Free CompTIA CAS-005 Practice Questions 2026 - Page 6

Explanation:
The requirement is to automatically apply a security baseline to machines as soon as they are created. This process is a cornerstone of Infrastructure as Code (IaC) and DevSecOps, aiming for consistent, secure, and repeatable deployments.

Ansible is an automation tool used for configuration management, application deployment, and orchestration. It works by defining desired system states in human-readable YAML files called "playbooks." A playbook can contain a set of security baselines (e.g., disabling unnecessary services, configuring firewall rules, applying specific security policies).

Automation:
These playbooks can be triggered automatically by orchestration tools (like Jenkins, GitLab CI/CD) the moment a new machine is provisioned. This ensures that every new system is configured identically and securely from the very beginning, eliminating manual setup errors and "configuration drift."

Analysis of Incorrect Options:

A. Short:
This is not a recognized technology or standard in the context of IT security, configuration management, or compliance. It is likely a distractor.

B. GASB:
This stands for the Governmental Accounting Standards Board. It is an organization that establishes accounting and financial reporting standards for U.S. state and local governments. It is entirely unrelated to technical security configuration or system automation.

D. CMDB:
A Configuration Management Database (CMDB) is a centralized repository that stores information about the hardware and software components (Configuration Items or CIs) within an organization and the relationships between them. Its primary purpose is service management and visibility.

While a CMDB might store information about the baseline configuration of a system, it is not an automation tool. It cannot apply configurations to a newly created machine. It is used for tracking, auditing, and understanding dependencies, not for enforcement.

Reference:
This concept falls under Domain 2.0: Security Architecture and Domain 4.0: Security Operations of the CAS-005 exam objectives. It specifically addresses:

Implementing secure designs across different domains (2.2)

Automating security operations (4.3) through tools like configuration management (Ansible, Puppet, Chef, SaltStack) to ensure consistency and enforce security baselines.

The core concept here is using automation and configuration management tools to enforce state, which is a fundamental principle of modern secure architecture.

Explanation:
The core principle of prioritization in vulnerability management and threat modeling is risk. Risk is a function of Threat, Vulnerability, and Impact. When prioritizing remediation efforts, the highest priority should be given to vulnerabilities that are:

Being actively exploited in the wild (High Threat):
The "known exploited" factor means attackers are currently using this vulnerability to compromise systems. This is no longer a theoretical risk; it is an active one.

On externally facing assets (High Impact Potential):
External-facing systems are accessible from the internet, making them low-hanging fruit for a vast number of attackers around the globe. They have a much larger attack surface than internal systems.

Option A combines these two critical factors:
it is external-facing and has known exploited vulnerabilities. This represents an immediate and severe danger to the organization, as it is highly likely to be targeted and successfully breached with minimal effort by an attacker. Therefore, it must be the absolute highest priority in any threat modeling or remediation effort.

Analysis of Incorrect Options:

B. Internal infrastructure with high-severity and Known exploited vulnerabilities:
While this is a high-priority item due to the "known exploited" factor, it is still less urgent than an external-facing system with the same flaw. Internal systems typically reside behind network security controls (firewalls, segmentation), which act as a compensating control and reduce the immediate threat. An attacker would first need to breach the perimeter to reach this system. An external system is the perimeter; breaching it is often the attacker's primary goal.

C. External facing Infrastructure with a low risk score and no known exploited vulnerabilities:
The "low risk score" and "no known exploited vulnerabilities" indicate that, while the system is external, the specific vulnerabilities are not currently a prime target for attackers. It should be remediated according to a standard patch cycle, but it does not demand immediate, emergency attention like Option A.

D. External-facing infrastructure with a high risk score that can only be exploited with local access to the resource:
This is a contradiction. If a vulnerability requires local access to exploit, its risk is dramatically lowered on an external-facing system. For an external attacker to exploit it, they would first need to gain local access through some other means (e.g., exploiting a different vulnerability). This makes it a much more complex attack chain. The "high risk score" is likely based on the CVSS impact metrics, but the local access requirement (often a high CVSS Attack Complexity or Privileges Required metric) is the key mitigating factor that reduces its real-world urgency compared to a remotely exploitable, known-exploited vulnerability.

