CAS-005 Online Practice Questions and Answers

Correct Answer: A

Matching Relevant Findings to the Affected Hosts:

Finding 1:

Finding 2:

Finding 3:

Corrective Actions for Finding 3:

Finding 3 Corrective Action:

Replication to Site B for Finding 1:

Replication to Site B for Finding 2:

Configuration Changes for Finding 3:

References:

CompTIA Security+ Study Guide: This guide provides detailed information on disaster recovery and continuity of operations, emphasizing the importance of replicating critical services and making necessary configuration changes to ensure

seamless operation during disruptions.

CompTIA Security+ Exam Objectives: These objectives highlight key areas in disaster recovery planning, including the replication of critical services and network configuration adjustments.

Disaster Recovery and Business Continuity Planning (DRBCP): This resource outlines best practices for ensuring that operations can continue at an alternate site during a disaster, including the replication of essential services and network

stability measures.

By ensuring that critical services like DNS and control systems for pumps are replicated at the alternate site, and by addressing network routing issues through proper BGP configuration, the organization can maintain operational continuity

and minimize the impact of natural disasters on their operations.

Correct Answer: A

Task 1) An administrator added a rule to allow their machine terminal server access to the server subnet. This rule is not working. Identify the rule and correct this issue.

The rule shown in the image below is the rule in question. It is not working because the action is set to Deny.

This needs to be set to Permit.

Task 2) All web servers have been changed to communicate solely over SSL. Modify the appropriate rule to allow communications.

The web servers rule is shown in the image below. Port 80 (HTTP) needs to be changed to port 443 for HTTPS (HTTP over SSL).

Task 3) An administrator added a rule to block access to the SQL server from anywhere on the network. This rule is not working. Identify and correct this issue.

The SQL Server rule is shown in the image below. It is not working because the protocol is wrong. It should be TCP, not UDP.

Task 4) Other than allowing all hosts to do network time and SSL, modify a rule to ensure that no other traffic is allowed.

The network time rule is shown in the image below.

However, this rule is not being used because the `any' rule shown below allows all traffic and the rule is placed above the network time rule. To block all other traffic, the `any' rule needs to be set to Deny, not Permit and the rule needs to be

placed below all the other rules (it needs to be placed at the bottom of the list to the rule is enumerated last).

Correct Answer:

We have traffic coming from two rogue IP addresses: 192.10.3.204 and 192.10.3.254 (both in the 192.10.30.0/24 subnet) going to IPs in the corporate site subnet (192.10.1.0/24) and the remote site subnet (192.10.2.0/24). We need to Deny (block) this traffic at the firewall by ticking the following two checkboxes:

Correct Answer: C

The best solution to harden a three-tier environment (web, database, and application servers) is to implement microsegmentation on the server VLANs. Here's why:

Enhanced Security: Microsegmentation creates granular security zones within the data center, allowing for more precise control over east-west traffic between servers. This helps prevent lateral movement by attackers who may gain access

to one part of the network.

Isolation of Tiers: By segmenting the web, database, and application servers, the organization can apply specific security policies and controls to each segment, reducing the risk of cross-tier attacks. Compliance and Best Practices:

Microsegmentation aligns with best practices for network security and helps meet compliance requirements by ensuring that sensitive data and systems are properly isolated and protected.

Correct Answer: AF

A. Implementing allow lists: Allow lists (whitelisting) restrict network communication to only authorized devices and applications, significantly reducing the attack surface by ensuring that only pre-approved traffic is permitted. F. Implementing a

site-to-site IPSec VPN: A site-to-site VPN provides a secure, encrypted tunnel for data transmission between the OT systems and the vendor, protecting the data from interception and tampering during transit.

Other options:

B. Monitoring network behavior: While useful for detecting anomalies, it does not proactively reduce the risk of compromise or sabotage. C. Encrypting data at rest: Important for protecting data stored on devices, but does not address network

communication risks. D. Performing boot integrity checks: Ensures the integrity of the system at startup but does not protect ongoing network communications. E. Executing daily health checks: Useful for maintaining system health but does

not directly reduce the risk of network-based compromise or sabotage.

References:

CompTIA Security+ Study Guide

NIST SP 800-82, "Guide to Industrial Control Systems (ICS) Security" "Industrial Network Security" by Eric D. Knapp and Joel Thomas Langill

Correct Answer: A

Risk appetite is the amount of risk an organization is willing to accept to achieve its objectives. When operating with a constrained budget, understanding the organization's risk appetite is crucial because:

It helps prioritize security investments based on the level of risk the organization is willing to tolerate.

High-impact, low-likelihood events may be deemed acceptable if they fall within the organization's risk appetite, allowing for budget allocation to other critical areas. Properly understanding and defining risk appetite ensures that limited

resources are used effectively to manage risks that align with the organization's strategic goals.

References:

CompTIA Security+ Study Guide

NIST Risk Management Framework (RMF) guidelines

ISO 31000, "Risk Management ?Guideline";

Correct Answer: C

Preparing communication templates that have been vetted by both internal and external counsel ensures that the organization can respond quickly and effectively to internal and external inquiries, comply with regulatory requirements, and

provide transparency in the event of a breach.

Why Communication Templates?

Timely Response: Pre-prepared templates ensure that responses are ready to be deployed quickly, reducing response time.

Regulatory Compliance: Templates vetted by counsel ensure that all communications meet legal and regulatory requirements. Consistent Messaging: Ensures that all responses are consistent, clear, and accurate, maintaining the

organization's credibility. Crisis Management: Pre-prepared templates are a critical component of a broader crisis management plan, ensuring that all stakeholders are informed appropriately. Other options, while useful, do not provide the

same level of preparedness and compliance:

A. Outsourcing to an external consultant: This may delay response times and lose internal control over the communication.

B. Integrating automated response mechanisms: Useful for efficiency but not for ensuring compliant and vetted responses.

D. Conducting lessons-learned activities: Important for improving processes but does not provide immediate preparedness for communication.

References:

CompTIA SecurityX Study Guide

NIST Special Publication 800-61 Revision 2, "Computer Security Incident Handling Guide"

ISO/IEC 27002:2013, "Information technology -- Security techniques -- Code of practice for information security controls"

Correct Answer: AB

When dealing with false positives and false negatives reported by a Security Information and Event Management (SIEM) system, the goal is to enhance the accuracy of the alerts and ensure that actual threats are identified correctly. The following sources of information best support the analysis process:

A. Third-party reports and logs: Utilizing external sources of information such as threat intelligence reports, vendor logs, and other third-party data can provide a broader perspective on potential threats. These sources often contain valuable

insights and context that can help correlate events more accurately, reducing the likelihood of false positives and false negatives. B. Trends: Analyzing trends over time can help in understanding patterns and anomalies in the data. By

observing trends, the security team can distinguish between normal and abnormal behavior, which aids in fine-tuning the SIEM configurations to better detect true positives and reduce false alerts.

Other options such as dashboards, alert failures, network traffic summaries, and manual review processes are also useful but are more operational rather than foundational for understanding the root causes of reporting errors in SIEM

configurations.

References:

CompTIA SecurityX Study Guide: Emphasizes the importance of leveraging external threat intelligence and historical trends for accurate threat detection. NIST Special Publication 800-92, "Guide to Computer Security Log Management":

Highlights best practices for log management, including the use of third-party sources and trend analysis to improve incident detection. "Security Information and Event Management (SIEM) Implementation" by David Miller: Discusses the use

of external intelligence and trends to enhance SIEM accuracy.

Correct Answer: A

The best location to test a newly released feature for an internal application, without affecting the production environment, is the staging environment. Here's a detailed explanation:

Staging Environment: This environment closely mirrors the production environment in terms of hardware, software, configurations, and settings. It serves as a final testing ground before deploying changes to production. Testing in the staging

environment ensures that the new feature will behave as expected in the actual production setup.

Isolation from Production: The staging environment is isolated from production, which means any issues arising from the new feature will not impact the live users or the integrity of the production data. This aligns with best practices in change

management and risk mitigation.

Realistic Testing: Since the staging environment replicates the production environment, it provides realistic testing conditions. This helps in identifying potential issues that might not be apparent in a development or testing environment, which

often have different configurations and workloads.

Correct Answer: B

A centralized Software Bill of Materials (SBoM) is the best solution for identifying vulnerabilities in container images in a private repository. An SBoM provides a comprehensive inventory of all components, dependencies, and their versions

within a container image, facilitating quick evaluation and response to vulnerabilities.

Why Centralized SBoM?

Comprehensive Inventory: An SBoM lists all software components, including their versions and dependencies, allowing for thorough vulnerability assessments. Quick Identification: Centralizing SBoM data enables rapid identification of

affected containers when a vulnerability is disclosed.

Automation: SBoMs can be integrated into automated tools for continuous monitoring and alerting of vulnerabilities.

Regulatory Compliance: Helps in meeting compliance requirements by providing a clear and auditable record of all software components used. Other options, while useful, do not provide the same level of comprehensive and efficient

vulnerability management:

A. SAST scan reports: Focuses on static analysis of code but may not cover all components in container images.

C. CIS benchmark compliance reports: Ensures compliance with security benchmarks but does not provide detailed component inventory. D. Credentialed vulnerability scan: Useful for in-depth scans but may not be as efficient for quick vulnerability evaluation. References: CompTIA SecurityX Study Guide "Software Bill of Materials (SBoM)," NIST Documentation "Managing Container Security with SBoM," OWASP

Correct Answer: D

The TLS handshake errors indicate a TLS version mismatch between the VPN client and the OpenVPN server. Ensuring that both client and server configurations are aligned with compatible TLS versions and configurations is essential to resolving these errors and establishing a successful VPN connection.

Correct Answer: C

A Software Bill of Materials (SBOM) provides a comprehensive inventory of software components and libraries used in an application or device. It lists out all the dependencies and their versions, which is crucial for understanding the composition of applications, especially on unmanaged devices. In the context of the Log4j outbreak, having an SBOM would allow the security team to identify if any vulnerable versions of Log4j or other vulnerable software components are present on the unmanaged devices. This helps in assessing and mitigating risks associated with known vulnerabilities.

Correct Answer: D

Automating the process to disable terminated employees' accounts by integrating Active Directory (or any other authentication system) with the human resources information system (HRIS) is the best approach to reduce risks to the organization. By automating this process, the organization ensures that accounts are disabled promptly and consistently whenever an employee's termination date is updated in the HRIS. This reduces the window of opportunity for terminated employees to retain access to systems and sensitive information after leaving the organization.

Correct Answer: AD

Correct Answer: A