CompTIA CAS-005 Online Practice Questions and Exam Preparation

CompTIA CAS-005 Online Questions & Answers

• Question 241:

  An organization is looking for gaps in its detection capabilities based on the APTs that may target the industry.

  Which of the following should the security analyst use to perform threat modeling?

  A. ATTandCK
  B. OWASP
  C. CAPEC
  D. STRIDE
  A. ATTandCK

  ---

  Explanation

  The ATTandCK (Adversarial Tactics, Techniques, and Common Knowledge) framework is the best tool for a security analyst to use for threat modeling when looking for gaps in detection capabilities based on Advanced Persistent Threats

  (APTs) that may target the industry. Here's why:

  Comprehensive Framework: ATTandCK provides a detailed and structured repository of known adversary tactics and techniques based on real-world observations. It helps organizations understand how attackers operate and what techniques

  they might use.

  Gap Analysis: By mapping existing security controls against the ATTandCK matrix, analysts can identify which tactics and techniques are not adequately covered by current detection and mitigation measures. Industry Relevance: The ATTandCK

  framework is continuously updated with the latest threat intelligence, making it highly relevant for industries facing APT threats. It provides insights into specific APT groups and their preferred methods of attack.

• Question 242:

  An organization is implementing advanced security controls associated with the execution of software applications on corporate endpoints. The organization must implement a deny-all, permit-by-exception approach to software authorization for all systems regardless of OS.

  Which of the following should be implemented to meet these requirements?

  A. SELinux
  B. MDM
  C. XDR
  D. Block list
  E. Atomic execution
  D. Block list

  ---

  Explanation

  Understanding the Scenario: The organization wants a strict application control policy: deny all software execution by default and only allow specifically authorized applications. This must be enforced across all operating systems. It is implied that they mean an Allow list, but Block List is the only reasonable answer.

• Question 243:

  A security officer received several complaints from users about excessive MFA push notifications at night. The security team investigated and suspects malicious activity related to user account authentication.

  Which of the following is the best way for the security officer to restrict MFA notifications?

  A. Provisioning FIDO2 devices
  B. Deploying a text message–based MFA
  C. Enabling OTP via email
  D. Configuring prompt-driven MFA
  D. Configuring prompt-driven MFA

  ---

  Explanation

  Excessive MFA push notifications can be a sign of an attempted push notification attack, where attackers repeatedly send MFA prompts hoping the user will eventually approve one by mistake. To mitigate this:

  A. Provisioning FIDO2 devices: While FIDO2 devices offer strong authentication, they may not be practical for all users and do not directly address the issue of excessive push notifications.

  B. Deploying a text message-based MFA: SMS-based MFA can still be vulnerable to similar spamming attacks and phishing.

  C. Enabling OTP via email: Email-based OTPs add another layer of security but do not directly solve the issue of excessive notifications.

  D. Configuring prompt-driven MFA: This option allows users to respond to prompts in a secure manner,

  often including features like time-limited approval windows, additional verification steps, or requiring specific actions to approve. This can help prevent users from accidentally approving malicious attempts. Configuring prompt-driven MFA is

  the best solution to restrict unnecessary MFA notifications and improve security.

  References:

  CompTIA Security+ Study Guide

  NIST SP 800-63B, "Digital Identity Guidelines"

  "Multi-Factor Authentication: Best Practices" by Microsoft

• Question 244:

  A security configure isbuilding a solution to disable weak CBC configuration for remote access connections lo Linux systems. Which of the following should the security engineer modify?

  A. The /etc/openssl.conf file, updating the virtual site parameter
  B. The /etc/nsswith.conf file, updating the name server
  C. The /etc/hosts file, updating the IP parameter
  D. The /etc/etc/sshd, configure file updating the ciphers
  D. The /etc/etc/sshd, configure file updating the ciphers

  ---

  The sshd_config file is the main configuration file for the OpenSSH server. To disable weak CBC (Cipher Block Chaining) ciphers for SSH connections, the security engineer should modify the sshd_config file to update the list of allowed ciphers. This file typically contains settings for the SSH daemon, including which encryption algorithms are allowed.

  By editing the /etc/ssh/sshd_config file and updating the Ciphers directive, weak ciphers can be removed, and only strong ciphers can be allowed. This change ensures that the SSH server does not use insecure encryption methods.

  References:

  CompTIA Security+ Study Guide

  OpenSSH manual pages (man sshd_config)

  CIS Benchmarks for Linux

• Question 245:

  A security architect is troubleshooting an issue with an OIDC implementation. The architect reviews the following configuration and errors:

  

  Error: Invalid authentication request code

  Which of the following is the most likely cause of the error?