Reference:
This prioritization aligns directly with guidance from leading cybersecurity authorities:

CISA's Known Exploited Vulnerabilities (KEV) Catalog:
CISA mandates federal agencies to prioritize and remediate vulnerabilities listed on its KEV catalog, emphasizing that these should be the highest priority due to their active exploitation.

NIST SP 800-40 Rev. 4 (Guide to Enterprise Patch Management Technologies):
Recommends prioritizing patches based on the severity of the vulnerability and whether it is being actively exploited.

MITRE ATT&CK Framework:
Understanding common attack vectors shows that externally facing services are the most frequent initial access points for attackers.

This logic falls under Domain 1.0:
Governance, Risk, and Compliance and Domain 3.0: Security Engineering of the CAS-005 exam, focusing on risk analysis, vulnerability management, and secure system design.

Explanation:
The scenario describes a legacy, business-critical system that is fragile ("cannot be updated") and operates in a sensitive industrial environment ("production area"). The core security challenge is protecting a vulnerable asset that cannot be patched.

Network Segmentation is the most effective security control in this situation. By creating a separate, isolated network (often called a VLAN or a purpose-built network segment) exclusively for this application and its users, the architect significantly reduces its attack surface.

Isolation:
This segmented network can be firewalled off from the corporate network, the internet, and other non-essential systems. This prevents threats from spreading to it and contains any potential compromise of the application itself. It ensures that only authorized users and systems can communicate with it, which is crucial for availability.

Compensating Control:
Since the application itself cannot be hardened (updated), security must be implemented around it. Network segmentation acts as a powerful compensating control to mitigate the risk posed by its unpatched vulnerabilities.

Analysis of Incorrect Options:

A. Disallow wireless access to the application.
While this might be a component of the overall strategy (wireless networks can introduce risk), it is not a complete solution. The primary threat to an unpatchable application isn't just wireless; it's any network-based threat from the larger corporate network, such as malware or unauthorized access attempts. This option is too narrow and does not address the broader network isolation requirement.

B. Deploy Intrusion detection capabilities using a network tap.
An Intrusion Detection System (IDS) is a monitoring and alerting tool. While valuable for visibility, it is a passive control. It can tell you an attack is happening or has happened, but it does not prevent the attack from reaching the vulnerable application. For a system that cannot be patched, prevention is far more critical than detection.

C. Create an acceptable use policy for the use of the application.
Policies are important for defining rules and user expectations, but they are administrative controls. They are not technical enforcement mechanisms. A policy cannot technically prevent a malware infection from exploiting an unpatched vulnerability in the application. It relies on users following the rules and is unenforceable against malicious software or attackers.

Reference:
This approach is a fundamental principle of the Defense-in-Depth strategy and aligns with best practices from frameworks like:

NIST Cybersecurity Framework (CSF):
Specifically the "Protect" function (PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate).

NIST SP 800-82:
Guide to Industrial Control Systems (ICS) Security, which heavily emphasizes segmenting critical OT (Operational Technology) networks from corporate IT networks.

MITRE ATT&CK Mitigations:
Network Segmentation (M1030) is a primary mitigation tactic to contain and isolate adversary movement.

This question falls under Domain 3.0: Security Engineering of the CAS-005 exam, focusing on implementing secure infrastructure designs and segmentation strategies to protect critical assets.

Explanation:
The vulnerabilities listed are a direct consequence of providing remote access without adequate security controls. The best mitigations are those that directly address the specific problems mentioned.

Exfiltration of intellectual property is the unauthorized transfer of data. Data Loss Prevention (DLP) tools are specifically designed to mitigate this risk. They can monitor, detect, and block sensitive data while in use, in motion (e.g., being emailed or uploaded), or at rest. This directly prevents the exfiltration of intellectual property.

Weak user passwords are a primary attack vector, especially for remote access services like RDP, which are constantly targeted by brute-force attacks. Enabling modern authentication that supports Multi-Factor Authentication (MFA) is the most effective control to mitigate weak passwords. MFA requires a user to present two or more pieces of evidence (factors) to authenticate, such as a password (something you know) and a code from an authenticator app (something you have). This makes account compromise vastly more difficult, even if the password is weak.

