Practice Free CAS-005 Exam Online Questions
A security team is responding to malicious activity and needs to determine the scope of impact. The malicious activity appears to affect certain versions of an application used by the organization.
Which of the following actions best enables the team to determine the scope of impact?
- A . Performing a port scan
- B . Inspecting egress network traffic
- C . Reviewing the asset inventory
- D . Analyzing user behavior
C
Explanation:
Reviewing the asset inventory allows the security team to identify all instances of the affected application versions within the organization. By knowing which systems are running the vulnerable versions, the team can assess the full scope of the impact, determine which systems might be compromised, and prioritize them for further investigation and remediation.
Performing a port scan (Option A) might help identify open ports but does not provide specific information about the application versions. Inspecting egress network traffic (Option B) and analyzing user behavior (Option D) are important steps in the incident response process but do not directly identify which versions of the application are affected.
Reference: CompTIA Security+ Study Guide
NIST SP 800-61 Rev. 2, "Computer Security Incident Handling Guide"
CIS Controls, "Control 1: Inventory and Control of Hardware Assets" and "Control 2: Inventory and Control of Software Assets"
Embedded malware has been discovered in a popular PDF reader application and is currently being exploited in the wild. Because the supply chain was compromised, this malware is present in versions 10.0 through 10.3 of the software’s official versions. The malware is not present in version 10.4.
Since the details around this malware are still emerging, the Chief Information Security Officer has asked the senior security analyst to collaborate with the IT asset inventory manager to find instances of the installed software in order to begin response activities. The asset inventory manager has asked an analyst to provide a regular expression that will identify the affected versions.
The software installation entries are formatted as follows:
Reader 10.0
Reader 10.1
Reader 10.2
Reader 10.3
Reader 10.4
Which of the following regular expression entries will accurately identify all the affected versions?
- A . Reader(*)[1][0].[0-4:
- B . Reader[11[01X.f0-3′
- C . Reader( )[1][0].[0-3:
- D . Reader( )[1][0] X.[1-3:
C
Explanation:
Comprehensive and Detailed Step-by-Step
Understand the Question Requirements:
The goal is to use a regular expression (regex) to match software versions 10.0 through 10.3, but exclude version 10.4.
Review Regex Syntax:
[ ] indicates a character set (matches any one character in the set).
[0-3] matches any digit between 0 and 3.
\. escapes the period (.) so it matches a literal period instead of acting as a wildcard.
( ) groups parts of the regex together.
Analyze Each Option:
Option A: Reader(*)[1][0].[0-4:
Incorrect. The use of (*) is not valid syntax in this context and [0-4 is incomplete or misformatted.
Option B: Reader[11[01X.f0-3′
Incorrect. This is an invalid regex syntax, mixing character sets and mismatched brackets.
Option C: Reader( )[1][0].[0-3:
Correct. This regex is valid and matches "Reader 10.0", "Reader 10.1", "Reader 10.2", and "Reader 10.3" while excluding "Reader 10.4".
Breakdown:
Reader: Matches the text "Reader".
[1][0]: Matches "10" as a combination of two characters.
.: Matches the literal period.
[0-3]: Matches any single digit between 0 and 3.
Option D: Reader( )[1][0] X.[1-3:
Incorrect. The syntax X.[1-3 is invalid, and this does not match the required versions.
Conclusion:
The regex in Option C correctly identifies all affected versions (10.0, 10.1, 10.2, 10.3) while excluding the unaffected version (10.4).
Reference: CompTIA Advanced Security Practitioner (CASP+) Study Guide, Chapter on Vulnerability Management.
CompTIA CASP+ Exam Objectives: "Analyze risks associated with new vulnerabilities."
Regular Expressions Documentation from CASP+ Official Reference Materials.
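The two questions above describe the same workflow: take the installation entries from the asset inventory and use the regex from option C to pull out every host running an affected build. The following is an added example (not code from the page or from CompTIA) that does exactly that over a constructed inventory. It assumes hypothetical hostnames and adds anchoring (`fullmatch`) and the escaped period `\.` so that the pattern only matches "Reader 10.0" through "Reader 10.3"; the page's pattern as printed has neither, which matters in practice because an unanchored pattern would also match an entry such as "Reader 10.10" as a prefix.

```python
import re
from dataclasses import dataclass

# Option C from the question, with the period escaped so it matches a literal
# "." (an unescaped "." matches any character). fullmatch() below anchors it.
AFFECTED_READER_RE = re.compile(r"Reader( )[1][0]\.[0-3]")


@dataclass(frozen=True)
class Asset:
    hostname: str
    software: str  # installation entry exactly as the inventory records it


# Constructed inventory records with hypothetical hostnames (not from the page).
SAMPLE_INVENTORY = [
    Asset("ws-101", "Reader 10.0"),
    Asset("ws-102", "Reader 10.3"),
    Asset("ws-103", "Reader 10.4"),   # clean build, must not match
    Asset("ws-104", "Reader 10.10"),  # would match an unanchored pattern as a prefix
    Asset("ws-105", "Reader 9.3"),
    Asset("srv-01", "Reader 10.2"),
]


def is_affected(entry: str) -> bool:
    """True when the whole installation entry is one of Reader 10.0 .. 10.3."""
    return AFFECTED_READER_RE.fullmatch(entry) is not None


def affected_hosts(inventory) -> list:
    """Sorted hostnames running an affected Reader build: the scope of impact."""
    return sorted(a.hostname for a in inventory if is_affected(a.software))


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print("affected:", host)
```

Running the inventory through `affected_hosts` gives the list of systems to prioritise for response; feeding the same regex into the inventory tool's own search field would return the same set, provided that tool anchors the match.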
After an incident response exercise, a security administrator reviews the following table:
Which of the following should the administrator do to best support rapid incident response in the future?
- A . Automate alerting to IT support for phone system outages.
- B . Enable dashboards for service status monitoring
- C . Send emails for failed log-in attempts on the public website
- D . Configure automated isolation of human resources systems
B
Explanation:
Enabling dashboards for service status monitoring is the best action to support rapid incident response. The table shows various services with different risk, criticality, and alert severity ratings. To ensure timely and effective incident response, real-time visibility into the status of these services is crucial.
Why Dashboards for Service Status Monitoring?
Real-time Visibility: Dashboards provide an at-a-glance view of the current status of all critical services, enabling rapid detection of issues.
Centralized Monitoring: A single platform to monitor the status of multiple services helps streamline incident response efforts.
Proactive Alerting: Dashboards can be configured to show alerts and anomalies immediately, ensuring that incidents are addressed as soon as they arise.
Improved Decision Making: Real-time data helps incident response teams make informed decisions quickly, reducing downtime and mitigating impact.
Other options, while useful, do not offer the same level of comprehensive, real-time visibility and proactive alerting:
A security operations engineer needs to prevent inadvertent data disclosure when encrypted SSDs are reused within an enterprise.
Which of the following is the most secure way to achieve this goal?
- A . Executing a script that deletes and overwrites all data on the SSD three times
- B . Wiping the SSD through degaussing
- C . Securely deleting the encryption keys used by the SSD
- D . Writing non-zero, random data to all cells of the SSD
C
Explanation:
The most secure way to prevent inadvertent data disclosure when encrypted SSDs are reused is to securely delete the encryption keys used by the SSD. Without the encryption keys, the data on the SSD remains encrypted and is effectively unreadable, rendering any residual data useless. This method is more reliable and efficient than overwriting data multiple times or using other physical destruction methods.
Reference: CompTIA SecurityX Study Guide: Highlights the importance of managing encryption keys and securely deleting them to protect data.
NIST Special Publication 800-88, "Guidelines for Media Sanitization": Recommends cryptographic erasure as a secure method for sanitizing encrypted storage devices.
A security officer received several complaints from users about excessive MFA push notifications at night. The security team investigates and suspects malicious activities regarding user account authentication.
Which of the following is the best way for the security officer to restrict MFA notifications?
- A . Provisioning FIDO2 devices
- B . Deploying text message-based MFA
- C . Enabling OTP via email
- D . Configuring prompt-driven MFA
D
Explanation:
Excessive MFA push notifications can be a sign of an attempted push notification attack, where attackers repeatedly send MFA prompts hoping the user will eventually approve one by mistake.
To mitigate this:
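The complaints in this question are the user-side symptom of an MFA push-fatigue attempt; on the identity provider's side the same pattern shows up as a burst of push prompts for one account in a short window, most of them denied or timed out. The following is an added detection example, not code from the page or from any identity provider, that runs over constructed log lines in a hypothetical `timestamp user push RESULT` format and flags accounts whose prompts exceed a threshold inside a sliding window. A burst that ends in `APPROVED` is the case to escalate, because it suggests the user eventually accepted a prompt they did not initiate.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format: ISO-8601 UTC timestamp, user, "push", result.
LINE_RE = re.compile(r"^(\S+) (\S+) push (\w+)$")

# Constructed sample lines (not from the page): user02 receives six prompts in
# three minutes at 02:00 and finally approves one; user01 and user03 are normal.
SAMPLE_MFA_LOG = """\
2024-03-05T02:01:10Z user02 push DENIED
2024-03-05T02:01:45Z user02 push TIMEOUT
2024-03-05T02:02:20Z user02 push DENIED
2024-03-05T02:02:55Z user02 push TIMEOUT
2024-03-05T02:03:30Z user02 push DENIED
2024-03-05T02:04:05Z user02 push APPROVED
2024-03-05T08:15:00Z user01 push APPROVED
2024-03-05T09:00:00Z user03 push DENIED
2024-03-05T09:30:00Z user03 push DENIED
2024-03-05T10:00:00Z user03 push APPROVED
2024-03-05T10:30:00Z user03 push APPROVED
2024-03-05T11:00:00Z user03 push APPROVED
2024-03-05T17:40:00Z user01 push APPROVED
"""


def parse_mfa_events(lines):
    """Yield (user, timestamp, result); lines that do not fit the format are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield m.group(2), ts, m.group(3)


def detect_push_fatigue(lines, max_prompts=5, window=timedelta(minutes=10)):
    """Return {user: (prompts_in_worst_window, result_of_last_prompt_in_it)} for
    every user who received at least max_prompts pushes inside any window."""
    by_user = defaultdict(list)
    for user, ts, result in parse_mfa_events(lines):
        by_user[user].append((ts, result))

    flagged = {}
    for user, events in by_user.items():
        events.sort()
        worst, worst_last = 0, None
        j = 0
        for i in range(len(events)):          # sliding window [i, j)
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i > worst:
                worst, worst_last = j - i, events[j - 1][1]
        if worst >= max_prompts:
            flagged[user] = (worst, worst_last)
    return flagged


if __name__ == "__main__":
    for user, (count, last) in detect_push_fatigue(SAMPLE_MFA_LOG.splitlines()).items():
        print(f"{user}: {count} prompts in one window, last result {last}")
```

The threshold and window are deliberately parameters: a help-desk password reset can legitimately produce two or three prompts, so tune them against a baseline of your own logs before alerting on them.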
A company reduced its staff 60 days ago, and applications are now starting to fail. The security analyst is investigating to determine if there is malicious intent for the application failures.
The security analyst reviews the following logs:
Mar 5 22:09:50 akj3 sshd[21502]: Success login for userOl from 192.168.2.5
Mar 5 22:10:00 akj3 sshd[21502]: Failed login for userID from 192.168.2.5
Which of the following is the most likely reason for the application failures?
- A . The user’s account was set as a service account.
- B . The user’s home directory was deleted.
- C . The user does not have sudo access.
- D . The root password has been changed.
B
Explanation:
Comprehensive and Detailed Step-by-Step
When an employee leaves a company, their home directory might be deleted along with their account, leading to application failures if the directory contained configuration files, dependencies, or system scripts.
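A quick way to confirm the explanation above is to compare the accounts still present in the password database with the home directories that actually exist, and then correlate the gaps with the failed logins in the sshd log. The following is an added example, not code from the page, that does this over constructed `/etc/passwd` lines and constructed sshd log lines shaped like the ones in the question (the usernames, hosts and the stand-in set of existing directories are all hypothetical). The directory check is injected as a function so the demo runs without touching the real filesystem; pass the default `os.path.isdir` to run it for real.

```python
import os
import re

PASSWD_FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")
SSHD_RE = re.compile(r"sshd\[\d+\]: (Success|Failed) login for (\S+) from (\S+)")

# Constructed passwd content (hypothetical accounts, not from the page).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
user01:x:1001:1001::/home/user01:/bin/bash
svc-batch:x:1002:1002::/home/svc-batch:/usr/sbin/nologin
user07:x:1007:1007::/home/user07:/bin/bash
"""

# Constructed stand-in for the filesystem: only these directories "exist".
EXISTING_DIRS = {"/root", "/home/user07"}

# Constructed sshd lines in the same shape as the question's log excerpt.
SAMPLE_SSHD_LOG = [
    "Mar 5 22:09:50 akj3 sshd[21502]: Success login for user01 from 192.168.2.5",
    "Mar 5 22:10:00 akj3 sshd[21502]: Failed login for user01 from 192.168.2.5",
    "Mar 5 22:11:00 akj3 sshd[21502]: Failed login for svc-batch from 192.168.2.9",
    "Mar 5 22:12:00 akj3 sshd[21502]: Success login for user07 from 192.168.2.7",
]


def parse_passwd(text):
    """Parse passwd-format lines into dicts; malformed or comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == len(PASSWD_FIELDS):
            entries.append(dict(zip(PASSWD_FIELDS, fields)))
    return entries


def accounts_missing_home(passwd_text, dir_exists=os.path.isdir):
    """(name, home) for every account whose home directory no longer exists."""
    return [(e["name"], e["home"]) for e in parse_passwd(passwd_text)
            if not dir_exists(e["home"])]


def failed_logins_with_missing_home(log_lines, passwd_text, dir_exists=os.path.isdir):
    """Users with a failed sshd login whose home directory is gone: the accounts
    most likely behind the application failures after an offboarding."""
    missing = {name for name, _home in accounts_missing_home(passwd_text, dir_exists)}
    hits = set()
    for line in log_lines:
        m = SSHD_RE.search(line)
        if m and m.group(1) == "Failed" and m.group(2) in missing:
            hits.add(m.group(2))
    return sorted(hits)


if __name__ == "__main__":
    for name, home in accounts_missing_home(SAMPLE_PASSWD, EXISTING_DIRS.__contains__):
        print(f"{name}: home {home} missing")
    print("failed logins from such accounts:",
          failed_logins_with_missing_home(SAMPLE_SSHD_LOG, SAMPLE_PASSWD, EXISTING_DIRS.__contains__))
```

The `svc-batch` entry in the sample is the case worth watching for: a service account with a `nologin` shell that still needs its home directory for configuration files, which an offboarding script that deletes home directories wholesale will break just as readily as a departed user's account.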
A security analyst received a notification from a cloud service provider regarding an attack detected on a web server.
The cloud service provider shared the following information about the attack:
• The attack came from inside the network.
• The attacking source IP was from the internal vulnerability scanners.
• The scanner is not configured to target the cloud servers.
Which of the following actions should the security analyst take first?
- A . Create an allow list for the vulnerability scanner IPs in order to avoid false positives
- B . Configure the scan policy to avoid targeting an out-of-scope host
- C . Set network behavior analysis rules
- D . Quarantine the scanner sensor to perform a forensic analysis
D
Explanation:
When a security analyst receives a notification about an attack that appears to originate from an internal vulnerability scanner, it suggests that the scanner itself might have been compromised. This situation is critical because a compromised scanner can potentially conduct unauthorized scans, leak sensitive information, or execute malicious actions within the network. The appropriate first action involves containing the threat to prevent further damage and allow for a thorough investigation.
Here’s why quarantining the scanner sensor is the best immediate action:
Containment and Isolation: Quarantining the scanner will immediately prevent it from continuing any malicious activity or scans. This containment is crucial to protect the rest of the network from potential harm.
Forensic Analysis: By isolating the scanner, a forensic analysis can be performed to understand how it was compromised, what actions it took, and what data or systems might have been affected. This analysis will provide valuable insights into the nature of the attack and help in taking appropriate remedial actions.
Preventing Further Attacks: If the scanner is allowed to continue operating, it might execute more unauthorized actions, leading to greater damage. Quarantine ensures that the threat is neutralized promptly.
Root Cause Identification: A forensic analysis can help identify vulnerabilities in the scanner’s configuration, software, or underlying system that allowed the compromise. This information is essential for preventing future incidents.
Other options, while potentially useful in the long term, are not appropriate as immediate actions in this scenario:
During a gap assessment, an organization notes that BYOD usage is a significant risk. The organization implemented administrative policies prohibiting BYOD usage. However, the organization has not implemented technical controls to prevent the unauthorized use of BYOD assets when accessing the organization’s resources.
Which of the following solutions should the organization implement to best reduce the risk of BYOD devices? (Select two).
- A . Cloud IAM to enforce the use of token based MFA
- B . Conditional access, to enforce user-to-device binding
- C . NAC, to enforce device configuration requirements
- D . PAM, to enforce local password policies
- E . SD-WAN, to enforce web content filtering through external proxies
- F . DLP, to enforce data protection capabilities
B, C
Explanation:
To reduce the risk of unauthorized BYOD (Bring Your Own Device) usage, the organization should implement Conditional Access and Network Access Control (NAC).
Why Conditional Access and NAC?
Conditional Access:
User-to-Device Binding: Conditional access policies can enforce that only registered and compliant devices are allowed to access corporate resources.
Context-Aware Security: Enforces access controls based on the context of the access attempt, such as user identity, device compliance, location, and more.
Network Access Control (NAC):
Device Configuration Requirements: NAC ensures that only devices meeting specific security configurations are allowed to connect to the network.
Access Control: Provides granular control over network access, ensuring that BYOD devices comply with security policies before gaining access.
Other options, while useful, do not address the specific need to control and secure BYOD devices effectively:
Emails that the marketing department is sending to customers are going to the customers’ spam folders. The security team is investigating the issue and discovers that the certificates used by the email server were reissued, but DNS records had not been updated.
Which of the following should the security team update in order to fix this issue? (Select three.)
- A . DMARC
- B . SPF
- C . DKIM
- D . DNSSEC
- E . SASC
- F . SAN
- G . SOA
- H . MX
A, C, B
Explanation:
To prevent emails from being marked as spam, several DNS records related to email authentication need to be properly configured and updated when there are changes to the email server’s certificates:
A Chief Information Security Officer is concerned about the operational impact of ransomware. In the event of a ransomware attack, the business requires the integrity of the data to remain intact and an RPO of less than one hour.
Which of the following storage strategies best satisfies the business requirements?
- A . Full disk encryption
- B . Remote journaling
- C . Immutable
- D . RAID 10
B
Explanation:
Remote journaling continuously sends log updates to a remote system, ensuring near-real-time backup and an RPO (Recovery Point Objective) under one hour. Key concepts:
RPO under one hour means minimal data loss.
Remote journaling provides rapid recovery by keeping near-live backups.
Other options:
A (Full disk encryption) protects against unauthorized access but does not aid recovery.
C (Immutable storage) prevents modification but does not ensure real-time backups.
D (RAID 10) improves redundancy but does not help against ransomware.
Reference: CASP+ CAS-005: Business Continuity and Disaster Recovery Planning