CAS-003CAS-003 dumpsCAS-003 dumps pdfCAS-003 dumps VCECAS-003 exam dumpsCompTIA Advanced Security Practitioner (CASP+) dumps materialsCompTIA Advanced Security Practitioner CAS-003

[Update Mar 2022] New CAS-003 dumps for CompTIA CASP+ exam material

cas-003 exam

New CAS-003 dumps contain 791 exam questions and answers and are the best material for preparing for the CompTIA CASP+ certification exam.

Using CAS-003 dumps: Select the latest updated CAS-003 dumps PDF, CAS-003 dumps VCE or “PDF + VCE”, Help candidates pass the CompTIA CASP+ certification exam with ease.

Download Free Share CAS-003 Dumps PDF:

Read the latest free CAS-003 Dumps exam questions and answers online:

Number of exam questionsExam nameFromRelease time
15CompTIA Advanced Security Practitioner (CASP+)Lead4PassMar 6, 2022
New Question 1:

A security engineer on a large enterprise network needs to schedule maintenance within a fixed window of time. A total outage period of four hours is permitted for servers.

Workstations can undergo maintenance from 8:00 pm to 6:00 am daily. Which of the following can specify parameters for the maintenance work? (Select TWO).


Managed security service


Memorandum of understanding


Quality of service


Network service provider


Operating level agreement


Correct Answer: BE

B: A memorandum of understanding (MOU) documents conditions and applied terms for outsourcing partner organizations that must share data and information resources. It must be signed by a representative from each organization that has the legal authority to sign and is typically secured, as they are considered confidential.

E: An operating level agreement (O LA) defines the responsibilities of each partner\’s internal support group and what group and resources are used to meet the specified goal. It is used in conjunction with service level agreements (SLAs).

New Question 2:


After a security incident, an administrator would like to implement policies that would help reduce fraud and the potential for collusion between employees.

Which of the following would help meet these goals by having co-workers occasionally audit another worker\’s position?

A. Least privilege

B. Job rotation

C. Mandatory vacation

D. Separation of duties


Correct Answer: B

Job rotation can reduce fraud or misuse by preventing an individual from having too much control over an area.

New Question 3:


The Information Security Officer (ISO) believes that the company has been targeted by cybercriminals and it is under a cyber attack.

Internal services that are normally available to the public via the Internet are inaccessible, and employees in the office are unable to browse the Internet.

The senior security engineer starts by reviewing the bandwidth at the border router and notices that the incoming bandwidth on the router\’s external interface is maxed out.

The security engineer then inspects the following piece of log to try and determine the reason for the downtime, focusing on the company\’s external router\’s IP which is

11:16:22.110343 IP > UDP, length 1400 11:16:22.110351 IP > UDP, length 1400 11:16:22.110358 IP > UDP, length 1400 11:16:22.110402 IP > UDP, length 1400 11:16:22.110406 IP > UDP, length 1400 Which of the following describes the findings the senior security engineer should report to the ISO and the BEST solution for service restoration?

A. After the senior engineer used a network analyzer to identify an active Fraggle attack, the company\’s ISP should be contacted and instructed to block the malicious packets.

B. After the senior engineer used the above IPS logs to detect the ongoing DDOS attack, an IPS filter should be enabled to block the attack and restore communication.

C. After the senior engineer used a mirror port to capture the ongoing amplification attack, a BGP sinkhole should be configured to drop traffic at the source networks.

D. After the senior engineer used a packet capture to identify an active Smurf attack, an ACL should be placed on the company\’s external router to block incoming UDP port 19 traffic.


Correct Answer: A

The exhibit displays logs that are indicative of an active Fraggle attack.

A Fraggle attack is similar to a smurf attack in that it is a denial of service attack, but the difference is that a Fraggle attack makes use of ICMP and UDP ports 7 and 19.

Thus when the senior engineer uses a network analyzer to identify the attack he should contact the company\’s ISP to block those malicious packets.

New Question 4:


A government agency considers confidentiality to be of utmost importance and availability issues to be of the least importance. Knowing this, which of the following correctly orders various vulnerabilities in the order of MOST important to LEAST important?

A. Insecure direct object references, CSRF, Smurf

B. Privilege escalation, Application DoS, Buffer overflow

C. SQL injection, Resource exhaustion, Privilege escalation

D. CSRF, Fault injection, Memory leaks


Correct Answer: A

Insecure direct object references are used to access data. CSRF attacks the functions of a website that could access data. A Smurf attack is used to take down a system.