While "unencrypted files" is listed, it is a secondary concern in this specific context. The primary attack path described is an attacker using weak passwords to gain remote access (via RDP) and then exfiltrating data. The most direct mitigations are therefore focused on preventing the initial compromise (MFA) and blocking the data theft (DLP). Encrypting files would protect them at rest if stolen, but DLP would prevent the theft from occurring in the first place, which is a more robust mitigation for the "exfiltration" symptom.

Analysis of Incorrect Options:

B. Deploying file integrity monitoring (FIM):
FIM is used to detect unauthorized changes to files, configurations, or systems (e.g., alerting if a system file is altered). It is excellent for detecting certain types of intrusions but does not prevent data exfiltration or strengthen authentication. It's a detective control, not a preventive one for these specific issues.

C. Restricting access to critical file services only:
This is a form of access control and network segmentation. While a good general practice (following the principle of least privilege), it is implied the attackers are already gaining access via legitimate (but compromised) user credentials through RDP. Once in, they would have the same access as the user. This control might limit the damage but does not address the root cause of weak authentication or directly prevent exfiltration like DLP does.

D. Deploying directory-based group policies:
Group Policies can be used to enforce security settings, including password policies (length, complexity). However, the problem is "weak user passwords," which implies the existing policies may be insufficient or poorly enforced. Even strong passwords can be phished or breached. MFA is a fundamentally stronger and more modern control than relying solely on password policies.

F. Implementing a version control system:
Version control (e.g., Git) manages changes to source code and files. It is a development tool and has no bearing on preventing unauthorized remote access or data exfiltration from a production environment.

G. Implementing a CMDB platform:
A Configuration Management Database (CMDB) is an inventory of assets and their relationships. It is used for IT service management, change management, and impact analysis. It is a valuable tool for governance but does not perform authentication or prevent data loss.

Reference:
This scenario falls under Domain 1.0: Governance, Risk, and Compliance and Domain 4.0: Security Operations of the CAS-005 exam. It addresses:

Implementing controls to protect data (Data Security - 1.4).

Designing and implementing identity and access management (IAM) controls (Identity and Access Management - 3.5).

Securing remote access capabilities, a critical aspect of network security.

The choices align with standard defense-in-depth strategies for securing remote access: strengthening the initial login (MFA) and protecting the data itself (DLP).

Explanation:
From a privacy perspective, the core concern is the fair and lawful processing of clients' personal data. In regions with strong privacy regulations like the GDPR (EU) or CCPA (California), individuals have a right to explanation for automated decision-making that significantly affects them.

Automated Decision-Making:
Denying a loan or assigning a high interest rate is a significant decision. If a client is subjected to an entirely automated process, they have the legal right to understand the logic behind that decision.

"Black Box" Problem:
Many complex AI/ML models (e.g., deep neural networks) can be "black boxes," meaning it's difficult or impossible to explain why they arrived at a specific output for a given input.

Privacy Implication:
This lack of explainability directly violates privacy principles. If the organization cannot explain which personal data points (e.g., income, zip code, spending habits) contributed to the decision and how they were weighted, it cannot ensure the decision was non-discriminatory, fair, or based on accurate data. This risks processing data in a way the client did not consent to and could lead to biases that violate privacy and fairness laws.

Analysis of Incorrect Options:

B. Credential Theft:
This is a primary security concern. While stealing an administrator's credentials could lead to a massive privacy breach (exposing all client data), it is not a inherent privacy concern of the AI system's design and function itself. It is a general security threat that applies to any system holding sensitive data.

C. Possible prompt Injections:
This is a specific security vulnerability for AI systems that use prompt-based interfaces (like LLMs). An attacker could craft a clever prompt to manipulate the AI into bypassing its instructions. This could lead to unauthorized actions or data leaks, which is a security problem that could result in a privacy incident. However, it is not the core privacy concern of the automated decision-making process itself. This system likely uses a predictive model, not a generative LLM with a chat prompt interface.

D. Exposure to social engineering:
This is a human factors and security concern. Social engineering attacks trick employees into divulging credentials or secrets. A successful attack could lead to a privacy breach, but again, it is not a direct privacy concern of the AI's automated function. It is an external threat targeting human weaknesses, not an inherent issue with how the AI model processes personal data to make decisions.

Reference:

This concept is central to Domain 1.0:
Governance, Risk, and Compliance of the CAS-005 exam, specifically:

Privacy Impact Assessments (PIA):
A PIA for this AI system would immediately flag the lack of explainability as a high-risk item for compliance with privacy regulations.

