Free Access CompTIA.CAS-003.v2022-08-15.q472 Practice Test (Page 73)

Question 356

A government agency considers confidentiality to be of utmost importance and availability issues to be of least importance. Knowing this, which of the following correctly orders various vulnerabilities in the order of MOST important to LEAST important?

A.Insecure direct object references, CSRF, Smurf

B.Privilege escalation, Application DoS, Buffer overflow

C.SQL injection, Resource exhaustion, Privilege escalation

D.CSRF, Fault injection, Memory leaks

Correct Answer: A

Insecure direct object references are used to access data. CSRF attacks the functions of a web site which could access data. A Smurf attack is used to take down a system.
A direct object reference is likely to occur when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key without any validation mechanism which will allow attackers to manipulate these references to access unauthorized data.
Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user's Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. The impact of a successful cross-site request forgery attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context. In effect, CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer, form submission etc.) via the target's browser without knowledge of the target user, at least until the unauthorized function has been committed.
A smurf attack is a type of network security breach in which a network connected to the Internet is swamped with replies to ICMP echo (PING) requests. A smurf attacker sends PING requests to an Internet broadcast address. These are special addresses that broadcast all received messages to the hosts connected to the subnet. Each broadcast address can support up to 255 hosts, so a single PING request can be multiplied 255 times. The return address of the request itself is spoofed to be the address of the attacker's victim. All the hosts receiving the PING request reply to this victim's address instead of the real sender's address. A single attacker sending hundreds or thousands of these PING messages per second can fill the victim's T-1 (or even T-3) line with ping replies, bring the entire Internet service to its knees.
Smurfing falls under the general category of Denial of Service attacks -- security attacks that don't try to steal information, but instead attempt to disable a computer or network.

Question 357

A new security policy states all wireless and wired authentication must include the use of certificates when connecting to internal resources within the enterprise LAN by all employees.
Which of the following should be configured to comply with the new security policy? (Choose two.)

A.PKI

B.SSO

C.OAuth

D.Push-based authentication

E.802.1X

F.New pre-shared key

Question 358

An attacker wants to gain information about a company's database structure by probing the database listener.
The attacker tries to manipulate the company's database to see if it has any vulnerabilities that can be exploited to help carry out an attack. To prevent this type of attack, which of the following should the company do to secure its database?

A.Harden web and Internet resources

B.Tighten database authentication and limit table access

C.Implement challenge-based authentication

D.Mask the database banner

Question 359

An organization is currently working with a client to migrate data between a legacy ERP system and a cloud-based ERP tool using a global PaaS provider. As part of the engagement, the organization is performing data deduplication and sanitization of client data to ensure compliance with regulatory requirements. Which of the following is the MOST likely reason for the need to sanitize the client data?

A.Data sovereignty

B.Data aggregation

C.Data volume

D.Data isolation

E.Data analytics

Question 360

Joe, a penetration tester, is assessing the security of an application binary provided to him by his client.
Which of the following methods would be the MOST effective in reaching this objective?

A.Manuallyreviewthe binaryina texteditor

B.Usea staticcodeanalyzer

C.Employafuzzingutility

D.Runthe binaryinan applicationsandbox

Other Version: 7489CompTIA.CAS-003.v2022-09-22.q535; 4321CompTIA.CAS-003.v2022-05-05.q206; 2991CompTIA.CAS-003.v2022-04-30.q141; 84CompTIA.Actualtestpdf.CAS-003.v2022-01-19.by.morgan.327q.pdf

Latest Upload: 105OCEG.GRCP.v2025-09-11.q211; 105HP.HPE0-V27.v2025-09-11.q78; 119Oracle.1Z0-1057-23.v2025-09-10.q47; 153Google.Professional-Cloud-Network-Engineer.v2025-09-09.q179; 133SAP.C-S4EWM-2023.v2025-09-08.q83; 167TheSecOpsGroup.CNSP.v2025-09-08.q20; 232CFAInstitute.ESG-Investing.v2025-09-08.q173; 214PECB.ISO-IEC-27001-Lead-Implementer.v2025-09-06.q132; 154Salesforce.Data-Architect.v2025-09-05.q216; 148Adobe.AD0-E605.v2025-09-05.q50

Question 356

Question 357

Question 358

Question 359

Question 360

Download PDF File