CAS-005 CompTIA SecurityX Certification Exam Questions and Answers

Automating compliance in cloudenvironments requires a tool that can enforce configurations, manage infrastructure as code, and align with industry standards (e.g., NIST, ISO). Let’s evaluate:

A. Jenkins:A CI/CD tool for automating software builds and deployments. It’s not designed for compliance enforcement or infrastructure management.

B. Python:A programming language that can be scripted for automation but lacks built-in compliance-focused features without significant custom development.

C. Ansible:An automation tool for configuration management, application deployment, and compliance enforcement. It uses playbooks to define desired states, making it ideal for automating compliance checks and remediation in cloud environments (e.g., AWS, Azure). CAS-005 emphasizes automation tools for security and compliance, and Ansible fits perfectly.

The best solution is to provide a hash of all data made available (D). Hashing ensures the integrity of the threat intelligence data provided to customers. Clients can verify that the data received via API matches the published hash, ensuring no tampering occurred in transit or at rest. This supports customer trust and aligns with the objective of protecting data integrity while maintaining availability.

Option A (API secret keys) improves authentication and reduces attack surface but does not address integrity or compute efficiency. Option B (publishing IoCs publicly) increases attack surface and reduces control over distribution, which conflicts with security objectives. Option C (rate limiting) helps availability and cost control but does not guarantee data integrity.

By providing hashes, the company ensures customers can validate authenticity regardless of delivery method, reducing the risk of manipulated IoCs. This approach also minimizes compute spend since hashing is lightweight compared to continuous verification processes.

Therefore, the strongest alignment with all stated objectives—availability, reduced spend, reduced attack surface, and integrity—is achieved by providing hashes of all threat intelligence data.

To ensure always-on VPN access is enabled and restricted to company assets, the network engineer needs to generate device certificates using the specific template settings required for the company ' s VPN solution. These certificates ensure that only authorized devices can establish a VPN connection.

Why Device Certificates are Necessary:

Authentication: Device certificates authenticate company assets, ensuring that only authorized devices can access the VPN.

Security: Certificates provide a higher level of security compared to username and password combinations, reducing the risk of unauthorized access.

Compliance: Certificates help in meeting security policies and compliance requirements by ensuring that only managed devices can connect to the corporate network.

Other options do not provide the same level of control and security for always-on VPN access:

B. Modify signing certificates for IKE version 2: While important for VPN protocols, it does not address device-specific authentication.

C. Create a wildcard certificate: This is not suitable for device-specific authentication and could introduce security risks.

D. Add the VPN hostname as a SAN entry: This is more related to certificate management and does not ensure device-specific authentication.

Collecting a large pool of behavioral observations requires handling vast datasets, which is the domain ofBig Data. Big Data technologies enable the storage, processing, and analysis of large-scale data (e.g., user behavior logs) to inform decisions, a key capability in security analytics.

Option A:Linear regression is a statistical method for modeling relationships, not collecting data.

Option B:Distributed consensus relates to agreement in distributed systems (e.g., blockchain), not data collection.

Option C:Big Data directly supports collecting and analyzing large datasets for insights, fitting the question perfectly.

Option D:Machine learning uses data to train models but relies on data being collected first, often via Big Data.

To develop a baseline of security configurations that will be automatically utilized when a machine is created, the security architect should deploy Ansible. Here’s why:

Automation: Ansible is an automation tool that allows for the configuration, management, and deployment of applications and systems. It ensures that security configurations are consistently applied across all new machines.

Scalability: Ansible can scale to manage thousands of machines, making it suitable for large enterprises that need to maintain consistent security configurations across their infrastructure.

Compliance: By using Ansible, organizations can enforce compliance with security policies and standards, ensuring that all systems are configured according to best practices.

Enabling dashboards for service status monitoring is the best action to support rapid incident response. The table shows various services with different risk, criticality, and alert severity ratings. To ensure timely and effective incident response, real-time visibility into the status of these services is crucial.

Why Dashboards for Service Status Monitoring?

Real-time Visibility: Dashboards provide an at-a-glance view of the current status of all critical services, enabling rapid detection of issues.

CentralizedMonitoring: A single platform to monitor the status of multiple services helps streamline incident response efforts.

Proactive Alerting: Dashboards can be configured to show alerts and anomalies immediately, ensuring that incidents are addressed as soon as they arise.

Improved Decision Making: Real-time data helps incident response teams make informed decisions quickly, reducing downtime and mitigating impact.

Other options, while useful, do not offer the same level of comprehensive, real-time visibility and proactive alerting:

A. Automate alerting to IT support for phone system outages: This addresses one service but does not provide a holistic view.

C. Send emails for failed log-in attempts on the public website: This is a specific alert for one type of issue and does not cover all services.

D. Configure automated isolation of human resources systems: This is a reactive measure for a specific service and does not provide real-time status monitoring.

To secure the Operational Technology (OT) environment based on the given requirements, the best approach is to implement a bastion host inthe OT network. The bastion host serves as a secure entry point for remote access, allowing third-party vendors to connect while being monitored by security tools. Using a dedicated update server for workstations ensures that security updates are applied in a controlled manner without direct internet access.

Implementing the given commands in the Dockerfile ensures that the container runs with non-root user privileges. Running applications as a non-root user reduces the risk of privilege escalation attacks because even if anattacker compromises the application, they would have limited privileges and would not be able to perform actions that require root access.

A. Implementing the following commands in the Dockerfile: This directly addresses the privilege escalation attack surface by ensuring the application does not run with elevated privileges.

B. Installing an EDR on the container ' s host: While useful for detecting threats, this does not reduce the privilege escalation attack surface within the containerized application.

C.Designing a multi-container solution: While beneficial for modularity and remediation, it does not specifically address privilege escalation.

D. Running the container in an isolated network: This improves network security but does not directly reduce the privilege escalation attack surface.

To prevent emails from being marked as spam, several DNS records related to email authentication need to be properly configured and updated when there are changes to the email server ' scertificates:

A. DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC records help email servers determine how to handle messages that fail SPF or DKIM checks, improving email deliverability and reducing the likelihood of emails being marked as spam.

B. SPF (Sender Policy Framework): SPF records specify which mail servers are authorized to send email on behalf of your domain. Updating the SPF record ensures that the new email server is recognized as an authorized sender.

C. DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to email headers, allowing the receiving server to verify that the email has not been tampered with and is from an authorized sender. Updating DKIM records ensures that emails are properly signed and authenticated.

D. DNSSEC (Domain Name System Security Extensions): DNSSEC adds security to DNS by enabling DNS responses to be verified. While important for DNS security, it does not directly address the issue of emails being marked as spam.

E. SASC: This is not a relevant standard for this scenario.

F. SAN (Subject Alternative Name): SAN is used in SSL/TLS certificates for securing multiple domain names, not for email delivery issues.

G. SOA (Start of Authority): SOA records are used for DNS zone administration and do not directly impact email deliverability.

H. MX (Mail Exchange): MX records specify the mail servers responsible for receiving email on behalf of a domain. While important, the primary issue here is the authentication of outgoing emails, which is handled by SPF, DKIM, and DMARC.

