Free CompTIA CAS-005 Practice Questions 2026 - Page 10
An organization wants to manage specialized endpoints and needs a solution that provides the ability to:
* Centrally manage configurations
* Push policies
* Remotely wipe devices
* Maintain asset inventory
Which of the following should the organization do to best meet these requirements?
A. Use a configuration management database
B. Implement a mobile device management solution.
C. Configure contextual policy management
D. Deploy a software asset manager
Explanation:
The requirements listed are the core, defining functions of a Mobile Device Management (MDM) system. While the term "mobile" is in the name, modern MDM solutions (often called Unified Endpoint Management or UEM) extend these capabilities to a wide range of "specialized endpoints," including:
* Mobile phones and tablets (iOS, Android)
* Laptops (Windows, macOS, ChromeOS)
* IoT devices
* Other specialized endpoints
Let's map the requirements to MDM capabilities:
Centrally manage configurations:
MDM provides a central console to create and manage configuration profiles (e.g., Wi-Fi settings, VPN settings, security baselines).
Push policies:
MDM automatically deploys these configurations and compliance policies to enrolled devices over-the-air.
Remotely wipe devices:
This is a fundamental security feature of any MDM solution, allowing an admin to remotely erase a device if it is lost or stolen.
Maintain asset inventory:
MDM automatically maintains a detailed inventory of all enrolled devices, including hardware specs, OS versions, and installed applications.
Analysis of Incorrect Options:
A. Use a configuration management database (CMDB):
A CMDB is a repository that stores information about IT assets and their relationships. It is used for IT Service Management (ITSM) and provides visibility into what assets exist. However, a CMDB is a passive inventory tool. It cannot actively push configurations, enforce policies, or remotely wipe devices. It is for tracking, not for management.
C. Configure contextual policy management:
This is a feature or capability, not a product or solution. "Contextual policy management" refers to making access decisions based on context (user, device, location). This functionality is often a part of a larger solution like an MDM or Identity and Access Management (IAM) platform. This option does not describe a solution that can perform all the required tasks, especially remote wipe and centralized configuration.
D. Deploy a software asset manager:
Software Asset Management (SAM) tools are focused on managing software licenses, ensuring compliance, and optimizing software spend. They help track software installations but are not designed to manage device configurations, push security policies, or perform remote wipes. Their focus is financial and legal compliance, not endpoint security management.
Reference:
This solution falls under Domain 4.3: Automation of Security Operations and Domain 3.5: Identity and Access Management of the CAS-005 exam. MDM/UEM is the standard tool for automating the management and security of endpoints at scale.
An MDM solution (B) is purpose-built to meet all the listed requirements for managing specialized endpoints effectively and securely.
An organization is developing an AI-enabled digital worker to help employees complete common tasks such as template development, editing, research, and scheduling. As part of the AI workload, the organization wants to implement guardrails within the platform. Which of the following should the company do to secure the AI environment?
A. Limit the platform's abilities to only non-sensitive functions
B. Enhance the training model's effectiveness.
C. Grant the system the ability to self-govern
D. Require end-user acknowledgement of organizational policies.
Explanation:
The core concept of implementing "guardrails" in an AI system is to create boundaries and constraints that prevent the AI from causing harm, making mistakes, or being misused.
Principle of Least Functionality:
This answer embodies a fundamental security principle: only allow the minimum level of access and capability necessary for a system to perform its intended function. By restricting the AI digital worker to only non-sensitive functions, the organization creates a powerful guardrail.
How it Secures the Environment:
This limitation directly mitigates a wide range of risks:
Data Exfiltration/Loss:
Prevents the AI from processing, storing, or transmitting sensitive personal data (PII), intellectual property, or financial information.
Harmful Actions:
Prevents the AI from taking autonomous actions that could have serious consequences (e.g., sending emails, making calendar changes, editing sensitive documents) without human review.
Reputational Risk:
Reduces the chance of the AI generating incorrect or inappropriate content based on sensitive data.
This is a proactive, architectural control that defines the AI's operational boundaries from the outset.
Analysis of Incorrect Options:
B. Enhance the training model's effectiveness.
While improving the model's accuracy and reducing errors is important, it is not a "guardrail." A more effective model might be better at its tasks, but it does not inherently prevent it from operating on sensitive data or performing unauthorized actions. This is about improving core functionality, not implementing security boundaries.
C. Grant the system the ability to self-govern.
This is the opposite of implementing guardrails. "Self-governance" implies giving the AI system autonomy to make its own decisions about what is right or wrong. Without predefined, human-created guardrails, this is extremely dangerous and could lead to unpredictable and uncontrollable outcomes. Guardrails are external controls imposed on the AI system.
D. Require end-user acknowledgement of organizational policies.
This is an administrative control aimed at users, not a technical control for the AI platform itself. While user training and policy acknowledgment are important, they are unreliable as a sole security measure. Users can make mistakes, ignore policies, or find ways to misuse the technology. A technical guardrail built into the system itself is a far more secure and enforceable method.
Reference:
This approach aligns with Domain 2.0: Security Architecture and Domain 1.0: Governance, Risk, and Compliance of the CAS-005 exam. The key principles are:
Secure by Design: Building security into the architecture of a system from the beginning, which includes limiting its capabilities to a well-defined scope.
Risk Mitigation: Proactively identifying and reducing the attack surface and potential for misuse.
The most effective way to secure the AI environment with guardrails is to technically restrict its capabilities (A), ensuring it cannot be used in a way that poses a risk to the organization, even accidentally.
An organization is concerned about insider threats from employees who have individual access to encrypted material. Which of the following techniques best addresses this issue?
A. SSO with MFA
B. Salting and hashing
C. Account federation with hardware tokens
D. SAE
E. Key splitting
Explanation:
The specific concern is an insider threat where a single employee with individual access to encrypted material could potentially misuse that access (e.g., decrypt and steal sensitive data). The goal is to technically prevent any one person from having the complete ability to access the encrypted data on their own.
Key Splitting (Sharding):
This is a cryptographic technique where a decryption key is divided into multiple unique parts (shards). A certain number of these shards (e.g., 3 out of 5) are required to reconstruct the original key and decrypt the data.
How it Addresses Insider Threat:
This technique implements a separation of duties and dual control for cryptographic access. No single employee ever possesses the entire key. To decrypt the material, multiple employees (e.g., from different departments) must collaborate and provide their individual key shards. This effectively mitigates the risk of a lone insider acting maliciously, as they cannot act alone.
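The threshold scheme described above can be shown concretely with Shamir's secret sharing, which is the usual way key splitting is implemented. The script below is an added illustration, not part of the original question set: it splits a constructed 32-byte data-encryption key into 5 shares with a threshold of 3, reconstructs it from any 3 shares, and wraps reconstruction in a dual-control check so that fewer than 3 custodians cannot even attempt recovery. The field prime, function names and the quorum numbers are choices made for this example.

```python
import secrets
from typing import List, Tuple

# Shamir's threshold secret sharing over a prime field. 2**521 - 1 is a Mersenne prime,
# so any key of up to 64 bytes fits as a single field element.
PRIME = 2**521 - 1

Share = Tuple[int, int]  # (x, f(x))


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate the polynomial with the given coefficients at x (Horner's rule, mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, share_count: int) -> List[Share]:
    """Split `key` into `share_count` shares, any `threshold` of which reconstruct it."""
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # The constant term is the secret; the other threshold-1 coefficients are random,
    # so any set of fewer than `threshold` points reveals nothing about f(0).
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def reconstruct_secret(shares: List[Share]) -> int:
    """Lagrange-interpolate f(0) from the shares. Correct only with >= threshold shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share presented")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = (num * (-xj)) % PRIME
            den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def reconstruct_key(shares: List[Share], key_len: int) -> bytes:
    return reconstruct_secret(shares).to_bytes(key_len, "big")


def dual_control_decrypt(shares: List[Share], threshold: int, key_len: int) -> bytes:
    """Policy wrapper: refuse to attempt reconstruction below the quorum."""
    if len(shares) < threshold:
        raise PermissionError(f"{len(shares)} share(s) presented, {threshold} required")
    return reconstruct_key(shares, key_len)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed data-encryption key
    shares = split_key(key, threshold=3, share_count=5)
    assert dual_control_decrypt(shares[:3], 3, 32) == key
    print("quorum of 3 custodians reconstructed the key")
```

Each custodian would hold one `(x, f(x))` pair, ideally in a separate HSM or hardware token; the polynomial coefficients exist only in memory during `split_key` and are never stored, which is what makes a single share useless on its own.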
Analysis of Incorrect Options:
A. SSO with MFA (Single Sign-On with Multi-Factor Authentication):
This improves authentication security by requiring a second factor to prove identity. However, once authenticated, the employee still has individual, complete access to the encrypted material. It does nothing to prevent a malicious insider from using their legitimate access to decrypt data.
B. Salting and hashing:
These are techniques used to protect stored passwords. A salt is added to a password before it is hashed to defeat precomputed rainbow table attacks. This is irrelevant to controlling access to encrypted data and does not address the insider threat scenario.
C. Account federation with hardware tokens:
Federation allows users to access multiple systems with a single set of credentials, and hardware tokens provide strong authentication. Similar to SSO, this is an access mechanism. It does not change the fact that once access is granted, the user has individual control over the encrypted material. It strengthens the gate but doesn't change what's behind it.
D. SAE (Simultaneous Authentication of Equals):
SAE is a cryptographic protocol used in Wi-Fi networks (WPA3) for establishing a secure connection. It is designed to prevent offline dictionary attacks on Wi-Fi passwords and is not relevant for managing access to stored encrypted data or mitigating insider threats.
Reference:
This solution falls under Domain 3.6: Cryptography and Domain 1.0: Governance, Risk, and Compliance of the CAS-005 exam. Key concepts include:
Cryptographic Key Management: Implementing controls like key splitting to enforce separation of duties.
Principle of Least Privilege and Dual Control: Ensuring that critical actions (like decrypting sensitive data) require the collaboration of multiple parties, preventing any single point of failure or misuse.
Key splitting (E) is the only technique that directly and technically addresses the risk of a single insider misusing their individual access to encrypted material.
After some employees were caught uploading data to online personal storage accounts, a company becomes concerned about data leaks related to sensitive, internal documentation. Which of the following would the company most likely do to decrease this type of risk?
A. Improve firewall rules to avoid access to those platforms.
B. Implement a cloud-access security broker
C. Create SIEM rules to raise alerts for access to those platforms
D. Deploy an internet proxy that filters certain domains
Explanation:
The problem is data exfiltration to unsanctioned cloud applications (personal storage accounts like Dropbox, Google Drive, etc.). The goal is to not just block or alert, but to actively monitor and control the data that is being sent to cloud services.
Cloud-Access Security Broker (CASB):
A CASB is a security policy enforcement point that sits between an organization's on-premises infrastructure and a cloud provider's infrastructure. It acts as a gatekeeper to ensure secure cloud usage.
How it Decreases Risk:
A CASB provides several critical functions that directly address this risk:
Discovery & Visibility:
It identifies all cloud services in use (sanctioned and unsanctioned).
Data Loss Prevention (DLP):
This is the key feature. A CASB can inspect data in motion to the cloud. It can identify sensitive content (based on patterns, fingerprints, or labels) being uploaded to personal storage sites and block the upload in real-time.
Access Control:
It can enforce policies to allow, block, or limit access to specific cloud applications based on user, device, or location.
A CASB provides a proactive, data-centric control designed specifically for the cloud era.
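The three CASB functions listed above (discovery, DLP inspection, access control) combine into a single decision per upload. The following Python policy engine is an added example and not a vendor's or the page's own code: it takes constructed upload events, treats unknown destinations as a discovery case to log rather than block, and blocks uploads to unsanctioned personal-storage hosts when the content carries a classification label, matches a registered document fingerprint, or contains a Luhn-valid payment-card number. All hostnames, labels and documents are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed CASB policy data (hostnames are fictional).
SANCTIONED_HOSTS = {"storage.corp-sanctioned.example"}
UNSANCTIONED_PATTERNS = [r"\.personal-cloud\.example$", r"\.filebox\.example$"]

# SHA-256 fingerprints of documents registered as sensitive -> document name.
KNOWN_DOCS: Dict[str, str] = {}

LABEL_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


@dataclass
class UploadEvent:
    user: str
    destination_host: str
    filename: str
    content: bytes


@dataclass
class Decision:
    action: str   # "allow" or "block"
    reason: str


def register_document(name: str, content: bytes) -> None:
    """Fingerprint a known sensitive document so exact copies are caught whatever the filename."""
    KNOWN_DOCS[hashlib.sha256(content).hexdigest()] = name


def luhn_ok(digits: str) -> bool:
    """Luhn check so that arbitrary digit runs are not flagged as payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(content: bytes) -> Optional[str]:
    """Describe the sensitive content found (label, fingerprint or pattern), or None."""
    text = content.decode("utf-8", errors="ignore")
    m = LABEL_RE.search(text)
    if m:
        return f"label:{m.group(1)}"
    digest = hashlib.sha256(content).hexdigest()
    if digest in KNOWN_DOCS:
        return f"fingerprint:{KNOWN_DOCS[digest]}"
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            return "pattern:payment-card"
    return None


def is_unsanctioned(host: str) -> bool:
    return any(re.search(p, host) for p in UNSANCTIONED_PATTERNS)


def evaluate(event: UploadEvent) -> Decision:
    """Inline CASB decision for one upload event."""
    if event.destination_host in SANCTIONED_HOSTS:
        return Decision("allow", "sanctioned corporate storage")
    if not is_unsanctioned(event.destination_host):
        # Discovery: an unknown service is recorded for shadow-IT review, not blocked outright.
        return Decision("allow", "uncategorised destination; logged for discovery")
    finding = classify(event.content)
    if finding:
        return Decision("block", f"{finding} bound for unsanctioned storage ({event.user})")
    return Decision("allow", "unsanctioned destination, no sensitive content; logged")
```

Note the ordering: destination category is decided first, content inspection second, so the same labelled file is allowed into sanctioned storage and blocked from a personal account. A real CASB would add user and device context and feed every decision back into its discovery reports.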
Analysis of Incorrect Options:
A. Improve firewall rules to avoid access to those platforms & D. Deploy an internet proxy that filters certain domains:
These are similar network-based blocking solutions. While they can technically block access to the domains of popular storage platforms, they are very coarse and ineffective controls.
* Easy to Bypass: Employees can use personal devices on cellular networks to bypass corporate proxies and firewalls.
* Too Broad: It blocks the entire application, which might be used legitimately for non-sensitive work. A CASB offers much more granular control.
* Reactive: The list of personal storage sites is endless; new ones pop up constantly, making it a game of whack-a-mole.
C. Create SIEM rules to raise alerts for access to those platforms:
A SIEM is a detective control. It can alert after the data has already been exfiltrated. By the time the SOC analyst sees the alert, the sensitive data is already on a server outside the company's control. The requirement is to decrease the risk (prevent the leak), not just to discover it after the fact.
Reference:
This solution is a core component of Domain 3.4: Secure Network Architecture and Domain 1.4: Data Security of the CAS-005 exam. CASBs are a critical technology for implementing a data-centric security strategy in a hybrid cloud world.
While the other options provide partial, often ineffective solutions, implementing a CASB (B) is the most comprehensive and effective way to directly decrease the risk of data leaks to personal cloud storage accounts by inspecting and controlling the data itself.
Which of the following is the main reason quantum computing advancements are leading companies and countries to deploy new encryption algorithms?
A. Encryption systems based on large prime numbers will be vulnerable to exploitation
B. Zero Trust security architectures will require homomorphic encryption.
C. Perfect forward secrecy will prevent deployment of advanced firewall monitoring techniques
D. Quantum computers will enable malicious actors to capture IP traffic in real time
Explanation:
The threat posed by quantum computing is highly specific to certain types of cryptographic algorithms.
Shor's Algorithm:
This is a quantum algorithm that, if run on a sufficiently powerful quantum computer, can efficiently solve the mathematical problems that underpin the security of most widely used public-key cryptography.
Vulnerable Algorithms:
These include:
RSA:
Based on the practical difficulty of factoring the product of two large prime numbers.
Diffie-Hellman & ECC (Elliptic-Curve Cryptography):
Based on the difficulty of the discrete logarithm problem.
The Risk:
A cryptographically relevant quantum computer (CRQC) could use Shor's algorithm to break these encryption and digital signature schemes, rendering them useless. This would compromise the security of virtually all secure web traffic (TLS/SSL), digital signatures, and encrypted data that has been stored for future decryption.
This specific and existential threat to current standards is the primary driver for the development and deployment of Post-Quantum Cryptography (PQC) – new encryption algorithms designed to be secure against both classical and quantum computer attacks.
Analysis of Incorrect Options:
B. Zero Trust security architectures will require homomorphic encryption.
Zero Trust is a security model centered on the belief that organizations should not automatically trust anything inside or outside their perimeters. While homomorphic encryption (performing computations on encrypted data) is an advanced cryptographic technique, it is not a requirement for Zero Trust. Zero Trust primarily relies on strong identity verification and access controls. The push for new algorithms is driven by quantum threats, not by Zero Trust architecture needs.
C. Perfect forward secrecy will prevent deployment of advanced firewall monitoring techniques.
Perfect Forward Secrecy (PFS) is a feature of key agreement protocols that ensures a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future. PFS is a security benefit, not a hindrance. It does not prevent advanced firewall monitoring; firewalls can still inspect TLS traffic if they are configured as a trusted man-in-the-middle. This option is a distractor and not related to the quantum threat.
D. Quantum computers will enable malicious actors to capture IP traffic in real time.
The ability to capture IP traffic is a function of network access (e.g., through a compromised node or wiretap), not computational power. Quantum computers do not provide a new capability to capture traffic; they threaten the ability to decrypt the captured traffic that was encrypted using vulnerable algorithms. The threat is to breaking the encryption, not the capture itself.
Reference:
This topic is a key part of Domain 3.6: Cryptography in the CAS-005 exam. It requires an understanding of:
Quantum Threats: The specific risk that quantum computing poses to asymmetric cryptography based on integer factorization and discrete logarithm problems.
Cryptographic Agility: The need to prepare for the migration to post-quantum cryptographic algorithms, an effort being led by standards bodies like NIST.
The main and direct reason for deploying new encryption algorithms is the vulnerability of current prime number-based systems to quantum attacks, as described in option A.
During DAST scanning, applications are consistently reporting code defects in open-source libraries that were used to build web applications. Most of the code defects are from using libraries with known vulnerabilities. The code defects are causing product deployment delays. Which of the following is the best way to uncover these issues earlier in the life cycle?
A. Directing application logs to the SIEM for continuous monitoring
B. Modifying the WAF policies to block against known vulnerabilities
C. Completing an IAST scan against the web application
D. Using a software dependency management solution
Explanation:
The issue is that known vulnerable open-source libraries are being detected late (during DAST), causing deployment delays. The best solution is to identify these issues earlier in the software development life cycle (SDLC), ideally during development or integration, before the application reaches the DAST phase.
Correct Option:
D. Using a software dependency management solution
Scans dependencies (open-source libraries) against CVE databases during build or commit time.
Identifies vulnerable libraries before code is deployed, shifting security left.
Integrates with CI/CD pipelines to prevent vulnerable components from progressing to later stages.
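What a dependency management (software composition analysis) step actually does in a pipeline is simple to show. The script below is an added example, not the page's or any vendor's tool: it parses a constructed pinned dependency manifest, matches each pinned version against a constructed advisory feed (package names and advisory identifiers are placeholders, not real CVEs), and returns a non-zero exit status when a HIGH or CRITICAL finding should stop the build before DAST ever runs.

```python
import re
from typing import Dict, List, Tuple

# Constructed dependency manifest (requirements.txt style); package names are fictional.
REQUIREMENTS = """\
# pinned build dependencies (constructed example)
examplelib==1.4.2
fooparser==0.9.1
barcrypto==2.0.0
safelib==3.1.0
"""

# Constructed advisory feed standing in for a CVE/OSV database:
# package -> [(affected version spec, advisory id placeholder, severity)]
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "examplelib": [("<1.5.0", "ADV-PLACEHOLDER-0001", "HIGH")],
    "fooparser":  [(">=0.9.0,<0.9.1", "ADV-PLACEHOLDER-0002", "MODERATE")],
    "barcrypto":  [(">=2.0.0,<2.0.5", "ADV-PLACEHOLDER-0003", "CRITICAL")],
}

_OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}
_CLAUSE = re.compile(r"^(==|!=|>=|<=|>|<)\s*([0-9][0-9A-Za-z.]*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2), padded to three components; non-numeric parts stop parsing."""
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_matches(version: str, spec: str) -> bool:
    """True if `version` satisfies every comma-separated clause of `spec`."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"bad spec clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def parse_requirements(text: str) -> Dict[str, str]:
    """Read 'name==version' lines; unpinned lines are rejected so every build is reproducible."""
    pinned: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        pinned[name.strip().lower()] = version.strip()
    return pinned


def find_vulnerable(requirements: str, advisories: Dict[str, List[Tuple[str, str, str]]]):
    """Return (package, version, advisory_id, severity) for each advisory the pinned version matches."""
    findings = []
    for name, version in parse_requirements(requirements).items():
        for spec, adv_id, severity in advisories.get(name, []):
            if version_matches(version, spec):
                findings.append((name, version, adv_id, severity))
    return findings


def ci_gate(findings, fail_on=("HIGH", "CRITICAL")) -> int:
    """Exit status for the pipeline step: 1 blocks the build, 0 lets it proceed."""
    for name, version, adv_id, sev in findings:
        print(f"{sev:8} {name}=={version}  {adv_id}")
    return 1 if any(f[3] in fail_on for f in findings) else 0


if __name__ == "__main__":
    raise SystemExit(ci_gate(find_vulnerable(REQUIREMENTS, ADVISORIES)))
```

Running this on every commit or pull request is what "shifting left" means in practice: the vulnerable pin for `examplelib` fails the build in seconds, whereas the same library would only surface weeks later as a DAST finding against the deployed application.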
Incorrect Options:
A. Directing application logs to the SIEM for continuous monitoring
SIEM monitors runtime events and logs, not static vulnerabilities in libraries. It detects post-deployment anomalies but cannot prevent using vulnerable libraries early in the life cycle. Too late and reactive.
B. Modifying the WAF policies to block against known vulnerabilities
WAF provides runtime protection by blocking exploits, but it does not fix or identify vulnerable libraries during development. It’s a compensating control, not a shift‑left solution for early detection.
C. Completing an IAST scan against the web application
IAST (Interactive Application Security Testing) works during application testing (often in QA), still later than dependency scanning. It can find some library issues, but it’s heavier and not as early or efficient as a dedicated dependency management tool integrated into the IDE/pipeline.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 2: Security Architecture (Software Assurance / Shift Left). NIST SSDF (Secure Software Development Framework) PW.1: “Identify and protect against use of vulnerable components.” OWASP Dependency-Check / SCA best practices.
An external threat actor attacks public infrastructure providers. In response to the attack and during follow-up activities, various providers share information obtained during response efforts. After the attack, energy sector companies share their status and response data:

| Company | SIEM | UEBA | DLP | ISAC Member | TIP Integration | Time to Detect | Time to Respond |
|---|---|---|---|---|---|---|---|
| 1 | Yes | No | Yes | Yes | Yes | 10 minutes | 20 minutes |
| 2 | Yes | Yes | Yes | Yes | No | 20 minutes | 40 minutes |
|   | Yes | Yes | No | No | Yes | 12 minutes | 24 minutes |

Which of the following is the most important issue to address to defend against future attacks?
A. Failure to implement a UEBA system
B. Failure to implement a DLP system
C. Failure to join the industry ISAC
D. Failure to integrate with the TIP
Explanation:
The question focuses on defending against future attacks through information sharing after a threat actor attacked public infrastructure providers. While SIEM, UEBA, DLP, and TIP are useful, the most critical missing component for collective defense is joining the industry ISAC (Information Sharing and Analysis Center), which enables sector-wide threat intelligence sharing.
Correct Option:
C. Failure to join the industry ISAC
ISACs are sector-specific (e.g., energy) and enable trusted, real-time sharing of attack indicators and response lessons among member organizations.
Without ISAC membership, the energy sector companies cannot benefit from shared threat intelligence or coordinate defense against adversary TTPs.
In critical infrastructure, ISAC participation is a recognized best practice for collective resilience.
Incorrect Options:
A. Failure to implement a UEBA system
UEBA helps detect insider threats and anomalous behavior, but the scenario involves external threat actors attacking public infrastructure providers.
UEBA absence increases detection time, but it does not prevent the core failure of missing cross‑organization intelligence sharing. Less critical than ISAC.
B. Failure to implement a DLP system
DLP prevents data exfiltration; however, the attack described is against infrastructure providers, not primarily a data theft incident.
DLP addresses a different risk (confidentiality) rather than the need to share attack indicators for future defense. Not the most important issue shown.
D. Failure to integrate with the TIP
TIP integration centralizes and automates threat intelligence, but it depends on having sources of intelligence to ingest.
Without ISAC membership, TIP has limited sector‑specific intelligence. ISAC is the foundational information-sharing mechanism; TIP is an enabler, not the primary gap.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 3: Security Operations (Threat Intelligence & Information Sharing). NIST SP 800-150 (Cyber Threat Information Sharing). CISA guidance on ISACs for critical infrastructure sectors (e.g., Energy ISAC, E-ISAC).
A security officer performs due diligence activities before implementing a third-party solution into the enterprise environment. The security officer needs evidence from the third party that a data subject access request handling process is in place. Which of the following is the security officer most likely seeking to maintain compliance?
A. Information security standards
B. E-discovery requirements
C. Privacy regulations
D. Certification requirements
E. Reporting frameworks
Explanation:
A Data Subject Access Request (DSAR) is a right granted to individuals under privacy regulations such as GDPR (Articles 15–22) or CCPA. The security officer needs assurance that the third party can properly handle requests from data subjects to access, correct, or delete their personal data. This is a core privacy compliance requirement.
Correct Option:
C. Privacy regulations
DSAR handling is explicitly mandated by privacy laws like GDPR, CCPA, LGPD, and others.
The officer seeks evidence of a formal DSAR process to ensure the third party complies with applicable privacy regulations when processing personal data.
Without this, the enterprise risks regulatory fines and legal liability for non-compliance.
Incorrect Options:
A. Information security standards
Security standards (e.g., ISO 27001, NIST) focus on confidentiality, integrity, and availability of information, not on individual data subject rights like DSAR.
While important for overall risk management, they do not mandate or verify DSAR handling processes.
B. E-discovery requirements
E-discovery relates to producing electronically stored information for legal proceedings (e.g., litigation holds, court orders).
DSARs are privacy-driven and do not require litigation; they are distinct from e-discovery obligations under rules like FRCP.
D. Certification requirements
Certifications (e.g., SOC 2, ISO 27701) may include privacy controls, but the specific need for a DSAR process stems directly from privacy regulations, not from certification alone.
Certification is evidence of compliance, not the regulatory driver itself.
E. Reporting frameworks
Reporting frameworks (e.g., COBIT, ITIL) focus on governance, metrics, and operational reporting.
They do not create legal obligations for DSAR handling; privacy regulations do.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 4: Governance, Risk, and Compliance (Third‑Party Risk Management & Privacy). GDPR Article 15 (Right of Access by the Data Subject). CCPA Section 1798.100 (Consumer Access Requests).
Previously intercepted communications must remain secure even if a current encryption key is compromised in the future. Which of the following best supports this requirement?
A. Tokenization
B. Key stretching
C. Forward secrecy
D. Simultaneous authentication of equals
Explanation:
The requirement is that past intercepted communications stay secure even if a future encryption key is compromised. This property is known as forward secrecy (also called perfect forward secrecy). It ensures that compromise of long-term keys does not expose previously recorded session keys or encrypted traffic.
Correct Option:
C. Forward secrecy
Forward secrecy uses ephemeral session keys that are derived per session and not stored long-term.
Even if an attacker compromises the server’s private key later, they cannot decrypt previously captured sessions because those session keys are already discarded and unrecoverable.
Common implementations include DHE (Diffie‑Hellman Ephemeral) and ECDHE in TLS.
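The difference between a static key exchange and the ephemeral (DHE) exchange named above can be demonstrated directly. The script below is an added example, not the page's or any library's code: it runs both exchanges over the 1024-bit MODP group published in RFC 2409 (group 2), records what a wiretap would see, and then plays the attacker who later steals Alice's long-term secret. In the static case the recorded transcript plus the stolen key yields the old session key; in the DHE case the stolen long-term key only lets the attacker re-verify authentication tags, and the discarded ephemeral exponents mean no session key can be derived. HMAC stands in for a signature, SHA-256 for a KDF, and the group size is for illustration only (use an RFC 7919 group or an elliptic-curve library in practice).

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime and generator as listed in RFC 2409 (Oakley group 2); illustration only.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair():
    """Random private exponent and its public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(shared_secret: int) -> bytes:
    """Session key = hash of the shared DH value (stands in for a real KDF such as HKDF)."""
    return hashlib.sha256(shared_secret.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def _tag(long_term_key: bytes, public_value: int) -> str:
    # The long-term key authenticates a public value; HMAC stands in for a signature.
    return hmac.new(long_term_key, str(public_value).encode(), hashlib.sha256).hexdigest()


def static_dh_session(alice_priv: int, alice_pub: int, bob_priv: int, bob_pub: int):
    """No forward secrecy: the long-term DH keys themselves produce the session key."""
    k_alice = derive_key(pow(bob_pub, alice_priv, P))
    k_bob = derive_key(pow(alice_pub, bob_priv, P))
    assert k_alice == k_bob
    transcript = {"alice_pub": alice_pub, "bob_pub": bob_pub}   # what a wiretap records
    return k_alice, transcript


def ephemeral_dh_session(alice_lt_key: bytes, bob_lt_key: bytes):
    """Forward secrecy (DHE style): fresh exponents per session; long-term keys only authenticate."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    transcript = {
        "alice_pub": a_pub, "alice_tag": _tag(alice_lt_key, a_pub),
        "bob_pub": b_pub, "bob_tag": _tag(bob_lt_key, b_pub),
    }
    k_alice = derive_key(pow(b_pub, a_priv, P))
    k_bob = derive_key(pow(a_pub, b_priv, P))
    assert k_alice == k_bob
    del a_priv, b_priv   # ephemeral exponents are discarded once the session key exists
    return k_alice, transcript


def attacker_recovers_static(transcript, stolen_alice_priv: int) -> bytes:
    """Recorded transcript + later theft of Alice's long-term DH key = the old session key."""
    return derive_key(pow(transcript["bob_pub"], stolen_alice_priv, P))


def attacker_recovers_ephemeral(transcript, stolen_alice_lt_key: bytes):
    """Same theft against DHE: the tag can be re-checked, but no exponent survives in the
    transcript or the stolen key, so no session key is recoverable."""
    tag_ok = hmac.compare_digest(_tag(stolen_alice_lt_key, transcript["alice_pub"]),
                                 transcript["alice_tag"])
    return tag_ok, None


if __name__ == "__main__":
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    k, t = static_dh_session(a_priv, a_pub, b_priv, b_pub)
    print("static DH recovered:", attacker_recovers_static(t, a_priv) == k)
    k, t = ephemeral_dh_session(b"alice-long-term", b"bob-long-term")
    print("DHE recovered:", attacker_recovers_ephemeral(t, b"alice-long-term")[1] is not None)
```

The same structure is what TLS 1.3 enforces: the server's certificate key signs the handshake, the session key comes from a one-time (EC)DHE exchange, and the private exponents are erased as soon as the handshake completes.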
Incorrect Options:
A. Tokenization
Tokenization replaces sensitive data with non‑sensitive tokens, typically for data storage or payment processing.
It does not protect past communications from future key compromise because it focuses on data substitution, not session key management or encryption history.
B. Key stretching
Key stretching (e.g., PBKDF2, bcrypt) strengthens weak passwords by making brute‑force attacks harder.
It does not provide forward secrecy; it only increases the cost of deriving a key from a low‑entropy secret.
D. Simultaneous authentication of equals
SAE (Simultaneous Authentication of Equals) is a password‑authenticated key exchange protocol used in WPA3.
While it protects against offline dictionary attacks, it does not inherently provide forward secrecy for past communications if a long‑term key is compromised later.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 1: Security Architecture (Cryptography). RFC 8446 (TLS 1.3) — Section 1.2: “Forward secrecy is a property that ensures that compromise of a long‑term key does not compromise the confidentiality of past sessions.” NIST SP 800‑57 Part 1 (Key Management).
A network security architect for an organization with a highly remote workforce implements an always-on VPN to meet business requirements. Which of the following best explains why the architect is using this approach?
A. To facilitate device authentication using on-premises directory services
B. To allow access to directly connected print and scan resources
C. To enable usability of locally attached removable storage
D. To authorize updates to change the PIN on a smart card
Explanation:
An always‑on VPN ensures that remote devices are continuously connected to the corporate network before user logon. This allows device authentication against on‑premises directory services (e.g., Active Directory) and enables application of Group Policy, certificate validation, and security posture checks before the user gains interactive access.
Correct Option:
A. To facilitate device authentication using on‑premises directory services
Always‑on VPN establishes a tunnel during system startup, before user login.
This enables machine authentication via RADIUS, certificates, or domain controllers.
It ensures only domain‑joined and compliant devices access corporate resources, enforcing zero trust network access (ZTNA) principles.
Incorrect Options:
B. To allow access to directly connected print and scan resources
Always‑on VPN is for remote network access, not for local peripheral access.
Printers and scanners physically connected to the remote device are accessible via local drivers, not dependent on a VPN.
C. To enable usability of locally attached removable storage
Local USB drives or external storage work regardless of VPN connectivity.
The VPN does not enable or disable local storage; it only secures network traffic back to the corporate environment.
D. To authorize updates to change the PIN on a smart card
Smart card PIN changes are typically handled locally via the operating system or middleware, or through a dedicated smart card management system.
An always‑on VPN is not required for this function; it is unrelated to smart card PIN management.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 2: Enterprise Security Operations (Remote Access & VPN Architectures). Microsoft Always On VPN documentation: “Supports device tunnel for machine authentication and policy retrieval before user logon.” NIST SP 800‑46 (Guide to Enterprise Telework, Remote Access, and BYOD).