Question 1

[Security Architecture]
Users are willing passwords on paper because of the number of passwords needed in an
environment. Which of the following solutions is the best way to manage this situation and decrease
risks?

Accepted Answer

B

Explanation: The core issue is password fatigue, where users must manage too many credentials, leading them to engage in insecure practices like writing passwords down. A Single Sign-On (SSO) solution directly addresses this root cause. By implementing SSO, users authenticate once to a central service and are then granted access to multiple integrated applications without re-entering credentials. This drastically reduces the number of passwords a user needs to remember, eliminating the primary motivation for writing them down. SSO also enhances security by providing a single, centrally managed, and auditable point of authentication that can be more robustly protected.

Question 2

[Emerging Technologies and Threats]
Due to locality and budget constraints, an organization’s satellite office has a lower bandwidth
allocation than other offices. As a result, the local securityinfrastructure staff is assessing
architectural options that will help preserve network bandwidth and increase speed to both internal
and external resources while not sacrificing threat visibility. Which of the following would be the best
option to implement?

Accepted Answer

B

Explanation: Local caching is the most effective solution for this scenario. A local caching server, often part of a proxy or WAN optimization controller, stores frequently accessed content within the satellite office's network. When a user requests this content again, it is delivered from the local cache at LAN speed, rather than being re-fetched over the constrained WAN link. This directly addresses the core requirements by preserving bandwidth and increasing speed for both internal and external resources. Modern caching proxies can also function as secure web gateways, inspecting traffic for threats and thus maintaining security visibility.

Question 3

[Security Engineering and Cryptography]
A developer needs toimprove the cryptographic strength of a password-storage component in a web
application without completely replacing the crypto-module. Which of the following is the most
appropriate technique?

Accepted Answer

E

Explanation: Key stretching is a cryptographic technique specifically designed to enhance the security of password-based systems. It increases the computational work required to verify a password by repeatedly applying a cryptographic hash function to the password and a salt. This process, implemented by algorithms like PBKDF2, bcrypt, and scrypt, makes brute-force and dictionary attacks significantly slower and more resource-intensive for an attacker. This directly addresses the developer's need to improve the cryptographic strength of the password-storage component without replacing the entire crypto-module, as it builds upon existing hash functions.

Question 4

[Emerging Technologies and Threats] Which of the following AI concerns is most adequately addressed by input sanitation?

Accepted Answer

B

Explanation: Prompt injection is an attack technique that involves crafting malicious inputs to manipulate a Large Language Model (LLM) into performing unintended actions, such as ignoring previous instructions or revealing sensitive information. This attack fundamentally exploits the model's input processing channel. Input sanitation, a security control that involves filtering, validating, and cleaning user-provided data before it is processed, is a direct and primary countermeasure. By sanitizing the prompt, a system can attempt to remove or neutralize the malicious instructions, thereby mitigating the risk of the model being compromised by the injected content.

Question 5

[Security Architecture]
A security analyst is troubleshooting the reason a specific user is having difficulty accessing company
resources The analyst reviews the following information:
CAS-005 practice exam questions

Which of the following is most likely the cause of the issue?

Accepted Answer

D

Explanation: The SIEM log displays classic indicators of a brute-force or password spraying attack: an extremely high count (1024) of failed login attempts for a privileged account ('admin') from a single source IP. The SIEM has correctly analyzed this, assigned a high-risk score (95), and provided a "Disable Account" recommendation. The most appropriate and mature security response is to implement automation, often via a Security Orchestration, Automation, and Response (SOAR) platform, to execute this recommendation automatically. This approach minimizes the mean time to respond (MTTR), contains the threat immediately, and hardens the security posture against future, similar attacks without requiring manual intervention for every incident.

Question 6

[Governance, Risk, and Compliance (GRC)]
An audit finding reveals that a legacy platform has not retained loos for more than 30 days The
platform has been segmented due to its interoperability with newer technology. As a
temporarysolution, the IT department changed the log retention to 120 days. Which of the following
should the security engineer do to ensure the logs are being properly retained?

Accepted Answer

C

Explanation: The most appropriate and robust solution to ensure logs are properly retained in an enterprise environment is to use a Security Information and Event Management (SIEM) system. A SIEM is specifically designed to collect, aggregate, normalize, and securely store logs from disparate sources, including legacy platforms. By forwarding the logs from the legacy system to the SIEM, the organization centralizes log management, overcomes the local storage limitations of the legacy platform, and ensures compliance with long-term retention policies mandated by the audit. This approach provides a scalable, secure, and searchable archive for forensic analysis and compliance reporting.

Question 7

[Security Operations] After an incident response exercise, a security administrator reviews the following table: https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Security_X_CASP+_CAS-005/page_62_img_1.jpg Which of the following should the administrator do to beat support rapid incident response in the future?

Accepted Answer

B

Explanation: The incident table reveals a 30-minute delay between the detection of the phone system outage (08:00) and the notification to IT support (08:30). This gap occurred because the notification method was reactive, relying on a user to report the problem. To accelerate future incident response, the organization must improve its proactive monitoring capabilities. Enabling dashboards for service status monitoring provides real-time, centralized visibility into the health of critical systems. This allows the IT and security teams to identify and begin investigating issues as soon as they are detected by monitoring tools, rather than waiting for manual user reports, thereby significantly reducing the Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).

Question 8

[Security Engineering and Cryptography] Emails that the marketing department is sending to customers are pomp to the customers' spam folders. The security team is investigating the issue and discovers that the certificates used by the email server were reissued, but DNS records had not been updated. Which of the following should the security team update in order to fix this issue? (Select three.)

Accepted Answer

A, B, C

Explanation: The problem describes emails being sent to spam, which is a common symptom of email authentication failure. Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) are the three primary DNS-based technologies used to authenticate email and prevent spoofing. SPF is a TXT record that lists authorized mail servers for a domain. DKIM uses a public key published in a DNS TXT record to verify a digital signature on the email. A reissued certificate often involves new cryptographic keys, requiring an update to the DKIM record. DMARC is a TXT record that defines the policy for handling emails that fail SPF or DKIM checks. Updating these three records ensures that the sender's identity is properly authenticated by receiving mail servers, which resolves the issue of legitimate emails being marked as spam.

Question 9

[Security Architecture] A security analyst is troubleshooting the reason a specific user is having difficulty accessing company resources The analyst reviews the following information: https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Security_X_CASP+_CAS-005/page_82_img_1.jpg Which of the following is most likely the cause of the issue?

Accepted Answer

B

Explanation: The user's access was denied due to the failure of the "Require MFA from untrusted locations" Conditional Access Policy. This policy was triggered because the user's IP address (198.51.100.23) was geolocated to Argentina. If the user is a legitimate employee attempting to access resources from a known trusted location (e.g., a corporate office or home network), this log indicates the IP geolocation service used by the authentication server is inaccurate. This misidentification of the user's true location is the most likely root cause for the application of a stricter, location-based policy that the user subsequently failed.

Question 10

[Security Architecture]
A senior security engineer flags the following log file snippet as having likely facilitated an attacker’s
lateral movement in a recent breach:
qry_source: 19.27.214.22 TCP/53
qry_dest: 199.105.22.13 TCP/53
qry_type: AXFR
| in comptia.org
------------ directoryserver1 A 10.80.8.10
------------directoryserver2 A 10.80.8.11
------------ directoryserver3 A 10.80.8.12
------------ internal-dns A 10.80.9.1
----------- www-int A 10.80.9.3
------------ fshare A 10.80.9.4
------------ sip A 10.80.9.5
------------ msn-crit-apcs A 10.81.22.33
Which of the following solutions, if implemented, would mitigate the risk of this issue reoccurring?

Accepted Answer

A

Explanation: The log snippet indicates a successful DNS zone transfer (qrytype: AXFR) was executed from an external IP address (19.27.214.22). This type of query allows an attacker to download the entire DNS zone file, revealing the internal network topology, hostnames, and IP addresses of sensitive servers (e.g., directoryserver1, msn-crit-apcs). This information is invaluable for reconnaissance and subsequent lateral movement. The most direct and effective mitigation is to configure the DNS server to disable or strictly control zone transfers, permitting them only from the IP addresses of authorized secondary DNS servers and denying all others.

Question 11

[Security Engineering and Cryptography] PKI can be used to support security requirements in the change management process. Which of the following capabilities does PKI provide for messages?

