CompTIA CAS-005 Online Practice Questions and Exam Preparation
CAS-005 Exam Details
Exam Code: CAS-005
Exam Name: CompTIA SecurityX
Certification: CompTIA Certifications
Vendor: CompTIA
Total Questions: 406 Q&As
Last Updated: May 28, 2026
CompTIA CAS-005 Online Questions & Answers
Question 151:
A company is rewriting a vulnerable application and adding the mprotect() system call in multiple parts of the application's code that a recent exploitation tool had been leveraging. Which of the following should be enabled to ensure the application can leverage the new system call against similar attacks in the future?
A. TPM B. Secure boot C. NX bit D. HSM
C. NX bit
Explanation
mprotect() only asks the kernel to change the permissions on a range of pages; removing execute permission can be enforced only if the processor supports it. The NX bit (XD on Intel, the execute-disable bit in the page-table entry) is that support. With it enabled, the kernel can mark stack, heap and data pages non-executable, so a payload an exploit writes into them faults instead of running, and the application's new mprotect() calls can keep a page writable or executable but never both. A TPM and an HSM store and use keys, and Secure Boot validates the firmware and boot chain; none of them affects per-page execute permissions at run time.
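A working illustration of what the question describes, added here and not part of the exam material: a page is filled while writable, then switched with mprotect() to readable-and-executable before it is run, so no page is ever writable and executable at the same time. It is written in Python over ctypes so the system call is visible; it assumes Linux on x86-64 or AArch64 (the two "return 42" encodings included are constructed for the demo) and CPython.

```python
import ctypes
import errno
import mmap
import platform

# Added example, not from the exam page. Assumes Linux on x86-64 or AArch64.
# Constructed machine code for a function that returns 42.
_RETURN_42 = {
    "x86_64": bytes([0xB8, 0x2A, 0x00, 0x00, 0x00,   # mov eax, 42
                     0xC3]),                          # ret
    "aarch64": bytes([0x40, 0x05, 0x80, 0x52,        # mov w0, #42
                      0xC0, 0x03, 0x5F, 0xD6]),       # ret
}

EINVAL = errno.EINVAL

_libc = ctypes.CDLL(None, use_errno=True)
_libc.mprotect.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int]
_libc.mprotect.restype = ctypes.c_int


def _page_address(buf):
    """Base address of an mmap buffer; the buffer export is released before returning."""
    view = ctypes.c_char.from_buffer(buf)
    addr = ctypes.addressof(view)
    del view
    return addr


def run_code_with_wx_separation(code=None):
    """Write code into a RW page, flip the page to R-X, run it, return its result.

    The page is never writable and executable at once. Both the flip to R-X and
    the fault an attacker would hit calling a page still marked RW depend on the
    NX bit marking non-executable pages in the page tables.
    """
    if code is None:
        code = _RETURN_42.get(platform.machine())
        if code is None:
            raise RuntimeError("no sample code for this CPU architecture")
    size = mmap.PAGESIZE
    # Stage 1: RW only. Safe to fill with bytes, not yet runnable.
    page = mmap.mmap(-1, size, flags=mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS,
                     prot=mmap.PROT_READ | mmap.PROT_WRITE)
    page[:len(code)] = code
    addr = _page_address(page)
    # Stage 2: drop PROT_WRITE and add PROT_EXEC in one call.
    if _libc.mprotect(addr, size, mmap.PROT_READ | mmap.PROT_EXEC) != 0:
        err = ctypes.get_errno()
        page.close()
        raise OSError(err, "mprotect(PROT_READ|PROT_EXEC) failed")
    result = ctypes.CFUNCTYPE(ctypes.c_int)(addr)()
    page.close()  # munmap
    return result


def mprotect_errno_for_unaligned_address():
    """mprotect() works on whole pages: a start address that is not page-aligned
    is refused with EINVAL. Returns the errno so a caller can check it."""
    size = mmap.PAGESIZE
    page = mmap.mmap(-1, size, flags=mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS,
                     prot=mmap.PROT_READ | mmap.PROT_WRITE)
    addr = _page_address(page)
    rc = _libc.mprotect(addr + 1, size - 1, mmap.PROT_READ)
    err = ctypes.get_errno() if rc != 0 else 0
    page.close()
    return err


if __name__ == "__main__":
    print("code page returned", run_code_with_wx_separation())
    print("unaligned mprotect errno", mprotect_errno_for_unaligned_address())
```

Calling the page while it is still RW would fault with a segmentation violation, which is the run-time effect NX provides; the example does not do that because the fault would take the interpreter down. The second function shows that mprotect() refuses an address that is not page-aligned, a detail that matters when protections are added at many points in a code base: the unit of permission is the page, not the buffer.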
Question 152:
While performing threat-hunting functions, an analyst is using the Diamond Model of Intrusion Analysis. The analyst identifies the likely adversary, the infrastructure involved, and the target. Which of the following must the threat hunter document to use the model effectively?
A. Knowledge B. Capabilities C. Phase D. Methodologies
B. Capabilities
Question 153:
A security technician is trying to connect a remote site to the central office over a site-to-site VPN. The technician has verified the source and destination IP addresses are correct, but the technician is unable to get the remote site to connect. The following error message keeps repeating:
An error has occurred during Phase 1 handshake. Deleting keys and retrying...
Which of the following is most likely the reason the connection is failing?
A. The IKE hashing algorithm uses different key lengths on each VPN device. B. The IPSec settings allow more than one cipher suite on both devices. C. The Diffie-Hellman group on both sides matches but is a legacy group. D. The remote VPN is attempting to connect with a protocol other than SSL/TLS.
C. The Diffie-Hellman group on both sides matches but is a legacy group.
Explanation
Phase 1 is the IKE negotiation that builds the IKE security association before any IPsec traffic flows: both peers must agree on an encryption algorithm, an integrity/PRF algorithm, a Diffie-Hellman group, an authentication method and a lifetime. The message "An error has occurred during Phase 1 handshake. Deleting keys and retrying..." means that negotiation, not the tunnel itself, is failing. Legacy Diffie-Hellman groups (768- or 1024-bit MODP, groups 1 and 2) are a common cause even when both sides list the same group, because current firmware and security policies often refuse to complete an exchange with a group considered too weak. The practical check is to compare the Phase 1 proposals and IKE debug logs on both devices and move both to a current group such as 2048-bit MODP (group 14) or the ECP groups (19 or 20). Option D is ruled out because an IPsec site-to-site VPN does not use SSL/TLS for its handshake.
Question 154:
A software vendor provides routine functionality and security updates to its global customer base. The vendor would like to ensure distributed updates are authorized, originate from only the company, and have not been modified by others. Which of the following solutions best supports these objectives?
A. Envelope encryption B. File integrity monitoring C. Application control D. Code signing
D. Code signing
Explanation
Code signing has the vendor sign each update with its private key; customers verify the signature against the vendor's certificate before installing. A valid signature shows the update was authorized and originated from the vendor, and that it has not changed since it was signed, which covers all three objectives. Envelope encryption protects confidentiality but does not prove origin. File integrity monitoring detects changes to files already on a host, after the fact. Application control restricts which binaries may run but does not by itself establish who produced an update. One caveat for the vendor: keep the signing key in an HSM or a managed signing service, because a stolen signing key lets an attacker ship updates that pass every check.
Question 155:
A company's security policy states that any publicly available server must be patched within 12 hours after a patch is released. A recent IIS zero-day vulnerability was discovered that affects all versions of the Windows Server OS:
Which of the following hosts should a security analyst patch first once a patch is available?
A. 1 B. 2 C. 3 D. 4 E. 5 F. 6
A. 1
Explanation
The policy requires any publicly available server to be patched within 12 hours of a patch release, so Host 1 should be patched first:
Public availability: Host 1 is externally reachable from the internet, which is the exposure that makes a known zero-day most dangerous.
Exposure to the vulnerable component: Host 1 runs IIS, the affected service, so it is directly exploitable rather than merely running the affected OS.
Prioritization: internet-facing, exploitable assets are patched before internal hosts that carry the same vulnerability.
Question 156:
A security engineer is developing a solution to meet the following requirements:
1. All endpoints should be able to establish telemetry with a SIEM.
2. All endpoints should be able to be integrated into the XDR platform.
3. SOC services should be able to monitor the XDR platform.
Which of the following should the security engineer implement to meet the requirements? (Select Two.)
A. EDR B. HIDS C. Web application firewall D. Central logging E. Host-based firewall F. TPM
A. EDR D. Central logging
Question 157:
SIMULATION
A product development team has submitted code snippets for review prior to release.
INSTRUCTIONS
Analyze the code snippets, and then select one vulnerability and one fix for each code snippet.
Code Snippet 1
Code Snippet 2
Vulnerability 1:
1. SQL injection
2. Cross-site request forgery
3. Server-side request forgery
4. Indirect object reference
5. Cross-site scripting
Fix 1:
1. Perform input sanitization of the userid field.
2. Perform output encoding of queryResponse.
3. Ensure userid belongs to logged-in user.
4. Inspect URLs and disallow arbitrary requests.
5. Implement anti-forgery tokens.
Vulnerability 2:
1. Denial of service
2. Command injection
3. SQL injection
4. Authorization bypass
5. Credentials passed via GET
Fix 2:
1. Implement prepared statements and bind variables.
2. Remove the serve_forever instruction.
3. Prevent the "authenticated" value from being overridden by a GET parameter.
4. HTTP POST should be used for sensitive parameters.
5. Perform input sanitization of the userid field.
A. See the complete solution below in Explanation.
Explanation
Code Snippet 1
Vulnerability 1: SQL injection. The query is assembled from the userid value the user supplies, so characters such as a single quote, a semicolon or a comment sequence change the meaning of the statement. An attacker can read other users' rows, alter data or bypass authentication checks that depend on the query's result.
Fix 1: Perform input sanitization of the userid field. Of the fixes listed for this snippet, only option 1 addresses the query itself: validate userid against an allow-list (for example, alphanumerics of bounded length) and reject anything else before it reaches the database. The definitive remedy, prepared statements with bind variables, appears only in the Fix 2 list; where it is available it should be preferred, because it removes the parsing problem instead of filtering for it.
Code Snippet 2
Vulnerability 2: Authorization bypass. The handler decides whether the caller is authenticated from a value carried in the request, the "authenticated" GET parameter, rather than from server-side state, so any client can claim authenticated=true and reach protected functionality.
Fix 2: Prevent the "authenticated" value from being overridden by a GET parameter. The authentication decision must come from session state the server created at login and looks up by an unguessable session identifier; request parameters may never set or override it. Moving sensitive parameters to POST (option 4) is good hygiene but does not close the bypass, since a POST body is just as attacker-controlled as a query string, and removing serve_forever (option 2) would only stop the server from accepting requests at all.
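The two flaw and fix pairs above, as an added example that is not part of the exam's code snippets (which the page does not reproduce). The table and column names, the session store and the session identifier are constructed for the demonstration:

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Added example, not the exam's snippets. Schema, rows and session data are constructed.


def demo_db():
    """In-memory table standing in for the application's user table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return con


# --- Snippet 1 pattern: SQL injection ---------------------------------------

def lookup_vulnerable(con, userid):
    """Query text built by concatenation: the userid value becomes SQL syntax.
    userid = "' OR '1'='1" turns the WHERE clause into a match for every row."""
    query = "SELECT userid, email FROM users WHERE userid = '" + userid + "'"
    return con.execute(query).fetchall()


USERID_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def userid_is_clean(userid):
    """Fix 1 as listed: allow-list validation of the userid field before any query."""
    return bool(USERID_RE.fullmatch(userid))


def lookup_parameterized(con, userid):
    """The stronger fix: a bind variable, so the value is never parsed as SQL."""
    return con.execute("SELECT userid, email FROM users WHERE userid = ?",
                       (userid,)).fetchall()


# --- Snippet 2 pattern: authorization bypass --------------------------------

# Constructed server-side session store. In a real application this is a
# session backend keyed by an unguessable value issued at login.
SESSIONS = {"c0ffee11": {"user": "alice", "authenticated": True}}


def is_authenticated_vulnerable(path):
    """Trusts an 'authenticated' flag supplied by the client in the query string."""
    params = parse_qs(urlparse(path).query)
    return params.get("authenticated", ["false"])[0].lower() == "true"


def is_authenticated_fixed(path, cookie_header):
    """Fix 2 as listed: the flag comes only from server-side session state, so
    nothing in the URL (path is accepted but deliberately ignored) can set it."""
    cookies = {}
    for part in (cookie_header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    session = SESSIONS.get(cookies.get("sid"))
    return bool(session and session.get("authenticated"))
```

Running the vulnerable lookup with the classic payload returns every row, while the parameterized form returns nothing for the same input and the allow-list rejects it outright; the vulnerable authorization check says yes to anyone who adds authenticated=true to the URL, and the fixed one says yes only to a request carrying a known session cookie.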
Question 158:
After a penetration test on the internal network, the following report was generated:
Attack              Target               Result
Compromised host    ADMIN01S.CORP.LOCAL  Successful
Hash collected      KRBTGT.CORP.LOCAL    Successful
Hash collected      SQLSV.CORP.LOCAL     Successful
Pass the hash       SQLSV.CORP.LOCAL     Failed
Domain control      CORP.LOCAL           Successful
Which of the following should be recommended to remediate the attack?
A. Deleting SQLSV B. Reimaging ADMIN01S C. Rotating KRBTGT password D. Resetting the local domain
C. Rotating KRBTGT password
Explanation
The attacker obtained the hash of the KRBTGT account, the key that signs and encrypts every Kerberos ticket-granting ticket in the domain. With it, tickets can be forged for any principal, which is how domain control was reached even though pass-the-hash against SQLSV failed.
A. Deleting SQLSV: the pass-the-hash attempt on SQLSV failed, and the server is not the source of the domain compromise.
B. Reimaging ADMIN01S: appropriate for the compromised host, but it leaves the stolen KRBTGT key valid, so forged tickets keep working.
C. Rotating KRBTGT password: correct. Resetting KRBTGT invalidates the stolen key and every ticket issued under it. Reset it twice, allowing AD replication to complete between the resets, because the domain honours both the current and the previous KRBTGT key and a single reset leaves tickets under the old key valid. Expect clients and services to re-authenticate afterwards.
D. Resetting the local domain: not a defined remediation action, and it would not by itself address the compromised key.
Question 159:
An auditor is reviewing the logs from a web application to determine the source of an incident. The web application architecture includes an internet-accessible application load balancer, a number of web servers in a private subnet, application servers, and one database server in a tiered configuration. The application load balancer cannot store the logs. The following are sample log snippets:
Web server logs:
24/Oct/2020 11:24:34 +05:00 - 192.168.2.11 - request does not match a known local user. Querying DB
24/Oct/2020 11:24:35 +05:00 - 192.168.2.12 - root path. Begin processing
Database server logs:
24/Oct/2020 11:24:34 +05:00 [Warning] 'option read_buffer_size' unassigned value 0 adjusted to 2048
24/Oct/2020 11:24:35 +05:00 [Warning] CA certificate ca.pem is self-signed.
Which of the following should the auditor recommend to ensure future incidents can be traced back to the sources?
A. Enable the X-Forwarded-For header at the load balancer. B. Install a software-based HIDS on the application servers. C. Install a certificate signed by a trusted CA. D. Use stored procedures on the database server. E. Store the value of the $_SERVER['REMOTE_ADDR'] received by the web servers.
A. Enable the X-Forwarded-For header at the load balancer.
Explanation
The web server logs record the peer addresses 192.168.2.11 and 192.168.2.12, which are the load balancer's private-subnet interfaces, not the clients that sent the requests: the load balancer terminates the client connection and opens a new one to the web server, and it keeps no logs of its own. Enabling X-Forwarded-For on the load balancer makes it append the original client address to each forwarded request, so the web servers can log it and an incident can be traced to its source without changing the architecture.
Option A: Correct. X-Forwarded-For is the standard way to carry the client address through a proxy or load balancer. Because the header is ordinary request text, the web servers should trust only the entry the load balancer appended and ignore values a client sent itself.
Option B: A HIDS on the application servers detects host anomalies; it does not recover client addresses lost at the load balancer.
Option C: A certificate from a trusted CA removes the self-signed warning in the database log but has nothing to do with source tracing.
Option D: Stored procedures reduce SQL injection risk; they do not help with IP logging.
Option E: $_SERVER['REMOTE_ADDR'] is the TCP peer, that is, the load balancer's address, which is what the logs already contain; it identifies the client only once X-Forwarded-For is enabled and read instead.
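The trust rule from the explanation above, as an added example that is not part of the exam material: decide which address to log for a request that came through the load balancer. The two proxy addresses are constructed to match the peer addresses in the web server logs; a real deployment would list the load balancer's actual interface addresses, and a chain of N trusted proxies would take the N-th entry from the right rather than the last one.

```python
import ipaddress

# Added example, not from the exam page. Proxy addresses are constructed to match
# the peer addresses the web servers logged.
TRUSTED_PROXIES = frozenset(ipaddress.ip_address(a)
                            for a in ("192.168.2.11", "192.168.2.12"))


def client_ip(remote_addr, xff_header=None, trusted_proxies=TRUSTED_PROXIES):
    """Return the address an incident should be traced to.

    remote_addr: the TCP peer the web server saw (REMOTE_ADDR).
    xff_header:  the raw X-Forwarded-For header value, or None when absent.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted_proxies or not xff_header:
        # Either a direct connection, or a header that did not come from our
        # load balancer. In both cases the header is attacker-controlled text
        # and the peer address is the only value worth logging.
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # A proxy appends the address it accepted the connection from to the END
    # of the list. Anything left of that arrived inside the client's own
    # request and may be forged, so with one trusted hop the rightmost entry
    # is the client.
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except (ValueError, IndexError):
        return str(peer)  # malformed header: do not log what cannot be parsed


def log_line(timestamp, remote_addr, xff_header, message):
    """The web servers' log format, extended with the resolved client address."""
    return "%s - peer=%s client=%s - %s" % (
        timestamp, remote_addr, client_ip(remote_addr, xff_header), message)


if __name__ == "__main__":
    # Constructed request: the load balancer forwarded a client at 203.0.113.7
    print(log_line("24/Oct/2020 11:24:35 +05:00", "192.168.2.12",
                   "203.0.113.7", "root path. Begin processing"))
```

The second test case is the one that matters operationally: a client that sends its own X-Forwarded-For: 10.9.9.9 arrives at the web server as "10.9.9.9, 203.0.113.7" because the load balancer appends the address it actually saw, so taking the rightmost entry, and only when the peer is the load balancer, is what keeps the logged source honest.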
Question 160:
A software company deployed a new application based on its internal code repository. Several customers are reporting anti-malware alerts on workstations used to test the application.
Which of the following is the most likely cause of the alerts?
A. Misconfigured code commit B. Unsecure bundled libraries C. Invalid code signing certificate D. Data leakage
B. Unsecure bundled libraries
Explanation
The most likely cause of the anti-malware alerts on customer workstations is unsecure bundled libraries. Applications routinely ship third-party libraries alongside their own code, and if those libraries are not vetted they can carry vulnerabilities or malicious code that anti-malware engines recognize on the customer's workstation.
Why unsecure bundled libraries?
Third-party risk: a library that contains malicious or known-bad code produces alerts wherever the application is installed, which matches reports from several customers at once.
Transitive dependencies: a library's own dependencies are pulled in with it and are just as likely to go unreviewed.
Common issue: libraries are adopted for convenience and rarely receive the scrutiny given to first-party code. The other options are less likely to produce widespread anti-malware alerts:
A. Misconfigured code commit: could break a build or leak a secret, but does not by itself make the shipped binary look malicious.
C. Invalid code signing certificate: produces trust warnings at install time, not malware detections.
D. Data leakage: a privacy and confidentiality concern, not a trigger for anti-malware engines.
References: CompTIA SecurityX Study Guide, "Securing Open Source Libraries"; OWASP, "Managing Third-Party Software Security Risks"; Gartner Research.