CompTIA CAS-005 Online Practice Questions and Exam Preparation

CompTIA CAS-005 Online Questions & Answers

• Question 121:

  An incident response analyst finds the following content inside of a log file that was collected from a compromised server: .2308464678 ... whoami ..... su2032829%72%322/// ...... /etc/passwd .... 2087031731467478432 ...$6490/90/./ ..< XML ?.. .... nty. Which of the following is the best action to prevent future compromise?

  A. Blocking the processing of external files by forwarding them to another server for processing
  B. Implementing an allow list for all text boxes throughout the web application
  C. Filtering inserted characters for all user inputs and allowing only ASCII characters
  D. Improving file-parsing capabilities to stop external entities from executing commands
  D. Improving file-parsing capabilities to stop external entities from executing commands

  ---

• Question 122:

  A common industrial protocol has the following characteristics:

  1.Provides for no authentication/security

  2.Is often implemented in a client/server relationship

  3.Is implemented as either RTU or TCP/IP

  Which of the following is being described?

  A. Profinet
  B. Modbus
  C. Zigbee
  D. Z-Wave
  B. Modbus

  ---

  Explanation

• Question 123:

  A security engineer receives the following findings from a recent security audit:

  1.

  Data should be protected based on user permissions and roles.

  2.

  User action tracking should be implemented across the network.

  3.

  Digital identities should be validated across the data access workflow.

  Which of the following is the first action the engineer should take to address the findings?

  A. Implement continuous and context-based authentication and authorization
  B. Use an enhanced user credential provisioning workflow and data monitoring tools
  C. Improve federation services for digital identities and data access
  D. Deploy OpenID Connect for API authentication
  A. Implement continuous and context-based authentication and authorization

  ---

  The first action is to implement continuous and context-based authentication and authorization (A). Traditional authentication validates users only at login, which creates gaps during active sessions. Continuous authentication ensures validation throughout the data access workflow, incorporating contextual factors like device state, geolocation, and behavioral analysis. This directly aligns with audit findings requiring protection by role, identity validation, and action tracking.

  Option B improves onboarding and monitoring but does not enforce continuous access control. Option C improves identity federation but does not provide session-by-session validation. Option D secures APIs but is too narrow for organization-wide identity workflows.

  CAS-005 stresses Zero Trust and context-aware IAM, making continuous authentication and authorization the top priority.

• Question 124:

  A security analyst needs to ensure email domains that send phishing attempts without previous communications are not delivered to mailboxes The following email headers are being reviewed

  

  Which of the following is the best action for the security analyst to take?

  A. Block messages from hr-saas.com because it is not a recognized domain.
  B. Reroute all messages with unusual security warning notices to the IT administrator
  C. Quarantine all messages with sales-mail.com in the email header
  D. Block vendor com for repeated attempts to send suspicious messages
  D. Block vendor com for repeated attempts to send suspicious messages

  ---

  Explanation

  In reviewing email headers and determining actions to mitigate phishing attempts, the security analyst should focus on patterns of suspicious behavior and the reputation of the sending domains. Here's the analysis of the options provided:

  A. Block messages from hr-saas.com because it is not a recognized domain: Blocking a domain solely because it is not recognized can lead to legitimate emails being missed. Recognition alone should not be the criterion for blocking.

  B.

  Reroute all messages with unusual security warning notices to the IT administrator: While rerouting suspicious messages can be a good practice, it is not specific to the domain sending repeated suspicious messages.

  C. Quarantine all

  messages with sales-mail.com in the email header: Quarantining messages based on the presence of a specific domain in the email header can be too broad and may capture legitimate emails.

  D. Block vendor com for repeated attempts to

  send suspicious messages: This option is the most appropriate because it targets a domain that has shown a pattern of sending suspicious messages. Blocking a domain that repeatedly sends phishing attempts without previous

  communications helps in preventing future attempts from the same source and aligns with the goal of mitigating phishing risks.

  References:

  CompTIA SecurityX Study Guide: Details best practices for handling phishing attempts, including blocking domains with repeated suspicious activity. NIST Special Publication 800-45 Version 2, "Guidelines on Electronic Mail Security":

  Provides guidelines on email security, including the management of suspicious email domains.

  "Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft" by Markus Jakobsson and Steven Myers: Discusses effective measures to counter phishing attempts, including blocking persistent

  offenders.

  By blocking the domain that has consistently attempted to send suspicious messages, the security analyst can effectively reduce the risk of phishing attacks.

• Question 125:

  A security officer performs due diligence activities before implementing a third-party solution into the enterprise environment. The security officer needs evidence from the third party that a data subject access request handling process is in place. Which of the following is the security officer most likely seeking to maintain compliance?

  A. Information security standards
  B. E-discovery requirements
  C. Privacy regulations
  D. Certification requirements
  E. Reporting frameworks
  C. Privacy regulations

  ---

  Explanation

  Privacy regulations (C), such as GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act), require companies to provide data subject access request (DSAR) handling processes. A DSAR allows individuals to request details about their personal data stored by a company and request modifications or deletions.

  Information security standards (A) focus on overall security controls, while e-discovery requirements (B) relate to legal investigations rather than ongoing compliance.

• Question 126:

  A financial services organization is using AI to fully automate the process of deciding client loan rates.

  Which of the following should the organization be most concerned about from a privacy perspective?

  A. Model explainability
  B. Credential theft
  C. Possible prompt injections
  D. Exposure to social engineering
  A. Model explainability

  ---

  Explanation

  When using AI to fully automate the process of deciding client loan rates, the primary concern from a privacy perspective is model explainability.

  Why Model Explainability is Critical:

  Transparency: It ensures that the decision-making process of the AI model can be understood and explained to stakeholders, including clients. Accountability: Helps in identifying biases and errors in the model, ensuring that the AI is making

  fair and unbiased decisions.

  Regulatory Compliance: Various regulations require that decisions, especially those affecting individuals' financial status, can be explained and justified. Trust: Builds trust among users and stakeholders by demonstrating that the AI decisions

  are transparent and justifiable.

  Other options, such as credential theft, prompt injections, and social engineering, are significant concerns but do not directly address the privacy and fairness implications of automated decision-making.

  References:

  CompTIA SecurityX Study Guide

  "The Importance of Explainability in AI," IEEE Xplore GDPR Article 22, "Automated Individual Decision-Making, Including Profiling"

• Question 127:

  A user from the sales department opened a suspicious file attachment. The sales department then contacted the SOC to investigate a number of unresponsive systems, and the team successfully identified the file and the origin of the attack. Which of the following is the next step of the incident response plan?

  A. Remediation
  B. Containment
  C. Response
  D. Recovery
  B. Containment

  ---

  Explanation

  Incident response follows a standard process (e.g., NIST 800-61): Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. After identifying the attack (file and origin), the next step isContainment--limiting the spread or impact (e.g., isolating systems) before remediation or recovery. Option A:Remediation (fixing the root cause) follows containment. Option B:Correct--containment prevents further damage post-identification. Option C:"Response" is too vague; it encompasses all steps. Option D:Recovery (restoring systems) comes after containment and eradication.

  CompTIA SecurityX CAS-005 Domain 4: Cybersecurity Operations ?Incident Response Lifecycle.

• Question 128:

  Recent repents indicate that a software tool is being exploited Attackers were able to bypass user access controls and load a database. A security analyst needs to find the vulnerability and recommend a mitigation. The analyst generates the following output: Which of the following would the analyst most likely recommend?

  

  A. Installing appropriate EDR tools to block pass-the-hash attempts
  B. Adding additional time to software development to perform fuzz testing
  C. Removing hard coded credentials from the source code
  D. Not allowing users to change their local passwords
  C. Removing hard coded credentials from the source code

  ---

  Explanation

  The output indicates that the software tool contains hard-coded credentials, which attackers can exploit to bypass user access controls and load the database. The most likely recommendation is to remove hard-coded credentials from the

  source code.

  Here's why:

  Security Best Practices: Hard-coded credentials are a significant security risk because they can be easily discovered through reverse engineering or simple inspection of the code. Removing them reduces the risk of unauthorized access.

  Credential Management: Credentials should be managed securely using environment variables, secure vaults, or configuration management tools that provide encryption and access controls. Mitigation of Exploits: By eliminating hard-coded

  credentials, the organization can prevent attackers from easily bypassing authentication mechanisms and gaining unauthorized access to sensitive systems.

• Question 129:

  The ISAC for the retail industry recently released a report regarding social engineering tactics in which small groups create distractions for employees while other malicious individuals install advanced card skimmers on the payment systems. The Chief Information Security Officer (CISO) thinks that security awareness training, technical control implementations, and governance already in place is adequate to protect from this threat. The board would like to test these controls. Which of the following should the CISO recommend?

  A. Dark web monitoring
  B. Adversary emulation engagement
  C. Supply chain risk consultation
  D. Tabletop exercises
  B. Adversary emulation engagement

  ---

• Question 130:

  A cybersecurity architect seeks to improve vulnerability management and orchestrate a large number of vulnerability checks. Key constraints include:

  1.

  There are 512 containerized microservices.

  2.

  Vulnerability data is sourced from multiple scanners.

  3.

  CIS baselines must be enforced.

  4.

  Scan activity must be scheduled.

  Which of the following automation workflows best meets this objective?

  A. Employing an endpoint data collection system
  B. Deploying an XCCDF scanner
  C. Utilizing CVSS reports for SOC analysts
  D. Using a repository scanner to enforce laC security
  B. Deploying an XCCDF scanner

  ---