CompTIA CAS-005 Online Practice Questions and Exam Preparation

CompTIA CAS-005 Online Questions & Answers

• Question 301:

  A security analyst is reviewing a SIEM and generates the following report:

  

  Later, the incident response team notices an attack was executed on the VM001 host. Which of the following should the security analyst do to enhance the alerting process on the SIEM platform?

  A. Include the EDR solution on the SIEM as a new log source.
  B. Perform a log correlation on the SIEM solution.
  C. Improve parsing of data on the SIEM.
  D. Create a new rule set to detect malware.
  B. Perform a log correlation on the SIEM solution.

  ---

  Explanation

• Question 302:

  A security operations analyst is reviewing network traffic baselines for nightly database backups. Given the following information:

  

  Which of the following should the security analyst do next?

  A. Consult with a network engineer to determine the impact of bandwidth usage
  B. Quarantine PRDDB01 and then alert the database engineers
  C. Refer to the incident response playbook for the proper response
  D. Review all the network logs for further data exfiltration
  D. Review all the network logs for further data exfiltration

  ---

• Question 303:

  An internal security audit determines that Telnet is currently being used within the environment to manage network switches. Which of the following tools should be utilized to identify credentials in plaintext that are used to log in to these devices?

  A. Fuzzer
  B. Network traffic analyzer
  C. HTTP interceptor
  D. Port scanner
  E. Password cracker
  B. Network traffic analyzer

  ---

  Explanation

  A network traffic analyzer (also known as a packet sniffer or protocol analyzer) captures and inspects the data packets traveling over the network. Since Telnet transmits data, including credentials, in plaintext, a network traffic analyzer can be used to capture the packets containing the login credentials as they are sent over the network. Tools like Wireshark are commonly used for this purpose and can help identify and analyze the plaintext credentials.

• Question 304:

  An endpoint security engineer finds that a newly acquired company has a variety of non-standard applications running and no defined ownership for those applications. The engineer needs to find a solution that restricts malicious programs and software from running in that environment, while allowing the non-standard applications to function without interruption.

  Which of the following application control configurations should the engineer apply?

  A. Deny list
  B. Allow list
  C. Audit mode
  D. MAC list
  C. Audit mode

  ---

  Explanation

  Option A: Deny list

  Deny lists block specific applications or processes identified as malicious.

  This approach is reactive and may inadvertently block the non-standard applications that are currently in use without proper ownership.

  Option B: Allow list

  Allow lists permit only pre-approved applications to run.

  While secure, this approach requires defining all non-standard applications, which may disrupt operations in an environment where ownership is unclear.

  Option C: Audit mode

  Correct Answer.

  Audit mode allows monitoring and logging of applications without enforcing restrictions.

  This is ideal in environments with non-standard applications and undefined ownership because it enables the engineer to observe the environment and gradually implement control without interruption. Audit mode provides critical visibility into

  the software landscape, ensuring that necessary applications remain functional.

  Option D: MAC list

  Mandatory Access Control (MAC) lists restrict access based on classification and clearance levels.

  This does not align with application control objectives in this context.

  CompTIA CASP+ Study Guide - Chapters on Endpoint Security and Application Control. CASP+ Objective 2.4: Implement appropriate security controls for enterprise endpoints.

• Question 305:

  A security analyst is performing a review of a web application. During testing as a standard user, the following error log appears:

  Error Message in Database Connection

  Connection to host USA-WebApp-Database failed

  Database "Prod-DB01" not found

  Table "CustomerInfo" not found

  Please retry your request later

  Which of the following best describes the analyst's findings and a potential mitigation technique?

  A. The findings indicate unsecure references. All potential user input needs to be properly sanitized.
  B. The findings indicate unsecure protocols. All cookies should be marked as HttpOnly.
  C. The findings indicate information disclosure. The displayed error message should be modified.
  D. The findings indicate a SQL injection. The database needs to be upgraded.
  C. The findings indicate information disclosure. The displayed error message should be modified.

  ---

  Explanation

  The error message reveals sensitive details (hostnames, database names, table names), constitutinginformation disclosure. This aids attackers in reconnaissance. Mitigation involves modifying the application to display generic error

  messages (e.g., "An error occurred") instead of specifics.

  Option A:Unsecure references suggest coding flaws, but this is a configuration/output issue, not input sanitization. Option B:Unsecure protocols and HttpOnly cookies relate to session security, not error handling. Option C:Correct--information

  disclosure is the issue; generic errors mitigate it. Option D:No evidence of SQL injection (e.g., manipulated input); upgrading the database doesn't address disclosure.

  CompTIA SecurityX CAS-005 Domain 2: Security Architecture ?Secure Application Design and Error Handling.

• Question 306:

  Which of the following best describes the challengesassociated with widespread adoption of homomorphic encryption techniques?

  A. Incomplete mathematical primitives
  B. No use cases to drive adoption
  C. Quantum computers not yet capable
  D. Insufficient coprocessor support
  D. Insufficient coprocessor support

  ---

  Homomorphic encryption allows computations to be performed on encrypted data without decrypting it, preserving confidentiality. However, its adoption faces significant challenges due to performance overhead. According to the CompTIA SecurityX CAS-005 study materials (Domain 3: Cybersecurity Technology, 3.3), homomorphic encryption requires substantial computational resources, which standard processors struggle to provide efficiently. Specialized hardware, such as coprocessors (e.g., GPUs or

  TPUs), is oftenneeded to handle the complex mathematical operations involved. The lack of widespread, optimized coprocessor support in existing infrastructure is a primary barrier to adoption.

