Practice Free CAS-005 Exam Online Questions
As part of a security audit in the software development life cycle, a product manager must demonstrate and provide evidence of a complete representation of the code and modules used within the production-deployed application prior to the build.
Which of the following best provides the required evidence?
- A . Software composition analysis
- B . Runtime application inspection
- C . Static application security testing
- D . Interactive application security testing
A
Explanation:
Software Composition Analysis (SCA) is the best method for identifying all components, dependencies, and open-source libraries used in an application. It ensures that organizations track and manage vulnerabilities in third-party code before deployment.
SCA tools generate a Software Bill of Materials (SBOM), which provides a full representation of the code and modules used in the application.
Other options:
Static Application Security Testing (SAST) (C) checks for vulnerabilities but does not map dependencies.
Interactive Application Security Testing (IAST) (D) works at runtime, not before deployment.
Runtime Application Self-Protection (RASP) (B) works while the application is running.
Reference: CASP+ CAS-005 Official Study Guide – Chapter on Secure Software Development
A security analyst notices a number of SIEM events that show the following activity:
10/30/2020 – 8:01 UTC – 192.168.1.1 – sc stop WinDefend
10/30/2020 – 8:05 UTC – 192.168.1.2 – c:\program files\games\comptidcasp.exe
10/30/2020 – 8:07 UTC – 192.168.1.1 – c:\windows\system32\cmd.exe /c powershell
10/30/2020 – 8:07 UTC – 192.168.1.1 – powershell -> 40.90.23.154:443
Which of the following response actions should the analyst take first?
- A . Disable powershell.exe on all Microsoft Windows endpoints
- B . Restart Microsoft Windows Defender
- C . Configure the forward proxy to block 40.90.23.154
- D . Disable local administrator privileges on the endpoints
C
Explanation:
The first immediate action in an active incident is containment. Blocking the IP address (40.90.23.154) at the network edge prevents further communication with the malicious external server. Disabling PowerShell or removing local admin privileges are valid hardening steps, but containment by network control is the highest priority during an active compromise to stop data exfiltration or further command and control activity.
Reference: CompTIA SecurityX CAS-005, Domain 2.0: Apply incident response techniques focusing on immediate containment actions.
An analyst has prepared several possible solutions to a successful attack on the company. The solutions need to be implemented with the least amount of downtime.
Which of the following should the analyst perform?
- A . Implement all the solutions at once in a virtual lab and then run the attack simulation. Collect the metrics and then choose the best solution based on the metrics.
- B . Implement every solution one at a time in a virtual lab, running a metric collection each time. After the collection, run the attack simulation, roll back each solution, and then implement the next. Choose the best solution based on the best metrics.
- C . Implement every solution one at a time in a virtual lab, running an attack simulation each time while collecting metrics. Roll back each solution and then implement the next. Choose the best solution based on the best metrics.
- D . Implement all the solutions at once in a virtual lab and then collect the metrics. After collection, run the attack simulation. Choose the best solution based on the best metrics.
C
Explanation:
To minimize downtime, testing should occur in a virtual lab, not production. The best approach is to test solutions methodically: implement one solution at a time, run an attack simulation, collect metrics, roll back, and repeat. This isolates each solution’s effectiveness, ensuring accurate metrics for decision-making without production impact.
Option A: Testing all solutions simultaneously muddies the results; the metrics won’t show which solution worked.
Option B: Collecting metrics before the simulation misses the point of testing against the attack.
Option C: Correct; it tests each solution independently with simulation and metrics, minimizing downtime via virtual lab use.
Option D: Like A, combining solutions obscures individual effectiveness.
Reference: CompTIA SecurityX CAS-005 Domain 4: Cybersecurity Operations – Incident Response and Testing.
A security officer received several complaints from users about excessive MFA push notifications at night. The security team investigates and suspects malicious activity regarding user account authentication.
Which of the following is the best way for the security officer to restrict MFA notifications?
- A . Provisioning FIDO2 devices
- B . Deploying text-message-based MFA
- C . Enabling OTP via email
- D . Configuring prompt-driven MFA
D
Explanation:
Excessive MFA push notifications can be a sign of an attempted push notification attack, where attackers repeatedly send MFA prompts hoping the user will eventually approve one by mistake. To mitigate this:
A company’s help desk is experiencing a large number of calls from the finance department stating access issues to www.bank.com.
The security operations center reviewed the following security logs:
Which of the following is most likely the cause of the issue?
- A . Recursive DNS resolution is failing
- B . The DNS record has been poisoned.
- C . DNS traffic is being sinkholed.
- D . The DNS was set up incorrectly.
