Free CompTIA CAS-005 Practice Questions 2026 - Page 13
Which of the following best describes a common use case for homomorphic encryption?
A. Processing data on a server after decrypting in order to prevent unauthorized access in transit
B. Maintaining the confidentiality of data both at rest and in transit to and from a CSP for processing
C. Transmitting confidential data to a CSP for processing on a large number of resources without revealing information
D. Storing proprietary data across multiple nodes in a private cloud to prevent access by unauthenticated users
Explanation:
Homomorphic encryption allows computations to be performed directly on encrypted data without decrypting it first. The result, when decrypted, matches the result of operations performed on plaintext. This is particularly useful for sending confidential data to a cloud service provider (CSP) for processing — the CSP computes on encrypted data and learns nothing about the original information.
Correct Option:
C. Transmitting confidential data to a CSP for processing on a large number of resources without revealing information
Data remains encrypted throughout processing; no decryption occurs on the CSP side.
The CSP performs computations (e.g., analytics, machine learning, queries) on ciphertext.
Sensitive information is never exposed to the CSP, addressing privacy and confidentiality concerns.
This enables outsourcing compute to untrusted environments while preserving data secrecy.
Incorrect Options:
A. Processing data on a server after decrypting in order to prevent unauthorized access in transit
Homomorphic encryption does not require decryption before processing; decrypting first defeats its purpose.
Protecting data in transit is the role of TLS, not homomorphic encryption.
This describes standard encryption (at rest/in transit), not homomorphic computation.
B. Maintaining the confidentiality of data both at rest and in transit to and from a CSP for processing
At‑rest and in‑transit encryption are standard practices (AES, TLS).
Homomorphic encryption goes beyond that: it protects data during processing, not just in transit or at rest.
This option omits the unique value of homomorphic encryption (computation on encrypted data).
D. Storing proprietary data across multiple nodes in a private cloud to prevent access by unauthenticated users
Describes distributed storage with access controls, not homomorphic encryption.
No computation is mentioned; this is simply encrypted storage or replication.
Homomorphic encryption is not typically used for storage alone; it is computationally expensive and unnecessary for that use case.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 1: Security Architecture (Cryptography — Homomorphic Encryption). NIST IR 8286 (Homomorphic Encryption) — “Enables computation on encrypted data without decryption, useful for untrusted cloud processing.” Craig Gentry’s seminal work (2009) — Fully Homomorphic Encryption allows arbitrary computation on ciphertexts.
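To make the "compute on ciphertext, learn nothing" property concrete, here is an added worked example in Python (not from the original page or any product it names) using the Paillier cryptosystem, which is additively homomorphic: the CSP side multiplies ciphertexts to add the underlying plaintexts and never holds the private key. The primes P and Q are constructed toy values so the demo is fast and reproducible, and all function names are this example's own.

```python
"""Additively homomorphic encryption (Paillier) in pure Python.
Added example, not from the original page: a client encrypts values,
an untrusted server sums them using only the public key and the
ciphertexts, and the client decrypts the total."""
import math
import secrets

# Constructed toy primes so the demo is fast and reproducible.
# Real deployments generate random primes of 1024 bits or more.
P, Q = 1000003, 1000033


def keygen(p=P, q=Q):
    """Return (public_key, private_key); public = (n, g) with g = n + 1."""
    n = p * q
    n_sq = n * n
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1
    # L(x) = (x - 1) // n ;  mu = L(g^lam mod n^2)^-1 mod n
    mu = pow((pow(g, lam, n_sq) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m, r=None):
    """Encrypt integer m with 0 <= m < n.  r is the random blinding
    factor, so two encryptions of the same m look unrelated."""
    n, g = pub
    n_sq = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while r is None or math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (pow(g, m, n_sq) * pow(r, n, n_sq)) % n_sq


def decrypt(pub, priv, c):
    """Recover m from ciphertext c using the private key (lam, mu)."""
    n, _ = pub
    lam, mu = priv
    n_sq = n * n
    return (((pow(c, lam, n_sq) - 1) // n) * mu) % n


def add_encrypted(pub, c1, c2):
    """Server side: E(a) * E(b) mod n^2 == E(a + b).  No private key needed."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Server side: E(a)^k mod n^2 == E(k * a).  No private key needed."""
    n, _ = pub
    return pow(c, k, n * n)


def outsourced_sum(values):
    """Client encrypts, CSP sums on ciphertext only, client decrypts.
    Returns the decrypted total."""
    pub, priv = keygen()
    ciphertexts = [encrypt(pub, v) for v in values]
    # ---- untrusted CSP: sees pub and ciphertexts, never priv or values ----
    total_ct = encrypt(pub, 0)            # E(0) is the neutral element
    for c in ciphertexts:
        total_ct = add_encrypted(pub, total_ct, c)
    # ---- back on the client ----
    return decrypt(pub, priv, total_ct)


if __name__ == "__main__":
    print(outsourced_sum([1200, 3400, 560, 78]))   # 5238
```

Paillier only supports addition of ciphertexts and multiplication by a known constant; arbitrary computation needs a fully homomorphic scheme of the kind the reference cites. Two points the code makes visible: the server-side functions take only the public key, and because r is random the CSP cannot even tell whether two ciphertexts hide the same value. Plaintexts and sums must stay below n or they wrap modulo n.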
A company finds logs with modified time stamps when compared to other systems. The security team decides to improve logging and auditing for incident response. Which of the following should the team do to best accomplish this goal?
A. Integrate a file-monitoring tool with the SIEM.
B. Change the log solution and integrate it with the existing SIEM.
C. Implement a central logging server, allowing only log ingestion.
D. Rotate and back up logs every 24 hours, encrypting the backups.
Explanation:
The issue is modified timestamps on logs, indicating potential tampering by an attacker who gained access to local log files. A central logging server that only allows log ingestion (write‑once, append‑only) prevents attackers from altering logs retroactively. This preserves integrity and accurate timestamping, improving logging and auditing for incident response.
Correct Option:
C. Implement a central logging server, allowing only log ingestion.
Centralized logging (e.g., syslog-ng, Splunk, ELK) with ingestion-only controls prevents log modification by local attackers.
Timestamps are applied at ingest by the central server, not client‑controlled.
Even if an endpoint is compromised, past logs on the central server remain immutable.
This directly addresses the modified timestamp issue and strengthens audit integrity.
Incorrect Options:
A. Integrate a file‑monitoring tool with the SIEM.
File monitoring detects changes but does not prevent them; alerts occur after tampering.
An attacker can still modify timestamps before detection.
Does not provide immutable log storage.
B. Change the log solution and integrate it with the existing SIEM.
Changing the log solution does not guarantee tamper resistance unless it includes centralized, ingestion‑only controls.
Integration alone does not solve the root cause (local log modification).
Vague and less effective than implementing central immutable logging.
D. Rotate and back up logs every 24 hours, encrypting the backups.
Backups protect against loss but not against tampering of the primary logs.
Attackers can modify logs within the 24‑hour window before rotation.
Encryption prevents reading but does not prevent deletion or modification of active logs.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 3: Security Operations (Logging, Auditing, Incident Response). NIST SP 800-92 (Guide to Computer Security Log Management) — “Centralized logging with append‑only controls protects log integrity.” MITRE ATT&CK T1070 (Indicator Removal on Host) — mitigation: central logging.
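As an added illustration of the ingestion-only design (example code, not from the page or from any product it names): a minimal append-only store that stamps every record with the server's own clock, keeps the client's claimed timestamp only as evidence, and a check that flags records whose client time disagrees with the ingest time, which is exactly the "modified time stamps when compared to other systems" symptom in the question. All hosts, messages and times are constructed.

```python
"""Ingest-only central log store with server-side timestamps.  Clients can
only append; the server records its own clock as the authoritative time and
keeps the client-claimed time beside it, so a backdated or edited timestamp
shows up as skew.  Added example, not from the original page."""
from datetime import datetime, timedelta, timezone


class IngestOnlyLogStore:
    """Append-only store: no update or delete method exists, and records()
    hands out copies so callers cannot mutate what was ingested."""

    def __init__(self, clock=None):
        self._records = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def ingest(self, host, client_ts, message):
        rec = {
            "seq": len(self._records),               # server-assigned ordering
            "ingest_ts": self._clock().isoformat(),  # server clock, authoritative
            "host": host,
            "client_ts": client_ts,                  # kept as evidence, never trusted
            "message": message,
        }
        self._records.append(rec)
        return rec["seq"]

    def records(self):
        return [dict(r) for r in self._records]


def flag_clock_skew(records, max_skew=timedelta(minutes=5)):
    """Return [(seq, host, reason)] for records whose client-claimed time
    disagrees with the server ingest time by more than max_skew."""
    flagged = []
    for r in records:
        ingest = datetime.fromisoformat(r["ingest_ts"])
        try:
            claimed = datetime.fromisoformat(r["client_ts"])
        except ValueError:
            flagged.append((r["seq"], r["host"], "unparseable client timestamp"))
            continue
        if claimed.tzinfo is None:          # treat naive client times as UTC
            claimed = claimed.replace(tzinfo=timezone.utc)
        delta = ingest - claimed
        if abs(delta) > max_skew:
            flagged.append((r["seq"], r["host"],
                            f"client clock differs from server by {delta}"))
    return flagged


def _fixed_clock(start):
    """Deterministic clock for the demo: advances one second per call."""
    state = {"now": start}

    def tick():
        state["now"] += timedelta(seconds=1)
        return state["now"]
    return tick


def demo():
    """Constructed records: web02 asserts a time three days in the past and
    db01 sends one unparseable timestamp; both get flagged."""
    start = datetime(2025, 1, 10, 8, 0, 0, tzinfo=timezone.utc)
    store = IngestOnlyLogStore(clock=_fixed_clock(start))
    store.ingest("web01", "2025-01-10T08:00:01+00:00", "sshd: session opened for user ops")
    store.ingest("web02", "2025-01-07T02:14:09+00:00", "sshd: session opened for user ops")
    store.ingest("db01", "2025-01-10T08:00:03+00:00",
                 "sudo: ops : COMMAND=/usr/bin/systemctl restart postgresql")
    store.ingest("db01", "yesterday 3pm", "cron: job finished")
    return store, flag_clock_skew(store.records())


if __name__ == "__main__":
    _, findings = demo()
    for seq, host, reason in findings:
        print(seq, host, reason)
```

The design point is that the server's clock and sequence number are the record of when something arrived, so even a client that rewrites its local log files cannot move an already-ingested event, and an attempt to report a rewritten time simply produces a skew finding. In production the same idea is implemented by a syslog relay or SIEM collector that stamps on receipt and forwards to storage the endpoint cannot write to.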
A security engineer must ensure that sensitive corporate information is not exposed if a company laptop is stolen. Which of the following actions best addresses this requirement?
A. Utilizing desktop as a service for all company data and multifactor authentication
B. Using explicit allow lists of specific IP addresses and deploying single sign-on
C. Deploying mobile device management and requiring stronger passwords
D. Updating security mobile reporting policies and monitoring data breaches
Explanation:
If a laptop is stolen, the risk is that locally stored sensitive data can be accessed. Using Desktop as a Service (DaaS) ensures that no company data resides on the laptop itself — all applications and data are hosted remotely. Multifactor authentication (MFA) prevents an attacker from accessing those remote resources even if they have the stolen laptop.
Correct Option:
A. Utilizing desktop as a service for all company data and multifactor authentication
DaaS (e.g., Azure Virtual Desktop, Amazon WorkSpaces) keeps corporate data in the cloud or data center, not on the endpoint.
A stolen laptop contains only a thin client or zero persistent data.
MFA adds a second layer: the thief cannot authenticate to the remote desktop without the second factor.
This eliminates data exposure from device theft.
Incorrect Options:
B. Using explicit allow lists of specific IP addresses and deploying single sign-on
IP allow lists restrict where access is permitted, but a stolen laptop used from an allowed IP (e.g., home network) still exposes local data.
Single sign-on (SSO) simplifies authentication but does not remove sensitive data from the laptop.
Does not address data at rest on the stolen device.
C. Deploying mobile device management and requiring stronger passwords
MDM can enforce encryption and remote wipe, but data still exists locally on the laptop.
Stronger passwords may delay but not prevent offline brute‑force attacks against encrypted drives.
If the laptop is stolen while powered on and unlocked, the password is moot.
Less effective than removing local data entirely.
D. Updating security mobile reporting policies and monitoring data breaches
Policies and monitoring are reactive and administrative controls.
They do not technically prevent data exposure from a stolen laptop.
Reporting after theft is not a preventive measure.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 2: Security Operations (Endpoint Security, Data Loss Prevention). NIST SP 800-124 (Guidelines for Managing the Security of Mobile Devices) — “Thin client or VDI eliminates data at rest on stolen devices.” Zero Trust model — never trust the device, always authenticate and authorize.
A security engineer receives the following findings from a recent security audit:
• Data should be protected based on user permissions and roles.
• User action tracking should be implemented across the network.
• Digital identities should be validated across the data access workflow.
Which of the following is the first action the engineer should take to address the findings?
A. Implement continuous and context-based authentication and authorization
B. Use an enhanced user credential provisioning workflow and data monitoring tools
C. Improve federation services for digital identities and data access
D. Deploy OpenID Connect for API authentication
Explanation:
The audit findings require permission‑based protection (roles), user action tracking, and identity validation across data access. Continuous and context‑based authentication and authorization (e.g., zero trust, Conditional Access) addresses all three: it enforces roles (authorization), enables user action tracking (session monitoring), and validates identities continuously (not just at login). This is the foundational first step before adding specific tools like federation or API authentication.
Correct Option:
A. Implement continuous and context‑based authentication and authorization
Role‑based protection is enforced through authorization policies tied to identity.
Continuous authentication enables user action tracking across the network (e.g., re‑evaluating trust per access).
Digital identity validation happens at every access request, not just once.
This approach directly maps to all three findings and is a strategic first action.
Incorrect Options:
B. Use an enhanced user credential provisioning workflow and data monitoring tools
Credential provisioning addresses identity lifecycle but not continuous validation.
Data monitoring tools track actions but do not enforce permissions or validate identities.
This is a tactical, partial solution that misses the integrated continuous validation requirement.
C. Improve federation services for digital identities and data access
Federation enables single sign‑on across domains but does not inherently provide continuous validation or user action tracking.
Federation is about identity trust between organizations, not internal role‑based protection and continuous authorization.
Too narrow in scope for the given findings.
D. Deploy OpenID Connect for API authentication
OpenID Connect (OIDC) is an identity layer on top of OAuth 2.0 for API authentication.
It does not address user action tracking across the entire network.
Does not enforce role‑based data protection or continuous validation.
Too specific and API‑focused for these general findings.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 1: Security Architecture (Zero Trust, Continuous Authentication). NIST SP 800-207 (Zero Trust Architecture) — “Continuous authentication and authorization are core tenets.” NIST SP 800-63B (Digital Identity Guidelines) — “Role‑based access and continuous validation improve security posture.”
A security analyst is developing a threat model that focuses on attacks associated with the organization's storage products. The products:
• Are used in commercial and government user environments
• Are required to comply with crypto-export requirements
• Include both hardware and software components that are developed by external vendors in Europe and Asia
Which of the following are the most important for the analyst to consider when developing the model? (Select two).
A. Contractual obligations
B. Legal hold obligations
C. Trust boundaries
D. Cloud services enumeration
E. Supply chain access
F. Homomorphic encryption usage
Explanation:
The threat model focuses on attacks against storage products with diverse user environments (commercial/government), crypto‑export rules, and multi‑vendor hardware/software from Europe and Asia. Trust boundaries (where data and control cross between components, vendors, or environments) and supply chain access (risks introduced by external vendors) are most critical, as attackers could target vendor development, manufacturing, or integration points.
Correct Options:
C. Trust boundaries
Each external vendor (Europe/Asia) introduces a trust boundary where security assumptions change.
Data, firmware, or updates crossing from vendor to integrator to customer create potential attack surfaces.
Trust boundaries help identify where validation, encryption, or access controls must be enforced.
E. Supply chain access
Hardware and software developed by external vendors in different regions increases supply chain risk.
Attackers could insert backdoors, compromise build pipelines, or tamper with components before delivery.
Crypto‑export requirements also intersect with supply chain (e.g., restricted algorithms, regional compliance).
Incorrect Options:
A. Contractual obligations
Important for legal and compliance but not a core element of a technical threat model.
Contracts do not define attack vectors or adversary capabilities.
B. Legal hold obligations
Relevant to e‑discovery and litigation, not to identifying threats against storage products.
Does not help model attacker behavior or system vulnerabilities.
D. Cloud services enumeration
The scenario does not mention cloud deployment; products are storage systems used in various environments.
Enumerating cloud services is irrelevant if the threat model is product‑focused.
F. Homomorphic encryption usage
Homomorphic encryption is a niche cryptographic technique not mentioned or implied in the scenario.
Not relevant to threat modeling for storage products with external vendors.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 1: Security Architecture (Threat Modeling, Trust Boundaries, Supply Chain Risk). NIST SP 800-161 (Supply Chain Risk Management Practices). Microsoft SDL Threat Modeling — “Identify trust boundaries between components, external vendors, and environments.” OWASP Threat Modeling — supply chain and third‑party components are critical attack surfaces.
A security analyst is reviewing the following authentication logs:
Which of the following should the analyst do first?
A. Disable User2's account
B. Disable User12's account
C. Disable User8's account
D. Disable User1's account
Explanation:
The log shows multiple failed login attempts (Login success? = "No") for User1 across two different computers (VM01 and VM02) at the exact same timestamp (8:01:23 AM). This pattern suggests a password spraying or credential stuffing attack targeting User1's account. Compromised accounts often show rapid, simultaneous failures before a successful break-in. User1 should be disabled first for investigation.
Correct Option:
D. Disable User1's account
User1 appears twice in the same second from two different machines (VM01, VM02) — highly suspicious.
Failed logins across multiple systems simultaneously indicate automated attack, not user error.
No corresponding success for User1 in the log, but the attack may still be ongoing.
Disabling User1 stops lateral movement attempts using that credential.
Incorrect Options:
A. Disable User2's account
User2 has only one failed attempt (on VM03) at 8:00:23 AM.
Single failure could be a typo; no pattern of multiple attempts.
Not the priority compared to User1's widespread failures.
B. Disable User12's account
User12 does not appear anywhere in the provided log extract.
No evidence of suspicious activity for this account.
Cannot be justified based on given data.
C. Disable User8's account
User8 does not appear in the log extract.
No failed or successful login events shown.
No basis for action.
Note: The log shows successful logins for User3 and User6 (marked "Yes") — those are likely legitimate and not immediate disable candidates. The question asks for first action, and User1 presents the clearest evidence of an active attack.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 3: Security Operations (Log Analysis, Incident Response). MITRE ATT&CK T1110 (Brute Force: Password Spraying) — indicators include multiple failed logins for a single account across different systems. NIST SP 800-61 (Incident Handling) — disable compromised accounts as a containment step.
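The question's log image is not reproduced on this page, so the extract below is constructed to match what the explanation describes (User1 failing on VM01 and VM02 in the same second, one User2 failure on VM03, successes for User3 and User6). The detection logic is an added example, not from the original page: it groups failures per account, looks for the same account failing on two or more hosts inside a short window, and explains for each candidate account whether the extract justifies disabling it. Column names and the window size are this example's assumptions.

```python
"""Detect one account failing on several hosts within a short window
(the password-spray / credential-stuffing pattern described above) and
rank candidate accounts for containment.  Added example, not from the
original page; the log extract is constructed to match the explanation."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Time,Computer,User,Login success?
8:00:23 AM,VM03,User2,No
8:00:45 AM,VM01,User3,Yes
8:01:23 AM,VM01,User1,No
8:01:23 AM,VM02,User1,No
8:01:40 AM,VM04,User6,Yes
"""


def parse_log(text):
    """CSV extract -> list of dicts with a datetime (time-of-day only,
    because the extract carries no date)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(r["Time"].strip(), "%I:%M:%S %p"),
            "host": r["Computer"].strip(),
            "user": r["User"].strip(),
            "ok": r["Login success?"].strip().lower() == "yes",
        })
    return rows


def failures_by_user(rows):
    fails = defaultdict(list)
    for r in rows:
        if not r["ok"]:
            fails[r["user"]].append(r)
    return fails


def flag_multi_host_failures(rows, window=timedelta(seconds=60), min_hosts=2):
    """Return [(user, sorted_hosts, first_time, last_time)] for accounts
    whose failed logons touched >= min_hosts distinct hosts inside `window`."""
    flagged = []
    for user, fails in failures_by_user(rows).items():
        fails.sort(key=lambda r: r["ts"])
        i = 0
        for j in range(len(fails)):
            while fails[j]["ts"] - fails[i]["ts"] > window:   # slide window start
                i += 1
            hosts = {r["host"] for r in fails[i:j + 1]}
            if len(hosts) >= min_hosts:
                flagged.append((user, sorted(hosts),
                                fails[i]["ts"].strftime("%H:%M:%S"),
                                fails[j]["ts"].strftime("%H:%M:%S")))
                break
    return sorted(flagged, key=lambda f: -len(f[1]))


def triage(rows, candidates):
    """Explain, per candidate account, whether the extract justifies disabling it."""
    flagged = {f[0] for f in flag_multi_host_failures(rows)}
    fails = failures_by_user(rows)
    seen = {r["user"] for r in rows}
    verdict = {}
    for u in candidates:
        if u in flagged:
            verdict[u] = "disable first: failures on multiple hosts within the window"
        elif u in fails:
            verdict[u] = f"{len(fails[u])} failure(s) on one host; could be a typo, watch it"
        elif u in seen:
            verdict[u] = "only successful logons in extract; no basis to disable"
        else:
            verdict[u] = "not present in extract; no basis to disable"
    return verdict


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for user, verdict in triage(rows, ["User2", "User12", "User8", "User1"]).items():
        print(user, "->", verdict)
```

The sliding window is what separates an automated pattern from a user mistyping a password: a single account failing on distinct hosts within seconds is not something a person at one keyboard produces. The same function run with a larger window and min_hosts of 1 across many accounts would surface the "many users, one password" form of spraying.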
A company discovers intellectual property data on commonly known collaboration web applications that allow the use of slide templates. The systems administrator is reviewing the configurations of each tool to determine how to prevent this issue. The following security solutions are deployed:
CASB
SASE
WAF
EDR
Firewall
IDS
SIEM
DLP endpoints
Which of the following should the administrator do to address the issue?
A. Enable blocking for all WAF policies.
B. Enforce a policy to block unauthorized web applications within CASB.
C. Create an alert within the SIEM for outgoing network traffic to the suspected website.
D. Configure DLP endpoints to block sensitive data to removable storage.
Explanation:
The issue is intellectual property data being placed on unauthorized collaboration web applications (e.g., public slide template sites). The CASB (Cloud Access Security Broker) is specifically designed to discover and control access to cloud applications. Enforcing a policy to block unauthorized web applications directly prevents users from uploading sensitive data to those sites, addressing the root cause.
Correct Option:
B. Enforce a policy to block unauthorized web applications within CASB.
CASB provides visibility into shadow IT and sanctioned vs. unsanctioned cloud apps.
Blocking policies prevent users from accessing or uploading data to prohibited collaboration sites.
This is a preventive control that stops the data exfiltration at the application access layer.
Other tools (WAF, SIEM, DLP endpoints) are not designed for cloud app discovery and policy enforcement at this level.
Incorrect Options:
A. Enable blocking for all WAF policies.
WAF protects web applications from injection attacks (SQLi, XSS), not from users uploading data to external collaboration sites.
WAF is typically inbound-focused; does not control outbound SaaS application access.
Irrelevant to preventing IP leakage to slide template websites.
C. Create an alert within the SIEM for outgoing network traffic to the suspected website.
Alerting is detective, not preventive; data has already left the organization.
Does not stop the user from uploading intellectual property.
Useful for visibility but does not address the requirement to "prevent this issue."
D. Configure DLP endpoints to block sensitive data to removable storage.
Removable storage (USB drives) is not the problem — collaboration web applications are.
DLP endpoints may have web upload controls, but CASB is more effective for cloud app enforcement.
This option addresses a different exfiltration vector, not the stated issue.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 3: Security Operations (CASB, Shadow IT, Data Loss Prevention). NIST SP 800-210 (CASB guidance) — “Enforce access and data security policies for cloud applications.” Gartner — “CASB provides policy enforcement for sanctioned and unsanctioned cloud apps.”
A water power generation plant fails a security inspection. The controllers are distributed across a river that is 0.5mi (0.8km) wide. The controllers are connected via HTTP to the shoreside master controller. The distributed controllers and the shoreside controller communicate over the internet using a cellular network. The company cannot encrypt control traffic because the systems will not tolerate the additional overhead. Which of the following strategies is the best way to reduce the risk of compromise?
A. Monitoring control traffic for command sequences with out-of-range or unexpected values
B. Disconnecting cellular radios in favor of shielded Cat 5e cables to each of the controllers
C. Reviewing the ladder logic on the controllers to determine whether unauthorized changes have been introduced
D. Deploying a dedicated base station and reducing the footprint with highly directional antennas
Explanation:
The controllers communicate over the internet via cellular network, exposing them to interception and attack. Encryption is not possible due to overhead tolerance. The best compensating control is to reduce the attack surface by replacing the public cellular internet with a dedicated, physically isolated wireless link using a private base station and directional antennas, preventing external adversaries from reaching the control traffic at all.
Correct Option:
D. Deploying a dedicated base station and reducing the footprint with highly directional antennas
A private cellular base station (e.g., microcell) creates a closed, non‑internet‑routed network.
Directional antennas limit signal propagation to the river width (0.5mi), minimizing eavesdropping risk.
Eliminates exposure to internet-based threats without adding encryption overhead.
This is a network segmentation/air gap strategy appropriate for legacy OT systems.
Incorrect Options:
A. Monitoring control traffic for command sequences with out-of-range or unexpected values
Monitoring detects anomalies but does not prevent compromise.
Attackers could still send malicious commands; detection may be after damage occurs.
Passive monitoring does not reduce risk of initial interception or injection.
B. Disconnecting cellular radios in favor of shielded Cat 5e cables to each of the controllers
Cat 5e cable maximum length is 100 m (328 ft); the river is 0.8 km wide — physically impossible.
Cables across water are impractical, costly, and vulnerable to environmental damage.
Not a feasible solution.
C. Reviewing the ladder logic on the controllers to determine whether unauthorized changes have been introduced
This is a forensic or audit activity, not a real‑time risk reduction strategy.
Does not prevent future compromise; only detects past changes.
Reactive, not preventive.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 2: Security Operations (OT/IoT Security, Industrial Control Systems). NIST SP 800-82 (Guide to ICS Security) — “Use network segmentation and dedicated wireless links for legacy controllers that cannot support encryption.” CISA Best Practices — “Directional antennas and private base stations reduce RF attack surface.”
Operational technology often relies upon aging command, control, and telemetry subsystems that were created with the design assumption of:
A. operating in an isolated/disconnected system.
B. communicating over distributed environments.
C. untrustworthy users and systems being present.
D. an available Ethernet/IP network stack for flexibility.
E. anticipated eavesdropping from malicious actors.
Explanation:
Legacy operational technology (OT) subsystems — such as SCADA, PLCs, and industrial controllers — were designed decades ago under the assumption that they would operate in physically isolated or air‑gapped environments. Security was not a design priority because there was no network connectivity to external threats. This is why many OT systems lack encryption, authentication, or modern security controls.
Correct Option:
A. operating in an isolated/disconnected system.
Early OT systems assumed air‑gapped networks with no external connectivity.
No security mechanisms (encryption, authentication, logging) were built in because physical access was the only threat.
Modern convergence with IT networks exposes these legacy design weaknesses.
This assumption directly explains why aging command, control, and telemetry subsystems are insecure by today’s standards.
Incorrect Options:
B. communicating over distributed environments
Many legacy OT systems were designed for local, not distributed, communication (e.g., serial links, proprietary fieldbuses).
Distributed environments introduce security challenges, but that was not the original design assumption.
C. untrustworthy users and systems being present
Legacy OT assumed trustworthy users (operators) and no external systems.
Untrustworthy users were not part of the design basis; that is a modern zero‑trust concept.
D. an available Ethernet/IP network stack for flexibility
Early OT used proprietary or serial protocols (Modbus RTU, Profibus, DNP3 over serial), not Ethernet/IP.
Ethernet/IP and flexibility came later, not as an original design assumption.
E. anticipated eavesdropping from malicious actors
Eavesdropping was not anticipated; physical isolation was presumed.
If eavesdropping were anticipated, encryption would have been included, which it was not.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 2: Security Operations (OT/IoT, Legacy System Design). NIST SP 800-82 (Guide to ICS Security) — Section 2.2: “Legacy ICS were designed for isolated environments with no security mechanisms.” CISA — “Many OT systems assume a trusted, air‑gapped network.”
During an incident response activity, the response team collected some artifacts from a compromised server, but the following information is missing:
• Source of the malicious files
• Initial attack vector
• Lateral movement activities
The next step in the playbook is to reconstruct a timeline. Which of the following best supports this effort?
A. Executing decompilation of binary files
B. Analyzing all network routes and connections
C. Performing primary memory analysis
D. Collecting operational system logs and storage disk data
Explanation:
To reconstruct a timeline of an incident and determine the source of malicious files, the initial attack vector, and lateral movement, the response team needs persistent and historical data. Operating system logs (event logs, audit logs, Sysmon, PowerShell logs) and storage disk data (file system timestamps, registry, prefetch, $MFT) provide the chronological record required for timeline reconstruction.
Correct Option:
D. Collecting operational system logs and storage disk data
System logs (Security, Application, Sysmon) record process creation, logins, service starts, and network connections.
Storage disk data includes file creation/modification timestamps, registry changes, and prefetch files.
Together, they enable timeline reconstruction to answer what happened, when, and in what order.
This is standard digital forensics practice for incident response.
Incorrect Options:
A. Executing decompilation of binary files
Decompilation reveals code logic in malicious binaries but does not provide timeline or attack vector.
Does not explain how the file arrived or where it moved laterally.
Useful for malware analysis, not incident timeline reconstruction.
B. Analyzing all network routes and connections
Network analysis can show lateral movement (e.g., RDP, SMB connections), but only if logs or NetFlow are preserved.
Without logs stored on disk, network analysis alone is incomplete.
Does not provide file source or initial attack vector (e.g., phishing email, vulnerable service).
C. Performing primary memory analysis
Memory analysis captures running processes, network connections, and open files at the time of acquisition.
It is volatile and may not contain historical timeline data (e.g., events from days prior).
Useful for detecting active malware, but not for reconstructing events before memory capture.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 3: Security Operations (Digital Forensics, Incident Response). NIST SP 800-86 (Guide to Integrating Forensic Techniques into Incident Response) — “System logs and disk images are primary sources for timeline reconstruction.” SANS FOR508 — “Timeline analysis requires file system metadata and event logs.”
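To show how logs and disk metadata combine into one timeline, here is an added Python example (not from the original page; every artifact below is constructed): event-log records, $MFT-style created/modified/accessed times and prefetch last-run times are normalised into one sorted list, then a pivot around a file's first appearance on disk pulls out what happened just before and after it, which is how the source of a file and subsequent lateral movement are usually narrowed down. Host names, paths and event text are this example's own.

```python
"""Build a single sorted timeline from OS event logs and disk metadata,
then pivot around the first appearance of a file to see what preceded
and followed it.  Added example, not from the original page; all sample
artifacts are constructed."""
from datetime import datetime, timedelta, timezone


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed Windows-style event log extract (Security + Sysmon), unsorted
EVENTS = [
    {"ts": "2025-03-04T09:12:05Z", "log": "Security", "event_id": 4624,
     "detail": "Network logon (type 3) user=ops to FILESRV01 from WS17"},
    {"ts": "2025-03-04T09:10:30Z", "log": "Sysmon", "event_id": 1,
     "detail": "ProcessCreate WINWORD.EXE opened Downloads\\invoice.docm"},
    {"ts": "2025-03-04T09:12:40Z", "log": "Security", "event_id": 5140,
     "detail": "Share \\\\FILESRV01\\finance accessed by ops"},
]

# Constructed file-system metadata ($MFT-style created/modified/accessed)
FILES = [
    {"path": r"C:\Users\ops\Downloads\invoice.docm",
     "created": "2025-03-04T09:10:00Z", "modified": "2025-03-04T09:10:00Z",
     "accessed": "2025-03-04T09:10:30Z"},
    {"path": r"C:\Windows\Temp\update.exe",
     "created": "2025-03-04T09:11:02Z", "modified": "2025-03-04T09:11:02Z",
     "accessed": "2025-03-04T09:11:05Z"},
]

# Constructed prefetch records (last execution time per binary)
PREFETCH = [{"exe": "UPDATE.EXE", "last_run": "2025-03-04T09:11:05Z"}]


def build_timeline(events=EVENTS, files=FILES, prefetch=PREFETCH):
    """Normalise every artifact into {ts, source, detail} and sort by time."""
    rows = []
    for e in events:
        rows.append({"ts": _t(e["ts"]), "source": f"{e['log']}:{e['event_id']}",
                     "detail": e["detail"]})
    for f in files:
        for attr in ("created", "modified", "accessed"):
            rows.append({"ts": _t(f[attr]), "source": f"fs:{attr}", "detail": f["path"]})
    for p in prefetch:
        rows.append({"ts": _t(p["last_run"]), "source": "prefetch:run", "detail": p["exe"]})
    rows.sort(key=lambda r: r["ts"])   # stable: equal timestamps keep input order
    return rows


def first_seen(timeline, path):
    """Earliest file-system timestamp for `path`, i.e. its first appearance on disk."""
    hits = [r["ts"] for r in timeline
            if r["source"].startswith("fs:") and r["detail"] == path]
    return min(hits) if hits else None


def pivot(timeline, path, before=timedelta(minutes=2), after=timedelta(minutes=2)):
    """Everything in [first_seen - before, first_seen + after] other than the
    pivot file's own metadata: the context that explains where it came from
    and what ran after it."""
    t0 = first_seen(timeline, path)
    if t0 is None:
        return []
    return [r for r in timeline
            if t0 - before <= r["ts"] <= t0 + after and r["detail"] != path]


def render(rows):
    """One line per entry, ready to paste into an incident report."""
    return [f"{r['ts'].strftime('%H:%M:%S')} {r['source']:<14} {r['detail']}" for r in rows]


if __name__ == "__main__":
    tl = build_timeline()
    print("\n".join(render(pivot(tl, r"C:\Windows\Temp\update.exe"))))
```

Reading the pivot output top to bottom answers the three missing items in order: the document download and the Office process that opened it sit just before the binary appears (source and initial vector), the prefetch entry confirms it executed, and the type-3 logon and share access that follow are the first lateral-movement candidates to chase on FILESRV01. Memory alone could not have produced this because most of these entries predate any capture.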