CAS-005 CompTIA SecurityX Certification Exam Question and Answers

Understanding the Security Event:

Administrator accounts are highly privilegedand require strict monitoring.

Server 4 shows failed login attempts for the administrator account.This could indicate abrute-force attack or unauthorized access attempt.

The fact thatnone of the admin login attempts were successfulsuggestssomeone was trying to guess the credentials.

Why Option D isCorrect:

Failed logins for administrator accounts are a critical security concern.

If an attacker gains access, they couldescalate privileges and compromise the network.

Investigatingunauthorized admin login attemptsshould be thetop priorityin a log audit.

Why Other Options Are Incorrect:

A (Endpoint not submitting logs):While this is concerning, it does not indicate anactive attack.

B (Lateral movement):There's no evidence of a compromised account moving between servers yet.

C (Misconfigured syslog server):False negatives are a possibility, but thefailed admin loginsare real.

The best option is adversary emulation. Adversary emulation involves simulating real-world attacker Tactics, Techniques, and Procedures (TTPs) based on frameworks like MITRE ATT&CK. Unlike penetration tests, which primarily focus on identifying exploitable vulnerabilities, adversary emulation specifically tests the effectiveness of detection and response capabilities against known adversarial behaviors.

Option A (penetration testing) provides value but may not align test cases with SIEM detection rules. Option C (vulnerability assessment) identifies weaknesses but does not test detection rules. Option D (threat hunting) is proactive analysis but does not validate existing SIEM rule coverage in a structured manner. Option E (threat feeds) enrich SIEM data but do not test its efficacy.

CAS-005 identifies adversary emulation as a key strategy for validating detection and response coverage. It provides measurable results about what alerts are triggered and where detection gaps exist, enabling organizations to tune SIEM rules for improved efficacy.

A centralized Software Bill of Materials (SBoM) is the best solution for identifying vulnerabilities in container images in aprivate repository. An SBoM provides a comprehensive inventory of all components, dependencies, and their versions within a container image, facilitating quick evaluation and response to vulnerabilities.

Why Centralized SBoM?

Comprehensive Inventory: An SBoM lists all software components, including their versions and dependencies, allowing for thorough vulnerability assessments.

Quick Identification: Centralizing SBoM data enables rapid identification of affected containers when a vulnerability is disclosed.

Automation: SBoMs can be integrated into automated tools for continuous monitoring and alerting of vulnerabilities.

Regulatory Compliance: Helps in meeting compliance requirements by providing a clear and auditable record of all software components used.

Other options, while useful, do not provide the same level of comprehensive and efficient vulnerability management:

A. SAST scan reports: Focuses on static analysis of code but may not cover all components in container images.

C. CIS benchmark compliance reports: Ensures compliance with security benchmarks but does not provide detailed component inventory.

D. Credentialed vulnerability scan: Useful for in-depth scans but may not be as efficient for quick vulnerability evaluation.

Malware that does not execute in a sandbox environment often contains anti-analysis techniques, such as anti-virtualization code. This code detects when the malware is running in a virtualized environment and alters its behavior to avoid detection. Checking for anti-virtualization code is a logical next step because:

It helps determine if the malware is designed to evade analysis tools.

Identifying such code can provide insights into themalware's behavior and intent.

This step can also inform further analysis methods, such as running the malware on physical hardware.

The best way for a SOC to rapidly identify whether deployed applications contain specific libraries is through the use of a Software Bill of Materials (SBOM). An SBOM is a formal, machine-readable inventory of all components, including third-party and open-source libraries, used in a software product. When a new vulnerability is disclosed (such as Log4Shell in Log4j), organizations with a comprehensive SBOM can immediately search across their application landscape to determine which systems are impacted.

Other options are less effective. Maintaining SAST/DAST reports (A) only provides snapshots of vulnerabilities at the time of scanning, but does not dynamically track components across all software in production. Vendor attestations (B) improve supply chain governance but do not provide immediate visibility into internal or custom software. A GRC tool (D) helps track vendors and policies but does not show technical dependencies inside applications.

Requiring suppliers and internal developers to provide and maintain SBOMs ensures continuous visibility into dependencies. This allows the SOC to quickly query and respond to emerging vulnerabilities, reducing risk exposure and accelerating remediation timelines.

The log-in activity indicates a security threat, particularly involving the ADMIN account with a high-risk failure status. This suggests that the account may be targeted by malicious activities such as credential stuffing or brute force attacks.

Updating log configuration settings (A) may help in better logging future activities but does not address the immediate threat.

Changing the admin account password (B) is a good practice but may not fully mitigate the ongoing threat if the account has already been compromised.

Blocking employees (C) from logging into non-business applications might help in reducing attack surfaces but doesn't directly address the compromised account issue.

Implementing automation to disable accounts associated with high-risk activities ensures an immediate response to the detected threat, preventing further unauthorized access and allowing time for thorough investigation and remediation.

The Center for Internet Security (CIS) Controls provide prescriptive best practices for validating and securing perimeter firewalls. These controls are specifically designed to offer detailed, actionable steps that organizations can follow to ensure firewall rules are configured properly, access is restricted to least privilege, and unnecessary services are disabled. CIS benchmarks also provide specific configuration guidance for different vendors, making them highly practical for real-world implementation and validation.

MITRE ATT&CK (B) is a framework for adversary tactics, techniques, and procedures, valuable for threat modeling but not a direct standard for firewall validation. NIST CSF (C) provides a high-level framework for cybersecurity risk management but lacks specific configuration guidance for firewalls. ISO 27001 (D) defines an information security management system (ISMS) framework, focusing on governance and certification rather than hands-on configuration best practices.

Therefore, the CIS Controls and Benchmarks represent the most direct and practical resource for validating firewall configurations in line with recognized industry best practices.

Authenticated scans allow the scanner to verify installed patches and configurations, reducing false positives.

Other options:

A (CMDB updates) improve asset tracking but do not validate patch installations.

C (Advanced fingerprinting) improves accuracy but does not replace authentication.

D (Coordination with teams) is good practice but does not prevent false positives.

The beststrategy for securely managing cryptographic material is to use a Hardware Security Module (HSM). Here’s why:

Security and Integrity: HSMs are specialized hardware devices designed to protect and manage digital keys. They provide high levels of physical and logical security, ensuring that cryptographic material is well protected against tampering and unauthorized access.

Centralized Key Management: Using HSMs allows for centralized management of cryptographic keys, reducing the risks associated with decentralized and potentially insecure key storage practices, such as on personal laptops.

Compliance and Best Practices: HSMs comply with various industry standards and regulations (such as FIPS 140-2) for secure key management. This ensures that the organization adheres to best practices and meets compliance requirements.

The most cost-effective and secure solution is to configure VPN concentrators inside the OT networks at both sites (Option D). This setup allows encrypted communications between Site A and Site B, enabling controllers at either site to serve as secondary or failover devices for the other. By leveraging VPN tunnels, the organization avoids the expensive and time-consuming process of laying new fiber infrastructure, while still ensuring secure, authenticated, and encrypted connections across sites.

