CAS-005 CompTIA SecurityX Certification Exam Questions and Answers

The first action should be to reset access for John and Joe, who are corporate accounts belonging to the organization. Their credentials were exposed in recent leaks, including one from an initial access broker (Joe), which indicates an active exploitation risk. Immediate password resets and session invalidations prevent adversaries from using the compromised credentials to gain access.

Ann’s account (@hotmail.com) is personal and not under corporate management, so while her exposure is concerning, it does not pose a direct risk to organizational systems. Contacting her can follow later steps but should not delay urgent remediation for John and Joe.

Option B delays remediation. Option C overreaches by including Ann in corporate resets. Option D includes contacting authorities prematurely, which is important but secondary to immediate containment.

CAS-005 emphasizes rapid containment of credential leaks affecting corporate identities, making access resets for John and Joe the first step.

A Cloud Access Security Broker (CASB) is a security policy enforcement point placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as cloud-based resources are accessed. Implementing a CASB provides several benefits:

A. Improve firewall rules to avoid access to those platforms: This can help but is not as effective or comprehensive as a CASB.

B. Implement a cloud-access security broker: A CASB can provide visibility into cloud application usage, enforce data security policies, and protect against data leaks by monitoring and controlling access to cloud services. It also provides advanced features like data encryption, data loss prevention (DLP), and compliance monitoring.

C. Create SIEM rules to raise alerts for access to those platforms: This helps in monitoring but does not prevent data leaks.

D. Deploy an internet proxy that filters certain domains: This can block access to specific sites but lacks the granular control and visibility provided by a CASB.

Implementing a CASB is the most comprehensive solution to decrease the risk of data leaks by providing visibility, control, and enforcement of security policies for cloud services.

Context-based authentication enhances traditional security methods by incorporating additional layers of information about the user's current environment and behavior. This can include factors such as the user's location, the time of access, the device used, and the behavior patterns. It is particularly useful in preventing unauthorized access even if an attacker has obtained a valid password.

Rule-based (A) focuses on predefined rules and is less flexible in adapting to dynamic threats.

Time-based (B) authentication considers the time factor but doesn't provide comprehensive protection against stolen credentials.

Role-based (C) is more about access control based on the user's role within the organization rather than authenticating the user based on current context.

By implementing context-based authentication, the company can ensure that even if a password is compromised, the additional contextual factors required for access (which an attacker is unlikely to possess) provide a robust defense mechanism.

In a Discretionary Access Control (DAC) model, the data owner or an assigned stakeholder has the authority to determine who can access resources. SecurityX CAS-005 IAM objectives describe DAC as user- or owner-controlled, where permissions can be granted or revoked at the owner’s discretion.

In this scenario, because permissions from the legacy system could not be migrated, multiple stakeholders were made responsible for assigning and managing access—matching the DAC model’s characteristics.

Option A relates to outsourcing, which does not define an access control model.

Option C is about authentication limitations, unrelated to the choice of DAC.

Option D describes backup responsibilities, which are operational tasks, not access control.

After applying mitigations that reduce the likelihood of a risk’s impact, the next step is toassess the residual risk—the risk that remains after controls are implemented. This ensures the organization understands if the mitigation is sufficient or if further action is needed, aligning with risk management best practices.

Option A:Correct—residual risk assessment is the logical next step to evaluate the effectiveness of mitigations.

Option B:Updating the threat model might follow but isn’t immediate; residual risk comes first.

Option C:Moving to the next risk skips evaluating the current mitigation’s success.

Option D:Recalculating impact magnitude is part of residual risk assessment but isn’t the full process.

The security diagram proposed by the security architect depicts a Zero Trust security model. Zero Trust is asecurity framework that assumes all entities, both inside and outside the network, cannot be trusted and must be verified before gaining access to resources.

Key Characteristics of Zero Trust in the Diagram:

Role-based Access Control: Ensures that users have access only to the resources necessary for their role.

Mandatory Access Control: Additional layer of security requiring authentication for access to sensitive areas.

Network Access Control: Ensures that devices meet security standards before accessing the network.

Multi-factor Authentication (MFA): Enhances security by requiring multiple forms of verification.

This model aligns with the Zero Trust principles of never trusting and always verifying access requests, regardless of their origin.

Sinkholing, or DNS sinkholing, is a method used to redirect malicious traffic to a safe destination. This technique is often employed by security teams to prevent access to malicious domains by substituting a benign destination IP address.

In the given logs, users from the finance department are accessing www.bank.com and receiving HTTP status code 495. This status code is typically indicative of a client certificate error, which can occur if the DNS traffic is being manipulated or redirected incorrectly. The consistency in receiving the same HTTP status code across different users suggests a systematic issue rather than an isolated incident.

Recursive DNS resolution failure (A) would generally lead to inability to resolve DNS at all, not to a specific HTTP error.

DNS poisoning (B) could result in usersbeing directed to malicious sites, but again, would likely result in a different set of errors or unusual activity.

Incorrect DNS setup (D) would likely cause broader resolution issues rather than targeted errors like the one seen here.

By reviewing the provided data, it is evident that the DNS traffic for www.bank.com is being rerouted improperly, resulting in consistent HTTP 495 errors for the finance department users. Hence, the most likely cause is that the DNS traffic is being sinkholed.

Input sanitation is a critical process in cybersecurity that involvesvalidating and cleaning data provided by users to prevent malicious inputs from causing harm. In the context of AI concerns:

A. Model inversion involves an attacker inferring sensitive data from model outputs, typically requiring sophisticated methods beyond just manipulating input data.

B. Prompt Injection is a form of attack where an adversary provides malicious input to manipulate the behavior of AI models, particularly those dealing with natural language processing (NLP). Input sanitation directly addresses this by ensuring that inputs are cleaned and validated to remove potentially harmful commands or instructions that could alter the AI's behavior.

C. Data poisoning involves injecting malicious data into the training set to compromise the model. While input sanitation can help by filtering out bad data, data poisoning is typically addressed through robust data validation and monitoring during the model training phase, rather than real-time input sanitation.

D. Non-explainable model refers to the lack of transparency in how AI models make decisions. This concern is not addressed by input sanitation, as it relates more to model design and interpretability techniques.

Input sanitation is most relevant and effective for preventing Prompt Injection attacks, where the integrity of user inputs directly impacts the performance and security of AI models.

The immediate action after discovering ransomware is toisolate the affected serversto prevent further spread of the malware to other systems in the network. Paying the ransom is not recommended as it does not guarantee data recovery and encourages criminal behavior. Notifying law enforcement is necessary, but containment must happen first to limit damage. Requesting server restoration should only occur after containment and a thorough investigation to ensure no remnants of ransomware remain.

When differentiating between valid and invalid findings from vulnerability scans, the systemsadministrator should verify that the scanning credentials are properly configured. Valid credentials ensure that the scanner can authenticate and access the systems being evaluated, providing accurate and comprehensive results. Without proper credentials, scans may miss vulnerabilities or generate false positives, making it difficult to prioritize and address the findings effectively.

