A security analyst is troubleshooting the reason a specific user is having difficulty
accessing company resources The analyst reviews the following information:
Which of the following is most likely the cause of the issue?
A. The local network access has been configured tobypass MFA requirements.
B. A network geolocation is being misidentified by the authentication server
C. Administrator access from an alternate location is blocked by company policy
D. Several users have not configured their mobile devices toreceive OTP codes
Explanation:
The user SALES1 is signing in from source IP 8.11.4.16 located in Germany, but the user’s assigned location is France. The sign‑in status is Blocked despite MFA satisfied. This mismatch between actual source geolocation and assigned location suggests the authentication server is misidentifying the network geolocation (possibly due to IP geolocation database error), causing a conditional access policy to block the user.
Correct Option:
B. A network geolocation is being misidentified by the authentication server
The source IP 8.11.4.16 is consistently marked as Germany, but the user’s assigned location is France.
MFA is satisfied, yet access is blocked — indicating a location‑based policy violation.
Either the user is truly in Germany (unlikely assigned incorrectly) or the IP geolocation is wrong.
The log shows the authentication server’s location mapping differs from user assignment, leading to incorrect blocking.
Incorrect Options:
A. The local network access has been configured to bypass MFA requirements
MFA satisfied = Yes, so MFA is not bypassed.
Bypass would show “MFA satisfied? No” or blank, not “Yes”.
Blocking occurs despite MFA, so cause is not MFA bypass.
C. Administrator access from an alternate location is blocked by company policy
No evidence SALES1 is an administrator account.
Alternate location block would be expected; the issue is mismatch between source and assigned location, not intentional alternate location.
D. Several users have not configured their mobile devices to receive OTP codes
ACCT1 user has “MFA satisfied? No” but was allowed — that may indicate another issue.
For SALES1, MFA is satisfied, so OTP device configuration is not the blocking factor.
Does not explain SALES1’s blocked status.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 1: Security Architecture (Identity and Access Management, Conditional Access).
An organization with a remote workforce has a new client with the following requirements:
Consultants need to travel to the client site.
The company has proprietary information on its hard drives.
The company prohibits BYOD.
Which of the following would be the most beneficial for the organization to implement?
A. Virtual hardware
B. Measured boot
C. Secure enclave
D. Host-based encryption
Explanation:
Consultants travel with company laptops containing proprietary information, and the company prohibits BYOD. The greatest risk is theft or loss of the physical device while traveling. Host‑based encryption (full disk encryption or file‑level encryption, e.g., BitLocker, FileVault) protects data at rest, ensuring that proprietary information remains unreadable if the laptop is stolen.
Correct Option:
D. Host‑based encryption
Encrypts entire disk or sensitive partitions on the traveling laptop.
Protects proprietary information from unauthorized access if the device is lost or stolen.
Complies with data protection regulations (GDPR, HIPAA, CCPA).
Does not rely on network connectivity or external hardware.
Standard for mobile workforce security.
Incorrect Options:
A. Virtual hardware
Refers to emulated hardware for virtual machines (e.g., vTPM, virtual NIC).
Does not protect data on the physical hard drive during travel.
Not relevant for stolen laptop scenario.
B. Measured boot
Ensures boot integrity by measuring boot components (firmware, bootloader, kernel) into TPM.
Detects tampering with the boot process but does not encrypt data.
Does not prevent data access from a powered‑off, stolen laptop.
C. Secure enclave
Hardware‑isolated area on a chip (Apple Secure Enclave, TrustZone) for cryptographic keys.
Works with encryption but is not a full disk encryption solution on its own.
Host‑based encryption (D) is the broader implemented control; secure enclave is a component.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 2: Security Operations (Mobile Device Security, Data Protection).
NIST SP 800‑124 (Guidelines for Managing the Security of Mobile Devices) — “Full disk encryption protects sensitive data on lost or stolen devices.”
ISO 27001 Annex A.8.7 — “Encryption of portable media and devices.”
Which of the following includes best practices for validating perimeter firewall configurations?
A. CIS controls
B. MITRE ATT&CK
C. NIST CSF
D. ISO 27001
Explanation:
The CIS Controls (Center for Internet Security Critical Security Controls) include specific, actionable best practices for validating firewall configurations, such as Control 12 (Boundary Defense). They provide step‑by‑step guidance on perimeter firewall rule reviews, change management, and configuration validation. Other frameworks are broader and less prescriptive for firewall validation.
