[Oct-2025] Check your preparation for CompTIA CAS-005 On-Demand Exam
Practice Exam CAS-005 Realistic Dumps Verified Questions
CompTIA CAS-005 Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
NEW QUESTION # 92
An auditor is reviewing the logs from a web application to determine the source of an incident. The web application architecture includes an internet-accessible application load balancer, a number of web servers in a private subnet, application servers, and one database server in a tiered configuration. The application load balancer cannot store the logs. The following are sample log snippets:
Web server logs:
192.168.1.10 - - [24/Oct/2020 11:24:34 +05:00] "GET /bin/bash" HTTP/1.1" 200 453 Safari/536.36
192.168.1.10 - - [24/Oct/2020 11:24:35 +05:00] "GET / HTTP/1.1" 200 453 Safari/536.36 Application server logs:
24/Oct/2020 11:24:34 +05:00 - 192.168.2.11 - request does not match a known local user. Querying DB
24/Oct/2020 11:24:35 +05:00 - 192.168.2.12 - root path. Begin processing Database server logs:
24/Oct/2020 11:24:34 +05:00 [Warning] 'option read_buffer_size1 unassigned value 0 adjusted to 2048
24/Oct/2020 11:24:35 +05:00 [Warning] CA certificate ca.pem is self-signed.
Which of the following should the auditor recommend to ensure future incidents can be traced back to the sources?
- A. Install a software-based HIDS on the application servers.
- B. Install a certificate signed by a trusted CA.
- C. Use stored procedures on the database server.
- D. Enable the X-Forwarded-For header at the load balancer.
- E. Store the value of the $_SERVER['REMOTE_ADDR'] received by the web servers.
Answer: D
Explanation:
The issue is tracing the original source of requests in a tiered architecture with a load balancer. The web server logs show internal IPs (192.168.1.10), not the external client IPs, because the load balancer forwards requests without preserving the source. Enabling theX-Forwarded-Forheader on the load balancer adds the client's original IP to the HTTP request headers, allowing downstream servers to log it. This ensures traceability without altering the architecture significantly.
* Option A:Correct-X-Forwarded-For is the standard solution for preserving client IPs through load balancers.
* Option B:A Host-based Intrusion Detection System (HIDS) detects anomalies but doesn't address IP traceability.
* Option C:A trusted CA certificate fixes the self-signed warning but is unrelated to source tracking.
* Option D:Stored procedures improve database security but don't help with IP logging.
* Option E:Storing $_SERVER['REMOTE_ADDR'] captures the load balancer's IP, not the client's, unless X-Forwarded-For is enabled.
NEW QUESTION # 93
An organization is prioritizing efforts to remediate or mitigate risks identified during the latest assessment.
For one of the risks, a full remediation was not possible, but the organization was able to successfully apply mitigations to reduce the likelihood of the impact. Which of the following should the organization perform next?
- A. Update the organization's threat model.
- B. Recalculate the magnitude of the impact.
- C. Assess the residual risk.
- D. Move to the next risk in the register.
Answer: C
Explanation:
After applying mitigations that reduce the likelihood of a risk's impact, the next step is toassess the residual risk-the risk that remains after controls are implemented. This ensures the organization understands if the mitigation is sufficient or if further action is needed, aligning with risk management best practices.
* Option A:Correct-residual risk assessment is the logical next step to evaluate the effectiveness of mitigations.
* Option B:Updating the threat model might follow but isn't immediate; residual risk comes first.
* Option C:Moving to the next risk skips evaluating the current mitigation's success.
* Option D:Recalculating impact magnitude is part of residual risk assessment but isn't the full process.
Reference:CompTIA SecurityX CAS-005 Domain 1: Risk Management - Risk Mitigation and Residual Risk Analysis.
NEW QUESTION # 94
PKI can be used to support security requirements in the change management process. Which of the following capabilities does PKI provide for messages?
- A. Confidentiality
- B. Non-repudiation
- C. Attestation
- D. Delivery receipts
Answer: B
Explanation:
Public Key Infrastructure (PKI) supports change management by securing messages (e.g., approvals, updates).
Non-repudiation, provided via digital signatures, ensures a sender cannot deny sending a message, critical for auditability in change processes.
* Option A:Correct-PKI's digital signatures ensure non-repudiation.
* Option B:Confidentiality (via encryption) is a PKI feature but less tied to change management's focus on accountability.
