CAS-005 CompTIA SecurityX Certification Exam Free Practice Exam Questions (2026 Updated)

Step by Step Explanation:

Understanding the Scenario: The organization wants a strict application control policy: deny all software execution by default and only allow specifically authorized applications. This must be enforced across all operating systems. It is implied that they mean an Allow list, but Block List is the only reasonable answer.

Analyzing the Answer Choices:

A. SELinux (Security-Enhanced Linux): SELinux is a security module for the Linux kernel that provides Mandatory Access Control (MAC). While it can enforce application control, it ' s specific to Linux and doesn ' t meet the " regardless of OS " requirement.

In the context of improving incident response and reducing dwell time, the security analyst needs to focus on proactive measures that can quickly detect and alert on potential security breaches. Here’s a detailed analysis of the options provided:

A. Adjusting the SIEM to alert on attempts to visit phishing sites: While this is a useful measure to prevent phishing attacks, it primarily addresses external threats and doesn’t directly impact dwell time reduction, which focuses on the time a threat remains undetected within a network.

B. Allowing TRACE method traffic to enable better log correlation: The TRACE method in HTTP is used for debugging purposes, but enabling it can introduce security vulnerabilities. It’s not typically recommended for enhancing security monitoring or incident response.

C. Enabling alerting on all suspicious administrator behavior: This option directly targets the potential misuse of administrator accounts, which are often high-value targets for attackers. By monitoring and alerting on suspicious activities from admin accounts, the organization can quickly identify and respond to potential breaches, thereby reducing dwell time significantly. Suspicious behavior could include unusual login times, access to sensitive data not usually accessed by the admin, or any deviation from normal behavior patterns. This proactive monitoring is crucial for quick detection and response, aligning well with best practices in incident response.

D. Utilizing allow lists on the WAF for all users using GET methods: This measure is aimed at restricting access based on allowed lists, which can be effective in preventing unauthorized access but doesn’t specifically address the need for quick detection and response to internal threats.

Multicloud provider solutionsinvolve using services from more than one cloud provider to ensure resiliency and redundancy. In the event of a failure or SLA breach by one CSP, another provider can maintain service continuity. An on-premises backup could help, but does not address CSP-specific SLA concerns directly. Round-robin load balancing and active-active within the same tenant still depend on a single provider, thus posing risks if the CSP fails.

The best option is Mandatory Access Control (MAC). In MAC, access decisions are centrally controlled by the system or administrators, not by individual users. This ensures that healthcare staff who enter patient information cannot grant access to others, thereby preventing accidental or malicious disclosure. MAC enforces strict policies based on data sensitivity and user clearance, which aligns with compliance requirements like HIPAA.

Option A (rule-based) defines access through specific rules but is not as rigidly enforced as MAC. Option B (attribute-based) is flexible but could still allow dynamic grants of access. Option D (discretionary) explicitly allows users to assign access rights, which is exactly what must be avoided in this scenario.

CAS-005 stresses using centralized, non-discretionary controls when protecting sensitive medical data, making MAC the correct choice for hospitals.

10.1.45.65 SFTP ServerDisable 8080

10.1.45.66 Email Server Disable 415 and 443

10.1.45.67 Web Server Disable 21, 80

10.1.45.68 UTM Appliance Disable 21

Creatingsecure baseline imagesensuresconsistent, repeatabledeployment aligned with hardening standards. These images can be used acrosson-premises and cloud environments, ensuring compliance and reducing misconfigurations.

Vulnerability alerts (A)are reactive, not preventive.

Building images from scratch (C)is time-consuming and unnecessary if baselines exist.

Scripts for cleanup (D)are useful but do not prevent initial insecure configurations.

The best answer is C. Enabling network segmentation controls . The most obvious security weakness shown in the configuration is the interface address 10.12.14.1/8 , which places the device in an extremely broad network range instead of a tightly bounded segment. From a SecurityX perspective, the strongest improvement is to reduce unnecessary trust exposure by applying segmentation and tighter network boundaries. CompTIA’s official SecurityX objectives explicitly call out “Network architecture: segmentation, microsegmentation, virtual local area networks (VLANs), virtual routing and forwarding (VRF), software-defined networking (SDN)” and also emphasize “Security boundaries: secure zones, access control lists (ACLs), virtual private network (VPN)” under Security Architecture.