Accepted Answer

A

Explanation: Public Key Infrastructure (PKI) provides several security services through the use of asymmetric cryptography. For messages, the most relevant capability in a change management context is non-repudiation. This is achieved via digital signatures. A user signs a message (e.g., a change request or approval) with their private key. Anyone with the corresponding public key can verify the signature, which provides strong evidence that the message originated from the key holder and has not been altered. This prevents the sender from plausibly denying their involvement, which is a critical requirement for maintaining an auditable and accountable change management process.

Question 12

[Identity and Access Management (IAM)]
A cloud engineer needs to identify appropriate solutions to:
• Provide secure access to internal and external cloud resources.
• Eliminate split-tunnel traffic flows.
•Enable identity and access management capabilities.
Which of the following solutions arc the most appropriate? (Select two).

Accepted Answer

C, F

Explanation: A Secure Access Service Edge (SASE) architecture is the most comprehensive solution as it converges networking and security services into a single, cloud-delivered platform. SASE is explicitly designed to provide secure, identity-driven access to both internal and external resources from any location. A core tenet of SASE is to inspect all traffic by routing it through a cloud security stack, which directly addresses the requirement to eliminate split-tunneling. A Cloud Access Security Broker (CASB) is a critical security component, often integrated within a SASE framework. It acts as a policy enforcement point between users and cloud services, providing visibility, data security, and threat protection. It directly enables secure access to cloud resources and integrates with identity and access management (IAM) systems to enforce granular policies.

Question 13

[Security Architecture]
A financial services organization is using Al lo fully automate the process of deciding client loan rates
Which of the following should the organization be most concerned about from a privacy perspective?

Accepted Answer

A

Explanation: In the context of fully automated financial decisions, model explainability is the paramount privacy concern. Regulations such as the GDPR provide individuals with a "right to explanation" for automated decisions that have significant legal or financial effects. A lack of explainability means the organization cannot determine if the AI model is using sensitive personal data to make biased or discriminatory decisions based on protected characteristics (e.g., race, gender, age). This inability to audit the AI's logic creates a significant risk of privacy violations, regulatory non-compliance, and harm to individuals, as the basis for the assigned loan rate remains an opaque "black box."

Question 14

[Governance, Risk, and Compliance (GRC)]
An auditor is reviewing the logs from a web application to determine the source of an incident. The
web application architecture includes an internet-accessible application load balancer, a number of
web servers in a private subnet, application servers, and one database server in a tiered
configuration. The application load balancer cannot store the logs. The following are sample log
snippets:
Web server logs:
192.168.1.10 - -
[24/Oct/2020 11:24:34 +05:00] "GET /bin/bash" HTTP/1.1" 200 453 Safari/536.36
192.168.1.10 - -
[24/Oct/2020 11:24:35 +05:00] "GET / HTTP/1.1" 200 453 Safari/536.36
Application server logs:
24/Oct/2020 11:24:34 +05:00 - 192.168.2.11 - request does not match a known local user. Querying
DB
24/Oct/2020 11:24:35 +05:00 - 192.168.2.12 - root path. Begin processing
Database server logs:
24/Oct/2020 11:24:34 +05:00
[Warning] 'option read_buffer_size1 unassigned value 0 adjusted to 2048
24/Oct/2020 11:24:35 +05:00
[Warning] CA certificate ca.pem is self-signed.
Which of the following should the auditor recommend to ensure future incidents can be traced back
to the sources?

Accepted Answer

A

Explanation: The web server logs indicate that all incoming requests originate from the IP address 192.168.1.10, which is the internal IP of the application load balancer. This configuration masks the true source IP address of the external client, making incident tracing impossible. The X-Forwarded-For (XFF) HTTP header is a standard mechanism used by proxies and load balancers to carry the original client's IP address. By enabling the load balancer to add this header to requests it forwards, and configuring the web servers to log this header's value, the true source IP can be recorded, allowing for effective incident tracing.

Question 15

[Security Architecture] Which of the following are risks associated with vendor lock-in? (Select two).

Accepted Answer

B, D

Explanation: Vendor lock-in describes a situation where a client is dependent on a single vendor for products or services and cannot easily switch to another vendor without substantial costs or operational disruption. This dependency creates several risks. A primary risk is that the vendor, facing little competition for the client's business, can unilaterally change product offerings, pricing, or terms, leaving the client with no viable alternative. Another significant risk is a decreased quality of service, as the vendor may have less incentive to maintain high standards when the client is effectively "trapped."

Free CompTIA SecurityX / CASP+ CAS-005 Actual Exam Questions