On-path decryption attacks, such as BEAST (Browser Exploit Against SSL/TLS) and other related vulnerabilities, often exploit weaknesses in the implementation of CBC (Cipher Block Chaining) mode. To mitigate these attacks, the following actions are recommended:

B. Removing support for CBC-based key exchange and signing algorithms: CBC mode is vulnerable to certain attacks like BEAST. By removing support for CBC-based ciphers, you can eliminate one of the primary vectors for these attacks. Instead, use modern cipher modes like GCM (Galois/Counter Mode) which offer better security properties.

C. Adding TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256: This cipher suite uses Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) for key exchange, which provides perfect forward secrecy. It also uses AES in GCM mode, which is not susceptible to the same attacks as CBC. SHA-256 is a strong hash function that ensures data integrity.

Step-by-Step Explanation:

Both samples share similar function names, variable naming styles, and logic flow, indicating that they were likely written by the same developer. This is a keyobservation in malware attribution, as cyber threat analysts often look for unique coding styles to link malware to specific threat actors.

The presence of C2 (Command and Control) communication in both samples supports this theory, as attackers often reuse parts of their own malware code across different attacks.

The hijacked administrator account was used across multiple ASNs (indicating different network locations) in a short time, despite MFA and SSO. This suggests a stolen session or token misuse. Let’s analyze:

A. Token theft detection with lockouts:Useful for detecting stolen SSO tokens, but it’s reactive and may not prevent initial misuse across networks.

B. Context-based authentication:This adds real-time checks (e.g., geolocation, IP changes) to verify login attempts. Given the rapid ASN changes, this proactively mitigates the issue by challenging suspicious logins, aligning with CAS-005’s focus on adaptive security.

C. Decentralize accounts:This removes SSO, increasing complexity and weakening MFA enforcement, which isn’t practical or secure.

10.1.45.65 SFTP ServerDisable 8080

10.1.45.66 Email Server Disable 415 and 443

10.1.45.67 Web Server Disable 21, 80

10.1.45.68 UTM Appliance Disable 21

The log snippet indicates a DNS AXFR (zone transfer) request, which can be exploited by attackers to gather detailed information about an internal network ' s infrastructure. Disabling DNS zone transfers is the best solution to mitigate this risk. Zone transfers should generally be restricted to authorized secondary DNS servers and not be publicly accessible, as they can reveal sensitive network information that facilitates lateral movement during an attack.

To improve the vulnerability management process in an environment where new devices/IPs are added and dropped regularly, the company should perform regular discovery scanning throughout the IT landscape using the vulnerability management tool. Here’s why:

Accurate Asset Inventory: Regular discovery scans help maintain an up-to-date inventory of all assets, ensuring that the vulnerability management process includes all relevant devices and IPs.

Consistency in Reporting: By continuously discovering and scanning new and existing assets, the company can generate consistent and comprehensive vulnerability reports that reflect the current state of the network.

Proactive Management: Regular scans enable the organization to proactively identify and address vulnerabilities on new and existing assets, reducing the window of exposure to potential threats.

Implementing digital signatures ensures the integrity and authenticity of software binaries. When a binary is digitally signed, any tampering with the file (e.g., replacing it with amalicious version) would invalidate the signature. This allows systems to verify the origin and integrity of binaries before execution, preventing the execution of unauthorized or compromised binaries.

A. Improving patching processes: While important, this does not directly address the issue of verifying the integrity of binaries.

B. Implementing digital signatures: This ensures that only valid, untampered binaries are executed, preventing attackers from substituting legitimate binaries with malicious ones.

C. Performing manual updates via USB ports: This is not practical and does not scale well, especially in large environments.

D. Allowing only files from internal sources: This reduces the risk but does not provide a mechanism to verify the integrity of binaries.

When dealing with false positives and false negatives reported by a Security Information and Event Management (SIEM) system, the goal is to enhance the accuracy of the alerts and ensure that actual threats are identified correctly. The following sources of information best support the analysis process:

A. Third-party reports and logs: Utilizing external sources of information such as threat intelligence reports, vendor logs, and other third-party data can provide a broader perspective on potential threats. These sources often contain valuable insights and context that can help correlate events more accurately, reducing the likelihood of false positives and false negatives.

B. Trends: Analyzing trends over time can help inunderstanding patterns and anomalies in the data. By observing trends, the security team can distinguish between normal and abnormal behavior, which aids in fine-tuning the SIEM configurations to better detect true positives and reduce false alerts.

Other options such as dashboards, alert failures, network traffic summaries, and manual review processes are also useful but are more operational rather than foundational for understanding the root causes of reporting errors in SIEM configurations.

The correct answer is Playbooks (A). In incident response, playbooks are structured workflows that define step-by-step actions for specific incident types (e.g., ransomware, phishing, insider threats). They allow SOC analysts to standardize responses across multiple platforms and tools, ensuring consistency and faster mitigation. By leveraging playbooks, organizations integrate existing incident response tools into automated or semi-automated processes, improving efficiency and reducing human error.

Option B (event collectors) consolidate logs but do not directly improve response processes. Option C (centralized logging) enhances visibility but does not provide a framework for action. Option D (endpoint detection) expands detection capabilities but does not enhance the process effectiveness of incident response.

CAS-005 emphasizes structured response through automation and orchestration. Playbooks, often implemented via SOAR platforms, allow integration of detection, triage, and remediation steps, making them the most effective way to increase incident response maturity.

The log-in activity indicates a security threat, particularly involving the ADMIN account with a high-risk failure status. This suggests that the account may be targeted by malicious activities such as credential stuffing or brute force attacks.

Updating log configuration settings (A) may help in better logging future activities but does not address the immediate threat.

Changing the admin account password (B) is a good practice but may not fully mitigate the ongoing threat if the account has already been compromised.

Blocking employees (C) from logging into non-business applications might help in reducing attack surfaces but doesn ' t directly address the compromised account issue.

Implementing automation to disable accounts associated with high-risk activities ensures an immediate response to the detected threat, preventing further unauthorized access and allowing time for thorough investigation and remediation.

In serverless computing, organizations rely heavily on CSPs to manage the infrastructure, runtime, and scaling. A key risk is thelevel of control and influence governments have over CSPs, potentially affecting availability, access, or confidentiality of hosted services due to legal orders or government actions. Concerns about virtualization technologies, scalability, or third-party monitoring are valid but less critical compared to the overarching legal and control risks tied to CSP reliance.

D. STIX (Structured Threat Information eXpression): STIX is a standardized language for representing threat information in a structured and machine-readable format. It facilitates the sharing ofthreat intelligence by ensuring that data is consistent and can be easily understood by all parties involved.

E. TAXII (Trusted Automated eXchange of Indicator Information): TAXII is a transport mechanism that enables the sharing of cyber threat information over a secure and trusted network. It works in conjunction with STIX to automate the exchange of threat intelligence among organizations.

Other options:

A. CWPP (Cloud Workload Protection Platform): This focuses on securing cloud workloads and is not directly related to threat intelligence sharing.

B. YARA: YARA is used for malware research and identifying patterns in files, but it is not a platform for sharing threat intelligence.

C. ATT & CK: This is a knowledge base of adversary tactics andtechniques but does not facilitate the sharing of threat intelligence data.

