CompTIA CAS-005 Online Practice Questions and Exam Preparation

CompTIA CAS-005 Online Questions & Answers

• Question 111:

  A systems administrator wants to introduce a newly released feature for an internal application. The administrate docs not want to test the feature in the production environment.

  Which of the following locations is the best place to test the new feature?

  A. Staging environment
  B. Testing environment
  C. CI/CO pipeline
  D. Development environment
  A. Staging environment

  ---

  Explanation

  The best location to test a newly released feature for an internal application, without affecting the production environment, is the staging environment. Here's a detailed explanation:

  Staging Environment: This environment closely mirrors the production environment in terms of hardware, software, configurations, and settings. It serves as a final testing ground before deploying changes to production. Testing in the staging

  environment ensures that the new feature will behave as expected in the actual production setup.

  Isolation from Production: The staging environment is isolated from production, which means any issues arising from the new feature will not impact the live users or the integrity of the production data. This aligns with best practices in change

  management and risk mitigation.

  Realistic Testing: Since the staging environment replicates the production environment, it provides realistic testing conditions. This helps in identifying potential issues that might not be apparent in a development or testing environment, which

  often have different configurations and workloads.

• Question 112:

  Third parties notified a company's security team about vulnerabilities in the company's application. The security team determined these vulnerabilities were previously disclosed in third-party libraries.

  Which of the following solutions best addresses the reported vulnerabilities?

  A. Using laC to include the newest dependencies
  B. Creating a bug bounty program
  C. Implementing a continuous security assessment program
  D. Integrating a SASI tool as part of the pipeline
  D. Integrating a SASI tool as part of the pipeline

  ---

  Explanation

  The best solution to address reported vulnerabilities in third-party libraries is integrating a Static Application Security Testing (SAST) tool as part of the development pipeline. Here's why:

  Early Detection: SAST tools analyze source code for vulnerabilities before the code is compiled. This allows developers to identify and fix security issues early in the development process. Continuous Security: By integrating SAST tools into

  the CI/CD pipeline, the organization ensures continuous security assessment of the codebase, including third-party libraries, with each code commit and build. Comprehensive Analysis:

  SAST tools provide a detailed analysis of the code, identifying potential vulnerabilities in both proprietary code and third-party dependencies, ensuring that known issues in libraries are addressed promptly.

• Question 113:

  A company is moving several of its systems to a multicloud environment and wants to automate the creation of the new servers using a standard image. Which of the following should the company implement to best support this goal?

  A. PowerShell
  B. Bash
  C. Terraform
  D. Ansible
  C. Terraform

  ---

  The most effective solution is Terraform (C), an Infrastructure as Code (IaC) tool that allows organizations to define and provision infrastructure resources across multiple cloud providers using a consistent configuration language. For a multicloud strategy, Terraform provides cloud-agnostic templates, ensuring that server creation, networking, and storage provisioning are automated and standardized across AWS, Azure, GCP, or other providers. This aligns with CAS-005 best practices for cloud automation

  and consistency.

  PowerShell (A) and Bash (B) are scripting tools that can automate tasks but are typically tied to specific operating systems and lack multicloud orchestration capabilities. Ansible (D) is a strong automation tool for configuration management and application deployment, but Terraform is specifically designed to provision and manage infrastructure at scale across multicloud environments.

  By using Terraform, the company can enforce consistent images, reduce human error, ensure compliance through reusable templates, and improve operational efficiency while maintaining flexibility across multiple providers.

• Question 114:

  To bring digital evidence in a court of law, the evidence must be:

  A. material.
  B. tangible.
  C. consistent.
  D. conserved.
  A. material.

  ---

  Explanation

  For evidence to be admissible in court, it must be material, meaning it must be relevant and have a significant impact on the case. Material evidence directly relates to the facts in dispute and can affect the outcome of the case by proving or disproving a key point.

• Question 115:

  Which of the following security risks should be considered as an organization reduces cost and increases availability of services by adopting serverless computing?

