CAS-005 CompTIA SecurityX Certification Exam Questions and Answers

The correct snippet is Option A, which shows an Ansible YAML playbook designed to deploy and maintain security software on Linux servers. Ansible is a configuration management tool widely used in enterprise environments, and the ansible.builtin.apt module specifically manages package installation on Debian/Ubuntu-based Linux distributions. This ensures consistent security software deployment across multiple servers.

Option B is XML-based and does not represent a valid configuration management script. Option C incorrectly uses JSON format and references Microsoft’s store (com.microsoft.store.latest), which is irrelevant for Linux. Option D also uses JSON syntax with “AppX,” which applies to Windows applications, not Linux.

CAS-005 emphasizes infrastructure as code (IaC) and automation as best practices for secure system configuration. YAML-based playbooks in Ansible provide repeatability, auditability, and scalability, making Option A the most secure and appropriate solution.

Based on the provided logs, the user has accessed various applications from different geographic locations within a very short timeframe. This pattern is indicative of the "impossible travel" security rule, a common feature in Single Sign-On (SSO) systems designed to detect and prevent fraudulent access attempts.

Analysis of Logs:

At 8:47 p.m., the user accessed a VPN from Toronto.

At 8:48 p.m., the user accessed email from Los Angeles.

At 8:48 p.m., the user accessed the human resources system from Los Angeles.

At 8:49 p.m., the user accessed email again from Los Angeles.

At 8:52 p.m., the user attempted to access the human resources system from Toronto, which was denied.

These rapid changes in location are physically impossible and typically trigger security measures to prevent unauthorized access. The SSO system detected these inconsistencies and likely flagged the activity as suspicious, resulting in access denial.

A Content Delivery Network (CDN) caches and distributes static and dynamic web content across multiple geographically distributed edge servers, reducing latency for global users. This directly addresses page-loading delays caused by distance from the primary data centers.

RASP is for runtime application security, not latency.

Remote journaling is for data replication, not performance optimization.

SASE can improve security and WAN routing, but a CDN is purpose-built for content delivery performance.

Configuring a span port on the perimeter firewall to ingest logs is the best architectural change to ensure that all client proxy traffic is captured for analysis. Here’s why:

Comprehensive Traffic Capture: A span port (or mirror port) on the perimeter firewall can capture all inbound and outbound traffic, including traffic that might bypass the proxy. This ensures that all network traffic is available for analysis.

Centralized Logging: By capturing logs at the perimeter firewall, the organization can centralize logging and analysis, making it easier to detect and investigate anomalies.

Minimal Disruption: Implementing a span port is a non-intrusive method that does not require significant changes to the network architecture, thus minimizing disruption to existing services.

Excessive MFA push notifications can be a sign of an attempted push notification attack, where attackers repeatedly send MFA prompts hoping the user will eventually approve one by mistake. To mitigate this:

A. Provisioning FIDO2 devices: While FIDO2 devices offer strong authentication, they may not be practical for all users and do not directly address the issue of excessive push notifications.

B. Deploying a text message-based MFA: SMS-based MFA can still be vulnerable to similar spamming attacks and phishing.

C. Enabling OTP via email: Email-based OTPs add another layer of security but do not directly solve the issue of excessive notifications.

D. Configuring prompt-driven MFA: This option allows users to respond to prompts in a secure manner, often including features like time-limited approval windows, additional verification steps, or requiring specificactions to approve. This can help prevent users from accidentally approving malicious attempts.

Configuring prompt-driven MFA is the best solution to restrict unnecessary MFA notifications and improve security.

Matching Relevant Findings to the Affected Hosts:

Finding 1:

Affected Host: DNS

Reason: Users are unable to log into the domain from their workstations after relocating to Site B, which implies a failure in domain name services that are critical for user authentication and domain login.

Finding 2:

Affected Host: Pumps

Reason: Thepump room at Site B becoming inoperable directly points to the critical infrastructure components associated with pumping operations.

Finding 3:

Affected Host: VPN Concentrator

Reason: Unreliable internet connectivity at Site B due to route flapping indicates issues with network routing, which is often managed by VPN concentrators that handle site-to-site connectivity.

Corrective Actions for Finding 3:

Finding 3 Corrective Action:

Action: Modify the BGP configuration

Reason: Route flapping is often related to issues with Border Gateway Protocol (BGP) configurations. Adjusting BGP settings can stabilize routes and improve internet connectivity reliability.

Replication to Site B for Finding 1:

Affected Host: DNS

Domain Name System (DNS) services are essential for translating domain names into IP addresses, allowing users to log into the network. Replicating DNS services ensures that even if Site A is disrupted, users at Site B can still authenticate and access necessary resources.

Replication to Site B for Finding 2:

Affected Host: Pumps

The operation of the pump room is crucial for maintaining various functions within the infrastructure. Replicating the control systems and configurations for the pumps at Site B ensures that operations can continue smoothly even if Site A is affected.

Configuration Changes for Finding 3:

Affected Host: VPN Concentrator

Route flapping is a situation where routes become unstable, causing frequent changes in the best path for data to travel. This instability can be mitigated by modifying BGP configurations to ensure more stable routing. VPN concentrators, which manage connections between sites, are typically configured with BGP for optimal routing.

The sshd_config file is the main configuration file for the OpenSSH server. To disable weak CBC (Cipher Block Chaining) ciphers for SSH connections, the security engineer should modify the sshd_config file to update the list of allowed ciphers. This file typically contains settings for the SSH daemon, including which encryption algorithms are allowed.

By editing the /etc/ssh/sshd_config file and updating the Ciphers directive, weak ciphers can be removed, and only strong ciphers can be allowed. This change ensures that the SSH server does not use insecure encryption methods.

Homomorphic encryption allows computations to be performed on encrypted data without decrypting it, providing strong privacy guarantees. However, the adoption of homomorphic encryption is challenging due to several factors:

A. Incomplete mathematical primitives: This is not the primary barrier as the theoretical foundations of homomorphic encryption are well-developed.

B. No use cases to drive adoption: There are several compelling use cases for homomorphic encryption, especially in privacy-sensitive fields like healthcare and finance.

C. Quantum computers not yet capable: Quantum computing is not directly related to the challenges of adopting homomorphic encryption.

D. Insufficient coprocessor support: The computational overhead of homomorphic encryption is significant, requiring substantial processing power. Current general-purpose processors are not optimized for the intensive computations required by homomorphic encryption, limiting its practical deployment. Specialized hardware or coprocessors designed to handle these computations more efficiently are not yet widely available.

The most appropriate solution for the systems engineer to deploy is SELinux (Security-Enhanced Linux). Here's why:

Mandatory Access Control (MAC): SELinux enforces MAC policies, ensuring that only authorized users and processes can access specific resources. This helps in preventing unauthorized reading and modification of data and programs.

Access Vector Cache: SELinux utilizes an access vector cache (AVC) to improve performance. The AVC caches access decisions, reducing the need for repetitive policy lookups and thus improving system efficiency.

