CompTIA CAS-005 Online Practice Questions and Exam Preparation

CompTIA CAS-005 Online Questions & Answers

• Question 231:

  An organization is developing an in-house software platform to support capital planning and reporting functions. In addition to role-based access controls and auditing/logging capabilities, the product manager must include requirements associated with archiving data and immutable backups. Which of the following organizational considerations are most likely associated with this requirement? (Select two)

  A. Crypto-export management controls
  B. Supply chain weaknesses
  C. Device attestation
  D. Quality assurance
  E. Legal hold compliance
  F. Ransomware resilience
  E. Legal hold compliance
  F. Ransomware resilience

  ---

  The requirements for archiving data and immutable backups directly align with legal hold compliance (E) and ransomware resilience (F).

  Legal hold compliance ensures that organizations can retain data in a tamper-proof manner when required for litigation, regulatory mandates, or audits. Immutable backups satisfy this by preventing unauthorized changes or deletion, ensuring evidence and records are preserved.

  Ransomware resilience is also a key factor. Immutable backups allow recovery from ransomware attacks, as attackers cannot encrypt or delete data stored in read-only or write-once media. This reduces downtime and supports business continuity.

  Options A (crypto-export), B (supply chain), C (device attestation), and D (quality assurance) do not relate directly to data archiving or immutable storage.

  CAS-005 stresses aligning security controls with business continuity and compliance requirements. By focusing on legal and ransomware-related considerations, the organization ensures both regulatory and operational resilience.

• Question 232:

  A company wants to implement hardware security key authentication for accessing sensitive information systems. The goal is to prevent unauthorized users from gaining access with a stolen password. Which of the following models should the company implement to best solve this issue?

  A. Rule based
  B. Time-based
  C. Role based
  D. Context-based
  D. Context-based

  ---

  Explanation

  Context-based authentication enhances traditional security methods by incorporating additional layers of information about the user's current environment and behavior. This can include factors such as the user's location, the time of access,

  the device used, and the behavior patterns. It is particularly useful in preventing unauthorized access even if an attacker has obtained a valid password.

  Rule-based (A) focuses on predefined rules and is less flexible in adapting to dynamic threats.

  Time-based (B) authentication considers the time factor but doesn't provide comprehensive protection against stolen credentials. Role-based (C) is more about access control based on the user's role within the organization rather than

  authenticating the user based on current context. By implementing context-based authentication, the company can ensure that even if a password is compromised, the additional contextual factors required for access (which an attacker is

  unlikely to possess) provide a robust defense mechanism.

  References:

  CompTIA SecurityX guide on authentication models and best practices. NIST guidelines on authentication and identity proofing. Analysis of multi-factor and adaptive authentication techniques.

• Question 233:

  Anorganization has noticed an increase in phishing campaigns utilizingtyposquatting. A security analyst needs to enrich the data for commonly used domains against the domains used in phishing campaigns. The analyst uses a log forwarder to forward network logs to the SIEM. Which of the following would allow the security analyst to perform this analysis?

  A. Use acron jobto regularly update and compare domains.
  B. Create aparserthat matches domains.
  C. Develop aquerythat filters out all matching domain names.
  D. Implement adashboardon the SIEM that shows the percentage of traffic by domain.
  D. Implement adashboardon the SIEM that shows the percentage of traffic by domain.

  ---

  Enriching data to compare domains requires actionable visibility. Let's analyze:

  A. Cron job:Automates updates but doesn't analyze in the SIEM.

  B. Parser:Processes logs but doesn't provide comparison insights.

  C. Filter query:Excludes matches, opposite of enrichment.

  CompTIA SecurityX (CAS-005) objectives, Domain 2: Security Operations, covering SIEM analysis.

• Question 234:

  An organization recently implemented a new email DLP solution. Emails sent from company email addresses to matching personal email addresses generated a large number of alerts, but the content of the emails did not include company data. The security team needs to reduce the number of emails sent without blocking all emails to common personal email services. Which of the following should the security team implement first?

  A. Automatically quarantine outgoing email.
  B. Create an acceptable use policy.
  C. Enforce email encryption standards.
  D. Perform security awareness training focusing on phishing.
  B. Create an acceptable use policy.

