CompTIA CAS-005 CompTIA SecurityX Certification Exam Practice Test

Page: 1 / 14
Total 217 questions

Want more questions? Get Premium Access.
()

Question 1

[Security Architecture]

An endpoint security engineer finds that a newly acquired company has a variety of non-standard applications running and no defined ownership for those applications. The engineer needs to find a solution thatrestricts malicious programs and software from running in that environment, while allowing the non-standard applications to function without interruption. Which of the following application control configurations should the engineer apply?

ADeny list

BAllow list

CAudit mode

DMAC list

Answer : C

Comprehensive and Detailed Step-by-Step

Option A: Deny list

Deny lists block specific applications or processes identified as malicious.

This approach is reactive and mayinadvertently block the non-standard applications that are currently in use without proper ownership.

Option B: Allow list

Allow lists permit only pre-approved applications to run.

While secure, this approach requires defining all non-standard applications, which may disrupt operations in an environment where ownership is unclear.

Option C: Audit mode

Correct Answer.

Audit mode allows monitoring and logging of applications without enforcing restrictions.

This is ideal in environments with non-standard applications and undefined ownership because it enables the engineer to observe the environment and gradually implement control without interruption.

Audit mode provides critical visibility into the software landscape, ensuring that necessary applications remain functional.

Option D: MAC list

Mandatory Access Control (MAC) lists restrict access based on classification and clearance levels.

This does not align with application control objectives in this context.

CompTIA CASP+ Study Guide - Chapters on Endpoint Security and Application Control.

CASP+ Objective 2.4: Implement appropriate security controls for enterprise endpoints.

Question 2

[Governance, Risk, and Compliance (GRC)]

Audit findings indicate several user endpoints are not utilizing full disk encryption During me remediation process, a compliance analyst reviews the testing details for the endpoints and notes the endpoint device configuration does not support full disk encryption Which of the following is the most likely reason me device must be replaced'

AThe HSM is outdated and no longer supported by the manufacturer

BThe vTPM was not properly initialized and is corrupt.

CThe HSM is vulnerable to common exploits and a firmware upgrade is needed

DThe motherboard was not configured with a TPM from the OEM supplier.

EThe HSM does not support sealing storage

Answer : D

The most likely reason the device must be replaced is that the motherboard was not configured with a TPM (Trusted Platform Module) from the OEM (Original Equipment Manufacturer) supplier.

Why TPM is Necessary for Full Disk Encryption:

Hardware-Based Security: TPM provides a hardware-based mechanism to store encryption keys securely, which is essential for full disk encryption.

Compatibility: Full disk encryption solutions, such as BitLocker, require TPM to ensure that the encryption keys are securely stored and managed.

Integrity Checks: TPM enables system integrity checks during boot, ensuring that the device has not been tampered with.

Other options do not directly address the requirement for TPM in supporting full disk encryption:

A . The HSM is outdated: While HSM (Hardware Security Module) is important for security, it is not typically used for full disk encryption.

B . The vTPM was not properly initialized: vTPM (virtual TPM) is less common and not typically a reason for requiring hardware replacement.

C . The HSM is vulnerable to common exploits: This would require a firmware upgrade, not replacement of the device.

E . The HSM does not support sealing storage: Sealing storage is relevant but not the primary reason for requiring TPM for full disk encryption.

CompTIA SecurityX Study Guide

'Trusted Platform Module (TPM) Overview,' Microsoft Documentation

'BitLocker Deployment Guide,' Microsoft Documentation

Question 3

[Security Architecture]

A security configure isbuilding a solution to disable weak CBC configuration for remote access connections lo Linux systems. Which of the following should the security engineer modify?

AThe /etc/openssl.conf file, updating the virtual site parameter

BThe /etc/nsswith.conf file, updating the name server

CThe /etc/hosts file, updating the IP parameter

DThe /etc/etc/sshd, configure file updating the ciphers

Answer : D

The sshd_config file is the main configuration file for the OpenSSH server. To disable weak CBC (Cipher Block Chaining) ciphers for SSH connections, the security engineer should modify the sshd_config file to update the list of allowed ciphers. This file typically contains settings for the SSH daemon, including which encryption algorithms are allowed.

By editing the /etc/ssh/sshd_config file and updating the Ciphers directive, weak ciphers can be removed, and only strong ciphers can be allowed. This change ensures that the SSH server does not use insecure encryption methods.

CompTIA Security+ Study Guide

OpenSSH manual pages (man sshd_config)

CIS Benchmarks for Linux

Question 4

SIMULATION

[Identity and Access Management (IAM)]

A product development team has submitted code snippets for review prior to release.

INSTRUCTIONS

Analyze the code snippets, and then select one vulnerability, and one fix for each code snippet.

Code Snippet 1

Code Snippet 2

Vulnerability 1:

SQL injection

Cross-site request forgery

Server-side request forgery

Indirect object reference

Cross-site scripting

Fix 1:

Perform input sanitization of the userid field.

Perform output encoding of queryResponse,

Ensure usex:ia belongs to logged-in user.

Inspect URLS and disallow arbitrary requests.

Implementanti-forgery tokens.

Vulnerability 2

1) Denial of service

2) Command injection

3) SQL injection

4) Authorization bypass

5) Credentials passed via GET

Fix 2

A) Implement prepared statements and bind

variables.

B) Remove the serve_forever instruction.

C) Prevent the "authenticated" value from being overridden by a GET parameter.

D) HTTP POST should be used for sensitive parameters.

E) Perform input sanitization of the userid field.