* Option C:Delivery receipts are not a PKI function; they're protocol-specific (e.g., SMTP).
* Option D:Attestation relates to verifying attributes, not a direct PKI message capability.
NEW QUESTION # 95
Embedded malware has been discovered in a popular PDF reader application and is currently being exploited in the wild. Because the supply chain was compromised, this malware is present in versions 10.0 through 10.3 of the software's official versions. The malware is not present in version 10.4.
Since the details around this malware are still emerging, the Chief Information Security Officer has asked the senior security analyst to collaborate with the IT asset inventory manager to find instances of the installed software in order to begin response activities. The asset inventory manager has asked an analyst to provide a regular expression that will identify the affected versions. The software installation entries are formatted as follows:
* Reader 10.0
* Reader 10.1
* Reader 10.2
* Reader 10.3
* Reader 10.4
Which of the following regular expression entries will accurately identify all the affected versions?
- A. Reader( )[1][0] X.[1-3:
- B. Reader( )[1][0].[0-3:
- C. Reader(*)[1][0].[0-4:
- D. Reader[11[01X.f0-3'
Answer: B
Explanation:
Comprehensive and Detailed Step-by-Step Explanation:
* Understand the Question Requirements:The goal is to use a regular expression (regex) to match software versions 10.0 through 10.3, but exclude version 10.4.
* Review Regex Syntax:
* [ ] indicates a character set (matches any one character in the set).
* [0-3] matches any digit between 0 and 3.
* \. escapes the period (.) so it matches a literal period instead of acting as a wildcard.
* ( ) groups parts of the regex together.
* Analyze Each Option:
* Option A: Reader(*)[1][0].[0-4:
* Incorrect. The use of (*) is not valid syntax in this context and [0-4 is incomplete or misformatted.
* Option B: Reader[11[01X.f0-3'
* Incorrect. This is an invalid regex syntax, mixing character sets and mismatched brackets.
* Option C: Reader( )[1][0].[0-3:
* Correct. This regex is valid and matches "Reader 10.0", "Reader 10.1", "Reader 10.2", and
"Reader 10.3" while excluding "Reader 10.4".
* Breakdown:
* Reader: Matches the text "Reader".
* [1][0]: Matches "10" as a combination of two characters.
* \.: Matches the literal period.
* [0-3]: Matches any single digit between 0 and 3.
* Option D: Reader( )[1][0] X.[1-3:
* Incorrect. The syntax X.[1-3 is invalid, and this does not match the required versions.
* Conclusion:The regex in Option C correctly identifies all affected versions (10.0, 10.1, 10.2, 10.3) while excluding the unaffected version (10.4).
References:
* CompTIA Advanced Security Practitioner (CASP+) Study Guide, Chapter on Vulnerability Management.
* CompTIA CASP+ Exam Objectives: "Analyze risks associated with new vulnerabilities."
* Regular Expressions Documentation from CASP+ Official Reference Materials.
Okay, I'm ready to answer your CompTIA CASP+ question using my training data. Here's the question and answer in the requested format:
NEW QUESTION # 96
A company's internal network is experiencing a security breach, and the threat actor is still active. Due to business requirements, users in this environment are allowed to utilize multiple machines at the same time. Given the following log snippet:
Which of the following accounts should a security analyst disable to best contain the incident without impacting valid users?
- A. user-d
- B. user-c
- C. user-a
- D. user-b
Answer: B
Explanation:
Useruser-cis showinganomalous behavior across multiple machines, attempting to run administrative tools such as cmd.exe and appwiz.CPL, which are commonly used by attackers for system modification. The activity pattern suggests a lateral movement attempt, potentially indicating a compromised account.
user-a (A)anduser-b (B)attempted to run applications but only on one machine, suggesting less likelihood of compromise.
user-d (D)was blocked running cmd.com, but user-c's pattern is more consistent with an attack technique.
NEW QUESTION # 97
An external SaaS solution user reports a bug associated with the role-based access control module. This bug allows users to bypass system logic associated with client segmentation in the multitenant deployment model.
When assessing the bug report, the developer finds that the same bug was previously identified and addressed in an earlier release. The developer then determines the bug was reintroduced when an existing software component was integrated from a prior version of the platform. Which of the following is the best way to prevent this scenario?