The code snippet exposes a hardcoded access token in a public repository. According to SecurityX CAS-005 secure coding best practices, the immediate action must be to revoke the exposed secret to prevent unauthorized access.

Removing the code from public view without revoking the token leaves the secret still usable by any attacker who has already seen or copied it.

SAST scanning would detect the issue but not mitigate it immediately.

Security awareness training is a long-term prevention measure but does not fix the immediate exposure.Revoking the secret first stops ongoing exploitation, after which the code can be removed, and preventative measures can be implemented.

Homomorphic encryptionallows computations to be performed directly on encrypted data without decrypting it first. This technology is particularly useful for securely transmitting confidential data to a cloud service provider (CSP) and allowing the CSP to process the data without having any visibility into its content. This maintains data confidentiality even during processing. It is not about securing data at rest and in transit or simply storing data across nodes.

Step-by-Step Explanation:

Understand the QuestionRequirements:The goal is to use a regular expression (regex) to match software versions 10.0 through 10.3, but exclude version 10.4.

Review Regex Syntax:

[ ] indicates a character set (matches any one character in the set).

[0-3] matches any digit between 0 and 3.

\. escapes the period (.) so it matches a literal period instead of acting as a wildcard.

( ) groups parts of the regex together.

Analyze Each Option:

Option A: Reader(*)[1][0].[0-4:

Incorrect. The use of (*) is not valid syntax in this context and [0-4 is incomplete or misformatted.

Option B: Reader[11[01X.f0-3'

Incorrect. This is an invalid regex syntax, mixing character sets and mismatched brackets.

Option C: Reader( )[1][0].[0-3:

Correct. This regex is valid and matches "Reader 10.0", "Reader 10.1", "Reader 10.2", and "Reader 10.3" while excluding "Reader 10.4".

Breakdown:

Reader: Matches the text "Reader".

[1][0]: Matches "10" as a combination of two characters.

\.: Matches the literal period.

[0-3]: Matches any single digit between 0 and 3.

Option D: Reader( )[1][0] X.[1-3:

Incorrect. The syntax X.[1-3 is invalid, and this does not match the required versions.

Conclusion:The regex in Option C correctly identifies all affected versions (10.0, 10.1, 10.2, 10.3) while excluding the unaffected version (10.4).

The best description of the cyber threat to a central bank implementing strict risk mitigations for the hardware supply chain, including an allow list for specific countries of origin, is the risk of physical implants and tampering. Here’s why:

Supply Chain Security: The supply chain is a critical vector for hardware tampering and physical implants, which can compromise the integrity and security of hardware components before they reach the organization.

Targeted Attacks: Banks and financial institutions are high-value targets, making them susceptible to sophisticated attacks, including those involving physical implants that can be introduced during manufacturing or shipping processes.

Strict Mitigations: Implementing an allow list for specific countries aims to mitigate the risk of supply chain attacks by limiting the sources of hardware. However, the primary concern remains the introduction of malicious components through tampering.

Analysis and Remediation Options for Each IoC:

IoC 1:

Evidence:

Source: Apache_httpd

Type: DNSQ

Dest: @10.1.1.1:53,@10.1.2.5

Data: update.s.domain, CNAME 3a129sk219r9slmfkzzz000.s.domain, 108.158.253.253

Analysis:

Analysis: The service is attempting to resolve a malicious domain.

Reason: The DNS queries and the nature of the CNAME resolution indicate that the service is trying to resolve potentially harmful domains, which is a common tactic used by malware to connect to command-and-control servers.

Remediation:

Remediation: Implement a blocklist for known malicious ports.

Reason: Blocking known malicious domains at the DNS level prevents the resolution of harmful domains, thereby protecting the network from potential connections to malicious servers.

IoC 2:

Evidence:

Src: 10.0.5.5

Dst: 10.1.2.1, 10.1.2.2, 10.1.2.3, 10.1.2.4, 10.1.2.5

Proto: IP_ICMP

Data: ECHO

Action: Drop

Analysis:

Analysis: Someone is footprinting a network subnet.

Reason: The repeated ICMP ECHO requests to different addresses within a subnet indicate that someone is scanning the network to discover active hosts, a common reconnaissance technique used by attackers.

Remediation:

Remediation: Block ping requests across the WAN interface.

Reason: Blocking ICMP ECHO requests on the WAN interface can prevent attackers from using ping sweeps to gather information about the network topology and active devices.

IoC 3:

Evidence:

Proxylog:

GET /announce?info_hash=%01dff%27f%21%10%c5%wp%4e%1d%6f%63%3c%49%6d&peer_id%3dxJFS

Uploaded=0&downloaded=0&left=3767869&compact=1&ip=10.5.1.26&event=started

User-Agent: RAZA 2.1.0.0

Host: localhost

Connection: Keep-Alive

HTTP200 OK

Analysis:

Analysis: An employee is using P2P services to download files.

Reason: The HTTP GET request with parameters related to a BitTorrent client indicates that the employee is using peer-to-peer (P2P) services, which can lead to unauthorized data transfer and potential security risks.

Remediation:

Remediation: Enforce endpoint controls on third-party software installations.

Reason: By enforcing strict endpoint controls, you can prevent the installation and use of unauthorized software, such as P2P clients, thereby mitigating the risk of data leaks and other security threats associated with such applications.

Building playbooks for different scenarios and performing regular table-top exercises directly addresses the issues identified in the lessons-learned review. Here's why:

Lost important information for further analysis: Playbooks outline step-by-step procedures for incident response, ensuring that team members know exactly what to document and how to preserve evidence.

Did not utilize the chain of communication: Playbooks include communication protocols, specifying who to notify and when. Regular table-top exercises reinforce these communication channels, ensuring they are followed during actual incidents.

Did not follow the right steps for a proper response: Playbooks provide a clear sequence of actions to be taken during various types of incidents, helping the team to respond in a structured and effective manner. Regular exercises allow the team to practice these steps, identifying and correcting any deviations from the plan.

Investing in better forensic tools (Option A) or requiring certifications (Option C) are also valuable, but they do not directly address the procedural and communication gaps identified. Publishing and enforcing the incident response policy (Option D) is important but not as practical and hands-on as playbooks and exercises in ensuring the team is prepared.

Removing unnecessary services from existing endpoints reduces the attack surface by minimizing the number of potential vulnerabilities attackers could exploit. This is a cost-effective method to harden devices without requiring new purchases, aligning perfectly with a purchasing freeze. Deploying new EDR solutions or disposing of devices would likely conflict with the resource freeze, and reimaging systems does not address minimizing services proactively.

To mitigate the identified vulnerabilities, the followingsolutions are most appropriate:

A. Implementing data loss prevention (DLP): DLP solutions help prevent the unauthorized transfer of data outside the organization. This directly addresses the exfiltration of intellectual property by monitoring, detecting, and blocking sensitive data transfers.

E. Enabling modern authentication that supports Multi-Factor Authentication (MFA): This significantly enhances security by requiring additional verification methods beyond just passwords. It addresses the issue of weak user passwords by making it much harder for unauthorized users to gain access, even if they obtain the password.