Security Mechanisms: SELinux provides a robust framework to enforce security policies and prevent bypassing of application security mechanisms. It controls access based on defined policies, ensuring that security measures are consistently applied.

Privilege Escalation and Process Interference: SELinux limits the ability of processes to escalate privileges and interfere with each other by enforcing strict access controls. This containment helps in isolating processes and minimizing the risk of privilege escalation attacks.

To support email authenticity and enable analysis by a third-party platform, the protocols must verify the sender’s identity and provide metadata for inspection. According to the CompTIA SecurityX CAS-005 study guide (Domain 3: Cybersecurity Technology, 3.2):

DMARC (Domain-based Message Authentication, Reporting, and Conformance):DMARC builds on SPF and DKIM to enforce policies for email authenticity and provides reporting mechanisms to share authentication results with third parties for analysis.

DKIM (DomainKeys Identified Mail):DKIM adds a cryptographic signature to emails, allowing recipients to verify the sender’s domain and ensure the email’s integrity.

These two protocols are essential for authenticity and reporting.

Option C (TLS):TLS ensures encryption during transmission but does not address authenticity or reporting.

Option D (SPF):SPF verifies sender IP addresses but lacks reporting capabilities without DMARC.

Option E (DNSSEC):DNSSEC secures DNS queries but is not specific to email authenticity.

Option F (MX):MX records define mail servers, not authenticity or reporting.

Remote journaling continuously sends log updates to a remote system, ensuring near-real-time backup and an RPO (Recovery Point Objective) under one hour.

Key concepts:

RPO under one hour means minimal data loss.

Remote journaling provides rapid recovery by keeping near-live backups.

Other options:

A(Full disk encryption) protects against unauthorized access but does not aid recovery.

C (Immutable storage) prevents modification but does not ensure real-time backups.

D (RAID 10) improves redundancy but does not help against ransomware.

Preparing communication templates that have been vetted by both internal and external counsel ensures that the organization can respond quickly and effectively to internal and external inquiries, comply with regulatory requirements, and provide transparency in the event of a breach.

Why Communication Templates?

Timely Response: Pre-prepared templates ensure that responses are ready to be deployed quickly, reducing response time.

Regulatory Compliance: Templates vetted by counsel ensure that all communications meet legal and regulatory requirements.

Consistent Messaging: Ensures that all responses are consistent, clear, and accurate, maintaining the organization’s credibility.

Crisis Management: Pre-prepared templates are a critical component of a broader crisis management plan, ensuring that all stakeholders are informed appropriately.

Other options, while useful, do not provide the same level of preparedness and compliance:

A. Outsourcing to an external consultant: This may delay response times and lose internal control over the communication.

B. Integrating automated response mechanisms: Useful for efficiency but not for ensuring compliant and vetted responses.

D. Conducting lessons-learned activities: Important for improving processes but does not provide immediate preparedness for communication.

Automating compliance in cloudenvironments requires a tool that can enforce configurations, manage infrastructure as code, and align with industry standards (e.g., NIST, ISO). Let’s evaluate:

A. Jenkins:A CI/CD tool for automating software builds and deployments. It’s not designed for compliance enforcement or infrastructure management.

B. Python:A programming language that can be scripted for automation but lacks built-in compliance-focused features without significant custom development.

C. Ansible:An automation tool for configuration management, application deployment, and compliance enforcement. It uses playbooks to define desired states, making it ideal for automating compliance checks and remediation in cloud environments (e.g., AWS, Azure). CAS-005 emphasizes automation tools for security and compliance, and Ansible fits perfectly.

The provided code snippet shows a script that captures the user's cookies and sends them to a remote server. This type of attack is characteristic of Cross-Site Scripting (XSS), specifically stored XSS, where the malicious script is stored on the target server (e.g., in a database) and executed in the context of users who visit the infected web page.

A. XSRF (Cross-Site Request Forgery) attack: This involves tricking the user into performing actions on a different site without their knowledge but does not involve stealing cookies via script injection.

B. Command injection: This involves executing arbitrary commands on the host operating system, which is not relevant to the given JavaScript code.

C. Stored XSS: The provided code snippet matches the pattern of a stored XSS attack, where the script is injected into a web page, and when users visit the page, the script executes and sends theuser's cookies to the attacker's server.

D. SQL injection: This involves injecting malicious SQL queries into the database and is unrelated to the given JavaScript code.

Implementing a Single Sign-On (SSO) solution and integrating it with applications is the best way to manage the situation and decrease risks. Here’s why:

Reduced Password Fatigue: SSO allows users tolog in once and gain access to multiple applications and systems without needing to remember and manage multiple passwords. This reduces the likelihood of users writing down passwords.

Improved Security: By reducing the number of passwords users need to manage, SSO decreases the attack surface and potential for password-related security breaches. It also allows for the implementation of stronger authentication methods.

User Convenience: SSO improves the user experience by simplifying the login process, which can lead to higher productivity and satisfaction.

The correct answer is Playbooks (A). In incident response, playbooks are structured workflows that define step-by-step actions for specific incident types (e.g., ransomware, phishing, insider threats). They allow SOC analysts to standardize responses across multiple platforms and tools, ensuring consistency and faster mitigation. By leveraging playbooks, organizations integrate existing incident response tools into automated or semi-automated processes, improving efficiency and reducing human error.

Option B (event collectors) consolidate logs but do not directly improve response processes. Option C (centralized logging) enhances visibility but does not provide a framework for action. Option D (endpoint detection) expands detection capabilities but does not enhance the process effectiveness of incident response.

CAS-005 emphasizes structured response through automation and orchestration. Playbooks, often implemented via SOAR platforms, allow integration of detection, triage, and remediation steps, making them the most effective way to increase incident response maturity.

SecurityX CAS-005 secure DevOps guidance recommends integrating security controls into the CI/CD pipeline. By validating container security baselines at security gates before deployment, noncompliant builds are stopped early, ensuring consistency across environments.

Option B is useful but does not ensure compliance if changes are made after image creation.

Option A detects drift but only after deployment.

Option D is reactive and does not prevent insecure deployments.

The routing entry 0.0.0.0/0 forces all traffic from remote clients—including traffic destined for the public internet—through the VPN tunnel. This is called full-tunnel VPN routing. While it ensures strong security by forcing all traffic to pass through corporate controls, it can also overload VPN gateways and cause slow access to both internal and external applications, as seen in this scenario.

The correct fix is to enable split tunneling (B). Split tunneling allows only corporate traffic (e.g., private IP ranges or internal applications) to flow through the VPN, while internet-bound traffic routes directly to the internet. This reduces congestion on VPN concentrators, improves performance for remote users, and ensures efficient use of bandwidth.

Moving servers to a screened subnet (A) relates to internal segmentation but does not fix the VPN bottleneck. NAC (C) enforces device compliance but does not address routing inefficiencies. DNS over HTTPS (D) secures name resolution but is unrelated to network congestion.

Thus, enabling split tunneling balances security and performance for remote workers.

The best location to test a newly released feature for an internal application, without affecting the production environment, is the staging environment. Here’s a detailed explanation:

Staging Environment: This environment closely mirrors the production environment in terms of hardware, software, configurations, and settings. It serves as a final testing ground before deploying changes to production. Testing in the staging environment ensures that the new feature will behave as expected in the actual production setup.

