an open records investigation, information was found on an employee’s work computer concerning a conversation that occurred three years prior and proved damaging to the agency’s reputation. Which of the following MOST likely caused the data leak?

  • A. The employee manually changed the email client retention settings to prevent deletion of emails
  • B. The file that contained the damaging information was mistagged and retained on the server for longer than it should have been
  • C. The email was encrypted and an exception was put in place via the data classification application
  • D. The employee saved a file on the computer’s hard drive that contained archives of emails, which were more than two years old

Answer: D

There have been some failures of the company’s internal-facing website. A security engineer has found the WAF to be the root cause of the failures. System logs show that the WAF has been unavailable for 14 hours over the past month, in four separate situations. One of these situations was a two-hour scheduled maintenance window, aimed at improving the stability of the WAF. Using the MTTR based on the last month’s performance figures, which of the following calculations is the percentage of uptime, assuming there were 722 hours in the month?

  • A. 92.24 percent
  • B. 98.06 percent
  • C. 98.34 percent
  • D. 99.72 percent

Answer: B

A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked.
14 h of downtime in a period of 722 hours of expected uptime: 14/722 x 100 = 1.939%. Thus the percentage of uptime = 100% - 1.939% = 98.06%.
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, pp. 43, 116

A technician receives the following security alert from the firewall’s automated system:
[Exhibit: firewall alert image not reproduced in this text]
After reviewing the alert, which of the following is the BEST analysis?

  • A. This alert is false positive because DNS is a normal network function.
  • B. This alert indicates a user was attempting to bypass security measures using dynamic DNS.
  • C. This alert was generated by the SIEM because the user attempted too many invalid login attempts.
  • D. This alert indicates an endpoint may be infected and is potentially contacting a suspect host.

Answer: B

A security administrator is performing VDI traffic data collection on a virtual server which migrates from one host to another. While reviewing the data collected by the protocol analyzer, the security administrator notices that sensitive data is present in the packet capture. Which of the following should the security administrator recommend to ensure the confidentiality of sensitive information during live VM migration, while minimizing latency issues?

  • A. A separate physical interface placed on a private VLAN should be configured for live host operations.
  • B. Database record encryption should be used when storing sensitive information on virtual servers.
  • C. Full disk encryption should be enabled across the enterprise to ensure the confidentiality of sensitive data.
  • D. Sensitive data should be stored on a backend SAN which uses an isolated Fibre Channel network.

Answer: A

VDI virtual machines can be migrated across physical hosts while the virtual machines are still powered on. In VMware, this is called vMotion. In Microsoft Hyper-V, this is called Live Migration. When a virtual machine is migrated between hosts, the data is unencrypted as it travels across the network. To prevent access to the data as it travels across the network, a dedicated network should be created for virtual machine migrations. The dedicated migration network should only be accessible by the virtual machine hosts to maximize security.
Incorrect Answers:
B: Database record encryption is used for encrypting database records only. This question does not state that the only sensitive data is database records. The data is at risk as it travels across the network when virtual machines are migrated between hosts. Data is unencrypted when it is transmitted over the network.
C: Full disk encryption is a good idea to secure data stored on disk. However, the data is unencrypted when it is transmitted over the network.
D: The sensitive data is on the VDI virtual machines. Storing the sensitive information on an isolated fiber channel network would make the information inaccessible from the virtual machines.

After a security incident, an administrator would like to implement policies that would help reduce fraud and the potential for collusion between employees. Which of the following would help meet these goals by having co-workers occasionally audit another worker's position?

  • A. Least privilege
  • B. Job rotation
  • C. Mandatory vacation
  • D. Separation of duties

Answer: B

Job rotation can reduce fraud or misuse by preventing an individual from having too much control over an area.
Incorrect Answers:
A: The principle of least privilege prevents employees from accessing levels not required to perform their everyday function.
C: Mandatory vacation is used to discover misuse and allow the organization time to audit a suspected employee while they are away from work.
D: Separation of duties requires more than one person to complete a task.
References:
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, p. 245

A security administrator wants to prevent sensitive data residing on corporate laptops and desktops from leaking outside of the corporate network. The company has already implemented full-disk encryption and has disabled all peripheral devices on its desktops and laptops. Which of the following additional controls MUST be implemented to minimize the risk of data leakage? (Select TWO).