Why the other options are not the best choice:

A may improve cryptographic strength, but the configuration already shows SSH and HTTPS , so encrypted management access is already present. B is not the best answer because no unencrypted terminal service such as Telnet is shown in the configuration. D is generally useful operationally, but automatic patching and rebooting is not the main architectural weakness indicated by the config excerpt. The clearest risk visible in the router snippet is inadequate network scoping and boundary control, which points to segmentation as the best improvement.

Tokenization replaces sensitive data elements with non-sensitive equivalents, called tokens, that can be used within the internal tests. The original data is stored securely and can be retrieved if necessary. This approach allows the software development team to work with data that appears realistic and valid without exposing the actual sensitive information.

Configuring data hashing (Option A) is not suitable for test data as ittransforms the data into a fixed-length value that is not usable in the same way as the original data. Replacing data with null records (Option C) is not useful as it does not provide valid data for testing. Data obfuscation (Option D) could be an alternative but might not meet the regulatory requirements as effectively as tokenization.

To meet the requirements of centrally managing configurations, pushing policies, remotely wiping devices, and maintaining an asset inventory, the best solution is to implement a Mobile Device Management (MDM) solution.

MDM Capabilities:

Central Management: MDM allows administrators to manage the configurations of all devices from a central console.

Policy Enforcement: MDM solutions enable the push of security policies and updates to ensure compliance across all managed devices.

Remote Wipe: In case a device is lost or stolen, MDM provides the capability to remotely wipe the device to protect sensitive data.

Asset Inventory: MDM maintains an up-to-date inventory of all managed devices, including their configurations and installed applications.

Other options do not provide the same comprehensive capabilities required for managing specialized endpoints.

The code snippet exposes a hardcoded access token in a public repository. According to SecurityX CAS-005 secure coding best practices, the immediate action must be to revoke the exposed secret to prevent unauthorized access.

Removing the code from public view without revoking the token leaves the secret still usable by any attacker who has already seen or copied it.

SAST scanning would detect the issue but not mitigate it immediately.

Security awareness training is a long-term prevention measure but does not fix the immediate exposure.Revoking the secret first stops ongoing exploitation, after which the code can be removed, and preventative measures can be implemented.

The best solution is Conditional Access (D). Conditional access policies enforce access requirements based on contextual signals such as device compliance, user identity, location, or risk profile. In this case, the administrator can configure conditional access to ensure that only managed, corporate-approved devices are allowed to access confidential data. If an employee attempts to use a personal laptop, the access request will be blocked or redirected to a secure process (e.g., virtual desktop).

Option A (OCSP stapling) relates to certificate revocation checking and does not control device access. Option B (CASB) provides cloud access visibility and control but is broader and less precise than enforcing direct device-level conditional policies. Option C (SOAR) orchestrates responses but is not primarily designed for access enforcement. Option E (package monitoring) detects software changes but does not prevent unauthorized device usage.

Conditional access is a core principle in Zero Trust and modern IAM, making it the best solution for ensuring that sensitive data can only be accessed from trusted devices.

The best answer is D. Host-based encryption . The strongest clue is that the company has proprietary information on its hard drives and consultants must travel with company-managed devices because BYOD is prohibited. That makes protection of data at rest on the endpoint the primary concern. Host-based encryption protects the contents of the drive if a laptop is lost, stolen, or physically accessed during travel. CompTIA’s SecurityX certification emphasizes building secure solutions across complex environments and supporting resilient enterprise protection, which includes securing endpoints and sensitive data stored on them.

Why the other options are not best:

A. Virtual hardware does not directly protect the data on the hard drive if the device is lost or stolen. B. Measured boot helps validate platform integrity at startup, but it does not primarily protect confidential data at rest. C. Secure enclave can protect certain secrets and key material, but it is narrower than full host-based encryption for an entire laptop drive. Because the requirement is specifically about proprietary data on traveling endpoints, full device or host-based encryption is the most beneficial control.