Isolation fromProduction: The staging environment is isolated from production, which means any issues arising from the new feature will not impact the live users or the integrity of the production data. This aligns with best practices in change management and risk mitigation.

Realistic Testing: Since the staging environment replicates the production environment, it provides realistic testing conditions. This helps in identifying potential issues that might not be apparent in a development or testing environment, which often have different configurations and workloads.

The most critical considerations are trust boundaries (C) and supply chain access (E). Trust boundaries define where sensitive data crosses between systems or organizations, requiring strict cryptographic protections—especially important in government and commercial environments subject to crypto-export controls.

Supply chain access is also critical because hardware and software are sourced from external vendors. If suppliers are compromised, attackers could introduce malicious code, backdoors, or tampered firmware, endangering customers worldwide.

Option A (contractual obligations) and B (legal hold) are compliance-related but not direct security threats. Option D (cloud services enumeration) is irrelevant unless the storage is cloud-based. Option F (homomorphic encryption) is an advanced technology but not required for base threat modeling.

CAS-005 highlights modeling adversary capabilities at trust boundaries and accounting for supply chain risks, making C and E the most important.

The best step is to query user behavior analytics (UBA) data. SIEM alerts provide potential security events, but without additional context, they may lead to false positives. UBA solutions detect anomalies by comparing user activity against baselines of normal behavior, highlighting unusual login patterns, lateral movement, or privilege escalation.

Option A (password manager logs) focuses only on credential use and lacks behavioral insight. Option B (dark web monitoring) helps identify compromised accounts but does not investigate the internal incident. Option C (audit logs for privileged actions) is useful but narrow in scope—it only covers administrator accounts.

By correlating SIEM data with UBA, the engineer can validate whether the flagged activity indicates real malicious behavior or benign anomalies. CAS-005 emphasizes advanced analytics integration (UEBA/UBA) to strengthen investigation and reduce false positives, making Option D the most effective choice.

Creatingsecure baseline imagesensuresconsistent, repeatabledeployment aligned with hardening standards. These images can be used acrosson-premises and cloud environments, ensuring compliance and reducing misconfigurations.

Vulnerability alerts (A)are reactive, not preventive.

Building images from scratch (C)is time-consuming and unnecessary if baselines exist.

Scripts for cleanup (D)are useful but do not prevent initial insecure configurations.

To reduce the risk of unauthorized BYOD (Bring Your Own Device) usage, the organization should implement Conditional Access and Network Access Control (NAC).

Why Conditional Access and NAC?

Conditional Access:

User-to-Device Binding: Conditional access policies can enforce that only registered and compliant devices are allowed to access corporate resources.

Context-Aware Security: Enforces access controls based on the context of the access attempt, such as user identity, device compliance, location, and more.

Network Access Control (NAC):

DeviceConfiguration Requirements: NAC ensures that only devices meeting specific security configurations are allowed to connect to the network.

Access Control: Provides granular control over network access, ensuring that BYOD devices comply with security policies before gaining access.

Other options, while useful, do not address the specific need to control and secure BYOD devices effectively:

A. Cloud IAM to enforce token-based MFA: Enhances authentication security but does not control device compliance.

D. PAM to enforce local password policies: Focuses on privileged account management, not BYOD control.

E. SD-WAN to enforce web content filtering: Enhances network performance and security but does not enforce BYOD device compliance.

F. DLP to enforce data protection capabilities: Protects data but does not control BYOD device access and compliance.

Based on the provided authentication logs, we observe that User1's accountexperienced multiple failed login attempts within a very short time span (at 8:01:23 AM on 12/15). This pattern indicates a potential brute-force attack or an attempt to gain unauthorized access. Here’s a breakdown of why disabling User1's account is the appropriate first step:

Failed Login Attempts: The logs show that User1 had four consecutive failed login attempts:

VM01 at 8:01:23 AM

VM08 at 8:01:23 AM

VM01 at 8:01:23 AM

VM08 at 8:01:23 AM

Security Protocols and Best Practices: According to CompTIA Security+ guidelines, multiple failed login attempts within a short timeframe should trigger an immediate response to prevent further potential unauthorized access attempts. This typically involves temporarily disabling the account to stop ongoing brute-force attacks.

Account Lockout Policy: Implementing an account lockout policy is a standard practice to thwart brute-force attacks. Disabling User1's account will align with these best practices and prevent further failed attempts, which might lead to successful unauthorized access if not addressed.

Risk mitigation involves taking actions to reduce either the likelihood or impact of a threat. By implementing a firewall between the two environments, Company A is minimizing the risk of threats from Company B impacting its own systems. Accepting the risk would involve taking no action, avoiding it would mean terminating activities with Company B, and transferring would involve outsourcing the risk, none of which occurred here.

Qualitative risk assessment is used when quantitative data (monetary loss, exact downtime cost, RTO) is unavailable or unreliable. The SecurityX CAS-005 GRC objectives note that qualitative methods rely on expert judgment, likelihood scales, and impact ratings rather than financial calculations. In this case, insufficient metrics rule out quantitative analysis.

Option A (work experience) is irrelevant to the choice of assessment type.

Option C (risk register) supports tracking, not selecting the assessment method.

Option D describes a quantitative goal, which is not possible with the given lack of metrics.

To enable code signing with an existing PKI, the first step is to configure the Certificate Authority (CA) to issue code signing certificates. Adding a new template with attributes specific to code signing (e.g., key usage for signing) allows the CA to support this requirement without disrupting existing operations.

Option A:Correct—templates define certificate types; this isthe foundational step.

Option B:Wildcard certificates are for domains, not code signing.

Option C:Recalculating root CA keys is unnecessary and risky unless compromised.

Option D:SAN (Subject Alternative Name) is for multi-domain certificates, irrelevant here.

Post-Quantum Cryptography (PQC) preparation is critical to protect data against future quantum computing attacks that could break current cryptographic algorithms (e.g., RSA, ECC). According to the CompTIA SecurityX CAS-005 study guide (Domain 3: Cybersecurity Technology, 3.3), quantum computers with sufficient computational power could perform calculations (e.g., Shor’s algorithm) to decrypt data protected by traditional algorithms. PQC focuses on developing algorithms resistant to such increases in computational resources, ensuring long-term data security.

Option B:Key stretching is a technique to strengthen passwords, not related to PQC.

Option C:PQC algorithms often have higher computational costs, not improved performance.

Option D:Asymmetric encryption is not ideal for large data sets, and PQC is not specifically about this use case.

Option A:This accurately describes PQC’s purpose to safeguard data against quantum-driven decryption.

To prevent unauthorized applications from running, the company needs a mechanism to explicitly define and enforce which applications are allowed to execute. "Permit listing" (often referred to as "whitelisting" in security contexts) is the most effective solution here. It involves creating a list of approved applications, and only those on the list are permitted to run, blocking all others by default. This directly addresses the root cause—users installing unapproved software—by restricting execution to only authorized programs.