F. JTAG: JTAG is a standard for testing and debugging integrated circuits, not related to threat intelligence.

Removing unnecessary services from existing endpoints reduces the attack surface by minimizing the number of potential vulnerabilities attackers could exploit. This is a cost-effective method to harden devices without requiring new purchases, aligning perfectly with a purchasing freeze. Deploying new EDR solutions or disposing of devices would likely conflict with the resource freeze, and reimaging systems does not address minimizing services proactively.

The most cost-effective and secure solution is to configure VPN concentrators inside the OT networks at both sites (Option D). This setup allows encrypted communications between Site A and Site B, enabling controllers at either site to serve as secondary or failover devices for the other. By leveraging VPN tunnels, the organization avoids the expensive and time-consuming process of laying new fiber infrastructure, while still ensuring secure, authenticated, and encrypted connections across sites.

Option A, direct fiber connectivity, provides high performance but is extremely costly and less flexible than VPN solutions. Option B, deploying redundant SCADA controllers at each site, increases hardware, licensing, and management costs while still requiring interconnectivity. Option C, air-gapping the OT network, may improve isolation but would prevent remote failover capabilities, contradicting the requirement for cross-site control.

By implementing VPN concentrators, the organization achieves secure cross-site redundancy, supports operational continuity in case of controller outages, and does so in a cost-effective manner aligned with common OT security practices.

When differentiating between valid and invalid findings from vulnerability scans, the systemsadministrator should verify that the scanning credentials are properly configured. Valid credentials ensure that the scanner can authenticate and access the systems being evaluated, providing accurate and comprehensive results. Without proper credentials, scans may miss vulnerabilities or generate false positives, making it difficult to prioritize and address the findings effectively.

The best answer is B. Implementing Conditional Access with device certifications and compliance requirements . The CISO’s concerns are not only about patch latency; they also include missing security agents and a rise in unapproved BYOD endpoints . Conditional Access tied to device identity, compliance posture, and certificates can block or limit access from unmanaged or noncompliant devices. That directly addresses all three concerns at once: only compliant devices with required controls can access enterprise resources, which pressures patching hygiene, ensures agent presence, and reduces unauthorized BYOD access. CompTIA’s SecurityX objectives include IAM controls and enterprise enforcement of access decisions based on trust and security posture.

Why the other options are weaker:

A helps remote connectivity for patch delivery, but it does not solve missing agents or rogue BYOD. C is governance-oriented and too slow and indirect compared with an enforceable technical control. D helps with managed devices, but it does not adequately stop unapproved BYOD devices unless access control is tied to device compliance. Conditional Access is the strongest enterprise control because it can enforce both identity and endpoint posture before access is granted.

Phishing simulations are a proven method for reinforcing security awareness, meeting compliance training requirements, and improving user incident reporting. In CAS-005, social engineering testing is a recommended component of organizational security culture programs.

DoS attacks (A) and penetration tests (B) assess technical security, not user awareness.

Fake ransomware (D) can cause unnecessary alarm and operational disruption.

A. Implementing allow lists: Allow lists (whitelisting) restrict network communication to only authorized devices and applications, significantly reducing the attack surface by ensuring that only pre-approved traffic is permitted.

F. Implementing a site-to-site IPSec VPN: A site-to-site VPN provides a secure, encrypted tunnel for data transmission between the OT systems and the vendor, protecting the data from interception and tampering during transit.

Other options:

B. Monitoring network behavior: While useful for detecting anomalies, it does not proactively reduce the risk of compromise or sabotage.

C. Encrypting data at rest: Important for protecting data stored on devices, but does not address network communication risks.

D. Performing boot integrity checks: Ensures the integrity of the system at startup but does not protect ongoing network communications.

E. Executing daily health checks: Useful for maintaining system health but does not directly reduce the risk of network-based compromise or sabotage.

CVE (Common Vulnerabilities and Exposures)provides unique identifiers for publicly known cybersecurity vulnerabilities and exposures. Each CVE entry includes a description and, often, remediation information. CVSS refers to scoring severity, CCE focuses on configuration issues, and CPE deals with naming standardized platforms and systems.

The first action should be to reset access for John and Joe, who are corporate accounts belonging to the organization. Their credentials were exposed in recent leaks, including one from an initial access broker (Joe), which indicates an active exploitation risk. Immediate password resets and session invalidations prevent adversaries from using the compromised credentials to gain access.

Ann’s account (@hotmail.com) is personal and not under corporate management, so while her exposure is concerning, it does not pose a direct risk to organizational systems. Contacting her can follow later steps but should not delay urgent remediation for John and Joe.

Option B delays remediation. Option C overreaches by including Ann in corporate resets. Option D includes contacting authorities prematurely, which is important but secondary to immediate containment.

CAS-005 emphasizes rapid containment of credential leaks affecting corporate identities, making access resets for John and Joe the first step.

Step-by-Step Explanation:

Regression testing ensures that new changes do not break existing functionality. It would have identified the memory leak before deployment, preventing downtime.

Homomorphic encryptionallows computations to be performed directly on encrypted data without decrypting it first. This technology is particularly useful for securely transmitting confidential data to a cloud service provider (CSP) and allowing the CSP to process the data without having any visibility into its content. This maintains data confidentiality even during processing. It is not about securing data at rest and in transit or simply storing data across nodes.

To protect company information on stolen mobile devices, implementingremote wipe proceduresensures data can be erased if a device is suspected lost or stolen.Biometric access controlwith enforced timeouts further secures the device, requiring biometric authentication periodically, thus limiting unauthorized access even if the device is stolen. Geofencing and certificates provide additional security layers but are less immediate protections against information exposure after theft. Application control and side-loading prevention are important for malware threats but less so for stolen device scenarios.

Input sanitation is a critical process in cybersecurity that involvesvalidating and cleaning data provided by users to prevent malicious inputs from causing harm. In the context of AI concerns:

A. Model inversion involves an attacker inferring sensitive data from model outputs, typically requiring sophisticated methods beyond just manipulating input data.

B. Prompt Injection is a form of attack where an adversary provides malicious input to manipulate the behavior of AI models, particularly those dealing with natural language processing (NLP). Input sanitation directly addresses this by ensuring that inputs are cleaned and validated to remove potentially harmful commands or instructions that could alter the AI ' s behavior.

C. Data poisoning involves injecting malicious data into the training set to compromise the model. While input sanitation can help by filtering out bad data, data poisoning is typically addressed through robust data validation and monitoring during the model training phase, rather than real-time input sanitation.

D. Non-explainable model refers to the lack of transparency in how AI models make decisions. This concern is not addressed by input sanitation, as it relates more to model design and interpretability techniques.

Input sanitation is most relevant and effective for preventing Prompt Injection attacks, where the integrity of user inputs directly impacts the performance and security of AI models.

The best way to address these requirements is to apply Role-Based Access Controls (RBAC) combined with geolocation policies. RBAC ensures that customers are authenticated and authorized to access only the data they are entitled to, thereby minimizing data exposure risks. At the same time, geolocation policies enforce restrictions on which regions customers can access data from, helping with compliance requirements such as GDPR or regional sovereignty laws.

Option B (replicating data in each customer environment) is inefficient, expensive, and introduces additional risks related to data sprawl. Option C (regional hosting with unique links) complicates access management and does not inherently prevent exposure or enforce strong authentication. Option D (restricting to a single region provider) removes flexibility and may conflict with customer needs for global access.