- A. Automated test and retest
- B. Software composition analysis
- C. Regression testing
- D. User acceptance testing
- E. Code signing
Answer: C
Explanation:
Regression testing is a software testingpractice that ensures that recent code changes have not adversely affected existing functionalities. In this scenario, the reintroduction of a previously fixed bug indicates that changes or integrations brought back the old issue. Implementing comprehensive regression testing would help detect such reintroductions by systematically retesting the existing functionalities whenever changes are made to the codebase. This practice is crucial in maintaining the integrity of the application, especially in complexsystems where multiple components interact.
Reference:CompTIA SecurityX CAS-005 Official Study Guide, Chapter 8: "Software Development Security," Section 8.3: "Testing and Validation Processes."
NEW QUESTION # 98
The security team is receiving escalated support tickets stating that one of the company's publicly available websites is not loading as expected. Given the following observations:
Which of the following is most likely the root cause?
- A. A certificate signed by a global root certification authority has expired.
- B. One certificate is being bound to multiple websites on the same server.
- C. Subject alternative names were not used appropriately for subdomains.
- D. A protocol mismatch error is expected to occur when using outdated browsers.
Answer: C
NEW QUESTION # 99
A systems administrator wants to reduce the number of failed patch deployments in an organization. The administrator discovers that system owners modify systems or applications in an ad hoc manner. Which of the following is the best way to reduce the number of failed patch deployments?
- A. Situational awareness
- B. Compliance tracking
- C. Change management
- D. Quality assurance
Answer: C
Explanation:
To reduce the number of failed patch deployments, the systems administrator should implement a robust change management process. Change management ensures that all modifications to systems or applications are planned, tested, and approved before deployment. This systematic approach reduces the risk of unplanned changes that can cause patch failures and ensures that patches are deployed in a controlled and predictable manner.
Reference:
CompTIA SecurityX Study Guide: Emphasizes the importance of change management in maintaining system integrity and ensuring successful patch deployments.
ITIL (Information Technology Infrastructure Library) Framework: Provides best practices for change management in IT services.
"The Phoenix Project" by Gene Kim, Kevin Behr, and George Spafford: Discusses the critical role of change management in IT operations and its impact on system stability and reliability.
NEW QUESTION # 100
During a vulnerability assessment, a scan reveals the following finding:
Windows Server 2016 Missing hotfix KB87728 - CVSS 3.1 Score: 8.1 [High] - Affected host 172.16.15.2 Later in the review process, the remediation team marks the finding as a false positive. Which of the following is the best way to avoid this issue on future scans?
- A. Coordinating the scan execution with the remediation team early in the process
- B. Performing an authenticated scan on the servers
- C. Getting an up-to-date list of assets from the CMDB
- D. Configuring the sensor with an advanced policy for fingerprinting servers
Answer: B
Explanation:
Authenticated scans allow the scanner to verify installed patches and configurations, reducing false positives.
Other options:
A (CMDB updates) improve asset tracking but do not validate patch installations.
C (Advanced fingerprinting) improves accuracy but does not replace authentication.
D (Coordination with teams) is good practice but does not prevent false positives.
NEW QUESTION # 101
A security architect is implementing more restrictive policies to improve secure coding practices.
Which of the following solutions are the best ways to improve the security coding practices?
(Choose two.)
- A. Perform regular code reviews and implement pair programming methodology.
- B. Implement a SAST tool along the pipeline for every new commit.
- C. Perform regular vulnerability assessments on production software, defining tight SLAs for treatment.
- D. Hire a third-party company to perform regular software tests, including quality and unity tests.
- E. Deliver regular training for the software developers based on best practices.
- F. Define security gates and tests along the CI/CD flow with strict exception rules.
Answer: B,E
NEW QUESTION # 102
SIMULATION
[Security Architecture]
An organization is planning for disaster recovery and continuity ofoperations, and has noted the following relevant findings:
1. A natural disaster may disrupt operations at Site A, which would then cause an evacuation. Users are unable to log into the domain from-their workstations after relocating to Site B.
2. A natural disaster may disrupt operations at Site A, which would then cause the pump room at Site B to become inoperable.
3. A natural disaster may disrupt operations at Site A, which would then cause unreliable internet connectivity at Site B due to route flapping.
INSTRUCTIONS
Match each relevant finding to the affected host by clicking on the host name and selecting the appropriate number.
For findings 1 and 2, select the items that should be replicated to Site B. For finding 3, select the item requiring configuration changes, then select the appropriate corrective action from the drop-down menu.