Option A (Signing):Code signing ensures the authenticity and integrity of software by verifying it comes from a trusted source and hasn’t been tampered with. While useful, it doesn’t inherently prevent unauthorized applications from running unless combined with a policy like whitelisting.

Option B (Access control):Access control governs who can access systems or resources but doesn’t specifically restrict which applications can execute. It’s too broad for this scenario.

Option C (HIPS):A Host-based Intrusion Prevention System (HIPS) can detect and block malicious behavior, but it’s reactive and relies on signatures or heuristics, not a proactive allow-only approach.

Option D (Permit listing):This is the best fit, as it proactively enforces a policy where only explicitly authorized applications can run, preventing malware introduced by unauthorized software.

The best option is Mandatory Access Control (MAC). In MAC, access decisions are centrally controlled by the system or administrators, not by individual users. This ensures that healthcare staff who enter patient information cannot grant access to others, thereby preventing accidental or malicious disclosure. MAC enforces strict policies based on data sensitivity and user clearance, which aligns with compliance requirements like HIPAA.

Option A (rule-based) defines access through specific rules but is not as rigidly enforced as MAC. Option B (attribute-based) is flexible but could still allow dynamic grants of access. Option D (discretionary) explicitly allows users to assign access rights, which is exactly what must be avoided in this scenario.

CAS-005 stresses using centralized, non-discretionary controls when protecting sensitive medical data, making MAC the correct choice for hospitals.

When dealing with false positives and false negatives reported by a Security Information and Event Management (SIEM) system, the goal is to enhance the accuracy of the alerts and ensure that actual threats are identified correctly. The following sources of information best support the analysis process:

A. Third-party reports and logs: Utilizing external sources of information such as threat intelligence reports, vendor logs, and other third-party data can provide a broader perspective on potential threats. These sources often contain valuable insights and context that can help correlate events more accurately, reducing the likelihood of false positives and false negatives.

B. Trends: Analyzing trends over time can help inunderstanding patterns and anomalies in the data. By observing trends, the security team can distinguish between normal and abnormal behavior, which aids in fine-tuning the SIEM configurations to better detect true positives and reduce false alerts.

Other options such as dashboards, alert failures, network traffic summaries, and manual review processes are also useful but are more operational rather than foundational for understanding the root causes of reporting errors in SIEM configurations.

The data provided shows that all companies have SIEM systems, but they differ in their implementation of UEBA, DLP, ISAC membership, and TIP integration. The key metric to evaluate is the effectiveness in detecting and responding to attacks, as shown by the "Time to Detect" and "Time to Respond" columns. Company 1, which is an ISAC member, has the fastest detection (10 minutes) and response (20 minutes) times. Company 3, which is not an ISAC member, has slower detection (12 minutes) and response (24 minutes) times, despite having UEBA and TIP integration. Company 2, which lacks TIP integration but is an ISAC member, has the slowest times (20 minutes to detect, 40 minutes to respond). This suggests that ISAC membership correlates with faster detection and response, likely due to access to shared threat intelligence.

According to the CompTIA SecurityX CAS-005 objectives (Domain 2: Security Operations, 2.2), Information Sharing and Analysis Centers (ISACs) are critical for enabling organizations to share real-timethreat intelligence within their industry. ISACs provide access to actionable intelligence, best practices, and coordinated response strategies, which are essential for defending against sophisticated attacks targeting critical infrastructure like the energy sector. The lack of ISAC membership (Company 3) limits access to this intelligence, hindering proactive defense and response capabilities. While UEBA, DLP, and TIP integration are valuable, they are more focused on internal monitoring, data protection,and individual threat intelligence feeds, respectively, and do not provide the same industry-wide collaboration as an ISAC.

To meet the requirements of having allendpoints establish telemetry with a SIEM, integrate into an XDR platform, and allow SOC services to monitor the XDR platform, the best approach is to implement Host Intrusion Prevention Systems (HIPS) and a host-based firewall. HIPS can provide detailed telemetry data to the SIEM and can be integrated into the XDR platform for comprehensive monitoring and response. The host-based firewall ensures that only authorized traffic is allowed, providing an additional layer of security.

The most effective solution is Terraform (C), an Infrastructure as Code (IaC) tool that allows organizations to define and provision infrastructure resources across multiple cloud providers using a consistent configuration language. For a multicloud strategy, Terraform provides cloud-agnostic templates, ensuring that server creation, networking, and storage provisioning are automated and standardized across AWS, Azure, GCP, or other providers. This aligns with CAS-005 best practices for cloud automation and consistency.

PowerShell (A) and Bash (B) are scripting tools that can automate tasks but are typically tied to specific operating systems and lack multicloud orchestration capabilities. Ansible (D) is a strong automation tool for configuration management and application deployment, but Terraform is specifically designed to provision and manage infrastructure at scale across multicloud environments.

By using Terraform, the company can enforce consistent images, reduce human error, ensure compliance through reusable templates, and improve operational efficiency while maintaining flexibility across multiple providers.

In serverless computing, organizations rely heavily on CSPs to manage the infrastructure, runtime, and scaling. A key risk is thelevel of control and influence governments have over CSPs, potentially affecting availability, access, or confidentiality of hosted services due to legal orders or government actions. Concerns about virtualization technologies, scalability, or third-party monitoring are valid but less critical compared to the overarching legal and control risks tied to CSP reliance.

Step by Step Explanation:

Understanding the Scenario: The organization wants a strict application control policy: deny all software execution by default and only allow specifically authorized applications. This must be enforced across all operating systems. It is implied that they mean an Allow list, but Block List is the only reasonable answer.

Analyzing the Answer Choices:

A. SELinux (Security-Enhanced Linux): SELinux is a security module for the Linux kernel that provides Mandatory Access Control (MAC). While it can enforce application control, it's specific to Linux and doesn't meet the "regardless of OS" requirement.

Adversary emulation simulates specific advanced persistent threat (APT) behaviors and techniques to test an organization’s security posture. In SecurityX CAS-005, this is part of red-teaming and purple-teaming strategies for realistic resilience testing.

Reliability factors (B) relate to operational uptime, not threat simulation.

Honeypots (C) attract attackers but do not directly emulate specific adversaries.

Internal reconnaissance (D) is one phase of an attack simulation, not the full emulation of advanced threat actors.

ChaCha20-Poly1305is a cipher suite specifically designed for efficiency on systems with limited hardware resources. It offers high security with lower memory and CPU consumption compared to AES on certain platforms, especially mobile devices. TLS 1.3 supports ChaCha20-Poly1305 natively. CBC (Cipher Block Chaining) modes like IDEA-CBC and Camellia-CBC are less efficient and not recommended under TLS 1.3, and AES-GCM, while secure, can be less efficient than ChaCha20 on devices without AES hardware acceleration.

The organization is most concerned about Generative AI improving phishing and social engineering attacks. Tools like ChatGPT can generate highly convincing phishing emails, fake websites, and human-like interactions that bypass traditional detection methods. Employees who were trained to spot poor grammar or obvious scams may now struggle to detect AI-crafted exploits.