Therefore, implementing RBAC along with geolocation controls provides fine-grained access management, ensures compliance, prevents unnecessary data exposure, and is scalable for a global cloud environment.

The CIO needs to clarify the organization’s risk appetite, which defines the level of residual risk the business is willing to accept after all mitigation measures are applied. Risk appetite reflects the balance between operational requirements, security controls, and cost constraints. In business continuity planning, risk appetite helps decision-makers determine which risks must be reduced through additional investments (e.g., redundant systems, faster recovery strategies) and which risks are tolerable based on business priorities.

Mitigation (A) refers to the strategies used to reduce risk but not the threshold of acceptable residual risk. Impact (B) and Likelihood (C) are components of risk assessment—measuring severity and probability—but they do not define acceptance criteria. Risk appetite is the guiding principle that aligns technical controls with executive tolerance for disruption or loss.

By clarifying appetite, the CIO provides the compliance team and IT leadership with a framework for designing remediation activities that ensure continuity of critical internal processes while aligning with the organization’s strategic objectives and regulatory requirements.

The strings utility extracts human-readable text from binary files. Security analysts use it to identify Indicators of Compromise (IoCs) such as URLs, IP addresses, filenames, and commands embedded in the malware.

Option A (reconstructing timeline) would require event logs or forensic timeline tools.

Option C (replicating the attack) involves execution in a sandbox, not static string extraction.

The table indicates varying load times for users accessing the website from different geographic locations. Customers from Australia and India are experiencingsignificantly higher load times compared to those from the United States. This suggests that latency and geographical distance are affecting the website ' s performance.

A. IDS (Intrusion Detection System): While an IDS is useful for detecting malicious activities, it does not address performance issues related to latency and geographical distribution of content.

B. CDN (Content Delivery Network): A CDN stores copies of the website ' s content in multiple geographic locations. By serving content from the nearest server to the user, a CDN can significantly reduce load times and improve user experience globally.

C. WAF (Web Application Firewall): A WAF protects web applications by filtering and monitoring HTTP traffic but does not improve performance related to geographical latency.

D. NAC (Network Access Control): NAC solutions control access to network resources but are not designed to address web performance issues.

Implementing a CDN is the best solution to resolve the performance issues observed in the log output.

Per SecurityX CAS-005 GRC principles, outsourcing a function does not transfer accountability for protecting personally identifiable information (PII). While subprocessors handle data, the originating organization remains responsible under most data protection laws and frameworks (e.g., GDPR, CCPA).

Due care in procurement (option B) is important, but it is a supporting concept, not the primary driver in this context.

Jurisdictional compliance (option D) is a requirement, but the underlying reason for risk assessment is that accountability for PII protection remains with the organization.

Understanding Business Impact Analysis (BIA):

ABIA assesses the effects of disruptionsto an organization ' s operations.

It helpsprioritize resourcesbased on the potential impact ofdowntime, compliance issues, and critical processes.

Why Options B, C, and F are Correct:

B (Applicable contract obligations)→ Many companies havelegal and compliance obligationsregarding downtime, availability, and SLAs. This information helps determine whatrisk levelsare acceptable.

C (Costs associated with downtime)→ BIA quantifies the financial impact of system failures. Knowinglost revenue, regulatory fines, and recovery costshelps in planning.

F (Critical processes)→ Identifyingcore business processesallows an organization toprioritize recoveryeffortsandmaintain operational continuity.

Why Other Options Are Incorrect:

A (Inventory details)→ While useful for asset management, it doesnot directly impact business continuity planning.

D (Network diagrams)→ These help in security architecture but arenot directly related to the financial/business impact analysis.

E (Contingency plans)→ BIA isperformed before contingency planningto identifywhat needs protection.

A computer screen shot of a diagram Description automatically generated

A screenshot of a computer error Description automatically generated

The requirements for archiving data and immutable backups directly align with legal hold compliance (E) and ransomware resilience (F).

Legal hold compliance ensures that organizations can retain data in a tamper-proof manner when required for litigation, regulatory mandates, or audits. Immutable backups satisfy this by preventing unauthorized changes or deletion, ensuring evidence and records are preserved.

Ransomware resilience is also a key factor. Immutable backups allow recovery from ransomware attacks, as attackers cannot encrypt or delete data stored in read-only or write-once media. This reduces downtime and supports business continuity.

Options A (crypto-export), B (supply chain), C (device attestation), and D (quality assurance) do not relate directly to data archiving or immutable storage.

CAS-005 stresses aligning security controls with business continuity and compliance requirements. By focusing on legal and ransomware-related considerations, the organization ensures both regulatory and operational resilience.

The “cipher unavailable” message indicates that the client and server could not agree on a common cipher suite. After the OpenSSL update, the server likely dropped support for older, insecure ciphers (such as RC4 or 3DES) that legacy clients still use. The safest remediation is to update or configure the client applications to support modern, secure ciphers such as AES in Galois/Counter Mode (AES-GCM) or an equivalent strong cipher suite that is supported by the updated OpenSSL server.

Option A (SSL 3.0) is unsafe because SSL 3.0 is deprecated and vulnerable to multiple attacks (e.g., POODLE).

Option C (ECB mode) is insecure due to pattern leakage and should never be enforced.

Option D (ECC signatures) relates to key exchange and signatures, not to the “cipher unavailable” issue directly.

This approach aligns with SecurityX CAS-005 cryptographic interoperability guidance—modernize clients rather than reintroduce insecure protocols.

To design resilience in an enterprise system that can survive environmental catastrophes, recover within 24 hours, and be resilient to active exploitation, the best strategy is to allocate fully redundant and geographically distributed standby sites. Here’s why:

Geographical Redundancy: Having geographically distributed standby sites ensures that if one site is affected by an environmental catastrophe, the other sites can take over, providing continuity of operations.

Full Redundancy: Fully redundant sites mean that all critical systems and data are replicated, enabling quick recovery in the event of a critical loss of availability.

Resilience to Exploitation: Distributing resources across multiple sites reduces the risk of a single point of failure and increases resilience against targeted attacks.

User and Entity Behavior Analytics (UEBA) is the best solution to help the company overcome challenges associated with suspicious activity that cannot be categorized by traditional detection tools. UEBA uses advanced analytics to establish baselines of normal behavior for users and entities within the network. It then identifies deviations from these baselines, which may indicate malicious activity. This approach is particularly effective for detecting unknown threats and sophisticated attacks that do not match known indicators of compromise (IoCs).

The most critical considerations are trust boundaries (C) and supply chain access (E). Trust boundaries define where sensitive data crosses between systems or organizations, requiring strict cryptographic protections—especially important in government and commercial environments subject to crypto-export controls.

Supply chain access is also critical because hardware and software are sourced from external vendors. If suppliers are compromised, attackers could introduce malicious code, backdoors, or tampered firmware, endangering customers worldwide.

Option A (contractual obligations) and B (legal hold) are compliance-related but not direct security threats. Option D (cloud services enumeration) is irrelevant unless the storage is cloud-based. Option F (homomorphic encryption) is an advanced technology but not required for base threat modeling.

CAS-005 highlights modeling adversary capabilities at trust boundaries and accounting for supply chain risks, making C and E the most important.