  Option A (Incomplete mathematical primitives):While early homomorphic encryption schemes had limitations, modern schemes (e.g., CKKS, BFV) have mature mathematical foundations, making this less of a challenge today.

  Option B (No use cases):Use cases exist, such as secure cloud computing and privacy-preserving data analytics, so this is not accurate.

  Option C (Quantum computers):Homomorphic encryption is not dependent on quantum computing, and quantum computers are unrelated to its current challenges.

  Option D (Insufficient coprocessor support):This is the most accurate, as performance bottlenecks require specialized hardware that is not yet widely available or integrated.

  CompTIA SecurityX CAS-005 Official Study Guide, Domain 3: Cybersecurity Technology, Section 3.3: "Evaluate emerging cryptographic technologies, including homomorphic encryption challenges." CAS-005 Exam Objectives, 3.3: "Analyze barriers to adopting advanced encryption techniques."

• Question 307:

  A SOC analyst is investigating an event in which a penetration tester was able to successfully create and execute a payload. The analyst pulls the following command history from the affected server-

  

  Which of the following should the analyst implement lo improve the security of the server?

  A. Kernel-supported ASLR controls
  B. Application controls with allow lists
  C. OS restrictions of globally writable folders
  D. EDR signatures that terminate specific processes
  B. Application controls with allow lists

  ---

  The best way to mitigate the ability of attackers or penetration testers to execute arbitrary payloads is to enforce application controls with allow lists (B). Application allow listing ensures that only pre-approved, trusted software and scripts can be executed on the system. This prevents attackers from dropping or running malicious binaries, even if they exploit vulnerabilities to gain access. CAS-005 emphasizes allow listing as a preventive control against post-exploitation persistence and lateral movement.

  Option A (ASLR) randomizes memory addresses and helps mitigate buffer overflow exploits but does not directly prevent execution of unauthorized programs.

  Option C (OS restrictions of globally writable folders) improves security hygiene but still does not stop attackers from executing already placed payloads in non- restricted locations.

  Option D (EDR signatures) are reactive and limited, since attackers often use novel or obfuscated payloads not yet captured by signature databases.

  Therefore, implementing application controls with allow lists provides the strongest defense against unauthorized payload execution in this context.

• Question 308:

  An organization is prioritizing efforts to remediate or mitigate risks identified during the latest assessment. For one of the risks, a full remediation was not possible, but the organization was able to successfully apply mitigations to reduce the likelihood of the impact. Which of the following should the organization perform next?

  A. Assess the residual risk.
  B. Update the organization's threat model.
  C. Move to the next risk in the register.
  D. Recalculate the magnitude of the impact.
  A. Assess the residual risk.

  ---

  Explanation

  After applying mitigations that reduce the likelihood of a risk's impact, the next step is to assess the residual risk--the risk that remains after controls are implemented. This ensures the organization understands if the mitigation is sufficient or if

  further action is needed, aligning with risk management best practices. Option A:Correct--residual risk assessment is the logical next step to evaluate the effectiveness of mitigations.

  Option B:Updating the threat model might follow but isn't immediate; residual risk comes first.

  Option C:Moving to the next risk skips evaluating the current mitigation's success. Option D:Recalculating impact magnitude is part of residual risk assessment but isn't the full process.

  CompTIA SecurityX CAS-005 Domain 1: Risk Management ?Risk Mitigation and Residual Risk Analysis.

• Question 309:

  The Chief Information Security Officer (CISO) is working with a new company and needs a legal document to ensure all parties understand their roles during an assessment. Which of the following should the CISO have each party sign?

  A. SLA
  B. ISA
  C. Permissions and access
  D. Rules of engagement
  D. Rules of engagement

  ---

  Explanation

  The Rules of Engagement (ROE) document is essential for ensuring all parties understand their roles, responsibilities, and limitations during an assessment. It provides a clear framework that helps prevent legal and operational misunderstandings, making it the most appropriate choice for the CISO to have each party sign in this scenario.

• Question 310:

  A company recently experienced aransomware attack. Although the company performs systems and data backupon a schedule that aligns with itsRPO (Recovery Point Objective) requirements, thebackup administratorcould not recovercritical systems and datafrom its offline backups to meet the RPO. Eventually, the systems and data were restored with information that wassix months outside of RPO requirements.

  Which of the following actions should the company take to reduce the risk of a similar attack?

  A. Encrypt and label the backup tapes with the appropriate retention schedule before they are sent to the off-site location.
  B. Implement a business continuity process that includes reverting manual business processes.
  C. Perform regular disaster recovery testing of IT and non-IT systems and processes.
  D. Carry out a tabletop exercise to update and verify the RACI matrix with IT and critical business functions.
  C. Perform regular disaster recovery testing of IT and non-IT systems and processes.

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  Understanding the Ransomware Issue:

  Why Option C is Correct:

  Why Other Options Are Incorrect:

  CompTIA SecurityX CAS-005 Official Study Guide:Disaster Recovery and Business Continuity Planning

  NIST SP 800-34:Contingency Planning Guide for Information Systems

  ISO 22301:Business Continuity Management Standards