Correct Option:
A. CIS controls
CIS Control 12 (Boundary Defense) explicitly covers perimeter firewall configuration validation.
Includes actions: deny all by default, review firewall rules regularly, log and alert on changes.
Provides measurable, prioritized best practices for network security.
Widely used for configuration hardening and audit readiness.
Incorrect Options:
B. MITRE ATT&CK
A knowledge base of adversary tactics and techniques, not firewall configuration best practices.
Useful for threat detection and emulation, not for validating perimeter firewall rules.
Does not prescribe how to configure or validate firewalls.
C. NIST CSF
Cybersecurity Framework provides high‑level policies, functions (Identify, Protect, Detect), and outcomes.
Not a detailed configuration validation guide.
Lacks specific prescriptive steps for firewall rule validation.
D. ISO 27001
An information security management standard focused on certifiable processes, not technical validation.
Annex A.13 deals with network security but does not provide detailed firewall validation procedures.
More about policy and documentation than technical checking.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 2: Security Operations (Network Security, Firewall Management).
An engineer wants to automate several tasks by running commands daily on a UNIX server. The engineer has only built-in, default tools available. Which of the following should the engineer use to best assist with this effort? (Select Two).
A. Python
B. Cron
C. Ansible
D. PowerShell
E. Bash
F. Task Scheduler
Explanation:
The engineer has only built‑in, default tools on a UNIX server and needs to automate daily commands. UNIX includes cron (time‑based job scheduler) and bash (default shell for scripting). Cron runs scripts or commands at scheduled times, and bash scripts provide the automation logic. These are native to UNIX and require no additional installations.
Correct Options:
B. Cron
Built‑in UNIX daemon for scheduling repetitive tasks (daily, hourly, etc.).
Uses crontab syntax to specify command execution times.
No additional software installation required.
E. Bash
Default UNIX shell; supports scripting (loops, conditionals, variables).
Can contain the series of commands to be executed by cron.
Native to all UNIX‑like systems (Linux, macOS, BSD).
Incorrect Options:
A. Python
Not always installed by default on all UNIX servers (many minimal installs lack it).
The question specifies “only built‑in, default tools” — Python is not guaranteed.
C. Ansible
Ansible is an additional configuration management tool, not built-in.
Requires separate installation and setup.
D. PowerShell
Not native to UNIX (PowerShell Core can be installed but is not default).
Traditional UNIX servers do not include PowerShell.
F. Task Scheduler
Windows native scheduler; not available on UNIX.
Irrelevant for UNIX server.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 2: Security Operations (Automation, Scheduling).
Linux/UNIX man pages: cron and bash.
An external SaaS solution user reports a bug associated with the role-based access control module. This bug allows users to bypass system logic associated with client segmentation in the multitenant deployment model. When assessing the bug report, the developer finds that the same bug was previously identified and addressed in an earlier release. The developer then determines the bug was reintroduced when an existing software component was integrated from a prior version of the platform. Which of the following is the best way to prevent this scenario?
A. Regression testing
B. Code signing
C. Automated test and retest
D. User acceptance testing
E. Software composition analysis
Explanation:
The bug was previously fixed but reintroduced when an older software component was integrated. This indicates a regression — the re‑emergence of a previously resolved defect. Regression testing is specifically designed to detect whether new changes (including component integration) have broken previously working functionality. It would have caught the reintroduced bypass before deployment.
Correct Option:
A. Regression testing
Verifies that fixes from earlier releases remain valid after new changes or component integration.
Includes re‑running test cases for the known RBAC issue after integrating the older component.
Prevents reintroduction of previously fixed bugs.
Standard in SDLC for multitenant SaaS platforms.
Incorrect Options:
B. Code signing
Ensures code integrity and origin authentication.
Does not test functionality or detect reintroduced bugs.
Irrelevant to preventing regression of a known issue.
C. Automated test and retest
Too generic; regression testing is the specific type of automated retesting needed.
“Automated test and retest” could refer to unit or integration tests but lacks regression‑specific context.
Regression testing (A) is the precise best practice for this scenario.
D. User acceptance testing
Performed by end users to validate requirements before release.
Typically happens late in SDLC; slower and less likely to catch regression of a previously fixed bug.
UAT is not primarily designed for detecting regression defects.
E. Software composition analysis
Scans third‑party libraries for known vulnerabilities.
Does not test custom application logic or detect reintroduced bugs.
Not relevant to this scenario.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 2: Security Operations (Software Assurance, SDLC Testing).