  A. The redirect-url parameter is not in the allowed list of redirect hosts in the configuration.
  B. Introspection is not enabled within the OIDC code implementation.
  C. The encoding of the URL parameters on the proxy system is failing.
  D. The state parameter is being reused within the authentication challenge.
  E. OAuth 2.0 was unable to verify the lack of an interception attack.
  A. The redirect-url parameter is not in the allowed list of redirect hosts in the configuration.

  ---

• Question 246:

  A risk assessment determined that company data was leaked to the general public during a migration. Which of the following best explains the root cause of this issue?

  A. Incomplete firewall rules between the CSP and on-premises infrastructure
  B. Insufficient logging of cloud activities to company SIEM
  C. Failure to implement full disk encryption to on-premises data storage
  D. Misconfiguration of access controls on cloud storage containers
  D. Misconfiguration of access controls on cloud storage containers

  ---

  Explanation

  During a migration, data is often moved to cloud storage containers. If these containers are not properly configured, they may be accessible to the public or unauthorized users, leading to data leaks. Misconfigurations such as setting permissions to public or not restricting access appropriately are common causes of data breaches in cloud environments.

• Question 247:

  Users must accept the terms presented in a captive petal when connecting to a guest network. Recently, users have reported that they are unable to access the Internet after joining the network A network engineer observes the following:

  1.Users should be redirected to the captive portal.

  2.The Motive portal runs Tl. S 1 2

  3.Newer browser versions encounter security errors that cannot be bypassed

  4.Certain websites cause unexpected re directs

  Which of the following mow likely explains this behavior?

  A. The TLS ciphers supported by the captive portal ate deprecated
  B. Employment of the HSTS setting is proliferating rapidly.
  C. Allowed traffic rules are causing the NIPS to drop legitimate traffic
  D. An attacker is redirecting supplicants to an evil twin WLAN.
  A. The TLS ciphers supported by the captive portal ate deprecated

  ---

  Explanation

  The most likely explanation for the issues encountered with the captive portal is that the TLS ciphers supported by the captive portal are deprecated. Here's why:

  TLS Cipher Suites: Modern browsers are continuously updated to support the latest security standards and often drop support for deprecated and insecure cipher suites. If the captive portal uses outdated TLS ciphers, newer browsers may

  refuse to connect, causing security errors.

  HSTS and Browser Security: Browsers with HTTP Strict Transport Security (HSTS) enabled will not allow connections to sites with weak security configurations. Deprecated TLS ciphers would cause these browsers to block the connection.

  References:

  By updating the TLS ciphers to modern, supported ones, the security engineer can ensure compatibility with newer browser versions and resolve the connectivity issues reported by users.

• Question 248:

  During an incident response activity, the response team collected some artifacts from a compromised server, but the following information is missing:

  1.

  Source of the malicious files

  2.

  Initial attack vector

  3.

  Lateral movement activities

  The next step in the playbook is to reconstruct a timeline. Which of the following best supports this effort?

  A. Executing decompilation of binary files
  B. Analyzing all network routes and connections
  C. Performing primary memory analysis
  D. Collecting operational system logs and storage disk data
  D. Collecting operational system logs and storage disk data

  ---

• Question 249:

  A local government that is investigating a data exfiltration claim was asked to review the fingerprint of the malicious user's actions. An investigator took a forensic image of the VM and downloaded the image to a secured USB drive to share with the government.

  Which of the following should be taken into consideration during the process of releasing the drive to the government?

  A. Encryption in transit
  B. Legal issues
  C. Chain of custody
  D. Order of volatility
  E. Key exchange
  C. Chain of custody

  ---

  Explanation

  Chain of custody ensures that evidence is protected, documented, and accounted for from the moment it is collected until it is presented in court or a legal proceeding. Properly maintaining chain of custody is critical to proving that the

  evidence has not been tampered with. Although encryption protects data during transit, and legal issues are important, without a documented chain of custody, the integrity of the evidence itself could be challenged and invalidated.

  CompTIA SecurityX CAS-005, Domain 2.0: Apply forensic procedures for collecting, securing, and documenting evidence to maintain chain of custody.

• Question 250:

  A security analyst received a report that a suspicious flash drive was picked up in the office's waiting area, located beyond the secured door. The analyst investigated the drive and found malware designed to harvest and transmit credentials. Security cameras in the area where the flash drive was discovered showed a vendor representative dropping the drive. Which of the following should the analyst recommend as an additional way to identify anyone who enters the building, in the event the camera system fails?

  A. Employee badge logs
  B. Phone call logs
  C. Vehicle registration logs
  D. Visitor logs
  D. Visitor logs

  ---

  Explanation