CompTIA CAS-005 Online Practice Questions and Exam Preparation

CompTIA CAS-005 Online Questions & Answers

• Question 171:

  Asecuntv administrator is performing a gap assessment against a specific OS benchmark The benchmark requires the following configurations be applied to endpomts:

  1.Full disk encryption

  2.Host-based firewall

  3.Time synchronization

  4.Password policies

  5.Application allow listing

  6.Zero Trust application access

  Which of the following solutions best addresses the requirements? (Select two).

  A.

  CASB

  
  B.

  SBoM

  
  C.

  SCAP

  
  D.

  SASE

  
  E.

  HIDS

  C.

  SCAP

  
  D.

  SASE

  ---

  Explanation

  To address the specific OS benchmark configurations, the following solutions are most appropriate:

  C. SCAP (Security Content Automation Protocol): SCAP helps in automating vulnerability management and policy compliance, including configurations like full disk encryption, host-based firewalls, and password policies.

  D. SASE (Secure Access Service Edge): SASE provides a framework for Zero Trust network access and application allow listing, ensuring secure and compliant access to applications and data. These solutions together cover the comprehensive security requirements specified in the OS benchmark, ensuring a robust security posture for endpoints.

  References:

  CompTIA SecurityX Study Guide: Discusses SCAP and SASE as part of security configuration management and Zero Trust architectures. NIST Special Publication 800-126, "The Technical Specification for the Security Content Automation

  Protocol (SCAP)": Details SCAP's role in security automation. "Zero Trust Networks: Building Secure Systems in Untrusted Networks" by Evan Gilman and Doug Barth: Covers the principles of Zero Trust and how SASE can implement them.

  By implementing SCAP and SASE, the organization ensures that all the specified security configurations are applied and maintained effectively.

• Question 172:

  A company must build and deploy security standards for all servers in its on-premises and cloud environments based on hardening guidelines. Which of the following solutions most likely meets the requirements?

  A. Develop a security baseline to integrate with the vulnerability scanning platform to alert about any server not aligned with the new security standards.
  B. Create baseline images for each OS in use, following security standards, and integrate the images into the patching and deployment solution.
  C. Build all new images from scratch, installing only needed applications and modules in accordance with the new security standards.
  D. Run a script during server deployment to remove all the unnecessary applications as part of provisioning.
  B. Create baseline images for each OS in use, following security standards, and integrate the images into the patching and deployment solution.

  ---

  Explanation

  Creatingsecure baseline imagesensuresconsistent, repeatable deployment aligned withhardening standards. These images can be used acrosson- premises and cloud environments, ensuring compliance and reducing misconfigurations. Vulnerability alerts (A)are reactive, not preventive. Building images from scratch (C)is time-consuming and unnecessary if baselines exist. Scripts for cleanup (D)are useful but do not prevent initial insecure configurations.

  CompTIA SecurityX (CAS-005) Exam Objectives- Domain 3.0 (Security Engineering), Section onSystem Hardening and Configuration Management

• Question 173:

  A security engineer has learned that terminated employees' accounts are not being disabled. The termination dates are updated automatically in the human resources information system software by the appropriate human resources staff. Which of the following would best reduce risks to the organization?

  A. Exporting reports from the system on a weekly basis to disable terminated employees' accounts
  B. Granting permission to human resources staff to mark terminated employees' accounts as disabled
  C. Configuring allowed login times for all staff to only work during business hours
  D. Automating a process to disable the accounts by integrating Active Directory and human resources information systems
  D. Automating a process to disable the accounts by integrating Active Directory and human resources information systems

  ---

  Explanation

  Automating the process to disable terminated employees' accounts by integrating Active Directory (or any other authentication system) with the human resources information system (HRIS) is the best approach to reduce risks to the organization. By automating this process, the organization ensures that accounts are disabled promptly and consistently whenever an employee's termination date is updated in the HRIS. This reduces the window of opportunity for terminated employees to retain access to systems and sensitive information after leaving the organization.