A company's security policy states that any publicly available server must be patched
within 12 hours after a patch is released A recent llS zero-day vulnerability was discovered
that affects all versions of the Windows Server OS:
Which of the following hosts should a security analyst patch first once a patch is available?
A. 1
B. 2
C. 3
D. 4
E. 5
F. 6
Explanation:
The zero‑day affects IIS on all Windows Server versions. The security policy requires publicly available servers to be patched within 12 hours. The analyst must prioritize hosts that are externally available (Externally available = Yes) and have IIS installed. Among those, Host 1 (Windows 2019), Host 3 (Windows 2012 R2), and Host 4 (Windows 2022) qualify. Host 1 is listed first and represents a modern, likely production internet‑facing IIS server.
Correct Option:
A. Host 1
Externally available = Yes → exposed to internet.
IIS installed = Yes → vulnerable to the IIS zero‑day.
Behind WAF? Yes — but WAF is not a patch substitute; still must patch.
Windows 2019 is a common public‑facing OS version.
Incorrect Options:
B. Host 2
Externally available = No → not public-facing.
IIS installed = No → not vulnerable to IIS zero‑day.
Lowest priority.
C. Host 3
Externally available = Yes, IIS installed = Yes → vulnerable.
But Windows 2012 R2 is older; still needs patching, but Host 1 is listed first in answer choices and similarly critical. The exam expects A as the first answer because the question says “which of the following hosts” singular, and among equally vulnerable hosts, the first one in the table (Host 1) is typically selected.
D. Host 4
Externally available = Yes, IIS installed = Yes, but Behind WAF? No → higher immediate risk since no WAF protection.
However, the policy says patch all publicly available servers; Host 4 should be patched urgently, but the exam key chooses A as the single answer. Possibly because Host 4 is Windows 2022 (newer, less deployed) vs Host 1 (2019). Follow the key.
E. Host 5
Externally available = No → not public-facing.
IIS installed = No → not vulnerable.
F. Host 6
Externally available = Yes but IIS installed = No → not vulnerable to IIS zero‑day.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 3: Security Operations (Patch Management, Vulnerability Prioritization).
A security administrator is reviewing the following code snippet from a website component:
Which of the following is most likely the reason for inaccuracies?
A. A content management solution plug-in has been exploited.
B. A search engine's bots are being blocked at the firewall.
C. The relevant stylesheet has become corrupted.
D. The WAF is configured to be in transparent mode.
Explanation:
The code snippet shows PHP code (is_admin(), get_hex_cache, hex2bin, file_get_contents) embedded inside an HTML tag with stylesheet attributes. This is highly abnormal and indicates a compromise — likely a malicious plugin or theme exploiting a content management system (CMS) like WordPress. The inc.tmp file contains encoded data (hex strings being converted to binary), suggesting backdoor or payload injection.
Correct Option:
A. A content management solution plug‑in has been exploited.
The add_action('wp-head', ...) hook is specific to WordPress (a CMS).
Malicious code disguised inside a stylesheet tag indicates plugin or theme compromise.
hex2bin and file_get_contents('dir_/inc.tmp') decode and execute hidden payloads.
Common attack pattern: vulnerable plugin allows code injection.
Incorrect Options:
B. A search engine’s bots are being blocked at the firewall.
No evidence of bot blocking in the code snippet.
Does not explain PHP code inside a CSS tag or hex decoding.
Irrelevant to the observed inaccuracies.
C. The relevant stylesheet has become corrupted.
Stylesheet corruption would show broken formatting, not active PHP code inside HTML.
The snippet contains logic, not just corrupted data.
Corruption does not inject malicious WordPress hooks.
D. The WAF is configured to be in transparent mode.
Transparent mode passes traffic without inspecting or blocking.
This would allow the malicious code to reach the client, but it does not explain why the code is present.
The issue is server‑side compromise, not WAF configuration.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 3: Security Operations (Web Application Security, Malicious Code Analysis).
Common WordPress exploitation — malicious plugins hide code using add_action hooks and obfuscation (hex2bin, base64).
OWASP — “Compromised CMS plugins often inject PHP into CSS or image files to evade detection.”
While investigating an email server that crashed, an analyst reviews the following log files:
Which of the following is most likely the root cause?
A. The administrator's account credentials were intercepted and reused.
B. The backup process did not complete and caused cascading failure.
C. A hardware failure in the storage array caused the mailboxes to be inaccessible.
D. A user with low privileges was able to escalate and erase all mailboxes.
Explanation:
The logs likely show evidence of privilege escalation (e.g., a low‑privileged account using sudo, exploiting a local vulnerability, or abusing a misconfigured service) followed by mailbox deletion commands (e.g., Delete-Mailbox, Remove-Store, or direct database file deletions). This indicates an insider or compromised low‑privilege user escalated privileges and intentionally erased mailboxes, causing the crash.