A direct object reference is likely to occur when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key without any validation mechanism which will allow attackers to manipulate these references to access unauthorized data.

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user\’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

The impact of a successful cross-site request forgery attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the user\’s context. In effect, CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer, form submission, etc.) via the target\’s browser without knowledge of the target user, at least until the unauthorized function has been committed.

A smurf attack is a type of network security breach in which a network connected to the Internet is swamped with replies to ICMP echo (PING) requests.

A smurf attacker sends PING requests to an Internet broadcast address. These are special addresses that broadcast all received messages to the hosts connected to the subnet.

Each broadcast address can support up to 255 hosts, so a single PING request can be multiplied 255 times. The return address of the request itself is spoofed to be the address of the attacker\’s victim.

All the hosts receiving the PING request reply to this victim\’s address instead of the real sender\’s address.

A single attacker sending hundreds or thousands of these PING messages per second can fill the victim\’s T-1 (or even T-3) line with ping replies, bringing the entire Internet service to its knees.

Smurfing falls under the general category of Denial of Service attacks — security attacks that don’t try to steal information but instead attempt to disable a computer or network.

New Question 5:


An investigator wants to collect the most volatile data first in an incident to preserve the data that runs the highest risk of being lost.

After memory, which of the following BEST represents the remaining order of volatility that the investigator should follow?

A. File system information, swap files, network processes, system processes, and raw disk blocks.

B. Raw disk blocks, network processes, system processes, swap files, and file system information.

C. System processes, network processes, file system information, swap files, and raw disk blocks.

D. Raw disk blocks, swap files, network processes, system processes, and file system information.


Correct Answer: C

The order in which you should collect evidence is referred to as the Order of volatility. Generally, evidence should be collected from the most volatile to the least volatile.

The order of volatility from most volatile to least volatile is as follows: Data in RAM, including CPU cache and recently used data and applications Data in RAM, including system and network processes Swap files (also known as paging files) stored on local disk drives Data stored on local disk drives Logs stored on remote systems Archive Media

New Question 6:


A Chief Information Security Officer (CISO) has requested that a SIEM solution be implemented. The CISO wants to know upfront what the projected TCO would be before looking further into this concern. Two vendor proposals have been received:

Vendor A: a product-based solution that can be purchased by the pharmaceutical company. Capital expenses to cover central log collectors, correlators, storage, and management consoles are expected to be $150,000. Operational expenses are expected to be a 0.5 full-time employee (FTE) to manage the solution, and 1 full-time employee to respond to incidents per year.

Vendor B: managed service-based solution which can be the outsourcer for the pharmaceutical company\’s needs.

The bundled offering is expected to be $100,000 per year.

Operational expenses for the pharmaceutical company to partner with the vendor are expected to be 0.5 FTE per year.

Internal employee costs are averaged to be $80,000 per year per FTE. Based on calculating the TCO of the two vendor proposals over a 5-year period, which of the following options is MOST accurate?

A. Based on cost alone, having an outsourced solution appears cheaper.

B. Based on cost alone, having an outsourced solution appears to be more expensive.

C. Based on cost alone, both outsourced an in-sourced solutions appear to be the same.

D. Based on cost alone, having a purchased product solution appears cheaper.


Correct Answer: A

The costs of making use of an outsourced solution will actually be savings for the company thus the outsourced solution is a cheaper option over a 5-year period because it amounts to 0,5 FTE per year for the company and at present, the company expense if $80,000 per year per FTE.

For the company to go alone it will cost $80,000 per annum per FTE = $400,000 over 5 years.

With Vendor a $150,000 + $200,000 (?FTE) = $350,000

With Vendor B = $100,000 it will be more expensive.


Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley and Sons, Indianapolis, 2012, p. 130

New Question 7:


A security engineer is responsible for monitoring company applications for known vulnerabilities. Which of the following is a way to stay current on exploits and information security news?

A. Update company policies and procedures

B. Subscribe to security mailing lists

C. Implement security awareness training

D. Ensure that the organization’s vulnerability management plan is up-to-date


Correct Answer: B

Subscribing to bug and vulnerability, security mailing lists is a good way of staying abreast and keeping up to date with the latest in those fields.

New Question 8:


A company that must comply with regulations is searching for a laptop encryption product to use for its 40,000 endpoints.

The product must meet regulations but also be flexible enough to minimize overhead and support in regard to password resets and lockouts.

