CompTIA CAS-005 Online Practice Questions and Exam Preparation

CompTIA CAS-005 Online Questions & Answers

• Question 201:

  A company has identified a number of vulnerable, end-of-support systems with limited defensive capabilities. Which of the following would be the first step in reducing the attack surface in this environment?

  A. Utilizing hardening recommendations
  B. Deploying IPS/IDS throughout the environment
  C. Installing and updating antivirus
  D. Installing all available patches
  A. Utilizing hardening recommendations

  ---

  Explanation

• Question 202:

  HOTSPOT

  Company A has noticed abnormal behavior targeting their SQL server on the network from a rogue IP address. The company uses the following internal IP address ranges: 192.10.1.0/24 for the corporate site and 192.10.2.0/24 for the remote

  site. The Telco router interface uses the 192.10.5.0/30 IP range.

  Instructions: Click on the simulation button to refer to the Network Diagram for Company A.

  Click on Router 1, Router 2, and the Firewall to evaluate and configure each device.

  Task 1: Display and examine the logs and status of Router 1, Router 2, and Firewall interfaces.

  Task 2: Reconfigure the appropriate devices to prevent the attacks from continuing to target the SQL server and other servers on the corporate network.

  

  

  

  Explanation

  We have traffic coming from two rogue IP addresses: 192.10.3.204 and 192.10.3.254 (both in the 192.10.30.0/24 subnet) going to IPs in the corporate site subnet (192.10.1.0/24) and the remote site subnet (192.10.2.0/24). We need to Deny (block) this traffic at the firewall by ticking the following two checkboxes:

  

• Question 203:

  An organization has noticed an increase in phishing campaigns utilizing typosquatting. A security analyst needs to enrich the data for commonly used domains against the domains used in phishing campaigns. The analyst uses a log forwarder to forward network logs to the SIEM.

  Which of the following would allow the security analyst to perform this analysis?

  A. Use a cron job to regularly update and compare domains
  B. Create a parser that matches domains
  C. Develop a query that filters out all matching domain names
  D. Implement a dashboard on the SIEM that shows the percentage of traffic by domain
  D. Implement a dashboard on the SIEM that shows the percentage of traffic by domain

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  Enriching data to compare domains requires actionable visibility. Let's analyze:

  A. Cron job:Automates updates but doesn't analyze in the SIEM.

  B. Parser:Processes logs but doesn't provide comparison insights.

  C. Filter query:Excludes matches, opposite of enrichment.

  CompTIA SecurityX (CAS-005) objectives, Domain 2: Security Operations, covering SIEM analysis.

• Question 204:

  During a gap assessment, an organization notes that OYOD usage is asignificant risk. The organization implemented administrative policies prohibiting BYOD usage However, the organization has not implemented technical controls to prevent the unauthorized use of BYOD assets when accessing the organization's resources. Which of the following solutions should the organization implement to reduce the risk of OYOD devices? (Select two).

  A. Cloud 1AM to enforce the use of token based MFA
  B. Conditional access, to enforce user-to-device binding
  C. NAC, to enforce device configuration requirements
  D. PAM. to enforce local password policies
  E. SD-WAN. to enforce web content filtering through external proxies
  F. DLP, to enforce data protection capabilities
  B. Conditional access, to enforce user-to-device binding
  C. NAC, to enforce device configuration requirements

  ---

  To reduce the risk of unauthorized BYOD (Bring Your Own Device) usage, the organization should implement Conditional Access and Network Access Control (NAC).

  Why Conditional Access and NAC?

  User-to-Device Binding: Conditional access policies can enforce that only registered and compliant devices are allowed to access corporate resources.

  Context-Aware Security: Enforces access controls based on the context of the access attempt, such as user identity, device compliance, location, and more.

  Network Access Control (NAC):

  DeviceConfiguration Requirements: NAC ensures that only devices meeting specific security configurations are allowed to connect to the network.

  Access Control: Provides granular control over network access, ensuring that BYOD devices comply with security policies before gaining access.

  Other options, while useful, do not address the specific need to control and secure BYOD devices effectively:

  A. Cloud IAM to enforce token-based MFA: Enhances authentication security but does not control device compliance.

  D. PAM to enforce local password policies: Focuses on privileged account management, not BYOD control.

  E. SD-WAN to enforce web content filtering: Enhances network performance and security but does not enforce BYOD device compliance.

  F. DLP to enforce data protection capabilities: Protects data but does not control BYOD device access and compliance.

  References: CompTIA SecurityX Study Guide "Conditional Access Policies," Microsoft Documentation "Network Access Control (NAC)," Cisco Documentation

• Question 205:

  A company is preparing to move a new version of a web application to production. No issues were reported during security scanning or quality assurance in the CI/CD pipeline.

  Which of the following actions should the company take next?

  A. Merge the test branch to the main branch
  B. Perform threat modeling on the production application
  C. Conduct unit testing on the submitted code
  D. Perform a peer review on the test branch
  A. Merge the test branch to the main branch

  ---

  Explanation

  The question states that security scanning and quality assurance (QA) in the CI/CD pipeline have been completed with no issues, indicating that the code in the test branch is ready for production. According to the CompTIA SecurityX CAS005 study guide (Domain 2: Security Operations, 2.3), in a secure CI/CD pipeline, once code passes automated security scans, QA, and other checks (e.g., unit testing, peer reviews), the next step is to merge the tested branch into the main

  branch for deployment to production.

  Option B:Threat modeling is typically performed earlier, during design or development, not after passing CI/CD checks.

  Option C:Unit testing is part of the CI/CD pipeline and should already be completed.

  Option D:Peer reviews are conducted before or during the test phase, not after QAand security scans are clear.