Legal and Regulatory Compliance:
Regulations like GDPR Article 22 specifically address automated individual decision-making, including profiling, and grant individuals the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, with certain exceptions. This necessitates explainability. The other options (B, C, D) are important security concerns, but the question specifically asks for the concern from a privacy perspective, making model explainability the most direct and critical answer.

Explanation:
The symptoms point to two distinct but common problems in a modern hybrid network: general connectivity and endpoint security posture.

"Inability to download corporate applications on mobile endpoints while working remotely" and "Certificate errors when accessing internal web applications" are classic signs of a problematic VPN connection. Remote mobile devices rely on a VPN to securely connect to the corporate network to access resources like application repositories and internal web apps.

A. Review VPN throughput:
If the VPN concentrator is overloaded or has low bandwidth, it can cause timeouts, failed connections, and slow speeds. This would prevent mobile devices from downloading large corporate applications and could even interrupt secure TLS handshakes, leading to certificate errors as connections drop or fail to complete properly.

"Connectivity issues between local computers and file servers within branch offices" and "Certificate errors..." can also be caused by incorrect system time. A very common requirement for proper network authentication (like domain access to file servers) and for validating digital certificates is that the device's clock must be synchronized correctly. A certificate will appear invalid if the system time is outside its validity period.

F. Validate MDM asset compliance:
A core function of a Mobile Device Management (MDM) system is to enforce compliance policies on enrolled devices. One of the most basic and critical compliance checks is ensuring that the device's time and date are set correctly and are synchronizing properly. An MDM can report on non-compliant devices that are out of sync, which would explain both the local domain connectivity issues (e.g., Kerberos authentication failures) and the certificate errors.

Analysis of Incorrect Options:

B. Check IPS rules:
An Intrusion Prevention System (IPS) blocks malicious traffic. If it were misconfigured, it could cause connectivity issues. However, this is less likely to be the root cause across all three scenarios, especially the certificate errors. It's a more specific security check, not a general connectivity and compliance one.

C. Restore static content on the CDN:
A Content Delivery Network (CDN) is used to cache and deliver public-facing web content (like a company's public website) to external users. The issues described are with internal corporate resources (file servers, internal web apps, corporate app downloads). A CDN is irrelevant to this internal network traffic.

D. Enable secure authentication using NAC:
Network Access Control (NAC) checks a device's health before allowing it onto the network. Enabling it is a proactive security measure, not a troubleshooting step for existing issues. If NAC were already enabled and misconfigured, it could be the cause, but the option says "enable," not "check" or "review."

E. Implement advanced WAF rules:
A Web Application Firewall (WAF) protects web apps from attacks like SQL injection or XSS. Implementing new rules is a security hardening action, not a troubleshooting step for connectivity and certificate problems. A misconfigured WAF could cause issues, but again, the action is to "implement," not to "review."

Reference:
This troubleshooting process falls under Domain 4.0: Security Operations of the CAS-005 exam. It requires understanding:

Network Security Architecture (4.1):
Understanding how VPNs work and their potential bottlenecks.

Security Operations (4.3):
Using endpoint management tools like MDM to validate device compliance and configuration as a standard troubleshooting step.

Vulnerability Management (4.4):
Recognizing that system misconfigurations, like incorrect time sync, are a common cause of operational issues.

The most relevant actions are those that directly address the most likely common causes: VPN performance for remote access and device compliance (especially time sync) for general connectivity and certificate validation.

Explanation:
The root cause of the problem is password fatigue—users have too many passwords to remember. The most effective solution directly addresses this root cause by drastically reducing the number of passwords a user needs to manage.

Single Sign-On (SSO) allows a user to authenticate once with a single set of credentials and gain access to multiple integrated applications and systems without needing to log in again. This means a user might go from remembering 20+ passwords to remembering just one (often their main network/domain password).

Decreasing Risk:
By eliminating the need for numerous passwords, SSO directly eliminates the behavior of writing passwords down. Furthermore, it centralizes authentication, allowing for stronger password policies and easier monitoring on that one primary credential set. It is a user-friendly solution that aligns security with usability.

