Selected CAS-004 CompTIA CASP Questions Answers

Page: 26 / 42

Question 104

A financial institution has several that currently employ the following controls:

* The severs follow a monthly patching cycle.

* All changes must go through a change management process.

* Developers and systems administrators must log into a jumpbox to access the servers hosting the data using two-factor authentication.

* The servers are on an isolated VLAN and cannot be directly accessed from the internal production network.

An outage recently occurred and lasted several days due to an upgrade that circumvented the approval process. Once the security team discovered an unauthorized patch was installed, they were able to resume operations within an hour. Which of the following should the security administrator recommend to reduce the time to resolution if a similar incident occurs in the future?

Options:

Require more than one approver for all change management requests.

Implement file integrity monitoring with automated alerts on the servers.

Disable automatic patch update capabilities on the servers

Enhanced audit logging on the jump servers and ship the logs to the SIEM.

Question 105

An organization is deploying a new, online digital bank and needs to ensure availability and performance. The cloud-based architecture is deployed using PaaS and SaaS solutions, and it was designed with the following considerations:

- Protection from DoS attacks against its infrastructure and web applications is in place.

- Highly available and distributed DNS is implemented.

- Static content is cached in the CDN.

- A WAF is deployed inline and is in block mode.

- Multiple public clouds are utilized in an active-passive architecture.

With the above controls in place, the bank is experiencing a slowdown on the unauthenticated payments page. Which of the following is the MOST likely cause?

Options:

The public cloud provider is applying QoS to the inbound customer traffic.

The API gateway endpoints are being directly targeted.

The site is experiencing a brute-force credential attack.

A DDoS attack is targeted at the CDN.

Question 106

A company launched a new service and created a landing page within its website network for users to access the service. Per company policy, all websites must utilize encryption for any authentication pages. A junior network administrator proceeded to use an outdated procedure to order new certificates. Afterward, customers are reporting the following error when accessing a new web page: NET:ERR_CERT_COMMON_NAME_INVALID. Which of the following BEST describes what the administrator should do NEXT?

Options:

Request a new certificate with the correct subject alternative name that includes the new websites.

Request a new certificate with the correct organizational unit for the company's website.

Request a new certificate with a stronger encryption strength and the latest cipher suite.

Request a new certificate with the same information but including the old certificate on the CRL.

Question 107

The Chief information Security Officer (CISO) of a small locate bank has a compliance requirement that a third-party penetration test of the core banking application must be conducted annually. Which of the following services would fulfill the compliance requirement with the LOWEST resource usage?