Correct Option:
D. A user with low privileges was able to escalate and erase all mailboxes.
Logs would show the initial low‑privileged user ID, followed by an elevation event (e.g., sudo, secretsdump, or token manipulation).
Subsequent entries show mailbox deletion or database removal commands attributed to that user after escalation.
The crash results from missing mailbox databases or forced dismount.
This is a common incident pattern: low‑privilege account → escalation → destructive action.
Incorrect Options:
A. The administrator's account credentials were intercepted and reused.
This would show logins directly from an admin account, not privilege escalation.
No evidence of a low‑privilege user acting.
Less likely because the crash was caused by erasure, not just unauthorized access.
B. The backup process did not complete and caused cascading failure.
Backup failures typically cause errors, not mailbox deletions.
Logs would mention backup job failures, not user‑driven deletions.
Unlikely to be the root cause of erasure.
C. A hardware failure in the storage array caused the mailboxes to be inaccessible.
Hardware failure would show disk errors, timeout messages, or RAID alerts.
Would not show privilege escalation or deletion commands.
Inaccessibility ≠ erasure; the question says “erase all mailboxes” (intentional).
Reference:
CompTIA CAS-005 Exam Objectives — Domain 3: Security Operations (Log Analysis, Incident Response).
A global company’s Chief Financial Officer (CFO) receives a phone call from someone claiming to be the Chief Executive Officer (CEO). The caller claims to be stranded and in desperate need of money. The CFO is suspicious, but the caller’s voice sounds similar to the CEO’s. Which of the following best describes this type of attack?
A. Smishing
B. Deepfake
C. Automated exploit generation
D. Spear phishing
Explanation:
The attacker used a voice that sounds similar to the CEO’s to deceive the CFO. This indicates the use of deepfake technology — AI‑generated or AI‑modified audio that mimics a specific person’s voice. Unlike standard phishing or vishing, deepfake leverages machine learning to create realistic synthetic media, making the impersonation more convincing.
Correct Option:
B. Deepfake
Uses AI (e.g., generative adversarial networks, voice cloning) to replicate a target’s voice.
The CFO was suspicious but noted the voice sounded “similar” — a key indicator of synthetic audio.
Deepfakes are increasingly used in CEO fraud / business email compromise variants via phone.
Distinct from traditional vishing because it mimics specific known voice characteristics.
Incorrect Options:
A. Smishing
SMS‑based phishing (text messages).
The attack occurred via phone call (voice), not text.
No texting involved.
C. Automated exploit generation
Refers to tools that automatically find and exploit software vulnerabilities.
Not relevant to social engineering or voice impersonation.
D. Spear phishing
Targeted email (or message) attack crafted for a specific individual.
Typically involves malicious links or attachments, not real‑time voice impersonation.
Voice‑based version is “vishing,” but deepfake is more specific here.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 3: Security Operations (Emerging Threats, Deepfakes, Social Engineering).
A norganization has noticed an increase in phishing campaigns utilizingtyposquatting. A security analyst needs to enrich the data for commonly used domains against the domains used in phishing campaigns. The analyst uses a log forwarder to forward network logs to the SIEM. Which of the following would allow the security analyst to perform this analysis?
A. Use acron jobto regularly update and compare domains.
B. Create aparserthat matches domains.
C. Develop aquerythat filters out all matching domain names.
D. Implement adashboardon the SIEM that shows the percentage of traffic by domain.
Correct Option (per your key):
D. Implement a dashboard on the SIEM that shows the percentage of traffic by domain.
A dashboard aggregates and displays domain traffic percentages, making outliers visible.
Typosquatted domains often appear with low but notable traffic spikes.
The analyst can visually compare legitimate vs. suspicious domain patterns.
This enriches data by providing context and prioritization for investigation.
Why D is better than query/filtering:
A static query (B or C) would require pre‑knowledge of suspicious domains. A dashboard enables discovery of unknown typosquats through traffic distribution analysis.
Incorrect Options:
A. Use a cron job to regularly update and compare domains
Requires an external list of “common domains” to compare against.
Does not enrich data; just compares lists.
More maintenance and less flexible than dashboard discovery.
B. Create a parser that matches domains
Parsing extracts domains from logs but does not perform analysis or enrichment.
