CompTIA CAS-005 Exam Practice Test Instant Access

Question 1

[Security Engineering and Cryptography]

Which of the following is the main reason quantum computing advancements are leading companies and countries to deploy new encryption algorithms?

AEncryption systems based on large prime numbers will be vulnerable to exploitation

BZero Trust security architectures will require homomorphic encryption.

CPerfect forward secrecy will prevent deployment of advanced firewall monitoring techniques

DQuantum computers willenable malicious actors to capture IP traffic in real time

Answer : A

Advancements in quantum computing pose a significant threat to current encryption systems, especially those based on the difficulty of factoring large prime numbers, such as RSA. Quantum computers have the potential to solve these problems exponentially faster than classical computers, making current cryptographic systems vulnerable.

Why Large Prime Numbers are Vulnerable:

Shor's Algorithm: Quantum computers can use Shor's algorithm to factorize large integers efficiently, which undermines the security of RSA encryption.

Cryptographic Breakthrough: The ability to quickly factor large prime numbers means that encrypted data, which relies on the hardness of thismathematical problem, can be decrypted.

Other options, while relevant, do not capture the primary reason for the shift towards new encryption algorithms:

B . Zero Trust security architectures: While important, the shift to homomorphic encryption is not the main driver for new encryption algorithms.

C . Perfect forward secrecy: It enhances security but is not the main reason for new encryption algorithms.

D . Real-time IP traffic capture: Quantum computers pose a more significant threat to the underlying cryptographic algorithms than to the real-time capture of traffic.

CompTIA SecurityX Study Guide

NIST Special Publication 800-208, 'Recommendation for Stateful Hash-Based Signature Schemes'

'Quantum Computing and Cryptography,' MIT Technology Review

Question 2

[Governance, Risk, and Compliance (GRC)]

A systems administrator wants to introduce a newly released feature for an internal application. The administrate docs not want to test the feature in the production environment. Which of the following locations is the best place to test the new feature?

AStaging environment

BTesting environment

CCI/CO pipeline

DDevelopment environment

Answer : A

The best location to test a newly released feature for an internal application, without affecting the production environment, is the staging environment. Here's a detailed explanation:

Staging Environment: This environment closely mirrors the production environment in terms of hardware, software, configurations, and settings. It serves as a final testing ground before deploying changes to production. Testing in the staging environment ensures that the new feature will behave as expected in the actual production setup.

Isolation fromProduction: The staging environment is isolated from production, which means any issues arising from the new feature will not impact the live users or the integrity of the production data. This aligns with best practices in change management and risk mitigation.

Realistic Testing: Since the staging environment replicates the production environment, it provides realistic testing conditions. This helps in identifying potential issues that might not be apparent in a development or testing environment, which often have different configurations and workloads.

CompTIA Security+ SY0-601 Official Study Guide by Quentin Docter, Jon Buhagiar

NIST Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations

Question 3

[Security Architecture]

A company is preparing to move a new version of a web application to production. No issues were reported during security scanning or quality assurance in the CI/CD pipeline. Which of the following actions should thecompany take next?

AMerge the test branch to the main branch

BPerform threat modeling on the production application

CConduct unit testing on the submitted code

DPerform a peer review on the test branch

Answer : A

The question states that security scanning and quality assurance (QA) in the CI/CD pipeline have been completed with no issues, indicating that the code in the test branch is ready for production. According to the CompTIA SecurityX CAS-005 study guide (Domain 2: Security Operations, 2.3), in a secure CI/CD pipeline, once code passes automated security scans, QA, and other checks (e.g., unit testing, peer reviews), the next step is to merge the tested branch into the main branch for deployment to production.

Option B:Threat modeling is typically performed earlier, during design or development, not after passing CI/CD checks.

Option C:Unit testing is part of the CI/CD pipeline and should already be completed.

Option D:Peer reviews are conducted before or during the test phase, not after QAand security scans are clear.

Option A:Merging the test branch to the main branch is the logical next step to prepare for production deployment.

CompTIA SecurityX CAS-005 Official Study Guide, Domain 2: Security Operations, Section 2.3: 'Manage secure software development lifecycles, including CI/CD pipelines.'

CAS-005 Exam Objectives, 2.3: 'Analyze secure deployment processes in CI/CD environments.'

Question 4

SIMULATION

[Identity and Access Management (IAM)]

A product development team has submitted code snippets for review prior to release.

INSTRUCTIONS

Analyze the code snippets, and then select one vulnerability, and one fix for each code snippet.

Code Snippet 1

Code Snippet 2

Vulnerability 1:

SQL injection

Cross-site request forgery

Server-side request forgery

Indirect object reference

Cross-site scripting

Fix 1:

Perform input sanitization of the userid field.

Perform output encoding of queryResponse,

Ensure usex:ia belongs to logged-in user.

Inspect URLS and disallow arbitrary requests.

Implementanti-forgery tokens.

Vulnerability 2

1) Denial of service

2) Command injection

3) SQL injection

4) Authorization bypass

5) Credentials passed via GET

Fix 2

A) Implement prepared statements and bind

variables.

B) Remove the serve_forever instruction.

C) Prevent the "authenticated" value from being overridden by a GET parameter.

D) HTTP POST should be used for sensitive parameters.

E) Perform input sanitization of the userid field.

ASee the solution below in explanation

Answer : A

Code Snippet 1

Vulnerability 1:SQL injection

SQL injection is a type of attack that exploits a vulnerability in the code that interacts with a database. An attacker can inject malicious SQL commands into the input fields, such as username or password, and execute them on the database server. This can result in data theft, data corruption, or unauthorized access.

Fix 1:Perform input sanitization of the userid field.

Input sanitization is a technique that prevents SQL injection byvalidating and filtering the user input values before passing them to the database. The input sanitization should remove any special characters, such as quotes, semicolons, or dashes, that can alter the intended SQL query. Alternatively, the input sanitization can use a whitelist of allowed values and reject any other values.

Code Snippet 2

Vulnerability 2:Cross-site request forgery

Cross-site request forgery (CSRF) is a type of attack that exploits a vulnerability in the code that handles web requests. An attacker can trick a user into sending a malicious web request to a server that performs an action on behalf of the user, such as changing their password, transferring funds, or deleting dat

a. This can result in unauthorized actions, data loss, or account compromise.

Fix 2:Implement anti-forgery tokens.

Anti-forgery tokens are techniques that prevent CSRF by adding a unique and secret value to each web request that is generated by the server and verified by the server before performing the action. The anti-forgery token should be different for each user and each session, and should not be predictable or reusable by an attacker. This way, only legitimate web requests from the user's browser can be accepted by the server.

Question 5

During a recent audit, a company's systems were assessed- Given the following information:

Which of the following is the best way to reduce the attack surface?

ADeploying an EDR solution to all impacted machines in manufacturing

BSegmenting the manufacturing network with a firewall and placing the rules in monitor mode

CSetting up an IDS inline to monitor and detect any threats to the software

DImplementing an application-aware firewall and writing strict rules for the application access

Answer : D

SecurityX CAS-005 network architecture objectives emphasize limiting exposure of vulnerable systems by using application-aware firewalls with strict rule sets.

This approach directly reduces the attack surface by allowing only approved application traffic to and from the vulnerable systems, mitigating risk until systems are patched or replaced.

EDR (A) enhances detection but doesn't inherently reduce the exposed services.

Network segmentation in monitor mode (B) doesn't block threats.

Question 6

[Emerging Technologies and Threats]

A security architect for a global organization with a distributed workforce recently received funding lo deploy a CASB solution Which of the following most likely explains the choice to use a proxy-based CASB?

AThe capability to block unapproved applications and services is possible

BPrivacy compliance obligations are bypassed when using a user-based deployment.

CProtecting and regularly rotating API secret keys requires a significant time commitment

DCorporate devices cannot receive certificates when not connected to on-premises devices

Answer : A

A proxy-based Cloud Access Security Broker (CASB) is chosen primarily for its ability to block unapproved applications and services. Here's why:

Application and Service Control: Proxy-based CASBs can monitor and control the use of applications and services by inspecting traffic as it passes through the proxy. This allows the organization to enforce policies that block unapproved applications and services, ensuring compliance with security policies.

Visibility and Monitoring: By routing traffic through the proxy, the CASB can provide detailed visibility into user activities and data flows, enabling better monitoring and threat detection.

Real-Time Protection: Proxy-based CASBs can provide real-time protection against threats by analyzing and controlling traffic before it reaches the end user, thus preventing the use of risky applications and services.

CompTIA Security+ SY0-601 Study Guide by Mike Chapple and David Seidl

NIST Special Publication 800-125: Guide to Security for Full Virtualization Technologies

Gartner CASB Market Guide

Question 7

[Security Architecture]

A software development team requires valid data for internal tests. Company regulations, however do not allow the use of this data in cleartext. Which of the following solutions best meet these requirements?

AConfiguring data hashing

BDeploying tokenization

CReplacing data with null record

DImplementing data obfuscation

Answer : B

Tokenization replaces sensitive data elements with non-sensitive equivalents, called tokens, that can be used within the internal tests. The original data is stored securely and can be retrieved if necessary. This approach allows the software development team to work with data that appears realistic and valid without exposing the actual sensitive information.

Configuring data hashing (Option A) is not suitable for test data as ittransforms the data into a fixed-length value that is not usable in the same way as the original data. Replacing data with null records (Option C) is not useful as it does not provide valid data for testing. Data obfuscation (Option D) could be an alternative but might not meet the regulatory requirements as effectively as tokenization.

CompTIA Security+ Study Guide

NIST SP 800-57 Part 1 Rev. 5, 'Recommendation for Key Management'

PCI DSS Tokenization Guidelines

CompTIA SecurityX Certification CAS-005 Exam Practice Test