CompTIA CAS-005 Online Practice Questions and Exam Preparation

CompTIA CAS-005 Online Questions & Answers

• Question 311:

  SIMULATION

  

  A. See the complete solution below in Explanation.
  B. PlaceHoder
  C. PlaceHoder
  D. PlaceHoder
  A. See the complete solution below in Explanation.

  ---

  Explanation

  Step 1: Verify that the certificate is valid or not. In case of any warning message, cancel the download.

  Step 2: If certificate issue is not there then, download the file in your system.

  Step 3: Calculate the hash value of the downloaded file.

  Step 4: Match the hash value of the downloaded file with the one which you selected on the website. Step 5: Install the file if the hash value matches.

• Question 312:

  A company implemented a NIDS and a NIPS on the most critical environments. Since this implementation, the company has been experiencing network connectivity issues. Which of the following should the security architect recommend for a new NIDS/NIPS implementation?

  A. Implementing the NIDS with a port mirror in the core switch and the NIPS in the main firewall
  B. Implementing the NIDS and the NIPS together with the main firewall
  C. Implementing a NIDS without a NIPS to increase the detection capability
  D. Implementing the NIDS in the bastion host and the NIPS in the branch network router
  A. Implementing the NIDS with a port mirror in the core switch and the NIPS in the main firewall

  ---

  Explanation

• Question 313:

  A pharmaceutical lab hired a consultant to identify potential risks associated with Building 2, a new facility that is under construction. The consultant received the IT project plan, which includes the following VLAN design:

  

  Which of the following TTPs should the consultant recommend be addressed first?

  A. Zone traversal
  B. Unauthorized execution
  C. Privilege escalation
  D. Lateral movement
  A. Zone traversal

  ---

  Explanation

  The regulated lab environment (Yes) shares the same VLAN (10.2.0.0/22) with users, creating a zone traversal risk from unregulated zones to sensitive data networks. This allows pivoting and lateral movement from non-regulated user

  devices into regulated lab environments -- a classic zone boundary violation.

  Zone traversal should be mitigated through network segmentation and firewall enforcement.

  From CAS-005, Domain 2: Risk Management and Mitigation Strategies

  CAS-005 Study Guide, Chapter 8: Network Segmentation and Zoning, pp. 152?54

• Question 314:

  A systems administrator wants to reduce the number of failed patch deployments in an organization. The administrator discovers that system owners modify systems or applications in an ad hoc manner.

  Which of the following is the best way to reduce the number of failed patch deployments?

  A. Compliance tracking
  B. Situational awareness
  C. Change management
  D. Quality assurance
  C. Change management

  ---

  Explanation

  To reduce the number of failed patch deployments, the systems administrator should implement a robust change management process. Change management ensures that all modifications to systems or applications are planned, tested, and

  approved before deployment. This systematic approach reduces the risk of unplanned changes that can cause patch failures and ensures that patches are deployed in a controlled and predictable manner.

  References:

  CompTIA SecurityX Study Guide: Emphasizes the importance of change management in maintaining system integrity and ensuring successful patch deployments.

  ITIL (Information Technology Infrastructure Library) Framework: Provides best practices for change management in IT services.

  "The Phoenix Project" by Gene Kim, Kevin Behr, and George Spafford: Discusses the critical role of change management in IT operations and its impact on system stability and reliability.

• Question 315:

  A systems administrator works with engineers to process and address vulnerabilities as a result of continuous scanning activities. The primary challenge faced by the administrator is differentiating between valid and invalid findings.

  Which of the following would the systems administrator most likely verify is properly configured?

  A. Report retention time
  B. Scanning credentials
  C. Exploit definitions
  D. Testing cadence
  B. Scanning credentials

  ---

  Explanation

  When differentiating between valid and invalid findings from vulnerability scans, the systems administrator should verify that the scanning credentials are properly configured. Valid credentials ensure that the scanner can authenticate and

  access the systems being evaluated, providing accurate and comprehensive results. Without proper credentials, scans may miss vulnerabilities or generate false positives, making it difficult to prioritize and address the findings effectively.

  References:

  CompTIA SecurityX Study Guide: Highlights the importance of using valid credentials for accurate vulnerability scanning.

  "Vulnerability Management" by Park Foreman: Discusses the role of scanning credentials in obtaining accurate scan results and minimizing false positives. "The Art of Network Security Monitoring" by Richard Bejtlich: Covers best practices

  for configuring and using vulnerability scanning tools, including the need for valid credentials.

• Question 316:

  A company's SICM is continuously reporting false positives and false negatives. The security operations team has implemented configuration changes to troubleshoot possible reporting errors.

  Which of the following sources of information best supports the required analysts process? (Select two).

  A. Third-party reports and logs
  B. Trends
  C. Dashboards
  D. Alert failures
  E. Network traffic summaries
  F. Manual review processes
  A. Third-party reports and logs
  B. Trends

  ---

  Explanation

  When dealing with false positives and false negatives reported by a Security Information and Event Management (SIEM) system, the goal is to enhance the accuracy of the alerts and ensure that actual threats are identified correctly. The following sources of information best support the analysis process:

  A. Third-party reports and logs: Utilizing external sources of information such as threat intelligence reports, vendor logs, and other third-party data can provide a broader perspective on potential threats. These sources often contain valuable

  insights and context that can help correlate events more accurately, reducing the likelihood of false positives and false negatives.

