Ready to boost your cybersecurity expertise? Our free CASP practice questions quiz is an advanced-level CompTIA CASP practice resource for security practitioners aiming to pass the CASP certification. In this CASP exam quiz, you'll tackle real-world scenarios, from network vulnerabilities and data sanitization to security controls, so you can pinpoint strengths and gaps. If you've warmed up with an information security test or a cyber security awareness quiz, you're set for this advanced security practitioner quiz. Start now to challenge yourself with targeted CASP certification questions!
Which principle in the CIA triad ensures that data is accessible only to authorized users?
Availability
Accountability
Confidentiality
Integrity
The principle of confidentiality in the CIA triad ensures that data is accessible only to authorized users, preventing unauthorized disclosure. Confidentiality is maintained through encryption, access controls, and authentication mechanisms. It contrasts with integrity and availability, which focus on data accuracy and accessibility respectively. For more details, see Cisco's explanation of the CIA triad.
What is the primary function of HTTPS in network communications?
Transfer files via FTP
Encrypt web traffic
Authenticate email servers
Block malware downloads
HTTPS secures HTTP communications by encrypting data between the client and server using TLS (its predecessor SSL is deprecated and should be disabled). This prevents eavesdropping and tampering by unauthorized parties. It also authenticates the server through its certificate, so users can confirm they are connected to the legitimate site. For more, see MDN Web Docs on HTTPS.
Which device monitors network traffic for malicious activity and alerts administrators?
Router
Network Switch
Proxy Server
Intrusion Detection System
An Intrusion Detection System (IDS) analyzes network or system activities for malicious actions and policy violations. It raises alerts when suspicious traffic patterns are detected. Unlike firewalls that block traffic, IDS solutions purely detect and notify administrators. More information is available at SANS Institute on IDS.
Which of the following is an example of a social engineering attack?
Port scanning
SQL injection
Phishing email
Ping sweep
Phishing is a social engineering attack that tricks individuals into revealing sensitive information via deceptive emails or websites. It exploits human psychology rather than technical vulnerabilities. Attackers often impersonate trusted entities to gain trust. For deeper insights, see OWASP on Phishing.
SQL injection attacks primarily target which layer of the OSI model?
Application layer
Transport layer
Data Link layer
Network layer
SQL injection exploits vulnerabilities in application-layer code that interfaces with databases. It allows attackers to inject malicious queries through input fields. Proper input validation and parameterized queries prevent these attacks. See OWASP on SQL Injection for more.
Which hashing algorithm is currently considered secure for integrity checks?
SHA-1
MD5
CRC32
SHA-256
SHA-256 is part of the SHA-2 family, which is recommended for strong cryptographic hashing. MD5 and SHA-1 have known collisions and are no longer considered secure. CRC32 is a checksum rather than a cryptographic hash and offers no security. More detail is available at NIST FIPS 180-4.
What does the principle of least privilege entail?
All users have administrative rights
Users can share privileges freely
Privileges are revoked after a year
Users receive only the minimum rights necessary
The principle of least privilege restricts user access rights to only what is strictly required for their job functions. This limits the potential impact of compromised accounts or insider threats. It is a core concept in security frameworks and compliance standards. Learn more at CIS Controls on Least Privilege.
Which type of security control is a VPN?
Corrective control
Preventive control
Compensating control
Detective control
A VPN is a preventive control because it proactively encrypts and secures communications to prevent unauthorized access. It safeguards data in transit by creating a secure tunnel between endpoints. Without a VPN, data could be intercepted on public networks. See Cisco on VPNs.
Which type of malware replicates itself and spreads to other devices without user interaction?
Rootkit
Adware
Trojan
Worm
A worm is self-replicating malware that spreads across networks without needing to attach to a host program or require user action. Trojans disguise themselves as legitimate software, while rootkits hide malicious processes. Adware displays unwanted ads. For details, see US-CERT on Worms.
Which input sanitization method neutralizes potentially dangerous HTML tags in user input?
Hashing
Tokenization
Encryption
Encoding
Encoding transforms special characters (<, >, &, and quotes) into their HTML entity equivalents, so the browser renders them as text instead of parsing them as markup; this is the standard defense against XSS. Note that encoding does not remove tags, it defuses them, and the encoder must match the output context (HTML body, attribute, JavaScript, URL). Hashing and encryption protect integrity and confidentiality, not how the browser interprets the content. Tokenization replaces sensitive data but does not sanitize HTML. For more, see OWASP on XSS Prevention.
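Why "defuse" beats "remove": the added example below (written for this page, not taken from the quiz or OWASP) puts a naive tag-stripping blacklist next to HTML output encoding. The payloads are constructed for the demonstration.

```python
import html
import re

def strip_script_tags(user_input: str) -> str:
    # Blacklist approach: delete literal <script> and </script> tags. This is
    # the kind of "removal" that is easily bypassed, as demo() shows.
    return re.sub(r"(?i)</?script>", "", user_input)

def encode_for_html_body(user_input: str) -> str:
    # Output encoding for an HTML text node: < > & " ' become entities, so the
    # browser displays the characters instead of parsing them as markup.
    return html.escape(user_input, quote=True)

def can_open_tag(rendered: str) -> bool:
    # Demo check: a raw "<" is the only way to start a tag in an HTML text node.
    return "<" in rendered

def demo() -> dict:
    # Constructed payloads (assumptions for this example, not from the page).
    nested = "<scr<script>ipt>alert(1)</script>"      # survives one-pass tag removal
    handler = '<img src=x onerror="alert(1)">'       # contains no <script> tag at all
    return {
        "nested_after_strip": strip_script_tags(nested),
        "nested_strip_still_dangerous": can_open_tag(strip_script_tags(nested)),
        "handler_strip_still_dangerous": can_open_tag(strip_script_tags(handler)),
        "nested_encoded": encode_for_html_body(nested),
        "nested_encoded_dangerous": can_open_tag(encode_for_html_body(nested)),
        "handler_encoded_dangerous": can_open_tag(encode_for_html_body(handler)),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Stripping `<script>` from the nested payload leaves a fresh `<script>alert(1)` behind, and the `onerror` handler never contained a script tag to strip. Encoding leaves both payloads as inert text. `html.escape` is correct only for HTML body and attribute values; JavaScript, CSS and URL contexts need their own encoders.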
Which attack exploits buffer overflow vulnerabilities to execute arbitrary code?
ARP poisoning
DNS spoofing
Cross-Site Scripting
Buffer overflow attack
Buffer overflow attacks occur when more data is written to a buffer than it was allocated to hold, overwriting adjacent memory such as return addresses or function pointers and letting the attacker redirect execution. Bounds checking, safe library functions, and compiler and OS mitigations (stack canaries, DEP/NX, ASLR) reduce the risk. Languages like C and C++ that do not enforce bounds are the most exposed. Refer to OWASP on Buffer Overflow.
The POODLE vulnerability is associated with which protocol?
SSL 3.0
TLS 1.2
IPsec
SSH
POODLE (Padding Oracle On Downgraded Legacy Encryption) exploits a flaw in how SSL 3.0 handles CBC-mode padding. An attacker who can force a client to fall back to SSL 3.0 and inject chosen requests can recover plaintext one byte at a time, enough to steal a session cookie. Properly implemented TLS is not vulnerable, and the fix is to disable SSL 3.0 entirely rather than rely on fallback prevention. More at OpenSSL POODLE Advisory.
Which encryption mode provides both confidentiality and integrity protection?
Counter (CTR)
Galois/Counter Mode (GCM)
Electronic Codebook (ECB)
Cipher Block Chaining (CBC)
Galois/Counter Mode (GCM) combines counter mode encryption with authentication using Galois field multiplication. It ensures both confidentiality and data integrity in a single operation. Other modes like CBC offer confidentiality only. For details, see NIST SP 800-38D.
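What "confidentiality only" costs in practice: the added example below (written for this page; not the quiz's code and not a real GCM implementation) builds a counter-mode cipher and shows that an attacker can rewrite a field of the plaintext without the key, then adds an integrity tag (encrypt-then-MAC) so the same tampering is rejected. Since the Python standard library has no AES, HMAC-SHA256 stands in for the block function; the message layout is constructed for the demo.

```python
import hashlib
import hmac
import os

def _ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream. HMAC-SHA256 stands in for the AES block function
    # (stdlib only); block i = PRF(key, nonce || i), exactly as CTR mode does.
    blocks, i = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:length]

def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encrypt and decrypt are the same XOR; nothing here checks integrity.
    return bytes(d ^ k for d, k in zip(data, _ctr_keystream(key, nonce, len(data))))

def ae_encrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> tuple:
    # Encrypt-then-MAC: the tag covers nonce and ciphertext. GCM delivers the
    # same guarantee in one pass with its GHASH-based tag.
    ct = ctr_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag

def ae_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: ciphertext or nonce was modified")
    return ctr_xor(enc_key, nonce, ct)

def flip_field(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # Bit-flipping attack on unauthenticated CTR: XOR (old ^ new) into the
    # ciphertext bytes at a known offset. No key is needed.
    patched = bytearray(ct)
    for i, (o, n) in enumerate(zip(old, new)):
        patched[offset + i] ^= o ^ n
    return bytes(patched)

def demo() -> tuple:
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    msg = b"amount=0010;to=alice"   # constructed message layout
    off = len(b"amount=")

    # Confidentiality only: the attacker rewrites the amount without decrypting.
    n1 = os.urandom(12)
    forged = ctr_xor(enc_key, n1, flip_field(ctr_xor(enc_key, n1, msg), off, b"0010", b"9999"))

    # Confidentiality + integrity: the same tampering is rejected.
    n2 = os.urandom(12)
    ct, tag = ae_encrypt(enc_key, mac_key, n2, msg)
    try:
        ae_decrypt(enc_key, mac_key, n2, flip_field(ct, off, b"0010", b"9999"), tag)
        detected = False
    except ValueError:
        detected = True
    return forged, detected

if __name__ == "__main__":
    print(demo())
```

The same malleability applies to CBC (with the flip landing in the previous block). A fresh nonce per message matters as much as the tag: reusing a nonce under CTR or GCM leaks the XOR of the two plaintexts.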
What technique adds random data to passwords before hashing to defend against rainbow table attacks?
Salting
Hashing
Key stretching
Peppering
Salting appends or prepends unique random data to each password before hashing, so identical passwords produce different hashes and precomputed rainbow tables are useless. A pepper is a single secret value, kept outside the database, that is added to every password; key stretching (PBKDF2, bcrypt, scrypt, Argon2) iterates the hash so each guess costs the attacker real time. Salting is a fundamental defense against offline cracking of stolen hashes. Learn more at OWASP Password Storage Cheat Sheet.
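Salting and key stretching together, as an added example for this page (not the quiz's code; the wordlist and storage format are constructed). The rainbow table is a plain dictionary of unsalted SHA-256 digests, which is all it takes to crack an unsalted store and which finds nothing once a per-user salt is in play. The iteration count is the PBKDF2-HMAC-SHA256 figure from the OWASP Password Storage Cheat Sheet.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor from the OWASP Password Storage Cheat Sheet

def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    # A fresh 16-byte random salt per user; it is stored next to the hash in
    # the clear, because its job is uniqueness, not secrecy.
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    # Re-derive with the stored salt and iteration count; constant-time compare.
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def build_rainbow_table(wordlist) -> dict:
    # Precomputed unsalted SHA-256 digest -> password. This is what salting defeats.
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}

def demo() -> dict:
    table = build_rainbow_table(["password", "123456", "letmein"])  # constructed wordlist
    unsalted_store = hashlib.sha256(b"letmein").hexdigest()
    salted_a = hash_password("letmein")
    salted_b = hash_password("letmein")
    return {
        "unsalted_cracked": table.get(unsalted_store),            # found instantly
        "salted_cracked": table.get(salted_a.split("$")[-1]),     # no precomputed match
        "same_password_same_hash": salted_a == salted_b,          # False: salts differ
        "verify_ok": verify_password("letmein", salted_a),
        "verify_wrong": verify_password("letmein!", salted_a),
    }

if __name__ == "__main__":
    print(demo())
```

Storing the algorithm and iteration count with the hash lets you raise the work factor later and re-hash users at their next login.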
Which technology limits broadcast domains in a switched network?
NAT
WLAN
VPN
VLAN
Virtual LANs (VLANs) segment a single physical switch into multiple logical broadcast domains, isolating traffic. This improves performance and security by containing broadcasts. NAT translates addresses but does not segment within a switch. More information at Cisco on VLANs.
Which network attack floods a target with TCP SYN packets to exhaust resources?
Smurf attack
SYN flood
DNS amplification
ARP poisoning
A SYN flood attack exploits the TCP three-way handshake by sending numerous SYN requests without completing the handshake, overwhelming the server's connection table. This denial-of-service tactic can destabilize or crash services. Mitigations include SYN cookies and rate limiting. For more, see OWASP on SYN Flooding.
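Detecting the pattern in traffic rather than just naming it: the added example below (written for this page, not part of the quiz) tracks client SYNs that are never followed by the client's handshake-completing ACK and raises an alert for any second in which the half-open count crosses a threshold. The packet records are constructed, not a real capture, and the flood uses spoofed sources from the TEST-NET-3 range.

```python
import random
from collections import defaultdict

def half_open_by_second(records) -> dict:
    # records: (ts, src_ip, src_port, flags) with flags "S" for the client SYN
    # and "A" for the client's handshake-completing ACK. A connection is
    # half-open if its SYN was never followed by that ACK.
    pending = {}
    for ts, src, sport, flags in sorted(records):
        key = (src, sport)
        if flags == "S":
            pending[key] = ts
        elif flags == "A":
            pending.pop(key, None)
    counts = defaultdict(int)
    for ts in pending.values():
        counts[int(ts)] += 1
    return dict(counts)

def syn_flood_alerts(records, threshold: int = 50) -> list:
    # One alert per second in which the number of connections left half-open
    # reached the threshold; a real backlog would start dropping SYNs here.
    return [(sec, n) for sec, n in sorted(half_open_by_second(records).items()) if n >= threshold]

def build_sample() -> list:
    # Constructed traffic, not a real capture.
    rng = random.Random(7)
    recs = []
    for i in range(20):                         # normal clients: SYN then ACK
        ts, src, sport = rng.uniform(0, 3), f"10.0.0.{i + 1}", 40000 + i
        recs.append((ts, src, sport, "S"))
        recs.append((ts + 0.01, src, sport, "A"))
    for i in range(120):                        # flood between t=1 and t=2
        recs.append((rng.uniform(1, 2), f"203.0.113.{rng.randint(1, 254)}", 1024 + i, "S"))
    return recs

if __name__ == "__main__":
    print(syn_flood_alerts(build_sample()))
```

Per-source counting would miss this flood because every SYN carries a different spoofed address, which is why the detector keys on half-open connections rather than on senders. SYN cookies mitigate the same condition on the server side by encoding the connection state in the SYN-ACK sequence number instead of allocating a backlog entry.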
What type of attack tricks a browser into sending unwanted requests to a site where the user is authenticated?
Clickjacking
Cross-Site Scripting
Cross-Site Request Forgery
Session hijacking
Cross-Site Request Forgery (CSRF) forces a user's browser to send unauthorized commands to a trusted site where the user is authenticated. The browser attaches the session cookie automatically, so the attacker exploits the user's session to perform actions without consent. Anti-CSRF tokens, the SameSite cookie attribute, and checking the Origin or Referer header on state-changing requests prevent these attacks. See OWASP on CSRF.
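A session-bound anti-CSRF token, as an added example for this page (not the quiz's code; the token format, server secret, and the simulated form handler are assumptions). The token is an HMAC over the session identifier and an expiry, so it cannot be forged without the server secret, cannot be reused across sessions, and ages out. The attacker's cross-site form cannot include a valid token because the same-origin policy stops it from reading the victim's page.

```python
import base64
import binascii
import hashlib
import hmac
import os
import time

SERVER_SECRET = os.urandom(32)  # assumption: one per deployment, never sent to clients

def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET, now=None, ttl: int = 3600) -> str:
    # Token = expiry : base64(HMAC(secret, session_id : expiry)). Binding it to
    # the session means a token captured from one session is useless in another.
    expiry = int((time.time() if now is None else now) + ttl)
    mac = hmac.new(secret, f"{session_id}:{expiry}".encode(), hashlib.sha256).digest()
    return f"{expiry}:{base64.urlsafe_b64encode(mac).decode()}"

def verify_csrf_token(token: str, session_id: str, secret: bytes = SERVER_SECRET, now=None) -> bool:
    try:
        expiry_str, mac_b64 = token.split(":", 1)
        expiry = int(expiry_str)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return False
    if (time.time() if now is None else now) > expiry:
        return False
    expected = hmac.new(secret, f"{session_id}:{expiry}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)

def handle_transfer(form: dict, session_id: str, now=None) -> int:
    # Simulated state-changing POST handler. The session cookie arrives with
    # every request regardless of who built the form; only the token proves
    # the form came from a page this application served to this session.
    if not verify_csrf_token(form.get("csrf_token", ""), session_id, now=now):
        return 403
    return 200

def demo() -> dict:
    t0 = 1_700_000_000.0          # fixed clock so the demo is reproducible
    victim, other = "sess-victim", "sess-other"
    good = issue_csrf_token(victim, now=t0)
    return {
        "legit_form": handle_transfer({"csrf_token": good, "to": "alice"}, victim, now=t0 + 5),
        "attacker_form_no_token": handle_transfer({"to": "attacker"}, victim, now=t0 + 5),
        "token_from_other_session": handle_transfer(
            {"csrf_token": issue_csrf_token(other, now=t0)}, victim, now=t0 + 5),
        "tampered_expiry": handle_transfer({"csrf_token": "9" + good[1:]}, victim, now=t0 + 5),
        "expired": handle_transfer({"csrf_token": good}, victim, now=t0 + 3601),
    }

if __name__ == "__main__":
    print(demo())
```

Setting the session cookie with `SameSite=Lax` is worth adding as defense in depth: the browser then omits the cookie from cross-site POSTs, so the forged request arrives unauthenticated even if a token check is missing somewhere.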
Implementing a security awareness training program is what type of control?
Technical control
Administrative control
Compensating control
Physical control
Administrative controls are policies, procedures, and training designed to guide organizational security. Security awareness programs educate users on risks and best practices. Technical controls use technology solutions like firewalls or encryption. For more, see NIST definitions.
Which method provides non-repudiation and verifies data integrity?
Checksum
TLS handshake
Digital signature
Symmetric encryption
Digital signatures use asymmetric cryptography to ensure data integrity and non-repudiation by signing data with a private key. Recipients verify the signature with the corresponding public key. Symmetric encryption and checksums do not provide non-repudiation. For details, see NIST on Digital Signatures.
Which process is used to address vulnerabilities discovered in a system?
Patch management
Data deduplication
Data encryption
Address translation
Patch management is the systematic process of acquiring, testing, and installing patches to correct vulnerabilities. It keeps systems current and secure against known threats. Encryption and deduplication serve different purposes. For guidance, see CISA on Patch Management.
In a PKI, which entity is responsible for issuing digital certificates?
Certificate Revocation List (CRL)
Online Certificate Status Protocol (OCSP)
Certificate Authority (CA)
Registration Authority (RA)
A Certificate Authority (CA) issues and signs digital certificates that bind public keys to identities. The RA handles identity verification but does not issue certificates. CRLs and OCSP provide revocation status information. For more, see Digicert on CAs.
Which attack exploits shared hardware resources in cloud multi-tenant environments to extract data?
Cross-VM side-channel attack
Man-in-the-middle attack
DNS poisoning
ARP spoofing
Cross-VM side-channel attacks leverage shared CPU cache or memory buses in multi-tenant clouds to infer sensitive information. Attackers co-locate a malicious VM with the target to gather side-channel data. Proper isolation and resource partitioning mitigate these risks. See NIST on Side-Channel Attacks.
Which solution provides fine-grained control over privileged account access?
Single Sign-On (SSO)
Multi-factor Authentication (MFA)
Privileged Access Management (PAM)
Identity Federation
Privileged Access Management (PAM) enforces least privilege and just-in-time access for administrative accounts. It records sessions, manages passwords, and isolates credentials. While MFA adds authentication, PAM specifically controls and audits privileged usage. More at Gartner on PAM.
What is the main benefit of microsegmentation in modern data centers?
Increases broadcast domain size
Isolates workloads to prevent lateral movement
Reduces encryption overhead
Simplifies IP addressing
Microsegmentation divides networks into granular segments, isolating workloads and limiting lateral movement of attackers. This containment strategy enhances security posture by enforcing policies at the workload level. It does not affect broadcast domains or IP simplicity. Learn more at VMware on Microsegmentation.
Which data sanitization method replaces real data with realistic but fake values to protect PII?
Hashing
Encryption
Compression
Tokenization
Tokenization replaces a sensitive value with a surrogate (token) that has no exploitable relationship to the original; the mapping is held in a secured vault, and the token can be format-preserving so that downstream systems and test data still look realistic. Encryption and hashing protect data but produce values that neither look like the original nor are meant to be used in its place. Tokenization is widely used in data masking and for taking systems out of PCI DSS scope. See PCI on Tokenization.
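A minimal vault-based tokenizer, as an added example for this page (not the quiz's code and not any vendor's product; the class, its validation rule and the test card number are assumptions). It issues a random, format-preserving surrogate that keeps the last four digits for display and can only be reversed by asking the vault.

```python
import secrets

class TokenVault:
    """Vault-style tokenization (constructed example). The real PAN is kept
    only inside the vault; callers receive a random surrogate with the same
    length and the last four digits preserved for display."""

    def __init__(self) -> None:
        self._pan_by_token: dict = {}
        self._token_by_pan: dict = {}

    @staticmethod
    def _normalize(pan: str) -> str:
        digits = pan.replace(" ", "").replace("-", "")
        if not (digits.isdigit() and 12 <= len(digits) <= 19):
            raise ValueError("not a PAN-shaped value")
        return digits

    def tokenize(self, pan: str) -> str:
        digits = self._normalize(pan)
        if digits in self._token_by_pan:          # same PAN -> same token, so joins still work
            return self._token_by_pan[digits]
        while True:
            # Random, not derived from the PAN: unlike a hash, the token cannot be
            # brute-forced back to the card number without the vault.
            body = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            if token != digits and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault can reverse a token; this is the call to wrap in
        # strict authorization and audit logging.
        return self._pan_by_token[token]

def demo() -> dict:
    vault = TokenVault()
    pan = "4111 1111 1111 1111"     # constructed test card number
    tok = vault.tokenize(pan)
    return {"token": tok, "stable": vault.tokenize(pan) == tok, "restored": vault.detokenize(tok)}

if __name__ == "__main__":
    print(demo())
```

Contrast with hashing: a SHA-256 of a 16-digit PAN is deterministic and the input space is small enough to enumerate, so a hash would be reversible by brute force, whereas a random token carries no information about the PAN at all.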
Which key exchange method provides forward secrecy in TLS sessions?
Ephemeral Diffie-Hellman (DHE)
PSK key exchange
RSA key exchange
Static Diffie-Hellman
Ephemeral Diffie-Hellman (DHE, or ECDHE with elliptic curves) generates a fresh key pair for each session, so compromise of the server's long-term private key does not expose previously recorded sessions (forward secrecy). RSA key exchange encrypts the premaster secret to the server's long-term key, and static DH reuses a fixed key pair, so neither has this property. PSK-only key exchange derives everything from the pre-shared key; in TLS 1.3 it provides forward secrecy only when combined with an ephemeral DH share (psk_dhe_ke). More at RFC 8446 Section 4.2.8.
In cloud service models, which model requires the customer to manage the operating system while the provider manages the hypervisor?
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Desktop as a Service (DaaS)
Software as a Service (SaaS)
In IaaS, the cloud provider manages the underlying hardware, virtualization, and hypervisor, while customers install and maintain their OS, middleware, and applications. PaaS abstracts the OS layer, and SaaS delivers fully managed applications. DaaS is focused on virtual desktops. For details, see AWS on Cloud Models.
What standard facilitates single sign-on (SSO) between identity providers and service providers?
IPsec
OpenVPN
Security Assertion Markup Language (SAML)
OAuth 2.0
SAML is an XML-based standard for exchanging authentication and authorization data between parties, enabling SSO across different domains. OAuth 2.0 is an authorization framework, not specifically SSO. VPN and IPsec are network encryption protocols. More info at SAML Authentication.
What is the primary purpose of a Web Application Firewall (WAF)?
Protect web applications by filtering HTTP traffic
Manage user identities
Encrypt network links
Perform antivirus scanning
A Web Application Firewall inspects HTTP/HTTPS traffic for malicious content like SQL injection or cross-site scripting and blocks harmful requests. It operates at the application layer, unlike network firewalls. It does not handle encryption or identity management. Read more at OWASP on WAFs.
Which algorithm family is part of the NIST-approved post-quantum cryptography standards?
Elliptic Curve Cryptography
RSA
AES
Kyber
Kyber is a lattice-based key encapsulation mechanism that NIST selected for standardization and published as ML-KEM in FIPS 203 (August 2024); its security rests on problems with no known efficient quantum algorithm. RSA and ECC rely on factoring and discrete-logarithm problems that Shor's algorithm breaks on a large quantum computer. AES is a symmetric cipher: Grover's algorithm only halves its effective key length, so AES-256 remains adequate. See NIST PQC Project.
In SCADA and industrial control systems, which technology enforces one-way data flow to protect critical assets?
NAT gateway
VLAN
SSL VPN
Data diode
Data diodes are hardware devices that enforce unidirectional data flow, preventing any inbound communication and protecting critical ICS environments. VLANs and VPNs still allow bidirectional traffic. Data diodes provide the highest level of isolation for secure information transfers. For more, see ANSYS on Data Diodes.
Which principle is fundamental to Zero Trust Architecture?
Default deny and verify every request
Trust once authenticated
Rely solely on perimeter defenses
Implicit trust within the network perimeter
Zero Trust Architecture operates on the principle of 'never trust, always verify' by default denying access and continuously validating identity and context for each request. It eliminates implicit trust based on network location. This reduces risk from internal and external threats. See NIST SP 800-207 on Zero Trust.
Which anomaly detection technique uses statistical models like Hidden Markov Models to identify deviations from normal traffic patterns?
Honey token analysis
Hidden Markov Model-based anomaly detection
Signature-based detection
Manual log review
Hidden Markov Models apply probabilistic statistical methods to model normal sequences of events and detect anomalies when observed behavior deviates significantly. Signature-based methods only detect known attacks. Honey tokens provide decoy detection, and manual log review is labor-intensive. Learn more at ScienceDirect on HMM for IDS.
Study Outcomes
Understand CASP Practice Question Formats -
Recognize key components of CASP practice questions and how they mirror real-world exam scenarios to better anticipate question types.
Analyze Network Vulnerabilities -
Assess common network weaknesses and evaluate appropriate security controls to mitigate potential threats.
Apply Data Sanitization Techniques -
Implement effective data sanitization methods to ensure sensitive information is securely handled according to best practices.
Evaluate Security Control Measures -
Compare and judge various security controls and countermeasures to determine the most effective solutions for advanced security challenges.
Interpret Advanced Security Scenarios -
Break down complex cybersecurity situations similar to a CASP exam quiz to improve critical thinking and decision-making skills.
Boost CASP Exam Readiness -
Build confidence and identify knowledge gaps through focused practice, ensuring a strong performance on CASP certification questions.
Cheat Sheet
Risk Management Framework (RMF) Mastery -
Familiarize yourself with the NIST SP 800-37 Rev. 2 RMF steps: Prepare, then Categorize, Select, Implement, Assess, Authorize, Monitor. The mnemonic "CSI-AAM" covers the six core phases; remember that Rev. 2 placed Prepare in front of them. Apply the cycle to real-world scenarios like cloud migrations, since RMF ties directly into CASP exam decisions on control selection and continuous monitoring (NIST SP 800-37 Rev. 2).
Network Vulnerability Assessment vs. Penetration Testing -
Know that vulnerability scans identify potential weaknesses (e.g., open ports, outdated patches) while penetration tests exploit those flaws to prove real risk. Practice with tools such as Nessus for scanning and Metasploit for exploitation to grasp each method's scope and limitations. Remember: "Scan to see, Pen-test to prove," which clarifies objectives when answering CASP exam quiz questions.
Data Sanitization Techniques -
Review NIST SP 800-88 guidelines for Clear (logical techniques such as overwriting), Purge (degaussing, cryptographic erase, or the drive's firmware sanitize command), and Destroy (physical destruction) to prevent data remanence. Note that SP 800-88 Rev. 1 treats a single overwrite pass as sufficient for modern magnetic disks, so older multi-pass schemes (e.g. three passes of 0xFF, 0x00, random) are no longer required there, while overwriting is unreliable on SSDs and flash media because of wear leveling; use cryptographic erase or the sanitize command instead. Categorizing media by data sensitivity and whether it will leave your control lets you choose the fastest sanitization method that still meets the requirement.
Security Control Types and Mapping -
Distinguish between preventive, detective, and corrective controls; use the "PDC" acronym to anchor your study. For instance, firewalls (preventive), SIEM alerts (detective), and patch management (corrective) form a layered defense strategy. Mapping these to real frameworks like ISO 27001 Annex A reinforces your ability to match controls to organizational objectives on the CASP exam.
Advanced Cryptographic Concepts -
Contrast symmetric (AES-256) and asymmetric (RSA-2048, ECC) algorithms, and understand key management best practices, such as using an HSM for private key storage. Strength is not a simple function of key length across algorithm types, so compare equivalent security levels instead: per NIST SP 800-57, 128-bit security corresponds to AES-128, RSA-3072, and a 256-bit elliptic curve, which is why ECC delivers the same level with far smaller keys and faster operations than RSA. Mastering these distinctions is critical for tackling CompTIA CASP practice questions on encryption architectures.