Other options, while useful in specific contexts, do not address all the vulnerabilities mentioned:

B. Deploying file integrity monitoring helps detect changes to files but does not prevent data exfiltration or address weak passwords.

C. Restricting access to critical file services improves security but is not comprehensive enough to mitigate all identified vulnerabilities.

D. Deploying directory-based group policies can enforce security policies but might not directly prevent data exfiltration or ensure strong authentication.

F. Implementing a version control system helps manage changes to files but is not a security measure for preventing the identified vulnerabilities.

G. Implementing a CMDB platform (Configuration Management Database) helps manage IT assets but does not address the specific security issues mentioned.

The best way to prevent application-focused attacks for a platform-as-a-service solution with a web-based front end is to create Web Application Firewall (WAF) policies for relevant programming languages. Here's why:

Application-Focused Attack Prevention: WAFs are designed to protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. They help prevent attacks such as SQL injection, cross-site scripting (XSS), and other application-layer attacks.

Customizable Rules: WAF policies can be tailored to the specific programming languages and frameworks used by the web application, providing targeted protection based on known vulnerabilities and attack patterns.

Real-Time Protection: WAFs provide real-time protection, blocking malicious requests before they reach the application, thereby enhancing the security posture of the platform.

Microsegmentation is a critical strategy within Zero Trust architecture that enhances context-aware access systems by dividing the network into smaller, isolated segments. This reduces the attack surface and limits lateral movement of attackers within the network. It ensures that even if one segment is compromised, the attacker cannot easily access other segments. This granular approach to network security is essential for enforcing strict access controls and monitoring within Zero Trust environments.

To prevent emails from being marked as spam, several DNS records related to email authentication need to be properly configured and updated when there are changes to the email server'scertificates:

A. DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC records help email servers determine how to handle messages that fail SPF or DKIM checks, improving email deliverability and reducing the likelihood of emails being marked as spam.

B. SPF (Sender Policy Framework): SPF records specify which mail servers are authorized to send email on behalf of your domain. Updating the SPF record ensures that the new email server is recognized as an authorized sender.

C. DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to email headers, allowing the receiving server to verify that the email has not been tampered with and is from an authorized sender. Updating DKIM records ensures that emails are properly signed and authenticated.

D. DNSSEC (Domain Name System Security Extensions): DNSSEC adds security to DNS by enabling DNS responses to be verified. While important for DNS security, it does not directly address the issue of emails being marked as spam.

E. SASC: This is not a relevant standard for this scenario.

F. SAN (Subject Alternative Name): SAN is used in SSL/TLS certificates for securing multiple domain names, not for email delivery issues.

G. SOA (Start of Authority): SOA records are used for DNS zone administration and do not directly impact email deliverability.

H. MX (Mail Exchange): MX records specify the mail servers responsible for receiving email on behalf of a domain. While important, the primary issue here is the authentication of outgoing emails, which is handled by SPF, DKIM, and DMARC.

The requirements for archiving data and immutable backups directly align with legal hold compliance (E) and ransomware resilience (F).

Legal hold compliance ensures that organizations can retain data in a tamper-proof manner when required for litigation, regulatory mandates, or audits. Immutable backups satisfy this by preventing unauthorized changes or deletion, ensuring evidence and records are preserved.

Ransomware resilience is also a key factor. Immutable backups allow recovery from ransomware attacks, as attackers cannot encrypt or delete data stored in read-only or write-once media. This reduces downtime and supports business continuity.

Options A (crypto-export), B (supply chain), C (device attestation), and D (quality assurance) do not relate directly to data archiving or immutable storage.

CAS-005 stresses aligning security controls with business continuity and compliance requirements. By focusing on legal and ransomware-related considerations, the organization ensures both regulatory and operational resilience.

The error message reveals sensitive details (hostnames, database names, table names), constitutinginformation disclosure. This aids attackers in reconnaissance. Mitigation involves modifying the application to display generic error messages (e.g., “An error occurred”) instead of specifics.

Option A:Unsecure references suggest coding flaws, but this is a configuration/output issue, not input sanitization.

Option B:Unsecure protocols and HttpOnly cookies relate to session security, not error handling.

Option C:Correct—information disclosure is the issue; generic errors mitigate it.

Option D:No evidence of SQL injection (e.g., manipulated input); upgrading the database doesn’t address disclosure.

Preparing communication templates that have been vetted by both internal and external counsel ensures that the organization can respond quickly and effectively to internal and external inquiries, comply with regulatory requirements, and provide transparency in the event of a breach.

Why Communication Templates?

Timely Response: Pre-prepared templates ensure that responses are ready to be deployed quickly, reducing response time.

Regulatory Compliance: Templates vetted by counsel ensure that all communications meet legal and regulatory requirements.

Consistent Messaging: Ensures that all responses are consistent, clear, and accurate, maintaining the organization’s credibility.

Crisis Management: Pre-prepared templates are a critical component of a broader crisis management plan, ensuring that all stakeholders are informed appropriately.

Other options, while useful, do not provide the same level of preparedness and compliance:

A. Outsourcing to an external consultant: This may delay response times and lose internal control over the communication.

B. Integrating automated response mechanisms: Useful for efficiency but not for ensuring compliant and vetted responses.

D. Conducting lessons-learned activities: Important for improving processes but does not provide immediate preparedness for communication.

SecurityX CAS-005 cloud architecture guidance emphasizes horizontal scaling for workloads that need to handle both predictable and fluctuating growth over time. Horizontal scaling allows the infrastructure to add nodes for both compute and storage dynamically, providing elasticity to meet fluctuating computational demands while accommodating exponential storage growth.

Vertical scaling (B) has hardware limits and is not as flexible for large, sustained growth.

CDN (A) is optimized for content distribution, not intensive compute workloads.

Load balancing (C) distributes workloads but does not address scaling for data growth.

Theregulated lab environment (Yes)shares the same VLAN (10.2.0.0/22) withusers, creatingzone traversalrisk from unregulated zones to sensitive datanetworks.

This allows pivoting and lateral movement from non-regulated user devices into regulated lab environments — a classiczone boundary violation.

Zone traversal should be mitigated with segmentation and firewall enforcement.

FromCAS-005, Domain 2: Risk Management and Mitigation Strategies:

“Zone traversal occurs when segmentation boundaries are misconfigured or merged, leading to regulatory and risk compliance failures.”

The situation where several employees were contacted by the same individual impersonating a recruiter best describes aspear-phishing campaign. Here’s why:

Targeted Approach: Spear-phishing involves targeting specific individuals within an organization with personalized and convincing messages to trick them into divulging sensitive information or performing actions that compromise security.

Impersonation: The use of impersonation, in this case, a recruiter, is a common tactic in spear-phishing to gain the trust of the targeted individuals and increase the likelihood of a successful attack.

Correlated Contacts: The fact that several employees were contacted by the same individual suggests a coordinated effort to breach the organization’s security by targeting multiple points of entry through social engineering.

The correct answer is Playbooks (A). In incident response, playbooks are structured workflows that define step-by-step actions for specific incident types (e.g., ransomware, phishing, insider threats). They allow SOC analysts to standardize responses across multiple platforms and tools, ensuring consistency and faster mitigation. By leveraging playbooks, organizations integrate existing incident response tools into automated or semi-automated processes, improving efficiency and reducing human error.