Analysis of Incorrect Options:

A. Increasing password complexity to require at least 16 characters:
This would exacerbate the problem. If users are already struggling to remember numerous passwords, making the one password they can remember longer and more complex will only increase their reliance on writing it down. This approach increases security in theory but fails in practice due to poor usability, leading to worse overall security.

C. Requiring users to use an open-source password manager:
While a password manager is a good technical solution for storing many passwords, it is not the best solution in this corporate context. "Requiring" an open-source solution poses management, support, and security challenges for an organization. More importantly, it does not reduce the number of passwords; it just provides a digital vault for them. SSO is a superior solution because it eliminates the passwords entirely.

D. Implementing an MFA solution to avoid reliance only on passwords:
Multi-Factor Authentication (MFA) is an excellent security control that greatly enhances account security. However, it does not solve the problem stated. If users have 20 passwords and you add MFA, they now have 20 passwords and 20 MFA prompts to manage. This could actually increase frustration and does nothing to reduce the number of primary credentials they must remember, meaning the insecure behavior (writing passwords down) is likely to continue.

Reference:
This solution aligns with Domain 3.5: Identity and Access Management in the CAS-005 exam objectives. Key principles include:

Implementing centralized access management systems (like SSO) to simplify the user experience and improve security.

Understanding the usability vs. security balance. The most secure solution is one that users will adopt without resorting to insecure workarounds. SSO perfectly embodies this principle.
The best solution addresses the human factor—the root cause of the insecure behavior—by reducing the cognitive load on the user, thereby decreasing risk effectively and sustainably.

Explanation:
The lessons-learned review identifies failures in process, procedure, and coordination, not a lack of technical capability or knowledge. The best solution is one that creates muscle memory for the correct procedures and tests the entire response framework.

Building Playbooks:
Incident Response (IR) playbooks provide detailed, step-by-step instructions for handling specific types of incidents (e.g., ransomware, data breach, phishing). They directly address the finding of "did not follow the right steps" by documenting what the "right steps" are for various scenarios. They also include sections on evidence preservation to prevent the "loss of important information" and define the exact "chain of communication" for reporting and escalation.

Performing Table-Top Exercises:
These are simulated incident scenarios where team members walk through their roles and responsibilities verbally. This practice:

Reinforces the use of playbooks, ensuring the "right steps" are followed.

Tests and familiarizes the team with the communication chain, ensuring everyone knows who to contact, when, and how.

Highlights gaps in evidence collection procedures to prevent the loss of critical forensic data.

Builds team cohesion and confidence, which is crucial during a high-stress real incident.

Analysis of Incorrect Options:

A. Requesting budget for better forensic tools:
While better tools can aid analysis, the problem was losing information, not being unable to analyze it. This failure is a process issue (e.g., not properly imaging a drive, not collecting volatile memory correctly, not maintaining a proper evidence custody log). New tools won't fix a broken process; they will just be used incorrectly. This solution addresses a technical need, not the procedural failures identified.

C. Requiring professional incident response certifications:
Certifications (like GCIH, GCFA) are excellent for building individual knowledge and are highly recommended. However, they focus on individual competency. The problems identified are team-wide and organizational—a breakdown in communication and procedure. A certified individual can still be part of a disorganized team that fails to follow its own plans. This is a long-term training goal, not a direct solution to the immediate process failures.

D. Publishing the incident response policy and enforcing it:
An IR policy is a high-level document that outlines what must be done and why (goals, objectives, management support). It is not a procedural guide. Publishing it and raising awareness might inform people of its existence, but it does not teach them how to execute the steps, communicate effectively, or preserve evidence during the chaos of an incident. This is a foundational step, but it is insufficient for addressing the specific operational failures reported.

Reference:
This approach is core to Domain 4.2: Building and Managing a Security Operations Center and Domain 4.4: Incident Management in the CAS-005 exam objectives. It emphasizes:

The importance of preparation through detailed procedures (playbooks).

The necessity of training and testing through exercises to ensure the IR plan is effective and the team is proficient.

The concept of continuous improvement based on lessons learned from both real incidents and simulations.

The answer choice directly turns the "lessons learned" into actionable, practical improvements for the entire team's response process.

Explanation:
The core problem is a high rate of false positives (invalid findings) from the vulnerability scanner. False positives occur when the scanner incorrectly reports a vulnerability that does not actually exist. A very common cause of this is inadequate authentication.

Scanning Credentials:
Vulnerability scanners are far more accurate when they can authenticate to the target systems. With proper credentials, a scanner can:

Log in to the operating system.

Check installed software versions accurately against a database (rather than guessing from banners).

Review system configurations and security settings.

Perform a credentialed scan, which dramatically reduces false positives by gathering precise, detailed information directly from the system.

If the scanner is running without credentials or with incorrect/insufficient permissions, it must rely on remote detection methods, which are often error-prone and lead to the challenge described.

Analysis of Incorrect Options:

A. Report retention time:
This refers to how long scan reports are stored. While important for compliance and historical analysis, it has absolutely no bearing on the technical accuracy of the scan results or the ability to differentiate between valid and invalid findings.

C. Exploit definitions:
Vulnerability scanners use vulnerability definitions or plugins (not typically called "exploit definitions," which are more associated with penetration testing tools like Metasploit). While it is crucial to keep these definitions updated to detect new vulnerabilities, outdated definitions would cause false negatives (missing real vulnerabilities), not an influx of false positives. The problem described is too many invalid findings, not a lack of findings.

D. Testing cadence:
This refers to the frequency of scans (e.g., daily, weekly, monthly). While more frequent scanning is good for discovering new issues quickly, it does not affect the fundamental accuracy of each individual scan. A misconfigured scanner will produce false positives whether it runs daily or weekly. Adjusting the cadence might change how often the team is annoyed by false positives, but it doesn't solve the root cause.

Reference:

This topic falls under Domain 4.4:
Vulnerability Management of the CAS-005 exam objectives. A key part of managing a vulnerability program is ensuring the scanning tools are configured correctly to provide accurate and actionable data.

Credentialed vs. Non-Credentialed Scans:
A fundamental concept in vulnerability management is that credentialed scans provide more accurate and reliable results, significantly reducing false positives. Verifying that the scanning service account has the correct permissions across all systems is a primary troubleshooting step for accuracy issues.

Therefore, the systems administrator would most likely check that the scanning credentials are correct and have the necessary permissions on all target systems to perform an authenticated scan.

Explanation:
The key to this question is understanding the purpose of each environment in a standard software development lifecycle (SDLC). The goal is to test a "newly released feature" in a setting that most closely mimics the final production environment without being production itself.

Staging Environment: This environment is designed to be a
n exact replica of the production environment. It has identical hardware, software, network configurations, and data (often sanitized). Its sole purpose is final validation testing before deployment.

Testing here ensures the new feature will work as expected under real-world conditions and will not cause conflicts or break existing functionality. It is the last line of defense before changes are pushed to users.

Analysis of Incorrect Options:

B. Testing Environment:
A testing environment (or QA environment) is used for quality assurance activities, such as functional testing, integration testing, and user acceptance testing (UAT). While crucial, it is often not a perfect copy of production. It might have different specifications, smaller scale, or synthetic data. It's a great place to find bugs, but it's not the best place for the final pre-production test to guarantee compatibility.

C. CI/CD Pipeline:
A CI/CD (Continuous Integration/Continuous Deployment) pipeline is an automation toolchain, not a physical environment. It is the process that automatically builds, tests, and stages code for deployment. The pipeline may deploy code to a testing or staging environment as part of its process, but the pipeline itself is not a location where testing is performed. You don't test in the pipeline; you use the pipeline to facilitate testing in another environment.

D. Development Environment:
This is the environment where developers write and initially test their code. It is highly volatile, constantly changing, and does not resemble production. It is the first place code is tested, but it is wholly unsuitable for validating that a feature is ready for release, as it cannot simulate production performance or interactions.

Reference:
This concept is fundamental to secure deployment strategies and falls under Domain 2.0: Security Architecture and Domain 4.0: Security Operations of the CAS-005 exam. It relates to:

Secure Systems Design:
Implementing environments segregated by purpose and security control.

Change Management:
Having a formal process for testing and validating changes in a pre-production environment before deployment.

Deployment Strategies:
Using a staging environment as a final validation step is a core practice in blue-green or canary deployment methodologies.

The staging environment is explicitly designed for the final, pre-production test of new features to minimize the risk of introducing errors into the live environment.