• Question 174:

  A company has a website with a huge database. The company wants to ensure that a DR site could be brought online quickly in the event of a failover, and end users would miss no more than 30 minutes of data. Which of the following should the company do to meet these objectives?

  A. Build a content caching system at the DR site.
  B. Store the nightly full backups at the DR site.
  C. Increase the network bandwidth to the DR site.
  D. Implement real-time replication for the DR site.
  D. Implement real-time replication for the DR site.

  ---

  Explanation

• Question 175:

  An organization developed a containerized application. The organization wants to run the application in the cloud and automatically scale it based on demand. The security operations team would like to use container orchestration but does not want to assume patching responsibilities. Which of the following service models best meets these requirements?

  A. PaaS
  B. SaaS
  C. IaaS
  D. MaaS
  A. PaaS

  ---

  Explanation

• Question 176:

  Following a Log4j outbreak, several network appliances were not managed and remained undetected despite an application inventory system being in place. Which of the following solutions should the security director recommend to best understand the composition of applications on unmanaged devices?

  A. Protocol analyzer
  B. Package monitoring
  C. Software bill of materials
  D. Fuzz testing
  C. Software bill of materials

  ---

  Explanation

  A Software Bill of Materials (SBOM) provides a comprehensive inventory of software components and libraries used in an application or device. It lists out all the dependencies and their versions, which is crucial for understanding the composition of applications, especially on unmanaged devices. In the context of the Log4j outbreak, having an SBOM would allow the security team to identify if any vulnerable versions of Log4j or other vulnerable software components are present on the unmanaged devices. This helps in assessing and mitigating risks associated with known vulnerabilities.

• Question 177:

  Which of the following includes best practices for validating perimeter firewall configurations?

  A. CIS controls
  B. MITRE ATTandCK
  C. NIST CSF
  D. ISO 27001
  A. CIS controls

  ---

  The Center for Internet Security (CIS) Controls provide prescriptive best practices for validating and securing perimeter firewalls. These controls are specifically designed to offer detailed, actionable steps that organizations can follow to ensure firewall rules are configured properly, access is restricted to least privilege, and unnecessary services are disabled. CIS benchmarks also provide specific configuration guidance for different vendors, making them highly practical for real-world implementation and

  validation.

  MITRE ATTandCK (B) is a framework for adversary tactics, techniques, and procedures, valuable for threat modeling but not a direct standard for firewall validation.

  NIST CSF (C) provides a high-level framework for cybersecurity risk management but lacks specific configuration guidance for firewalls.

  ISO 27001 (D) defines an information security management system (ISMS) framework, focusing on governance and certification rather than hands-on configuration best practices.

  Therefore, the CIS Controls and Benchmarks represent the most direct and practical resource for validating firewall configurations in line with recognized industry best practices.

• Question 178:

  Due to an infrastructure optimization plan, a company has moved from a unified architecture to a federated architecture divided by region. Long-term employees now have a better experience, but new employees are experiencing major performance issues when traveling between regions. The company is reviewing the following information:

  

  Which of the following is the most effective action to remediate the issue?

  A. Creating a new user entry in the affected region for the affected employee.
  B. Synchronizing all regions' user identities and ensuring ongoing synchronization.
  C. Restarting European region physical access control systems.
  D. Resyncing single sign-on application with connected security appliances.
  B. Synchronizing all regions' user identities and ensuring ongoing synchronization.

  ---

  Explanation

• Question 179:

  A security analyst received a notification from a cloud service provider regarding an attack detected on a web server The cloud service provider shared the following information about the attack:

  1.The attack came from inside the network.

  2.The attacking source IP was from the internal vulnerability scanners.

  3.The scanner is not configured to target the cloud servers.

  Which of the following actions should the security analyst take first?

  A. Create an allow list for the vulnerability scanner IPs m order to avoid false positives
  B. Configure the scan policy to avoid targeting an out-of-scope host
  C. Set network behavior analysis rules
  D. Quarantine the scanner sensor to perform a forensic analysis
  D. Quarantine the scanner sensor to perform a forensic analysis

  ---

  Explanation

  When a security analyst receives a notification about an attack that appears to originate from an internal vulnerability scanner, it suggests that the scanner itself might have been compromised. This situation is critical because a compromised scanner can potentially conduct unauthorized scans, leak sensitive information, or execute malicious actions within the network. The appropriate first action involves containing the threat to prevent further damage and allow for a thorough investigation. Here's why quarantining the scanner sensor is the best immediate action: Containment and Isolation: Quarantining the scanner will immediately prevent it from continuing any malicious activity or scans. This containment is crucial to protect the rest of the network from potential harm. Forensic Analysis: By isolating the scanner, a forensic analysis can be performed to understand how it was compromised, what actions it took, and what data or systems might have been affected. This analysis will provide valuable insights into the nature of the attack and help in taking appropriate remedial actions. Preventing Further Attacks: If the scanner is allowed to continue operating, it might execute more unauthorized actions, leading to greater damage. Quarantine ensures that the threat is neutralized promptly. Root Cause Identification: A forensic analysis can help identify vulnerabilities in the scanner's configuration, software, or underlying system that allowed the compromise. This information is essential for preventing future incidents. Other options, while potentially useful in the long term, are not appropriate as immediate actions in this scenario:

  A. Create an allow list for the vulnerability scanner IPs to avoid false positives:

  This action addresses false positives but does not mitigate the immediate threat posed by the compromised scanner.

  B. Configure the scan policy to avoid targeting an out-of-scope host: This step is preventive for future scans but does not deal with the current incident where the scanner is already compromised.

  C. Set network behavior analysis rules: While

  useful for ongoing monitoring and detection, this does not address the immediate need to stop the compromised scanner's activities. In conclusion, the first and most crucial action is to quarantine the scanner sensor to halt any malicious

  activity and perform a forensic analysis to understand the scope and nature of the compromise. This step ensures that the threat is contained and provides a basis for further remediation efforts.

  References:

  CompTIA SecurityX Study Guide

  NIST Special Publication 800-61 Revision 2, "Computer Security Incident Handling Guide"

• Question 180:

  A security analyst is troubleshooting the reason a specific user is having difficulty accessing company resources The analyst reviews the following information:

  

  Which of the following is most likely the cause of the issue?

  A. The local network access has been configured to bypass MFA requirements.
  B. A network geolocation is being misidentified by the authentication server
  C. Administrator access from an alternate location is blocked by company policy
  D. Several users have not configured their mobile devices to receive OTP codes
  B. A network geolocation is being misidentified by the authentication server

  ---

  Explanation

  The table shows that the user "SALES1" is consistently blocked despite having met the MFA requirements. The common factor in these blocked attempts is the source IP address (8.11.4.16) being identified as from Germany while the user is

  assigned to France. This discrepancy suggests that the network geolocation is being misidentified by the authentication server, causing legitimate access attempts to be blocked.

  Why Network Geolocation Misidentification?

  Geolocation Accuracy: Authentication systems often use IP geolocation to verify the location of access attempts. Incorrect geolocation data can lead to legitimate requests being denied if they appear to come from unexpected locations.

  Security Policies: Company security policies might block access attempts from certain locations to prevent unauthorized access. If the geolocation is wrong, legitimate users can be inadvertently blocked. Consistent Pattern: The user

  "SALES1" from the IP address 8.11.4.16 is always blocked, indicating a consistent issue with geolocation. Other options do not align with the pattern observed:

  A. Bypass MFA requirements: MFA is satisfied, so bypassing MFA is not the issue.

  C. Administrator access policy: This is about user access, not specific administrator access.

  D. OTP codes: The user has satisfied MFA, so OTP code configuration is not the issue.

  References:

  CompTIA SecurityX Study Guide

  "Geolocation and Authentication," NIST Special Publication 800-63B "IP Geolocation Accuracy," Cisco Documentation