Option B (event collectors) consolidate logs but do not directly improve response processes. Option C (centralized logging) enhances visibility but does not provide a framework for action. Option D (endpoint detection) expands detection capabilities but does not enhance the process effectiveness of incident response.

CAS-005 emphasizes structured response through automation and orchestration. Playbooks, often implemented via SOAR platforms, allow integration of detection, triage, and remediation steps, making them the most effective way to increase incident response maturity.

Implementing security and quality checks in a CI/CD pipeline ensures that:

Container images are scanned for vulnerabilities beforedeployment.

Version control is enforced, preventing unauthorized changes.

Hashes validate image integrity.

Other options:

A (Configuring ACLs on mesh networks) improves access control but does not ensure scanning.

C (Audits on container images) detect changes but do not enforce best practices.

D (Pulling from a vendor repository) does not ensure vulnerability scanning.

When users disconnect from Remote Desktop Protocol (RDP) sessions without properly logging off, their sessions remain active on the server. If their passwords are changed due to the 90-day rotation policy, these lingering sessions may attempt to reauthenticate using outdated credentials, leading to multiple failed login attempts and potential account lockouts.

Automating the logout of inactive sessions ensures that disconnected or idle sessions are terminated after a specified period, preventing stale sessions from causing authentication issues. This approach aligns with best practices for session management and helps maintain security compliance.

Enabling dashboards for service status monitoring is the best action to support rapid incident response. The table shows various services with different risk, criticality, and alert severity ratings. To ensure timely and effective incident response, real-time visibility into the status of these services is crucial.

Why Dashboards for Service Status Monitoring?

Real-time Visibility: Dashboards provide an at-a-glance view of the current status of all critical services, enabling rapid detection of issues.

CentralizedMonitoring: A single platform to monitor the status of multiple services helps streamline incident response efforts.

Proactive Alerting: Dashboards can be configured to show alerts and anomalies immediately, ensuring that incidents are addressed as soon as they arise.

Improved Decision Making: Real-time data helps incident response teams make informed decisions quickly, reducing downtime and mitigating impact.

Other options, while useful, do not offer the same level of comprehensive, real-time visibility and proactive alerting:

A. Automate alerting to IT support for phone system outages: This addresses one service but does not provide a holistic view.

C. Send emails for failed log-in attempts on the public website: This is a specific alert for one type of issue and does not cover all services.

D. Configure automated isolation of human resources systems: This is a reactive measure for a specific service and does not provide real-time status monitoring.

Understanding the Security Event:

HOST002 is the only device authorized for internet traffic. However, theSIEM logs show that VM002 is making network connections to web.corp.local.

This indicatesunauthorized access, which could bea sign of lateral movement or network infection.

This is ared flagfor potential malware, unauthorized software, or a compromised host.

Why Option D is Correct:

Unusual network traffic patternsare often an indicator of acompromised system.

VM002 should not be communicating externally, but it is.

This suggests a possiblebreach or malware infectionattempting to communicate with a command-and-control (C2) server.

Why Other Options Are Incorrect:

A (Misconfiguration):While a misconfiguration could explain the unauthorized connections, the pattern of activity suggests something more malicious.

B (Security incident on HOST002):The issue is not with HOST002. The suspicious activity isfrom VM002.

C (False positives):The repeated pattern of unauthorized connections makes false positivesunlikely.

OpenSSH vulnerabilityispublic facingand has acritical CVSS of 9.2.

Exploitable SSH services can lead to direct server compromise.

Although Apache has a higher score, it's internal.

FromCAS-005, Domain 3: Vulnerability Management:

“Prioritize external vulnerabilities with high CVSS and exposed attack surfaces.”

In reviewing email headers and determining actions to mitigate phishing attempts, the security analyst should focus on patterns of suspicious behavior and the reputation of the sending domains. Here’s the analysis of the options provided:

A. Block messages from hr-saas.com because it is not a recognized domain: Blocking a domain solely because it is not recognized can lead to legitimate emails being missed. Recognition alone should not be the criterion for blocking.

B. Reroute all messages with unusual security warning notices to the IT administrator: While rerouting suspicious messages can be a good practice, it is not specific to the domain sending repeated suspicious messages.

C. Quarantine all messages with sales-mail.com in the email header: Quarantining messages based on the presence of a specific domain in the email header can be too broad and may capture legitimate emails.

D. Block vendor com for repeated attempts to send suspicious messages: This option is the most appropriate because it targets a domain that has shown a pattern of sending suspicious messages. Blocking a domain that repeatedly sends phishing attempts without previous communications helps in preventing future attempts from the same source and aligns with the goal of mitigating phishing risks.

Device attestationensures that only corporate-approved devices can perform privileged actions in SaaS applications.Continuous authorizationmonitors ongoing device compliance, dynamically adjusting permissions based onsecurity posture.

Blocking connections (A)is too restrictive and does not accommodate BYOD.

Machine certificates (B)help with authentication but do not provide continuous security assessment.

MDM policies (D)secure mobile devices but do not apply real-time access controls for SaaS applications.

This scenario describes an attack where the attacker mimics the CEO’s voice to deceive the CFO, likely using AI-generated audio. According to the CompTIA SecurityX CAS-005 study guide (Domain 1: Security Strategy and Risk Management, 1.2), a deepfake attack involves using artificial intelligence to create realistic but fake audio, video, or other media to impersonate someone. In this case, the voice similarity suggests a deepfake audio attack, which is a targeted social engineering tactic.

Option A:Smishing involves SMS-based phishing, not voicecalls.

Option C:Automated exploit generation refers to creating software exploits, not impersonation.

Option D:Spear phishing targets specific individuals but typically via email, not voice-based impersonation.

Option B:Deepfake is the most accurate, as it describes AI-driven impersonation of the CEO’s voice.

Phishing simulations are a proven method for reinforcing security awareness, meeting compliance training requirements, and improving user incident reporting. In CAS-005, social engineering testing is a recommended component of organizational security culture programs.

DoS attacks (A) and penetration tests (B) assess technical security, not user awareness.

Fake ransomware (D) can cause unnecessary alarm and operational disruption.

Step by Step Explanation:

Understanding the Scenario: Theorganization is using customer-managed encryption keys in the cloud, which is more expensive than using the cloud provider's free managed keys. The CISO needs to find a way to reduce costs without significantly weakening the security posture.

Analyzing the Answer Choices:

A. Utilize an on-premises HSM to locally manage keys: While on-premises HSMs offer strong security, they introduce additional costs and complexity (procurement, maintenance, etc.). This option is unlikely to reduce costs compared to cloud-based key management.

B. Adjust the configuration for cloud provider keys on data that is classified as public: This is the most practical and cost-effective approach. Data classified as public doesn't require the same level of protection as sensitive data. Using the cloud provider's free managed keys for public data can significantly reduce costs without compromising security, as the data is intended to be publicly accessible anyway.