The most appropriate technique to improve the cryptographic strength of a password-storage component in a web application without completely replacing the crypto-module is key stretching. Here ' s why:

Enhanced Security: Key stretching algorithms, such as PBKDF2, bcrypt, and scrypt, increase the computational effort required to derive the encryption key from the password, making brute-force attacks more difficult and time-consuming.

Compatibility: Key stretching can be implemented alongside existing cryptographic modules, enhancing their security without the need for a complete overhaul.

Industry Best Practices: Key stretching is a widely recommended practice for securely storing passwords, as it significantly improves resistance to password-cracking attacks.

Zero Trust security is based on the principle of “never trust, always verify.” For a mobile and frequently traveling workforce, enforcing rigid access models without adaptability creates friction and hampers productivity. The first priority in Zero Trust design for such a workforce is to deploy context-aware reauthentication combined with User Behavior Analytics (UBA). This ensures that deviations from baseline user behavior—such as unusual geographic access, time of day anomalies, or device changes—trigger additional authentication or session restrictions.

Option A (hardware OTPs) enhances authentication security but does not provide adaptive, risk-based controls for varying user behavior. Option B (TLS decryption) focuses on network traffic inspection, which is important but secondary to ensuring identity and access enforcement in a Zero Trust model. Option C (posture compliance checks) is necessary but typically part of ongoing device security enforcement rather than the initial step.

By starting with context-aware reauthentication, the organization ensures its Zero Trust strategy adapts dynamically to user behavior, providing both stronger security and a smoother experience for a global, remote workforce.

To determine how the acquisition of Company B will impact the attack surface, the following steps are crucial:

A. Documenting third-party connections used by Company B: Understanding all external connections is essential for assessing potential entry points for attackers and ensuring that these connections are secure.

E. Performing an architectural review of Company B ' s network: This review will identify vulnerabilities and assess the security posture of the acquired company ' s network, providing a comprehensive understanding of the new attack surface.

These actions will provide a clear picture of the security implications of the acquisition and help in developing a plan to mitigate any identified risks.

To reduce the risk of unauthorized BYOD (Bring Your Own Device) usage, the organization should implement Conditional Access and Network Access Control (NAC).

Why Conditional Access and NAC?

Conditional Access:

User-to-Device Binding: Conditional access policies can enforce that only registered and compliant devices are allowed to access corporate resources.

Context-Aware Security: Enforces access controls based on the context of the access attempt, such as user identity, device compliance, location, and more.

Network Access Control (NAC):

DeviceConfiguration Requirements: NAC ensures that only devices meeting specific security configurations are allowed to connect to the network.

Access Control: Provides granular control over network access, ensuring that BYOD devices comply with security policies before gaining access.

Other options, while useful, do not address the specific need to control and secure BYOD devices effectively:

A. Cloud IAM to enforce token-based MFA: Enhances authentication security but does not control device compliance.

D. PAM to enforce local password policies: Focuses on privileged account management, not BYOD control.

E. SD-WAN to enforce web content filtering: Enhances network performance and security but does not enforce BYOD device compliance.

F. DLP to enforce data protection capabilities: Protects data but does not control BYOD device access and compliance.

Microsegmentation is a critical strategy within Zero Trust architecture that enhances context-aware access systems by dividing the network into smaller, isolated segments. This reduces the attack surface and limits lateral movement of attackers within the network. It ensures that even if one segment is compromised, the attacker cannot easily access other segments. This granular approach to network security is essential for enforcing strict access controls and monitoring within Zero Trust environments.

The logs indicate multiple failed login attempts for user10, who may have been part of the staff reduction 60 days prior. If user10 ' s account was removed, and their home directory deleted, any applications or services relying on files or configurations within that directory would fail. This scenario is common when service accounts are not properly identified and preserved during staff reductions.

Ensuring that service accounts are documented and maintained separately from user accounts is essential to prevent unintended disruptions to applications and services.

Disabling unneeded servicesreduces the attack surface by closing open ports.Patchingensures that endpoint protection software and operating systems are up-to-date, reducing vulnerability exposure.Removing unused accountseliminates access paths for malicious users exploiting dormant accounts. Secure boot, BIOS passwords, and drive encryption are important, but they address different layers of security than the vulnerabilities listed.

Device attestationensures that only corporate-approved devices can perform privileged actions in SaaS applications.Continuous authorizationmonitors ongoing device compliance, dynamically adjusting permissions based onsecurity posture.

Blocking connections (A)is too restrictive and does not accommodate BYOD.

Machine certificates (B)help with authentication but do not provide continuous security assessment.

MDM policies (D)secure mobile devices but do not apply real-time access controls for SaaS applications.

The application allows users to input URLs, which the application then fetches using requests.get(url). This functionality can be exploited if not properly validated, leading to potential security vulnerabilities such as Server-Side Request Forgery (SSRF).

Implementing a code scanner as part of the development pipeline can help identify insecure coding practices, such as unsanitized user inputs and improper handling of external requests. Code scanners analyze the source code for known vulnerabilities and coding errors, enabling developers to remediate issues before deployment.

The best two controls are C and E because the scenario has two distinct technical problems :

the biomedical devices are EOL and vulnerable to known CVEs , and

the attacker also used VLAN hopping .

Since the devices cannot be patched, replaced, or materially changed , the strongest response is to apply compensating network controls around them. That makes this primarily a Security Architecture question focused on segmentation and preventive controls . CompTIA’s official SecurityX CAS-005 objectives explicitly include “Network architecture: segmentation, microsegmentation…” and also list “proactive, detective, and preventative controls” as part of control strategy design.

Why C is correct:

Limiting trunking protocols to specific uplink ports of access switches directly addresses the VLAN hopping portion of the attack. VLAN hopping commonly succeeds when switch ports are incorrectly allowed to negotiate or carry trunk traffic where they should function only as access ports. Restricting trunking to designated uplinks reduces the chance that an attacker can pivot between VLANs by abusing switch behavior. This fits CompTIA’s official SecurityX objective area covering network segmentation and secure boundary enforcement.

Why E is correct:

Inserting an in-line IPS between network segments of the affected hosts is the strongest compensating control for the known CVE exploit traffic against EOL devices. Because the systems cannot be updated, an in-line IPS can actively inspect and block malicious payloads moving between segments. This is much more effective than passive monitoring alone because it is a preventive control, not just a detective one. CompTIA’s official SecurityX objectives specifically emphasize preventative controls and segmentation/microsegmentation , which is exactly what this design uses to protect unpatchable assets.

Why the other options are not the best answers:

A. IDS with active response from a network tap is weaker than an in-line IPS in this case. A network tap is out-of-band, so detection may help visibility, but it does not provide the same direct traffic-blocking capability as an in-line preventive control. In a hospital with unpatchable biomedical systems, prevention at segmentation boundaries is more effective than relying mainly on monitoring. CompTIA’s objectives distinguish between detective and preventative controls, and this scenario clearly favors prevention.

B. QoS limiting throughput does not address either root cause. Lower bandwidth does not stop CVE exploitation and does not prevent VLAN hopping. It may reduce traffic volume, but it is not a meaningful security mitigation for the attack described.

D. Adding a proxy and requiring staff authentication every connection is not the most effective answer because the compromise described is tied to device vulnerabilities and network segmentation weaknesses , not primarily to user authentication. It also may be operationally unsuitable for biomedical workflows.

