CompTIA CAS-005 Online Practice Questions and Exam Preparation
CAS-005 Exam Details
Exam Code: CAS-005
Exam Name: CompTIA SecurityX
Certification: CompTIA Certifications
Vendor: CompTIA
Total Questions: 406 Q&As
Last Updated: May 28, 2026
CompTIA CAS-005 Online Questions & Answers
Question 181:
An engineering team determines the cost to mitigate certain risks is higher than the asset values. The team must ensure the risks are prioritized appropriately.
Which of the following is the best way to address the issue?
A. Data labeling
B. Branch protection
C. Vulnerability assessments
D. Purchasing insurance
D. Purchasing insurance
Explanation
When the cost to mitigate certain risks is higher than the asset values, the best approach is to purchase insurance. This method allows the company to transfer the risk to an insurance provider, ensuring that financial losses are covered in the event of an incident. This approach is cost-effective and ensures that risks are prioritized appropriately without overspending on mitigation efforts.
References:
CompTIA SecurityX Study Guide: Discusses risk management strategies, including risk transfer through insurance.
NIST Risk Management Framework (RMF): Highlights the use of insurance as a risk mitigation strategy.
"Information Security Risk Assessment Toolkit" by Mark Talabis and Jason Martin:
Covers risk management practices, including the benefits of purchasing insurance.
Question 182:
A control systems analyst is reviewing the defensive posture of engineering workstations on the shop floor. Upon evaluation, the analyst makes the following observations:
1. Unsupported, end-of-life operating systems were still prevalent on the shop floor.
2. There are no security controls for systems with supported operating systems.
3. There is little uniformity of installed software among the workstations.
Which of the following would have the greatest impact on the attack surface?
A. Deploy antivirus software to all of the workstations.
B. Increase the level of monitoring on the workstations.
C. Utilize network-based allow and block lists.
D. Harden all of the engineering workstations using a common strategy.
D. Harden all of the engineering workstations using a common strategy.
Explanation
Question 183:
A company isolated its OT systems from other areas of the corporate network. These systems are required to report usage information over the internet to the vendor.
Which of the following best reduces the risk of compromise or sabotage? (Select two).
A. Implementing allow lists
B. Monitoring network behavior
C. Encrypting data at rest
D. Performing boot integrity checks
E. Executing daily health checks
F. Implementing a site-to-site IPSec VPN
A. Implementing allow lists
F. Implementing a site-to-site IPSec VPN
Explanation
A. Implementing allow lists: Allow lists (whitelisting) restrict network communication to only authorized devices and applications, significantly reducing the attack surface by ensuring that only pre-approved traffic is permitted.
F. Implementing a site-to-site IPSec VPN: A site-to-site VPN provides a secure, encrypted tunnel for data transmission between the OT systems and the vendor, protecting the data from interception and tampering during transit.
Other options:
B. Monitoring network behavior: While useful for detecting anomalies, it does not proactively reduce the risk of compromise or sabotage.
C. Encrypting data at rest: Important for protecting data stored on devices, but does not address network communication risks.
D. Performing boot integrity checks: Ensures the integrity of the system at startup but does not protect ongoing network communications.
E. Executing daily health checks: Useful for maintaining system health but does not directly reduce the risk of network-based compromise or sabotage.
References:
CompTIA Security+ Study Guide
NIST SP 800-82, "Guide to Industrial Control Systems (ICS) Security"
"Industrial Network Security" by Eric D. Knapp and Joel Thomas Langill
Question 184:
A vulnerability scan on a web server identified the following:
Which of the following actions would most likely eliminate on-path decryption attacks? (Select two).
A. Disallowing cipher suites that use ephemeral modes of operation for key agreement
B. Removing support for CBC-based key exchange and signing algorithms
C. Adding TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256
D. Implementing HIPS rules to identify and block BEAST attack attempts
E. Restricting cipher suites to only allow TLS_RSA_WITH_AES_128_CBC_SHA
F. Increasing the key length to 256 for TLS_RSA_WITH_AES_128_CBC_SHA
B. Removing support for CBC-based key exchange and signing algorithms
C. Adding TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256
Explanation
On-path decryption attacks, such as BEAST (Browser Exploit Against SSL/TLS) and other related vulnerabilities, often exploit weaknesses in the implementation of CBC (Cipher Block Chaining) mode. To mitigate these attacks, the following actions are recommended:
B. Removing support for CBC-based key exchange and signing algorithms: CBC mode is vulnerable to certain attacks like BEAST. By removing support for CBC-based ciphers, you can eliminate one of the primary vectors for these attacks. Instead, use modern cipher modes like GCM (Galois/Counter Mode), which offer better security properties.
C. Adding TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256: This cipher suite uses Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) for key exchange, which provides perfect forward secrecy. It also uses AES in GCM mode, which is not susceptible to the same attacks as CBC. SHA-256 is a strong hash function that ensures data integrity.
References:
CompTIA Security+ Study Guide
NIST SP 800-52 Rev. 2, "Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations"
OWASP (Open Web Application Security Project) guidelines on cryptography and secure communication
Question 185:
A company recently migrated its critical web application to a cloud provider's environment. As part of the company's risk management program, the company intends to conduct an external penetration test. According to the scope of work and the rules of engagement, the penetration tester will validate the web application's security and check for opportunities to expose sensitive company information in the newly migrated cloud environment. Which of the following should be the first consideration prior to engaging in the test?
A. Prepare a redundant server to ensure the critical web application's availability during the test.
B. Obtain agreement between the company and the cloud provider to conduct penetration testing.
C. Ensure the latest patches and signatures are deployed on the web server.
D. Create an NDA between the external penetration tester and the company.
B. Obtain agreement between the company and the cloud provider to conduct penetration testing.
Explanation
Obtain agreement between the company and the cloud provider to conduct penetration testing is the most critical first consideration. This ensures that the test is conducted legally and within the cloud provider's policies, preventing any potential violations or disruptions.
Question 186:
Source code snippets for two separate malware samples are shown below:
Sample 1:
knockEmDown(String e) {
if(target.isAccessed()) {
target.toShell(e);
System.out.println(e.toString());
c2.sendTelemetry(target.hostname.toString + " is " + e.toString());
} else {
target.close();
}
}
Sample 2:
targetSys(address a) {
if(address.isIpv4()) {
address.connect(1337);
address.keepAlive("paranoid");
String status = knockEmDown(address.current);
remote.sendC2(address.current + " is " + status);
} else {
throw Exception e;
}
}
Which of the following describes the most important observation about the two samples?
A. Telemetry is first buffered and then transmitted in paranoid mode.
B. The samples were probably written by the same developer.
C. Both samples use IP connectivity for command and control.
D. Sample 1 is the target agent while Sample 2 is the C2 server.
B. The samples were probably written by the same developer.
Explanation
Both samples share similar function names, variable naming styles, and logic flow, indicating that they were likely written by the same developer. This is a key observation in malware attribution, as cyber threat analysts often look for unique coding styles to link malware to specific threat actors.
The presence of C2 (Command and Control) communication in both samples supports this theory, as attackers often reuse parts of their own malware code across different attacks.
Question 187:
A security analyst is reviewing the following code in the public repository for potential risk concerns:
include bouncycastle-1.4.jar;
include jquery-2.0.2.jar;
public static void main() { ... }
public static void territory() { ... }
public static void state() { ... }
public static String code = "init";
public static String access_token = "spat-hfeiw-sogur-werdb-werib";
Which of the following should the security analyst recommend first to remediate the vulnerability?
A. Developing role-based security awareness training
B. Revoking the secret used in the solution
C. Purging code from public view
D. Scanning the application with SAST
B. Revoking the secret used in the solution
Explanation
Question 188:
A hospital provides tablets to its medical staff to enable them to more quickly access and edit patients' charts. The hospital wants to ensure that if a tablet is identified as lost or stolen and a remote command is issued, the risk of data loss can be mitigated within seconds. The tablets are configured as follows:
Full disk encryption is enabled
"Always On" corporate VPN is enabled
eFuse-backed keystore is enabled
Wi-Fi 6 is configured with SAE
Location services are disabled
Application allow list is unconfigured
Assuming the hospital policy cannot be changed, which of the following is the best way to meet the hospital's objective?
A. Revoke the user VPN and Wi-Fi certificates
B. Cryptographically erase FDE volumes
C. Issue new MFA credentials to all users
D. Configure the application allow list
B. Cryptographically erase FDE volumes
Explanation
The key requirement is to instantly eliminate data loss on a lost device. Cryptographic erasure works by deleting the encryption keys used for FDE (full disk encryption), rendering all data unrecoverable within seconds, satisfying the "mitigate within seconds" requirement.
Revoking certificates won't wipe the data from a lost tablet.
Changing MFA credentials won't help unless the device is physically secured.
Application allow lists don't apply once the device is lost.
From CAS-005, Domain 3: Secure Systems Design and Deployment
CAS-005 Guide, Chapter 9: Endpoint Security, pp. 178-80
Question 189:
A company experienced a data breach, resulting in the disclosure of extremely sensitive data regarding a merger. As a regulated entity, the company must comply with reporting and disclosure requirements. The company is concerned about its public image and shareholder values. Which of the following best supports the organization in addressing its concerns?
A. Data subject access request
B. Business impact analysis
C. Supply chain management program
D. Crisis management plan
D. Crisis management plan
Explanation
Question 190:
During a vulnerability assessment, a scan reveals the following finding:
Windows Server 2016 Missing hotfix KB87728 - CVSS 3.1 Score: 8.1 [High] - Affected host 172.16.15.2
Later in the review process, the remediation team marks the finding as a false positive. Which of the following is the best way to avoid this issue on future scans?
A. Getting an up-to-date list of assets from the CMDB
B. Performing an authenticated scan on the servers
C. Configuring the sensor with an advanced policy for fingerprinting servers
D. Coordinating the scan execution with the remediation team early in the process
B. Performing an authenticated scan on the servers
Explanation
Authenticated scans allow the scanner to verify installed patches and configurations, reducing false positives.
Other options:
A (CMDB updates) improve asset tracking but do not validate patch installations.
C (Advanced fingerprinting) improves accuracy but does not replace authentication.
D (Coordination with teams) is good practice but does not prevent false positives.