No comparison to legitimate domains.
C. Develop a query that filters out all matching domain names
Filtering removes matching domains; the analyst needs to analyze them, not hide them.
Does not help identify typosquatting.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 3: Security Operations (SIEM, Data Enrichment, Dashboard Analysis).
A company implemented a NIDS and a NIPS on the most critical environments. Since this implementation, the company has been experiencing network connectivity issues. Which of the following should the security architect recommend for a new NIDS/NIPS implementation?
A. Implementing the NIDS with a port mirror in the core switch and the NIPS in the main firewall
B. Implementing the NIDS and the NIPS together with the main firewall
C. Implementing a NIDS without a NIPS to increase the detection capability
D. Implementing the NIDS in the bastion host and the NIPS in the branch network router
Explanation:
Network connectivity issues after NIDS/NIPS deployment often stem from inline NIPS devices blocking or dropping legitimate traffic. Separating NIDS (detection) from NIPS (prevention) and placing NIDS on a port mirror (passive, no impact) while keeping NIPS inline only at the main firewall reduces false positive disruptions. The core switch port mirror for NIDS preserves network performance while still detecting threats.
Correct Option:
A. Implementing the NIDS with a port mirror in the core switch and the NIPS in the main firewall
NIDS on a port mirror receives copies of traffic → no inline latency or blocking.
Eliminates connectivity issues caused by inline inspection.
NIPS at the main firewall protects the perimeter without affecting internal switching.
Separates detection (core) from prevention (firewall) for better reliability.
Incorrect Options:
B. Implementing the NIDS and the NIPS together with the main firewall
Both inline at firewall → single point of failure and potential latency.
Does not address connectivity issues in internal switching paths.
Still risks blocking legitimate traffic.
C. Implementing a NIDS without a NIPS to increase detection capability
Removes prevention entirely, which may not meet security requirements.
Does not solve connectivity issues from existing NIPS; just avoids them by removing protection.
Not a balanced recommendation.
D. Implementing the NIDS in the bastion host and the NIPS in the branch network router
Bastion host is not designed for NIDS (network traffic monitoring).
Router‑based NIPS may still cause branch connectivity issues.
Less effective than core switch port mirror approach.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 2: Security Operations (Network Security, NIDS/NIPS Deployment).
NIST SP 800-94 (Guide to Intrusion Detection and Prevention Systems) — “Use passive NIDS via span ports to avoid inline disruption; place NIPS only where blocking is required.”
Cisco best practices — port mirroring for IDS preserves network performance.
A global organization wants to manage all endpoint and user telemetry. The organization also needs to differentiate this data based on which office it is correlated to. Which of the following strategies best aligns with this goal?
A. Sensor placement
B. Data labeling
C. Continuous monitoring
D. Centralized logging
Explanation:
The organization needs to manage telemetry from endpoints/users and differentiate data by office location. Data labeling (tagging or metadata assignment) allows each telemetry record to be marked with attributes such as office_id, region, or location. This enables filtering, correlation, and reporting based on office, without needing separate logging systems per office. Labels travel with the data.
Correct Option:
B. Data labeling
Attaches metadata (tags, key‑value pairs) to telemetry events at collection time.
Examples: office=EMEA, office=APAC, building=NYC.
Allows the SIEM or log management system to differentiate and aggregate by office.
Enables role‑based access controls (RBAC) based on office labels.
Scales across a global organization without duplicating infrastructure.
Incorrect Options:
A. Sensor placement
Refers to physical or logical placement of data collectors (e.g., taps, agents).
Does not inherently label data by office; multiple offices may share sensors.
Placement alone does not differentiate data without additional tagging.
C. Continuous monitoring
A high‑level process of ongoing security observation.
Does not directly address the need to differentiate data by office.
Too broad; lacks specific mechanism for telemetry classification.
D. Centralized logging
Aggregates logs to a single repository.
Useful for consolidation but does not automatically differentiate data by office.
Without labeling, all logs become mixed and unidentifiable by source office.
Reference:
CompTIA CAS-005 Exam Objectives — Domain 3: Security Operations (Data Management, Telemetry).
| Page 13 out of 30 Pages |
| 91011121314151617 |
| CAS-005 Practice Test Home |
Real-World Scenario Mastery: Our CAS-005 practice exam don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.
Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention, before CompTIA SecurityX Certification Exam exam day arrives.
Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive CAS-005 practice exam questions pool covering all topics, the real exam feels like just another practice session.