F. Security awareness training is valuable in general, but it is not an effective primary control for exploit payloads against EOL medical devices or VLAN hopping . The problem is architectural and technical, so the answer must also be architectural and technical.

Official extract alignment:

A short official extract from CompTIA’s SecurityX CAS-005 objectives summary that supports this answer is: “Network architecture: segmentation, microsegmentation…” and “Cloud control strategies: proactive, detective, and preventative controls…” . Also, in CompTIA’s official SecurityX practice questions, CompTIA gives a related design pattern for constrained/embedded devices: “Operating IoT devices on a separate network with no access to other devices internally” , which reinforces isolation and segmentation as the preferred control approach for hard-to-modify devices.

Step-by-Step Explanation:

Sigma (A) is a rule-based detection language that is vendor-agnostic, meaning it can be used across different SIEM (Security Information and Event Management) tools. Unlike YARA (B), which focuses on file-based detection, Sigma provides a standardized way to create rules that work across various security platforms.

A crisis management plan defines coordinated communication and response strategies for high-profile incidents that may harm an organization’s public reputation and shareholder confidence. CAS-005 GRC content includes crisis communication planning for regulatory compliance and public relations in the wake of breaches.

A Data Subject Access Request (A) addresses individual data rights, not overall crisis handling.

Business Impact Analysis (B) helps assess potential operational and financial impacts but does not manage public perception during an incident.

Supply chain management (C) is preventative for vendor risks, not responsive to current crises.

Forward secrecy (also known as perfect forward secrecy, PFS) ensures that session keys used in a VPN tunnel are ephemeral, meaning that even if an attacker compromises a long-term private key, past sessions cannot be decrypted. According to the CompTIA SecurityX CAS-005 study guide (Domain 3: Cybersecurity Technology, 3.1), enabling forward secrecy on VPN tunnels reduces the risk of cryptanalysis by ensuring that each session’s encryption key is unique and not derived from a single compromised key. This directly mitigates the impact of attacks like key theft or future decryption attempts.

Option A:Forward secrecy is not required for hardware-accelerated cryptography, which depends on processor capabilities, not key management.

Option C:While confidentiality is important, this is too vague and does not specifically explain why forward secrecy is chosen.

Option D:Modern protocols (e.g., TLS 1.3, IPsec with ECDHE) support forward secrecy but donot mandate it as a prerequisite for use.

Option B:This is the most precise, as forward secrecy directly reduces the success of cryptanalysis by limiting the scope of key compromise.

In the given scenario, the security engineer is likely examining login activities and their associated geolocations. This type of analysis is aimed at identifying unusual login patterns that might indicate an impossible travel scenario. An impossible travel scenario is when a single user account logs in from geographically distant locations in a short time, which is physically impossible. By assessing login activities using geolocation, the engineer can tune alerts to identify and respond to potential security breaches more effectively.

To meet the requirements of having allendpoints establish telemetry with a SIEM, integrate into an XDR platform, and allow SOC services to monitor the XDR platform, the best approach is to implement Host Intrusion Prevention Systems (HIPS) and a host-based firewall. HIPS can provide detailed telemetry data to the SIEM and can be integrated into the XDR platform for comprehensive monitoring and response. The host-based firewall ensures that only authorized traffic is allowed, providing an additional layer of security.

When a security analyst receives a notification about an attack that appears to originate from an internal vulnerability scanner, it suggests that the scanner itself might have been compromised. This situation is critical because a compromised scanner can potentially conduct unauthorized scans, leak sensitive information, or execute malicious actions within the network. The appropriate first action involves containing the threat to prevent further damage and allow for a thorough investigation.

Here’s why quarantining the scanner sensor is the best immediate action:

Containment and Isolation: Quarantining the scanner will immediately prevent it from continuing any malicious activity or scans. This containment is crucial to protect the rest of the network from potential harm.

Forensic Analysis: By isolating the scanner, a forensic analysis can be performed to understand how it was compromised, what actions it took, and what data or systems might have been affected. This analysis will provide valuable insights into the nature of the attack and help in taking appropriate remedial actions.

Preventing Further Attacks: If the scanner is allowed to continue operating, it might execute more unauthorized actions, leading to greater damage. Quarantine ensures that the threat is neutralized promptly.

Root Cause Identification: A forensic analysis can help identify vulnerabilities in the scanner’s configuration, software, or underlying system that allowed the compromise. This information is essential for preventing future incidents.

Other options, while potentially useful in the long term, are not appropriate as immediate actions in this scenario:

A. Create an allow list for the vulnerability scanner IPs to avoid false positives: This action addresses false positives but does not mitigate the immediate threat posed by the compromised scanner.

B. Configure the scan policy to avoid targeting an out-of-scope host: This step is preventive for future scans but does not deal with the current incident where the scanner is already compromised.

C. Set network behavior analysis rules: While useful for ongoing monitoring and detection, this does not address the immediate need to stop the compromised scanner’s activities.

In conclusion, the first and most crucial action is to quarantine the scanner sensor to halt any malicious activity and perform a forensic analysis to understand the scope and nature of the compromise. This step ensures that the threat is contained and provides a basis for further remediation efforts.

Incident response follows a standard process (e.g., NIST 800-61): Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. After identifying the attack (file and origin), the next step isContainment—limiting the spread or impact (e.g., isolating systems) before remediation or recovery.

Option A:Remediation (fixing the root cause) follows containment.

Option B:Correct—containment prevents further damage post-identification.

Option C:“Response” is too vague; it encompasses all steps.

Option D:Recovery (restoring systems) comes after containment and eradication.

The best way to prevent application-focused attacks for a platform-as-a-service solution with a web-based front end is to create Web Application Firewall (WAF) policies for relevant programming languages. Here ' s why:

Application-Focused Attack Prevention: WAFs are designed to protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. They help prevent attacks such as SQL injection, cross-site scripting (XSS), and other application-layer attacks.

Customizable Rules: WAF policies can be tailored to the specific programming languages and frameworks used by the web application, providing targeted protection based on known vulnerabilities and attack patterns.

Real-Time Protection: WAFs provide real-time protection, blocking malicious requests before they reach the application, thereby enhancing the security posture of the platform.

The General Data Protection Regulation (GDPR) is the regulation most likely being addressed by the news organization. GDPR includes provisions for the " right to be forgotten, " which allows individuals to request the deletion of personal data that is no longer necessary for the purposes for which it was collected. This regulation aims to protect the privacy and personal data of individuals within the European Union.

Limiting the platform ' s abilities to only non-sensitive functions helps to mitigate risks associated with AI operations. By ensuring that the AI-enabled digital worker is only allowed to perform tasks that do not involve sensitive or critical data, the organization reduces the potential impact of any security breaches or misuse.

Enhancing the training model ' s effectiveness (Option B) is important but does not directly address security guardrails. Granting the system the ability to self-govern (Option C) could increase risk as it may act beyond the organization ' s control. Requiring end-user acknowledgement of organizational policies (Option D) is a good practice but does not implement technical guardrails to secure the AI environment.