  • A. A full-system backup should be implemented to a third-party provider with strong encryption for data in transit.
  • B. A DLP gateway should be installed at the company border.
  • C. Strong authentication should be implemented via external biometric devices.
  • D. Full-tunnel VPN should be required for all network communication.
  • E. Full-drive file hashing should be implemented with hashes stored on separate storage.
  • F. Split-tunnel VPN should be enforced when transferring sensitive data.

Answer: BD

Web mail, Instant Messaging and personal networking sites are some of the most common means by which corporate data is leaked.
Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.
DLP software products use business rules to classify and protect confidential and critical information so that unauthorized end users cannot accidentally or maliciously share data whose disclosure could put the organization at risk. For example, if an employee tried to forward a business email outside the corporate domain or upload a corporate file to a consumer cloud storage service like Dropbox, the employee would be denied permission.
Full-tunnel VPN should be required for all network communication. This will ensure that all data transmitted over the network is encrypted which would prevent a malicious user accessing the data by using packet sniffing.
Incorrect Answers:
A: This question is asking which of the following additional controls MUST be implemented to minimize the risk of data leakage. Implementing a full system backup does not minimize the risk of data leakage.
C: Strong authentication implemented via external biometric devices will ensure that only authorized people can access the network. However, it does not minimize the risk of data leakage.
E: Full-drive file hashing is not required because we already have full drive encryption.
F: Split-tunnel VPN is used when a user is remotely accessing the network. Communications with company servers go over the VPN, whereas private communications such as web browsing do not use the VPN. A more secure solution is a full-tunnel VPN.

A government organization operates and maintains several ICS environments. The categorization of one of the ICS environments led to a moderate baseline. The organization has compiled a set of applicable security controls based on this categorization.
Given that this is a unique environment, which of the following should the organization do NEXT to determine if other security controls should be considered?

  • A. Check for any relevant or required overlays.
  • B. Review enhancements within the current control set.
  • C. Modify to a high-baseline set of controls.
  • D. Perform continuous monitoring.

Answer: C

A database administrator is required to adhere to and implement privacy principles when executing daily tasks. A manager directs the administrator to reduce the number of unique instances of PII stored within an organization’s systems to the greatest extent possible. Which of the following principles is being demonstrated?

  • A. Administrator accountability
  • B. PII security
  • C. Record transparency
  • D. Data minimization

Answer: D

A security consultant is improving the physical security of a sensitive site and takes pictures of the unbranded building to include in the report. Two weeks later, the security consultant misplaces the phone, which only has one hour of charge left on it. The person who finds the phone removes the MicroSD card in an attempt to discover the owner to return it.
The person extracts the following data from the phone and EXIF data from some files:
DCIM Images folder
Audio books folder
Torrentz
My TAX.xls
Consultancy HR Manual.doc
Camera: SM-G950F
Exposure time: 1/60s
Location: 3500 Lacey Road USA
Which of the following BEST describes the security problem?

  • A. MicroSD is not encrypted and also contains personal data.
  • B. MicroSD contains a mixture of personal and work data.
  • C. MicroSD is not encrypted and contains geotagging information.
  • D. MicroSD contains pirated software and is not encrypted.

Answer: A

An investigator wants to collect the most volatile data first in an incident to preserve the data that runs the highest risk of being lost. After memory, which of the following BEST represents the remaining order of volatility that the investigator should follow?

  • A. File system information, swap files, network processes, system processes and raw disk blocks.
  • B. Raw disk blocks, network processes, system processes, swap files and file system information.
  • C. System processes, network processes, file system information, swap files and raw disk blocks.
  • D. Raw disk blocks, swap files, network processes, system processes, and file system information.

Answer: C

The order in which you should collect evidence is referred to as the order of volatility. Generally, evidence should be collected from the most volatile to the least volatile. The order of volatility, from most volatile to least volatile, is as follows:
Data in RAM, including CPU cache and recently used data and applications
Data in RAM, including system and network processes
Swap files (also known as paging files) stored on local disk drives
Data stored on local disk drives
Logs stored on remote systems
Archive media
Incorrect Answers:
A: System and network processes are more volatile than file system information and swap files.
B: System and network processes are more volatile than raw disk blocks.
D: System and network processes are more volatile than raw disk blocks and swap files.

An IT manager is concerned about the cost of implementing a web filtering solution in an effort to mitigate the risks associated with malware and resulting data leakage. Given that the ARO is twice per year, the ALE resulting from a data leak is $25,000 and the ALE after implementing the web filter is $15,000. The web filtering solution will cost the organization $10,000 per year. Which of the following values is the single loss expectancy of a data leakage event after implementing the web filtering solution?