  B. Trends: Analyzing trends over time can help in understanding patterns and anomalies in the data. By

  observing trends, the security team can distinguish between normal and abnormal behavior, which aids in fine-tuning the SIEM configurations to better detect true positives and reduce false alerts. Other options such as dashboards, alert

  failures, network traffic summaries, and manual review processes are also useful but are more operational rather than foundational for understanding the root causes of reporting errors in SIEM configurations.

  References:

  CompTIA SecurityX Study Guide: Emphasizes the importance of leveraging external threat intelligence and historical trends for accurate threat detection. NIST Special Publication 800-92, "Guide to Computer Security Log Management":

  Highlights best practices for log management, including the use of third-party sources and trend analysis to improve incident detection. "Security Information and Event Management (SIEM) Implementation" by David Miller: Discusses the use

  of external intelligence and trends to enhance SIEM accuracy.

• Question 317:

  During a security assessment using an CDR solution, a security engineer generates the following report about the assets in me system:

  

  After five days, the EDR console reports an infection on the host 0WIN23 by a remote access Trojan Which of the following is the most probable cause of the infection?

  A. OW1N23 uses a legacy version of Windows that is not supported by the EDR
  B. LN002 was not supported by the EDR solution and propagates the RAT
  C. The EDR has an unknown vulnerability that was exploited by the attacker.
  D. 0W1N29 spreads the malware through other hosts in the network
  A. OW1N23 uses a legacy version of Windows that is not supported by the EDR

  ---

  Explanation

  OWIN23 is running Windows 7, which is a legacy operating system. Many EDR solutions no longer provide full support for outdated operating systems like Windows 7, which has reached its end of life and is no longer receiving security updates from Microsoft. This makes such systems more vulnerable to infections and attacks, including remote access Trojans (RATs).

  A. OWIN23 uses a legacy version of Windows that is not supported by the EDR: This is the most probable cause because the lack of support means that the EDR solution may not fully protect or monitor this system, making it an easy target for infections.

  B. LN002 was not supported by the EDR solution and propagates the RAT: While LN002 is unmanaged, it is less likely to propagate the RAT to OWIN23 directly without an established vector.

  C. The EDR has an unknown vulnerability that was exploited by the attacker: This is possible but less likely than the lack of support for an outdated OS.

  D. OWIN29 spreads the malware through other hosts in the network: While this could happen, the status indicates OWIN29 is in a bypass mode, which might limit its interactions but does not directly explain the infection on OWIN23.

  References: CompTIA Security+ Study Guide NIST SP 800-53, "Security and Privacy Controls for Information Systems and Organizations" Microsoft's Windows 7 End of Support documentation

• Question 318:

  A security engineer is assisting a DevOps team that has the following requirements for container images:

  1.Ensure container images are hashed and use version controls.

  2.Ensure container images are up to date and scanned for vulnerabilities.

  Which of the following should the security engineer do to meet these requirements?

  A. Enable clusters on the container image and configure the mesh with ACLs.
  B. Enable new security and quality checks within a CI/CD pipeline.
  C. Enable audits on the container image and monitor for configuration changes.
  D. Enable pulling of the container image from the vendor repository and deploy directly to operations.
  B. Enable new security and quality checks within a CI/CD pipeline.

  ---

  Explanation

  Implementing security and quality checks in a CI/CD pipeline ensures that:

  Container images are scanned for vulnerabilities before deployment.

  Version control is enforced, preventing unauthorized changes.

  Hashes validate image integrity.

  Other options:

  A (Configuring ACLs on mesh networks) improves access control but does not ensure scanning.

  C (Audits on container images) detect changes but do not enforce best practices.

  D (Pulling from a vendor repository) does not ensure vulnerability scanning.

• Question 319:

  Which of the following are the best ways to mitigate the threats that are the highest priority? (Select two).

  A. Isolate network systems using Zero Trust architecture with microsegmentation and SD-WAN
  B. Scan all systems and source code with access to sensitive data for vulnerabilities.
  C. Implement a cloud access security broker and place it in blocking mode to prevent information exfiltration.
  D. Apply data labeling to all sensitive information within the environment with special attention to payroll information.
  E. Institute a technical approval process that requires multiple parties to sign off on mass payroll changes.
  A. Isolate network systems using Zero Trust architecture with microsegmentation and SD-WAN
  E. Institute a technical approval process that requires multiple parties to sign off on mass payroll changes.

  ---

• Question 320:

  While reviewing recent modem reports, a security officer discovers that several employees were contacted by the same individual who impersonated a recruiter.

  Which of the following best describes this type of correlation?

  A. Spear-phishing campaign
  B. Threat modeling
  C. Red team assessment
  D. Attack pattern analysis
  A. Spear-phishing campaign

  ---

  Explanation

  The situation where several employees were contacted by the same individual impersonating a recruiter best describes a spear-phishing campaign. Here's why:

  Targeted Approach: Spear-phishing involves targeting specific individuals within an organization with personalized and convincing messages to trick them into divulging sensitive information or performing actions that compromise security.

  Impersonation: The use of impersonation, in this case, a recruiter, is a common tactic in spear-phishing to gain the trust of the targeted individuals and increase the likelihood of a successful attack. Correlated Contacts: The fact that several

  employees were contacted by the same individual suggests a coordinated effort to breach the organization's security by targeting multiple points of entry through social engineering.