Option A relates to compliance but not AI-driven threats. Option B (overreliance on AI bots) is operational risk, not phishing. Option D (differential analysis) applies to AI privacy issues, not phishing.

CAS-005 emphasizes adapting training to emerging threats, including AI-enabled social engineering. This ensures users remain resilient against modern attacks, making C the correct answer.

Always-on VPN ensures that devices connect automatically to the corporate network whenever they are online, allowing seamless access to internal resources and enabling authentication against on-premises directory services (such as Active Directory). This supports centralized identity management, GPO enforcement, and compliance requirements.

Options B, C, and D involve local or peripheral resources, which are unaffected by VPN state.

The most likely explanation for the issues encountered with the captive portal is that the TLS ciphers supported by the captive portal are deprecated. Here’s why:

TLS Cipher Suites: Modern browsers are continuously updated to support the latest security standards and often drop support for deprecated and insecure cipher suites. If the captive portal uses outdated TLS ciphers, newer browsers may refuse to connect, causing security errors.

HSTS and Browser Security: Browsers with HTTP Strict Transport Security (HSTS) enabled will not allow connections to sites with weak security configurations. Deprecated TLS ciphers would cause these browsers to block the connection.

To meet the requirements of centrally managing configurations, pushing policies, remotely wiping devices, and maintaining an asset inventory, the best solution is to implement a Mobile Device Management (MDM) solution.

MDM Capabilities:

Central Management: MDM allows administrators to manage the configurations of all devices from a central console.

Policy Enforcement: MDM solutions enable the push of security policies and updates to ensure compliance across all managed devices.

Remote Wipe: In case a device is lost or stolen, MDM provides the capability to remotely wipe the device to protect sensitive data.

Asset Inventory: MDM maintains an up-to-date inventory of all managed devices, including their configurations and installed applications.

Other options do not provide the same comprehensive capabilities required for managing specialized endpoints.

The best way is to perform a Software Assurance Maturity Model (SAMM) assessment. SAMM provides a structured framework to evaluate current software security maturity across people, process, and technology. The assessment highlights gaps and generates a roadmap tailored to the organization’s development environment.

Option B (threat modeling) only applies to specific applications, not the entire SDLC process. Option C risks misalignment with technical practices by relying only on CISO goals. Option D (OWASP secure coding manual) is useful but provides guidelines, not a maturity-based roadmap.

CAS-005 stresses leveraging maturity models for structured, measurable improvements. SAMM directly addresses this by producing a customized, actionable roadmap for secure coding practices.

The best approach for managing and monitoring IoT devices, such as thermostats, is to operate them on a separate network with no access to other internal devices. This segmentation ensures that the IoT devices are isolated from the main network, reducing the risk of potential security breaches affecting other critical systems. Additionally, this setup allows for secure vendor updates without exposing the broader network to potential vulnerabilities inherent in IoT devices.

The log snippet indicates a DNS AXFR (zone transfer) request, which can be exploited by attackers to gather detailed information about an internal network's infrastructure. Disabling DNS zone transfers is the best solution to mitigate this risk. Zone transfers should generally be restricted to authorized secondary DNS servers and not be publicly accessible, as they can reveal sensitive network information that facilitates lateral movement during an attack.

Step-by-Step Explanation:

Option A: Deny list

Deny lists block specific applications or processes identified as malicious.

This approach is reactive and mayinadvertently block the non-standard applications that are currently in use without proper ownership.

Option B: Allow list

Allow lists permit only pre-approved applications to run.

While secure, this approach requires defining all non-standard applications, which may disrupt operations in an environment where ownership is unclear.

Option C: Audit mode

Correct Answer.

Audit mode allows monitoring and logging of applications without enforcing restrictions.

This is ideal in environments with non-standard applications and undefined ownership because it enables the engineer to observe the environment and gradually implement control without interruption.

Audit mode provides critical visibility into the software landscape, ensuring that necessary applications remain functional.

Option D: MAC list

Mandatory Access Control (MAC) lists restrict access based on classification and clearance levels.

This does not align with application control objectives in this context.

CompTIA CASP+ Study Guide - Chapters on Endpoint Security and Application Control.

CASP+ Objective 2.4: Implement appropriate security controls for enterprise endpoints.

The correct regulation is COPPA (Children’s Online Privacy Protection Act). COPPA is a U.S. law that requires organizations to obtain parental consent and implement specific protections before collecting personal data from children under the age of 13. Since the legal counsel is advising about age-related sign-up requirements, the concern clearly points to COPPA compliance.

GDPR (A) is a European regulation governing privacy and data protection but is broader and not specifically tied to children’s age verification, though it has related provisions. LGPD (B) is Brazil’s data protection law, similar in scope to GDPR. PCI DSS (C) is focused on protecting cardholder data in payment environments, unrelated to age-related concerns.

CAS-005 covers the importance of aligning software platforms with legal and regulatory frameworks. For gaming and online services, COPPA compliance is crucial to avoid fines and reputational harm, ensuring the platform properly handles children’s data.

Animmutable databasepreventsmodifications or deletions, ensuring resilience against ransomware while maintaining multiple copies of data.

To keep the mail server up to date with indicators of compromise (IoCs) and block known-malicious emails, the security architect needs mechanisms to ingest new threat intelligence and apply it dynamically. The best solutions are:

Threat Feed API (B): This provides automated updates from external or commercial threat intelligence providers. By integrating a threat feed, the mail server can regularly fetch IoCs such as malicious domains, IPs, or attachment hashes.

Webhooks (D): These allow real-time or near real-time updates when new IoCs are published. Instead of waiting for scheduled pulls, the mail server can receive push notifications with updated indicators, ensuring rapid response to evolving threats.

Other options are less effective. Log analyzers (A) assist with monitoring but don’t actively update or block threats. A scheduled task (C) may automate local operations but lacks the external intelligence integration required. Inbox deletion code (E) is reactive and inefficient. A security runbook (F) defines processes but does not technically enable automated updates.

Thus, the combination of Threat Feed APIs and Webhooks provides continuous, automated IoC ingestion, reducing exposure to malicious email campaigns.

To improve the quality of code scanning results and reduce false positives, the best solution is to limit the tool to a specific coding language and fine-tune the rule set. By configuring the code scanning tool to focus on the specific language used in the application, the tool can more accurately identify relevant issues and reduce the number of false positives. Additionally, tuning the rule set ensures that the tool's checks are appropriate for the application's context, further improving the accuracy ofthe scan results.

To reduce the number of failed patch deployments, the systems administrator should implement a robust change management process. Change management ensures that all modifications to systems or applications are planned, tested, and approved before deployment. This systematic approach reduces the risk of unplanned changes that can cause patch failures and ensures that patches are deployed in a controlled and predictable manner.

The best solution is Conditional Access (D). Conditional access policies enforce access requirements based on contextual signals such as device compliance, user identity, location, or risk profile. In this case, the administrator can configure conditional access to ensure that only managed, corporate-approved devices are allowed to access confidential data. If an employee attempts to use a personal laptop, the access request will be blocked or redirected to a secure process (e.g., virtual desktop).

Option A (OCSP stapling) relates to certificate revocation checking and does not control device access. Option B (CASB) provides cloud access visibility and control but is broader and less precise than enforcing direct device-level conditional policies. Option C (SOAR) orchestrates responses but is not primarily designed for access enforcement. Option E (package monitoring) detects software changes but does not prevent unauthorized device usage.

Conditional access is a core principle in Zero Trust and modern IAM, making it the best solution for ensuring that sensitive data can only be accessed from trusted devices.

Understanding the Security Event:

Unauthorized usersgained access from non-production to production.

IAM policies were weak, allowingbulk user creation.

Vulnerability assessments were disabled, andpatching was delayed.

Logs were unavailable, making incident response difficult.

Why Options A, D, and E areCorrect:

A (Disable bulk user creation by IAM team)→ Prevents unauthorized mass user account creation, which could beexploited by attackers.

D (Routine updates for endpoints & network devices)→ Patch management ensuresvulnerabilities are not left open for attackers.

E (Ensure all security/network devices send logs to SIEM)→ Helps withreal-time monitoring and detection of unauthorized activities.

Why Other Options Are Incorrect:

B (180-day log retention)→ While log retention is good,real-time monitoring is the priority.

C (Review application allow list daily)→ Reviewing itdaily is impractical. Regular audits are better.

F (Restrict production-to-non-production traffic)→ The issue isunauthorized access, not traffic routing.

The SIEM already contains multiple events that, if correlated, would have indicated an active attack sequence on VM001—such as denied connections, IPS alerts, malware detection, and then an allowed connection. CAS-005 Security Operations objectives emphasize log correlation as a way to enhance detection by linking related events across different time stamps and data sources into a single, higher-confidence alert.

Option A (adding EDR logs) could add visibility but does not address the need to connect existing events for earlier detection.

Option C (improving parsing) ensures readability but does not create actionable alerts.

Option D (creating a new malware detection rule) is redundant since malware detection already appeared in logs; the issue was the lack of correlation to act on it in time.

By correlating IDS, IPS, firewall, and malware detection logs, the SIEM can raise a higher-priority alert before the attack is completed.

Segmentationis the best option to ensure the security of legacy badge readers that cannot be upgraded. Segmentation isolates the legacy devices on a separate network segment to minimize their exposure to potential threats. This approach reduces the attack surface by preventing unauthorized access from other parts of the network while still allowing necessary connectivity to the enterprise resource planning (ERP) system.

Vulnerability scans (B)are useful for identifying weaknesses but do not actively protect the badge readers.

Anti-malware (C)is ineffective since the badge readers use a legacy platform that likely does not support modern endpoint protection solutions.

For bulk PKI enrollment:

MDM integration with directory services streamlines certificate request and deployment per device, leveraging existing authentication methods.

Simple Certificate Enrollment Protocol (SCEP) with one-time passwords allows automated, secure, large-scale certificate issuance without manual CSR handling.

clientAuth templates are used for device authentication, but selecting it alone is insufficient without automated enrollment mechanisms.

A single certificate for all devices violates PKI security principles and compromises individual device accountability.

Step-by-Step Explanation:

Privacy regulations (C), such as GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act), require companies to provide data subject access request (DSAR) handling processes. A DSAR allows individuals to request details about their personal data stored by a company and request modifications or deletions.

Information security standards (A) focus on overall security controls, while e-discovery requirements (B) relate to legal investigations rather than ongoing compliance.

Collecting a large pool of behavioral observations requires handling vast datasets, which is the domain ofBig Data. Big Data technologies enable the storage, processing, and analysis of large-scale data (e.g., user behavior logs) to inform decisions, a key capability in security analytics.

Option A:Linear regression is a statistical method for modeling relationships, not collecting data.

Option B:Distributed consensus relates to agreement in distributed systems (e.g., blockchain), not data collection.

Option C:Big Data directly supports collecting and analyzing large datasets for insights, fitting the question perfectly.

Option D:Machine learning uses data to train models but relies on data being collected first, often via Big Data.

Integrating IDS, firewall, and DLP to reduce response time requires orchestration and automation. Let’s evaluate:

A. SOAR(Security Orchestration, Automation, and Response):SOAR integrates security tools, automates workflows, and speeds up incident response. It’s the best fit for this scenario, as CAS-005 highlights SOAR for operational efficiency.

B. CWPP (CloudWorkload Protection Platform):Focused on securing cloud workloads, not integrating on-premises tools.

C. XCCDF (Extensible Configuration Checklist Description Format):A standard for compliance checklists, not a tool for integration or response.

A proxy-based Cloud Access Security Broker (CASB) is chosen primarily for its ability to block unapproved applications and services. Here’s why:

Application and Service Control: Proxy-based CASBs can monitor and control the use of applications and services by inspecting traffic as it passes through the proxy. This allows the organization to enforce policies that block unapproved applications and services, ensuring compliance with security policies.

Visibility and Monitoring: By routing traffic through the proxy, the CASB can provide detailed visibility into user activities and data flows, enabling better monitoring and threat detection.

Real-Time Protection: Proxy-based CASBs can provide real-time protection against threats by analyzing and controlling traffic before it reaches the end user, thus preventing the use of risky applications and services.

The best solution is to implement an interactive honeypot (A). Honeypots are decoy systems designed to attract and observe adversary behavior in real time. When security tools cannot categorize suspicious inbound traffic, a honeypot provides an isolated environment where the suspicious activity can be redirected and monitored without risking production systems. By deploying an interactive honeypot, analysts can study attacker tactics, techniques, and procedures (TTPs), extract Indicators of Compromise (IoCs), and improve defensive controls.

Option B (mapping to known IoCs) fails because the activity cannot be categorized, implying it is novel or not yet identified in threat intelligence feeds. Option C (monitoring the dark web) provides intelligence about potential threats but does not address real-time inbound suspicious activity. Option D (UEBA) focuses on analyzing user and entity behaviors but is less effective for categorizing inbound external traffic.

By using honeypots, organizations gain visibility into new, unknown, or advanced attack techniques, which helps improve detection capabilities, enrich threat intelligence, and strengthen incident response.

A risk register is atool commonly used in risk management to document all identified risks, their assessment in terms of likelihood and impact, and the actions steps to manage them. By adding the newly identified risks to the risk register and assigning an owner and severity, the organization ensures that each risk is visible to stakeholders and has a designated individual responsible for its management. This aligns with the company's requirements for transparency and accountability in risk management.​

In a Discretionary Access Control (DAC) model, the data owner or an assigned stakeholder has the authority to determine who can access resources. SecurityX CAS-005 IAM objectives describe DAC as user- or owner-controlled, where permissions can be granted or revoked at the owner’s discretion.

In this scenario, because permissions from the legacy system could not be migrated, multiple stakeholders were made responsible for assigning and managing access—matching the DAC model’s characteristics.

Option A relates to outsourcing, which does not define an access control model.

Option C is about authentication limitations, unrelated to the choice of DAC.

Option D describes backup responsibilities, which are operational tasks, not access control.