  • A. $0
  • B. $7,500
  • C. $10,000
  • D. $12,500
  • E. $15,000

Answer: B

The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE). It is mathematically expressed as: ALE = ARO x SLE
Single loss expectancy (SLE) is mathematically expressed as asset value (AV) x exposure factor (EF): SLE = AV x EF
Thus the single loss expectancy (SLE) = ALE / ARO = $15,000 / 2 = $7,500

A cybersecurity analyst is conducting packet analysis on the following:
[Exhibit: packet capture image not reproduced in this text]
Which of the following is occurring in the given packet capture?

  • A. ARP spoofing
  • B. Broadcast storm
  • C. Smurf attack
  • D. Network enumeration
  • E. Zero-day exploit

Answer: A

A security researcher is gathering information about a recent spike in the number of targeted attacks against multinational banks. The spike is on top of already sustained attacks against the banks. Some of the previous attacks have resulted in the loss of sensitive data, but as of yet the attackers have not successfully stolen any funds.
Based on the information available to the researcher, which of the following is the MOST likely threat profile?

  • A. Nation-state-sponsored attackers conducting espionage for strategic gain.
  • B. Insiders seeking to gain access to funds for illicit purposes.
  • C. Opportunists seeking notoriety and fame for personal gain.
  • D. Hacktivists seeking to make a political statement because of socio-economic factors.

Answer: D

A risk manager has decided to use likelihood and consequence to determine the risk of an event occurring to a company asset. Which of the following is a limitation of this approach to risk management?

  • A. Subjective and based on an individual's experience.
  • B. Requires a high degree of upfront work to gather environment details.
  • C. Difficult to differentiate between high, medium, and low risks.
  • D. Allows for cost and benefit analysis.
  • E. Calculations can be extremely complex to manage.

Answer: A

Using likelihood and consequence to determine risk is known as qualitative risk analysis.
With qualitative risk analysis, the risk would be evaluated for its probability and impact using a ranking system such as low, medium, and high, or perhaps using a 1 to 10 scoring system. After qualitative analysis has been performed, you can then perform quantitative risk analysis.
Quantitative risk analysis is a further analysis of the highest priority risks during which a numerical or quantitative rating is assigned to the risk.
Qualitative risk analysis is usually quick to perform and no special tools or software is required. However, qualitative risk analysis is subjective and based on the user’s experience.
Incorrect Answers:
B: Qualitative risk analysis does not require a high degree of upfront work to gather environment details. This answer applies more to quantitative risk analysis.
C: Although qualitative risk analysis does not use numeric values to quantify likelihood or consequence compared to quantitative analysis, we can all differentiate between the terms high, medium, and low when talking about risk.
D: Qualitative risk analysis does not allow for cost and benefit analysis, quantitative risk analysis does.
E: Calculations for qualitative risk analysis are not extremely complex to manage; they can be for quantitative risk analysis.

Company ABC is hiring customer service representatives from Company XYZ. The representatives reside at Company XYZ’s headquarters. Which of the following BEST prevents Company XYZ representatives from gaining access to unauthorized Company ABC systems?

  • A. Require each Company XYZ employee to use an IPSec connection to the required systems
  • B. Require Company XYZ employees to establish an encrypted VDI session to the required systems
  • C. Require Company ABC employees to use two-factor authentication on the required systems
  • D. Require a site-to-site VPN for intercompany communications

Answer: B

VDI stands for Virtual Desktop Infrastructure. Virtual desktop infrastructure is the practice of hosting a desktop operating system within a virtual machine (VM) running on a centralized server.
Company ABC can configure virtual desktops with the required restrictions and required access to the systems that the users in Company XYZ require. The users in Company XYZ can then log in to the virtual desktops over a secure encrypted connection and then access authorized systems only.
Incorrect Answers:
A: Requiring IPSec connections to the required systems would secure the connections to the required systems. However, it does not prevent access to unauthorized systems.
C: The question states that the representatives reside at Company XYZ’s headquarters. Therefore, they will be accessing Company ABC’s systems remotely. Two-factor authentication requires that the user be present at the location of the system to present a smart card or for biometric authentication; two-factor authentication cannot be performed remotely.
D: A site-to-site VPN will just create a secure connection between the two sites. It does not restrict access to unauthorized systems.

A breach was caused by an insider threat in which customer PII was compromised. Following the breach, a lead security analyst is asked to determine which vulnerabilities the attacker used to access company resources. Which of the following should the analyst use to remediate the vulnerabilities?

