CompTIA CAS-005 Online Practice Questions and Exam Preparation
CAS-005 Exam Details
Exam Code: CAS-005
Exam Name: CompTIA SecurityX
Certification: CompTIA Certifications
Vendor: CompTIA
Total Questions: 406 Q&As
Last Updated: May 28, 2026
CompTIA CAS-005 Online Questions & Answers
Question 131:
While investigating a security event an analyst finds evidence that a user opened an email attachment from an unknown source. Shortly after the user opened the attachment, a group of servers experienced a large amount of network and resource activity. Upon investigating the servers, the analyst discovers the servers were encrypted by ransomware that is demanding payment within 48 hours or all data will be destroyed. The company has no response plans for ransomware.
Which of the following is the next step the analyst should take after reporting the incident to the management team?
A. Pay the ransom within 48 hours
B. Isolate the servers to prevent the spread
C. Notify law enforcement
D. Request that the affected servers be restored immediately
B. Isolate the servers to prevent the spread
Explanation
The immediate action after discovering ransomware is to isolate the affected servers to prevent further spread of the malware to other systems in the network. Paying the ransom is not recommended as it does not guarantee data recovery and encourages criminal behavior. Notifying law enforcement is necessary, but containment must happen first to limit damage. Requesting server restoration should only occur after containment and a thorough investigation to ensure no remnants of ransomware remain.
CompTIA SecurityX CAS-005, Domain 2.0: Execute incident response procedures to contain and mitigate incidents.
Question 132:
The identity and access management team is sending logs to the SIEM for continuous monitoring. The deployed log collector is forwarding logs to the SIEM. However, only false positive alerts are being generated.
Which of the following is the most likely reason for the inaccurate alerts?
A. The compute resources are insufficient to support the SIEM
B. The SIEM indexes are too large
C. The data is not being properly parsed
D. The retention policy is not properly configured
C. The data is not being properly parsed
Explanation
Proper parsing of data is crucial for the SIEM to accurately interpret and analyze the logs being forwarded by the log collector. If the data is not parsed correctly, the SIEM may misinterpret the logs, leading to false positives and inaccurate alerts. Ensuring that the log data is correctly parsed allows the SIEM to correlate and analyze the logs effectively, which is essential for accurate alerting and monitoring.
Question 133:
A security architect is investigating instances of employees who had their phones stolen in public places through seemingly targeted attacks. Devices are able to access company resources such as email and internal documentation, some of which can persist in application storage.
Which of the following would best protect the company from information exposure? (Select two).
A. Implement a remote wipe procedure if the phone does not check in for a period of time
B. Enforce biometric access control with configured timeouts
C. Set up geofencing for corporate applications where the phone must be near an office
D. Use application control to restrict the applications that can be installed
E. Leverage an MDM solution to prevent the side loading of mobile applications
F. Enable device certificates that will be used for access to company resources
A. Implement a remote wipe procedure if the phone does not check in for a period of time
B. Enforce biometric access control with configured timeouts
Explanation
To protect company information on stolen mobile devices, implementing remote wipe procedures ensures data can be erased if a device is suspected lost or stolen. Biometric access control with enforced timeouts further secures the device, requiring biometric authentication periodically, thus limiting unauthorized access even if the device is stolen. Geofencing and certificates provide additional security layers but are less immediate protections against information exposure after theft. Application control and side-loading prevention are important for malware threats but less so for stolen device scenarios.
CompTIA SecurityX CAS-005, Domain 3.0: Apply mobile device security strategies including remote wipe, biometrics, and device access controls.
Question 134:
A company must meet the following security requirements when implementing controls in order to be compliant with government policy:
1. Access to the system document repository must be MFA enabled.
2. Ongoing risk monitoring must be displayed on a system dashboard.
3. Staff must receive email notifications about periodic tasks.
Which of the following best meets all of these requirements?
A. Implementing a GRC tool
B. Configuring a privileged access management system
C. Launching a vulnerability management program
D. Creating a risk register
A. Implementing a GRC tool
Question 135:
A security operations engineer needs to prevent inadvertent data disclosure when encrypted SSDs are reused within an enterprise.
Which of the following is the most secure way to achieve this goal?