The technique that best addresses the issue of insider threats from employees who have individual access to encrypted material is key splitting. Here’s why:

Key Splitting: Key splitting involves dividing a cryptographic key into multiple parts anddistributing these parts among different individuals or systems. This ensures that no single individual has complete access to the key, thereby mitigating the risk of insider threats.

Increased Security: By requiring multiple parties to combine their key parts to access encrypted material, key splitting provides an additional layer of security. This approach is particularly useful in environments where sensitive data needs to be protected from unauthorized access by insiders.

Compliance and Best Practices: Key splitting aligns with best practices and regulatory requirements for handling sensitive information, ensuring that access is tightly controlled and monitored.

The best solution to address reported vulnerabilities in third-party libraries is integrating a Static Application Security Testing (SAST) tool as part of the development pipeline. Here’s why:

Early Detection: SAST tools analyze source code for vulnerabilities before the code is compiled. This allows developers to identify and fix security issues early in the development process.

Continuous Security: By integrating SAST tools into the CI/CD pipeline, the organization ensures continuous security assessment of the codebase, including third-party libraries, with each code commit and build.

Comprehensive Analysis: SAST tools provide a detailed analysis of the code, identifying potential vulnerabilities in both proprietary code and third-party dependencies, ensuring that known issues in libraries are addressed promptly.

The logs show the device checking in from two distant locations (USA and Qatar) at nearly the same time, which indicatesimpossible travel— a strong indicator that either the device has been cloned, compromised, or credentials stolen. The best immediate action is todisable the device's account and accessto prevent potential misuse while an investigation is conducted. Malicious application installation or resource issues are possible but secondary concerns here compared to account compromise.

Step-by-Step Explanation:

Runtime Application Self-Protection (RASP) (A)monitors and protects applications in real time by detecting and blocking attacks as they occur. Unlike traditional security solutions, RASP is integrated into the application itself, meaning it works regardless of the programming language used. It effectively mitigates common vulnerabilities such as SQL injection, XSS, and buffer overflows.

Dynamic Application Security Testing (DAST) (C) is a passive scanning approach that may not prevent attacks in real-time, while Network Intrusion PreventionSystems (NIPS) (D) focuses on network traffic, not application-layer security.

Encrypting patient data at rest is a critical requirement for healthcare providers to ensure compliance with regulations such as the Health Insurance Portability and Accountability Act (HIPAA). The primary business requirement fulfilled by this practice is the protection of patient privacy while supporting the portability of medical information. By encrypting data at rest, healthcare providers safeguard sensitive patient information from unauthorized access, ensuring that privacy is maintained even if the storage media are compromised. Additionally, encryption supports the portability of patient records, allowing for secure transfer and access across different systems and locations while ensuring that privacy controls are in place.

Adversary emulation simulates specific advanced persistent threat (APT) behaviors and techniques to test an organization’s security posture. In SecurityX CAS-005, this is part of red-teaming and purple-teaming strategies for realistic resilience testing.

Reliability factors (B) relate to operational uptime, not threat simulation.

Honeypots (C) attract attackers but do not directly emulate specific adversaries.

Internal reconnaissance (D) is one phase of an attack simulation, not the full emulation of advanced threat actors.

HMAC (Hash-based Message Authentication Code)ensures the integrity and authentication of API requests without exposing static or hard-coded private keys. It uses a secret key and a hash function, preventing replay attacks and tampering. VPNs secure the transport layer, MFA protects user accounts (not API-to-database communications), and DSA is a signature algorithm but does not address hard-coding risk directly.

Proper parsing of data is crucial for the SIEM to accurately interpret and analyze the logs being forwarded by the log collector. If the data is not parsed correctly, the SIEM may misinterpret the logs, leading to false positives and inaccurate alerts. Ensuring that the log data is correctly parsed allows the SIEM to correlate and analyze the logs effectively, which is essential for accurate alerting and monitoring.

The incident highlights gaps in visibility, monitoring, and log management that allowed unauthorized access to persist undetected. The most critical corrective actions are to extend log retention for all devices (B) and to ensure all devices are forwarding relevant logs to the SIEM (E). Together, these steps strengthen monitoring and incident detection capabilities by ensuring that sufficient telemetry is collected, stored, and available for correlation and investigation.

Disabling bulk user creation (A) may reduce misuse but does not directly address monitoring gaps. Daily review of the application allow list (C) is operationally impractical and does not provide the breadth of monitoring needed. Routine patching (D) is essential for security hygiene but is separate from monitoring improvements. Configuring firewall rules (F) may reduce traffic flows but does not ensure detection or visibility of unauthorized activity.

By prioritizing comprehensive log collection and ensuring adequate retention, the SOC can correlate anomalies across systems, detect malicious behavior earlier, and conduct forensic investigations effectively. This aligns with CAS-005 best practices for security operations and continuous monitoring in hybrid environments.

Implementing a Single Sign-On (SSO) solution and integrating it with applications is the best way to manage the situation and decrease risks. Here’s why:

Reduced Password Fatigue: SSO allows users tolog in once and gain access to multiple applications and systems without needing to remember and manage multiple passwords. This reduces the likelihood of users writing down passwords.

Improved Security: By reducing the number of passwords users need to manage, SSO decreases the attack surface and potential for password-related security breaches. It also allows for the implementation of stronger authentication methods.

User Convenience: SSO improves the user experience by simplifying the login process, which can lead to higher productivity and satisfaction.

RACI matrix(Responsible, Accountable, Consulted, Informed) is used for role mapping across the project lifecycle.

CMDB is a configuration inventory; ITIL is a framework. Recall trees are for disaster recovery/business continuity.

FromCAS-005, Domain 1: Security Governance and Compliance:

“The RACI matrix is essential in role assignment and accountability for software development and operational processes.”

The presence of an unauthorized server (29mail.mycrosoft.info) sending emails on behalf of the company indicates a potential spoofing or phishing attempt. To mitigate this:

Remove the unnecessary servers from the SPF record (Option C): The Sender Policy Framework (SPF) specifies which mail servers are authorized to send emails on behalf of a domain. Removing unauthorized or unnecessary servers from the SPF record helps prevent spoofed emails from passing SPF checks.

Change the SPF record to enforce the hard fail parameter (Option D): Setting the SPF policy to a hard fail (-all) ensures that emails from unauthorized servers are rejected, enhancing email security.

Implementing these changes strengthens the domain's email authentication mechanisms, reducing the risk of successful phishing or spoofing attacks.

The requirements demand detailed asset tracking and inventory management. Let’s analyze:

A. SBoM (Software Bill of Materials):Tracks software components, not hardware or network topology.

B. CASB (Cloud Access Security Broker):Secures cloud apps but doesn’t map physical switches or OS counts.

C. GRC(Governance, Risk, and Compliance):Focuses on risk management, not detailed asset tracking.

The most effective solution is Terraform (C), an Infrastructure as Code (IaC) tool that allows organizations to define and provision infrastructure resources across multiple cloud providers using a consistent configuration language. For a multicloud strategy, Terraform provides cloud-agnostic templates, ensuring that server creation, networking, and storage provisioning are automated and standardized across AWS, Azure, GCP, or other providers. This aligns with CAS-005 best practices for cloud automation and consistency.

