Practice Free CAS-005 Exam Online Questions
A company’s security policy states that any publicly available server must be patched within 12 hours after a patch is released.
A recent IIS zero-day vulnerability was discovered that affects all versions of the Windows Server OS:
Which of the following hosts should a security analyst patch first once a patch is available?
- A . 1
- B . 2
- C . 3
- D . 4
- E . 5
- F . 6
A
Explanation:
Based on the security policy that any publicly available server must be patched within 12 hours after a patch is released, the security analyst should patch Host 1 first.
Here’s why:
Public Availability: Host 1 is externally available, making it accessible from the internet. Publicly available servers are at higher risk of being targeted by attackers, especially when a zero-day vulnerability is known.
Exposure to Threats: Host 1 has IIS installed and is publicly accessible, increasing its exposure to potential exploitation. Patching this host first reduces the risk of a successful attack.
Prioritization of Critical Assets: According to best practices, assets that are exposed to higher risks should be prioritized for patching to mitigate potential threats promptly.
Reference: CompTIA Security+ SY0-601 Study Guide by Mike Chapple and David Seidl
NIST Special Publication 800-40: Guide to Enterprise Patch Management Technologies
CIS Controls: Control 3 – Continuous Vulnerability Management (v7 numbering; Control 7 in v8)
A vulnerability scan on a web server identified the following:
Which of the following actions would most likely eliminate on-path decryption attacks? (Select two).
- A . Disallowing cipher suites that use ephemeral modes of operation for key agreement
- B . Removing support for CBC-based key exchange and signing algorithms
- C . Adding TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256
- D . Implementing HIPS rules to identify and block BEAST attack attempts
- E . Restricting cipher suites to only allow TLS_RSA_WITH_AES_128_CBC_SHA
- F . Increasing the key length to 256 for TLS_RSA_WITH_AES_128_CBC_SHA
B, C
Explanation:
On-path decryption attacks such as BEAST (Browser Exploit Against SSL/TLS) exploit weaknesses in CBC (Cipher Block Chaining) mode as it is used by SSL 3.0 and TLS 1.0, and the later CBC padding-oracle attacks depend on the same mode.
To mitigate these attacks, the following actions are recommended:
B. Removing support for CBC-based cipher suites: strictly speaking, CBC is a block-cipher mode of operation rather than a key exchange or signing algorithm, but the intent of the option is to drop every suite whose record protection uses CBC. With no CBC suite negotiable, BEAST and the CBC padding-oracle class have nothing to attack. Replace them with AEAD suites (AES-GCM or ChaCha20-Poly1305), which authenticate the ciphertext and have no padding to exploit.
C. Adding TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256: this suite uses Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) for key agreement, which provides forward secrecy, so a later compromise of the server's private key does not let a recorded session be decrypted. AES-256 in GCM mode is an AEAD mode and is not affected by the CBC attacks. The SHA256 in the name is the handshake PRF/HMAC hash; record integrity in a GCM suite comes from the GCM authentication tag rather than from a separate HMAC.
The remaining options move in the wrong direction: A would remove the ephemeral key agreement that provides forward secrecy; E and F both keep a static-RSA CBC suite (F simply names a different CBC suite with a longer key, which does nothing about the mode); and D tries to detect the attack on the host instead of removing the condition it depends on, which is why it cannot eliminate it.
Reference: CompTIA Security+ Study Guide
NIST SP 800-52 Rev. 2, "Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations"
OWASP (Open Web Application Security Project) guidelines on cryptography and secure communication
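As an added example (not part of the original question or its references), the following Python applies the two criteria this question turns on, ephemeral key agreement and an AEAD record mode, to IANA cipher-suite names. The suite list is constructed for illustration and is not the page's scan output; the check is purely name-based and assumes the server reports suites in IANA format, so it is a policy-linting step to run over a scanner's output, not a substitute for the scan itself.

```python
import re

# Constructed sample list (not the page's scan output): the suites named in the
# question plus common modern ones, so the policy check can run offline.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
]

# TLS 1.2 and earlier names: TLS_<key exchange>_WITH_<cipher>_<hash>.
TLS12_RE = re.compile(r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>[A-Z0-9_]+)$")

NO_PFS = "no forward secrecy (static key exchange)"
CBC = "CBC mode (BEAST / padding-oracle exposure)"
NOT_AEAD = "non-AEAD record protection"


def is_aead(cipher_part):
    """AES-GCM, AES-CCM and ChaCha20-Poly1305 are the AEAD constructions in TLS."""
    return "_GCM_" in cipher_part or "_CCM" in cipher_part or "CHACHA20_POLY1305" in cipher_part


def classify(suite):
    """Return the list of policy findings for one IANA suite name ([] means acceptable)."""
    suite = suite.strip().upper()
    m = TLS12_RE.match(suite)
    if m is None:
        # TLS 1.3 names carry no key-exchange field: every 1.3 handshake is
        # (EC)DHE and every 1.3 suite is AEAD, so they pass as-is.
        if suite.startswith("TLS_") and is_aead(suite):
            return []
        raise ValueError(f"unrecognised cipher suite name: {suite}")
    kx, cipher = m.group("kx"), m.group("cipher")
    findings = []
    # Ephemeral (EC)DHE gives forward secrecy; static RSA key transport (TLS_RSA_*)
    # lets anyone who later obtains the server key decrypt recorded sessions.
    if not (kx.startswith("ECDHE_") or kx.startswith("DHE_")):
        findings.append(NO_PFS)
    if "_CBC_" in cipher:
        findings.append(CBC)
    elif not is_aead(cipher):
        findings.append(NOT_AEAD)
    return findings


def audit(suites):
    """Map each suite name to its findings, preserving input order."""
    return {s: classify(s) for s in suites}


def hardened_policy(suites):
    """Keep only suites with no findings: ephemeral key exchange and an AEAD mode."""
    return [s for s in suites if not classify(s)]


if __name__ == "__main__":
    for suite, findings in audit(SAMPLE_SUITES).items():
        print(f"{suite:48s} {'OK' if not findings else '; '.join(findings)}")
    print("negotiable after hardening:", hardened_policy(SAMPLE_SUITES))
```

Running it shows why options E and F fail: TLS_RSA_WITH_AES_256_CBC_SHA is flagged on both counts exactly like its 128-bit sibling, because the key length is not the property under attack. The same function accepts TLS 1.3 names, which never carry a key-exchange field because the protocol only permits ephemeral (EC)DHE.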
A security analyst notices a number of SIEM events that show the following activity:
10/30/2020 – 8:01 UTC – 192.168.1.1 – sc stop WinDefend
10/30/2020 – 8:05 UTC – 192.168.1.2 – c:\program files\games\comptidcasp.exe
10/30/2020 – 8:07 UTC – 192.168.1.1 – c:\windows\system32\cmd.exe /c powershell
10/30/2020 – 8:07 UTC – 192.168.1.1 – powershell -> 40.90.23.154:443
Which of the following response actions should the analyst take first?
- A . Disable powershell.exe on all Microsoft Windows endpoints
- B . Restart Microsoft Windows Defender
- C . Configure the forward proxy to block 40.90.23.154
- D . Disable local administrator privileges on the endpoints
C
Explanation:
The first immediate action in an active incident is containment. The sequence on 192.168.1.1 is a complete attack chain: the Defender service is stopped, cmd.exe launches PowerShell, and PowerShell connects out to 40.90.23.154 on port 443, which is an active command-and-control channel. Blocking that address at the forward proxy cuts the channel and stops exfiltration or further tasking while the host is investigated. Disabling PowerShell on every endpoint or removing local administrator rights are valid hardening steps, but they are broad, slow to roll out and do nothing about the connection already in progress; restarting Defender treats one symptom on one host. Blocking a single IP is only the first step, since the attacker can move to new infrastructure: isolating 192.168.1.1, re-enabling Defender and collecting volatile evidence should follow immediately.
Reference: CompTIA SecurityX CAS-005, Domain 2.0: Apply incident response techniques focusing on immediate containment actions.
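An added example, not from the original page or the CAS-005 material: a small Python triage routine that parses SIEM lines in the format shown above (constructed copies of those lines; the field separator and spacing are assumptions about the export format), tags the three stages of the attack chain and orders the response so the external address is blocked before the host is isolated. The rule names and action wording are the editor's choices.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed copies of the SIEM lines from the question (separator and
# spacing are assumptions about the export format, not a real SIEM schema).
SAMPLE_EVENTS = [
    "10/30/2020 - 8:01 UTC - 192.168.1.1 - sc stop WinDefend",
    "10/30/2020 - 8:05 UTC - 192.168.1.2 - c:\\program files\\games\\comptidcasp.exe",
    "10/30/2020 - 8:07 UTC - 192.168.1.1 - c:\\windows\\system32\\cmd.exe /c powershell",
    "10/30/2020 - 8:07 UTC - 192.168.1.1 - powershell -> 40.90.23.154:443",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Accept either a hyphen or an en dash as the field separator.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s*[-–]\s*(?P<time>\d{1,2}:\d{2})\s*UTC\s*[-–]\s*"
    r"(?P<host>" + IPV4 + r")\s*[-–]\s*(?P<event>.+)$"
)
CONN_RE = re.compile(r"->\s*(?P<ip>" + IPV4 + r")\s*:\s*(?P<port>\d+)")


def parse(line):
    """Split one SIEM line into date/time/host/event, or None if it doesn't fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(event):
    """Return (tag, detail) findings for a single event string."""
    findings = []
    # Stage 1: defence evasion, the Defender service being stopped with sc.
    if re.search(r"\bsc(?:\.exe)?\s+stop\s+windefend\b", event, re.I):
        findings.append(("defense_evasion", "Windows Defender service stopped via sc"))
    # Stage 2: a LOLBin chain, cmd.exe handing off to PowerShell.
    if re.search(r"cmd\.exe.*\bpowershell\b", event, re.I):
        findings.append(("lolbin", "cmd.exe spawning PowerShell"))
    # Stage 3: PowerShell opening a connection to a non-private address.
    m = CONN_RE.search(event)
    if m and re.search(r"\bpowershell\b", event, re.I):
        ip = ipaddress.ip_address(m.group("ip"))
        if not ip.is_private:
            findings.append(("c2_candidate", f"PowerShell connecting out to {ip}:{m.group('port')}"))
    return findings


def triage(lines):
    """Correlate findings per host and order the response: cut the channel first."""
    per_host = defaultdict(list)
    external_ips = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for tag, detail in detect(rec["event"]):
            per_host[rec["host"]].append((rec["time"], tag, detail))
            if tag == "c2_candidate":
                ip = CONN_RE.search(rec["event"]).group("ip")
                if ip not in external_ips:
                    external_ips.append(ip)
    # Rank hosts by how many distinct stages of the chain they tripped.
    ranked = sorted(per_host, key=lambda h: len({t for _, t, _ in per_host[h]}), reverse=True)
    actions = [f"block {ip} at the forward proxy/egress firewall" for ip in external_ips]
    actions += [f"isolate {h}, re-enable Defender, collect volatile evidence" for h in ranked]
    return {
        "hosts": {h: [t for _, t, _ in per_host[h]] for h in ranked},
        "external_ips": external_ips,
        "actions": actions,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host, tags in result["hosts"].items():
        print(host, "->", ", ".join(tags))
    for step, action in enumerate(result["actions"], 1):
        print(f"{step}. {action}")
```

On the sample lines only 192.168.1.1 trips any rule, and it trips all three, so it ranks first; the action list puts the proxy block ahead of host isolation because the block is a single network change that stops the channel for every host at once, while the per-host steps follow. A connection to a private address would not be tagged, which keeps ordinary internal PowerShell remoting out of the queue.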
A malware researcher has discovered a credential stealer is looking at a specific memory register to harvest passwords that will be used later for lateral movement in corporate networks. The malware is using TCP 4444 to communicate with other workstations.
The lateral movement would be best mitigated by:
- A . Configuring the CPU’s NX bit
- B . Enabling a host firewall
- C . Enabling an edge firewall
- D . Enforcing all systems to use UEFI
- E . Enabling ASLR on the Active Directory server
B
Explanation:
The malware uses TCP 4444 to move laterally between workstations. A host-based firewall on each workstation can block that port (or, better, deny all inbound workstation-to-workstation traffic by default and allow only what is needed), so the malware cannot establish connections and spread. Simply switching the firewall on with a permissive rule set changes nothing; the control is the inbound policy. Configuring the CPU's NX bit and enabling ASLR mitigate memory-corruption exploits, not lateral movement, and ASLR on the Active Directory server protects one server rather than the workstations being targeted. Enforcing UEFI (with Secure Boot) protects boot integrity but does not affect active network communication. An edge firewall sits at the network perimeter and never sees internal workstation-to-workstation traffic.
Reference: CompTIA SecurityX CAS-005, Domain 2.0: Implement host-based security solutions, including host-based firewalls to mitigate threats.
Company A acquired Company B. During an audit, a security engineer found Company B’s environment was inadequately patched. In response, Company A placed a firewall between the two environments until Company B’s infrastructure could be integrated into Company A’s security program.
Which of the following risk-handling techniques was used?
- A . Accept
- B . Avoid
- C . Transfer
- D . Mitigate
D
Explanation:
Risk mitigation involves taking actions to reduce either the likelihood or impact of a threat. By implementing a firewall between the two environments, Company A is minimizing the risk of threats from Company B impacting its own systems. Accepting the risk would involve taking no action, avoiding it would mean terminating activities with Company B, and transferring would involve outsourcing the risk, none of which occurred here.
Reference: CompTIA SecurityX CAS-005, Domain 1.0: Apply appropriate risk response techniques to identified risks.
A user submits a help desk ticket stating their account does not authenticate sometimes. An analyst reviews the following logs for the user:
Which of the following best explains the reason the user’s access is being denied?
- A . incorrectly typed password
- B . Time-based access restrictions
- C . Account compromise
- D . Invalid user-to-device bindings
B
Explanation:
The logs reviewed for the user indicate that access is being denied due to time-based access restrictions. These restrictions are commonly implemented to limit access to systems during specific hours to enhance security. If a user attempts to authenticate outside of the allowed time window, access will be denied. This measure helps prevent unauthorized access during non-business hours, reducing the risk of security incidents.
Reference: CompTIA SecurityX Study Guide: Covers various access control methods, including time-based restrictions, as a means of enhancing security.
NIST Special Publication 800-53, "Security and Privacy Controls for Information Systems and Organizations": Recommends the use of time-based access restrictions as part of access control policies.
"Access Control and Identity Management" by Mike Chapple and Aaron French: Discusses the implementation and benefits of time-based access restrictions.
Which of the following should the engineer prioritize for remediation?
- A . Apache HTTP Server
- B . OpenSSH
- C . Google Chrome
- D . Migration to TLS 1.3
B
Explanation:
The OpenSSH vulnerability is on a public-facing host and carries a critical CVSS score of 9.2.
An exploitable SSH service can lead directly to server compromise.
Although the Apache finding has a higher score, that host is internal and not reachable from the internet.
From CAS-005, Domain 3: Vulnerability Management:
“Prioritize external vulnerabilities with high CVSS and exposed attack surfaces.”
Reference: CAS-005 Guide, Chapter 7: Vulnerability Prioritization, pp. 140-143
Within a SCADA environment, a business unit needs access to the historian server in order to gather metrics about the functionality of the environment.
Which of the following actions should be taken to address this requirement?
- A . Isolating the historian server for connections only from The SCADA environment
- B . Publishing the C$ share from SCADA to the enterprise
- C . Deploying a screened subnet between IT and SCADA
- D . Adding the business workstations to the SCADA domain
A
Explanation:
The best action to address the requirement of accessing the historian server within a SCADA system is to isolate the historian server so that it accepts connections only from the SCADA environment.
Here's why:
Security and Isolation: Isolating the historian server ensures that only authorized devices within the SCADA environment can connect to it. This minimizes the attack surface and protects process data from unauthorized access.
Access Control: By restricting access to the historian server to SCADA devices, the organization can better control and monitor interactions, ensuring that only legitimate queries and data retrievals occur.
Best Practices for Critical Infrastructure: Following the principle of least privilege, isolating critical components like the historian server is standard practice in securing SCADA systems. In the NIST SP 800-82 and ISA/IEC 62443 reference architectures the business side is served by a replica historian placed in a screened subnet (DMZ) between the enterprise and control zones, so enterprise hosts never open connections into the SCADA zone; the production historian itself accepts connections only from the control network, which is what option A describes. Options B and D extend the enterprise trust boundary into SCADA, the opposite of segmentation.
Reference: CompTIA Security+ SY0-601 Study Guide by Mike Chapple and David Seidl
NIST Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security
ISA/IEC 62443 Standards: Security for Industrial Automation and Control Systems
A systems administrator wants to reduce the number of failed patch deployments in an organization.
The administrator discovers that system owners modify systems or applications in an ad hoc manner.
Which of the following is the best way to reduce the number of failed patch deployments?
- A . Compliance tracking
- B . Situational awareness
- C . Change management
- D . Quality assurance
C
Explanation:
To reduce the number of failed patch deployments, the systems administrator should implement a robust change management process. Change management ensures that all modifications to systems or applications are planned, tested, and approved before deployment. This systematic approach reduces the risk of unplanned changes that can cause patch failures and ensures that patches are deployed in a controlled and predictable manner.
Reference: CompTIA SecurityX Study Guide: Emphasizes the importance of change management in maintaining system integrity and ensuring successful patch deployments.
ITIL (Information Technology Infrastructure Library) Framework: Provides best practices for change management in IT services.
"The Phoenix Project" by Gene Kim, Kevin Behr, and George Spafford: Discusses the critical role of change management in IT operations and its impact on system stability and reliability.
An organization is required to
* Respond to internal and external inquiries in a timely manner
* Provide transparency.
* Comply with regulatory requirements
The organization has not experienced any reportable breaches but wants to be prepared if a breach occurs in the future.
Which of the following is the best way for the organization to prepare?
- A . Outsourcing the handling of necessary regulatory filing to an external consultant
- B . Integrating automated response mechanisms into the data subject access request process
- C . Developing communication templates that have been vetted by internal and external counsel
- D . Conducting lessons-learned activities and integrating observations into the crisis management plan
C
Explanation:
Preparing communication templates that have been vetted by both internal and external counsel ensures that the organization can respond quickly and effectively to internal and external inquiries, comply with regulatory requirements, and provide transparency in the event of a breach.
Why Communication Templates?
Timely Response: Pre-prepared templates ensure that responses are ready to be deployed quickly, reducing response time.
Regulatory Compliance: Templates vetted by counsel ensure that all communications meet legal and regulatory requirements.
Consistent Messaging: Ensures that all responses are consistent, clear, and accurate, maintaining the organization's credibility.
Crisis Management: Pre-prepared templates are a critical component of a broader crisis management plan, ensuring that all stakeholders are informed appropriately.
Other options, while useful, do not provide the same level of preparedness and compliance: