CompTIA CAS-005 Online Practice Questions and Exam Preparation

CompTIA CAS-005 Online Questions & Answers

• Question 261:

  A help desk analyst suddenly begins receiving numerous calls from remote employees who state they are unable to connect to the VPN. The employees indicate the VPN client software is warning about an expired certificate. The help desk analyst determines the VPN certificate is valid. Which of the following is the most likely cause of the issue?

  A. The certificate has been compromised and needs to be replaced.
  B. The VPN concentrator is running an old version of code and needs to be upgraded.
  C. The NTP settings on the VPN concentrator are incorrectly configured.
  D. The end users are using outdated VPN client software.
  C. The NTP settings on the VPN concentrator are incorrectly configured.

  ---

  Explanation

  The issue described--where remote employees are unable to connect to the VPN due to warnings about an expired certificate despite the certificate being valid--is likely caused by incorrect NTP (Network Time Protocol) settings on the VPN concentrator. NTP is crucial for ensuring that the system clocks across network devices are synchronized with accurate time. Certificates have a validity period defined by start and end dates, and they rely on the system clock to determine whether they are valid or expired. If the system clock on the VPN concentrator is incorrect due to misconfigured NTP settings, the VPN concentrator may mistakenly believe that the certificate has expired when it actually hasn't. This would result in VPN clients displaying warnings about expired certificates and refusing to connect. Therefore, ensuring correct NTP configuration on the VPN concentrator is essential to resolve this issue.

• Question 262:

  A manufacturing plant is updating its IT services. During discussions, the senior management team created the following list of considerations:

  1.

  Staff turnover is high and seasonal.

  2.

  Extreme conditions often damage endpoints.

  3.

  Losses from downtime must be minimized.

  4.

  Regulatory data retention requirements exist.

  Which of the following best addresses the considerations?

  A. Establishing further environmental controls to limit equipment damage
  B. Using a non-persistent virtual desktop interface with thin clients
  C. Deploying redundant file servers and configuring database journaling
  D. Maintaining an inventory of spare endpoints for rapid deployment
  B. Using a non-persistent virtual desktop interface with thin clients

  ---

  The best solution is to use a non-persistent virtual desktop infrastructure (VDI) with thin clients (B). Thin clients are inexpensive, easy to replace, and resilient in harsh environments where traditional endpoints may be damaged. With non-persistent VDI, employee desktops are virtualized and reset to a clean state after logout, reducing risks from turnover, malware persistence, or user misconfiguration. Centralized management ensures consistent patching and security updates while minimizing downtime,

  since damaged thin clients can be swapped quickly with minimal disruption.

  Option A (environmental controls) may reduce equipment damage but does not address turnover or regulatory retention requirements.

  Option C (redundant servers and journaling) improves data integrity but does not solve endpoint-related risks or staffing issues.

  Option D (maintaining spare endpoints) mitigates hardware failures but still relies on managing and configuring full systems, which is inefficient for high-turnover environments.

  CAS-005 emphasizes virtualization and centralization strategies in environments where operational resilience, rapid recovery, and compliance are critical. Non-persistent VDI with thin clients provides the most comprehensive solution here.

• Question 263:

  An incident response team is analyzing malware and observes the following:

  1.Does not execute in a sandbox

  2.No network loCs

  3.No publicly known hash match

  4.No process injection method detected

  Which of the following should the team do next to proceed with further analysis?

  A. Use an online vims analysis tool to analyze the sample
  B. Check for an anti-virtualization code in the sample
  C. Utilize a new deployed machine to run the sample.
  D. Search oilier internal sources for a new sample.
  B. Check for an anti-virtualization code in the sample

  ---

  Explanation

  Malware that does not execute in a sandbox environment often contains anti-analysis techniques, such as anti-virtualization code. This code detects when the malware is running in a virtualized environment and alters its behavior to avoid

  detection. Checking for anti-virtualization code is a logical next step because:

  It helps determine if the malware is designed to evade analysis tools. Identifying such code can provide insights into the malware's behavior and intent. This step can also inform further analysis methods, such as running the malware on

  physical hardware.

  References:

  CompTIA Security+ Study Guide

  SANS Institute, "Malware Analysis Techniques"

  "Practical Malware Analysis" by Michael Sikorski and Andrew Honig

• Question 264:

  A company sells a security appliance assembled from globally sourced hardware and software components. Installing the security appliance requires enabling administrative permissions for the service accounts on the appliance. Which of the following allows the company to reassure new and existing customers that the risk introduced by the appliance is minimal?

  A. The results of a qualitative risk analysis performed on the appliance
  B. A business impact analysis and risk prioritization process
  C. Results of internal risk reduction studies conducted by a third-party assessor
  D. A transparent supply chain risk management and testing program
  D. A transparent supply chain risk management and testing program

  ---

• Question 265:

  During DAST scanning, applications are consistently reporting code defects in open-source libraries that were used to build web applications. Most of the code defects are from using libraries with known vulnerabilities. The code defects are causing product deployment delays. Which of the following is the best way to uncover these issues earlier in the life cycle?

  A. Directing application logs to the SIEM for continuous monitoring
  B. Modifying the WAF policies to block against known vulnerabilities
  C. Completing an IAST scan against the web application
  D. Using a software dependency management solution
  D. Using a software dependency management solution

  ---

  Explanation

• Question 266:

  An organization recently hired a third party to audit the information security controls present in the environment. After reviewing the audit findings, the Chief Information Security Officer (CISO) approved the budget for an in-depth defense strategy for network security. Which of the following is the most likely reason the CISO approved the additional budget?