Answer:
Explanation:
See the solution below in Explanation
Explanation:
Matching Relevant Findings to the Affected Hosts:
Finding 1:
Affected Host: DNS
Reason: Users are unable to log into the domain from their workstations after relocating to Site B, which implies a failure in domain name services that are critical for user authentication and domain login.
Finding 2:
Affected Host: Pumps
Reason: Thepump room at Site B becoming inoperable directly points to the critical infrastructure components associated with pumping operations.
Finding 3:
Affected Host: VPN Concentrator
Reason: Unreliable internet connectivity at Site B due to route flapping indicates issues with network routing, which is often managed by VPN concentrators that handle site-to-site connectivity.
Corrective Actions for Finding 3:
Finding 3 Corrective Action:
Action: Modify the BGP configuration
Reason: Route flapping is often related to issues with Border Gateway Protocol (BGP) configurations. Adjusting BGP settings can stabilize routes and improve internet connectivity reliability.
Replication to Site B for Finding 1:
Affected Host: DNS
Domain Name System (DNS) services are essential for translating domain names into IP addresses, allowing users to log into the network. Replicating DNS services ensures that even if Site A is disrupted, users at Site B can still authenticate and access necessary resources.
Replication to Site B for Finding 2:
Affected Host: Pumps
The operation of the pump room is crucial for maintaining various functions within the infrastructure. Replicating the control systems and configurations for the pumps at Site B ensures that operations can continue smoothly even if Site A is affected.
Configuration Changes for Finding 3:
Affected Host: VPN Concentrator
Route flapping is a situation where routes become unstable, causing frequent changes in the best path for data to travel. This instability can be mitigated by modifying BGP configurations to ensure more stable routing. VPN concentrators, which manage connections between sites, are typically configured with BGP for optimal routing.
Reference:
CompTIA Security+ Study Guide: This guide provides detailed information on disaster recovery and continuity of operations, emphasizing the importance of replicating critical services and making necessary configuration changes to ensure seamless operation during disruptions.
CompTIA Security+ Exam Objectives: These objectives highlight key areas in disaster recovery planning, including the replication of critical services and network configuration adjustments.
Disaster Recovery and Business Continuity Planning (DRBCP): This resource outlines best practices for ensuring that operations can continue at an alternate site during a disaster, including the replication of essential services and network stability measures.
By ensuring that critical services like DNS and control systems for pumps are replicated at the alternate site, and by addressing network routing issues through proper BGP configuration, the organization can maintain operational continuity and minimize the impact of natural disasters on their operations.
NEW QUESTION # 103
A security team is responding to malicious activity and needs to determine the scope of impact the malicious activity appears to affect certain version of an application used by the organization Which of the following actions best enables the team to determine the scope of Impact?
- A. Reviewing the asset inventory
- B. Performing a port scan
- C. Inspecting egress network traffic
- D. Analyzing user behavior
Answer: A
Explanation:
Reviewing the asset inventory allows the security team to identify all instances of the affected application versions within the organization. By knowing which systems are running the vulnerable versions, the team can assess the full scope of the impact, determine which systems might be compromised, and prioritize them for further investigation and remediation.
Performing a port scan (Option A) might help identify open ports but does not provide specific information about the application versions. Inspecting egress network traffic (Option B) and analyzing user behavior (Option D) are important steps in the incident response process but do not directly identify which versions of the application are affected.
Reference:
CompTIA Security+ Study Guide
NIST SP 800-61 Rev. 2, "Computer Security Incident Handling Guide"
CIS Controls, "Control 1: Inventory and Control of Hardware Assets" and "Control 2: Inventory and Control of Software Assets"
NEW QUESTION # 104
An organization is implementing Zero Trust architecture A systems administrator must increase the effectiveness of the organization's context-aware access system. Which of the following is the best way to improve the effectiveness of the system?
- A. Microsegmentation
- B. Secure zone architecture
- C. Accurate asset inventory
- D. Always-on VPN
Answer: A
Explanation:
Microsegmentation is a critical strategy within Zero Trust architecture that enhances context-aware access systems by dividing the network into smaller, isolated segments. This reduces the attack surface and limits lateral movement of attackers within the network. It ensures that even if one segment is compromised, the attacker cannot easily access other segments. This granular approach to network security is essential for enforcing strict access controls and monitoring within Zero Trust environments.
