CompTIA CAS-005 Online Practice Questions and Exam Preparation

CompTIA CAS-005 Online Questions & Answers

• Question 211:

  A security engineer is implementing a code signing requirement for all code developed by the organization. Currently, the PKI only generates website certificates. Which of the following steps should the engineer perform first?

  A. Add a new template on the internal CA with the correct attributes.
  B. Generate a wildcard certificate for the internal domain.
  C. Recalculate a public/private key pair for the root CA.
  D. Implement a SAN for all internal web applications.
  A. Add a new template on the internal CA with the correct attributes.

  ---

  Explanation

  To enable code signing with an existing PKI, the first step is to configure the Certificate Authority (CA) to issue code signing certificates. Adding a new template with attributes specific to code signing (e.g., key usage for signing) allows the CA

  to support this requirement without disrupting existing operations. Option A:Correct--templates define certificate types; this is the foundational step. Option B:Wildcard certificates are for domains, not code signing. Option C:Recalculating root

  CA keys is unnecessary and risky unless compromised.

  Option D:SAN (Subject Alternative Name) is for multi-domain certificates, irrelevant here.

  CompTIA SecurityX CAS-005 Domain 2: Security Architecture ?PKI Implementation.

• Question 212:

  Which of the following best describes the reason a network architect would enable forward secrecy on all VPN tunnels?

  A. This process is a requirement to enable hardware-accelerated cryptography.
  B. This process reduces the success of attackers performing cryptanalysis.
  C. The business requirements state that confidentiality is a critical success factor.
  D. Modern cryptographic protocols list this process as a prerequisite for use.
  B. This process reduces the success of attackers performing cryptanalysis.

  ---

  Explanation

  Forward secrecy, also known as perfect forward secrecy, is a feature of certain key agreement protocols that ensures session keys will not be compromised even if the server's private key is compromised in the future. By enabling forward

  secrecy on VPN tunnels, each session uses a unique key, and these keys are not derived from a common master key. This means that even if an attacker obtains the server's private key, they cannot decrypt past sessions, thereby

  significantly reducing the effectiveness of cryptanalysis attacks.

  CompTIA SecurityX CAS-005 Official Study Guide, Chapter 10:

  "Cryptography," Section 10.5: "Implementing Secure Protocols."

  ===========

• Question 213:

  Recently, two large engineering companies in the same line of business decided to approach cyberthreats in a united way. Which of the following best describes this unified approach?

  A. NDA
  B. ISA
  C. SLA
  D. MOU
  D. MOU

  ---

  Explanation

  Given the scenario of two large engineering companies joining forces to address cyberthreats in a united way, the most fitting description of their approach is a Memorandum of Understanding (MOU). This document formalizes their agreement to cooperate on cybersecurity matters, outlining their shared objectives, responsibilities, and possibly the methods they will use to collaborate effectively in combating cyber threats.

• Question 214:

  An organization wants to implement a secure cloud architecture across all instances. Given the following requirements:

  1.

  Establish a standard network template.

  2.

  Deployments must be consistent.

  3.

  Security policies must be able to be changed at scale. Which of the following technologies meets these requirements?

  A. Serverless deployment model
  B. Container orchestration
  C. Infrastructure as code
  D. CLI cloud administration
  E. API gateway
  C. Infrastructure as code

  ---

• Question 215:

  A security engineer wants to reduce the attack surface of a public-facing containerized application

  Which of the following will best reduce the application's privilege escalation attack surface?

  A. Implementing the following commands in the Dockerfile: RUN echo user:x:1000:1000iuser:/home/user:/dew/null > /ete/passwd
  B. Installing an EDR on the container's host with reporting configured to log to a centralized SIFM and Implementing the following alerting rules TF PBOCESS_USEB=rooC ALERT_TYPE=critical
  C. Designing a muiticontainer solution, with one set of containers that runs the mam application, and another set oi containers that perform automatic remediation by replacing compromised containers or disabling compromised accounts
  D. Running the container in an isolated network and placing a load balancer in a public- facing network. Adding the following ACL to the load balancer: PZRKZI HTTES from 0-0.0.0.0/0 pert 443
  A. Implementing the following commands in the Dockerfile: RUN echo user:x:1000:1000iuser:/home/user:/dew/null > /ete/passwd

  ---

  Explanation

  Implementing the given commands in the Dockerfile ensures that the container runs with non-root user privileges. Running applications as a non-root user reduces the risk of privilege escalation attacks because even if an attacker compromises the application, they would have limited privileges and would not be able to perform actions that require root access. A. Implementing the following commands in the Dockerfile: This directly addresses the privilege escalation attack surface by ensuring the application does not run with elevated privileges.

  B. Installing an EDR on the container's host: While useful for detecting threats, this does not reduce the privilege escalation attack surface within the containerized application.

  C. Designing a multi-container solution: While beneficial for modularity and remediation, it does not specifically address privilege escalation.

  D. Running the container in an isolated network: This improves network security but does not directly reduce the privilege escalation attack surface.

  References: CompTIA Security+ Study Guide Docker documentation on security best practices NIST SP 800-190, "Application Container Security Guide"

• Question 216:

  A security engineer must resolve a vulnerability in a deprecated version of Python for a custom-developed flight simul-ation application that is monitored and controlled remotely. The source code is proprietary and built with Python functions running on the Ubuntu operating system. Version control is not enabled for the application in development or production. However, the application must remain online in the production environment using built-in features. Which of the following solutions best reduces the attack surface of these issues and meets the outlined requirements?