  ---

  Explanation

  Anacceptable use policy (AUP)defines what is considered appropriate use of corporate email and prevents unnecessary emails to personal accounts. This helps in reducing false DLP alerts while maintaining compliance.

  Quarantining emails (A)is unnecessary since the content was not flagged as sensitive.

  Encryption (C)secures emails but does not address overuse. Phishing awareness training (D)is unrelated to policy enforcement for outgoing emails.

  CompTIA SecurityX (CAS-005) Exam Objectives- Domain 1.0 (Governance, Risk,

  and Compliance), Section onSecurity and Reporting Frameworks

• Question 235:

  A security architect is designing Zero Trust enforcement policies for all end users. The majority of users work remotely and travel frequently for work. Which of the following controls should the security architect do first?

  A. Switch user MFA from software-based tokens to hardware time-based OTPs.
  B. Implement TLS decryption and inspect inbound and outbound network traffic.
  C. Enforce daily posture compliance checks against the endpoint security controls.
  D. Deploy context-aware reauthentication with UBA baseline deviations.
  D. Deploy context-aware reauthentication with UBA baseline deviations.

  ---

  Zero Trust security is based on the principle of "never trust, always verify." For a mobile and frequently traveling workforce, enforcing rigid access models without adaptability creates friction and hampers productivity. The first priority in Zero Trust design for such a workforce is to deploy context-aware reauthentication combined with User Behavior Analytics (UBA). This ensures that deviations from baseline user behavior--such as unusual geographic access, time of day anomalies, or device changes--trigger

  additional authentication or session restrictions.

  Option A (hardware OTPs) enhances authentication security but does not provide adaptive, risk-based controls for varying user behavior. Option B (TLS decryption) focuses on network traffic inspection, which is important but secondary to ensuring identity and access enforcement in a Zero Trust model. Option C (posture compliance checks) is necessary but typically part of ongoing device security enforcement rather than the initial step.

  By starting with context-aware reauthentication, the organization ensures its Zero Trust strategy adapts dynamically to user behavior, providing both stronger security and a smoother experience for a global, remote workforce.

• Question 236:

  A security analyst received a report that an internal web page is down after a company- wide update to the web browser Given the following error message:

  Your connection is not private.

  Attackers might be trying to steal your information for www.internalwebsite.company.com.

  NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM

  Which of the following is the best way to fix this issue?

  A. Rewriting any legacy web functions
  B. Disabling all deprecated ciphers
  C. Blocking all non-essential pons
  D. Discontinuing the use of self-signed certificates
  D. Discontinuing the use of self-signed certificates

  ---

  Explanation

  The error message "NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM" indicates that the web browser is rejecting the certificate because it uses a weak signature algorithm. This commonly happens with self-signed certificates, which

  often use outdated or insecure algorithms.

  Why Discontinue Self-Signed Certificates?

  Security Compliance: Modern browsers enforce strict security standards and may reject certificates that do not comply with these standards. Trusted Certificates: Using certificates from a trusted Certificate Authority (CA) ensures compliance

  with security standards and is less likely to be flagged as insecure.

  Weak Signature Algorithm: Self-signed certificates might use weak algorithms like MD5 or SHA-1, which are considered insecure.

  Other options do not address the specific cause of the certificate error:

  A. Rewriting legacy web functions: Does not address the certificate issue.

  B. Disabling deprecated ciphers: Useful for improving security but not related to the certificate error.

  C. Blocking non-essential ports: This is unrelated to the issue of certificate validation.

  References: CompTIA SecurityX Study Guide "Managing SSL/TLS Certificates," OWASP "Best Practices for Certificate Management," NIST Special Publication 800-57

• Question 237:

  An organization would like to increase the effectiveness of its incident response process across its multiplatform environment. A security engineer needs to implement the improvements using the organization's existing incident response tools. Which of the following should the security engineer use?

