Free CompTIA CAS-005 Practice Questions 2026 - Page 2
Which of the following best explains the business requirement a healthcare provider fulfills by encrypting patient data at rest?
A. Securing data transfer between hospitals
B. Providing for non-repudiation data
C. Reducing liability from identity theft
D. Protecting privacy while supporting portability.
Explanation:
Why D is Correct:
This option most accurately and completely captures the core business and regulatory requirements for a healthcare provider.
Protecting Privacy:
This is the primary driver. Regulations like HIPAA (Health Insurance Portability and Accountability Act) in the United States mandate the protection of patient Protected Health Information (PHI). Encryption of data at rest is a key safeguard to ensure confidentiality and privacy, preventing unauthorized access if devices are lost, stolen, or improperly accessed. It directly addresses the fundamental ethical and legal duty to keep patient information private.
Supporting Portability:
This is a critical business enabler. Healthcare data needs to be portable—it must be stored on laptops, mobile devices, USB drives, and in cloud data centers to facilitate modern healthcare delivery, backups, and research. Encryption is the technology that makes this portability secure. It allows data to be moved and stored flexibly without incurring the high risk of a data breach. The "portability" in HIPAA's name hints at this need for data movement in a secure manner.
Why A is Incorrect:
Encrypting data at rest protects data while it is stored on a device (e.g., a database, hard drive). Securing data transfer between hospitals is the role of encrypting data in transit (e.g., using TLS for network transmission). This is an important requirement, but it is not the one fulfilled by encryption at rest.
Why B is Incorrect:
Non-repudiation provides proof of the origin of data and prevents a sender from denying having sent it. This is a security service achieved through digital signatures and cryptographic hashing, not through encryption at rest. Encryption ensures confidentiality, not non-repudiation.
Why C is Incorrect:
While reducing liability from identity theft is a positive outcome of encrypting data, it is not the best explanation of the direct business requirement. The requirement is driven by proactive compliance with privacy laws (like HIPAA) and the duty of care to protect patients. Reducing liability is a beneficial consequence of meeting that primary requirement, not the requirement itself. Option D is a more precise and comprehensive description of the core business and regulatory need.
Reference:
This question falls under Domain 4.0: Governance, Risk, and Compliance. It tests the ability to map a technical control (encryption at rest) back to the fundamental business and legal requirements that mandate its use, particularly in a heavily regulated industry like healthcare. Understanding the "why" behind a control is crucial for a CASP+.
The material findings from a recent compliance audit indicate a company has an issue with excessive permissions. The findings show that employees changing roles or departments results in privilege creep. Which of the following solutions are the best ways to mitigate this issue? (Select two).
Setting different access controls defined by business area
A. Implementing a role-based access policy
B. Designing a least-needed privilege policy
C. Establishing a mandatory vacation policy
D. Performing periodic access reviews
E. Requiring periodic job rotation
D. Performing periodic access reviews
Explanation:
The core problem identified is privilege creep due to employees changing roles. This means users accumulate permissions over time because old access rights are not removed when they are no longer needed for their new position. The solutions must directly address this accumulation and ensure permissions align with current job functions.
Why A is Correct (Implementing a role-based access policy):
Role-Based Access Control (RBAC) is a fundamental solution to this exact problem. Instead of assigning permissions directly to users, permissions are assigned to roles (e.g., "Accountant," "Marketing Manager"). Users are then assigned to these roles. When an employee changes departments, their old role is simply removed, and their new role is assigned. This automatically revokes the old permissions and grants the new, appropriate ones, effectively preventing privilege creep by design.
Why D is Correct (Performing periodic access reviews):
Even with RBAC in place, processes can break down. Periodic user access reviews (also known as recertification) are a critical administrative control to catch and correct privilege creep. In these reviews, managers or system owners periodically attest to whether their employees' current access levels are still appropriate for their job functions. This process proactively identifies and removes excessive permissions that may have been missed during a role transition.
Why the Other Options Are Incorrect:
B. Designing a least-needed privilege policy:
While the principle of least privilege is the ultimate goal, this option describes a concept or principle, not an actionable solution to the problem of privilege creep. Implementing RBAC (Option A) is how you operationalize and enforce a least privilege policy. Therefore, A is a more direct and specific solution.
C. Establishing a mandatory vacation policy:
This is a detective control primarily used to uncover fraud (e.g., requiring an employee to take vacation forces someone else to perform their duties, potentially revealing fraudulent activity). It does not directly address the procedural issue of permissions not being removed during role changes.
E. Requiring periodic job rotation:
Job rotation is a security practice used to reduce the risk of fraud and collusion and to cross-train employees. It would actually exacerbate the problem of privilege creep, as more employees changing roles would lead to even more accumulated permissions if a proper process (like RBAC and access reviews) is not in place to manage the transitions.
Reference:
This question falls under Domain 4.0: Governance, Risk, and Compliance. It tests knowledge of identity and access management (IAM) best practices, specifically the controls used to implement and maintain the principle of least privilege and prevent authorization vulnerabilities like privilege creep. RBAC and access recertification are cornerstone practices for any mature IAM program.
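As an added illustration of the two correct answers above (example code written for this page, not part of the original question bank), the following models permissions that belong to roles rather than users, shows a clean role transition beside the "add the new role, forget the old one" pattern that causes privilege creep, and runs an access review that compares each user's effective permissions against the role the HR system says they currently hold. The role catalogue, user names and HR mapping are all constructed.

```python
"""Role-based access with a periodic access review that catches privilege creep.
Added example; catalogue, users and HR data below are constructed."""
from dataclasses import dataclass, field

# Permissions are attached to roles, never directly to people (RBAC).
ROLE_PERMISSIONS = {
    "accountant": {"ledger:read", "ledger:write", "payroll:read"},
    "marketing_manager": {"crm:read", "crm:write", "campaigns:approve"},
    "helpdesk": {"tickets:read", "tickets:write", "user:reset_password"},
}

# What the HR system says each person's current job is (constructed).
HR_JOB_ROLE = {"alice": "marketing_manager", "bob": "helpdesk"}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    # Ad-hoc grants made outside any role: a second place creep hides.
    direct_grants: set = field(default_factory=set)

    def effective_permissions(self) -> set:
        perms = set(self.direct_grants)
        for role in self.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms


def change_role(user: User, old_role: str, new_role: str) -> None:
    """Correct RBAC transition: dropping the old role revokes its permissions by design."""
    user.roles.discard(old_role)
    user.roles.add(new_role)


def copy_then_add(user: User, new_role: str) -> None:
    """The anti-pattern behind privilege creep: the new role is granted but the
    old role (and everything it carries) is never removed."""
    user.roles.add(new_role)


def access_review(users) -> dict:
    """Periodic recertification: for each user, return permissions they hold that
    their current job role does not justify. Empty dict means no findings."""
    findings = {}
    for u in users:
        justified = ROLE_PERMISSIONS[HR_JOB_ROLE[u.name]]
        excess = u.effective_permissions() - justified
        if excess:
            findings[u.name] = sorted(excess)
    return findings


def remediate(user: User) -> None:
    """Act on a finding: collapse the user to exactly their current job role."""
    user.roles = {HR_JOB_ROLE[user.name]}
    user.direct_grants.clear()


def build_scenario():
    """Two accountants move to new jobs; only one transition is done properly."""
    alice = User("alice", roles={"accountant"})
    bob = User("bob", roles={"accountant"})
    change_role(alice, "accountant", "marketing_manager")  # clean RBAC move
    copy_then_add(bob, "helpdesk")                         # creep: keeps ledger access
    return [alice, bob]


if __name__ == "__main__":
    users = build_scenario()
    print("review findings:", access_review(users))
    for u in users:
        remediate(u)
    print("after remediation:", access_review(users))
```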
Third parties notified a company's security team about vulnerabilities in the company's application. The security team determined these vulnerabilities were previously disclosed in third-party libraries. Which of the following solutions best addresses the reported vulnerabilities?
A. Using IaC to include the newest dependencies
B. Creating a bug bounty program
C. Implementing a continuous security assessment program
D. Integrating a SAST tool as part of the pipeline
Explanation:
Why A is Correct:
The root cause of the vulnerabilities is that the application uses third-party libraries with known, publicly disclosed vulnerabilities. The most direct and effective solution is to update these dependencies to their latest, patched versions. Infrastructure as Code (IaC) is the best practice for automating and managing this process.
IaC tools (like Terraform, Ansible, or cloud-specific templates) allow developers to define the application's infrastructure and dependencies in code files.
These definitions can specify the exact versions of libraries to be used. To remediate, a team can update the version number in the IaC script and redeploy. This ensures consistency, repeatability, and speed in pushing the patched libraries across all environments (dev, test, prod).
This approach directly fixes the reported problem by replacing the vulnerable component with a secure one.
Why B is Incorrect:
A bug bounty program is a crowdsourced initiative to incentivize external security researchers to find and report unknown vulnerabilities. The vulnerabilities in this scenario are already known and were reported by third parties. A bug bounty might help find future unknown issues, but it does nothing to fix the current, known problem with the libraries.
Why C is Incorrect:
Implementing a continuous security assessment program (which might include SAST, DAST, etc.) is a broad and valuable practice for finding vulnerabilities. However, like a bug bounty, it is a detective control. It would help identify that the vulnerable libraries are present, but the team already knows this because they've been notified. The requirement is to address or fix the vulnerability, not just to find it again. The fix is to update the library.
Why D is Incorrect:
Integrating a SAST (Static Application Security Testing) tool into the pipeline is also a detective control. It scans source code for patterns that indicate vulnerabilities. While it could potentially detect the use of a vulnerable library if its rules are tuned for that, its primary function is to find flaws in custom code. More importantly, it identifies problems but does not remediate them. The remediation is still the action of updating the dependency, which is best managed through IaC.
In summary:
While options B, C, and D are all valuable parts of a mature application security program, they are focused on finding vulnerabilities. The problem stated is that vulnerabilities have already been found. The necessary action is to patch them. Using IaC to automate dependency management and deployment is the most effective way to execute that patch quickly and consistently.
Reference:
This question falls under Domain 2.0: Security Operations and Domain 1.0: Security Architecture. It addresses vulnerability management and the practical application of DevOps practices (like IaC) to ensure secure and consistent configurations across environments.
A security administrator is performing a gap assessment against a specific OS benchmark.
The benchmark requires the following configurations be applied to endpoints:
• Full disk encryption
• Host-based firewall
• Time synchronization
• Password policies
• Application allow listing
• Zero Trust application access
Which of the following solutions best addresses the requirements? (Select two).
A. CASB
B. SBoM
C. SCAP
D. SASE
E. HIDS
D. SASE
Explanation:
The question requires selecting solutions that best help an administrator apply and enforce a specific set of OS security configurations (like disk encryption, firewall settings, etc.) across endpoints. The goal is to close the gap between the current state and the desired benchmark.
Why C is Correct (SCAP):
The Security Content Automation Protocol (SCAP) is a suite of standards specifically designed for this exact task. It allows for:
Automated Compliance Checking:
SCAP-compliant tools can automatically scan an endpoint (using benchmarks like CIS or DISA STIGs) and check its configuration against hundreds of required settings (firewall rules, password policies, time sync, etc.).
Remediation:
Many SCAP tools can not only identify misconfigurations but also automatically remediate them to bring the system into compliance.
Standardized Benchmarks:
The requirements listed (firewall, time sync, password policies) are classic configuration items that are defined in SCAP benchmarks. SCAP is the industry standard for automating technical compliance and hardening.
Why D is Correct (SASE):
Secure Access Service Edge (SASE) is a cloud architecture that converges networking and security functions. It directly addresses two requirements from the list:
Zero Trust application access:
This is a core principle of SASE. It ensures users and devices are authenticated and authorized before granting access to applications, regardless of their location, which fulfills the "Zero Trust application access" requirement.
Host-based firewall (extension):
While SASE provides a cloud-delivered firewall, it can also help enforce security policies that complement or supersede the need for a host-based firewall by applying consistent security at the network edge.
SASE provides a framework to enforce these policies consistently across all endpoints.
Why the Other Options Are Incorrect:
A. CASB (Cloud Access Security Broker):
A CASB is primarily focused on securing access to cloud applications (SaaS) and enforcing security policies between users and the cloud. It does not manage OS-level configurations on endpoints like disk encryption, host firewalls, or time synchronization.
B. SBoM (Software Bill of Materials):
An SBoM is an inventory of components in a software product. It is used for vulnerability management in the software supply chain (e.g., finding vulnerable libraries). It is completely unrelated to configuring operating system settings on an endpoint.
E. HIDS (Host-Based Intrusion Detection System):
A HIDS monitors a host for signs of malicious activity and policy violations. It is a detective control. While it might alert on a misconfiguration, it is not the tool used to apply the required configurations from a benchmark. SCAP is the tool for applying the configuration; a HIDS might monitor for changes to that configuration afterward.
Reference:
This question falls under Domain 2.0: Security Operations and Domain 1.0: Security Architecture. It tests the knowledge of specific security technologies and their appropriate application for system hardening, compliance automation (SCAP), and modern secure access principles (SASE).
A company wants to implement hardware security key authentication for accessing sensitive information systems. The goal is to prevent unauthorized users from gaining access with a stolen password. Which of the following models should the company implement to best solve this issue?
A. Rule based
B. Time-based
C. Role based
D. Context-based
Explanation:
Why B is Correct:
The question describes the implementation of hardware security keys (e.g., YubiKey, Google Titan) to prevent access with a stolen password. This is a classic description of multi-factor authentication (MFA) where the hardware key provides the "something you have" factor.
The most common protocol used by these hardware keys for generating the one-time passcode is the Time-based One-Time Password (TOTP) algorithm. This algorithm generates a code that is synchronized with the authentication server and changes every 30-60 seconds. Even if a password is stolen, an attacker cannot access the system without physically possessing the hardware key that generates the current, valid code. Therefore, the company is implementing a time-based authentication model.
Why A is Incorrect:
Rule-based access control involves making access decisions based on a set of predefined rules or filters (e.g., "Allow access if the request comes from the HR network segment"). It is a type of access control model, not an authentication factor model. It does not describe how the one-time code from a hardware key is generated.
Why C is Incorrect:
Role-based access control (RBAC) is an authorization model where access permissions are assigned to roles, and users are assigned to those roles. It governs what a user can do after they are authenticated. The question is specifically about the authentication process (proving identity), not authorization (assigning permissions).
Why D is Incorrect:
Context-based authentication is a more advanced form of MFA that considers additional contextual factors (e.g., geographic location, time of day, network reputation, device posture) when making an authentication decision. While a hardware key could be part of a context-based system, the core functionality described—using a hardware token to generate a one-time code—is fundamentally time-based. Context-based would be a broader, more adaptive model that might use time-based codes as one input.
Reference:
This question falls under Domain 3.0: Security Engineering and Cryptography. It tests the understanding of authentication protocols and factors, specifically the operation of hardware security tokens and the underlying time-based model that makes them secure.
A systems administrator wants to use existing resources to automate reporting from disparate security appliances that do not currently communicate. Which of the following is the best way to meet this objective?
A. Configuring an API Integration to aggregate the different data sets
B. Combining back-end application storage into a single, relational database
C. Purchasing and deploying commercial off the shelf aggregation software
D. Migrating application usage logs to on-premises storage
Explanation:
Why A is Correct:
The core requirements are to automate reporting from disparate security appliances that do not currently communicate, using existing resources.
APIs (Application Programming Interfaces) are the standard method for enabling different software systems to communicate and share data. Most modern security appliances (firewalls, IDS/IPS, EDR, etc.) have APIs designed specifically for this purpose—to extract logs, alerts, and configuration data.
Automation:
By writing scripts (e.g., in Python) that call these APIs, the systems administrator can automatically pull data from each disparate appliance on a scheduled basis without manual intervention.
Aggregation:
The data collected from these various APIs can then be parsed, normalized, and aggregated into a single format for reporting (e.g., fed into a dashboard, a SIEM, or a custom database). This approach directly leverages existing appliance capabilities (their APIs) and can often be implemented with existing scripting skills and resources.
Why B is Incorrect:
Combining back-end application storage into a single relational database is often not feasible. The appliances likely use different, proprietary storage formats and databases. Directly combining these back-ends would require deep access to each system, risk corruption, and is not a standard or supported method for integration. APIs are the intended, supported way to access this data.
Why C is Incorrect:
Purchasing commercial off-the-shelf (COTS) aggregation software (like a SIEM or a dedicated log management tool) is a very common and effective solution. However, the question specifies the administrator wants to use existing resources. Purchasing new software contradicts this requirement, as it involves acquiring new resources (budget, software, and potentially hardware).
Why D is Incorrect:
Migrating logs to on-premises storage is a data consolidation step, but it does not solve the communication or automation problem. You would still have logs in different formats from different systems sitting in the same storage location. Without a way to parse, normalize, and aggregate them (a function an API integration or a SIEM performs), you cannot automate reporting from them. This is just moving the data, not making it usable for automated reporting.
Reference:
This question falls under Domain 2.0: Security Operations. It tests the practical knowledge of how to integrate security tools and automate processes, a key skill for security analysts and engineers. Using APIs is the modern, scalable, and resource-efficient method for achieving this integration.
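To make the correct answer concrete, here is an added example (written for this page, not code from the original) of the aggregation step: two constructed payloads stand in for what a firewall API and an EDR API might return, each is normalised into one common record schema, and the result is aggregated for a report. The vendor field names, event values and severity mapping are all constructed assumptions.

```python
"""Normalising two disparate appliance feeds into one schema for automated
reporting. Added example; both payloads below are constructed stand-ins."""
import csv
import io
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of what a firewall API might return (epoch seconds, numeric sev).
FIREWALL_JSON = json.dumps({"events": [
    {"time": 1709287200, "sev": 3, "src": "10.0.0.5", "action": "deny", "rule": "R42"},
    {"time": 1709287260, "sev": 1, "src": "10.0.0.9", "action": "allow", "rule": "R7"},
]})

# Constructed sample of what an EDR API might return (CSV, ISO timestamps, word severities).
EDR_CSV = (
    "detected_at,severity,hostname,verdict\n"
    "2024-03-01T10:01:00Z,high,ws-17,malware\n"
    "2024-03-01T10:03:00Z,low,ws-22,suspicious\n"
)

SEVERITY_WORDS = {"low": 1, "medium": 2, "high": 3, "critical": 4}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"   # single timestamp format for every normalised record


def normalise_firewall(payload: str) -> list:
    """Map the firewall's fields onto the common schema."""
    records = []
    for ev in json.loads(payload)["events"]:
        ts = datetime.fromtimestamp(ev["time"], tz=timezone.utc).strftime(TS_FMT)
        records.append({
            "timestamp": ts,
            "source": "firewall",
            "severity": int(ev["sev"]),
            "entity": ev["src"],
            "summary": f'{ev["action"]} by rule {ev["rule"]}',
        })
    return records


def normalise_edr(payload: str) -> list:
    """Map the EDR's CSV rows onto the same schema; unknown severities become 0."""
    records = []
    for row in csv.DictReader(io.StringIO(payload)):
        records.append({
            "timestamp": row["detected_at"],
            "source": "edr",
            "severity": SEVERITY_WORDS.get(row["severity"].lower(), 0),
            "entity": row["hostname"],
            "summary": row["verdict"],
        })
    return records


def build_report(firewall_payload: str = FIREWALL_JSON, edr_payload: str = EDR_CSV) -> dict:
    """Aggregate both feeds: a single time-ordered stream plus counts by severity."""
    records = normalise_firewall(firewall_payload) + normalise_edr(edr_payload)
    records.sort(key=lambda r: r["timestamp"])  # ISO-8601 strings sort chronologically
    by_severity = Counter(r["severity"] for r in records)
    by_source = Counter(r["source"] for r in records)
    return {"records": records, "by_severity": dict(by_severity), "by_source": dict(by_source)}


if __name__ == "__main__":
    report = build_report()
    for r in report["records"]:
        print(r["timestamp"], r["source"], r["severity"], r["entity"], r["summary"])
    print("by severity:", report["by_severity"])
```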
A cloud engineer needs to identify appropriate solutions to:
• Provide secure access to internal and external cloud resources.
• Eliminate split-tunnel traffic flows.
• Enable identity and access management capabilities.
Which of the following solutions are the most appropriate? (Select two).
A. Federation
B. Microsegmentation
C. CASB
D. PAM
E. SD-WAN
F. SASE
F. SASE
Explanation:
Let's break down the requirements and see which solutions best address them:
Provide secure access to internal and external cloud resources:
This requires a solution that can securely connect users to applications, whether they are in a corporate data center, a public cloud (IaaS/PaaS), or a SaaS application (like Office 365).
Eliminate split-tunnel traffic flows:
Split tunneling allows some user traffic to go directly to the internet while other traffic goes through the corporate network. To eliminate this, all user traffic must be routed through a central security checkpoint for inspection and enforcement.
Enable identity and access management capabilities:
The solution must integrate strongly with identity systems to enforce access policies based on user identity, group, and other context.
Why F is Correct (SASE):
Secure Access Service Edge (SASE) is the overarching architecture that perfectly meets all three requirements.
It provides secure, identity-driven access to all resources (internal and cloud-based) from anywhere.
A core principle of SASE is to funnel all user traffic through a cloud-based security stack (SWG, CASB, ZTNA, FWaaS), which eliminates split tunneling by ensuring all traffic is inspected.
It has identity and access management as a foundational component, using user identity as the key for applying security policies.
Why A is Correct (Federation):
Federation (e.g., using SAML, OIDC) is a critical identity capability that integrates with a SASE solution to fulfill the IAM requirement.
It allows users to authenticate once with a central identity provider (like Azure AD) and gain seamless access to multiple cloud services and applications without needing separate passwords.
This provides the strong identity and access management foundation that a SASE platform uses to make access decisions. SASE relies on federated identity to know who the user is before applying policy.
Why the Other Options Are Incorrect:
B. Microsegmentation:
This is for controlling east-west traffic between workloads within a data center or cloud network. It does not address secure user access to resources or internet-bound traffic flows.
C. CASB (Cloud Access Security Broker):
A CASB is a component that can be part of a SASE solution. It secures access to SaaS applications and provides data security for cloud services. However, by itself, it does not eliminate split tunneling for all internet traffic or provide secure access to internal resources—it's focused on cloud services. SASE is the broader architecture that incorporates CASB functionality.
D. PAM (Privileged Access Management):
PAM is used to secure, manage, and monitor access for privileged accounts (e.g., administrators). It is a critical security solution but is focused on a specific set of users and systems, not the general workforce's secure access to all cloud resources.
E. SD-WAN (Software-Defined Wide Area Network):
SD-WAN is a technology for intelligently routing traffic between branch offices and data centers. It optimizes network performance but is not a security solution. In fact, traditional SD-WAN can create split tunnels. SASE often incorporates SD-WAN capabilities but adds the crucial security and identity layer.
Reference:
This question falls under Domain 1.0: Security Architecture. It tests the understanding of modern secure access architectures, specifically how SASE converges networking and security functions with identity to address the challenges of cloud-centric and remote work environments. Federation is the key identity component that enables this.
A company detects suspicious activity associated with external connections. Security detection tools are unable to categorize this activity. Which of the following is the best solution to help the company overcome this challenge?
A. Implement an Interactive honeypot
B. Map network traffic to known IoCs.
C. Monitor the dark web
D. Implement UEBA
Explanation:
Why D is Correct:
The core challenge is that "security detection tools are unable to categorize" the "suspicious activity." This indicates that the activity does not match any known signatures, patterns, or Indicators of Compromise (IoCs). This is a classic scenario for User and Entity Behavior Analytics (UEBA).
UEBA uses machine learning and advanced analytics to establish a baseline of normal behavior for users, hosts, and network entities.
It then detects anomalies that deviate from this baseline, without relying on known threat signatures.
This makes it exceptionally effective at identifying novel attacks, insider threats, and suspicious activity that evades traditional, signature-based detection tools. It can categorize unknown activity based on its anomalous nature.
Why A is Incorrect:
An interactive honeypot is a decoy system designed to attract and engage attackers to study their techniques. While it can provide valuable intelligence on new attack methods, it is a proactive research tool, not a direct solution for detecting and categorizing ongoing, suspicious activity on the production network. The suspicious activity is already happening; a honeypot wouldn't help analyze it.
Why B is Incorrect:
Mapping network traffic to known IoCs is the function of traditional signature-based tools like IDS/IPS and many SIEM rules. The problem states that these tools have already failed to categorize the activity, meaning it does not match any known IoCs. Therefore, this approach will not help overcome the challenge.
Why C is Incorrect:
Monitoring the dark web is a strategic intelligence-gathering activity. It is used to find stolen credentials, learn about upcoming attacks, or discover if company data is for sale. It is not a tactical solution for analyzing and categorizing specific, ongoing suspicious network activity within the company's environment.
Reference:
This question falls under Domain 2.0: Security Operations. It tests the knowledge of advanced security analytics tools and their appropriate application. UEBA is specifically designed to address the limitation of traditional tools by using behavioral analysis to detect unknown threats and anomalous activity.
A network engineer must ensure that always-on VPN access is enabled but restricted to company assets. Which of the following best describes what the engineer needs to do?
A. Generate device certificates using the specific template settings needed
B. Modify signing certificates in order to support IKE version 2
C. Create a wildcard certificate for connections from public networks
D. Add the VPN hostname as a SAN entry on the root certificate
Explanation:
Why A is Correct:
The requirement has two key parts:
Always-on VPN:
This means the VPN connection is established automatically, typically at device startup or user logon, without user interaction.
Restricted to company assets:
This means only devices that are owned and managed by the company should be able to connect.
The best way to meet both requirements is through device certificate authentication. In this model:
Each company-issued device is provisioned with a unique device certificate issued by the company's own private Public Key Infrastructure (PKI).
The VPN gateway is configured to only accept connection attempts that present a valid certificate from this specific PKI.
The "always-on" feature can be configured to use this certificate for automatic authentication without requiring user input.
This effectively restricts access to devices that possess this certificate (i.e., company assets). Non-company devices will lack the required certificate and be unable to connect.
The network engineer would need to ensure the certificate templates in the PKI are configured correctly to issue certificates with the necessary properties (e.g., client authentication EKU) for this purpose.
Why B is Incorrect:
Modifying signing certificates for IKEv2 relates to the cryptographic negotiation of the VPN tunnel itself. While IKEv2 is a common protocol that supports certificate authentication, this option does not address the core requirement of restricting access to company assets. It is a step in configuring the protocol, not the access control method.
Why C is Incorrect:
A wildcard certificate is used to secure multiple subdomains under a single domain name (e.g., *.example.com). It is used for TLS/SSL encryption for web services, not for client device authentication. Using a wildcard certificate for VPN clients would be a major security anti-pattern, as the same certificate would be on every device, making it impossible to distinguish or revoke individual devices. It violates the principle of unique device identity.
Why D is Incorrect:
Adding the VPN hostname as a Subject Alternative Name (SAN) on the root certificate is incorrect and nonsensical. The root certificate is the top-level, trusted anchor of a PKI hierarchy and should be kept offline and secure. Server certificates (not root certificates) for the VPN gateway itself contain the SAN field to list the DNS names they are valid for (e.g., vpn.company.com). This is important for ensuring clients are connecting to the legitimate server but does nothing to authenticate or restrict the client devices that are connecting.
Reference:
This question falls under Domain 3.0: Security Engineering and Cryptography. It tests the practical application of PKI and certificate-based authentication to achieve specific security goals like device compliance and automated access in a zero-trust framework.
A security analyst received a notification from a cloud service provider regarding an attack detected on a web server. The cloud service provider shared the following information about the attack:
• The attack came from inside the network.
• The attacking source IP was from the internal vulnerability scanners.
• The scanner is not configured to target the cloud servers.
Which of the following actions should the security analyst take first?
A. Create an allow list for the vulnerability scanner IPs in order to avoid false positives
B. Configure the scan policy to avoid targeting an out-of-scope host
C. Set network behavior analysis rules
D. Quarantine the scanner sensor to perform a forensic analysis
Explanation:
Why D is Correct:
The scenario describes a highly anomalous and potentially severe situation. The key clues are:
The attack came from an internal IP address assigned to a vulnerability scanner.
The scanner is not configured to target the cloud servers.
This indicates the scanner itself is likely compromised. An attacker has likely gained control of the vulnerability scanner and is using its capabilities, permissions, and internal network position to launch attacks against other systems (in this case, cloud servers).
The first and most critical action is to contain the threat. Quarantining the scanner sensor immediately isolates it from the network, preventing it from causing further damage or being used to pivot to other systems. After containment, a forensic analysis is required to determine how it was compromised, what the attacker did, and what data might have been accessed. This is an incident response priority.
Why A is Incorrect:
Creating an allow list for the scanner's IP would be a disastrous action. It would effectively tell the security systems to ignore all malicious activity originating from the compromised scanner, allowing the attacker to operate with impunity. This is the opposite of what should be done.
Why B is Incorrect:
Reconfiguring the scan policy is a corrective action for a misconfiguration. The problem is not a misconfiguration; the problem is that the scanner itself is behaving maliciously against its configuration. This implies the scanner is under external control, making reconfiguration irrelevant until the device itself is investigated and secured.
Why C is Incorrect:
Setting network behavior analysis rules is a good proactive measure for detecting anomalies in the future. However, the attack has already been detected. This is a reactive incident response scenario, and the immediate priority is to stop the active attack, not to create new detection rules. This can be done after the compromised system is contained.
Reference:
This question falls under Domain 2.0: Security Operations, specifically focusing on incident response procedures. It tests the understanding of the incident response lifecycle, where the first steps are always to contain and then eradicate a threat. The anomalous behavior of a trusted security tool is a major red flag that indicates a compromise, requiring immediate isolation.