Practice Free CAS-005 Exam Online Questions
A security architect for a global organization with a distributed workforce recently received funding to deploy a CASB solution.
Which of the following most likely explains the choice to use a proxy-based CASB?
- A . The capability to block unapproved applications and services is possible
- B . Privacy compliance obligations are bypassed when using a user-based deployment.
- C . Protecting and regularly rotating API secret keys requires a significant time commitment
- D . Corporate devices cannot receive certificates when not connected to on-premises devices
A
Explanation:
A proxy-based Cloud Access Security Broker (CASB) is chosen primarily for its ability to block unapproved applications and services.
Here’s why:
Application and Service Control: Proxy-based CASBs can monitor and control the use of applications and services by inspecting traffic as it passes through the proxy. This allows the organization to enforce policies that block unapproved applications and services, ensuring compliance with security policies.
Visibility and Monitoring: By routing traffic through the proxy, the CASB can provide detailed visibility into user activities and data flows, enabling better monitoring and threat detection.
Real-Time Protection: Proxy-based CASBs can provide real-time protection against threats by analyzing and controlling traffic before it reaches the end user, thus preventing the use of risky applications and services.
Reference: CompTIA Security+ SY0-601 Study Guide by Mike Chapple and David Seidl; NIST Special Publication 800-125: Guide to Security for Full Virtualization Technologies; Gartner CASB Market Guide
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 34 6d be 66 00 00 00 00 00 00 00 00 e0 00 0f 03 0b 01 05 00 00 70 00 00 00 10 00 00 00 d0 00 00 70 4c 01 00 00 e0 00 00 00 50 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 00 00 00 00 03 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00
Attempts to run the code in a sandbox produce no results.
Which of the following should the malware analyst do next to further analyze the malware and discover useful IoCs?
- A . Convert the hex-encoded sample to binary and attempt to decompile it.
- B . Run the encoded sample through an online vulnerability tool and check for any matches.
- C . Pad the beginning and end of the sample with binary executables and attempt to execute it.
- D . Use a disassembler on the unencoded snippet to convert from binary to ASCII text.
A
Explanation:
The provided hex sequence begins with "4d 5a", which corresponds to the ASCII characters "MZ", indicating the presence of a DOS MZ executable file header. This suggests that the sample is a Windows executable file. To analyze this malware effectively, the analyst should convert the hex-encoded data back into its binary form to reconstruct the executable file. Once converted, the analyst can use decompilation tools to translate the binary code into a higher-level programming language, facilitating a deeper understanding of the malware’s functionality and the extraction of Indicators of Compromise (IoCs).
Other options, such as running the sample through an online vulnerability tool (Option B) or padding it with executables (Option C), are less effective without first converting the hex data back to its original binary form. Using a disassembler on the unencoded snippet (Option D) would not be feasible until the hex data is properly reconstructed into its executable binary format.
Reference: CompTIA SecurityX CAS-005 Official Study Guide, Chapter 5: "Malware Analysis," Section 5.3: "Static and Dynamic Analysis Techniques."
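As an added illustration of option A (this is not code from the exam or the study guide), the script below converts the hex dump from the question back into bytes, confirms the MZ and PE signatures, and reads the COFF and optional header fields an analyst records as first IoCs (architecture, section count, compile timestamp, entry point) before any decompilation. The bucket of machine-type names and the fallback scan for the PE signature are this example's own choices.

```python
import struct
from datetime import datetime, timezone

# Hex-encoded bytes exactly as they appear in the question above (DOS stub plus PE header).
SAMPLE_HEX = """
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
50 45 00 00 4c 01 03 00 34 6d be 66 00 00 00 00 00 00 00 00 e0 00 0f 03 0b 01 05 00 00 70 00 00
00 10 00 00 00 d0 00 00 70 4c 01 00 00 e0 00 00 00 50 01 00 00 00 40 00 00 10 00 00 00 02 00 00
04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 00 00 00 00 03 00 00 00
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00
"""

MACHINE_TYPES = {0x014C: "x86 (I386)", 0x8664: "x64 (AMD64)", 0xAA64: "ARM64"}

def hex_to_bytes(text):
    """Step one of the answer: turn the hex dump back into the raw bytes of the file."""
    return bytes.fromhex("".join(text.split()))

def parse_pe_header(data):
    """Pull the header fields worth recording as IoCs before any decompilation starts."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/Windows executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    pe = e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        # e_lfanew is under the file author's control; scan for the signature so a
        # damaged or deliberately mangled dump can still be triaged.
        pe = data.find(b"PE\0\0")
        if pe < 0:
            raise ValueError("PE signature not found")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, ..., Characteristics
    machine, nsections, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    # Optional header: Magic, linker version, three sizes, AddressOfEntryPoint, BaseOfCode
    magic, _, _, _, _, _, entry_rva, _ = struct.unpack_from("<HBBIIIII", data, pe + 24)
    if magic == 0x10B:    # PE32: BaseOfData, then a 32-bit ImageBase
        image_base = struct.unpack_from("<II", data, pe + 48)[1]
    elif magic == 0x20B:  # PE32+: 64-bit ImageBase directly
        image_base = struct.unpack_from("<Q", data, pe + 48)[0]
    else:
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    return {
        "e_lfanew_valid": e_lfanew == pe,
        "machine": MACHINE_TYPES.get(machine, hex(machine)),
        "sections": nsections,
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "is_dll": bool(chars & 0x2000),
        "entry_point": image_base + entry_rva,
    }
```

The compile timestamp and entry point recovered here are exactly the kind of static IoCs the explanation refers to; a sandbox that produced "no results" would never have shown them.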
A company is preparing to move a new version of a web application to production. No issues were reported during security scanning or quality assurance in the CI/CD pipeline.
Which of the following actions should the company take next?
- A . Merge the test branch to the main branch
- B . Perform threat modeling on the production application
- C . Conduct unit testing on the submitted code
- D . Perform a peer review on the test branch
A
Explanation:
The question states that security scanning and quality assurance (QA) in the CI/CD pipeline have been completed with no issues, indicating that the code in the test branch is ready for production. According to the CompTIA SecurityX CAS-005 study guide (Domain 2: Security Operations, 2.3), in a secure CI/CD pipeline, once code passes automated security scans, QA, and other checks (e.g., unit testing, peer reviews), the next step is to merge the tested branch into the main branch for deployment to production.
Option B: Threat modeling is typically performed earlier, during design or development, not after passing CI/CD checks.
Option C: Unit testing is part of the CI/CD pipeline and should already be completed.
Option D: Peer reviews are conducted before or during the test phase, not after QA and security scans are clear.
Option A: Merging the test branch to the main branch is the logical next step to prepare for production deployment.
Reference: CompTIA SecurityX CAS-005 Official Study Guide, Domain 2: Security Operations, Section 2.3:
"Manage secure software development lifecycles, including CI/CD pipelines."
CAS-005 Exam Objectives, 2.3: "Analyze secure deployment processes in CI/CD environments."
A threat hunter is identifying potentially malicious activity associated with an APT. When the threat hunter runs queries against the SIEM platform with a date range of 60 to 90 days ago, the involved account seems to be typically most active in the evenings. When the threat hunter reruns the same query with a date range of 5 to 30 days ago, the account appears to be most active in the early morning.
Which of the following techniques is the threat hunter using to better understand the data?
- A . TTP-based inquiries
- B . User behavior analytics
- C . Adversary emulation
- D . OSINT analysis activities
B
Explanation:
User behavior analytics (UBA) detects anomalous activity by analyzing historical patterns and comparing them to recent behavior. The time shift in account activity suggests potential compromise or misuse.
TTP-based inquiries (A) focus on known attack tactics, techniques, and procedures but do not involve behavior tracking.
Adversary emulation (C) simulates attacks but does not analyze real data trends.
OSINT analysis (D) gathers intelligence from public sources, which is unrelated to internal account behavior analysis.
Reference: CompTIA SecurityX (CAS-005) Exam Objectives – Domain 4.0 (Security Operations), Section on Threat Intelligence and User Behavior Analytics (UBA)
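To make the UBA technique from this question concrete, the following added example (not from the exam or any vendor tool) builds a constructed set of SIEM login events for one account, profiles the 60-to-90-day window against the 5-to-30-day window by time of day, and flags the account when its dominant login window moves and the two profiles barely overlap. The bucket boundaries and the 0.5 overlap threshold are assumptions an analyst would tune.

```python
from collections import Counter

# Constructed SIEM authentication events for one account, as (days_ago, hour_of_day).
# Not real data: shaped like the scenario above, where the 60-90 day window is
# evening-heavy and the 5-30 day window is early-morning-heavy.
EVENTS = (
    [(d, h) for d in range(60, 91, 3) for h in (18, 19, 20, 21)]  # baseline: evenings
    + [(d, 9) for d in range(60, 91, 10)]                         # a few office-hours logins
    + [(d, h) for d in range(5, 31, 3) for h in (4, 5, 6, 7)]     # recent: early mornings
    + [(d, 19) for d in range(5, 31, 10)]                         # occasional evening login
)

# Time-of-day buckets; an analyst would tune these to the workforce's normal hours.
BUCKETS = {"night": range(0, 4), "early_morning": range(4, 8), "morning": range(8, 12),
           "afternoon": range(12, 18), "evening": range(18, 24)}

def bucket_of(hour):
    for name, hours in BUCKETS.items():
        if hour in hours:
            return name
    raise ValueError("hour out of range: %r" % hour)

def hour_profile(events, oldest, newest):
    """Share of logins per bucket inside a days-ago window (both ends inclusive)."""
    counts = Counter(bucket_of(h) for d, h in events if newest <= d <= oldest)
    total = sum(counts.values())
    return {b: counts[b] / total for b in BUCKETS} if total else {b: 0.0 for b in BUCKETS}

def peak_bucket(profile):
    return max(profile, key=profile.get)

def activity_shift(events, baseline=(90, 60), recent=(30, 5), max_overlap=0.5):
    """Compare the account's recent profile with its own baseline (the UBA step).
    Overlap is the histogram intersection: 1.0 means identical habits, 0.0 no overlap."""
    base, now = hour_profile(events, *baseline), hour_profile(events, *recent)
    overlap = sum(min(base[b], now[b]) for b in BUCKETS)
    return {
        "baseline_peak": peak_bucket(base),
        "recent_peak": peak_bucket(now),
        "overlap": round(overlap, 2),
        "anomalous": peak_bucket(base) != peak_bucket(now) and overlap < max_overlap,
    }
```

A hit from this check is a lead, not a verdict: the next hunting step is to correlate the shifted hours with source IP, geolocation and the assets touched before deciding whether the account is compromised.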
While reviewing recent modem reports, a security officer discovers that several employees were contacted by the same individual who impersonated a recruiter.
Which of the following best describes this type of correlation?
- A . Spear-phishing campaign
- B . Threat modeling
- C . Red team assessment
- D . Attack pattern analysis
A
Explanation:
The situation where several employees were contacted by the same individual impersonating a recruiter best describes a spear-phishing campaign.
Here’s why:
Targeted Approach: Spear-phishing involves targeting specific individuals within an organization with personalized and convincing messages to trick them into divulging sensitive information or performing actions that compromise security.
Impersonation: The use of impersonation, in this case, a recruiter, is a common tactic in spear-phishing to gain the trust of the targeted individuals and increase the likelihood of a successful attack.
Correlated Contacts: The fact that several employees were contacted by the same individual suggests a coordinated effort to breach the organization’s security by targeting multiple points of entry through social engineering.
Reference: CompTIA Security+ SY0-601 Study Guide by Mike Chapple and David Seidl; NIST Special Publication 800-61: Computer Security Incident Handling Guide; OWASP Phishing Cheat Sheet
A company undergoing digital transformation is reviewing the resiliency of a CSP and is concerned about meeting SLA requirements in the event of a CSP incident.
Which of the following would be best to proceed with the transformation?
- A . An on-premises solution as a backup
- B . A load balancer with a round-robin configuration
- C . A multicloud provider solution
- D . An active-active solution within the same tenant
C
Explanation:
Multicloud provider solutions involve using services from more than one cloud provider to ensure resiliency and redundancy. In the event of a failure or SLA breach by one CSP, another provider can maintain service continuity. An on-premises backup could help, but does not address CSP-specific SLA concerns directly. Round-robin load balancing and active-active within the same tenant still depend on a single provider, thus posing risks if the CSP fails.
Reference: CompTIA SecurityX CAS-005, Domain 4.0: Implement redundancy and fault-tolerant strategies, including multicloud deployment for service resiliency.
A user from the sales department opened a suspicious file attachment. The sales department then contacted the SOC to investigate a number of unresponsive systems, and the team successfully identified the file and the origin of the attack.
Which of the following is the next step of the incident response plan?
- A . Remediation
- B . Containment
- C . Response
- D . Recovery
B
Explanation:
Incident response follows a standard process (e.g., NIST 800-61): Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. After identifying the attack (file and origin), the next step is Containment―limiting the spread or impact (e.g., isolating systems) before remediation or recovery.
Option A: Remediation (fixing the root cause) follows containment.
Option B: Correct―containment prevents further damage post-identification.
Option C: “Response” is too vague; it encompasses all steps.
Option D: Recovery (restoring systems) comes after containment and eradication.
Reference: CompTIA SecurityX CAS-005 Domain 4: Cybersecurity Operations – Incident Response Lifecycle.
A compliance officer is facilitating a business impact analysis (BIA) and wants business unit leaders to collect meaningful data. Several business unit leaders want more information about the types of data the officer needs.
Which of the following data types would be the most beneficial for the compliance officer? (Select two)
- A . Inventory details
- B . Applicable contract obligations
- C . Costs associated with downtime
- D . Network diagrams
- E . Contingency plans
- F . Critical processes
B, C, F
Explanation:
Understanding Business Impact Analysis (BIA):
A BIA assesses the effects of disruptions to an organization’s operations.
It helps prioritize resources based on the potential impact of downtime, compliance issues, and critical processes.
Why Options B, C, and F are Correct:
B (Applicable contract obligations) → Many companies have legal and compliance obligations regarding downtime, availability, and SLAs. This information helps determine what risk levels are acceptable.
C (Costs associated with downtime) → BIA quantifies the financial impact of system failures. Knowing lost revenue, regulatory fines, and recovery costs helps in planning.
F (Critical processes) → Identifying core business processes allows an organization to prioritize recovery efforts and maintain operational continuity.
Why Other Options Are Incorrect:
A (Inventory details) → While useful for asset management, it does not directly impact business continuity planning.
D (Network diagrams) → These help in security architecture but are not directly related to the financial/business impact analysis.
E (Contingency plans) → BIA is performed before contingency planning to identify what needs protection.
Reference: CompTIA SecurityX CAS-005 Official Study Guide: Business Impact Analysis (BIA) & Risk Management
NIST SP 800-34: Business Continuity & Contingency Planning
A financial technology firm works collaboratively with business partners in the industry to share threat intelligence within a central platform. This collaboration gives partner organizations the ability to obtain and share data associated with emerging threats from a variety of adversaries.
Which of the following should the organization most likely leverage to facilitate this activity? (Select two).
- A . CWPP
- B . YARA
- C . ATT&CK
- D . STIX
- E . TAXII
- F . JTAG
D, E
Explanation:
D. STIX (Structured Threat Information eXpression): STIX is a standardized language for representing threat information in a structured and machine-readable format. It facilitates the sharing of threat intelligence by ensuring that data is consistent and can be easily understood by all parties involved.
E. TAXII (Trusted Automated eXchange of Indicator Information): TAXII is a transport mechanism that enables the sharing of cyber threat information over a secure and trusted network. It works in conjunction with STIX to automate the exchange of threat intelligence among organizations.
Other options: