CAS-005 Online Practice Questions and Answers

Correct Answer: A

Analysis and Remediation Options for Each IoC:

IoC 1:

Evidence:

Analysis:

Remediation:

IoC 2:

Evidence:

Analysis:

Remediation:

IoC 3:

Evidence:

Analysis:

Remediation:

References:

CompTIA Security+ Study Guide: This guide offers detailed explanations on identifying and mitigating various types of Indicators of Compromise (IoCs) and the corresponding analysis and remediation strategies. CompTIA Security+ Exam

Objectives: These objectives cover key concepts in network security monitoring and incident response, providing guidelines on how to handle different types of security events.

Security Operations Center (SOC) Best Practices: This resource outlines effective strategies for analyzing and responding to anomalous events within a SOC, including the use of blocklists, endpoint controls, and network configuration

changes.

By accurately analyzing the nature of each IoC and applying the appropriate remediation measures, the organization can effectively mitigate potential security threats and maintain a robust security posture.

Correct Answer: A

Task 1) An administrator added a rule to allow their machine terminal server access to the server subnet. This rule is not working. Identify the rule and correct this issue.

The rule shown in the image below is the rule in question. It is not working because the action is set to Deny.

This needs to be set to Permit.

Task 2) All web servers have been changed to communicate solely over SSL. Modify the appropriate rule to allow communications.

The web servers rule is shown in the image below. Port 80 (HTTP) needs to be changed to port 443 for HTTPS (HTTP over SSL).

Task 3) An administrator added a rule to block access to the SQL server from anywhere on the network. This rule is not working. Identify and correct this issue.

The SQL Server rule is shown in the image below. It is not working because the protocol is wrong. It should be TCP, not UDP.

Task 4) Other than allowing all hosts to do network time and SSL, modify a rule to ensure that no other traffic is allowed.

The network time rule is shown in the image below.

However, this rule is not being used because the `any' rule shown below allows all traffic and the rule is placed above the network time rule. To block all other traffic, the `any' rule needs to be set to Deny, not Permit and the rule needs to be

placed below all the other rules (it needs to be placed at the bottom of the list to the rule is enumerated last).

Correct Answer: CF

To provide secure access to internal and external cloud resources, eliminate split-tunnel traffic flows, and enable identity and access management capabilities, the most appropriate solutions are CASB (Cloud Access Security Broker) and

SASE (Secure Access Service Edge).

Why CASB and SASE?

CASB (Cloud Access Security Broker):

SASE (Secure Access Service Edge):

Other options, while useful, do not comprehensively address all the requirements:

A. Federation: Useful for identity management but does not eliminate split-tunnel traffic or provide comprehensive security.

B. Microsegmentation: Enhances security within the network but does not directly address secure access to cloud resources or split-tunnel traffic. D. PAM (Privileged Access Management): Focuses on managing privileged accounts and does not provide comprehensive access control for internal and external resources. E. SD-WAN: Enhances WAN performance but does not inherently provide the identity and access management capabilities or eliminate split-tunnel traffic. References: CompTIA SecurityX Study Guide "CASB: Cloud Access Security Broker," Gartner Research

Correct Answer: A

The most appropriate solution for the systems engineer to deploy is SELinux (Security- Enhanced Linux). Here's why:

Mandatory Access Control (MAC): SELinux enforces MAC policies, ensuring that only authorized users and processes can access specific resources. This helps in preventing unauthorized reading and modification of data and programs.

Access Vector Cache: SELinux utilizes an access vector cache (AVC) to improve performance. The AVC caches access decisions, reducing the need for repetitive policy lookups and thus improving system efficiency. Security Mechanisms:

SELinux provides a robust framework to enforce security policies and prevent bypassing of application security mechanisms. It controls access based on defined policies, ensuring that security measures are consistently applied. Privilege

Escalation and Process Interference: SELinux limits the ability of processes to escalate privileges and interfere with each other by enforcing strict access controls. This containment helps in isolating processes and minimizing the risk of

privilege escalation attacks.

References:

Correct Answer: A

The scenario describes a sophisticated attack where the threat actor used steganography within LDAP to exfiltrate data. Given that the hardware and OS firmware were validated and found uncompromised, the attack vector likely exploited a

network communication channel. To mitigate such risks, enforcing allow lists for authorized network ports and protocols is the most effective strategy.

Here's why this option is optimal:

Port and Protocol Restrictions: By creating an allow list, the organization can restrict communications to only those ports and protocols that are necessary for legitimate business operations. This reduces the attack surface by preventing

unauthorized or unusual traffic.

Network Segmentation: Enforcing such rules helps in segmenting the network and ensuring that only approved communications occur, which is critical in preventing data exfiltration methods like steganography. Preventing Unauthorized

Access: Allow lists ensure that only predefined, trusted connections are allowed, blocking potential paths that attackers could use to infiltrate or exfiltrate data.

Other options, while beneficial in different contexts, are not directly addressing the network communication threat:

B. Measuring and attesting to the entire boot chain: While this improves system integrity, it doesn't directly mitigate the risk of data exfiltration through network channels. C. Rolling the cryptographic keys used for hardware security modules:

This is useful for securing data and communications but doesn't directly address the specific method of exfiltration described. D. Using code signing to verify the source of OS updates: Ensures updates are from legitimate sources, but it

doesn't mitigate the risk of network-based data exfiltration.

References:

CompTIA SecurityX Study Guide

NIST Special Publication 800-41, "Guidelines on Firewalls and Firewall Policy" CIS Controls Version 8, Control 9: Limitation and Control of Network Ports, Protocols, and Services

Correct Answer: D

The best way to prevent application-focused attacks for a platform-as-a- service solution with a web-based front end is to create Web Application Firewall (WAF) policies for relevant programming languages. Here's why:

Application-Focused Attack Prevention: WAFs are designed to protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. They help prevent attacks such as SQL injection, cross-site scripting

(XSS), and other application-layer attacks.

Customizable Rules: WAF policies can be tailored to the specific programming languages and frameworks used by the web application, providing targeted protection based on known vulnerabilities and attack patterns. Real-Time Protection:

WAFs provide real-time protection, blocking malicious requests before they reach the application, thereby enhancing the security posture of the platform.

Correct Answer: C

The most secure way to prevent inadvertent data disclosure when encrypted SSDs are reused is to securely delete the encryption keys used by the SSD. Without the encryption keys, the data on the SSD remains encrypted and is effectively

unreadable, rendering any residual data useless. This method is more reliable and efficient than overwriting data multiple times or using other physical destruction methods.

References:

CompTIA SecurityX Study Guide: Highlights the importance of managing encryption keys and securely deleting them to protect data. NIST Special Publication 800-88, "Guidelines for Media Sanitization":

Recommends cryptographic erasure as a secure method for sanitizing encrypted storage devices.

Correct Answer: C

Correct Answer: C

The most effective method for a security analyst to review suspicious email attachments is to use sandboxing. This approach allows the attachments to be executed in a safe, isolated environment, making it possible to observe any malicious activities without risking the integrity of the actual systems. Sandboxing offers a comprehensive and efficient way to analyze potentially harmful content in email attachments.

Correct Answer: A

Deploying the application using a cloud container service aligns well with the specified security and organizational infrastructure requirements. It ensures sessionless, API-based operation, supports ephemeral storage for uploaded documents with PII, enables on-demand scalability across multiple nodes, and facilitates strict restriction of network access except for the TLS port.