PowerShell (A) and Bash (B) are scripting tools that can automate tasks but are typically tied to specific operating systems and lack multicloud orchestration capabilities. Ansible (D) is a strong automation tool for configuration management and application deployment, but Terraform is specifically designed to provision and manage infrastructure at scale across multicloud environments.

By using Terraform, the company can enforce consistent images, reduce human error, ensure compliance through reusable templates, and improve operational efficiency while maintaining flexibility across multiple providers.

The attacker gained domain control by collecting the KRBTGT hash (used for Kerberos tickets). Let’s evaluate:

A. Deleting SQLSV:Irrelevant since pass-the-hash failed there.

B. Reimaging ADMIN01S:Addresses the compromised host but not domain control.

C. Rotating KRBTGT password:Invalidates stolen Kerberos tickets, mitigating domain control per CAS-005’s focus on identity security.

The best approach is to use Terraform scripts while creating golden images (A). Terraform is an Infrastructure as Code (IaC) tool that allows organizations to automate infrastructure deployment consistently across environments. A golden image is a pre-configured, patched, and hardened system image used as a standard baseline. By creating golden images via Terraform scripts, the company ensures that every microservice instance is deployed on an already-updated and secure OS. This eliminates the need for repeatedly patching the base OS before code deployment.

Option B (cron job with apt-update) applies patches but introduces delays (every 30 days) and lacks consistency across new deployments. Option C (snapshots) saves deployment states but risks replicating outdated or unpatched images. Option D (centralized update server) is useful but still requires updates post-deployment, which slows the rollout of microservices.

By automating golden image creation through Terraform, the company gains efficiency, repeatability, and security assurance, aligning with DevSecOps principles and CAS-005 cloud-native best practices.

The vulnerability lies in line [10], where the function strcpy(transmit, input) is used. The strcpy function does not perform boundary checking when copying strings. Since input is defined with a size of 256 characters and transmit only has 20 characters allocated, the strcpy operation will cause a buffer overflow when the contents of input exceed the allocated size of transmit. This creates a significant security vulnerability, as attackers can overwrite adjacent memory, potentially injecting malicious code or altering program execution.

Lines [02], [04], [07], and [08] are not inherently vulnerable by themselves. Line [04] defines the oversized input, but the vulnerability only materializes when combined with the unsafe copy in line [10]. Secure coding practices recommend using safer alternatives like strncpy, which includes a length parameter, or implementing runtime checks to ensure the destination buffer size is not exceeded.

Thus, the vulnerable line that must be changed is line [10], where strcpy is used.

For bulk PKI enrollment:

MDM integration with directory services streamlines certificate request and deployment per device, leveraging existing authentication methods.

Simple Certificate Enrollment Protocol (SCEP) with one-time passwords allows automated, secure, large-scale certificate issuance without manual CSR handling.

clientAuth templates are used for device authentication, but selecting it alone is insufficient without automated enrollment mechanisms.

A single certificate for all devices violates PKI security principles and compromises individual device accountability.

Privileged Access Management (PAM)restricts elevated permissions, reducing the risk of widespread ransomware attacks.Multi-Factor Authentication (MFA)protects against credential theft and ensures that even if passwords are compromised, accounts are not easily accessible.Network segmentationbreaks the flat network into secure zones, limiting lateral movement by attackers. SD-WAN and BGP relate to network routing and efficiency, not security architecture specifically. Remote access VPN secures external access but does not solve internal flat network issues. Network Access Control (NAC) is helpful but secondary compared to PAM, MFA, and segmentation in this context.

The hijacked administrator account was used across multiple ASNs (indicating different network locations) in a short time, despite MFA and SSO. This suggests a stolen session or token misuse. Let’s analyze:

A. Token theft detection with lockouts:Useful for detecting stolen SSO tokens, but it’s reactive and may not prevent initial misuse across networks.

B. Context-based authentication:This adds real-time checks (e.g., geolocation, IP changes) to verify login attempts. Given the rapid ASN changes, this proactively mitigates the issue by challenging suspicious logins, aligning with CAS-005’s focus on adaptive security.

C. Decentralize accounts:This removes SSO, increasing complexity and weakening MFA enforcement, which isn’t practical or secure.

To meet the requirements of having allendpoints establish telemetry with a SIEM, integrate into an XDR platform, and allow SOC services to monitor the XDR platform, the best approach is to implement Host Intrusion Prevention Systems (HIPS) and a host-based firewall. HIPS can provide detailed telemetry data to the SIEM and can be integrated into the XDR platform for comprehensive monitoring and response. The host-based firewall ensures that only authorized traffic is allowed, providing an additional layer of security.

Software Composition Analysis (SCA) is the best method for identifying all components, dependencies, and open-source libraries used inan application. It ensures that organizations track and manage vulnerabilities in third-party code before deployment.

SCA tools generate a Software Bill of Materials (SBOM), which provides a full representation of the code and modules used in the application.

Other options:

Static Application Security Testing (SAST) (C) checks for vulnerabilities but does not map dependencies.

Interactive Application Security Testing (IAST) (D) works at runtime, not before deployment.

Runtime Application Self-Protection (RASP) (B) works while the application is running.

WAP A: No issue found. The WAP A is configured correctly and meets therequirements.

PC A = Enable host-based firewall to block all traffic

This option will turn off the host-based firewall and allow all traffic to pass through. This will comply with the requirement and also improve the connectivity of PC A to other devices on the network. However, this option will also reduce the security of PC A and make it more vulnerable to attacks. Therefore, it is recommended to use other security measures, such as antivirus, encryption, and password complexity, to protect PC A from potential threats.

Laptop A: Patch management

This option will install the updates that are available for Laptop A and ensure that it has the most recent security patches and bug fixes. This will comply with the requirement and also improve the performance and stability of Laptop A. However, this option may also require a reboot of Laptop A and some downtime during the update process. Therefore, it is recommended to backup any important data and close any open applications before applying the updates.

Switch A: No issue found. The Switch A is configured correctly and meets the requirements.

Switch B: No issue found. The Switch B is configured correctly and meets the requirements.

Laptop B: Disable unneeded services

This option will stop and disable the telnet service that is using port 23 on Laptop B. Telnet is a cleartext service that transmits data in plain text over the network, which exposes it to eavesdropping, interception, and modification by attackers. By disabling the telnet service, you will comply with the requirement and also improve the security of Laptop B. However, this option may also affect the functionality of Laptop B if it needs to use telnet for remote administration or other purposes. Therefore,it is recommended to use a secure alternative to telnet, such as SSH or HTTPS, that encrypts the data in transit.

PC B: Enable disk encryption

This option will encrypt the HDD of PC B using a tool such as BitLocker or VeraCrypt. Disk encryption is a technique that protects data at rest by converting it into an unreadable format that can only be decrypted with a valid key or password. By enabling disk encryption, you will comply with the requirement and also improve the confidentiality and integrity of PC B’s data. However, this option may also affect the performance and usability of PC B, as it requires additional processing time and user authentication to access the encrypted data. Therefore, it is recommended to backup any important data and choose a strong key or password before encrypting the disk.