A. Executing a script that deletes and overwrites all data on the SSD three times
B. Wiping the SSD through degaussing
C. Securely deleting the encryption keys used by the SSD
D. Writing non-zero, random data to all cells of the SSD
C. Securely deleting the encryption keys used by the SSD
Explanation
The most secure way to prevent inadvertent data disclosure when encrypted SSDs are reused is to securely delete the encryption keys used by the SSD. Without the encryption keys, the data on the SSD remains encrypted and is effectively unreadable, rendering any residual data useless. This method is more reliable and efficient than overwriting data multiple times or using other physical destruction methods.
References:
CompTIA SecurityX Study Guide: Highlights the importance of managing encryption keys and securely deleting them to protect data.
NIST Special Publication 800-88, "Guidelines for Media Sanitization": Recommends cryptographic erasure as a secure method for sanitizing encrypted storage devices.
Question 136:
A global manufacturing company has an internal application that is critical to making products. This application cannot be updated and must be available in the production area. A security architect is implementing security for the application.
Which of the following best describes the action the architect should take?
A. Disallow wireless access to the application
B. Deploy intrusion detection capabilities using a network tap
C. Create an acceptable use policy for the use of the application
D. Create a separate network for users who need access to the application
D. Create a separate network for users who need access to the application
Explanation
Creating a separate network for users who need access to the application is the best action to secure an internal application that is critical to the production area and cannot be updated.
Why a separate network?
Network segmentation: Isolates the critical application from the rest of the network, reducing the risk of compromise and limiting the potential impact of any security incidents.
Controlled access: Ensures that only authorized users have access to the application, enhancing security and reducing the attack surface.
Minimized risk: Segmentation helps in protecting the application from vulnerabilities that could be exploited from other parts of the network.
Other options, while beneficial, do not provide the same level of security for a critical application:
Option A: Disallow wireless access: Useful but does not provide comprehensive protection.
Option B: Deploy intrusion detection capabilities using a network tap: Enhances monitoring but does not provide the same level of isolation and control.
Option C: Create an acceptable use policy: Important for governance but does not provide technical security controls.
References:
CompTIA SecurityX Study Guide
NIST Special Publication 800-125, "Guide to Security for Full Virtualization Technologies"
"Network Segmentation Best Practices," Cisco Documentation
Question 137:
To prevent data breaches, security leaders at a company decide to expand user education to:
1. Create a healthy security culture.
2. Comply with regulatory requirements.
3. Improve incident reporting.
Which of the following would best meet their objective?
A. Performing a DoS attack
B. Scheduling regular penetration tests
C. Simulating a phishing campaign
D. Deploying fake ransomware
C. Simulating a phishing campaign
Question 138:
DRAG DROP
A security administrator must configure the database server shown below to comply with the four requirements listed. Drag and drop the appropriate ACL that should be configured on the database server to its corresponding requirement. Answer options may be used once or not at all.
Select and Place:
Question 139:
A compliance officer is responsible for selecting the right governance framework to protect individuals' data. Which of the following is the appropriate framework for the company to consult when collecting international user data for the purpose of processing credit cards?
A. ISO 27001
B. COPPA
C. NIST 800-53
D. PCI DSS
D. PCI DSS
Question 140:
A company reduced its staff 60 days ago, and applications are now starting to fail. The security analyst is investigating to determine if there is malicious intent for the application failures. The security analyst reviews the following logs:
22:03:50 sshd[21502]: Success login for user01 from 192.168.2.5
22:10:00 sshd[21502]: Failed login for user10 from 192.168.2.5
22:11:40 sshd[21502]: Success login for user07 from 192.168.2.58
22:12:00 sshd[21502]: Failed login for user10 from 192.168.2.5
22:13:00 sshd[21502]: Failed login for user10 from 192.168.2.5
22:13:00 sshd[21502]: Success login for user03 from 192.168.2.27
22:13:00 sshd[21502]: Failed login for user10 from 192.168.2.5
Which of the following is the most likely reason for the application failures?
A. The user's account was set as a service account.
B. The user's home directory was deleted.
C. The user does not have sudo access.
D. The root password has been changed.
B. The user's home directory was deleted.
Explanation
When an employee leaves a company, their home directory might be deleted along with their account, leading to application failures if the directory contained configuration files, dependencies, or system scripts.