Step by Step Explanation:

Understanding the Scenario: Theorganization is using customer-managed encryption keys in the cloud, which is more expensive than using the cloud provider's free managed keys. The CISO needs to find a way to reduce costs without significantly weakening the security posture.

Analyzing the Answer Choices:

A. Utilize an on-premises HSM to locally manage keys: While on-premises HSMs offer strong security, they introduce additional costs and complexity (procurement, maintenance, etc.). This option is unlikely to reduce costs compared to cloud-based key management.

B. Adjust the configuration for cloud provider keys on data that is classified as public: This is the most practical and cost-effective approach. Data classified as public doesn't require the same level of protection as sensitive data. Using the cloud provider's free managed keys for public data can significantly reduce costs without compromising security, as the data is intended to be publicly accessible anyway.

Homomorphic encryptionallows computations to be performed directly on encrypted data without decrypting it first. This technology is particularly useful for securely transmitting confidential data to a cloud service provider (CSP) and allowing the CSP to process the data without having any visibility into its content. This maintains data confidentiality even during processing. It is not about securing data at rest and in transit or simply storing data across nodes.

To ensure that logs from a legacy platform are properly retained beyond the default retention period, configuring the SIEM to aggregate the logs is the best approach. SIEM solutions are designed to collect, aggregate, and store logs from various sources, providing centralized log management and retention. This setup ensures that logs are retained according to policy and can be easily accessed for analysis and compliance purposes.

To improve the vulnerability management process in an environment where new devices/IPs are added and dropped regularly, the company should perform regular discovery scanning throughout the IT landscape using the vulnerability management tool. Here’s why:

Accurate Asset Inventory: Regular discovery scans help maintain an up-to-date inventory of all assets, ensuring that the vulnerability management process includes all relevant devices and IPs.

Consistency in Reporting: By continuously discovering and scanning new and existing assets, the company can generate consistent and comprehensive vulnerability reports that reflect the current state of the network.

Proactive Management: Regular scans enable the organization to proactively identify and address vulnerabilities on new and existing assets, reducing the window of exposure to potential threats.

A computer screen shot of a diagram Description automatically generated

A screenshot of a computer error Description automatically generated

The security diagram proposed by the security architect depicts a Zero Trust security model. Zero Trust is asecurity framework that assumes all entities, both inside and outside the network, cannot be trusted and must be verified before gaining access to resources.

Key Characteristics of Zero Trust in the Diagram:

Role-based Access Control: Ensures that users have access only to the resources necessary for their role.

Mandatory Access Control: Additional layer of security requiring authentication for access to sensitive areas.

Network Access Control: Ensures that devices meet security standards before accessing the network.

Multi-factor Authentication (MFA): Enhances security by requiring multiple forms of verification.

This model aligns with the Zero Trust principles of never trusting and always verifying access requests, regardless of their origin.

The logs indicate unauthorized access from104.18.16.29, an external IP, to the building camera’s administrative console during off-hours.Restricting access only to approved IPsensures that only authorized personnel can remotely control the cameras, reducing the risk of unauthorized access and manipulation.

Implementing WAF protection (A)secures against web application attacks but does not restrict unauthorized administrative access.

Upgrading the firmware (B)is good security hygiene but does not immediately mitigate the active threat.

Blocking IP 104.18.16.29 (D)is a temporary measure, as an attacker can switch to another IP. A better long-term solution is whitelisting trusted IPs.

The user-agent string can providevaluable information to distinguish between legitimate and bot-related traffic. It contains details about the browser, device, and sometimes the operating system of the client making the request.

Why Use User-Agent String?

Identify Patterns: User-agent strings can help identify patterns that are typical of bots or legitimate users.

Block Malicious Bots: Many bots use known user-agent strings, and identifying these can help block malicious requests.

Anomalies Detection: Anomalous user-agent strings can indicate spoofing attempts or malicious activity.

Other options provide useful information but may not be as effective for initial determination of the nature of the request:

B. Byte length of the request: This can indicate anomalies but does not provide detailed information about the client.

C. Web application headers: While useful, they may not provide enough distinction between legitimate and bot traffic.

D. HTML encoding field: This is not typically used for identifying the nature of the request.

The error message reveals sensitive details (hostnames, database names, table names), constitutinginformation disclosure. This aids attackers in reconnaissance. Mitigation involves modifying the application to display generic error messages (e.g., “An error occurred”) instead of specifics.

Option A:Unsecure references suggest coding flaws, but this is a configuration/output issue, not input sanitization.

Option B:Unsecure protocols and HttpOnly cookies relate to session security, not error handling.

Option C:Correct—information disclosure is the issue; generic errors mitigate it.

Option D:No evidence of SQL injection (e.g., manipulated input); upgrading the database doesn’t address disclosure.

The key requirement is toinstantly eliminate data losson a lost device.

Cryptographic erasureworks by deleting encryption keys used for FDE (full disk encryption), rendering all data unrecoverable within seconds — satisfying the "mitigate within seconds" requirement.

Revoking certificates won’t wipe the data from a lost tablet.

Changing MFA credentials won’t help unless the device is secured, and app allow lists don’t apply post-loss.

FromCAS-005, Domain 3: Secure Systems Design and Deployment:

“Cryptographic erase (CE) renders data irrecoverable by deleting encryption keys used to protect data on the device.”

Step-by-Step Explanation:

Runtime Application Self-Protection (RASP) (A)monitors and protects applications in real time by detecting and blocking attacks as they occur. Unlike traditional security solutions, RASP is integrated into the application itself, meaning it works regardless of the programming language used. It effectively mitigates common vulnerabilities such as SQL injection, XSS, and buffer overflows.

Dynamic Application Security Testing (DAST) (C) is a passive scanning approach that may not prevent attacks in real-time, while Network Intrusion PreventionSystems (NIPS) (D) focuses on network traffic, not application-layer security.

After applying mitigations that reduce the likelihood of a risk’s impact, the next step is toassess the residual risk—the risk that remains after controls are implemented. This ensures the organization understands if the mitigation is sufficient or if further action is needed, aligning with risk management best practices.

Option A:Correct—residual risk assessment is the logical next step to evaluate the effectiveness of mitigations.

Option B:Updating the threat model might follow but isn’t immediate; residual risk comes first.

Option C:Moving to the next risk skips evaluating the current mitigation’s success.

Option D:Recalculating impact magnitude is part of residual risk assessment but isn’t the full process.

Understanding the Security Event:

HOST002 is the only device authorized for internet traffic. However, theSIEM logs show that VM002 is making network connections to web.corp.local.

This indicatesunauthorized access, which could bea sign of lateral movement or network infection.

This is ared flagfor potential malware, unauthorized software, or a compromised host.

Why Option D is Correct:

Unusual network traffic patternsare often an indicator of acompromised system.

VM002 should not be communicating externally, but it is.

This suggests a possiblebreach or malware infectionattempting to communicate with a command-and-control (C2) server.

Why Other Options Are Incorrect:

A (Misconfiguration):While a misconfiguration could explain the unauthorized connections, the pattern of activity suggests something more malicious.