  A. Configure code-signing within the CI/CD pipeline, update Python with aptitude, and update modules with pip in a test environment. Deploy the solution to production.
  B. Enable branch protection in the GitHub repository. Update Python with aptitude, and update modules with pip in a test environment. Deploy the solution to production.
  C. Use an NFS network share. Update Python with aptitude, and update modules with pip in a test environment. Deploy the solution to production.
  D. Configure version designation within the Python interpreter. Update Python with aptitude, and update modules with pip in a test environment. Deploy the solution to production.
  A. Configure code-signing within the CI/CD pipeline, update Python with aptitude, and update modules with pip in a test environment. Deploy the solution to production.

  ---

  Explanation

  Code-signing within theCI/CD pipelineensures that only verified and signed code is deployed, mitigating the risk of supply chain attacks. Updating Python withaptitude and updating modules withpipensures vulnerabilities are patched. Deploying the solution to production after testing maintains application availability while securing the development lifecycle. Branch protection (B)applies only to version-controlled environments, which is not the case here. NFS network share (C)does not address the deprecated Python vulnerability. Version designation (D)does not eliminate security risks from outdated dependencies.

  CompTIA SecurityX (CAS-005) Exam Objectives- Domain 3.0 (Security Engineering), Section onSoftware Assurance and Secure Development

• Question 217:

  Which of the following best explains the business requirement a healthcare provider fulfills by encrypting patient data at rest?

  A. Securing data transfer between hospitals
  B. Providing for non-repudiation data
  C. Reducing liability from identity theft
  D. Protecting privacy while supporting portability.
  D. Protecting privacy while supporting portability.

  ---

  Explanation

  Encrypting patient data at rest is a critical requirement for healthcare providers to ensure compliance with regulations such as the Health Insurance Portability and Accountability Act (HIPAA). The primary business requirement fulfilled by this

  practice is the protection of patient privacy while supporting the portability of medical information. By encrypting data at rest, healthcare providers safeguard sensitive patient information from unauthorized access, ensuring that privacy is

  maintained even if the storage media are compromised. Additionally, encryption supports the portability of patient records, allowing for secure transfer and access across different systems and locations while ensuring that privacy controls are

  in place.

  References:

  CompTIA SecurityX Study Guide: Emphasizes the importance of data encryption for protecting sensitive information and ensuring compliance with regulatory requirements.

  HIPAA Security Rule: Requires healthcare providers to implement safeguards, including encryption, to protect patient data.

  "Health Informatics: Practical Guide for Healthcare and Information Technology Professionals" by Robert

  E. Hoyt: Discusses encryption as a key measure for protecting patient data privacy and supporting data portability.

• Question 218:

  Which of the following supports the process of collecting a large pool of behavioral observations to inform decision-making?

  A. Linear regression
  B. Distributed consensus
  C. Big Data
  D. Machine learning
  C. Big Data

  ---

  Explanation

  Collecting a large pool of behavioral observations requires handling vast datasets, which is the domain ofBig Data. Big Data technologies enable the storage, processing, and analysis of large-scale data (e.g., user behavior logs) to inform

  decisions, a key capability in security analytics.

  Option A:Linear regression is a statistical method for modeling relationships, not collecting data.

  Option B:Distributed consensus relates to agreement in distributed systems (e.g., blockchain), not data collection.

  Option C:Big Data directly supports collecting and analyzing large datasets for insights, fitting the question perfectly.

  Option D:Machine learning uses data to train models but relies on data being collected first, often via Big Data.

  CompTIA SecurityX CAS-005 Domain 3: Research, Development, and Collaboration ?Data Analytics for Security.

• Question 219:

  SIMULATION

  An IPSec solution is being deployed. The configuration files for both the VPN concentrator and the AAA server are shown in the diagram.

  Complete the configuration files to meet the following requirements:

  1. The EAP method must use mutual certificate-based authentication (With issued client certificates).

  2. The IKEv2 Cipher suite must be configured to the MOST secure authenticated mode of operation,

  3. The secret must contain at least one uppercase character, one lowercase character, one numeric character, and one special character, and it must meet a minimum length requirement of eight characters.

  INSTRUCTIONS

  Click on the AAA server and VPN concentrator to complete the configuration.

  Fill in the appropriate fields and make selections from the drop-down menus.

  

  VPN Concentrator:

  

  AAA Server:

  

  A. See the complete solution below in Explanation.
  B. PlaceHolder
  C. PlaceHolder
  D. PlaceHolder
  A. See the complete solution below in Explanation.

  ---

  Explanation

  VPN Concentrator:

  

  AAA Server:

  

• Question 220:

  A Chief Information Security Officer requests an action plan to remediate vulnerabilities. A security analyst reviews the output from a recent vulnerability scan and notices hundreds of unique vulnerabilities. The output includes the CVSS score, IP address, hostname, and the list of vulnerabilities. The analyst determines more information is needed in order to decide which vulnerabilities should be fixed immediately. Which of the following is the best source for this information?

  A. Third-party risk review
  B. Business impact analysis
  C. Incident response playbook
  D. Crisis management plan
  B. Business impact analysis

  ---

  The correct source is the Business Impact Analysis (BIA). A BIA provides context about which systems and applications are most critical to business operations, regulatory compliance, and customer obligations. While CVSS scores indicate severity in technical terms, they do not reflect the business impact of exploitation. For example, a medium-severity vulnerability on a critical payment system may pose more business risk than a high-severity vulnerability on a test server.

  Option A (third-party risk review) focuses on vendor security posture, not internal remediation priorities.

  Option C (incident response playbook) guides response during active incidents, not vulnerability prioritization.

  Option D (crisis management plan) addresses executive-level communications during crises, not technical risk assessment.

  By combining vulnerability scan data with BIA context, security teams can prioritize remediation efforts based on business-critical systems, ensuring the highest-risk vulnerabilities are remediated first. This aligns with CAS-005's guidance on risk-based prioritization of remediation efforts.