Option A, direct fiber connectivity, provides high performance but is extremely costly and less flexible than VPN solutions. Option B, deploying redundant SCADA controllers at each site, increases hardware, licensing, and management costs while still requiring interconnectivity. Option C, air-gapping the OT network, may improve isolation but would prevent remote failover capabilities, contradicting the requirement for cross-site control.

By implementing VPN concentrators, the organization achieves secure cross-site redundancy, supports operational continuity in case of controller outages, and does so in a cost-effective manner aligned with common OT security practices.

SecurityX CAS-005 network architecture objectives emphasize limiting exposure of vulnerable systems by using application-aware firewalls with strict rule sets.

This approach directly reduces the attack surface by allowing only approved application traffic to and from the vulnerable systems, mitigating risk until systems are patched or replaced.

EDR (A) enhances detection but doesn’t inherently reduce the exposed services.

Network segmentation in monitor mode (B) doesn’t block threats.

IDS (C) detects activity but does not block it.

The most likely reason the device must be replaced is that the motherboard was not configured with a TPM (Trusted Platform Module) from the OEM (Original Equipment Manufacturer) supplier.

Why TPM is Necessary for Full Disk Encryption:

Hardware-Based Security: TPM provides a hardware-based mechanism to store encryption keys securely, which is essential for full disk encryption.

Compatibility: Full disk encryption solutions, such as BitLocker, require TPM to ensure that the encryption keys are securely stored and managed.

Integrity Checks: TPM enables system integrity checks during boot, ensuring that the device has not been tampered with.

Other options do not directly address the requirement for TPM in supporting full disk encryption:

A. The HSM is outdated: While HSM (Hardware Security Module) is important for security, it is not typically used for full disk encryption.

B. The vTPM was not properly initialized: vTPM (virtual TPM) is less common and not typically a reason for requiring hardware replacement.

C. The HSM is vulnerable to common exploits: This would require a firmware upgrade, not replacement of the device.

E. The HSM does not support sealing storage: Sealing storage is relevant but not the primary reason for requiring TPM for full disk encryption.

The most appropriate technique to improve the cryptographic strength of a password-storage component in a web application without completely replacing the crypto-module is key stretching. Here's why:

Enhanced Security: Key stretching algorithms, such as PBKDF2, bcrypt, and scrypt, increase the computational effort required to derive the encryption key from the password, making brute-force attacks more difficult and time-consuming.

Compatibility: Key stretching can be implemented alongside existing cryptographic modules, enhancing their security without the need for a complete overhaul.

Industry Best Practices: Key stretching is a widely recommended practice for securely storing passwords, as it significantly improves resistance to password-cracking attacks.

Programmable Logic Controllers (PLCs) in Operational Technology (OT) environments commonly useLadder Logic, a graphical programming language resembling electrical relay logic diagrams. It’s the most relevant for PLCs due to its widespread use in industrial automation.

Option A:Ladder Logic is the standard for PLC programming, making it the best choice.

Option B:Rust is modern and secure but not typically used for PLCs.

Option C:C is used in some embedded systems but less common for PLCs.

Option D:Python is versatile but not native to PLC programming.

Option E:Java is rare in PLC contexts.

The key requirement is toinstantly eliminate data losson a lost device.

Cryptographic erasureworks by deleting encryption keys used for FDE (full disk encryption), rendering all data unrecoverable within seconds — satisfying the "mitigate within seconds" requirement.

Revoking certificates won’t wipe the data from a lost tablet.

Changing MFA credentials won’t help unless the device is secured, and app allow lists don’t apply post-loss.

FromCAS-005, Domain 3: Secure Systems Design and Deployment:

“Cryptographic erase (CE) renders data irrecoverable by deleting encryption keys used to protect data on the device.”

Vendor lock-in occurs when a client is overly dependent on a vendor, limiting flexibility. Risks include:

Option B:Vendors changing offerings (e.g., features, pricing) can disrupt the client, a key lock-in risk.

Option D:Decreased quality of service may result from reliance on a single vendor without alternatives.

Option A:Seamless data movement is a benefit, not a risk.

Option C:Sufficient service is neutral or positive, not a risk.

Option E:Multicloud is hindered by lock-in, not a risk of it.

Option F:Increased interoperability contradicts lock-in’s limitations.

Step-by-Step Explanation:

Both samples share similar function names, variable naming styles, and logic flow, indicating that they were likely written by the same developer. This is a keyobservation in malware attribution, as cyber threat analysts often look for unique coding styles to link malware to specific threat actors.

The presence of C2 (Command and Control) communication in both samples supports this theory, as attackers often reuse parts of their own malware code across different attacks.

Post-Quantum Cryptography (PQC) preparation is critical to protect data against future quantum computing attacks that could break current cryptographic algorithms (e.g., RSA, ECC). According to the CompTIA SecurityX CAS-005 study guide (Domain 3: Cybersecurity Technology, 3.3), quantum computers with sufficient computational power could perform calculations (e.g., Shor’s algorithm) to decrypt data protected by traditional algorithms. PQC focuses on developing algorithms resistant to such increases in computational resources, ensuring long-term data security.

Option B:Key stretching is a technique to strengthen passwords, not related to PQC.

Option C:PQC algorithms often have higher computational costs, not improved performance.

Option D:Asymmetric encryption is not ideal for large data sets, and PQC is not specifically about this use case.

Option A:This accurately describes PQC’s purpose to safeguard data against quantum-driven decryption.

When users disconnect from Remote Desktop Protocol (RDP) sessions without properly logging off, their sessions remain active on the server. If their passwords are changed due to the 90-day rotation policy, these lingering sessions may attempt to reauthenticate using outdated credentials, leading to multiple failed login attempts and potential account lockouts.

Automating the logout of inactive sessions ensures that disconnected or idle sessions are terminated after a specified period, preventing stale sessions from causing authentication issues. This approach aligns with best practices for session management and helps maintain security compliance.

The immediate action after discovering ransomware is toisolate the affected serversto prevent further spread of the malware to other systems in the network. Paying the ransom is not recommended as it does not guarantee data recovery and encourages criminal behavior. Notifying law enforcement is necessary, but containment must happen first to limit damage. Requesting server restoration should only occur after containment and a thorough investigation to ensure no remnants of ransomware remain.

The scenario involves replacing an on-premises VPN solution, which has a zero-day vulnerability, with cloud-hosted resources while ensuring trusted connectivity. Trusted connectivity in a cloud environment implies secure, scalable, and modern access control that goes beyond traditional VPNs. Let’s analyze the options:

A. Container orchestration: This refers to managing and automating containerized workloads (e.g., Kubernetes). While useful for application deployment, it doesn’t directly address secure connectivity to cloud resources.

B. Microsegmentation: This involves creating fine-grained security policies within a network to limit lateral movement. It’s valuable for internal security but isn’t a complete solution for trusted connectivity to cloud-hosted resources.

C. Conditional access: This ensures access based on conditions (e.g., user identity, device health). It’s relevant for identity management but lacks the broader networking and security scope needed here.

