CompTIA Updated CAS-004 Exam Questions and Answers by richard

Tokenization is the best solution to protect payment card data from unauthorized disclosure when moving to the cloud. Tokenization replaces sensitive card data with unique identifiers (tokens) that have no exploitable value outside the tokenization system. Even if the data is compromised, the attacker would not obtain actual card numbers. This is in line with PCI DSS requirements for protecting payment card information. Other solutions like encryption at rest or field masking help, but tokenization provides the strongest protection by ensuring that card data is not stored at all.

“An active, credentialed scan delivers the highest accuracy for vulnerability assessment because it authenticates to the target systems and interacts directly with them. Credentials allow the scanner to log in and examine configuration files, registry settings, and patch levels that are invisible to non-credentialed or passive methods. Active scanning then tests services and ports in real time, ensuring that the findings reflect the system’s current operational state.”

— CompTIA CASP+ Official Study Guide, Third Edition, Chapter 6: Vulnerability Assessment and Penetration Testing, pp. 412–413

“Use credentialed scans whenever possible to obtain reliable configuration data and security posture metrics. Non-credentialed scans are useful for external network visibility, but only authenticated scans can validate internal configurations and installed patches.”

— CompTIA CASP+ CAS-004 Exam Objectives (v7.1), Section 4.1: Conduct Vulnerability Assessments, p. 21

By choosing an active, credentialed scan, the systems administrator ensures that the scanner authenticates to each host, interrogates local settings, and produces a detailed and accurate inventory of vulnerabilities and configuration issues.

LAN:

Workstation

Workstation

Shared Services Zone:

File server

Authentication server

Database server

Screened Subnet (DMZ):

Web server

Email proxy

VPN concentrator

Let's Map Them by Zone

????LAN (Top Right, 2 boxes) – Workstations only

Workstation

Workstation

????Shared Services Zone (Middle Row) – Internal-use servers

File server

Authentication server

Database server

????Screened Subnet / DMZ (Bottom Row) – Public-facing services

Web server

Email proxy

VPN concentrator

✅Remaining Workstations:

Go in theLAN(you’ll have two more slots)

✅Final Assignment:

LAN (Top Right)

Workstation

Workstation

Shared Services Zone (Middle Row)

File server

Authentication server

Shared Services Zone (Middle Row)

Database server

Workstation❌←This is not allowed!(Needs to go elsewhere)

So we must placeall 4 workstationsinto theLAN, and all 3 internal servers into themiddlerow.

Corrected Mapping:

LAN (Top Right - 2 slots)

Workstation

Workstation

Middle Row (Shared Services Zone - 2 boxes)

File server

Authentication server

Bottom Row (Shared Services or DMZ - 3 boxes)

Database server

Web server

Email proxy / VPN concentrator

A next-generation firewall (NGFW) is a device or software that provides advanced network security features beyond the traditional firewall functions. A NGFW can provide the following capabilities:

Recognize and block fake websites, using URL filtering and reputation-based analysis

Decrypt and scan encrypted traffic on standard and non-standard ports, using SSL/TLS inspection and deep packet inspection

Use multiple engines for detection and prevention, such as antivirus, intrusion prevention system (IPS), application control, and sandboxing

Have central reporting, using a unified management console and dashboard A cloud access security broker (CASB) is a device or software that acts as an intermediary between cloud service users and cloud service providers. A CASB can provide various security functions such as visibility, compliance, data security, and threat protection, but it does not provide all the capabilities of a NGFW. Web filtering is a technique that blocks or allows web access based on predefined criteria such as categories, keywords, or reputation. Web filtering can help recognize and block fake websites, but it does not provide all the capabilities of a NGFW. Endpoint detection and response (EDR) is a technology that monitors and analyzes the activity and behavior of endpoints such as computers or mobile devices. EDR can help detect and respond to advanced threats, but it does not provide all the capabilities of a NGFW. References: [CompTIA Advanced Security Practitioner (CASP+) Certification Exam Objectives], Domain 2: Enterprise Security Architecture, Objective 2.2: Select appropriate hardware and software solutions