Practice Free CAS-005 Exam Online Questions
A systems administrator works with engineers to process and address vulnerabilities as a result of continuous scanning activities. The primary challenge faced by the administrator is differentiating between valid and invalid findings.
Which of the following would the systems administrator most likely verify is properly configured?
- A . Report retention time
- B . Scanning credentials
- C . Exploit definitions
- D . Testing cadence
B
Explanation:
When differentiating between valid and invalid findings from vulnerability scans, the systems administrator should verify that the scanning credentials are properly configured. Valid credentials ensure that the scanner can authenticate and access the systems being evaluated, providing accurate and comprehensive results. Without proper credentials, scans may miss vulnerabilities or generate false positives, making it difficult to prioritize and address the findings effectively.
Reference: CompTIA SecurityX Study Guide: Highlights the importance of using valid credentials for accurate vulnerability scanning.
"Vulnerability Management" by Park Foreman: Discusses the role of scanning credentials in obtaining accurate scan results and minimizing false positives.
"The Art of Network Security Monitoring" by Richard Bejtlich: Covers best practices for configuring and using vulnerability scanning tools, including the need for valid credentials.
An organization plans to deploy new software. The project manager compiles a list of roles that will be involved in different phases of the deployment life cycle.
Which of the following should the project manager use to track these roles?
- A . CMDB
- B . Recall tree
- C . ITIL
- D . RACI matrix
D
Explanation:
RACI matrix (Responsible, Accountable, Consulted, Informed) is used for role mapping across the project lifecycle.
CMDB is a configuration inventory; ITIL is a framework. Recall trees are for disaster recovery/business continuity.
From CAS-005, Domain 1: Security Governance and Compliance:
“The RACI matrix is essential in role assignment and accountability for software development and operational processes.”
Reference: CAS-005 Official Guide, Chapter 3: Governance Frameworks, pp. 78-79
A company that relies on an EOL system must keep it operating until a new solution is available.
Which of the following is the most secure way to meet this goal?
- A . Isolating the system and enforcing firewall rules to allow access to only required endpoints
- B . Enforcing strong credentials and improving monitoring capabilities
- C . Restricting system access to perform necessary maintenance by the IT team
- D . Placing the system in a screened subnet and blocking access from internal resources
A
Explanation:
To keep a legacy (EOL) system operating as securely as possible until a new solution is available, isolating the system and enforcing strict firewall rules is the best approach. This method minimizes the attack surface by restricting access to only the necessary endpoints, thereby reducing the risk of unauthorized access and potential security breaches. Isolation ensures that the system is not exposed to the broader network, while firewall rules control the traffic that can reach it, providing a secure environment until a replacement is implemented.
Reference: CompTIA SecurityX Study Guide: Recommends network isolation and firewall rules as effective measures for securing legacy systems.
NIST Special Publication 800-82, "Guide to Industrial Control Systems (ICS) Security": Advises on isolating critical systems and using firewalls to control access.
"Network Security Assessment" by Chris McNab: Discusses techniques for isolating systems and enforcing firewall rules to protect vulnerable or legacy systems.
By isolating the system and implementing strict firewall controls, the organization can maintain the necessary operations securely while working on deploying a new solution.
An organization that performs real-time financial processing is implementing a new backup solution.
Given the following business requirements:
The backup solution must reduce the risk of potential backup compromise.
The backup solution must be resilient to a ransomware attack.
The time to restore from backups is less important than backup data integrity.
Multiple copies of production data must be maintained.
Which of the following backup strategies best meets these requirements?
- A . Creating a secondary, immutable database and adding live data on a continuous basis
- B . Utilizing two connected storage arrays and ensuring the arrays constantly sync
- C . Enabling remote journaling on the databases to ensure real-time transactions are mirrored
- D . Setting up anti-tampering on the databases to ensure data cannot be changed unintentionally
A
Explanation:
An immutable database prevents modifications or deletions, ensuring resilience against ransomware while maintaining multiple copies of data.
Reference: CompTIA SecurityX (CAS-005) Exam Objectives – Domain 3.0 (Security Engineering), Section on Data Protection & Backup Strategies
During a gap assessment, an organization notes that BYOD usage is a significant risk. The organization implemented administrative policies prohibiting BYOD usage. However, the organization has not implemented technical controls to prevent the unauthorized use of BYOD assets when accessing the organization’s resources.
Which of the following solutions should the organization implement to best reduce the risk of BYOD devices? (Select two).
- A . Cloud IAM, to enforce the use of token-based MFA
- B . Conditional access, to enforce user-to-device binding
- C . NAC, to enforce device configuration requirements
- D . PAM, to enforce local password policies
- E . SD-WAN, to enforce web content filtering through external proxies
- F . DLP, to enforce data protection capabilities
B, C
Explanation:
To reduce the risk of unauthorized BYOD (Bring Your Own Device) usage, the organization should implement Conditional Access and Network Access Control (NAC).
Why Conditional Access and NAC?
Conditional Access:
- User-to-Device Binding: Conditional access policies can enforce that only registered and compliant devices are allowed to access corporate resources.
- Context-Aware Security: Enforces access controls based on the context of the access attempt, such as user identity, device compliance, location, and more.
Network Access Control (NAC):
- Device Configuration Requirements: NAC ensures that only devices meeting specific security configurations are allowed to connect to the network.
- Access Control: Provides granular control over network access, ensuring that BYOD devices comply with security policies before gaining access.
Other options, while useful, do not address the specific need to control and secure BYOD devices effectively.