In serverless computing, organizations rely heavily on CSPs to manage the infrastructure, runtime, and scaling. A key risk is thelevel of control and influence governments have over CSPs, potentially affecting availability, access, or confidentiality of hosted services due to legal orders or government actions. Concerns about virtualization technologies, scalability, or third-party monitoring are valid but less critical compared to the overarching legal and control risks tied to CSP reliance.

Always-on VPN ensures that devices connect automatically to the corporate network whenever they are online, allowing seamless access to internal resources and enabling authentication against on-premises directory services (such as Active Directory). This supports centralized identity management, GPO enforcement, and compliance requirements.

Options B, C, and D involve local or peripheral resources, which are unaffected by VPN state.

A computer screen shot of a diagram Description automatically generated

A screenshot of a computer error Description automatically generated

Creating a separate network for users who need access tothe application is the best action to secure an internal application that is critical to the production area and cannot be updated.

Why Separate Network?

Network Segmentation: Isolates the critical application from the rest of the network, reducing the risk of compromise and limiting the potential impact of any security incidents.

Controlled Access: Ensures that only authorized users have access to the application, enhancing security and reducing the attack surface.

Minimized Risk: Segmentation helps in protecting the application from vulnerabilities that could be exploited from other parts of the network.

Other options, while beneficial, do not provide the same level of security for a critical application:

A. Disallow wireless access: Useful but does not provide comprehensive protection.

B. Deploy intrusion detection capabilities using a network tap: Enhances monitoring but does not provide the same level of isolation and control.

C. Create an acceptable use policy: Important for governance but does not provide technical security controls.

The best location to test a newly released feature for an internal application, without affecting the production environment, is the staging environment. Here’s a detailed explanation:

Staging Environment: This environment closely mirrors the production environment in terms of hardware, software, configurations, and settings. It serves as a final testing ground before deploying changes to production. Testing in the staging environment ensures that the new feature will behave as expected in the actual production setup.

Isolation fromProduction: The staging environment is isolated from production, which means any issues arising from the new feature will not impact the live users or the integrity of the production data. This aligns with best practices in change management and risk mitigation.

Realistic Testing: Since the staging environment replicates the production environment, it provides realistic testing conditions. This helps in identifying potential issues that might not be apparent in a development or testing environment, which often have different configurations and workloads.

A. Implementing allow lists: Allow lists (whitelisting) restrict network communication to only authorized devices and applications, significantly reducing the attack surface by ensuring that only pre-approved traffic is permitted.

F. Implementing a site-to-site IPSec VPN: A site-to-site VPN provides a secure, encrypted tunnel for data transmission between the OT systems and the vendor, protecting the data from interception and tampering during transit.

Other options:

B. Monitoring network behavior: While useful for detecting anomalies, it does not proactively reduce the risk of compromise or sabotage.

C. Encrypting data at rest: Important for protecting data stored on devices, but does not address network communication risks.

D. Performing boot integrity checks: Ensures the integrity of the system at startup but does not protect ongoing network communications.

E. Executing daily health checks: Useful for maintaining system health but does not directly reduce the risk of network-based compromise or sabotage.

To ensure the most secure way of keeping a legacy system (COL) operating until a new solution is available, isolating the system and enforcing strict firewall rules is the best approach. This method minimizes the attack surface by restricting access to only the necessary endpoints, thereby reducing the risk of unauthorized access and potential security breaches. Isolating the system ensures that it is not exposed to the broader network, while firewall rules control the traffic that can reach the system, providing a secure environment until a replacement is implemented.

Based on the provided authentication logs, we observe that User1's accountexperienced multiple failed login attempts within a very short time span (at 8:01:23 AM on 12/15). This pattern indicates a potential brute-force attack or an attempt to gain unauthorized access. Here’s a breakdown of why disabling User1's account is the appropriate first step:

Failed Login Attempts: The logs show that User1 had four consecutive failed login attempts:

VM01 at 8:01:23 AM

VM08 at 8:01:23 AM

VM01 at 8:01:23 AM

VM08 at 8:01:23 AM

Security Protocols and Best Practices: According to CompTIA Security+ guidelines, multiple failed login attempts within a short timeframe should trigger an immediate response to prevent further potential unauthorized access attempts. This typically involves temporarily disabling the account to stop ongoing brute-force attacks.

Account Lockout Policy: Implementing an account lockout policy is a standard practice to thwart brute-force attacks. Disabling User1's account will align with these best practices and prevent further failed attempts, which might lead to successful unauthorized access if not addressed.

For a distributed workforce needing access to compliance-bound on-premises systems, VPN access ensures encrypted, authenticated connectivity while limiting exposure. SecurityX CAS-005 emphasizes using VPNs for secure remote access when direct migration to cloud is not possible.

Moving legacy systems to cloud (B) violates the compliance constraints.

SDN security controls (C) are beneficial but do not inherently provide secure remote connectivity.

Microsegmentation (D) is useful for internal lateral movement control but does not solve remote access needs.

The most critical considerations are trust boundaries (C) and supply chain access (E). Trust boundaries define where sensitive data crosses between systems or organizations, requiring strict cryptographic protections—especially important in government and commercial environments subject to crypto-export controls.

Supply chain access is also critical because hardware and software are sourced from external vendors. If suppliers are compromised, attackers could introduce malicious code, backdoors, or tampered firmware, endangering customers worldwide.

Option A (contractual obligations) and B (legal hold) are compliance-related but not direct security threats. Option D (cloud services enumeration) is irrelevant unless the storage is cloud-based. Option F (homomorphic encryption) is an advanced technology but not required for base threat modeling.

CAS-005 highlights modeling adversary capabilities at trust boundaries and accounting for supply chain risks, making C and E the most important.

Chain of custody ensures that evidence is protected, documented, and accounted for from the moment it is collected until it is presented in court or a legal proceeding. Properly maintaining chain of custody is critical to proving that the evidence has not been tampered with. Although encryption protects data during transit, and legal issues are important, without a documented chain of custody, the integrity of the evidence itself could be challenged and invalidated.

Preparing communication templates that have been vetted by both internal and external counsel ensures that the organization can respond quickly and effectively to internal and external inquiries, comply with regulatory requirements, and provide transparency in the event of a breach.

Why Communication Templates?

Timely Response: Pre-prepared templates ensure that responses are ready to be deployed quickly, reducing response time.

Regulatory Compliance: Templates vetted by counsel ensure that all communications meet legal and regulatory requirements.

Consistent Messaging: Ensures that all responses are consistent, clear, and accurate, maintaining the organization’s credibility.

Crisis Management: Pre-prepared templates are a critical component of a broader crisis management plan, ensuring that all stakeholders are informed appropriately.

Other options, while useful, do not provide the same level of preparedness and compliance:

A. Outsourcing to an external consultant: This may delay response times and lose internal control over the communication.

B. Integrating automated response mechanisms: Useful for efficiency but not for ensuring compliant and vetted responses.

D. Conducting lessons-learned activities: Important for improving processes but does not provide immediate preparedness for communication.

Understanding the Security Event:

HOST002 is the only device authorized for internet traffic. However, theSIEM logs show that VM002 is making network connections to web.corp.local.

This indicatesunauthorized access, which could bea sign of lateral movement or network infection.

This is ared flagfor potential malware, unauthorized software, or a compromised host.

Why Option D is Correct:

Unusual network traffic patternsare often an indicator of acompromised system.

VM002 should not be communicating externally, but it is.

This suggests a possiblebreach or malware infectionattempting to communicate with a command-and-control (C2) server.

Why Other Options Are Incorrect:

A (Misconfiguration):While a misconfiguration could explain the unauthorized connections, the pattern of activity suggests something more malicious.

B (Security incident on HOST002):The issue is not with HOST002. The suspicious activity isfrom VM002.

C (False positives):The repeated pattern of unauthorized connections makes false positivesunlikely.

Configuring a span port on the perimeter firewall to ingest logs is the best architectural change to ensure that all client proxy traffic is captured for analysis. Here’s why:

Comprehensive Traffic Capture: A span port (or mirror port) on the perimeter firewall can capture all inbound and outbound traffic, including traffic that might bypass the proxy. This ensures that all network traffic is available for analysis.

Centralized Logging: By capturing logs at the perimeter firewall, the organization can centralize logging and analysis, making it easier to detect and investigate anomalies.

Minimal Disruption: Implementing a span port is a non-intrusive method that does not require significant changes to the network architecture, thus minimizing disruption to existing services.

This scenario clearly describes asupply chain attack, where the compromise occurs at the vendor or manufacturing stage before the product reaches the customer. The attack impacts many downstream organizations and sectors. SDLC attacks are focused on software development life cycles, side-loading involves unauthorized app installations, and remote code signing focuses on authenticating remote software, none of which fully encapsulate the situation described.

To develop a baseline of security configurations that will be automatically utilized when a machine is created, the security architect should deploy Ansible. Here’s why:

Automation: Ansible is an automation tool that allows for the configuration, management, and deployment of applications and systems. It ensures that security configurations are consistently applied across all new machines.

Scalability: Ansible can scale to manage thousands of machines, making it suitable for large enterprises that need to maintain consistent security configurations across their infrastructure.

Compliance: By using Ansible, organizations can enforce compliance with security policies and standards, ensuring that all systems are configured according to best practices.

Formal methods in software engineering use mathematically based specifications to ensure system correctness, safety, and compliance with requirements. SecurityX CAS-005 stresses the importance of traceability between code and both functional and non-functional requirements for high-assurance systems like avionics. A lack of traceability means it is impossible to verify that the implementation meets all required safety and performance standards—exactly what formal methods address.

The security diagram proposed by the security architect depicts a Zero Trust security model. Zero Trust is asecurity framework that assumes all entities, both inside and outside the network, cannot be trusted and must be verified before gaining access to resources.

Key Characteristics of Zero Trust in the Diagram:

Role-based Access Control: Ensures that users have access only to the resources necessary for their role.

Mandatory Access Control: Additional layer of security requiring authentication for access to sensitive areas.

Network Access Control: Ensures that devices meet security standards before accessing the network.

Multi-factor Authentication (MFA): Enhances security by requiring multiple forms of verification.

This model aligns with the Zero Trust principles of never trusting and always verifying access requests, regardless of their origin.

To meet the requirements of having allendpoints establish telemetry with a SIEM, integrate into an XDR platform, and allow SOC services to monitor the XDR platform, the best approach is to implement Host Intrusion Prevention Systems (HIPS) and a host-based firewall. HIPS can provide detailed telemetry data to the SIEM and can be integrated into the XDR platform for comprehensive monitoring and response. The host-based firewall ensures that only authorized traffic is allowed, providing an additional layer of security.

Attack surface reductionfocuses on minimizingunnecessary services, open ports, and vulnerabilities, reducing the exposure to potential adversaries. This aligns withzero trust and least privilege principles.

Secure Boot (A)helps ensure system integrity but does not minimize exposed services.

Disabling third-party integrations (C)may help, but broader attack surface reduction is the best first step.

Limiting access (D)is important but does not directly reduce exposed services.

Incident response follows a standard process (e.g., NIST 800-61): Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. After identifying the attack (file and origin), the next step isContainment—limiting the spread or impact (e.g., isolating systems) before remediation or recovery.

Option A:Remediation (fixing the root cause) follows containment.

Option B:Correct—containment prevents further damage post-identification.

Option C:“Response” is too vague; it encompasses all steps.

Option D:Recovery (restoring systems) comes after containment and eradication.

OpenSSH vulnerabilityispublic facingand has acritical CVSS of 9.2.

Exploitable SSH services can lead to direct server compromise.

Although Apache has a higher score, it's internal.

FromCAS-005, Domain 3: Vulnerability Management:

“Prioritize external vulnerabilities with high CVSS and exposed attack surfaces.”

To ensure that logs from a legacy platform are properly retained beyond the default retention period, configuring the SIEM to aggregate the logs is the best approach. SIEM solutions are designed to collect, aggregate, and store logs from various sources, providing centralized log management and retention. This setup ensures that logs are retained according to policy and can be easily accessed for analysis and compliance purposes.

Limiting the platform's abilities to only non-sensitive functions helps to mitigate risks associated with AI operations. By ensuring that the AI-enabled digital worker is only allowed to perform tasks that do not involve sensitive or critical data, the organization reduces the potential impact of any security breaches or misuse.

Enhancing the training model's effectiveness (Option B) is important but does not directly address security guardrails. Granting the system the ability to self-govern (Option C) could increase risk as it may act beyond the organization's control. Requiring end-user acknowledgement of organizational policies (Option D) is a good practice but does not implement technical guardrails to secure the AI environment.

A central logging server ensures logs are collected in a tamper-proof manner and only ingested (not modified). This prevents attackers from altering logs locally.

Key concepts:

Logs should be centrally stored to prevent tampering.

Enabling log forwarding to a secure SIEM improves integrity.

Other options:

A (File monitoring tool) helps detect file changes but doesn’t prevent log tampering.

B (Changing log solutions) does not inherently improve security.

D (Log rotation and encryption) is best practice but does not prevent modification before transmission.

To prevent unauthorized applications from running, the company needs a mechanism to explicitly define and enforce which applications are allowed to execute. "Permit listing" (often referred to as "whitelisting" in security contexts) is the most effective solution here. It involves creating a list of approved applications, and only those on the list are permitted to run, blocking all others by default. This directly addresses the root cause—users installing unapproved software—by restricting execution to only authorized programs.

Option A (Signing):Code signing ensures the authenticity and integrity of software by verifying it comes from a trusted source and hasn’t been tampered with. While useful, it doesn’t inherently prevent unauthorized applications from running unless combined with a policy like whitelisting.

Option B (Access control):Access control governs who can access systems or resources but doesn’t specifically restrict which applications can execute. It’s too broad for this scenario.

Option C (HIPS):A Host-based Intrusion Prevention System (HIPS) can detect and block malicious behavior, but it’s reactive and relies on signatures or heuristics, not a proactive allow-only approach.

Option D (Permit listing):This is the best fit, as it proactively enforces a policy where only explicitly authorized applications can run, preventing malware introduced by unauthorized software.

Per SecurityX CAS-005 GRC principles, outsourcing a function does not transfer accountability for protecting personally identifiable information (PII). While subprocessors handle data, the originating organization remains responsible under most data protection laws and frameworks (e.g., GDPR, CCPA).

Due care in procurement (option B) is important, but it is a supporting concept, not the primary driver in this context.

Jurisdictional compliance (option D) is a requirement, but the underlying reason for risk assessment is that accountability for PII protection remains with the organization.

The log snippet indicates a DNS AXFR (zone transfer) request, which can be exploited by attackers to gather detailed information about an internal network's infrastructure. Disabling DNS zone transfers is the best solution to mitigate this risk. Zone transfers should generally be restricted to authorized secondary DNS servers and not be publicly accessible, as they can reveal sensitive network information that facilitates lateral movement during an attack.

The malware uses TCP 4444 to move laterally between systems. A host-based firewall can block unauthorized communication ports (like TCP 4444) on each workstation, preventing malware from establishing connections and spreading. Configuring the CPU's NX bit and enabling ASLR primarily help in mitigating memory-based exploits, not in stopping lateral movement. Enabling UEFI ensures boot integrity but does not mitigate active lateral communication. An edge firewall would protect the network perimeter, not internal workstation-to-workstation communication.

Implementing security and quality checks in a CI/CD pipeline ensures that:

Container images are scanned for vulnerabilities beforedeployment.

Version control is enforced, preventing unauthorized changes.

Hashes validate image integrity.

Other options:

A (Configuring ACLs on mesh networks) improves access control but does not ensure scanning.

C (Audits on container images) detect changes but do not enforce best practices.

D (Pulling from a vendor repository) does not ensure vulnerability scanning.

The code indicates that a WordPress (CMS) plug-in has likely been exploited. The function get_hex_cache() combines obfuscated PHP code (hex2bin) with external file retrieval (inc.tmp). This is characteristic of malicious plug-in injections in content management systems such as WordPress, where attackers inject backdoors or malicious scripts through vulnerable plug-ins.

Option B (search engine bots blocked) and C (corrupted stylesheet) would not explain injected PHP logic. Option D (WAF in transparent mode) reduces security controls but does not create malicious functions inside the CMS code.

The presence of obfuscated data in inc.tmp strongly suggests tampering. Exploited CMS plug-ins are a common initial access vector, often used to hide persistent malware or web shells.

This aligns with CAS-005 objectives on secure coding, monitoring for tampering, and conducting regular code reviews of third-party dependencies.

Input sanitation is a critical process in cybersecurity that involvesvalidating and cleaning data provided by users to prevent malicious inputs from causing harm. In the context of AI concerns:

A. Model inversion involves an attacker inferring sensitive data from model outputs, typically requiring sophisticated methods beyond just manipulating input data.

B. Prompt Injection is a form of attack where an adversary provides malicious input to manipulate the behavior of AI models, particularly those dealing with natural language processing (NLP). Input sanitation directly addresses this by ensuring that inputs are cleaned and validated to remove potentially harmful commands or instructions that could alter the AI's behavior.

C. Data poisoning involves injecting malicious data into the training set to compromise the model. While input sanitation can help by filtering out bad data, data poisoning is typically addressed through robust data validation and monitoring during the model training phase, rather than real-time input sanitation.

D. Non-explainable model refers to the lack of transparency in how AI models make decisions. This concern is not addressed by input sanitation, as it relates more to model design and interpretability techniques.

Input sanitation is most relevant and effective for preventing Prompt Injection attacks, where the integrity of user inputs directly impacts the performance and security of AI models.

In the context of improving incident response and reducing dwell time, the security analyst needs to focus on proactive measures that can quickly detect and alert on potential security breaches. Here’s a detailed analysis of the options provided:

A. Adjusting the SIEM to alert on attempts to visit phishing sites: While this is a useful measure to prevent phishing attacks, it primarily addresses external threats and doesn’t directly impact dwell time reduction, which focuses on the time a threat remains undetected within a network.

B. Allowing TRACE method traffic to enable better log correlation: The TRACE method in HTTP is used for debugging purposes, but enabling it can introduce security vulnerabilities. It’s not typically recommended for enhancing security monitoring or incident response.

C. Enabling alerting on all suspicious administrator behavior: This option directly targets the potential misuse of administrator accounts, which are often high-value targets for attackers. By monitoring and alerting on suspicious activities from admin accounts, the organization can quickly identify and respond to potential breaches, thereby reducing dwell time significantly. Suspicious behavior could include unusual login times, access to sensitive data not usually accessed by the admin, or any deviation from normal behavior patterns. This proactive monitoring is crucial for quick detection and response, aligning well with best practices in incident response.

D. Utilizing allow lists on the WAF for all users using GET methods: This measure is aimed at restricting access based on allowed lists, which can be effective in preventing unauthorized access but doesn’t specifically address the need for quick detection and response to internal threats.

The sshd_config file is the main configuration file for the OpenSSH server. To disable weak CBC (Cipher Block Chaining) ciphers for SSH connections, the security engineer should modify the sshd_config file to update the list of allowed ciphers. This file typically contains settings for the SSH daemon, including which encryption algorithms are allowed.

By editing the /etc/ssh/sshd_config file and updating the Ciphers directive, weak ciphers can be removed, and only strong ciphers can be allowed. This change ensures that the SSH server does not use insecure encryption methods.

The question states that security scanning and quality assurance (QA) in the CI/CD pipeline have been completed with no issues, indicating that the code in the test branch is ready for production. According to the CompTIA SecurityX CAS-005 study guide (Domain 2: Security Operations, 2.3), in a secure CI/CD pipeline, once code passes automated security scans, QA, and other checks (e.g., unit testing, peer reviews), the next step is to merge the tested branch into the main branch for deployment to production.

Option B:Threat modeling is typically performed earlier, during design or development, not after passing CI/CD checks.

Option C:Unit testing is part of the CI/CD pipeline and should already be completed.

Option D:Peer reviews are conducted before or during the test phase, not after QAand security scans are clear.

Option A:Merging the test branch to the main branch is the logical next step to prepare for production deployment.

Encrypting patient data at rest ensures that sensitive information is protected from unauthorized access, thereby maintaining patient privacy. Additionally, encryption supports data portability by allowing secure transfer and storage of data across different systems and devices without compromising confidentiality. This practice is crucial for healthcare providers to comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA), which mandates the protection of patient information.​

To mitigate the identified vulnerabilities, the followingsolutions are most appropriate:

A. Implementing data loss prevention (DLP): DLP solutions help prevent the unauthorized transfer of data outside the organization. This directly addresses the exfiltration of intellectual property by monitoring, detecting, and blocking sensitive data transfers.

E. Enabling modern authentication that supports Multi-Factor Authentication (MFA): This significantly enhances security by requiring additional verification methods beyond just passwords. It addresses the issue of weak user passwords by making it much harder for unauthorized users to gain access, even if they obtain the password.

Other options, while useful in specific contexts, do not address all the vulnerabilities mentioned:

B. Deploying file integrity monitoring helps detect changes to files but does not prevent data exfiltration or address weak passwords.

C. Restricting access to critical file services improves security but is not comprehensive enough to mitigate all identified vulnerabilities.

D. Deploying directory-based group policies can enforce security policies but might not directly prevent data exfiltration or ensure strong authentication.

F. Implementing a version control system helps manage changes to files but is not a security measure for preventing the identified vulnerabilities.

G. Implementing a CMDB platform (Configuration Management Database) helps manage IT assets but does not address the specific security issues mentioned.

To provide secure access tointernal and external cloud resources, eliminate split-tunnel traffic flows, and enable identity and access management capabilities, the most appropriate solutions are CASB (Cloud Access Security Broker) and SASE (Secure Access Service Edge).

Why CASB and SASE?

CASB (Cloud Access Security Broker):

Secure Access: CASB solutions provide secure access to cloud resources by enforcing security policies and monitoring user activities.

Identity and Access Management: CASBs integrate with identity and access management (IAM) systems to ensure that only authorized users can access cloud resources.

Visibility and Control: They offer visibility into cloud application usage and control over data sharing and access.

SASE (Secure Access Service Edge):

Eliminate Split-Tunnel Traffic: SASE integrates network security functions with WAN capabilities to ensure secure access without the need for split-tunnel configurations.

Comprehensive Security: SASE provides a holistic security approach, including secure web gateways, firewalls, and zero trust network access (ZTNA).

Identity-Based Access: SASE leverages IAM to enforce access controls based on user identity and context.

Other options, while useful, do not comprehensively address all the requirements:

A. Federation: Useful for identity management but does not eliminate split-tunnel traffic or provide comprehensive security.

B. Microsegmentation: Enhances security within the network but does not directly address secure access to cloud resources or split-tunnel traffic.

D. PAM (Privileged Access Management): Focuses on managing privileged accounts and does not provide comprehensive access control for internal and external resources.

E. SD-WAN: Enhances WAN performance but does not inherently provide the identity and access management capabilities or eliminate split-tunnel traffic.

Risk appetite is the amount of risk an organization is willing to accept to achieve its objectives. When operating with a constrained budget, understanding the organization's risk appetite is crucial because:

It helps prioritize security investments based on the level of risk the organization is willing to tolerate.

High-impact, low-likelihood events may be deemed acceptable if they fall within the organization's risk appetite, allowing for budget allocation to other critical areas.

Properly understanding and defining risk appetite ensures that limited resources are used effectively to manage risks that align with the organization's strategic goals.

To meet the requirements of centrally managing configurations, pushing policies, remotely wiping devices, and maintaining an asset inventory, the best solution is to implement a Mobile Device Management (MDM) solution.

MDM Capabilities:

Central Management: MDM allows administrators to manage the configurations of all devices from a central console.

Policy Enforcement: MDM solutions enable the push of security policies and updates to ensure compliance across all managed devices.

Remote Wipe: In case a device is lost or stolen, MDM provides the capability to remotely wipe the device to protect sensitive data.

Asset Inventory: MDM maintains an up-to-date inventory of all managed devices, including their configurations and installed applications.

Other options do not provide the same comprehensive capabilities required for managing specialized endpoints.

The scenario describes a sophisticated attack where the threat actor used steganography within LDAP to exfiltrate data. Given that thehardware and OS firmware were validated and found uncompromised, the attack vector likely exploited a network communication channel. To mitigate such risks, enforcing allow lists for authorized network ports and protocols is the most effective strategy.

Here’s why this option is optimal:

Port and Protocol Restrictions: By creating an allow list, the organization can restrict communications to only those ports and protocols that are necessary for legitimate business operations. This reduces the attack surface by preventing unauthorized or unusual traffic.

Network Segmentation: Enforcing such rules helps in segmenting the network and ensuring that only approved communications occur, which is critical in preventing data exfiltration methods like steganography.

Preventing Unauthorized Access: Allow lists ensure that only predefined, trusted connections are allowed, blocking potential paths that attackers could use to infiltrate or exfiltrate data.

Other options, while beneficial in different contexts, are not directly addressing the network communication threat:

B. Measuring and attesting to the entire boot chain: While this improves system integrity, it doesn’t directly mitigate the risk of data exfiltration through network channels.

C. Rolling thecryptographic keys used for hardware security modules: This is useful for securing data and communications but doesn’t directly address the specific method of exfiltration described.

D. Using code signing to verify the source of OS updates: Ensures updates are from legitimate sources, but it doesn’t mitigate the risk of network-based data exfiltration.

Segmentationis the best option to ensure the security of legacy badge readers that cannot be upgraded. Segmentation isolates the legacy devices on a separate network segment to minimize their exposure to potential threats. This approach reduces the attack surface by preventing unauthorized access from other parts of the network while still allowing necessary connectivity to the enterprise resource planning (ERP) system.

Vulnerability scans (B)are useful for identifying weaknesses but do not actively protect the badge readers.

Anti-malware (C)is ineffective since the badge readers use a legacy platform that likely does not support modern endpoint protection solutions.

The correct regulation is COPPA (Children’s Online Privacy Protection Act). COPPA is a U.S. law that requires organizations to obtain parental consent and implement specific protections before collecting personal data from children under the age of 13. Since the legal counsel is advising about age-related sign-up requirements, the concern clearly points to COPPA compliance.

GDPR (A) is a European regulation governing privacy and data protection but is broader and not specifically tied to children’s age verification, though it has related provisions. LGPD (B) is Brazil’s data protection law, similar in scope to GDPR. PCI DSS (C) is focused on protecting cardholder data in payment environments, unrelated to age-related concerns.

CAS-005 covers the importance of aligning software platforms with legal and regulatory frameworks. For gaming and online services, COPPA compliance is crucial to avoid fines and reputational harm, ensuring the platform properly handles children’s data.

The most likely explanation for the issues encountered with the captive portal is that the TLS ciphers supported by the captive portal are deprecated. Here’s why:

TLS Cipher Suites: Modern browsers are continuously updated to support the latest security standards and often drop support for deprecated and insecure cipher suites. If the captive portal uses outdated TLS ciphers, newer browsers may refuse to connect, causing security errors.

HSTS and Browser Security: Browsers with HTTP Strict Transport Security (HSTS) enabled will not allow connections to sites with weak security configurations. Deprecated TLS ciphers would cause these browsers to block the connection.

Step-by-Step Explanation:

Understand the QuestionRequirements:The goal is to use a regular expression (regex) to match software versions 10.0 through 10.3, but exclude version 10.4.

Review Regex Syntax:

[ ] indicates a character set (matches any one character in the set).

[0-3] matches any digit between 0 and 3.

\. escapes the period (.) so it matches a literal period instead of acting as a wildcard.

( ) groups parts of the regex together.

Analyze Each Option:

Option A: Reader(*)[1][0].[0-4:

Incorrect. The use of (*) is not valid syntax in this context and [0-4 is incomplete or misformatted.

Option B: Reader[11[01X.f0-3'

Incorrect. This is an invalid regex syntax, mixing character sets and mismatched brackets.

Option C: Reader( )[1][0].[0-3:

Correct. This regex is valid and matches "Reader 10.0", "Reader 10.1", "Reader 10.2", and "Reader 10.3" while excluding "Reader 10.4".

Breakdown:

Reader: Matches the text "Reader".

[1][0]: Matches "10" as a combination of two characters.

\.: Matches the literal period.

[0-3]: Matches any single digit between 0 and 3.

Option D: Reader( )[1][0] X.[1-3:

Incorrect. The syntax X.[1-3 is invalid, and this does not match the required versions.

Conclusion:The regex in Option C correctly identifies all affected versions (10.0, 10.1, 10.2, 10.3) while excluding the unaffected version (10.4).

According to SecurityX CAS-005 threat intelligence and testing objectives, a honeypot is a decoy system designed to lure attackers, allowing security teams to observe new tactics, techniques, and procedures (TTPs) in a controlled environment.

An IPS is designed to block known attacks but not discover new ones.

Sandboxing is useful for analyzing suspicious files or malware samples but not for attracting live, unknown attack attempts.

Scanning for IoCs detects known compromise indicators, not new, emerging attacks.A honeypot directly supports proactive attack discovery and analysis.

To keep the mail server up to date with indicators of compromise (IoCs) and block known-malicious emails, the security architect needs mechanisms to ingest new threat intelligence and apply it dynamically. The best solutions are:

Threat Feed API (B): This provides automated updates from external or commercial threat intelligence providers. By integrating a threat feed, the mail server can regularly fetch IoCs such as malicious domains, IPs, or attachment hashes.

Webhooks (D): These allow real-time or near real-time updates when new IoCs are published. Instead of waiting for scheduled pulls, the mail server can receive push notifications with updated indicators, ensuring rapid response to evolving threats.

Other options are less effective. Log analyzers (A) assist with monitoring but don’t actively update or block threats. A scheduled task (C) may automate local operations but lacks the external intelligence integration required. Inbox deletion code (E) is reactive and inefficient. A security runbook (F) defines processes but does not technically enable automated updates.

Thus, the combination of Threat Feed APIs and Webhooks provides continuous, automated IoC ingestion, reducing exposure to malicious email campaigns.

Managing telemetry and differentiating it by office requires a way to categorize data. Let’s evaluate:

A. Sensor placement:Useful for data collection but doesn’t inherently differentiate by office.

B. Data labeling:Assigns metadata (e.g., office location) to telemetry, enabling differentiation. This aligns with CAS-005’s focus on data management for security operations.

C. Continuous monitoring:Ensures ongoing data collection but doesn’t address differentiation.

For SSDs,incinerationis considered the most secure method of physical destruction, ensuring no data remanence. SSDs store data differently compared to traditional spinning disks, making degaussing ineffective. Overwriting and formatting may not reliably erase all storage cells due to wear-leveling technologies. Shredding may work if the granularity is extremely fine, but incineration guarantees complete destruction beyond recovery.

This scenario describes an attack where the attacker mimics the CEO’s voice to deceive the CFO, likely using AI-generated audio. According to the CompTIA SecurityX CAS-005 study guide (Domain 1: Security Strategy and Risk Management, 1.2), a deepfake attack involves using artificial intelligence to create realistic but fake audio, video, or other media to impersonate someone. In this case, the voice similarity suggests a deepfake audio attack, which is a targeted social engineering tactic.

Option A:Smishing involves SMS-based phishing, not voicecalls.

Option C:Automated exploit generation refers to creating software exploits, not impersonation.

Option D:Spear phishing targets specific individuals but typically via email, not voice-based impersonation.

Option B:Deepfake is the most accurate, as it describes AI-driven impersonation of the CEO’s voice.

The logs show that the user connected fromToronto (104.18.16.29)andLos Angeles (95.67.137.12)within minutes. The sudden location change is a typical trigger forgeoblocking in a Next-Generation Firewall (NGFW), leading to theHR System being denied.

A compromised account (B)would show failed login attempts or unusual activities, but all other access attempts were allowed.

Business hours restriction (C)is unlikely since the user was granted access earlier.

Approved subnet issues (D)would affect all applications, not just HR System access.

The data provided shows that all companies have SIEM systems, but they differ in their implementation of UEBA, DLP, ISAC membership, and TIP integration. The key metric to evaluate is the effectiveness in detecting and responding to attacks, as shown by the "Time to Detect" and "Time to Respond" columns. Company 1, which is an ISAC member, has the fastest detection (10 minutes) and response (20 minutes) times. Company 3, which is not an ISAC member, has slower detection (12 minutes) and response (24 minutes) times, despite having UEBA and TIP integration. Company 2, which lacks TIP integration but is an ISAC member, has the slowest times (20 minutes to detect, 40 minutes to respond). This suggests that ISAC membership correlates with faster detection and response, likely due to access to shared threat intelligence.

According to the CompTIA SecurityX CAS-005 objectives (Domain 2: Security Operations, 2.2), Information Sharing and Analysis Centers (ISACs) are critical for enabling organizations to share real-timethreat intelligence within their industry. ISACs provide access to actionable intelligence, best practices, and coordinated response strategies, which are essential for defending against sophisticated attacks targeting critical infrastructure like the energy sector. The lack of ISAC membership (Company 3) limits access to this intelligence, hindering proactive defense and response capabilities. While UEBA, DLP, and TIP integration are valuable, they are more focused on internal monitoring, data protection,and individual threat intelligence feeds, respectively, and do not provide the same industry-wide collaboration as an ISAC.

The best step is to query user behavior analytics (UBA) data. SIEM alerts provide potential security events, but without additional context, they may lead to false positives. UBA solutions detect anomalies by comparing user activity against baselines of normal behavior, highlighting unusual login patterns, lateral movement, or privilege escalation.

Option A (password manager logs) focuses only on credential use and lacks behavioral insight. Option B (dark web monitoring) helps identify compromised accounts but does not investigate the internal incident. Option C (audit logs for privileged actions) is useful but narrow in scope—it only covers administrator accounts.

By correlating SIEM data with UBA, the engineer can validate whether the flagged activity indicates real malicious behavior or benign anomalies. CAS-005 emphasizes advanced analytics integration (UEBA/UBA) to strengthen investigation and reduce false positives, making Option D the most effective choice.

The provided code snippet shows a script that captures the user's cookies and sends them to a remote server. This type of attack is characteristic of Cross-Site Scripting (XSS), specifically stored XSS, where the malicious script is stored on the target server (e.g., in a database) and executed in the context of users who visit the infected web page.

A. XSRF (Cross-Site Request Forgery) attack: This involves tricking the user into performing actions on a different site without their knowledge but does not involve stealing cookies via script injection.