Which of the following implementations would BEST meet the needs?

A. A partition-based software encryption product with low-level boot protection and authentication

B. A container-based encryption product that allows the end users to select which files to encrypt

C. A full-disk hardware-based encryption product with low-level boot protection and authentication

D. A file-based encryption product using profiles to target areas on the file system to encrypt


Correct Answer: D

The question is asking for a solution that will minimize overhead and support in regard to password resets and lockouts.

File-based encryption products operate under the context of the computer user\’s user account. This means that the user does not need to remember a separate password for the encryption software.

If the user forgets his user account password or is locked out due to failed login attempts, the support department can reset his password from a central database of user accounts (such as Active Directory) without the need to visit the user\’s computer.

Profiles can be used to determine areas on the file system to encrypt such as Document folders.

New Question 9:


ABC Corporation uses multiple security zones to protect systems and information, and all of the VM hosts are part of a consolidated VM infrastructure. Each zone has different VM administrators.

Which of the following restricts different zone administrators from directly accessing the console of a VM host from another zone?

A. Ensure hypervisor layer firewalling between all VM hosts regardless of the security zone.

B. Maintain a separate virtual switch for each security zone and ensure VM hosts bind to only the correct virtual NIC(s).

C. Organize VM hosts into containers based on security zone and restricts access using an ACL.

D. Require multi-factor authentication when accessing the console at the physical VM host.


Correct Answer: C

Access Control Lists (ACLs) are used to restrict access to the console of a virtual host. Virtual hosts are often managed by centralized management servers (for example VMware vCenter Server).

You can create logical containers that can contain multiple hosts and you can configure ACLs on the containers to provide access to the hosts within the container.

New Question 10:


A pentester must attempt to crack passwords on a windows domain that enforces strong complex passwords. Which of the following would crack the MOST passwords in the shortest time period?

A. Online password testing

B. Rainbow tables attack

C. Dictionary attack

D. Brute force attack


Correct Answer: B

The passwords in a Windows (Active Directory) domain are encrypted.

When a password is “tried” against a system it is “hashed” using encryption so that the actual password is never sent in clear text across the communications line.

This prevents eavesdroppers from intercepting the password. The hash of a password usually looks like a bunch of garbage and is typically a different length than the original password.

Your password might be “shitzu” but the hash of your password would look something like “7378347eedbfdd761619451949225ec1”.

To verify a user, a system takes the hash value created by the password hashing function on the client computer and compares it to the hash value stored in a table on the server. If the hashes match, then the user is authenticated and granted access.

Password cracking programs work in a similar way to the login process.

The cracking program starts by taking plaintext passwords, running them through a hash algorithm, such as MD5, and then comparing the hash output with the hashes in the stolen password file.

If it finds a match then the program has cracked the password.

Rainbow Tables are basically huge sets of precomputed tables filled with hash values that are pre-matched to possible plaintext passwords.

The Rainbow Tables essentially allow hackers to reverse the hashing function to determine what the plaintext password might be.

The use of Rainbow Tables allows for passwords to be cracked in a very short amount of time compared with brute-force methods, however, the trade-off is that it takes a lot of storage (sometimes Terabytes) to hold the Rainbow Tables themselves.

New Question 11:


Since the implementation of IPv6 on the company network, the security administrator has been unable to identify the users associated with certain devices utilizing IPv6 addresses, even when the devices are centrally managed.

en1: flags=8863 MTU 1500 ether f8:1e:af:ab:10:a3 inet6 fw80::fa1e:dfff:fee6:9d8%en1 prefixlen 64 scopeid 0x5 inet netmask 0xffffff00 broadcast inet6 2001:200:5:922:1035:dfff:fee6:9dfe prefixlen 64 autoconf inet6 2001:200:5:922:10ab:5e21:aa9a:6393 prefixlen 64 autoconf temporary nd6 options=1 media: autoselect status: active Given this output, which of the following protocols is in use by the company and what can the system administrator do to positively map users with IPv6 addresses in the future? (Select TWO).

A. The devices use EUI-64 format

B. The routers implement NDP

C. The network implements 6to4 to tunneling

D. The router IPv6 advertisement has been disabled

E. The administrator must disable IPv6 tunneling

F. The administrator must disable the mobile IPv6 router flag

G. The administrator must disable the IPv6 privacy extensions

H. The administrator must disable DHCPv6 option code 1


Correct Answer: BG

IPv6 makes use of the Neighbor Discovery Protocol (NDP). Thus if your routers implement NDP you will be able to map users with IPv6 addresses.

However to be able to positively map users with IPv6 addresses you will need to disable IPv6 privacy extensions.

New Question 12:


A new piece of ransomware got installed on a company\’s backup server which encrypted the hard drives containing the OS and backup application configuration but did not affect the deduplication data hard drives.

During the incident response, the company finds that all backup tapes for this server are also corrupt. Which of the following is the PRIMARY concern?

A. Determining how to install HIPS across all server platforms to prevent future incidents

B. Preventing the ransomware from re-infecting the server upon restore

C. Validating the integrity of the deduplicated data

D. Restoring the data will be difficult without the application configuration


Correct Answer: D

Ransomware is a type of malware that restricts access to a computer system that it infects in some way and demands that the user pay a ransom to the operators of the malware to remove the restriction.

Since the backup application configuration is not accessible, it will require more effort to recover the data.

Eradication and Recovery is the fourth step of the incident response. It occurs before preventing future problems.

New Question 13:


An administrator wants to enable policy-based flexible mandatory access controls on an open-source OS to prevent abnormal application modifications or executions. Which of the following would BEST accomplish this?

A. Access control lists

B. SELinux

C. IPtables firewall



Correct Answer: B

The most common open-source operating system is LINUX.

Security-Enhanced Linux (SELinux) was created by the United States National Security Agency (NSA) and is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense style mandatory access controls (MAC).

NSA Security-enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible mandatory access control (MAC) architecture into the major subsystems of the kernel.

It provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications.

New Question 14:


Company ABC is hiring customer service representatives from Company XYZ. The representatives reside at Company XYZ\’s headquarters.

Which of the following BEST prevents Company XYZ representatives from gaining access to unauthorized Company ABC systems?

A. Require each Company XYZ employee to use an IPSec connection to the required systems

B. Require Company XYZ employees to establish an encrypted VDI session to the required systems

C. Require Company ABC employees to use two-factor authentication on the required systems

D. Require a site-to-site VPN for intercompany communications


Correct Answer: B

VDI stands for Virtual Desktop Infrastructure. Virtual desktop infrastructure is the practice of hosting a desktop operating system within a virtual machine (VM) running on a centralized server.

Company ABC can configure virtual desktops with the required restrictions and required access to systems that the users in company XYZ require.

The users in company XYZ can then log in to the virtual desktops over a secure encrypted connection and then access authorized systems only.

New Question 15:


The DLP solution has been showing some unidentified encrypted data being sent using FTP to a remote server.

A vulnerability scan found a collection of Linux servers that are missing OS-level patches. Upon further investigation, a technician notices that there are a few unidentified processes running on a number of the servers.

What would be a key FIRST step for the data security team to undertake at this point?

A. Capture process ID data and submit it to an anti-virus vendor for review.

B. Reboot the Linux servers, check running processes and install needed patches.

C. Remove a single Linux server from production and place it in quarantine.

D. Notify upper management of a security breach.

E. Conduct a bit-level image, including RAM, of one or more of the Linux servers.


Correct Answer: E

Incident management (IM) is a necessary part of a security program. When effective, it mitigates business impact, identifies weaknesses in controls, and helps fine-tune response processes.

In this question, an attack has been identified and confirmed. When a server is compromised or used to commit a crime, it is often necessary to seize it for forensics analysis.

Security teams often face two challenges when trying to remove a physical server from service: retention of potential evidence in volatile storage or removal of a device from a critical business process.

Evidence retention is a problem when the investigator wants to retain RAM content.

For example, removing power from a server starts the process of mitigating business impact, but it also denies forensic analysis of data, processes, keys, and possible footprints left by an attacker.

A full a bit level image, including RAM, should be taken of one or more of the Linux servers. In many cases, if your environment has been deliberately attacked, you may want to take legal action against the perpetrators.

In order to preserve this option, you should gather evidence that can be used against them, even if a decision is ultimately made not to pursue such action.

It is extremely important to back up the compromised systems as soon as possible. Back up the systems prior to performing any actions that could affect data integrity on the original media.


Lead4Pass CAS-003 dumps have been updated to the latest version. It has been verified by the actual test room and is real and effective. It is the best exam material for the CompTIA CASP+ certification exam. Download CAS-003 dumps with PDF and VCE: (791 Q&As)
Help candidates pass 100% of CompTIA CASP+ certification exams.

BTW, share part of CAS-003 Dumps PDF online download for free: