New Insights for the CASP+ CAS-004 Exam

By Bob Weiss

I just took the new CASP+ CAS-004 Exam on March 14.  This exam is an unscored pass/fail exam.  I passed.  There were very many questions where the feeling was “when did we ever learn about this?”  I’m an instructor for this course, and several others.  So the moral of the story: let go of your negative feelings of uncertainty and failure.  You ARE prepared, even if the subjects in the questions seem unfamiliar.  Read the scenario, read the question, pick an answer.  Go with your first answer.  Don’t overthink it, and don’t second-guess yourself.  Never change an answer; the first impression is almost always the right one.

This post is an accumulation over time, and I am adding new content as it happens.  Also, check me out on Reddit: https://www.reddit.com/r/CompTIA/comments/te8i8y/i_just_passed_the_casp_cas004_exam/

There was only one Performance-Based Question (PBQ), and it was the first one on the exam.  The one I had was a Business Continuity/Disaster Recovery scenario.  There was a network map of two offices connected by a VPN, and a number of different hosts at each location.  In the scenario, there was a disaster at Location A.  There were three “findings” about certain situations that weren’t working correctly, and I had to match each finding to one or more devices.  One of the findings also required me to choose a mitigation from a drop-down list.  I did not think this was overly hard, although I did reset the board 3 times before settling on my 4th answer set.  Usually I wait to do the PBQs at the end, but this one seemed simple enough so I just completed PBQ1 and moved on.

Then there was a “Virtual Environment” question.  These are different; I had not seen one like this before.  You HAVE to answer it in the order you get it: if you skip it you can’t go back, and you get no points.  Once you have answered it, you can’t go back either.  My Virtual question gave me a simulated Linux Ubuntu desktop.  The scenario was that this system had been maliciously breached and had been repaired, but the security tech is concerned that a malicious TCP process is still running, and your job is to find it, identify it, disable it, and kill it, all within the constraints of the Ubuntu terminal window.  You definitely need to know your Linux commands for this one.  This is similar to the PBQ 1-3 listed below.

To get good practice in Linux, I would recommend installing Kali Linux as a virtual machine, and learning how to work at the terminal window.

There was a lot of emphasis on Business Continuity/Disaster Recovery, Cloud, Authentication, and Software Security.

If you have taken this exam recently and wish to contribute some of your experiences, I would add them to this article.


Here are some tips on the Performance Based Questions (PBQ) from the CAS-003.  They may be out of date, but in my experience these PBQ questions hang around for a while.  These come from Quizlet: https://quizlet.com/it/513316332/casp-cas-003-performance-based-questions-flash-cards/  These are offered as examples, not verbatim copies of actual exam questions.


PBQ 1 Part 1 As a security administrator, you are asked to harden a server running Red Hat Enterprise Server 5.5 64-bit. This server is being used as a DNS and time server. It is not used as a database, web server, or print server. There are no wireless connections to the server and it does not need to print. You need to disable and turn off unrelated services and processes. What command would you use to check the configuration?

chkconfig --list


PBQ 1 Part 2 As a security administrator, you are asked to harden a server running Red Hat Enterprise Server 5.5 64-bit. This server is being used as a DNS and time server. It is not used as a database, web server, or print server. There are no wireless connections to the server and it does not need to print. You need to disable and turn off unrelated services and processes. What services would you need to disable to accomplish this?

httpd
mysqld
lpd
bluetooth
wpa_supplicant


PBQ 1 Part 3 As a security administrator, you are asked to harden a server running Red Hat Enterprise Server 5.5 64-bit. This server is being used as a DNS and time server. It is not used as a database, web server, or print server. There are no wireless connections to the server and it does not need to print. You need to disable and turn off unrelated services and processes. After you have stopped the service using the “service <servicename> stop” command, what needs to be done?

You need to kill the process. First type ps -A, which lists all the running processes. Find the service you want to kill and do so with the command kill -9 262 (example), where 262 is the process ID associated with the service.


PBQ 2 Part 1 An administrator wants to install a patch to an application. Given the scenario, download, verify and install the patch in the most secure manner. What is your first step?

Out of the six downloads, some may be HTTP and others HTTPS. Use only the HTTPS ones.


PBQ 2 Part 2 An administrator wants to install a patch to an application. Given the scenario, download, verify and install the patch in the most secure manner. When downloading the patch, move on if you get these errors:

The file does not download in a reasonable amount of time, or you get a certificate warning.


PBQ 2 Part 3 An administrator wants to install a patch to an application. Given the scenario, download, verify and install the patch in the most secure manner. If a file downloads uneventfully, how would you check the hash of that file against the control hash given?

Type md5sum install.exe and hit Enter, then compare the resulting hash to the control hash given. md5sum should be in the directory you are in (the C:\Downloads directory). install.exe is the file you downloaded from the patch site and should also be in that same directory.


PBQ 2 Part 4 An administrator wants to install a patch to an application. Given the scenario, download, verify and install the patch in the most secure manner. If you find the file that matches the control hash given on the download center site, how would you install that patch?

Make sure the correct file is in the downloads directory, that you are in the downloads directory, and just type install.exe.
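The hash check from Part 3, written out as a small POSIX shell script; this is an added example, not exam or Quizlet content. It assumes the control hash is an MD5 (32 hex digits, as in the PBQ) or SHA-256 (64 hex digits) value and that md5sum/sha256sum (or their macOS equivalents) are on the PATH; the sample file in the comments is constructed.

```shell
#!/bin/sh
# Added example: verify a downloaded patch against the vendor's control hash.
# Two things a bare "md5sum install.exe" leaves to the eye are handled here:
# the algorithm is chosen from the control hash's length, and the comparison
# is case-insensitive, so a hash pasted in upper case still matches.

# hash_file ALGO FILE -> lowercase hex digest on stdout
hash_file() {
  case "$1" in
    md5)
      if command -v md5sum >/dev/null 2>&1; then md5sum "$2"; else md5 -r "$2"; fi \
        | awk '{print $1}' ;;
    sha256)
      if command -v sha256sum >/dev/null 2>&1; then sha256sum "$2"; else shasum -a 256 "$2"; fi \
        | awk '{print $1}' ;;
  esac
}

# verify_patch FILE CONTROL_HASH
#   returns 0 when the digest matches, 1 on a mismatch,
#   2 when the file is missing or the control hash has an unknown length.
verify_patch() {
  file="$1"
  control=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # normalise to lower case
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
  case ${#control} in
    32) algo=md5 ;;
    64) algo=sha256 ;;
    *)  echo "control hash is neither MD5 (32) nor SHA-256 (64) hex digits" >&2; return 2 ;;
  esac
  actual=$(hash_file "$algo" "$file")
  if [ "$actual" = "$control" ]; then
    echo "$algo OK: $file"
    return 0
  fi
  echo "$algo MISMATCH for $file: got $actual, expected $control" >&2
  return 1
}

# Usage (the PBQ case): verify_patch install.exe <control hash from the download page>
```

MD5 is what the PBQ asks for, but collisions against it are practical, so on a real system prefer a SHA-256 value or a vendor signature when the download page offers one.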


Check out this chat of mine on Reddit – https://www.reddit.com/r/CompTIA/comments/te8i8y/i_just_passed_the_casp_cas004_exam/


Added on 2022-06-28 – Searching YouTube for “CAS-004 Forensic Linux Sim”, I did find a two hour video tutorial on Linux Forensics at https://www.youtube.com/watch?v=HTEj8UY2TA8. I am watching it now. Some of this content may be useful in understanding the process that is being tested in the Sim.



Question from a test taker about the Simulated Virtual Environment question

I have to be careful here, I can provide guidance but not explicit information.  Conversation follows.

M – We were just talking on Reddit. I remember the exercise almost verbatim but I don’t want to make you feel uncomfortable with non-disclosure etc. But if you have any insight or tools to help me learn command line quickly or what to look for I think I can pass the rest. I’m fairly certain the exercise is what held me back. Let me know and I can send it to you. Also looking forward to reading your blog tomorrow.

Bob – Ok, so you have some work ahead of you, but not a lot.  You need a few Linux command line tools.

First step is to get a copy of Linux on a computer.  Easiest way is to set up a virtual machine.  I have a VM of Kali Linux I use for all sorts of security work.  But Ubuntu would be the distro on the test.  Ever set up a VM?

I use VirtualBox.  It is free.  Go to virtualbox.org.  Download and install.  After that, install the Extension Pack.

Then go to kali.org or ubuntu.com.  I know Kali better.  But they are both Debian Linux distros.  In Kali, choose the Virtual Machine option, and then download the VirtualBox option.  Save it where you can find it, then open VirtualBox and go to File, Import Appliance, and then find your download and you are done.

Let me know if you get it working.  Or let me know if you already have done this.

M – Thank you for sending.  I tried to download Kali but I don’t have enough space on my computer; it’s just a basic Acer.  Trying to find a better option.

Bob – Ah, too bad.  You could make a bootable USB drive to get around that problem; look lower on the Kali downloads page.  Unfortunately you can’t flip back and forth between the Windows host OS and the Kali virtual OS.  You boot into the drive and it’s all Kali all the time.

I’ll send you a list of commands to learn, just need some time to pull them together.

Here are some Linux commands to learn.

At the beginning of the question the test offers suggestions about what Linux commands may be useful in this question.  Take the hint.  Write the commands on your note card.  You will be using them.

If you need help, try the man command.  For instance, man netstat shows the available options for netstat.  Press q to quit or exit.  Generally speaking, Windows help or Linux man information is available in the testing environment.  Not sure?  Get help!

One command you might need for this question is netstat.  This will show a running list of TCP connections.  I opened my website at http://wyzguyscybersecurity.com.  It shows up on the first line in the image below.

You can see all the other TCP connections.  You will have to scroll back to the top of this report, as it goes on for several pages.

Another command you may need is ps.  This will show you the process IDs for all running processes.  Try to find the rogue process in question.  Here is the man page.

Here’s the man page for the service command.

Let’s try the command service --status-all.  You should see a list of running services.  If we were trying to stop a rogue service named rogue, type service rogue stop.

The kill command will kill the rogue service.  Do so by command kill -9 262 (example) where 262 is the id number associated with the service.  Of course you will use the process ID you identified earlier.

This question will take a lot of time in the middle of the exam, but it is a must-do with no going back.  So practice makes perfect here.  Find your way by practicing on the Kali Linux VM you created earlier.
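The netstat, ps and kill steps above, put together as one POSIX shell script you can run on your practice VM; this is an added example, not part of the post or the exam. It works over constructed netstat -tunap and ps -eo pid,ppid,pcpu,comm snapshots (the PIDs, the .sysd-helper name and the 203.0.113.7 peer are made up), so the triage logic can be tried offline, and only stop_process touches a live process.

```shell
#!/bin/sh
# Added example: find a rogue TCP process, confirm it with ps, then stop it.
# On the exam you would run the real commands; here the SAMPLE_* variables
# hold CONSTRUCTED output so the script can be exercised without a breach.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address          Foreign Address        State       PID/Program name
tcp        0      0 127.0.0.1:631          0.0.0.0:*              LISTEN      812/cupsd
tcp        0      0 192.168.56.10:22       192.168.56.1:51200     ESTABLISHED 1410/sshd: bob
tcp        0      0 192.168.56.10:44312    203.0.113.7:4444       ESTABLISHED 2031/.sysd-helper
tcp6       0      0 :::22                  :::*                   LISTEN      945/sshd'

SAMPLE_PS='  PID  PPID %CPU COMMAND
    1     0  0.0 systemd
  812     1  0.0 cupsd
  945     1  0.0 sshd
 1410   945  0.1 sshd
 2031     1 97.3 .sysd-helper'

# Step 1 (netstat): established TCP sessions whose peer is outside the
# trusted local prefix. Prints "PID program peer:port", one per line.
external_tcp_sessions() {
  printf '%s\n' "$SAMPLE_NETSTAT" | awk -v pfx="$1" '
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
      split($7, prog, "/")                  # "2031/.sysd-helper" -> pid, name
      peer = $5; sub(/:[0-9]+$/, "", peer)  # strip the port
      if (index(peer, pfx) != 1) print prog[1], prog[2], $5
    }'
}

# Step 2 (ps): cross-check one PID. Prints a comma-separated list of
# warning signs: "cpu" if it burns more than half a core, "dotname" if the
# command name starts with a dot (hidden from a plain ls). Empty = nothing odd.
ps_flags() {
  printf '%s\n' "$SAMPLE_PS" | awk -v want="$1" '
    $1 == want {
      r = ""
      if ($3 + 0 > 50) r = r "cpu,"
      if ($4 ~ /^\./)  r = r "dotname,"
      sub(/,$/, "", r); print r
    }'
}

# Steps 1+2 together: one line per suspect, with the ps findings in brackets.
triage() {
  external_tcp_sessions "$1" | while read -r pid prog peer; do
    printf '%s %s -> %s [%s]\n' "$pid" "$prog" "$peer" "$(ps_flags "$pid")"
  done
}

# Step 3 (kill): SIGTERM first, then the page's kill -9 (SIGKILL) if the
# process is still there a second later. Returns 0 once the PID is gone.
stop_process() {
  pid="$1"
  if ! kill -TERM "$pid" 2>/dev/null; then return 0; fi   # already gone
  sleep 1
  if kill -0 "$pid" 2>/dev/null; then kill -KILL "$pid" 2>/dev/null || true; fi
  wait "$pid" 2>/dev/null || true      # reap it if it was our own child
  ! kill -0 "$pid" 2>/dev/null
}

# Usage on the sample: triage 192.168.56.   (then stop_process <pid> for real)
```

On a live Ubuntu box replace the two SAMPLE_* variables with `netstat -tunap` (or `ss -tunap`) and `ps -eo pid,ppid,pcpu,comm` output; the service --status-all / service <name> stop step from the text still comes before stop_process so the process is not simply respawned.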


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Comments

  1. First Last  April 12, 2022

    Very helpful post! I’m planning to take the CASP+ exam here soon (mostly because I do not have the experience requirements for the CISSP). My company pays for my training and voucher, so I was looking to buy the high end CompTIA training bundle for this with all the labs, which I think will help a lot. Any suggestions on study materials besides the CISSP Boson materials you mentioned on Reddit?

  2. bobwyzguy  April 12, 2022

    Hello First Last!

    First, good luck with your studies and pending exam.

    I would recommend taking the CISSP after passing the CASP while it is still fresh in your mind. You can be an Associate of the (ISC)2 and upgrade to full certification status when you get the 5 years squared away.

    There are many resources you could use. This article is really focusing on the CISSP, but much of the material is good study material for the CASP, CySA, Security+, even the PenTest+ or CEH. Check this out: https://wyzguyscybersecurity.com/comments-on-the-cissp-computer-adaptive-exam/

    You can contact me at bob@wyzguys.com. I am available for tutoring this exam if you are interested.

  3. Manny Lima  April 20, 2022

    Wish I saw this before taking the exam. I had no idea this question was coming and had to skip it, and I failed the exam. I had all the multiple-choice questions memorized but yet I still somehow failed. Are these lab questions worth a lot of points?

  4. Manny Lima  April 20, 2022

    This was in regard to the Linux TCP virtual environment.

  5. bobwyzguy  April 20, 2022

    Yes, the Performance Based Questions and especially (I think) the Simulated Question carry a lot of weight on the exam. I think failing or not responding to the Sim Q pretty much guarantees a fail.

    One thing that most test takers don’t know is that HELP is available. If your PBQ or SimQ has a command window or terminal window, you can invoke help (such as ipconfig /?) and the help files will open, but JUST THE COMMANDS YOU NEED FOR THE TEST QUESTION. So if you are at the C prompt, just typing help or the ? will show you the commands that are necessary for the question. Not all the help, just what is covered on the question. This is a huge clue.

    If you are in Linux, the man (Manual) pages are available. Again, just the ones you need for the exam question.

  6. Manny Lima  April 20, 2022

    These were my results. Which sections do you think were the virtual exam? My guess: Sections 1-3?

    You incorrectly answered one or more questions in the following objective areas:
    1.1 Given a scenario, analyze the security requirements and objectives to ensure an appropriate, secure network architecture for a new or existing network.
    1.2 Given a scenario, analyze the organizational requirements to determine the proper infrastructure security design.
    1.3 Given a scenario, integrate software applications securely into an enterprise architecture.
    1.4 Given a scenario, implement data security techniques for securing enterprise architecture.
    1.5 Given a scenario, analyze the security requirements and objectives to provide the appropriate authentication and authorization controls.
    1.6 Given a set of requirements, implement secure cloud and virtualization solutions.
    1.7 Explain how cryptography and public key infrastructure (PKI) support security objectives and requirements.
    2.1 Given a scenario, perform threat management activities.
    2.2 Given a scenario, analyze indicators of compromise and formulate an appropriate response.
    2.4 Given a scenario, use the appropriate vulnerability assessment and penetration testing methods and tools.
    2.5 Given a scenario, analyze vulnerabilities and recommend risk mitigations.
    2.6 Given a scenario, use processes to reduce risk.
    2.9 Given a scenario, use forensic analysis tools.
    3.1 Given a scenario, apply secure configurations to enterprise mobility.
    3.2 Given a scenario, configure and implement endpoint security controls.
    3.3 Explain security considerations impacting specific sectors and operational technologies.
    3.4 Explain how cloud technology adoption impacts organizational security.
    3.5 Given a business requirement, implement the appropriate PKI solution.
    3.6 Given a business requirement, implement the appropriate cryptographic protocols and algorithms.
    3.7 Given a scenario, troubleshoot issues with cryptographic implementations.
    4.1 Given a set of requirements, apply the appropriate risk strategies.
    4.2 Explain the importance of managing and mitigating vendor risk.
    4.3 Explain compliance frameworks and legal considerations, and their organizational impact.
    4.4 Explain the importance of business continuity and disaster recovery concepts

  7. bobwyzguy  April 21, 2022

    Yes, you could be on the right track. I checked Reddit for more comments about CAS-004 but was not finding much.

  8. ROG141  April 22, 2022

    Today I took the CAS-004. By mistake I skipped the “Simulated Virtual Environment” and I couldn’t return to the SIM, so I failed the exam. The test had 81 questions. Sad but true 🙁

    • bobwyzguy  May 23, 2022

      CompTIA does explain that there is no going back on the Sim. Do your best, don’t skip it.

  9. Sam  May 27, 2022

    I just failed casp+ and that simulation was a bummer. I spent 10+ minutes on it and hit next thinking I could go back but forgot that I couldn’t.

    I tried to find the malicious connection but idk what to look for? Was it supposed to be obvious like hackerDomain and is the process supposed to be obvious too?

    I had the disaster recovery but I totally did not understand what it’s wanting me to do. I am so bummed out!

    The multiple questions were sooo hard. All the studying I did seemed very useless.

  10. bobwyzguy  May 28, 2022

    The malicious process could be consuming large amounts of system resources, especially processor and RAM (memory). ps should reveal that.

    Yes, a process name that seems wrong, or a process that has a similar name to a correct process, would be suspicious.

    You have to stop the process in ps and then kill it.

    Most people do not know Linux well, so more time on a Linux system would help.

  11. First  June 20, 2022

    Finally took the CASP+, couldn’t find the rogue process with ps but was able to disable the service. Nothing was glaringly obvious to me. Going to study Jason Dion’s materials and try again I suppose as maybe I can get partial credit for the SIM and attempt to get perfect on the multiple choice.

  12. John  June 24, 2022

    I took the CASP+ 004 and I struggled most with the virtual environment. I could not find any malicious processes and I used all commands such as ps, ss, netstat, and top, and I could not use commands like systemctl, service, and kill. Some of the questions were a bit iffy but I believe I was dragged down by the virtual environment. I think the question is very misleading.

  13. no cow  June 27, 2022

    I am taking CASP this week and I am familiar with Ubuntu. I am curious if they strictly test on Linux? I know some commands are different such as the chkconfig on ubuntu is update-rc.d. Thanks for the info!

  14. bobwyzguy  June 27, 2022

    The Sim is all Linux. The Other PBQs could be on several things.

  15. Tom  June 28, 2022

    Yesterday was fail 3 for me. I know that I answered at least 76 of the multiple choice questions correctly and thought I maybe passed the virtual Linux question, but I guess I didn’t. This has been the same for the other 2 tests... strong on the multiple choice, not on the virtual Linux. I don’t know how they can put so much emphasis on one question when none of the training covered it?

  16. bobwyzguy  June 28, 2022

    First, I admire your persistence. It seems like the Simulation on Linux is tripping up many test takers. I am convinced that you need a Linux installation like a Virtual Machine to learn the use of some of the commands that are necessary for this question. If you believe the question is too difficult or unfair, you should probably open a case with CompTIA about it, but I wouldn’t expect much. If enough testers complain, maybe the Sim will be replaced with something a little easier to pass.

  17. Tom  June 28, 2022

    I installed Virtualbox and have an Ubuntu VM running. I have been practicing using netstat to show a process that doesn’t look correct, finding the pid and killing it. I am lacking at finding a malicious service and knowing what to do to prevent it from running again. I have been trying to figure out what looks right or wrong in crontab and several other things but I can’t seem to put everything together. Can you name a resource free or not that would help me? Thanks Bob.

  18. bobwyzguy  June 28, 2022

    As to how to find the malicious file, I would expect the file name to be the process name. It may take some looking to find where it is lodged in the system files, but there is an iterative search parameter of the ls command that uses ./././. that will parse the entire file tree. Another ls command will show the file path.

    I went looking for other practice resources and especially YouTube videos in the CAS-004 Linux Sim. It seems that some sources are calling this a Forensics SIM, which it is. Another term to add to your search.

    I found something interesting at https://www.certification-questions.com/comptia-exam/cas-004-dumps.html that some of their content was taken down over DMCA conflicts. Sounds like CompTIA wasn’t happy that someone was revealing the solution to the sim (perhaps).

    My exploration of YouTube today revealed nothing specific to the Sim, just a lot of trainers and training companies selling their certification wares.

    Searching YouTube for “CAS-004 Forensic Linux Sim”, I did find a two hour video tutorial on Linux Forensics at https://www.youtube.com/watch?v=HTEj8UY2TA8. I am watching it now. Some of this content may be useful in understanding the process that is being tested in the Sim. This is a lecture from what I assume to be a college class. He uses a lot of third party tools that aren’t part of the exam, so I am not sure how helpful this will be.

    We need to hear from people who passed and are willing to share some insights. I am not looking for the answer, which would be a violation of the CompTIA NDA, just some help with the questions other test takers are asking.