The best answer is C. To block malicious radio connections . The agency is preventing the government-issued endpoint itself from directly attaching to foreign cellular networks while roaming. That reduces the exposure of the endpoint to hostile or untrusted cellular infrastructure, including rogue or malicious radio environments. Requiring the use of agency-issued hotspots keeps the endpoint off direct cellular attachment and places the radio exposure on a controlled intermediary device instead. In CompTIA SecurityX CAS-005, one of the core expected skills is to “utilize cryptographic technologies and techniques while evaluating the impact of emerging trends… on information security” and to design secure solutions across complex environments. This question fits that theme of managing risk from modern communications technologies through architecture and control choices.

Why the other options are less accurate:

A is too specific because the scenario is broader than SIM hijacking; disabling direct cellular service on the endpoint is not solely about SIM theft. B is less accurate because the hotspot still depends on a carrier, so this does not fully eliminate over-the-air carrier-related risks. D is possible as a radio-security concern, but the question is framed more broadly around disallowing direct endpoint cellular connections altogether, so malicious radio connections is the more complete rationale. E is incorrect because directed electromagnetic interference is not what mobile hotspots are primarily designed to mitigate in this context.

To mitigate the identified vulnerabilities, the followingsolutions are most appropriate:

A. Implementing data loss prevention (DLP): DLP solutions help prevent the unauthorized transfer of data outside the organization. This directly addresses the exfiltration of intellectual property by monitoring, detecting, and blocking sensitive data transfers.

E. Enabling modern authentication that supports Multi-Factor Authentication (MFA): This significantly enhances security by requiring additional verification methods beyond just passwords. It addresses the issue of weak user passwords by making it much harder for unauthorized users to gain access, even if they obtain the password.

Other options, while useful in specific contexts, do not address all the vulnerabilities mentioned:

B. Deploying file integrity monitoring helps detect changes to files but does not prevent data exfiltration or address weak passwords.

C. Restricting access to critical file services improves security but is not comprehensive enough to mitigate all identified vulnerabilities.

D. Deploying directory-based group policies can enforce security policies but might not directly prevent data exfiltration or ensure strong authentication.

F. Implementing a version control system helps manage changes to files but is not a security measure for preventing the identified vulnerabilities.

G. Implementing a CMDB platform (Configuration Management Database) helps manage IT assets but does not address the specific security issues mentioned.

Implementing a Single Sign-On (SSO) solution and integrating it with applications is the best way to manage the situation and decrease risks. Here’s why:

Reduced Password Fatigue: SSO allows users tolog in once and gain access to multiple applications and systems without needing to remember and manage multiple passwords. This reduces the likelihood of users writing down passwords.

Improved Security: By reducing the number of passwords users need to manage, SSO decreases the attack surface and potential for password-related security breaches. It also allows for the implementation of stronger authentication methods.

User Convenience: SSO improves the user experience by simplifying the login process, which can lead to higher productivity and satisfaction.

Adversary emulation simulates specific advanced persistent threat (APT) behaviors and techniques to test an organization’s security posture. In SecurityX CAS-005, this is part of red-teaming and purple-teaming strategies for realistic resilience testing.

Reliability factors (B) relate to operational uptime, not threat simulation.

Honeypots (C) attract attackers but do not directly emulate specific adversaries.

Internal reconnaissance (D) is one phase of an attack simulation, not the full emulation of advanced threat actors.

Regression testing is a software testingpractice that ensures that recent code changes have not adversely affected existing functionalities. In this scenario, the reintroduction of a previously fixed bug indicates that changes or integrations brought back the old issue. Implementing comprehensive regression testing would help detect such reintroductions by systematically retesting the existing functionalities whenever changes are made to the codebase. This practice is crucial in maintaining the integrity of the application, especially in complexsystems where multiple components interact.​

Creatingsecure baseline imagesensuresconsistent, repeatabledeployment aligned with hardening standards. These images can be used acrosson-premises and cloud environments, ensuring compliance and reducing misconfigurations.

Vulnerability alerts (A)are reactive, not preventive.

Building images from scratch (C)is time-consuming and unnecessary if baselines exist.

Scripts for cleanup (D)are useful but do not prevent initial insecure configurations.

In a federated environment divided by region, if user identities are not synchronized across regions, authentication may be slow or fail when employees travel. CAS-005 IAM guidance states that identity synchronization ensures user attributes and credentials are consistently available in all regions, reducing latency and login issues.

Option A creates separate identities, which breaks single identity management.

Option C is unrelated to the login performance issue.

Option D may resolve SSO appliance sync but not cross-region identity data availability.

The best answer is B. The attacker registered a new domain . The key evidence is in the visible sender fields: From: jdoe@exampl.com and Reply-To: jdoe@exampl.com . The legitimate company domain appears to be example.com , but the fraudulent email uses exampl.com , which is a lookalike domain missing the letter “e” . That is a classic typosquatting/business email compromise pattern. The headers also show Received-SPF: pass , which means the message passed SPF for the domain it actually came from, not that it was legitimate for the intended organization. The presence of a DKIM-Signature also shows that lack of domain keys is not the issue. This is therefore best explained by an attacker creating or registering a deceptive domain and sending authenticated email from it. CompTIA SecurityX’s Security Operations domain includes activities around analyzing indicators, email artifacts, and attack patterns to identify malicious activity.

Why the other options are incorrect:

A is not the best explanation because the scenario says John Doe’s account had been compromised earlier, but the specific headers here point to a spoof-like lookalike domain attack, not necessarily direct reuse of John’s real mailbox. C is incorrect because the headers explicitly show a DKIM-Signature , so domain keys were used. D is incorrect because the headers show Received-SPF: pass , not fail. The payment succeeded because the attacker used a deceptive domain that looked close enough to the legitimate one to fool the recipient during the invoice exchange.

Multicloud provider solutionsinvolve using services from more than one cloud provider to ensure resiliency and redundancy. In the event of a failure or SLA breach by one CSP, another provider can maintain service continuity. An on-premises backup could help, but does not address CSP-specific SLA concerns directly. Round-robin load balancing and active-active within the same tenant still depend on a single provider, thus posing risks if the CSP fails.

The best approach for managing and monitoring IoT devices, such as thermostats, is to operate them on a separate network with no access to other internal devices. This segmentation ensures that the IoT devices are isolated from the main network, reducing the risk of potential security breaches affecting other critical systems. Additionally, this setup allows for secure vendor updates without exposing the broader network to potential vulnerabilities inherent in IoT devices.

Proper parsing of data is crucial for the SIEM to accurately interpret and analyze the logs being forwarded by the log collector. If the data is not parsed correctly, the SIEM may misinterpret the logs, leading to false positives and inaccurate alerts. Ensuring that the log data is correctly parsed allows the SIEM to correlate and analyze the logs effectively, which is essential for accurate alerting and monitoring.

User behavior analytics (UBA)detectsanomalousactivityby analyzing historical patterns and comparing them to recent behavior. The time shift in account activity suggestspotential compromise or misuse.

TTP-based inquiries (A)focus on known attack tactics, techniques, and procedures but do not involve behavior tracking.

Adversary emulation (C)simulates attacks but does not analyze real data trends.

OSINT analysis (D)gathers intelligence from public sources, which is unrelated to internal account behavior analysis.