  A. Level of control and influence governments have over cloud service providers
  B. Type of virtualization or emulation technology used in the provisioning of services
  C. Vertical scalability of the infrastructure underpinning the serverless offerings
  D. Use of third-party monitoring of service provisioning and configurations
  A. Level of control and influence governments have over cloud service providers

  ---

  Explanation

  In serverless computing, organizations rely heavily on CSPs to manage the infrastructure, runtime, and scaling. A key risk is thelevel of control and influence governments have over CSPs, potentially affecting availability, access, or

  confidentiality of hosted services due to legal orders or government actions. Concerns about virtualization technologies, scalability, or third-party monitoring are valid but less critical compared to the overarching legal and control risks tied to

  CSP reliance.

  CompTIA SecurityX CAS-005, Domain 4.0: Understand the legal and regulatory impacts and risks of adopting third-party serverless solutions.

• Question 116:

  A company updates its cloud-based services by saving infrastructure code in a remote repository. The code is automatically deployed into the development environment every time the code is saved lo the repository The developers express concern that the deployment often fails, citing minor code issues and occasional security control check failures in the development environment

  Which of the following should a security engineer recommend to reduce the deployment failures? (Select two).

  A. Software composition analysis
  B. Pre-commit code linting
  C. Repository branch protection
  D. Automated regression testing
  E. Code submit authorization workflow
  F. Pipeline compliance scanning
  B. Pre-commit code linting
  D. Automated regression testing

  ---

  Explanation

  B. Pre-commit code linting: Linting tools analyze code for syntax errors and adherence to coding standards before the code is committed to the repository. This helps catch minor code issues early in the development process, reducing the

  likelihood of deployment failures.

  D. Automated regression testing: Automated regression tests ensure that new code changes do not introduce bugs or regressions into the existing codebase. By running these tests automatically during the deployment process, developers

  can catch issues early and ensure the stability of the development environment.

  Other options:

  A. Software composition analysis: This helps identify vulnerabilities in third-party components but does not directly address code quality or deployment failures.

  C. Repository branch protection: While this can help manage the code

  submission process, it does not directly prevent deployment failures caused by code issues or security check failures.

  E. Code submit authorization workflow: This manages who can submit code but does not address the quality of the code being submitted.

  F. Pipeline compliance scanning: This checks for compliance with security policies but does not

  address syntax or regression issues.

  References:

  CompTIA Security+ Study Guide

  "Continuous Integration and Continuous Delivery" by Jez Humble and David Farley

  OWASP (Open Web Application Security Project) guidelines on secure coding practices

• Question 117:

  An organization is required to

  1.Respond to internal and external inquiries in a timely manner

  2.Provide transparency.

  3.Comply with regulatory requirements

  The organization has not experienced any reportable breaches but wants to be prepared if a breach occurs in the future.

  Which of the following is the best way for the organization to prepare?

  A. Outsourcing the handling of necessary regulatory filing to an external consultant
  B. Integrating automated response mechanisms into the data subject access request process
  C. Developing communication templates that have been vetted by internal and external counsel
  D. Conducting lessons-learned activities and integrating observations into the crisis management plan
  C. Developing communication templates that have been vetted by internal and external counsel

  ---

  Explanation

  Preparing communication templates that have been vetted by both internal and external counsel ensures that the organization can respond quickly and effectively to internal and external inquiries, comply with regulatory requirements, and

  provide transparency in the event of a breach.

  Why Communication Templates?

  Timely Response: Pre-prepared templates ensure that responses are ready to be deployed quickly, reducing response time.

  Regulatory Compliance: Templates vetted by counsel ensure that all communications meet legal and regulatory requirements. Consistent Messaging: Ensures that all responses are consistent, clear, and accurate, maintaining the

  organization's credibility. Crisis Management: Pre-prepared templates are a critical component of a broader crisis management plan, ensuring that all stakeholders are informed appropriately. Other options, while useful, do not provide the

  same level of preparedness and compliance:

  A. Outsourcing to an external consultant: This may delay response times and lose internal control over the communication.

  B. Integrating automated response mechanisms: Useful for efficiency but not for ensuring compliant and vetted responses.

  D. Conducting lessons-learned activities: Important for improving processes but does not provide immediate preparedness for communication.