ASee the solution below in explanation

Answer : A

Code Snippet 1

Vulnerability 1:SQL injection

SQL injection is a type of attack that exploits a vulnerability in the code that interacts with a database. An attacker can inject malicious SQL commands into the input fields, such as username or password, and execute them on the database server. This can result in data theft, data corruption, or unauthorized access.

Fix 1:Perform input sanitization of the userid field.

Input sanitization is a technique that prevents SQL injection byvalidating and filtering the user input values before passing them to the database. The input sanitization should remove any special characters, such as quotes, semicolons, or dashes, that can alter the intended SQL query. Alternatively, the input sanitization can use a whitelist of allowed values and reject any other values.

Code Snippet 2

Vulnerability 2:Cross-site request forgery

Cross-site request forgery (CSRF) is a type of attack that exploits a vulnerability in the code that handles web requests. An attacker can trick a user into sending a malicious web request to a server that performs an action on behalf of the user, such as changing their password, transferring funds, or deleting dat

a. This can result in unauthorized actions, data loss, or account compromise.

Fix 2:Implement anti-forgery tokens.

Anti-forgery tokens are techniques that prevent CSRF by adding a unique and secret value to each web request that is generated by the server and verified by the server before performing the action. The anti-forgery token should be different for each user and each session, and should not be predictable or reusable by an attacker. This way, only legitimate web requests from the user's browser can be accepted by the server.

Question 5

[Emerging Technologies and Threats]

After an incident occurred, a team reported during the lessons-learned review that the team.

* Lost important Information for further analysis.

* Did not utilize the chain of communication

* Did not follow the right steps for a proper response

Which of the following solutions is the best way to address these findinds?

ARequestingbudget for better forensic tools to Improve technical capabilities for Incident response operations

BBuilding playbooks for different scenarios and performing regular table-top exercises

CRequiring professional incident response certifications tor each new team member

DPublishing the incident response policy and enforcing it as part of the security awareness program

Answer : B

Building playbooks for different scenarios and performing regular table-top exercises directly addresses the issues identified in the lessons-learned review. Here's why:

Lost important information for further analysis: Playbooks outline step-by-step procedures for incident response, ensuring that team members know exactly what to document and how to preserve evidence.

Did not utilize the chain of communication: Playbooks include communication protocols, specifying who to notify and when. Regular table-top exercises reinforce these communication channels, ensuring they are followed during actual incidents.

Did not follow the right steps for a proper response: Playbooks provide a clear sequence of actions to be taken during various types of incidents, helping the team to respond in a structured and effective manner. Regular exercises allow the team to practice these steps, identifying and correcting any deviations from the plan.

Investing in better forensic tools (Option A) or requiring certifications (Option C) are also valuable, but they do not directly address the procedural and communication gaps identified. Publishing and enforcing the incident response policy (Option D) is important but not as practical and hands-on as playbooks and exercises in ensuring the team is prepared.

CompTIA Security+ Study Guide

NIST SP 800-61 Rev. 2, 'Computer Security Incident Handling Guide'

SANS Institute, 'Incident Handler's Handbook'

Question 6

[Emerging Technologies and Threats]

A cloud engineer wants to configure mail security protocols to support email authenticity and enable the flow of email security information to a third-party platform for further analysis. Which of the following must be configured to achieve these requirements? (Select two).

ADMARC

BDKIM

CTLS

DSPF

EDNSSEC

FMX

Answer : A, B

To support email authenticity and enable analysis by a third-party platform, the protocols must verify the sender's identity and provide metadata for inspection. According to the CompTIA SecurityX CAS-005 study guide (Domain 3: Cybersecurity Technology, 3.2):

DMARC (Domain-based Message Authentication, Reporting, and Conformance):DMARC builds on SPF and DKIM to enforce policies for email authenticity and provides reporting mechanisms to share authentication results with third parties for analysis.

DKIM (DomainKeys Identified Mail):DKIM adds a cryptographic signature to emails, allowing recipients to verify the sender's domain and ensure the email's integrity.

These two protocols are essential for authenticity and reporting.

Option C (TLS):TLS ensures encryption during transmission but does not address authenticity or reporting.

Option D (SPF):SPF verifies sender IP addresses but lacks reporting capabilities without DMARC.

Option E (DNSSEC):DNSSEC secures DNS queries but is not specific to email authenticity.

Option F (MX):MX records define mail servers, not authenticity or reporting.

CompTIA SecurityX CAS-005 Official Study Guide, Domain 3: Cybersecurity Technology, Section 3.2: 'Configure email security protocols, including DMARC and DKIM.'

CAS-005 Exam Objectives, 3.2: 'Implement technologies for email security and authenticity.'

Question 7

[Emerging Technologies and Threats]

A user submits a help desk ticket stating then account does not authenticatesometimes. An analyst reviews the following logs for the user:

Which of the following best explains the reason the user's access is being denied?

Aincorrectly typed password

BTime-based access restrictions

CAccount compromise

DInvalid user-to-device bindings

Answer : B

The logs reviewed for the user indicate that access is being denied due to time-based access restrictions. These restrictions are commonly implemented to limit access to systems during specific hours to enhance security. If a user attempts to authenticate outside of the allowed time window, access will be denied. This measure helps prevent unauthorized access during non-business hours, reducing the risk of security incidents.

CompTIA SecurityX Study Guide: Covers various access control methods, including time-based restrictions, as a means of enhancing security.

NIST Special Publication 800-53, 'Security and Privacy Controls for Information Systems and Organizations': Recommends the use of time-based access restrictions as part of access control policies.

'Access Control and Identity Management' by Mike Chapple and Aaron French: Discusses the implementation and benefits of time-based access restrictions.