Which of the following best describes a common use case for homomorphic encryption?
- A . Processing data on a server after decrypting in order to prevent unauthorized access in transit
- B . Maintaining the confidentiality of data both at rest and in transit to and from a CSP for processing
- C . Transmitting confidential data to a CSP for processing on a large number of resources without revealing information
- D . Storing proprietary data across multiple nodes in a private cloud to prevent access by unauthenticated users
C
Explanation:
Homomorphic encryption allows computations to be performed directly on encrypted data without decrypting it first. This technology is particularly useful for securely transmitting confidential data to a cloud service provider (CSP) and allowing the CSP to process the data without having any visibility into its content. This maintains data confidentiality even during processing. It is not about securing data at rest and in transit or simply storing data across nodes.
Reference: CompTIA SecurityX CAS-005, Domain 3.0: Implement secure protocols and encryption technologies including homomorphic encryption for cloud and external processing.
An administrator brings the company’s fleet of mobile devices into its PKI in order to align device WLAN NAC configurations with existing workstations and laptops. Thousands of devices need to be reconfigured in a cost-effective, time-efficient, and secure manner.
Which of the following actions best achieve this goal? (Select two).
- A . Using the existing MDM solution to integrate with directory services for authentication and enrollment
- B . Deploying netAuth extended key usage certificate templates
- C . Deploying serverAuth extended key usage certificate templates
- D . Deploying clientAuth extended key usage certificate templates
- E . Configuring SCEP on the CA with an OTP for bulk device enrollment
- F . Submitting a CSR to the CA to obtain a single certificate that can be used across all devices
A, E
Explanation:
For bulk PKI enrollment:
- MDM integration with directory services streamlines certificate request and deployment per device, leveraging existing authentication methods.
- Simple Certificate Enrollment Protocol (SCEP) with one-time passwords allows automated, secure, large-scale certificate issuance without manual CSR handling.
- clientAuth templates are used for device authentication, but selecting that option alone is insufficient without an automated enrollment mechanism.
- A single certificate for all devices violates PKI security principles and compromises individual device accountability.
A hospital provides tablets to its medical staff to enable them to more quickly access and edit patients’ charts. The hospital wants to ensure that if a tablet is identified as lost or stolen and a remote command is issued, the risk of data loss can be mitigated within seconds.
The tablets are configured as follows:
• Full disk encryption is enabled.
• "Always On" corporate VPN is enabled.
• eFuse-backed keystore is enabled.
• Wi-Fi 6 is configured with SAE.
• Location services are disabled.
• Application allow list is unconfigured.
Assuming the hospital policy cannot be changed, which of the following is the best way to meet the hospital’s objective?
- A . Revoke the user VPN and Wi-Fi certificates
- B . Cryptographically erase FDE volumes
- C . Issue new MFA credentials to all users
- D . Configure the application allow list
B
Explanation:
The key requirement is to instantly eliminate data loss on a lost device.
Cryptographic erasure works by deleting the encryption keys used for FDE (full disk encryption), rendering all data unrecoverable within seconds, which satisfies the "mitigate within seconds" requirement.
Revoking certificates won’t wipe the data from a lost tablet.
Changing MFA credentials won’t help unless the device is secured, and app allow lists don’t apply post-loss.
From CAS-005, Domain 3: Secure Systems Design and Deployment:
“Cryptographic erase (CE) renders data irrecoverable by deleting encryption keys used to protect data on the device.”
Reference: CAS-005 Guide, Chapter 9: Endpoint Security, pp. 178-180
Due to an infrastructure optimization plan, a company has moved from a unified architecture to a federated architecture divided by region. Long-term employees now have a better experience, but new employees are experiencing major performance issues when traveling between regions. The company is reviewing the following information:
Which of the following is the most effective action to remediate the issue?
- A . Creating a new user entry in the affected region for the affected employee
- B . Synchronizing all regions' user identities and ensuring ongoing synchronization
- C . Restarting European region physical access control systems
- D . Resyncing single sign-on application with connected security appliances
B
Explanation:
In a federated environment divided by region, if user identities are not synchronized across regions, authentication may be slow or fail when employees travel. CAS-005 IAM guidance states that identity synchronization ensures user attributes and credentials are consistently available in all regions, reducing latency and login issues.
Option A creates separate identities, which breaks single identity management.
Option C is unrelated to the login performance issue.
Option D may resolve SSO appliance sync but not cross-region identity data availability.
An organization recently migrated data to a new file management system. The architect decides to use a discretionary authorization model on the new system.
Which of the following best explains the architect’s choice?
- A . The responsibility of migrating data to the new file management system was outsourced to the vendor providing the platform.
- B . The permissions were not able to be migrated to the new system, and several stakeholders were made responsible for granting appropriate access.
- C . The legacy file management system did not support modern authentication techniques despite the business requirements.
- D . The data custodians were selected by business stakeholders to ensure backups of the file management system are maintained off site.
B
Explanation:
In a Discretionary Access Control (DAC) model, the data owner or an assigned stakeholder has the authority to determine who can access resources. SecurityX CAS-005 IAM objectives describe DAC as user- or owner-controlled, where permissions can be granted or revoked at the owner’s discretion. In this scenario, because permissions from the legacy system could not be migrated, multiple stakeholders were made responsible for assigning and managing access, which matches the DAC model’s characteristics.
Option A relates to outsourcing, which does not define an access control model.
Option C is about authentication limitations, unrelated to the choice of DAC.
Option D describes backup responsibilities, which are operational tasks, not access control.