  Option A:Merging the test branch to the main branch is the logical next step to prepare for production deployment.

  CompTIA SecurityX CAS-005 Official Study Guide, Domain 2: Security Operations, Section 2.3: "Manage secure software development lifecycles, including CI/CD pipelines." CAS-005 Exam Objectives, 2.3: "Analyze secure deployment

  processes in CI/CD environments."

• Question 206:

  An organization is researching the automation capabilities for systems within an OT network. A security analyst wants to assist with creating secure coding practices and would like to learn about the programming languages used on the PLCs. Which of the following programming languages is the most relevant for PLCs?

  A. Ladder logic
  B. Rust
  C. C
  D. Python
  E. Java
  A. Ladder logic

  ---

  Explanation

  Programmable Logic Controllers (PLCs) in Operational Technology (OT) environments commonly useLadder Logic, a graphical programming language resembling electrical relay logic diagrams. It's the most relevant for PLCs due to its

  widespread use in industrial automation.

  Option A:Ladder Logic is the standard for PLC programming, making it the best choice.

  Option B:Rust is modern and secure but not typically used for PLCs. Option C:C is used in some embedded systems but less common for PLCs. Option D:Python is versatile but not native to PLC programming.

  Option E:Java is rare in PLC contexts.

  CompTIA SecurityX CAS-005 Domain 2: Security Architecture ?OT Security and Secure Coding.

• Question 207:

  A security engineer needs to create multiple servers in a company's private cloud. The servers should have a virtual network infrastructure that supports connectivity, as well as security configurations applied using predefined templates. Which of the following is the best option for the security engineer to consider for the deployment?

  A. Installing a container orchestration solution locally, configuring the infrastructure, and cloning the solution
  B. Creating templates on the cloud provider marketplace and modeling the solution using those templates
  C. Using Terraform to implement an infrastructure as code model with the existing private cloud solution
  D. Integrating the cloud provider API to the CI/CD pipeline model used by the company
  C. Using Terraform to implement an infrastructure as code model with the existing private cloud solution

  ---

• Question 208:

  A company's help desk is experiencing a large number of calls from the finance department slating access issues to www bank com. The security operations center reviewed the following security logs:

  

  Which of the following is most likely the cause of the issue?

  A. Recursive DNS resolution is failing
  B. The DNS record has been poisoned.
  C. DNS traffic is being sinkholed.
  D. The DNS was set up incorrectly.
  C. DNS traffic is being sinkholed.

  ---

  Explanation

  Sinkholing, or DNS sinkholing, is a method used to redirect malicious traffic to a safe destination. This technique is often employed by security teams to prevent access to malicious domains by substituting a benign destination IP address. In

  the given logs, users from the finance department are accessing www.bank.com and receiving HTTP status code 495. This status code is typically indicative of a client certificate error, which can occur if the DNS traffic is being manipulated or

  redirected incorrectly. The consistency in receiving the same HTTP status code across different users suggests a systematic issue rather than an isolated incident. Recursive DNS resolution failure (A) would generally lead to inability to

  resolve DNS at all, not to a specific HTTP error.

  DNS poisoning (B) could result in users being directed to malicious sites, but again, would likely result in a different set of errors or unusual activity. Incorrect DNS setup (D) would likely cause broader resolution issues rather than targeted

  errors like the one seen here.

  By reviewing the provided data, it is evident that the DNS traffic for www.bank.com is being rerouted improperly, resulting in consistent HTTP 495 errors for the finance department users. Hence, the most likely cause is that the DNS traffic is

  being sinkholed.

  References:

  CompTIA SecurityX study materials on DNS security mechanisms. Standard HTTP status codes and their implications.

• Question 209:

  After several companies in the financial industry were affected by a similar incident, they shared information about threat intelligence and the malware used for exploitation. Which of the following should the companies do to best indicate whether the attacks are being conducted by the same actor?

  A. Apply code stylometry.
  B. Look for common IOCs.
  C. Use IOC extractions.
  D. Leverage malware detonation.
  A. Apply code stylometry.

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  Determining if attacks are from the same actor requires unique attribution. Let's analyze:

  A. Code stylometry:Analyzes coding style to identify authorship, the best method for linking malware to a specific actor per CAS-005's threat intelligence focus.

  B. Common IOCs:Indicates similar attacks but not necessarily the same actor.

  C. IOC extractions:Similar to B, lacks specificity for attribution.

  CompTIA SecurityX (CAS-005) objectives, Domain 2: Security Operations, covering threat intelligence.

• Question 210:

  A security analyst reviews the following report:

  

  Which of the following assessments is the analyst performing?

  A. System
  B. Supply chain
  C. Quantitative
  D. Organizational
  B. Supply chain

  ---

  Explanation

  The table shows detailed information about products, including location, chassis manufacturer, OS, application developer, and vendor. This type of information is typically assessed in a supply chain assessment to evaluate the security and

  reliability of components and services from different suppliers.

  Why Supply Chain Assessment?

  Component Evaluation: Assessing the origin and security of each component used in the products, including hardware, software, and third-party services. Vendor Reliability: Evaluating the security practices and reliability of vendors involved

  in providing components or services.

  Risk Management: Identifying potential risks associated with the supply chain, such as vulnerabilities in third-party components or insecure development practices.

  Other types of assessments do not align with the detailed supplier and component information provided:

  A. System: Focuses on individual system security, not the broader supply chain.

  C. Quantitative: Focuses on numerical risk assessments, not supplier information.

  D. Organizational: Focuses on internal organizational practices, not external

  suppliers.

  References:

  CompTIA SecurityX Study Guide

  NIST Special Publication 800-161, "Supply Chain Risk Management Practices for Federal Information Systems and Organizations"

  "Supply Chain Security Best Practices," Gartner Research