  A. Other departments had unused budget, which was transferred to IT security
  B. Potential customers increasingly asked for security compliance reports.
  C. The previous network architecture contained controls that could be easily bypassed.
  D. The auditor reported a low score on the PCI DSS self-assessment questionnaire.
  C. The previous network architecture contained controls that could be easily bypassed.

  ---

  The most likely driver for approving additional network security budget is that the audit revealed that the existing architecture contained security controls that could be easily bypassed. This indicates fundamental weaknesses in defense-in-depth and suggests that attackers could gain access to sensitive systems or data despite the presence of controls.

  Option A (unused budgets) is not a strategic reason for approving security investment. Option B (compliance reports requested by customers) may influence investment in compliance initiatives, but it does not explain the need for an in-depth defense architecture. Option D (PCI DSS low score) is a compliance-specific issue but would not, on its own, drive a broad architectural budget approval unless PCI was the only focus.

  Security audits often uncover systemic flaws--such as flat networks, insufficient segmentation, or single points of failure--that create the conditions for bypassing controls. Addressing these issues requires rearchitecting the environment, introducing layered defenses, and strengthening monitoring capabilities, all of which demand significant budget. Thus, option C aligns with the decision to invest in robust defense-in-depth strategies.

• Question 267:

  After a cybersecurity incident, a security analyst was able to collect a binary that the attacker used on the compromised server. Then the analyst ran the following command: Which of the following options describes what the analyst is trying to do?

  

  A. To reconstruct the timeline of commands executed by the binary
  B. To extract IOCs from the binary used in the attack
  C. To replicate the attack in a secure environment
  B. To extract IOCs from the binary used in the attack

  ---

  Explanation

• Question 268:

  An external threat actor attacks public infrastructure providers. In response to the attack and during follow-up activities, various providers share information obtained during their response efforts. After the attack, energy sector companies share their status and response data:

  

  Which of the following is the most important issue to address to defend against future attacks?

  A. Failure to implement a UEBA system
  B. Failure to implement a DLP system
  C. Failure to join the industry ISAC
  D. Failure to integrate with the TIP
  C. Failure to join the industry ISAC

  ---

  Explanation

  The data provided shows that all companies have SIEM systems, but they differ in their implementation of UEBA, DLP, ISAC membership, and TIP integration. The key metric to evaluate is the effectiveness in detecting and responding to

  attacks, as shown by the "Time to Detect" and "Time to Respond" columns.

  Company 1, which is an ISAC member, has the fastest detection (10 minutes) and response (20 minutes) times.

  Company 3, which is not an ISAC member, has slower detection (12 minutes) and response (24 minutes) times, despite having UEBA and TIP integration. Company 2, which lacks TIP integration but is an ISAC member, has the slowest

  times (20 minutes to detect, 40 minutes to respond).

  This suggests that ISAC membership correlates with faster detection and response, likely due to access to shared threat intelligence.

  According to the CompTIA SecurityX CAS-005 objectives (Domain 2: Security Operations, Section 2.2), Information Sharing and Analysis Centers (ISACs) are critical for enabling organizations to share real-time threat intelligence within their

  industry. ISACs provide access to actionable intelligence, best practices, and coordinated response strategies, which are essential for defending against sophisticated attacks targeting critical infrastructure like the energy sector.

  The lack of ISAC membership (Company 3) limits access to this intelligence, hindering proactive defense and response capabilities. While UEBA, DLP, and TIP integration are valuable, they are more focused on internal monitoring, data

  protection, and individual threat intelligence feeds, respectively, and do not provide the same industry-wide collaboration as an ISAC.

  CompTIA SecurityX CAS-005 Official Study Guide, Domain 2: Security Operations, Section 2.2:

  "Explain the importance of threat intelligence sharing and collaboration, including ISACs."

  CAS-005 Exam Objectives, Section 2.2:

  "Analyze the impact of information sharing on incident response efficiency."

• Question 269:

  A security analyst notices a number of SIEM events that show the following activity: 10/30/2020 - 8:01 UTC - 192.168.1.1 - sc stop HinDctend 10/30/2020 - 8:05 UTC - 192.168.1.2 - c:\program files\games\comptidcasp.exe 10/30/2020 - 8:07 UTC - 192.168.1.1 - c:\windows\system32\cmd.exe /c powershell

  10/30/2020 - 8:07 UTC - 192.168.1.1 - powershell --> 40.90.23.154:443 Which of the following response actions should the analyst take first?

  A. Disable powershell.exe on all Microsoft Windows endpoints
  B. Restart Microsoft Windows Defender
  C. Configure the forward proxy to block 40.90.23.154
  D. Disable local administrator privileges on the endpoints
  C. Configure the forward proxy to block 40.90.23.154

  ---

  Explanation

  The first immediate action in an active incident is containment.Blocking the IP address (40.90.23.154) at the network edge prevents further communication with the malicious external server. Disabling PowerShell or removing local admin

  privileges are valid hardening steps, but containment by network control is the highest priority during an active compromise to stop data exfiltration or further command and control activity.

  CompTIA SecurityX CAS-005, Domain 2.0: Apply incident response techniques focusing on immediate containment actions.

• Question 270:

  DRAG DROP

  A security consultant is considering authentication options for a financial institution. The following authentication options are available security mechanism to the appropriate use case. Options may be used once.

  Select and Place:

  

  

  Explanation