The best answer is B. Conducting an OSINT assessment . In the early phases of threat modeling , the analyst wants to understand the organization’s exposed attack surface, public footprint, prior breaches, reputational visibility, externally visible infrastructure, and information that threat actors can readily gather. Because the scenario explicitly says prior security failures were publicly disclosed and the organization operates globally, OSINT is the most practical first step to inform the threat model. CompTIA’s official SecurityX objectives include “Given a scenario, perform threat-modeling activities” as part of the GRC domain, and that early work centers on understanding attacker perspective, exposure, and context before applying more specialized controls.

Why the other options are less appropriate early on:

A. STIX and TAXII are threat intelligence sharing and automation mechanisms, but they are not the first action for defining the organization’s own threat model. C. Reviewing user behavior analytics and identity logs is useful for monitoring and investigations, but threat modeling starts earlier and more broadly than just log review. D. Performing a supply chain analysis could become important because development occurs overseas, but the question asks for the best action in the early phases , and OSINT more directly captures public exposure, previous incidents, and likely attacker reconnaissance opportunities. That makes it the most practical starting point.

For SSDs,incinerationis considered the most secure method of physical destruction, ensuring no data remanence. SSDs store data differently compared to traditional spinning disks, making degaussing ineffective. Overwriting and formatting may not reliably erase all storage cells due to wear-leveling technologies. Shredding may work if the granularity is extremely fine, but incineration guarantees complete destruction beyond recovery.

The best answer is D. Deploying a dedicated base station and reducing the footprint with highly directional antennas . The biggest risk in the scenario is that unencrypted control traffic is traversing the internet over a cellular network . Since encryption is not feasible, the best compensating control is to reduce exposure by making the wireless path more private, more local, and less accessible to unintended parties. A dedicated base station with directional antennas narrows the RF footprint and reduces interception and unauthorized access opportunities compared with broad internet-based cellular exposure. CompTIA’s SecurityX objectives emphasize Security Architecture , including secure boundaries, compensating controls, and resilient design choices when ideal controls cannot be used.

Why the other options are not best:

A is helpful as a detective control, but it does not reduce the core exposure of unencrypted communications over public infrastructure. B is impractical and technically weak here; standard Cat 5e is not the right medium for a 0.5-mile river crossing. C may detect post-compromise changes, but it does not reduce the likelihood of network compromise in the first place. Because encryption cannot be used, the best risk-reduction strategy is to minimize signal exposure and dependence on public internet-connected cellular paths.

The issue is tracing the original source of requests in a tiered architecture with a load balancer. The web server logs show internal IPs (192.168.1.10), not the external client IPs, because the load balancer forwards requests without preserving the source. Enabling theX-Forwarded-Forheader on the load balancer adds the client’s original IP to the HTTP request headers, allowing downstream servers to log it. This ensures traceability without altering the architecture significantly.

Option A:Correct—X-Forwarded-For is the standard solution for preserving client IPs through load balancers.

Option B:A Host-based Intrusion Detection System (HIDS) detects anomalies but doesn’t address IP traceability.

Option C:A trusted CA certificate fixes the self-signed warning but is unrelated to source tracking.

Option D:Stored procedures improve database security but don’t help with IP logging.

Option E:Storing $_SERVER[ ' REMOTE_ADDR ' ] captures the loadbalancer’s IP, not the client’s, unless X-Forwarded-For is enabled.

Creating a separate network for users who need access tothe application is the best action to secure an internal application that is critical to the production area and cannot be updated.

Why Separate Network?

Network Segmentation: Isolates the critical application from the rest of the network, reducing the risk of compromise and limiting the potential impact of any security incidents.

Controlled Access: Ensures that only authorized users have access to the application, enhancing security and reducing the attack surface.

Minimized Risk: Segmentation helps in protecting the application from vulnerabilities that could be exploited from other parts of the network.

Other options, while beneficial, do not provide the same level of security for a critical application:

A. Disallow wireless access: Useful but does not provide comprehensive protection.

B. Deploy intrusion detection capabilities using a network tap: Enhances monitoring but does not provide the same level of isolation and control.

C. Create an acceptable use policy: Important for governance but does not provide technical security controls.

The logs show that the user connected fromToronto (104.18.16.29)andLos Angeles (95.67.137.12)within minutes. The sudden location change is a typical trigger forgeoblocking in a Next-Generation Firewall (NGFW), leading to theHR System being denied.

A compromised account (B)would show failed login attempts or unusual activities, but all other access attempts were allowed.

Business hours restriction (C)is unlikely since the user was granted access earlier.

Approved subnet issues (D)would affect all applications, not just HR System access.

The best solution to reduce the likelihood of firmware-level attacks and rootkits is to implement measured boot. Measured boot is a hardware-assisted security mechanism that leverages Trusted Platform Module (TPM) and Secure Boot processes. It records cryptographic measurements of each stage of the boot process—from firmware to operating system loaders—and stores them in the TPM. Security software, such as attestation services, can then verify that the system booted into a known, trusted state. If firmware or boot-level code has been tampered with, the measurements will not match expected values, alerting administrators to compromise.

Option A (software integrity checks) validates application-level integrity but does not address firmware rootkits that load before the operating system. Option B (self-encrypting drives) protects data at rest but does not prevent rootkits. Option D (host-based encryption) ensures confidentiality but does not detect or mitigate firmware-level persistence.

Measured boot specifically targets low-level tampering, making it the most relevant control to defend against rootkits and firmware exploits.

The technique that best addresses the issue of insider threats from employees who have individual access to encrypted material is key splitting. Here’s why:

Key Splitting: Key splitting involves dividing a cryptographic key into multiple parts anddistributing these parts among different individuals or systems. This ensures that no single individual has complete access to the key, thereby mitigating the risk of insider threats.

Increased Security: By requiring multiple parties to combine their key parts to access encrypted material, key splitting provides an additional layer of security. This approach is particularly useful in environments where sensitive data needs to be protected from unauthorized access by insiders.

Compliance and Best Practices: Key splitting aligns with best practices and regulatory requirements for handling sensitive information, ensuring that access is tightly controlled and monitored.

The event timeline indicates a sequence where a file (hr-reporting.docx) was saved, scanned, executed, and eventually found to contain malware. The critical issue here is that the malware scan completed after the file was already executed. This suggests a Time-Of-Check to Time-Of-Use (TOCTOU) vulnerability, where the state of the file changed between the time it was checked and the time it was used.

Encrypting patient data at rest ensures that sensitive information is protected from unauthorized access, thereby maintaining patient privacy. Additionally, encryption supports data portability by allowing secure transfer and storage of data across different systems and devices without compromising confidentiality. This practice is crucial for healthcare providers to comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA), which mandates the protection of patient information.​

Post-Quantum Cryptography (PQC) preparation is critical to protect data against future quantum computing attacks that could break current cryptographic algorithms (e.g., RSA, ECC). According to the CompTIA SecurityX CAS-005 study guide (Domain 3: Cybersecurity Technology, 3.3), quantum computers with sufficient computational power could perform calculations (e.g., Shor’s algorithm) to decrypt data protected by traditional algorithms. PQC focuses on developing algorithms resistant to such increases in computational resources, ensuring long-term data security.

Option B:Key stretching is a technique to strengthen passwords, not related to PQC.

Option C:PQC algorithms often have higher computational costs, not improved performance.

Option D:Asymmetric encryption is not ideal for large data sets, and PQC is not specifically about this use case.

Option A:This accurately describes PQC’s purpose to safeguard data against quantum-driven decryption.