Homomorphic encryption allows computations to be performed on encrypted data without decrypting it, preserving confidentiality. However, its adoption faces significant challenges due to performance overhead. According to the CompTIA SecurityX CAS-005 study materials (Domain 3: Cybersecurity Technology, 3.3), homomorphic encryption requires substantial computational resources, which standard processors struggle to provide efficiently. Specialized hardware, such as coprocessors (e.g., GPUs or TPUs), is oftenneeded to handle the complex mathematical operations involved. The lack of widespread, optimized coprocessor support in existing infrastructure is a primary barrier to adoption.

Option A (Incomplete mathematical primitives):While early homomorphic encryption schemes had limitations, modern schemes (e.g., CKKS, BFV) have mature mathematical foundations, making this less of a challenge today.

Option B (No use cases):Use cases exist, such as secure cloud computing and privacy-preserving data analytics, so this is not accurate.

Option C (Quantum computers):Homomorphic encryption is not dependent on quantum computing, and quantum computers are unrelated to its current challenges.

Option D (Insufficient coprocessor support):This is the most accurate, as performance bottlenecks require specialized hardware that is not yet widely available or integrated.

The sshd_config file is the main configuration file for the OpenSSH server. To disable weak CBC (Cipher Block Chaining) ciphers for SSH connections, the security engineer should modify the sshd_config file to update the list of allowed ciphers. This file typically contains settings for the SSH daemon, including which encryption algorithms are allowed.

By editing the /etc/ssh/sshd_config file and updating the Ciphers directive, weak ciphers can be removed, and only strong ciphers can be allowed. This change ensures that the SSH server does not use insecure encryption methods.

Step-by-Step Explanation:

Privacy regulations (C), such as GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act), require companies to provide data subject access request (DSAR) handling processes. A DSAR allows individuals to request details about their personal data stored by a company and request modifications or deletions.

Information security standards (A) focus on overall security controls, while e-discovery requirements (B) relate to legal investigations rather than ongoing compliance.

When a security analyst receives a notification about an attack that appears to originate from an internal vulnerability scanner, it suggests that the scanner itself might have been compromised. This situation is critical because a compromised scanner can potentially conduct unauthorized scans, leak sensitive information, or execute malicious actions within the network. The appropriate first action involves containing the threat to prevent further damage and allow for a thorough investigation.

Here’s why quarantining the scanner sensor is the best immediate action:

Containment and Isolation: Quarantining the scanner will immediately prevent it from continuing any malicious activity or scans. This containment is crucial to protect the rest of the network from potential harm.

Forensic Analysis: By isolating the scanner, a forensic analysis can be performed to understand how it was compromised, what actions it took, and what data or systems might have been affected. This analysis will provide valuable insights into the nature of the attack and help in taking appropriate remedial actions.

Preventing Further Attacks: If the scanner is allowed to continue operating, it might execute more unauthorized actions, leading to greater damage. Quarantine ensures that the threat is neutralized promptly.

Root Cause Identification: A forensic analysis can help identify vulnerabilities in the scanner’s configuration, software, or underlying system that allowed the compromise. This information is essential for preventing future incidents.

Other options, while potentially useful in the long term, are not appropriate as immediate actions in this scenario:

A. Create an allow list for the vulnerability scanner IPs to avoid false positives: This action addresses false positives but does not mitigate the immediate threat posed by the compromised scanner.

B. Configure the scan policy to avoid targeting an out-of-scope host: This step is preventive for future scans but does not deal with the current incident where the scanner is already compromised.

C. Set network behavior analysis rules: While useful for ongoing monitoring and detection, this does not address the immediate need to stop the compromised scanner’s activities.

In conclusion, the first and most crucial action is to quarantine the scanner sensor to halt any malicious activity and perform a forensic analysis to understand the scope and nature of the compromise. This step ensures that the threat is contained and provides a basis for further remediation efforts.

The hijacked administrator account was used across multiple ASNs (indicating different network locations) in a short time, despite MFA and SSO. This suggests a stolen session or token misuse. Let’s analyze:

A. Token theft detection with lockouts:Useful for detecting stolen SSO tokens, but it’s reactive and may not prevent initial misuse across networks.

B. Context-based authentication:This adds real-time checks (e.g., geolocation, IP changes) to verify login attempts. Given the rapid ASN changes, this proactively mitigates the issue by challenging suspicious logins, aligning with CAS-005’s focus on adaptive security.

C. Decentralize accounts:This removes SSO, increasing complexity and weakening MFA enforcement, which isn’t practical or secure.