B. Command injection: This involves executing arbitrary commands on the host operating system, which is not relevant to the given JavaScript code.

C. Stored XSS: The provided code snippet matches the pattern of a stored XSS attack, where the script is injected into a web page, and when users visit the page, the script executes and sends theuser's cookies to the attacker's server.

D. SQL injection: This involves injecting malicious SQL queries into the database and is unrelated to the given JavaScript code.

The best solution is to provide a hash of all data made available (D). Hashing ensures the integrity of the threat intelligence data provided to customers. Clients can verify that the data received via API matches the published hash, ensuring no tampering occurred in transit or at rest. This supports customer trust and aligns with the objective of protecting data integrity while maintaining availability.

Option A (API secret keys) improves authentication and reduces attack surface but does not address integrity or compute efficiency. Option B (publishing IoCs publicly) increases attack surface and reduces control over distribution, which conflicts with security objectives. Option C (rate limiting) helps availability and cost control but does not guarantee data integrity.

By providing hashes, the company ensures customers can validate authenticity regardless of delivery method, reducing the risk of manipulated IoCs. This approach also minimizes compute spend since hashing is lightweight compared to continuous verification processes.

Therefore, the strongest alignment with all stated objectives—availability, reduced spend, reduced attack surface, and integrity—is achieved by providing hashes of all threat intelligence data.

The best approach is to use Terraform scripts while creating golden images (A). Terraform is an Infrastructure as Code (IaC) tool that allows organizations to automate infrastructure deployment consistently across environments. A golden image is a pre-configured, patched, and hardened system image used as a standard baseline. By creating golden images via Terraform scripts, the company ensures that every microservice instance is deployed on an already-updated and secure OS. This eliminates the need for repeatedly patching the base OS before code deployment.

Option B (cron job with apt-update) applies patches but introduces delays (every 30 days) and lacks consistency across new deployments. Option C (snapshots) saves deployment states but risks replicating outdated or unpatched images. Option D (centralized update server) is useful but still requires updates post-deployment, which slows the rollout of microservices.

By automating golden image creation through Terraform, the company gains efficiency, repeatability, and security assurance, aligning with DevSecOps principles and CAS-005 cloud-native best practices.

Homomorphic encryption allows computations to be performed on encrypted data without decrypting it, preserving confidentiality. However, its adoption faces significant challenges due to performance overhead. According to the CompTIA SecurityX CAS-005 study materials (Domain 3: Cybersecurity Technology, 3.3), homomorphic encryption requires substantial computational resources, which standard processors struggle to provide efficiently. Specialized hardware, such as coprocessors (e.g., GPUs or TPUs), is oftenneeded to handle the complex mathematical operations involved. The lack of widespread, optimized coprocessor support in existing infrastructure is a primary barrier to adoption.

Option A (Incomplete mathematical primitives):While early homomorphic encryption schemes had limitations, modern schemes (e.g., CKKS, BFV) have mature mathematical foundations, making this less of a challenge today.

Option B (No use cases):Use cases exist, such as secure cloud computing and privacy-preserving data analytics, so this is not accurate.

Option C (Quantum computers):Homomorphic encryption is not dependent on quantum computing, and quantum computers are unrelated to its current challenges.

Option D (Insufficient coprocessor support):This is the most accurate, as performance bottlenecks require specialized hardware that is not yet widely available or integrated.

Geofencingallows the device to be restricted based on its physical location — disabling or locking devices when they move outside of trusted zones.Full disk encryptionensures that if a device is lost, the data remains inaccessible to unauthorized users. Containerization protects specific apps or data, but does not disable the entire device. Patch management, allow/blocklists, and geotagging serve other important functions but are not directly linked to the requirements in this scenario.

The error message"NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM" indicates that the web browser is rejecting the certificate because it uses a weak signature algorithm. This commonly happens with self-signed certificates, which often use outdated or insecure algorithms.

Why Discontinue Self-Signed Certificates?

Security Compliance: Modern browsers enforce strict security standards and may reject certificates that do not comply with these standards.

Trusted Certificates: Using certificates from a trusted Certificate Authority (CA) ensures compliance with security standards and is less likely to be flagged as insecure.

Weak Signature Algorithm: Self-signed certificates might use weak algorithms like MD5 or SHA-1, which are considered insecure.

Other options do not address the specific cause of the certificate error:

A. Rewriting legacy web functions: Does not address the certificate issue.

B. Disabling deprecated ciphers: Useful for improving security but not related to the certificate error.

C. Blocking non-essential ports: This is unrelated to the issue of certificate validation.

Sinkholing, or DNS sinkholing, is a method used to redirect malicious traffic to a safe destination. This technique is often employed by security teams to prevent access to malicious domains by substituting a benign destination IP address.

In the given logs, users from the finance department are accessing www.bank.com and receiving HTTP status code 495. This status code is typically indicative of a client certificate error, which can occur if the DNS traffic is being manipulated or redirected incorrectly. The consistency in receiving the same HTTP status code across different users suggests a systematic issue rather than an isolated incident.

Recursive DNS resolution failure (A) would generally lead to inability to resolve DNS at all, not to a specific HTTP error.

DNS poisoning (B) could result in usersbeing directed to malicious sites, but again, would likely result in a different set of errors or unusual activity.

Incorrect DNS setup (D) would likely cause broader resolution issues rather than targeted errors like the one seen here.

By reviewing the provided data, it is evident that the DNS traffic for www.bank.com is being rerouted improperly, resulting in consistent HTTP 495 errors for the finance department users. Hence, the most likely cause is that the DNS traffic is being sinkholed.

Whencreating a threat model to identify vulnerabilities in an organization's infrastructure, prioritizing external-facing infrastructure with known exploited vulnerabilities is critical. Here’s why:

Exposure to Attack: External-facinginfrastructure is directly exposed to the internet, making it a primary target for attackers. Any vulnerabilities in this layer pose an immediate risk to the organization's security.

Known Exploited Vulnerabilities: Vulnerabilities that are already known and exploited in the wild are of higher concern because they are actively being used by attackers. Addressing these vulnerabilities reduces the risk of exploitation significantly.

Risk Mitigation: By prioritizing external-facing infrastructure with known exploited vulnerabilities, the organization can mitigate the most immediate and impactful threats, thereby improving overall security posture.

The goal is to optimize bandwidth, increase speed, and maintain threat visibility in a low-bandwidth satellite office.Local cachingstores frequently accessed data locally, reducing bandwidth usage by minimizing repeated requests to external or internal resources. It speeds up access and doesn’t inherently reduce security visibility if paired with monitoring tools.

Option A:Distributed connection allocation might balance traffic but doesn’t directly reduce bandwidth usage or speed up access.

Option B:Local caching is ideal—reduces bandwidth, improves performance, and maintains visibility with proper security controls.

Option C:A CDN is great for external content delivery but less relevant for internal resources and doesn’t inherently address threat visibility.

Option D:SD-WAN improves WAN performance, but "vertical heterogeneity" is vague and not a standard term; it’s less tailored to this scenario than caching.