PC C: Disable unneeded services

This option will stop and disable the SSH daemon that is using port 22 on PC C. SSH is a secure service that allows remote access and command execution over an encrypted channel. However, port 22 is thedefault and well-known port for SSH, which makes it a common target for brute-force attacks and port scanning. By disabling the SSH daemon on port 22, you will comply with the requirement and also improve the security of PC C. However, this option may also affect the functionality of PC C if it needs to use SSH for remote administration or other purposes. Therefore, it is recommended to enable the SSH daemon on a different port, such as 4022, by editing the configuration file using the following command:

sudo nano /etc/ssh/sshd_config

Server A. Need to select the following:

A black and white screen with white text Description automatically generated

A Content Delivery Network (CDN) caches and distributes static and dynamic web content across multiple geographically distributed edge servers, reducing latency for global users. This directly addresses page-loading delays caused by distance from the primary data centers.

RASP is for runtime application security, not latency.

Remote journaling is for data replication, not performance optimization.

SASE can improve security and WAN routing, but a CDN is purpose-built for content delivery performance.

Public Key Infrastructure (PKI) supports change management by securing messages (e.g., approvals, updates).Non-repudiation, provided via digital signatures, ensures a sender cannot deny sending a message, critical for auditability in change processes.

Option A:Correct—PKI’s digital signatures ensure non-repudiation.

Option B:Confidentiality (via encryption) is a PKI feature but less tied to change management’s focus on accountability.

Option C:Delivery receipts are not aPKI function; they’re protocol-specific (e.g., SMTP).

Option D:Attestation relates to verifying attributes, not a direct PKI message capability.

The best way for a SOC to rapidly identify whether deployed applications contain specific libraries is through the use of a Software Bill of Materials (SBOM). An SBOM is a formal, machine-readable inventory of all components, including third-party and open-source libraries, used in a software product. When a new vulnerability is disclosed (such as Log4Shell in Log4j), organizations with a comprehensive SBOM can immediately search across their application landscape to determine which systems are impacted.

Other options are less effective. Maintaining SAST/DAST reports (A) only provides snapshots of vulnerabilities at the time of scanning, but does not dynamically track components across all software in production. Vendor attestations (B) improve supply chain governance but do not provide immediate visibility into internal or custom software. A GRC tool (D) helps track vendors and policies but does not show technical dependencies inside applications.

Requiring suppliers and internal developers to provide and maintain SBOMs ensures continuous visibility into dependencies. This allows the SOC to quickly query and respond to emerging vulnerabilities, reducing risk exposure and accelerating remediation timelines.

SecurityX CAS-005 network architecture objectives emphasize limiting exposure of vulnerable systems by using application-aware firewalls with strict rule sets.

This approach directly reduces the attack surface by allowing only approved application traffic to and from the vulnerable systems, mitigating risk until systems are patched or replaced.

EDR (A) enhances detection but doesn’t inherently reduce the exposed services.

Network segmentation in monitor mode (B) doesn’t block threats.

IDS (C) detects activity but does not block it.

To minimize downtime, testing should occur in a virtual lab, not production. The best approach is to test solutions methodically: implement one solution at a time, run an attack simulation, collect metrics, roll back, and repeat. This isolates each solution’s effectiveness, ensuring accurate metrics for decision-making without production impact.

Option A:Testing all solutions simultaneously muddies the results—metrics won’t show which solution worked.

Option B:Collecting metrics before the simulation misses the point of testing against the attack.

Option C:Correct—tests each solution independently with simulation and metrics, minimizing downtime via virtual lab use.

Option D:Like A, combining solutions obscures individual effectiveness.

The best action to address the requirement of accessing the historian server within a SCADA system is to isolate the historian server for connections only from the SCADAenvironment. Here’s why:

Security and Isolation: Isolating the historian server ensures that only authorized devices within the SCADA environment can connect to it. This minimizes the attack surface and protects sensitive data from unauthorized access.

Access Control: By restricting access to the historian server to only SCADA devices, the organization can better control and monitor interactions, ensuring that only legitimate queries and data retrievals occur.

Best Practices for Critical Infrastructure: Following the principle of least privilege, isolating critical components like the historian server is a standard practice in securing SCADA systems, reducing the risk of cyberattacks.

The most secure way to prevent inadvertent data disclosure when encrypted SSDs are reused is to securely delete the encryption keys used by the SSD. Without the encryption keys, the data on the SSD remains encrypted and is effectively unreadable, rendering any residual data useless. This method is more reliable and efficient than overwriting data multiple times or using other physical destruction methods.

The table shows detailed information about products, includinglocation, chassis manufacturer, OS, application developer, and vendor. This type of information is typically assessed in a supply chain assessment to evaluate the security and reliability of components and services from different suppliers.

Why Supply Chain Assessment?

Component Evaluation: Assessing the origin and security of each component used in the products, including hardware, software, and third-party services.

Vendor Reliability: Evaluating the security practices and reliability of vendors involved in providing components or services.

Risk Management: Identifying potential risks associated with the supply chain, such as vulnerabilities in third-party components or insecure development practices.

Other types of assessments do not align with the detailed supplier and component information provided:

A. System: Focuses on individual system security, not the broader supply chain.

C. Quantitative: Focuses on numerical risk assessments, not supplier information.

D. Organizational: Focuses on internal organizational practices, not external suppliers.

Post-Quantum Cryptography (PQC) preparation is critical to protect data against future quantum computing attacks that could break current cryptographic algorithms (e.g., RSA, ECC). According to the CompTIA SecurityX CAS-005 study guide (Domain 3: Cybersecurity Technology, 3.3), quantum computers with sufficient computational power could perform calculations (e.g., Shor’s algorithm) to decrypt data protected by traditional algorithms. PQC focuses on developing algorithms resistant to such increases in computational resources, ensuring long-term data security.

Option B:Key stretching is a technique to strengthen passwords, not related to PQC.

Option C:PQC algorithms often have higher computational costs, not improved performance.

Option D:Asymmetric encryption is not ideal for large data sets, and PQC is not specifically about this use case.

Option A:This accurately describes PQC’s purpose to safeguard data against quantum-driven decryption.

In the given scenario, the security engineer is likely examining login activities and their associated geolocations. This type of analysis is aimed at identifying unusual login patterns that might indicate an impossible travel scenario. An impossible travel scenario is when a single user account logs in from geographically distant locations in a short time, which is physically impossible. By assessing login activities using geolocation, the engineer can tune alerts to identify and respond to potential security breaches more effectively.

Implementing the given commands in the Dockerfile ensures that the container runs with non-root user privileges. Running applications as a non-root user reduces the risk of privilege escalation attacks because even if anattacker compromises the application, they would have limited privileges and would not be able to perform actions that require root access.

A. Implementing the following commands in the Dockerfile: This directly addresses the privilege escalation attack surface by ensuring the application does not run with elevated privileges.

B. Installing an EDR on the container's host: While useful for detecting threats, this does not reduce the privilege escalation attack surface within the containerized application.

C.Designing a multi-container solution: While beneficial for modularity and remediation, it does not specifically address privilege escalation.