C
Explanation:
Sinkholing, or DNS sinkholing, is a method used to redirect malicious traffic to a safe destination. This technique is often employed by security teams to prevent access to malicious domains by substituting a benign destination IP address.
In the given logs, users from the finance department are accessing www.bank.com and receiving HTTP status code 495. This status code is typically indicative of a client certificate error, which can occur if the DNS traffic is being manipulated or redirected incorrectly. The consistency in receiving the same HTTP status code across different users suggests a systematic issue rather than an isolated incident.
Recursive DNS resolution failure (A) would generally lead to inability to resolve DNS at all, not to a specific HTTP error.
DNS poisoning (B) could result in users being directed to malicious sites, but again, would likely result in a different set of errors or unusual activity.
Incorrect DNS setup (D) would likely cause broader resolution issues rather than targeted errors like the one seen here.
By reviewing the provided data, it is evident that the DNS traffic for www.bank.com is being rerouted improperly, resulting in consistent HTTP 495 errors for the finance department users. Hence, the most likely cause is that the DNS traffic is being sinkholed.
Reference: CompTIA SecurityX study materials on DNS security mechanisms.
Standard HTTP status codes and their implications.
A security architect wants to develop a baseline of security configurations. These configurations will automatically be applied when a machine is created.
Which of the following technologies should the security architect deploy to accomplish this goal?
- A . Snort
- B . CASB
- C . Ansible
- D . CMDB
C
Explanation:
To develop a baseline of security configurations that will be automatically utilized when a machine is created, the security architect should deploy Ansible.
Here’s why:
Automation: Ansible is an automation tool that allows for the configuration, management, and deployment of applications and systems. It ensures that security configurations are consistently applied across all new machines.
Scalability: Ansible can scale to manage thousands of machines, making it suitable for large enterprises that need to maintain consistent security configurations across their infrastructure.
Compliance: By using Ansible, organizations can enforce compliance with security policies and standards, ensuring that all systems are configured according to best practices.
Reference: CompTIA Security+ SY0-601 Study Guide by Mike Chapple and David Seidl
Ansible Documentation: Best Practices
NIST Special Publication 800-40: Guide to Enterprise Patch Management Technologies
A global manufacturing company has an internal application that is critical to making products. This application cannot be updated and must be available in the production area. A security architect is implementing security for the application.
Which of the following best describes the action the architect should take?
- A . Disallow wireless access to the application.
- B . Deploy intrusion detection capabilities using a network tap
- C . Create an acceptable use policy for the use of the application
- D . Create a separate network for users who need access to the application
D
Explanation:
Creating a separate network for users who need access to the application is the best action to secure an internal application that is critical to the production area and cannot be updated.
Why a separate network?
Network Segmentation: Isolates the critical application from the rest of the network, reducing the risk of compromise and limiting the potential impact of any security incidents.
Controlled Access: Ensures that only authorized users have access to the application, enhancing security and reducing the attack surface.
Minimized Risk: Segmentation helps in protecting the application from vulnerabilities that could be exploited from other parts of the network.
Other options, while beneficial, do not provide the same level of security for a critical application:
An organization recently implemented a new email DLP solution. Emails sent from company email addresses to matching personal email addresses generated a large number of alerts, but the content of the emails did not include company data. The security team needs to reduce the number of emails sent without blocking all emails to common personal email services.
Which of the following should the security team implement first?
- A . Automatically quarantine outgoing email.
- B . Create an acceptable use policy.
- C . Enforce email encryption standards.
- D . Perform security awareness training focusing on phishing.
B
Explanation:
An acceptable use policy (AUP) defines what is considered appropriate use of corporate email and prevents unnecessary emails to personal accounts. This helps in reducing false DLP alerts while maintaining compliance.
Quarantining emails (A) is unnecessary since the content was not flagged as sensitive.
Encryption (C) secures emails but does not address overuse.
Phishing awareness training (D) is unrelated to policy enforcement for outgoing emails.
Reference: CompTIA SecurityX (CAS-005) Exam Objectives – Domain 1.0 (Governance, Risk, and Compliance), Section on Security and Reporting Frameworks
A security analyst needs to ensure email domains that send phishing attempts without previous communications are not delivered to mailboxes.
The following email headers are being reviewed:
Which of the following is the best action for the security analyst to take?
- A . Block messages from hr-saas.com because it is not a recognized domain.
- B . Reroute all messages with unusual security warning notices to the IT administrator
- C . Quarantine all messages with sales-mail.com in the email header
- D . Block vendor.com for repeated attempts to send suspicious messages
D
Explanation:
In reviewing email headers and determining actions to mitigate phishing attempts, the security analyst should focus on patterns of suspicious behavior and the reputation of the sending domains.
Here’s the analysis of the options provided: