CompTIA CAS-005 CompTIA SecurityX Certification Exam Exam Practice Test

Creating a separate network for users who need access tothe application is the best action to secure an internal application that is critical to the production area and cannot be updated.

Why Separate Network?

Network Segmentation: Isolates the critical application from the rest of the network, reducing the risk of compromise and limiting the potential impact of any security incidents.

Controlled Access: Ensures that only authorized users have access to the application, enhancing security and reducing the attack surface.

Minimized Risk: Segmentation helps in protecting the application from vulnerabilities that could be exploited from other parts of the network.

Other options, while beneficial, do not provide the same level of security for a critical application:

A. Disallow wireless access: Useful but does not provide comprehensive protection.

B. Deploy intrusion detection capabilities using a network tap: Enhances monitoring but does not provide the same level of isolation and control.

C. Create an acceptable use policy: Important for governance but does not provide technical security controls.

Segmentationis the best option to ensure the security of legacy badge readers that cannot be upgraded. Segmentation isolates the legacy devices on a separate network segment to minimize their exposure to potential threats. This approach reduces the attack surface by preventing unauthorized access from other parts of the network while still allowing necessary connectivity to the enterprise resource planning (ERP) system.

Vulnerability scans (B)are useful for identifying weaknesses but do not actively protect the badge readers.

Anti-malware (C)is ineffective since the badge readers use a legacy platform that likely does not support modern endpoint protection solutions.

To minimize downtime, testing should occur in a virtual lab, not production. The best approach is to test solutions methodically: implement one solution at a time, run an attack simulation, collect metrics, roll back, and repeat. This isolates each solution’s effectiveness, ensuring accurate metrics for decision-making without production impact.

Option A:Testing all solutions simultaneously muddies the results—metrics won’t show which solution worked.

Option B:Collecting metrics before the simulation misses the point of testing against the attack.

Option C:Correct—tests each solution independently with simulation and metrics, minimizing downtime via virtual lab use.

Option D:Like A, combining solutions obscures individual effectiveness.

Homomorphic encryptionallows computations to be performed directly on encrypted data without decrypting it first. This technology is particularly useful for securely transmitting confidential data to a cloud service provider (CSP) and allowing the CSP to process the data without having any visibility into its content. This maintains data confidentiality even during processing. It is not about securing data at rest and in transit or simply storing data across nodes.

OpenSSH vulnerabilityispublic facingand has acritical CVSS of 9.2.

Exploitable SSH services can lead to direct server compromise.

Although Apache has a higher score, it ' s internal.

FromCAS-005, Domain 3: Vulnerability Management:

“Prioritize external vulnerabilities with high CVSS and exposed attack surfaces.”

The most appropriate solution for the systems engineer to deploy is SELinux (Security-Enhanced Linux). Here ' s why:

Mandatory Access Control (MAC): SELinux enforces MAC policies, ensuring that only authorized users and processes can access specific resources. This helps in preventing unauthorized reading and modification of data and programs.

Access Vector Cache: SELinux utilizes an access vector cache (AVC) to improve performance. The AVC caches access decisions, reducing the need for repetitive policy lookups and thus improving system efficiency.

Security Mechanisms: SELinux provides a robust framework to enforce security policies and prevent bypassing of application security mechanisms. It controls access based on defined policies, ensuring that security measures are consistently applied.

Privilege Escalation and Process Interference: SELinux limits the ability of processes to escalate privileges and interfere with each other by enforcing strict access controls. This containment helps in isolating processes and minimizing the risk of privilege escalation attacks.

RACI matrix(Responsible, Accountable, Consulted, Informed) is used for role mapping across the project lifecycle.

CMDB is a configuration inventory; ITIL is a framework. Recall trees are for disaster recovery/business continuity.

FromCAS-005, Domain 1: Security Governance and Compliance:

“The RACI matrix is essential in role assignment and accountability for software development and operational processes.”

The best description of the cyber threat to a central bank implementing strict risk mitigations for the hardware supply chain, including an allow list for specific countries of origin, is the risk of physical implants and tampering. Here’s why:

Supply Chain Security: The supply chain is a critical vector for hardware tampering and physical implants, which can compromise the integrity and security of hardware components before they reach the organization.

Targeted Attacks: Banks and financial institutions are high-value targets, making them susceptible to sophisticated attacks, including those involving physical implants that can be introduced during manufacturing or shipping processes.

Strict Mitigations: Implementing an allow list for specific countries aims to mitigate the risk of supply chain attacks by limiting the sources of hardware. However, the primary concern remains the introduction of malicious components through tampering.

The Subject Alternative Name (SAN) field in an X.509 certificate specifies additional hostnames, FQDNs, or IP addresses that the certificate will secure. To allow mutual TLS authentication for multiple hostnames and an IP address, these identities must be included in the SAN field.

Organizational Unit (B) is an informational attribute, not related to TLS authentication.

Extended Key Usage (C) defines purpose (e.g., serverAuth, clientAuth) but not hostnames.

“Certificate extension” (D) is a generic term; SAN is the specific required extension.

The scenario describes a prolonged, stealthy operation where files were exfiltrated over three months via secure channels (TLS-protected HTTP) from unexpected systems, then ceased. This aligns with anAdvanced Persistent Threat (APT), characterized by long-term, targeted attacks aimed at data theft or surveillance, often using sophisticated methods to remain undetected.

Option A:Decrypting RSA with weak encryption implies a cryptographic attack, but TLS suggests modern encryption was used, and there’s no evidence of decryption here.

Option B:A zero-day attack exploits unknown vulnerabilities, but the duration and cessation suggest a planned operation, not a single exploit.

Option C:APT fits perfectly—slow, persistent exfiltration fromunusual systems indicates a coordinated, stealthy threat actor.

Option D:An on-path (man-in-the-middle) attack intercepts traffic, but there’s no indication of interception; the focus is on unauthorized transfers.

To support email authenticity and enable analysis by a third-party platform, the protocols must verify the sender’s identity and provide metadata for inspection. According to the CompTIA SecurityX CAS-005 study guide (Domain 3: Cybersecurity Technology, 3.2):

DMARC (Domain-based Message Authentication, Reporting, and Conformance):DMARC builds on SPF and DKIM to enforce policies for email authenticity and provides reporting mechanisms to share authentication results with third parties for analysis.

DKIM (DomainKeys Identified Mail):DKIM adds a cryptographic signature to emails, allowing recipients to verify the sender’s domain and ensure the email’s integrity.

These two protocols are essential for authenticity and reporting.

Option C (TLS):TLS ensures encryption during transmission but does not address authenticity or reporting.

Option D (SPF):SPF verifies sender IP addresses but lacks reporting capabilities without DMARC.

Option E (DNSSEC):DNSSEC secures DNS queries but is not specific to email authenticity.

Option F (MX):MX records define mail servers, not authenticity or reporting.

Microsegmentation is a critical strategy within Zero Trust architecture that enhances context-aware access systems by dividing the network into smaller, isolated segments. This reduces the attack surface and limits lateral movement of attackers within the network. It ensures that even if one segment is compromised, the attacker cannot easily access other segments. This granular approach to network security is essential for enforcing strict access controls and monitoring within Zero Trust environments.

The code snippet exposes a hardcoded access token in a public repository. According to SecurityX CAS-005 secure coding best practices, the immediate action must be to revoke the exposed secret to prevent unauthorized access.

Removing the code from public view without revoking the token leaves the secret still usable by any attacker who has already seen or copied it.

SAST scanning would detect the issue but not mitigate it immediately.

Security awareness training is a long-term prevention measure but does not fix the immediate exposure.Revoking the secret first stops ongoing exploitation, after which the code can be removed, and preventative measures can be implemented.

The key requirement is toinstantly eliminate data losson a lost device.

Cryptographic erasureworks by deleting encryption keys used for FDE (full disk encryption), rendering all data unrecoverable within seconds — satisfying the " mitigate within seconds " requirement.

Revoking certificates won’t wipe the data from a lost tablet.

Changing MFA credentials won’t help unless the device is secured, and app allow lists don’t apply post-loss.

FromCAS-005, Domain 3: Secure Systems Design and Deployment:

“Cryptographic erase (CE) renders data irrecoverable by deleting encryption keys used to protect data on the device.”

The requirements demand detailed asset tracking and inventory management. Let’s analyze:

A. SBoM (Software Bill of Materials):Tracks software components, not hardware or network topology.

B. CASB (Cloud Access Security Broker):Secures cloud apps but doesn’t map physical switches or OS counts.

C. GRC(Governance, Risk, and Compliance):Focuses on risk management, not detailed asset tracking.

The sshd_config file is the main configuration file for the OpenSSH server. To disable weak CBC (Cipher Block Chaining) ciphers for SSH connections, the security engineer should modify the sshd_config file to update the list of allowed ciphers. This file typically contains settings for the SSH daemon, including which encryption algorithms are allowed.

By editing the /etc/ssh/sshd_config file and updating the Ciphers directive, weak ciphers can be removed, and only strong ciphers can be allowed. This change ensures that the SSH server does not use insecure encryption methods.

Encrypting patient data at rest is a critical requirement for healthcare providers to ensure compliance with regulations such as the Health Insurance Portability and Accountability Act (HIPAA). The primary business requirement fulfilled by this practice is the protection of patient privacy while supporting the portability of medical information. By encrypting data at rest, healthcare providers safeguard sensitive patient information from unauthorized access, ensuring that privacy is maintained even if the storage media are compromised. Additionally, encryption supports the portability of patient records, allowing for secure transfer and access across different systems and locations while ensuring that privacy controls are in place.

Implementing security and quality checks in a CI/CD pipeline ensures that:

Container images are scanned for vulnerabilities beforedeployment.

Version control is enforced, preventing unauthorized changes.

Hashes validate image integrity.

Other options:

A (Configuring ACLs on mesh networks) improves access control but does not ensure scanning.

C (Audits on container images) detect changes but do not enforce best practices.

D (Pulling from a vendor repository) does not ensure vulnerability scanning.

The best location to test a newly released feature for an internal application, without affecting the production environment, is the staging environment. Here’s a detailed explanation:

Staging Environment: This environment closely mirrors the production environment in terms of hardware, software, configurations, and settings. It serves as a final testing ground before deploying changes to production. Testing in the staging environment ensures that the new feature will behave as expected in the actual production setup.

Isolation fromProduction: The staging environment is isolated from production, which means any issues arising from the new feature will not impact the live users or the integrity of the production data. This aligns with best practices in change management and risk mitigation.

Realistic Testing: Since the staging environment replicates the production environment, it provides realistic testing conditions. This helps in identifying potential issues that might not be apparent in a development or testing environment, which often have different configurations and workloads.

Implementing a Single Sign-On (SSO) solution and integrating it with applications is the best way to manage the situation and decrease risks. Here’s why:

Reduced Password Fatigue: SSO allows users tolog in once and gain access to multiple applications and systems without needing to remember and manage multiple passwords. This reduces the likelihood of users writing down passwords.

Improved Security: By reducing the number of passwords users need to manage, SSO decreases the attack surface and potential for password-related security breaches. It also allows for the implementation of stronger authentication methods.

User Convenience: SSO improves the user experience by simplifying the login process, which can lead to higher productivity and satisfaction.

To mitigate the issue of excessive permissions and privilege creep, the best solutions are:

Implementing a Role-Based Access Policy:

Role-Based Access Control (RBAC): This policy ensures that access permissions are granted based on the user ' s role within the organization, aligning with the principle of least privilege. Users are only granted access necessary for their role, reducing the risk of excessive permissions.

To improve the quality of code scanning results and reduce false positives, the best solution is to limit the tool to a specific coding language and fine-tune the rule set. By configuring the code scanning tool to focus on the specific language used in the application, the tool can more accurately identify relevant issues and reduce the number of false positives. Additionally, tuning the rule set ensures that the tool ' s checks are appropriate for the application ' s context, further improving the accuracy ofthe scan results.

Qualitative risk assessment is used when quantitative data (monetary loss, exact downtime cost, RTO) is unavailable or unreliable. The SecurityX CAS-005 GRC objectives note that qualitative methods rely on expert judgment, likelihood scales, and impact ratings rather than financial calculations. In this case, insufficient metrics rule out quantitative analysis.

Option A (work experience) is irrelevant to the choice of assessment type.

Option C (risk register) supports tracking, not selecting the assessment method.

Option D describes a quantitative goal, which is not possible with the given lack of metrics.

To protect company information on stolen mobile devices, implementingremote wipe proceduresensures data can be erased if a device is suspected lost or stolen.Biometric access controlwith enforced timeouts further secures the device, requiring biometric authentication periodically, thus limiting unauthorized access even if the device is stolen. Geofencing and certificates provide additional security layers but are less immediate protections against information exposure after theft. Application control and side-loading prevention are important for malware threats but less so for stolen device scenarios.

To meet the requirements of centrally managing configurations, pushing policies, remotely wiping devices, and maintaining an asset inventory, the best solution is to implement a Mobile Device Management (MDM) solution.

MDM Capabilities:

Central Management: MDM allows administrators to manage the configurations of all devices from a central console.

Policy Enforcement: MDM solutions enable the push of security policies and updates to ensure compliance across all managed devices.

Remote Wipe: In case a device is lost or stolen, MDM provides the capability to remotely wipe the device to protect sensitive data.

Asset Inventory: MDM maintains an up-to-date inventory of all managed devices, including their configurations and installed applications.

Other options do not provide the same comprehensive capabilities required for managing specialized endpoints.

The security engineer should modify the following to fix the email migration issues:

Email CNAME Record: The email CNAME record must be changed to a type A record pointing to 192.168.1.10. This is because CNAME records should not be used where an IP address (A record) is required. Changing it to an A record ensures direct pointing to the correct IP.

TXT Record for DMARC: The TXT record must be changed to " v=dmarc ip4:192.168.1.10 include

com -all " . This ensures proper configuration of DMARC (Domain-based Message Authentication, Reporting & Conformance) to include the correct IP address and the email service provider domain.

DMARC: Ensuring the DMARC record is correctly set up helps in preventing email spoofing and phishing, aligning with email security best practices.

The most likely cause of the anti-malware alerts on customer workstations is unsecure bundled libraries. When developing and deploying new applications, it is common for developers to use third-party libraries. If these libraries are not properly vetted for security, they can introduce vulnerabilities or malicious code.

Why Unsecure Bundled Libraries?

Third-Party Risks: Using libraries that are not secure can lead to malware infections if the libraries contain malicious code or vulnerabilities.

Code Dependencies: Libraries may have dependencies that are not secure, leading to potential security risks.

Common Issue: This is a frequent issue in software development where libraries are used for convenience but not properly vetted for security.

Other options, while relevant, are less likely to cause widespread anti-malware alerts:

A. Misconfigured code commit: Could lead to issues but less likely to trigger anti-malware alerts.

C. Invalid code signing certificate: Would lead to trust issues but not typically anti-malware alerts.

D. Data leakage: Relevant for privacy concerns but not directly related to anti-malware alerts.

Tokenization replaces sensitive data elements with non-sensitive equivalents, called tokens, that can be used within the internal tests. The original data is stored securely and can be retrieved if necessary. This approach allows the software development team to work with data that appears realistic and valid without exposing the actual sensitive information.

Configuring data hashing (Option A) is not suitable for test data as ittransforms the data into a fixed-length value that is not usable in the same way as the original data. Replacing data with null records (Option C) is not useful as it does not provide valid data for testing. Data obfuscation (Option D) could be an alternative but might not meet the regulatory requirements as effectively as tokenization.

Sinkholing, or DNS sinkholing, is a method used to redirect malicious traffic to a safe destination. This technique is often employed by security teams to prevent access to malicious domains by substituting a benign destination IP address.

In the given logs, users from the finance department are accessing www.bank.com and receiving HTTP status code 495. This status code is typically indicative of a client certificate error, which can occur if the DNS traffic is being manipulated or redirected incorrectly. The consistency in receiving the same HTTP status code across different users suggests a systematic issue rather than an isolated incident.

Recursive DNS resolution failure (A) would generally lead to inability to resolve DNS at all, not to a specific HTTP error.

DNS poisoning (B) could result in usersbeing directed to malicious sites, but again, would likely result in a different set of errors or unusual activity.

Incorrect DNS setup (D) would likely cause broader resolution issues rather than targeted errors like the one seen here.

By reviewing the provided data, it is evident that the DNS traffic for www.bank.com is being rerouted improperly, resulting in consistent HTTP 495 errors for the finance department users. Hence, the most likely cause is that the DNS traffic is being sinkholed.

Step-by-Step Explanation:

Option A: Deny list

Deny lists block specific applications or processes identified as malicious.

This approach is reactive and mayinadvertently block the non-standard applications that are currently in use without proper ownership.

Option B: Allow list

Allow lists permit only pre-approved applications to run.

While secure, this approach requires defining all non-standard applications, which may disrupt operations in an environment where ownership is unclear.

Option C: Audit mode

Correct Answer.

Audit mode allows monitoring and logging of applications without enforcing restrictions.

This is ideal in environments with non-standard applications and undefined ownership because it enables the engineer to observe the environment and gradually implement control without interruption.

Audit mode provides critical visibility into the software landscape, ensuring that necessary applications remain functional.

Option D: MAC list

Mandatory Access Control (MAC) lists restrict access based on classification and clearance levels.

This does not align with application control objectives in this context.

CompTIA CASP+ Study Guide - Chapters on Endpoint Security and Application Control.

CASP+ Objective 2.4: Implement appropriate security controls for enterprise endpoints.

The best answer is B. Privilege escalation . The most critical issue is the JWT header value " alg " : " None " , which indicates an unsigned token. If a workload accepts such a token, an attacker may be able to alter claims such as subject, role, scope, or account identity and then present the modified token as valid. Because the sample already references a service account in the token claims, the most concerning IAM consequence is unauthorized elevation of access through token forgery or manipulation. CompTIA’s SecurityX objectives include IAM and secure implementation of authentication and authorization controls; a broken token-validation scheme directly undermines authorization integrity.

Why the other options are not best:

A. Lateral movement could be a downstream result, but the immediate and primary risk in the token itself is unauthorized privilege gain. C. Credential stuffing involves reuse of stolen usernames and passwords, which is unrelated to this JWT issue. D. RCE from deserialization is a different application vulnerability class and is not the main concern shown by the JWT header and claims. The most direct risk here is privilege escalation via forged or altered tokens.

The most cost-effective and secure solution is to configure VPN concentrators inside the OT networks at both sites (Option D). This setup allows encrypted communications between Site A and Site B, enabling controllers at either site to serve as secondary or failover devices for the other. By leveraging VPN tunnels, the organization avoids the expensive and time-consuming process of laying new fiber infrastructure, while still ensuring secure, authenticated, and encrypted connections across sites.

Option A, direct fiber connectivity, provides high performance but is extremely costly and less flexible than VPN solutions. Option B, deploying redundant SCADA controllers at each site, increases hardware, licensing, and management costs while still requiring interconnectivity. Option C, air-gapping the OT network, may improve isolation but would prevent remote failover capabilities, contradicting the requirement for cross-site control.

By implementing VPN concentrators, the organization achieves secure cross-site redundancy, supports operational continuity in case of controller outages, and does so in a cost-effective manner aligned with common OT security practices.

The table shows that the user " SALES1 " is consistently blocked despite having met the MFA requirements. The common factor in these blocked attempts is the source IP address (8.11.4.16) being identified as from Germany while the user is assigned to France. This discrepancy suggests that the network geolocation is being misidentified by the authentication server, causing legitimate access attempts to be blocked.

Why Network Geolocation Misidentification?

Geolocation Accuracy: Authentication systems often use IP geolocation to verify the location of access attempts. Incorrect geolocation data can lead to legitimate requests being denied if they appear to come from unexpected locations.

Security Policies: Company security policies might block access attempts from certain locations to prevent unauthorized access. If the geolocation is wrong, legitimate users can be inadvertently blocked.

Consistent Pattern: The user " SALES1 " from the IP address 8.11.4.16 is always blocked, indicating a consistent issue with geolocation.

Other options do not align with the pattern observed:

A. Bypass MFA requirements: MFA is satisfied, so bypassing MFA is not the issue.

C. Administrator access policy: This is about user access, not specific administrator access.

D. OTP codes: The user has satisfied MFA, so OTP code configuration is not the issue.

Context-based authentication enhances traditional security methods by incorporating additional layers of information about the user ' s current environment and behavior. This can include factors such as the user ' s location, the time of access, the device used, and the behavior patterns. It is particularly useful in preventing unauthorized access even if an attacker has obtained a valid password.

Rule-based (A) focuses on predefined rules and is less flexible in adapting to dynamic threats.

Time-based (B) authentication considers the time factor but doesn ' t provide comprehensive protection against stolen credentials.

Role-based (C) is more about access control based on the user ' s role within the organization rather than authenticating the user based on current context.

By implementing context-based authentication, the company can ensure that even if a password is compromised, the additional contextual factors required for access (which an attacker is unlikely to possess) provide a robust defense mechanism.

Preparing communication templates that have been vetted by both internal and external counsel ensures that the organization can respond quickly and effectively to internal and external inquiries, comply with regulatory requirements, and provide transparency in the event of a breach.

Why Communication Templates?

Timely Response: Pre-prepared templates ensure that responses are ready to be deployed quickly, reducing response time.

Regulatory Compliance: Templates vetted by counsel ensure that all communications meet legal and regulatory requirements.

Consistent Messaging: Ensures that all responses are consistent, clear, and accurate, maintaining the organization’s credibility.

Crisis Management: Pre-prepared templates are a critical component of a broader crisis management plan, ensuring that all stakeholders are informed appropriately.

Other options, while useful, do not provide the same level of preparedness and compliance:

A. Outsourcing to an external consultant: This may delay response times and lose internal control over the communication.

B. Integrating automated response mechanisms: Useful for efficiency but not for ensuring compliant and vetted responses.

D. Conducting lessons-learned activities: Important for improving processes but does not provide immediate preparedness for communication.

The CIO needs to clarify the organization’s risk appetite, which defines the level of residual risk the business is willing to accept after all mitigation measures are applied. Risk appetite reflects the balance between operational requirements, security controls, and cost constraints. In business continuity planning, risk appetite helps decision-makers determine which risks must be reduced through additional investments (e.g., redundant systems, faster recovery strategies) and which risks are tolerable based on business priorities.

Mitigation (A) refers to the strategies used to reduce risk but not the threshold of acceptable residual risk. Impact (B) and Likelihood (C) are components of risk assessment—measuring severity and probability—but they do not define acceptance criteria. Risk appetite is the guiding principle that aligns technical controls with executive tolerance for disruption or loss.

By clarifying appetite, the CIO provides the compliance team and IT leadership with a framework for designing remediation activities that ensure continuity of critical internal processes while aligning with the organization’s strategic objectives and regulatory requirements.

SecurityX CAS-005 endpoint security and network control objectives emphasize least privilege network access.

Creating a firewall rule to allow outbound traffic only via a proxy (A) ensures centralized inspection and control.

Configuring the proxy to allow only the required FQDNs for EDR management communication (C) limits exposure to necessary destinations.Options D and E allow broader access than necessary, and B would block required communications entirely. F relies on blocklists instead of allowlists, which is less secure for high-assurance environments.

The best answer is C. Privacy regulations . A data subject access request process exists to support an individual’s right to access their personal data. Regulators and official privacy guidance define this as a core privacy right. The UK ICO explains that the “right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data” , and Article 15 GDPR establishes the same right in law. Because the security officer is asking a third party to prove it can handle these requests, the officer is clearly validating compliance with privacy law and related data protection obligations.

This also aligns with CompTIA SecurityX’s GRC focus on compliance requirements, program documentation, and data governance. A third party that processes personal data for the enterprise must be able to respond appropriately to access requests from data subjects, so confirming that process is a due diligence activity tied to regulatory privacy compliance rather than e-discovery, certification, or generic reporting frameworks.

Why the other options are incorrect:

A. Information security standards may require good practices, but DSAR handling is specifically about privacy rights. B. E-discovery requirements relate to legal discovery and litigation processes, not an individual’s privacy access rights. D. Certification requirements and E. Reporting frameworks are not the primary reason an organization must support subject access requests. The clearest and most accurate answer is privacy regulations.

Step by Step Explanation:

Understanding the Scenario: The question focuses on the historical design assumptions behind older operational technology (OT)systems, particularly in the context of command, control, and telemetry.

Analyzing the Answer Choices:

A. operating in an isolated/disconnected system: This is the most accurate assumption for many legacy OT systems. Historically, these systems weredesigned to operate in air-gapped environments, completely isolated from external networks (including the internet).

The best way is to perform a Software Assurance Maturity Model (SAMM) assessment. SAMM provides a structured framework to evaluate current software security maturity across people, process, and technology. The assessment highlights gaps and generates a roadmap tailored to the organization’s development environment.

Option B (threat modeling) only applies to specific applications, not the entire SDLC process. Option C risks misalignment with technical practices by relying only on CISO goals. Option D (OWASP secure coding manual) is useful but provides guidelines, not a maturity-based roadmap.

CAS-005 stresses leveraging maturity models for structured, measurable improvements. SAMM directly addresses this by producing a customized, actionable roadmap for secure coding practices.

A. Implementing allow lists: Allow lists (whitelisting) restrict network communication to only authorized devices and applications, significantly reducing the attack surface by ensuring that only pre-approved traffic is permitted.

F. Implementing a site-to-site IPSec VPN: A site-to-site VPN provides a secure, encrypted tunnel for data transmission between the OT systems and the vendor, protecting the data from interception and tampering during transit.

Other options:

B. Monitoring network behavior: While useful for detecting anomalies, it does not proactively reduce the risk of compromise or sabotage.

C. Encrypting data at rest: Important for protecting data stored on devices, but does not address network communication risks.

D. Performing boot integrity checks: Ensures the integrity of the system at startup but does not protect ongoing network communications.

E. Executing daily health checks: Useful for maintaining system health but does not directly reduce the risk of network-based compromise or sabotage.

Step-by-Step Explanation:

Both samples share similar function names, variable naming styles, and logic flow, indicating that they were likely written by the same developer. This is a keyobservation in malware attribution, as cyber threat analysts often look for unique coding styles to link malware to specific threat actors.

The presence of C2 (Command and Control) communication in both samples supports this theory, as attackers often reuse parts of their own malware code across different attacks.

This scenario clearly describes asupply chain attack, where the compromise occurs at the vendor or manufacturing stage before the product reaches the customer. The attack impacts many downstream organizations and sectors. SDLC attacks are focused on software development life cycles, side-loading involves unauthorized app installations, and remote code signing focuses on authenticating remote software, none of which fully encapsulate the situation described.

The malware uses TCP 4444 to move laterally between systems. A host-based firewall can block unauthorized communication ports (like TCP 4444) on each workstation, preventing malware from establishing connections and spreading. Configuring the CPU ' s NX bit and enabling ASLR primarily help in mitigating memory-based exploits, not in stopping lateral movement. Enabling UEFI ensures boot integrity but does not mitigate active lateral communication. An edge firewall would protect the network perimeter, not internal workstation-to-workstation communication.

The first action is to implement continuous and context-based authentication and authorization (A). Traditional authentication validates users only at login, which creates gaps during active sessions. Continuous authentication ensures validation throughout the data access workflow, incorporating contextual factors like device state, geolocation, and behavioral analysis. This directly aligns with audit findings requiring protection by role, identity validation, and action tracking.

Option B improves onboarding and monitoring but does not enforce continuous access control. Option C improves identity federation but does not provide session-by-session validation. Option D secures APIs but is too narrow for organization-wide identity workflows.

CAS-005 stresses Zero Trust and context-aware IAM, making continuous authentication and authorization the top priority.

The security diagram proposed by the security architect depicts a Zero Trust security model. Zero Trust is asecurity framework that assumes all entities, both inside and outside the network, cannot be trusted and must be verified before gaining access to resources.

Key Characteristics of Zero Trust in the Diagram:

Role-based Access Control: Ensures that users have access only to the resources necessary for their role.

Mandatory Access Control: Additional layer of security requiring authentication for access to sensitive areas.

Network Access Control: Ensures that devices meet security standards before accessing the network.

Multi-factor Authentication (MFA): Enhances security by requiring multiple forms of verification.

This model aligns with the Zero Trust principles of never trusting and always verifying access requests, regardless of their origin.

The best solution is to use Self-Encrypting Drives (SEDs). SEDs automatically encrypt all data stored on the disk and can be rapidly sanitized or obfuscated by deleting or altering the encryption keys. This provides immediate and secure protection if customs agents demand device access, as the sensitive data inside containers becomes unreadable without the decryption key.

Option B (eFuse) and C (UEFI) are hardware mechanisms unrelated to dynamic data protection. Option D (vTPM) provides virtualized key storage but does not obfuscate data quickly under inspection conditions. Option E (MicroSD HSM) is useful for key storage but does not protect all data at scale.

CAS-005 highlights hardware-based encryption solutions like SEDs for protecting sensitive data during travel, ensuring both regulatory compliance and rapid response capabilities under hostile conditions.

Unauthorized code changesand lack ofindependent verificationare directly mitigated bycode signing, which ensures that code is from a trusted source and has not been altered.

While digital signatures are part of code signing, the broader practice of code signing encompasses signature management, version integrity, and trusted sources.

Lightweight cryptography is irrelevant in this context; it ' s more about efficiency in constrained devices.

Non-repudiation is a benefit of digital signatures but doesn ' t directly solve the verification/integrity concerns alone.

FromCAS-005 Guide, Domain 4: Security Architecture, Tools, and Technologies:

“Code signing ensures that the code has not been tampered with and originates from a trusted developer.”

The “cipher unavailable” message indicates that the client and server could not agree on a common cipher suite. After the OpenSSL update, the server likely dropped support for older, insecure ciphers (such as RC4 or 3DES) that legacy clients still use. The safest remediation is to update or configure the client applications to support modern, secure ciphers such as AES in Galois/Counter Mode (AES-GCM) or an equivalent strong cipher suite that is supported by the updated OpenSSL server.

Option A (SSL 3.0) is unsafe because SSL 3.0 is deprecated and vulnerable to multiple attacks (e.g., POODLE).

Option C (ECB mode) is insecure due to pattern leakage and should never be enforced.

Option D (ECC signatures) relates to key exchange and signatures, not to the “cipher unavailable” issue directly.

This approach aligns with SecurityX CAS-005 cryptographic interoperability guidance—modernize clients rather than reintroduce insecure protocols.

The best way for a SOC to rapidly identify whether deployed applications contain specific libraries is through the use of a Software Bill of Materials (SBOM). An SBOM is a formal, machine-readable inventory of all components, including third-party and open-source libraries, used in a software product. When a new vulnerability is disclosed (such as Log4Shell in Log4j), organizations with a comprehensive SBOM can immediately search across their application landscape to determine which systems are impacted.

Other options are less effective. Maintaining SAST/DAST reports (A) only provides snapshots of vulnerabilities at the time of scanning, but does not dynamically track components across all software in production. Vendor attestations (B) improve supply chain governance but do not provide immediate visibility into internal or custom software. A GRC tool (D) helps track vendors and policies but does not show technical dependencies inside applications.

Requiring suppliers and internal developers to provide and maintain SBOMs ensures continuous visibility into dependencies. This allows the SOC to quickly query and respond to emerging vulnerabilities, reducing risk exposure and accelerating remediation timelines.

Configuring a span port on the perimeter firewall to ingest logs is the best architectural change to ensure that all client proxy traffic is captured for analysis. Here’s why:

Comprehensive Traffic Capture: A span port (or mirror port) on the perimeter firewall can capture all inbound and outbound traffic, including traffic that might bypass the proxy. This ensures that all network traffic is available for analysis.

Centralized Logging: By capturing logs at the perimeter firewall, the organization can centralize logging and analysis, making it easier to detect and investigate anomalies.

Minimal Disruption: Implementing a span port is a non-intrusive method that does not require significant changes to the network architecture, thus minimizing disruption to existing services.

The correct snippet is Option A, which shows an Ansible YAML playbook designed to deploy and maintain security software on Linux servers. Ansible is a configuration management tool widely used in enterprise environments, and the ansible.builtin.apt module specifically manages package installation on Debian/Ubuntu-based Linux distributions. This ensures consistent security software deployment across multiple servers.

Option B is XML-based and does not represent a valid configuration management script. Option C incorrectly uses JSON format and references Microsoft’s store (com.microsoft.store.latest), which is irrelevant for Linux. Option D also uses JSON syntax with “AppX,” which applies to Windows applications, not Linux.

CAS-005 emphasizes infrastructure as code (IaC) and automation as best practices for secure system configuration. YAML-based playbooks in Ansible provide repeatability, auditability, and scalability, making Option A the most secure and appropriate solution.

To meet the requirements of only allowing internally signed applications, preventing unauthorized software installations, and logging attempts to run unauthorized software, configuring application control with blocked hashes and enterprise-trusted root certificates is the best solution. This approach ensures that only applications signed by trusted certificates are allowed to execute, while all other attempts are blocked and logged. It effectively prevents unauthorized software installations by restrictingexecution to pre-approved applications.

Geofencingallows the device to be restricted based on its physical location — disabling or locking devices when they move outside of trusted zones.Full disk encryptionensures that if a device is lost, the data remains inaccessible to unauthorized users. Containerization protects specific apps or data, but does not disable the entire device. Patch management, allow/blocklists, and geotagging serve other important functions but are not directly linked to the requirements in this scenario.

Implementing digital signatures ensures the integrity and authenticity of software binaries. When a binary is digitally signed, any tampering with the file (e.g., replacing it with amalicious version) would invalidate the signature. This allows systems to verify the origin and integrity of binaries before execution, preventing the execution of unauthorized or compromised binaries.

A. Improving patching processes: While important, this does not directly address the issue of verifying the integrity of binaries.

B. Implementing digital signatures: This ensures that only valid, untampered binaries are executed, preventing attackers from substituting legitimate binaries with malicious ones.

C. Performing manual updates via USB ports: This is not practical and does not scale well, especially in large environments.

D. Allowing only files from internal sources: This reduces the risk but does not provide a mechanism to verify the integrity of binaries.

To meet the requirements of having allendpoints establish telemetry with a SIEM, integrate into an XDR platform, and allow SOC services to monitor the XDR platform, the best approach is to implement Host Intrusion Prevention Systems (HIPS) and a host-based firewall. HIPS can provide detailed telemetry data to the SIEM and can be integrated into the XDR platform for comprehensive monitoring and response. The host-based firewall ensures that only authorized traffic is allowed, providing an additional layer of security.

The ATT & CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is the best tool for a security analyst to use for threat modeling when looking for gaps in detection capabilities based on Advanced Persistent Threats (APTs) that may target the industry. Here’s why:

Comprehensive Framework: ATT & CK provides a detailed and structured repository of known adversary tactics and techniques based on real-world observations. It helps organizations understand how attackers operate and what techniques they might use.

Gap Analysis: By mapping existing security controls against the ATT & CK matrix, analysts can identify which tactics and techniques are not adequately covered by current detection and mitigation measures.

Industry Relevance: The ATT & CK framework is continuously updated with the latest threat intelligence, making it highly relevant for industries facing APT threats. It provides insights into specific APT groups and their preferred methods of attack.

The question states that security scanning and quality assurance (QA) in the CI/CD pipeline have been completed with no issues, indicating that the code in the test branch is ready for production. According to the CompTIA SecurityX CAS-005 study guide (Domain 2: Security Operations, 2.3), in a secure CI/CD pipeline, once code passes automated security scans, QA, and other checks (e.g., unit testing, peer reviews), the next step is to merge the tested branch into the main branch for deployment to production.

Option B:Threat modeling is typically performed earlier, during design or development, not after passing CI/CD checks.

Option C:Unit testing is part of the CI/CD pipeline and should already be completed.

Option D:Peer reviews are conducted before or during the test phase, not after QAand security scans are clear.

Option A:Merging the test branch to the main branch is the logical next step to prepare for production deployment.

Step by Step Explanation:

Understanding the Scenario: The question is about ensuring that an organization retains control over its encryption keys. It focuses on different key storage and management methods.

Analyzing the Answer Choices:

A. Encrypting using a key stored in an on-premises hardware security module (HSM): This is thebest option for maintaining complete control over encryption keys. An HSM is a dedicated, tamper-resistant hardware device specifically designed for secure key storage and cryptographic operations. Storing keys on-premises within an HSM ensures the organization has exclusive access.

The SIEM report shows that some devices, such as VM003 (Critical server) and NET003 (IPS), are DOWN and therefore not reporting logs. In security monitoring, the absence of log data from critical systems creates dangerous blind spots. If logs are missing, attacks can proceed undetected, or investigations may lack the data needed for incident response.

The most effective action is to perform a non-reporting device assessment (C). This means identifying and correcting issues where devices fail to send logs, whether due to outages, misconfigurations, or integration gaps. Ensuring all critical devices, especially servers and intrusion prevention systems, consistently send logs to the SIEM strengthens overall visibility and monitoring posture.

Option A (time calibration) is important for correlation accuracy but does not address missing log feeds. Option B (centralized use case library) enhances detection but only works if the SIEM is receiving complete data. Option D (resiliency plan) helps protect log retention but is irrelevant if logs are never received in the first place.

Therefore, fixing non-reporting log sources is the highest priority to improve monitoring effectiveness.

To reduce the number of failed patch deployments, the systems administrator should implement a robust change management process. Change management ensures that all modifications to systems or applications are planned, tested, and approved before deployment. This systematic approach reduces the risk of unplanned changes that can cause patch failures and ensures that patches are deployed in a controlled and predictable manner.

The log snippet indicates a DNS AXFR (zone transfer) request, which can be exploited by attackers to gather detailed information about an internal network ' s infrastructure. Disabling DNS zone transfers is the best solution to mitigate this risk. Zone transfers should generally be restricted to authorized secondary DNS servers and not be publicly accessible, as they can reveal sensitive network information that facilitates lateral movement during an attack.

To determine how the acquisition of Company B will impact the attack surface, the following steps are crucial:

A. Documenting third-party connections used by Company B: Understanding all external connections is essential for assessing potential entry points for attackers and ensuring that these connections are secure.

E. Performing an architectural review of Company B ' s network: This review will identify vulnerabilities and assess the security posture of the acquired company ' s network, providing a comprehensive understanding of the new attack surface.

These actions will provide a clear picture of the security implications of the acquisition and help in developing a plan to mitigate any identified risks.

The best way to mitigate the ability of attackers or penetration testers to execute arbitrary payloads is to enforce application controls with allow lists (B). Application allow listing ensures that only pre-approved, trusted software and scripts can be executed on the system. This prevents attackers from dropping or running malicious binaries, even if they exploit vulnerabilities to gain access. CAS-005 emphasizes allow listing as a preventive control against post-exploitation persistence and lateral movement.

Option A (ASLR) randomizes memory addresses and helps mitigate buffer overflow exploits but does not directly prevent execution of unauthorized programs. Option C (OS restrictions of globally writable folders) improves security hygiene but still does not stop attackers from executing already placed payloads in non-restricted locations. Option D (EDR signatures) are reactive and limited, since attackers often use novel or obfuscated payloads not yet captured by signature databases.

Therefore, implementing application controls with allow lists provides the strongest defense against unauthorized payload execution in this context.

The best way to reduce liability and secure customer environments is to require that all employee-owned laptops have a corporate-licensed and managed Endpoint Detection and Response (EDR) solution installed. This ensures that devices accessing sensitive customer infrastructure are monitored for malware, unauthorized processes, and suspicious behaviors. EDR provides visibility into endpoint security posture and enforces corporate security baselines, which unmanaged personal devices typically lack.

Option A (MDM with attestation) works well for corporate-owned devices but is difficult to enforce reliably across personally owned laptops. Option C (VPN with certificate authentication) ensures encrypted access but does not validate whether the device is secure. Option D (host checking to jump boxes) reduces exposure but still allows unmanaged endpoints to connect indirectly.

CAS-005 emphasizes endpoint controls and assurance mechanisms for environments with third-party or bring-your-own-device (BYOD) risk. Deploying managed EDR ensures visibility, consistent policies, and rapid response across all devices, making this the most secure and practical option.

The table indicates varying load times for users accessing the website from different geographic locations. Customers from Australia and India are experiencingsignificantly higher load times compared to those from the United States. This suggests that latency and geographical distance are affecting the website ' s performance.

A. IDS (Intrusion Detection System): While an IDS is useful for detecting malicious activities, it does not address performance issues related to latency and geographical distribution of content.

B. CDN (Content Delivery Network): A CDN stores copies of the website ' s content in multiple geographic locations. By serving content from the nearest server to the user, a CDN can significantly reduce load times and improve user experience globally.

C. WAF (Web Application Firewall): A WAF protects web applications by filtering and monitoring HTTP traffic but does not improve performance related to geographical latency.

D. NAC (Network Access Control): NAC solutions control access to network resources but are not designed to address web performance issues.

Implementing a CDN is the best solution to resolve the performance issues observed in the log output.

The immediate action after discovering ransomware is toisolate the affected serversto prevent further spread of the malware to other systems in the network. Paying the ransom is not recommended as it does not guarantee data recovery and encourages criminal behavior. Notifying law enforcement is necessary, but containment must happen first to limit damage. Requesting server restoration should only occur after containment and a thorough investigation to ensure no remnants of ransomware remain.

Understanding the Security Event:

Administrator accounts are highly privilegedand require strict monitoring.

Server 4 shows failed login attempts for the administrator account.This could indicate abrute-force attack or unauthorized access attempt.

The fact thatnone of the admin login attempts were successfulsuggestssomeone was trying to guess the credentials.

Why Option D isCorrect:

Failed logins for administrator accounts are a critical security concern.

If an attacker gains access, they couldescalate privileges and compromise the network.

Investigatingunauthorized admin login attemptsshould be thetop priorityin a log audit.

Why Other Options Are Incorrect:

A (Endpoint not submitting logs):While this is concerning, it does not indicate anactive attack.

B (Lateral movement):There ' s no evidence of a compromised account moving between servers yet.

C (Misconfigured syslog server):False negatives are a possibility, but thefailed admin loginsare real.

The best approach for managing and monitoring IoT devices, such as thermostats, is to operate them on a separate network with no access to other internal devices. This segmentation ensures that the IoT devices are isolated from the main network, reducing the risk of potential security breaches affecting other critical systems. Additionally, this setup allows for secure vendor updates without exposing the broader network to potential vulnerabilities inherent in IoT devices.

The best answer is B. The attacker registered a new domain . The key evidence is in the visible sender fields: From: jdoe@exampl.com and Reply-To: jdoe@exampl.com . The legitimate company domain appears to be example.com , but the fraudulent email uses exampl.com , which is a lookalike domain missing the letter “e” . That is a classic typosquatting/business email compromise pattern. The headers also show Received-SPF: pass , which means the message passed SPF for the domain it actually came from, not that it was legitimate for the intended organization. The presence of a DKIM-Signature also shows that lack of domain keys is not the issue. This is therefore best explained by an attacker creating or registering a deceptive domain and sending authenticated email from it. CompTIA SecurityX’s Security Operations domain includes activities around analyzing indicators, email artifacts, and attack patterns to identify malicious activity.

Why the other options are incorrect:

A is not the best explanation because the scenario says John Doe’s account had been compromised earlier, but the specific headers here point to a spoof-like lookalike domain attack, not necessarily direct reuse of John’s real mailbox. C is incorrect because the headers explicitly show a DKIM-Signature , so domain keys were used. D is incorrect because the headers show Received-SPF: pass , not fail. The payment succeeded because the attacker used a deceptive domain that looked close enough to the legitimate one to fool the recipient during the invoice exchange.

HMAC (Hash-based Message Authentication Code)ensures the integrity and authentication of API requests without exposing static or hard-coded private keys. It uses a secret key and a hash function, preventing replay attacks and tampering. VPNs secure the transport layer, MFA protects user accounts (not API-to-database communications), and DSA is a signature algorithm but does not address hard-coding risk directly.

Animmutable databasepreventsmodifications or deletions, ensuring resilience against ransomware while maintaining multiple copies of data.

The best action to address the requirement of accessing the historian server within a SCADA system is to isolate the historian server for connections only from the SCADAenvironment. Here’s why:

Security and Isolation: Isolating the historian server ensures that only authorized devices within the SCADA environment can connect to it. This minimizes the attack surface and protects sensitive data from unauthorized access.

Access Control: By restricting access to the historian server to only SCADA devices, the organization can better control and monitor interactions, ensuring that only legitimate queries and data retrievals occur.

Best Practices for Critical Infrastructure: Following the principle of least privilege, isolating critical components like the historian server is a standard practice in securing SCADA systems, reducing the risk of cyberattacks.

User behavior analytics (UBA)detectsanomalousactivityby analyzing historical patterns and comparing them to recent behavior. The time shift in account activity suggestspotential compromise or misuse.

TTP-based inquiries (A)focus on known attack tactics, techniques, and procedures but do not involve behavior tracking.

Adversary emulation (C)simulates attacks but does not analyze real data trends.

OSINT analysis (D)gathers intelligence from public sources, which is unrelated to internal account behavior analysis.

Regression testing is a software testingpractice that ensures that recent code changes have not adversely affected existing functionalities. In this scenario, the reintroduction of a previously fixed bug indicates that changes or integrations brought back the old issue. Implementing comprehensive regression testing would help detect such reintroductions by systematically retesting the existing functionalities whenever changes are made to the codebase. This practice is crucial in maintaining the integrity of the application, especially in complexsystems where multiple components interact.​

Removing unnecessary services from existing endpoints reduces the attack surface by minimizing the number of potential vulnerabilities attackers could exploit. This is a cost-effective method to harden devices without requiring new purchases, aligning perfectly with a purchasing freeze. Deploying new EDR solutions or disposing of devices would likely conflict with the resource freeze, and reimaging systems does not address minimizing services proactively.

The most likely reason the device must be replaced is that the motherboard was not configured with a TPM (Trusted Platform Module) from the OEM (Original Equipment Manufacturer) supplier.

Why TPM is Necessary for Full Disk Encryption:

Hardware-Based Security: TPM provides a hardware-based mechanism to store encryption keys securely, which is essential for full disk encryption.

Compatibility: Full disk encryption solutions, such as BitLocker, require TPM to ensure that the encryption keys are securely stored and managed.

Integrity Checks: TPM enables system integrity checks during boot, ensuring that the device has not been tampered with.

Other options do not directly address the requirement for TPM in supporting full disk encryption:

A. The HSM is outdated: While HSM (Hardware Security Module) is important for security, it is not typically used for full disk encryption.

B. The vTPM was not properly initialized: vTPM (virtual TPM) is less common and not typically a reason for requiring hardware replacement.

C. The HSM is vulnerable to common exploits: This would require a firmware upgrade, not replacement of the device.

E. The HSM does not support sealing storage: Sealing storage is relevant but not the primary reason for requiring TPM for full disk encryption.

D. STIX (Structured Threat Information eXpression): STIX is a standardized language for representing threat information in a structured and machine-readable format. It facilitates the sharing ofthreat intelligence by ensuring that data is consistent and can be easily understood by all parties involved.

E. TAXII (Trusted Automated eXchange of Indicator Information): TAXII is a transport mechanism that enables the sharing of cyber threat information over a secure and trusted network. It works in conjunction with STIX to automate the exchange of threat intelligence among organizations.

Other options:

A. CWPP (Cloud Workload Protection Platform): This focuses on securing cloud workloads and is not directly related to threat intelligence sharing.

B. YARA: YARA is used for malware research and identifying patterns in files, but it is not a platform for sharing threat intelligence.

C. ATT & CK: This is a knowledge base of adversary tactics andtechniques but does not facilitate the sharing of threat intelligence data.

F. JTAG: JTAG is a standard for testing and debugging integrated circuits, not related to threat intelligence.

Homomorphic encryption allows computations to be performed on encrypted data without decrypting it, providing strong privacy guarantees. However, the adoption of homomorphic encryption is challenging due to several factors:

A. Incomplete mathematical primitives: This is not the primary barrier as the theoretical foundations of homomorphic encryption are well-developed.

B. No use cases to drive adoption: There are several compelling use cases for homomorphic encryption, especially in privacy-sensitive fields like healthcare and finance.

C. Quantum computers not yet capable: Quantum computing is not directly related to the challenges of adopting homomorphic encryption.

D. Insufficient coprocessor support: The computational overhead of homomorphic encryption is significant, requiring substantial processing power. Current general-purpose processors are not optimized for the intensive computations required by homomorphic encryption, limiting its practical deployment. Specialized hardware or coprocessors designed to handle these computations more efficiently are not yet widely available.

B. Pre-commit code linting: Linting tools analyze code for syntax errors andadherence to coding standards before the code is committed to the repository. This helps catch minor code issues early in the development process, reducing the likelihood of deployment failures.

D. Automated regression testing: Automated regression tests ensure that new code changes do not introduce bugs or regressions into the existing codebase. By running these tests automatically during the deployment process, developers can catch issues early and ensure the stability of the development environment.

Other options:

A. Software composition analysis: This helps identify vulnerabilities in third-party components but does not directly address code quality or deployment failures.

C. Repository branch protection: While this can help manage the code submission process, it does not directly prevent deployment failures caused by code issues or security check failures.

E. Code submit authorization workflow: This manages who can submit code but does not address the quality of the code being submitted.

F. Pipeline compliance scanning: This checks for compliance with security policies but does not address syntax or regression issues.

The best solution is to implement authentication for API requests and apply appropriate rate limiting (C). Authentication ensures that only authorized customers or systems can access the API, while rate limiting helps prevent denial-of-service (DoS)-like conditions and cost inflation from excessive or malicious requests. This addresses both the security (unauthorized access) and cost issues (serverless billing based on execution).

Option A (digital certificates) is a strong control for authentication but may introduce unnecessary complexity and does not address rate abuse directly. Option B (rate limits with IP reputation checks) is useful but insufficient—malicious actors may rotate through new IPs not yet flagged. Option D (regional restrictions) might reduce some noise traffic but risks blocking legitimate global users and is not scalable for a modern cloud service.

CAS-005 highlights securing APIs with authentication, authorization, and throttling as best practices. Thus, the combined approach of API authentication plus rate limiting is the most comprehensive and effective solution.

The best answer is D. Host-based encryption . The strongest clue is that the company has proprietary information on its hard drives and consultants must travel with company-managed devices because BYOD is prohibited. That makes protection of data at rest on the endpoint the primary concern. Host-based encryption protects the contents of the drive if a laptop is lost, stolen, or physically accessed during travel. CompTIA’s SecurityX certification emphasizes building secure solutions across complex environments and supporting resilient enterprise protection, which includes securing endpoints and sensitive data stored on them.

Why the other options are not best:

A. Virtual hardware does not directly protect the data on the hard drive if the device is lost or stolen. B. Measured boot helps validate platform integrity at startup, but it does not primarily protect confidential data at rest. C. Secure enclave can protect certain secrets and key material, but it is narrower than full host-based encryption for an entire laptop drive. Because the requirement is specifically about proprietary data on traveling endpoints, full device or host-based encryption is the most beneficial control.

The most secure way to prevent inadvertent data disclosure when encrypted SSDs are reused is to securely delete the encryption keys used by the SSD. Without the encryption keys, the data on the SSD remains encrypted and is effectively unreadable, rendering any residual data useless. This method is more reliable and efficient than overwriting data multiple times or using other physical destruction methods.

In serverless computing, organizations rely heavily on CSPs to manage the infrastructure, runtime, and scaling. A key risk is thelevel of control and influence governments have over CSPs, potentially affecting availability, access, or confidentiality of hosted services due to legal orders or government actions. Concerns about virtualization technologies, scalability, or third-party monitoring are valid but less critical compared to the overarching legal and control risks tied to CSP reliance.

The best approach is to use Terraform scripts while creating golden images (A). Terraform is an Infrastructure as Code (IaC) tool that allows organizations to automate infrastructure deployment consistently across environments. A golden image is a pre-configured, patched, and hardened system image used as a standard baseline. By creating golden images via Terraform scripts, the company ensures that every microservice instance is deployed on an already-updated and secure OS. This eliminates the need for repeatedly patching the base OS before code deployment.

Option B (cron job with apt-update) applies patches but introduces delays (every 30 days) and lacks consistency across new deployments. Option C (snapshots) saves deployment states but risks replicating outdated or unpatched images. Option D (centralized update server) is useful but still requires updates post-deployment, which slows the rollout of microservices.

By automating golden image creation through Terraform, the company gains efficiency, repeatability, and security assurance, aligning with DevSecOps principles and CAS-005 cloud-native best practices.

The goal is to optimize bandwidth, increase speed, and maintain threat visibility in a low-bandwidth satellite office.Local cachingstores frequently accessed data locally, reducing bandwidth usage by minimizing repeated requests to external or internal resources. It speeds up access and doesn’t inherently reduce security visibility if paired with monitoring tools.

Option A:Distributed connection allocation might balance traffic but doesn’t directly reduce bandwidth usage or speed up access.

Option B:Local caching is ideal—reduces bandwidth, improves performance, and maintains visibility with proper security controls.

Option C:A CDN is great for external content delivery but less relevant for internal resources and doesn’t inherently address threat visibility.

Option D:SD-WAN improves WAN performance, but " vertical heterogeneity " is vague and not a standard term; it’s less tailored to this scenario than caching.

Excessive MFA push notifications can be a sign of an attempted push notification attack, where attackers repeatedly send MFA prompts hoping the user will eventually approve one by mistake. To mitigate this:

A. Provisioning FIDO2 devices: While FIDO2 devices offer strong authentication, they may not be practical for all users and do not directly address the issue of excessive push notifications.

B. Deploying a text message-based MFA: SMS-based MFA can still be vulnerable to similar spamming attacks and phishing.

C. Enabling OTP via email: Email-based OTPs add another layer of security but do not directly solve the issue of excessive notifications.

D. Configuring prompt-driven MFA: This option allows users to respond to prompts in a secure manner, often including features like time-limited approval windows, additional verification steps, or requiring specificactions to approve. This can help prevent users from accidentally approving malicious attempts.

Configuring prompt-driven MFA is the best solution to restrict unnecessary MFA notifications and improve security.

A risk register is atool commonly used in risk management to document all identified risks, their assessment in terms of likelihood and impact, and the actions steps to manage them. By adding the newly identified risks to the risk register and assigning an owner and severity, the organization ensures that each risk is visible to stakeholders and has a designated individual responsible for its management. This aligns with the company ' s requirements for transparency and accountability in risk management.​

The first immediate action in an active incident iscontainment.Blocking the IP address (40.90.23.154)at the network edge prevents further communication with the malicious external server. Disabling PowerShell or removing local admin privileges are valid hardening steps, but containment by network control is the highest priority during an active compromise to stop data exfiltration or further command and control activity.