  • A. Protocol analyzer
  • B. Root cause analyzer
  • C. Behavioral analytics
  • D. Data leak prevention

Answer: D

A security administrator wants to calculate the ROI of a security design which includes the purchase of new equipment. The equipment costs $50,000 and it will take 50 hours to install and configure the equipment. The administrator plans to hire a contractor at a rate of $100/hour to do the installation. Given that the new design and equipment will allow the company to increase revenue and make an additional $100,000 on the first year, which of the following is the ROI expressed as a percentage for the first year?

  • A. -45 percent
  • B. 5.5 percent
  • C. 45 percent
  • D. 82 percent

Answer: D

Return on investment = Net profit / Investment, where Net profit = gross profit - expenses and Investment = stock + market outstanding + claims.
Alternatively: Return on investment = (gain from investment - cost of investment) / cost of investment.
Thus (100,000 - 55,000) / 50,000 = 0.82 = 82%
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, p. 337

A deployment manager is working with a software development group to assess the security of a new version of the organization’s internally developed ERP tool. The organization prefers to not perform assessment activities following deployment, instead focusing on assessing security throughout the life cycle. Which of the following methods would BEST assess the security of the product?

  • A. Static code analysis in the IDE environment
  • B. Penetration testing of the UAT environment
  • C. Vulnerability scanning of the production environment
  • D. Penetration testing of the production environment
  • E. Peer review prior to unit testing

Answer: C

The Chief Executive Officer (CEO) instructed the new Chief Information Security Officer (CISO) to provide a list of enhancements to the company’s cybersecurity operation. As a result, the CISO has identified the need to align security operations with industry best practices. Which of the following industry references is appropriate to accomplish this?

  • A. OSSM
  • B. NIST
  • C. PCI
  • D. OWASP

Answer: B

An organization has established the following controls matrix:
[Exhibit: controls matrix image not reproduced in this text]
The following control sets have been defined by the organization and are applied in aggregate fashion:
Systems containing PII are protected with the minimum control set.
Systems containing medical data are protected at the moderate level.
Systems containing cardholder data are protected at the high level.
The organization is preparing to deploy a system that protects the confidentiality of a database containing PII and medical data from clients. Based on the controls classification, which of the following controls would BEST meet these requirements?

  • A. Proximity card access to the server room, context-based authentication, UPS, and full-disk encryption for the database server.
  • B. Cipher lock on the server room door, FDE, surge protector, and static analysis of all application code.
  • C. Peer review of all application changes, static analysis of application code, UPS, and penetration testing of the complete system.
  • D. Intrusion detection capabilities, network-based IPS, generator, and context-based authentication.

Answer: D

A company monitors the performance of all web servers using WMI. A network administrator informs the security engineer that web servers hosting the company’s client-facing portal are running slowly today. After some investigation, the security engineer notices a large number of attempts at enumerating host information via SNMP from multiple IP addresses. Which of the following would be the BEST technique for the security engineer to employ in an attempt to prevent reconnaissance activity?

  • A. Install a HIPS on the web servers
  • B. Disable inbound traffic from offending sources
  • C. Disable SNMP on the web servers
  • D. Install anti-DDoS protection in the DMZ

Answer: A

A penetration tester has been contracted to conduct a physical assessment of a site. Which of the following is the MOST plausible method of social engineering to be conducted during this engagement?

  • A. Randomly calling customer employees and posing as a help desk technician requiring user password to resolve issues
  • B. Posing as a copier service technician and indicating the equipment had “phoned home” to alert the technician for a service call
  • C. Simulating an illness while at a client location for a sales call and then recovering once listening devices are installed
  • D. Obtaining fake government credentials and impersonating law enforcement to gain access to a company facility

Answer: A

A security architect is designing a new infrastructure using both type 1 and type 2 virtual machines. In addition to the normal complement of security controls (e.g. antivirus, host hardening, HIPS/NIDS) the security architect needs to implement a mechanism to securely store cryptographic keys used to sign code and code modules on the VMs. Which of the following will meet this goal without requiring any hardware pass-through implementations?