D. Running the container in an isolated network: This improves network security but does not directly reduce the privilege escalation attack surface.

Code Snippet 1

Vulnerability 1: SQL injection

SQL injection is a type of attack that exploits a vulnerability in the code that interacts with a database. An attacker can inject malicious SQL commands into the input fields, such as username or password, and execute them on the database server. This can result in data theft, data corruption, or unauthorized access.

Fix 1: Perform input sanitization of the userid field.

Input sanitization is a technique that prevents SQL injection byvalidating and filtering the user input values before passing them to the database. The input sanitization should remove any special characters, such as quotes, semicolons, or dashes, that can alter the intended SQL query. Alternatively, the input sanitization can use a whitelist of allowed values and reject any other values.

Code Snippet 2

Vulnerability 2: Cross-site request forgery

Cross-site request forgery (CSRF) is a type of attack that exploits a vulnerability in the code that handles web requests. An attacker can trick a user into sending a malicious web request to a server that performs an action on behalf of the user, such as changing their password, transferring funds, or deleting data. This can result in unauthorized actions, data loss, or account compromise.

Fix 2: Implement anti-forgery tokens.

Anti-forgery tokens are techniques that prevent CSRF by adding a unique and secret value to each web request that is generated by the server and verified by the server before performing the action. The anti-forgery token should be different for each user and each session, and should not be predictable or reusable by an attacker. This way, only legitimate web requests from the user’s browser can be accepted by the server.

The strings utility extracts human-readable text from binary files. Security analysts use it to identify Indicators of Compromise (IoCs) such as URLs, IP addresses, filenames, and commands embedded in the malware.

Option A (reconstructing timeline) would require event logs or forensic timeline tools.

Option C (replicating the attack) involves execution in a sandbox, not static string extraction.

The best solution to reduce the likelihood of firmware-level attacks and rootkits is to implement measured boot. Measured boot is a hardware-assisted security mechanism that leverages Trusted Platform Module (TPM) and Secure Boot processes. It records cryptographic measurements of each stage of the boot process—from firmware to operating system loaders—and stores them in the TPM. Security software, such as attestation services, can then verify that the system booted into a known, trusted state. If firmware or boot-level code has been tampered with, the measurements will not match expected values, alerting administrators to compromise.

Option A (software integrity checks) validates application-level integrity but does not address firmware rootkits that load before the operating system. Option B (self-encrypting drives) protects data at rest but does not prevent rootkits. Option D (host-based encryption) ensures confidentiality but does not detect or mitigate firmware-level persistence.

Measured boot specifically targets low-level tampering, making it the most relevant control to defend against rootkits and firmware exploits.

VPN Concentrator:

A screenshot of a computer Description automatically generated

AAA Server:

A screenshot of a computer Description automatically generated

A computer screen shot of a diagram Description automatically generated

A screenshot of a computer error Description automatically generated

Based on the log provided, the most concerning event that should be investigated further is the presence of a text file containing passwords that were leaked. Here's why:

Sensitive Information Exposure: A text file containing passwords represents a significant security risk, as it indicates that sensitive credentials have been exposed in plain text, potentially leading to unauthorized access.

Immediate Threat: Password leaks can lead to immediate exploitation by attackers, compromising user accounts and sensitive data. This requires urgent investi

The scenario describes a prolonged, stealthy operation where files were exfiltrated over three months via secure channels (TLS-protected HTTP) from unexpected systems, then ceased. This aligns with anAdvanced Persistent Threat (APT), characterized by long-term, targeted attacks aimed at data theft or surveillance, often using sophisticated methods to remain undetected.

Option A:Decrypting RSA with weak encryption implies a cryptographic attack, but TLS suggests modern encryption was used, and there’s no evidence of decryption here.

Option B:A zero-day attack exploits unknown vulnerabilities, but the duration and cessation suggest a planned operation, not a single exploit.

Option C:APT fits perfectly—slow, persistent exfiltration fromunusual systems indicates a coordinated, stealthy threat actor.

Option D:An on-path (man-in-the-middle) attack intercepts traffic, but there’s no indication of interception; the focus is on unauthorized transfers.

Step-by-Step Explanation:

Option A: Deny list

Deny lists block specific applications or processes identified as malicious.

This approach is reactive and mayinadvertently block the non-standard applications that are currently in use without proper ownership.

Option B: Allow list

Allow lists permit only pre-approved applications to run.

While secure, this approach requires defining all non-standard applications, which may disrupt operations in an environment where ownership is unclear.

Option C: Audit mode

Correct Answer.

Audit mode allows monitoring and logging of applications without enforcing restrictions.

This is ideal in environments with non-standard applications and undefined ownership because it enables the engineer to observe the environment and gradually implement control without interruption.

Audit mode provides critical visibility into the software landscape, ensuring that necessary applications remain functional.

Option D: MAC list

Mandatory Access Control (MAC) lists restrict access based on classification and clearance levels.

This does not align with application control objectives in this context.

CompTIA CASP+ Study Guide - Chapters on Endpoint Security and Application Control.

CASP+ Objective 2.4: Implement appropriate security controls for enterprise endpoints.

To determine how the acquisition of Company B will impact the attack surface, the following steps are crucial:

A. Documenting third-party connections used by Company B: Understanding all external connections is essential for assessing potential entry points for attackers and ensuring that these connections are secure.

E. Performing an architectural review of Company B's network: This review will identify vulnerabilities and assess the security posture of the acquired company's network, providing a comprehensive understanding of the new attack surface.

These actions will provide a clear picture of the security implications of the acquisition and help in developing a plan to mitigate any identified risks.

To design resilience in an enterprise system that can survive environmental catastrophes, recover within 24 hours, and be resilient to active exploitation, the best strategy is to allocate fully redundant and geographically distributed standby sites. Here’s why:

Geographical Redundancy: Having geographically distributed standby sites ensures that if one site is affected by an environmental catastrophe, the other sites can take over, providing continuity of operations.

Full Redundancy: Fully redundant sites mean that all critical systems and data are replicated, enabling quick recovery in the event of a critical loss of availability.

Resilience to Exploitation: Distributing resources across multiple sites reduces the risk of a single point of failure and increases resilience against targeted attacks.

Understanding the Ransomware Issue:

The key issue here is thatbackups were not recoverable within the required RPO timeframe.

This means the organizationdid not properly testitsbackup and disaster recovery (DR) processes.

To prevent this from happening again, regular disaster recovery testing is essential.

Why Option C is Correct:

Disaster recovery testing ensures that backups are functionaland can meetbusiness continuity needs.

Frequent DR testingallows organizations to identify and fixgaps in recovery strategies.

Regular testing ensuresthat recoverymeets the RPO & RTO (Recovery Time Objective) requirements.

Why Other Options Are Incorrect:

A (Encrypt & label backup tapes):While encryption is important, it does not address thefailure to meet RPO requirements.

B (Reverting to manual business processes):While amanual continuity planis good for resilience, it doesnot resolve the backup and recovery failure.

D (Tabletop exercise & RACI matrix):Atabletop exerciseis a planning activity, butit does not involve actual recovery testing.