B (Security incident on HOST002):The issue is not with HOST002. The suspicious activity isfrom VM002.

C (False positives):The repeated pattern of unauthorized connections makes false positivesunlikely.

Step-by-Step Explanation:

Both samples share similar function names, variable naming styles, and logic flow, indicating that they were likely written by the same developer. This is a keyobservation in malware attribution, as cyber threat analysts often look for unique coding styles to link malware to specific threat actors.

The presence of C2 (Command and Control) communication in both samples supports this theory, as attackers often reuse parts of their own malware code across different attacks.

The logs reviewed for the user indicate that access is being denied due to time-based access restrictions. These restrictions are commonly implemented to limit access to systems during specific hours to enhance security. If a user attempts to authenticate outside of the allowed time window, access will be denied. This measure helps prevent unauthorized access during non-business hours, reducing the risk of security incidents.

Step by Step Explanation:

Understanding the Scenario: The question focuses on the historical design assumptions behind older operational technology (OT)systems, particularly in the context of command, control, and telemetry.

Analyzing the Answer Choices:

A. operating in an isolated/disconnected system: This is the most accurate assumption for many legacy OT systems. Historically, these systems weredesigned to operate in air-gapped environments, completely isolated from external networks (including the internet).

The code snippet exposes a hardcoded access token in a public repository. According to SecurityX CAS-005 secure coding best practices, the immediate action must be to revoke the exposed secret to prevent unauthorized access.

Removing the code from public view without revoking the token leaves the secret still usable by any attacker who has already seen or copied it.

SAST scanning would detect the issue but not mitigate it immediately.

Security awareness training is a long-term prevention measure but does not fix the immediate exposure.Revoking the secret first stops ongoing exploitation, after which the code can be removed, and preventative measures can be implemented.

The error message"NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM" indicates that the web browser is rejecting the certificate because it uses a weak signature algorithm. This commonly happens with self-signed certificates, which often use outdated or insecure algorithms.

Why Discontinue Self-Signed Certificates?

Security Compliance: Modern browsers enforce strict security standards and may reject certificates that do not comply with these standards.

Trusted Certificates: Using certificates from a trusted Certificate Authority (CA) ensures compliance with security standards and is less likely to be flagged as insecure.

Weak Signature Algorithm: Self-signed certificates might use weak algorithms like MD5 or SHA-1, which are considered insecure.

Other options do not address the specific cause of the certificate error:

A. Rewriting legacy web functions: Does not address the certificate issue.

B. Disabling deprecated ciphers: Useful for improving security but not related to the certificate error.

C. Blocking non-essential ports: This is unrelated to the issue of certificate validation.

Homomorphic encryption allows computations to be performed on encrypted data without decrypting it, preserving confidentiality. However, its adoption faces significant challenges due to performance overhead. According to the CompTIA SecurityX CAS-005 study materials (Domain 3: Cybersecurity Technology, 3.3), homomorphic encryption requires substantial computational resources, which standard processors struggle to provide efficiently. Specialized hardware, such as coprocessors (e.g., GPUs or TPUs), is oftenneeded to handle the complex mathematical operations involved. The lack of widespread, optimized coprocessor support in existing infrastructure is a primary barrier to adoption.

Option A (Incomplete mathematical primitives):While early homomorphic encryption schemes had limitations, modern schemes (e.g., CKKS, BFV) have mature mathematical foundations, making this less of a challenge today.

Option B (No use cases):Use cases exist, such as secure cloud computing and privacy-preserving data analytics, so this is not accurate.

Option C (Quantum computers):Homomorphic encryption is not dependent on quantum computing, and quantum computers are unrelated to its current challenges.

Option D (Insufficient coprocessor support):This is the most accurate, as performance bottlenecks require specialized hardware that is not yet widely available or integrated.

Whencreating a threat model to identify vulnerabilities in an organization's infrastructure, prioritizing external-facing infrastructure with known exploited vulnerabilities is critical. Here’s why:

Exposure to Attack: External-facinginfrastructure is directly exposed to the internet, making it a primary target for attackers. Any vulnerabilities in this layer pose an immediate risk to the organization's security.

Known Exploited Vulnerabilities: Vulnerabilities that are already known and exploited in the wild are of higher concern because they are actively being used by attackers. Addressing these vulnerabilities reduces the risk of exploitation significantly.

Risk Mitigation: By prioritizing external-facing infrastructure with known exploited vulnerabilities, the organization can mitigate the most immediate and impactful threats, thereby improving overall security posture.

The goal is to optimize bandwidth, increase speed, and maintain threat visibility in a low-bandwidth satellite office.Local cachingstores frequently accessed data locally, reducing bandwidth usage by minimizing repeated requests to external or internal resources. It speeds up access and doesn’t inherently reduce security visibility if paired with monitoring tools.

Option A:Distributed connection allocation might balance traffic but doesn’t directly reduce bandwidth usage or speed up access.

Option B:Local caching is ideal—reduces bandwidth, improves performance, and maintains visibility with proper security controls.

Option C:A CDN is great for external content delivery but less relevant for internal resources and doesn’t inherently address threat visibility.

Option D:SD-WAN improves WAN performance, but "vertical heterogeneity" is vague and not a standard term; it’s less tailored to this scenario than caching.

To mitigate the issue of excessive permissions and privilege creep, the best solutions are:

Implementing a Role-Based Access Policy:

Role-Based Access Control (RBAC): This policy ensures that access permissions are granted based on the user's role within the organization, aligning with the principle of least privilege. Users are only granted access necessary for their role, reducing the risk of excessive permissions.

The immediate action after discovering ransomware is toisolate the affected serversto prevent further spread of the malware to other systems in the network. Paying the ransom is not recommended as it does not guarantee data recovery and encourages criminal behavior. Notifying law enforcement is necessary, but containment must happen first to limit damage. Requesting server restoration should only occur after containment and a thorough investigation to ensure no remnants of ransomware remain.

User behavior analytics (UBA)detectsanomalousactivityby analyzing historical patterns and comparing them to recent behavior. The time shift in account activity suggestspotential compromise or misuse.

TTP-based inquiries (A)focus on known attack tactics, techniques, and procedures but do not involve behavior tracking.

Adversary emulation (C)simulates attacks but does not analyze real data trends.

OSINT analysis (D)gathers intelligence from public sources, which is unrelated to internal account behavior analysis.

For a disaster recovery (DR) plan requiring immediate data availability, the first step is understanding what needs to be protected and recovered. Identifying critical business processes and their associated software and hardware requirements establishes the foundation for the DR plan. This ensures that backups and recovery mechanisms align with business priorities, meeting the "moment's notice" requirement.

Option A:A change management plan is important for system consistency but doesn’t directly address immediate data availability in a DR context.

Option B:Hiring staff supports execution but doesn’t define what needs to be recovered or how. It’s a later step.

Option C:A warm site (a partially operational backup site) is a good DR solution, but designing it comes after identifying critical processes and resources.

Option D:This is the first step in any DR planning process—knowing what’s critical ensures the plan meets availability goals efficiently.