Reference: CompTIA SecurityX Study Guide, Chapter on Zero Trust Security, Section on Microsegmentation and Network Segmentation.
NEW QUESTION # 105
A security analyst isreviewing the following event timeline from an COR solution:
Which of the following most likely has occurred and needs to be fixed?
- A. A logic law has introduced a TOCTOU vulnerability and must be addressed by the COR vendor
- B. An EDRbypass was utilized by a threat actor and updates must be installed by the administrator.
- C. A potential insider threat is being investigated and will be addressed by the senior management team.
- D. The Dl P has failed to block malicious exfiltration and data tagging is not being utilized property
Answer: A
Explanation:
The event timeline indicates a sequence where a file (hr-reporting.docx) was saved, scanned, executed, and eventually found to contain malware. The critical issue here is that the malware scan completed after the file was already executed. This suggests a Time-Of-Check to Time-Of-Use (TOCTOU) vulnerability, where the state of the file changed between the time it was checked and the time it was used.
References:
CompTIA SecurityX Study Guide: Discusses TOCTOU vulnerabilities as a timing attack where the state of a resource changes after it has been validated.
NIST Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations": Recommends addressing TOCTOU vulnerabilities to ensure the integrity of security operations.
"The Art of Software Security Assessment" by Mark Dowd, John McDonald, and Justin Schuh: Covers logic flaws and timing vulnerabilities, including TOCTOU issues.
NEW QUESTION # 106
A company'sSIEMis designed to associate the company'sasset inventorywith user events. Given the following report:
Which of thefollowing should asecurity engineer investigate firstas part of alog audit?
- A. Unauthorized usage attempts of the administrator account
- B. Anendpointthat is not submitting any logs
- C. Amisconfigured syslog servercreating false negatives
- D. Potential activity indicating an attackermoving laterally in the network
Answer: A
Explanation:
Comprehensive and Detailed
Understanding the Security Event:
Administrator accounts are highly privilegedand require strict monitoring.
Server 4 shows failed login attempts for the administrator account.This could indicate abrute-force attack or unauthorized access attempt.
The fact thatnone of the admin login attempts were successfulsuggestssomeone was trying to guess the credentials.
Why Option D isCorrect:
Failed logins for administrator accounts are a critical security concern.
If an attacker gains access, they couldescalate privileges and compromise the network.
Investigatingunauthorized admin login attemptsshould be thetop priorityin a log audit.
Why Other Options Are Incorrect:
A (Endpoint not submitting logs):While this is concerning, it does not indicate anactive attack.
B (Lateral movement):There's no evidence of a compromised account moving between servers yet.
C (Misconfigured syslog server):False negatives are a possibility, but thefailed admin loginsare real.
Reference:
CompTIA SecurityX CAS-005 Official Study Guide:SIEM & Incident Analysis MITRE ATT&CK (T1078.002):Valid Accounts - Administrator Compromise
NEW QUESTION # 107
A company needs a highly secure method to transfer documents over an insecure network. The documents are highly sensitive, and the documents' encryption must be guaranteed even if the network traffic is intercepted. Which of the following encryption techniques is the best option?
- A. Symmetric
- B. One-time pad
- C. Asymmetric
- D. Lightweight
Answer: B
NEW QUESTION # 108
A security officer performs due diligence activities before implementing a third-party solution into the enterprise environment. The security officer needs evidence from the third party that a data subject access request handling process is in place. Which of the following is the security officer most likely seeking to maintain compliance?
- A. Certification requirements
- B. Reporting frameworks
- C. E-discovery requirements
- D. Privacy regulations
- E. Information security standards
Answer: D
Explanation:
Comprehensive and Detailed Step-by-Step Explanation:
Privacy regulations (C), such as GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act), require companies to provide data subject access request (DSAR) handling processes. A DSAR allows individuals to request details about their personal data stored by a company and request modifications or deletions.
Information security standards (A) focus on overall security controls, while e-discovery requirements (B) relate to legal investigations rather than ongoing compliance.
NEW QUESTION # 109
......
Valid CAS-005 Dumps for Helping Passing CompTIA Exam: https://www.validtorrent.com/CAS-005-valid-exam-torrent.html
Download Free CompTIA CAS-005 Exam Questions & Answer: https://drive.google.com/open?id=1heP2Jq1T7J-pGxf11OL5-z9NOcd2v8ef