A company wants to modify its process to comply with privacy requirements after an incident involving PII data in a development environment. In order to perform functionality tests, the QA team still needs to use valid data in the specified format. Which of the following best addresses the risk without impacting the development life cycle?
Answer : D
Tokenizationreplaces sensitive data (e.g., PII) with non-sensitive placeholders while maintaining format consistency, ensuring compliancewithout disrupting testing. This method is commonly used forPCI-DSS and GDPR compliancewhile preserving data structure for functional tests.
Encryption (A)secures data but does not remove sensitivity or solve testing concerns.
Truncation (B)removes portions of data but may impact testing if format requirements are strict.
Synthetic data (C)can be useful but may not always match real-world scenarios perfectly for testing purposes.
A systems administrator is working with clients to verify email-based services are performing properly. The administrator wants to have the email server digitally sign outbound emails using the organization's private key. Which of the following should the systems administrator configure?
Answer : B
DomainKeys Identified Mail (DKIM) digitally signs outbound messages with the organization's private key, enabling recipients to verify integrity and authenticity using the corresponding public key in DNS.
SPF validates sending server IPs, not message integrity.
DMARC builds policy enforcement on top of SPF and DKIM results.
TLS secures the transport channel, not the message content itself.
A Chief Information Security Officer requests an action plan to remediate vulnerabilities. A security analyst reviews the output from a recent vulnerability scan and notices hundreds of unique vulnerabilities. The output includes the CVSS score, IP address, hostname, and the list of vulnerabilities. The analyst determines more information is needed in order to decide which vulnerabilities should be fixed immediately. Which of the following is the best source for this information?
Answer : B
The correct source is the Business Impact Analysis (BIA). A BIA provides context about which systems and applications are most critical to business operations, regulatory compliance, and customer obligations. While CVSS scores indicate severity in technical terms, they do not reflect the business impact of exploitation. For example, a medium-severity vulnerability on a critical payment system may pose more business risk than a high-severity vulnerability on a test server.
Option A (third-party risk review) focuses on vendor security posture, not internal remediation priorities. Option C (incident response playbook) guides response during active incidents, not vulnerability prioritization. Option D (crisis management plan) addresses executive-level communications during crises, not technical risk assessment.
By combining vulnerability scan data with BIA context, security teams can prioritize remediation efforts based on business-critical systems, ensuring the highest-risk vulnerabilities are remediated first. This aligns with CAS-005's guidance on risk-based prioritization of remediation efforts.
An organization recently implemented a policy that requires all passwords to be rotated every 90 days. An administrator observes a large volume of failed sign-on logs from multiple servers that are often accessed by users. The administrator determines users are disconnecting from the RDP session but not logging off. Which of the following should the administrator do to prevent account lockouts?
Answer : C
When users disconnect from Remote Desktop Protocol (RDP) sessions without properly logging off, their sessions remain active on the server. If their passwords are changed due to the 90-day rotation policy, these lingering sessions may attempt to reauthenticate using outdated credentials, leading to multiple failed login attempts and potential account lockouts.
Automating the logout of inactive sessions ensures that disconnected or idle sessions are terminated after a specified period, preventing stale sessions from causing authentication issues. This approach aligns with best practices for session management and helps maintain security compliance.
A security configure isbuilding a solution to disable weak CBC configuration for remote access connections lo Linux systems. Which of the following should the security engineer modify?
Answer : D
The sshd_config file is the main configuration file for the OpenSSH server. To disable weak CBC (Cipher Block Chaining) ciphers for SSH connections, the security engineer should modify the sshd_config file to update the list of allowed ciphers. This file typically contains settings for the SSH daemon, including which encryption algorithms are allowed.
By editing the /etc/ssh/sshd_config file and updating the Ciphers directive, weak ciphers can be removed, and only strong ciphers can be allowed. This change ensures that the SSH server does not use insecure encryption methods.
CompTIA Security+ Study Guide
OpenSSH manual pages (man sshd_config)
CIS Benchmarks for Linux
A security architect is performing threat-modeling activities related to an acquired overseas software company that will be integrated with existing products and systems Once its software is integrated, the software company will process customer data for the acqumng company Given the following:

Which of the following mitigations would reduce the risk of the most significant threats?
Answer : C
The table highlights that tampering threats (IDs 02 and 03) are rated Critical, making them the most significant risks. These threats involve malicious insiders inserting backdoors or attackers injecting malicious code into third-party libraries. To mitigate such risks, organizations must implement a secure software development lifecycle (SDLC) with formalized code scanning, gate checks, and supply chain validation.
Option C directly addresses these issues. Secure development practices include static/dynamic code analysis, dependency checks, peer reviews, and mandatory approvals before code promotion. This approach detects backdoors, prevents unauthorized modifications, and reduces the likelihood of compromised libraries being integrated.
Option A (PAM with conditional access) mitigates privilege escalation but does not address software tampering. Option B (rate limiting and federation) reduces brute-force authentication risks (ID 05) but not critical tampering. Option D (Zero Trust with microsegmentation) strengthens network defense but does not secure the integrity of source code or libraries.
Therefore, a secure SDLC with gate checks and code scanning is the best mitigation for the most critical threats identified.
A company's help desk is experiencing a large number of calls from the finance department slating access issues to www bank com The security operations center reviewed the following security logs:

Which of the following is most likely the cause of the issue?
Answer : C
Sinkholing, or DNS sinkholing, is a method used to redirect malicious traffic to a safe destination. This technique is often employed by security teams to prevent access to malicious domains by substituting a benign destination IP address.
In the given logs, users from the finance department are accessing www.bank.com and receiving HTTP status code 495. This status code is typically indicative of a client certificate error, which can occur if the DNS traffic is being manipulated or redirected incorrectly. The consistency in receiving the same HTTP status code across different users suggests a systematic issue rather than an isolated incident.
Recursive DNS resolution failure (A) would generally lead to inability to resolve DNS at all, not to a specific HTTP error.
DNS poisoning (B) could result in usersbeing directed to malicious sites, but again, would likely result in a different set of errors or unusual activity.
Incorrect DNS setup (D) would likely cause broader resolution issues rather than targeted errors like the one seen here.
By reviewing the provided data, it is evident that the DNS traffic for www.bank.com is being rerouted improperly, resulting in consistent HTTP 495 errors for the finance department users. Hence, the most likely cause is that the DNS traffic is being sinkholed.
CompTIA SecurityX study materials on DNS security mechanisms.
Standard HTTP status codes and their implications.