  • A. vTPM
  • B. HSM
  • C. TPM
  • D. INE

Answer: A

A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer, and it communicates with the remainder of the system by using a hardware bus.
A vTPM is a virtual Trusted Platform Module.
IBM extended the current TPM V1.2 command set with virtual TPM management commands that allow us to create and delete instances of TPMs. Each created instance of a TPM holds an association with a virtual machine (VM) throughout its lifetime on the platform.
Incorrect Answers:
B: A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. This solution would require hardware pass-through.
C: A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer, and it communicates with the remainder of the system by using a hardware bus. Virtual machines cannot access a hardware TPM.
D: INE (intelligent network element) is not used for storing cryptographic keys.

The administrator is troubleshooting availability issues on an FCoE-based storage array that uses deduplication. The single controller in the storage array has failed, so the administrator wants to move the drives to a storage array from a different manufacturer in order to access the data. Which of the following issues may potentially occur?

  • A. The data may not be in a usable format.
  • B. The new storage array is not FCoE based.
  • C. The data may need a file system check.
  • D. The new storage array also only has a single controller.

Answer: B

Fibre Channel over Ethernet (FCoE) is a computer network technology that encapsulates Fibre Channel frames over Ethernet networks. This allows Fibre Channel to use 10 Gigabit Ethernet networks (or higher speeds) while preserving the Fibre Channel protocol.
When moving the disks to another storage array, you need to ensure that the array supports FCoE, not just regular Fibre Channel. Fibre Channel arrays and Fibre Channel over Ethernet arrays use different network connections, hardware and protocols. Fibre Channel arrays use the Fibre Channel protocol over a dedicated Fibre Channel network, whereas FCoE arrays use the Fibre Channel protocol over an Ethernet network.
Incorrect Answers:
A: It is unlikely that the data will not be in a usable format. Fiber Channel LUNs appear as local disks on a Windows computer. The computer then creates an NTFS volume on the fiber channel LUN. The storage array does not see the NTFS file system or the data stored on it. FCoE arrays only see the underlying block level storage.
C: The data would not need a file system check. FCoE arrays use block level storage and do not check the file system. Any file system checks would be performed by a Windows computer. Even if this happened, the data would be accessible after the check.
D: The new storage array also having a single controller would not be a problem. Only one controller is required.

A penetration tester is conducting an assessment on and runs the following command from a coffee shop while connected to the public Internet:
[Exhibit: command output image not reproduced in this text]
Which of the following should the penetration tester conclude about the command output?

  • A. The public/private views on the DNS servers are misconfigured
  • B. is running an older mail server, which may be vulnerable to exploits
  • C. The DNS SPF records have not been updated for
  • D. is a backup mail server that may be more vulnerable to attack

Answer: B

A critical system audit shows that the payroll system is not meeting security policy due to missing OS security patches. Upon further review, it appears that the system is not being patched at all. The vendor states that the system is only supported on the current OS patch level. Which of the following compensating controls should be used to mitigate the vulnerability of missing OS patches on this system?

  • A. Isolate the system on a secure network to limit its contact with other systems
  • B. Implement an application layer firewall to protect the payroll system interface
  • C. Monitor the system’s security log for unauthorized access to the payroll application
  • D. Perform reconciliation of all payroll transactions on a daily basis

Answer: A

The payroll system is not meeting security policy due to missing OS security patches. We cannot apply the patches to the system because the vendor states that the system is only supported on the current OS patch level. Therefore, we need another way of securing the system.
We can improve the security of the system and the other systems on the network by isolating the payroll system on a secure network to limit its contact with other systems. This will reduce the likelihood of a malicious user accessing the payroll system and limit any damage to other systems if the payroll system is attacked.
Incorrect Answers:
B: An application layer firewall may provide some protection to the application. However, the operating system is vulnerable due to being unpatched. It is unlikely that an application layer firewall will protect against the operating system vulnerabilities.
C: Monitoring the system’s security log for unauthorized access to the payroll application will not actually provide any protection against unauthorized access. It would just enable you to see that unauthorized access has occurred.
D: Reconciling the payroll transactions on a daily basis would keep the accounts up to date but it would provide no protection for the system and so does not mitigate the vulnerability of missing OS patches as required in this question.

A pharmacy gives its clients online access to their records and the ability to review bills and make payments. A new SSL vulnerability on a specific platform was discovered, allowing an attacker to capture the data between the end user and the web server providing these services. After the new vulnerability was disclosed, it was determined that the web services provided are being impacted by this new threat. Which of the following data types are MOST likely at risk of exposure based on this new threat? (Select TWO)

  • A. Cardholder data
  • B. Intellectual property
  • C. Personal health information
  • D. Employee records
  • E. Corporate financial data

Answer: AC