  A. Playbooks
  B. Event collectors
  C. Centralized logging
  D. Endpoint detection
  A. Playbooks

  ---

  The correct answer is Playbooks (A). In incident response, playbooks are structured workflows that define step-by-step actions for specific incident types (e.g., ransomware, phishing, insider threats). They allow SOC analysts to standardize responses across multiple platforms and tools, ensuring consistency and faster mitigation. By leveraging playbooks, organizations integrate existing incident response tools into automated or semi-automated processes, improving efficiency and reducing human error.

  Option B (event collectors) consolidate logs but do not directly improve response processes.

  Option C (centralized logging) enhances visibility but does not provide a framework for action.

  Option D (endpoint detection) expands detection capabilities but does not enhance the process effectiveness of incident response.

  CAS-005 emphasizes structured response through automation and orchestration. Playbooks, often implemented via SOAR platforms, allow integration of detection, triage, and remediation steps, making them the most effective way to increase incident response maturity.

• Question 238:

  During a recent security event, access from the non-production environment to the production environment enabled unauthorized users to:

  Install unapproved software

  Make unplanned configuration changes

  During the investigation, the following findings were identified:

  Several new users were added in bulkby the IAM team Additional firewalls and routers were recently added Vulnerability assessments have been disabled for more than 30 days. The application allow list has not been modified in two weeks.

  Logs were unavailable for various types of traffic Endpoints have not been patched in over ten days.

  Which of the following actions would most likely need to be taken to ensure proper monitoring?(Select two)

  A. Disable bulk user creationsby the IAM team
  B. Extend log retention for all security and network devices to180 days for all traffic
  C. Review the application allow listdaily
  D. Routinely update all endpoints and network devices as soon as new patches/hot fixes are available
  E. Ensure all network and security devices are sending relevant data to the SIEM
  F. Configure firewall rules to only allow production-to-non-production traffic
  A. Disable bulk user creationsby the IAM team
  D. Routinely update all endpoints and network devices as soon as new patches/hot fixes are available
  E. Ensure all network and security devices are sending relevant data to the SIEM

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  Understanding the Security Event:

  Why Options A, D, and E are Correct:

  Why Other Options Are Incorrect:

  CompTIA SecurityX CAS-005 Official Study Guide:IAM, Patch Management and SIEM Logging Best Practices

  NIST 800-53 (AC-2, AU-12):Audit Logging and Access Control

• Question 239:

  An organization is implementing Zero Trust architecture A systems administrator must increase the effectiveness of the organization's context-aware access system. Which of the following is the best way to improve the effectiveness of the system?

  A. Secure zone architecture
  B. Always-on VPN
  C. Accurate asset inventory
  D. Microsegmentation
  D. Microsegmentation

  ---

  Explanation

  Microsegmentation is a critical strategy within Zero Trust architecture that enhances context-aware access systems by dividing the network into smaller, isolated segments. This reduces the attack surface and limits lateral movement of

  attackers within the network. It ensures that even if one segment is compromised, the attacker cannot easily access other segments. This granular approach to network security is essential for enforcing strict access controls and monitoring

  within Zero Trust environments.

  CompTIA SecurityX Study Guide, Chapter on Zero Trust Security, Section on Microsegmentation and Network Segmentation.

• Question 240:

  A building camera is remotely accessed and disabled from the remote console application during off-hours. A security analyst reviews the following logs:

  

  A security architect is onboarding a new EDR agent on servers that traditionally do not have internet access. In order for the agent to receive updates and report back to the management console, some changes must be made. Which of the following should the architect do to best accomplish this requirement? (Select two).

  A. Create a firewall rule to only allow traffic from the subnet to the internet via a proxy.
  B. Configure a proxy policy that blocks all traffic on port 443.
  C. Configure a proxy policy that allows only fully qualified domain names needed to communicate to a portal.
  D. Create a firewall rule to only allow traffic from the subnet to the internet via port 443.
  E. Create a firewall rule to only allow traffic from the subnet to the internet to fully qualified names that are not identified as malicious by the firewall vendor.
  F. Configure a proxy policy that blocks only lists of known-bad, fully qualified domain names.
  A. Create a firewall rule to only allow traffic from the subnet to the internet via a proxy.
  C. Configure a proxy policy that allows only fully qualified domain names needed to communicate to a portal.

  ---

  Explanation