  References:

  CompTIA SecurityX Study Guide

  NIST Special Publication 800-61 Revision 2, "Computer Security Incident Handling Guide"

  ISO/IEC 27002:2013, "Information technology -- Security techniques -- Code of practice for information security controls"

• Question 118:

  SIMULATION

  As a security administrator, you are asked to harden a server running Red Hat Enterprise Server 5.5 64-bit.

  This server is being used as a DNS and time server. It is not used as a database, web server, or print server. There are no wireless connections to the server, and it does not need to print.

  The command window will be provided along with root access. You are connected via a secure shell with root access.

  You may query help for a list of commands.

  Instructions:

  You need to disable and turn off unrelated services and processes.

  It is possible to simulate a crash of your server session. The simulation can be reset, but the server cannot be rebooted. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

  

  A. See the complete solution below in Explanation.
  B. PlaceHoder
  C. PlaceHoder
  D. PlaceHoder
  A. See the complete solution below in Explanation.

  ---

  Explanation

  In Order to deactivate web services, database services and print service, we can do following things 1) deactivate its services /etc/init.d/apache2 stop /etc/init.d/mysqld stop 2) close ports for these services Web Server iptables -I INPUT -p tcp -m tcp --dport 443 -j REJECTservice iptables save Print Server iptables -I INPUT -p tcp -m tcp --dport 631 -j REJECTservice iptables save Database Server iptables -I INPUT -p tcp -m tcp --dport <> -j REJECTservice iptables save 3) Kill the process any running for the same ps -aef|grep mysql kill -9 <>

• Question 119:

  An organization purchased a new manufacturing facility and the security administrator needs to:

  Implement security monitoring.

  Protect any non-traditional device(s)/network(s).

  Ensure no downtime for critical systems.

  Which of the following strategies best meets these requirements?

  A. Configuring honeypots in the internal network to capture malicious activity
  B. Analyzing system behavior and responding to any increase in activity
  C. Applying updates and patches soon after they have been released
  D. Observing the environment and proactively addressing any malicious activity
  D. Observing the environment and proactively addressing any malicious activity

  ---

  Explanation

• Question 120:

  A company receives reports about misconfigurations and vulnerabilities in a third-party hardware device that is part of its released products.

  Which of the following solutions is the best way for the company to identify possible issues at an earlier stage?

  A. Performing vulnerability tests on each device delivered by the providers
  B. Performing regular red-team exercises on the vendor production line
  C. Implementing a monitoring process for the integration between the application and the vendor appliance
  D. Implementing a proper supply chain risk management program
  D. Implementing a proper supply chain risk management program

  ---

  Explanation

  Addressing misconfigurations and vulnerabilities in third-party hardware requires a comprehensive approach to manage risks throughout the supply chain. Implementing a proper supply chain risk management (SCRM) program is the most effective solution as it encompasses the following: Holistic Approach: SCRM considers the entire lifecycle of the product, from initial design through to delivery and deployment. This ensures that risks are identified and managed at every stage. Vendor Management: It includes thorough vetting of suppliers and ongoing assessments of their security practices, which can identify and mitigate vulnerabilities early. Regular Audits and Assessments: A robust SCRM program involves regular audits and assessments, both internally and with suppliers, to ensure compliance with security standards and best practices. Collaboration and Communication: Ensures that there is effective communication and collaboration between the company and its suppliers, leading to faster identification and resolution of issues. Other options, while beneficial, do not provide the same comprehensive risk management:

  A. Performing vulnerability tests on each device delivered by the providers: While useful, this is reactive and only addresses issues after they have been delivered.

  B. Performing regular red-team exercises on the vendor production line: This

  can identify vulnerabilities but is not as comprehensive as a full SCRM program.

  C. Implementing a monitoring process for the integration between the application and the vendor appliance: This is important but only covers the integration

  phase, not the entire supply chain.

  References:

  CompTIA SecurityX Study Guide

  NIST Special Publication 800-161, "Supply Chain Risk Management Practices for Federal Information Systems and Organizations"

  ISO/IEC 27036-1:2014, "Information technology -- Security techniques -- Information security for supplier relationships"