Hard CAS-005 practice questions
Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 48 hard questions available — no sign-up, always free.
A DevSecOps team uses Ansible to orchestrate configuration of thousands of Linux hosts. During a security review, an engineer discovers that database passwords and API tokens are stored in cleartext within playbook group_vars files committed to the shared Git repository, and that playbooks run under a single privileged service account with unrestricted SSH access to all managed nodes. Which combination of changes MOST effectively hardens the automation platform against secret exposure and blast-radius escalation?
A hospital's security architect is redesigning the backup architecture after a tabletop exercise revealed that a ransomware actor with domain admin credentials could encrypt or delete both production data and the existing network-attached backup repository. Regulatory requirements mandate a 4-hour RPO for patient records, and the organization needs assurance that backups cannot be altered or deleted during their retention window, even by a compromised administrator account. Which design BEST meets these resilience requirements?
A financial services company must migrate encryption for a regulated SaaS workload to a public cloud provider. Compliance requires that the organization retain sole control over the origin of the key material and be able to demonstrate to auditors that the cloud provider never generated the master key. The team wants to use the provider's managed KMS for performance but must satisfy this key-provenance requirement. Which approach best meets the requirement?
A DevSecOps team discovers that a compromised open-source package was pulled during a recent CI build, injecting a malicious script into the resulting container image before it was pushed to the production registry. The pipeline currently pulls dependencies directly from public repositories at build time and signs images only after they reach the registry. Which combination of controls would MOST effectively prevent this class of build-integrity compromise going forward?
A retail analytics team must run demographic reports on a dataset containing customer national ID numbers stored in a cloud data warehouse. Legal requires that raw national IDs never reside in the warehouse or be recoverable by analysts, yet the reports must still correlate records belonging to the same customer across multiple tables and preserve the original field length/format for the legacy reporting tool. Which data protection design best meets these requirements?
A DevSecOps team is hardening its Kubernetes workloads. During a security review, an analyst finds that production containers run as root, mount the host Docker socket for logging sidecars, and allow shell access via kubectl exec for troubleshooting. The team wants to reduce the container attack surface while keeping the ability to investigate incidents. Which combination of controls BEST hardens these containers without eliminating incident investigation capability?
A financial services company operates a private PKI with an offline root CA. To enable trust for a newly acquired subsidiary that already deployed thousands of endpoints trusting a different existing root, the security engineer must allow certificates issued by the company's intermediate CA to validate on the subsidiary's endpoints WITHOUT redeploying a new root to those endpoints or replacing existing leaf certificates. Which approach best achieves this?
A multinational retailer's SOC confirms that attackers exfiltrated a database containing EU residents' personal data and U.S. customers' payment card information. The CISO convenes a response meeting to determine notification obligations. Legal confirms the breach involves both personal data protected under GDPR and cardholder data governed by PCI DSS agreements with the acquiring bank. Which action correctly reflects the organization's regulatory and contractual notification obligations?
A retailer wants to use existing customer purchase history to send targeted product recommendations via email. The DPO must document the appropriate GDPR lawful basis before the marketing team launches the campaign. The customers were not asked for marketing consent at signup, and the retailer believes the processing is reasonably expected by customers but wants to avoid over-relying on consent. Which action should the DPO take to establish a defensible lawful basis for this processing?
A retail company processes millions of loyalty transactions per hour and must protect customer national ID numbers. The architecture team requires that the sensitive values be replaced with surrogate tokens usable in analytics joins, but the solution must scale horizontally without a centralized data store that could become a performance bottleneck or single point of failure. Reversibility must still be supported for authorized fraud investigations. Which tokenization approach best meets these requirements?
During an enterprise incident, the SOC contained a compromised workload by isolating the affected host and rebuilding it from a golden image. Within 48 hours, the same malware family reappears on the rebuilt host and two adjacent servers. Endpoint telemetry shows the initial detection was a dropper, but the reinfection has no matching download event. Which action would most effectively prevent further reinfection during the eradication phase?
A cloud-hosted web application was compromised via an exploited API endpoint. During the enterprise incident response, the DFIR team discovers that CloudTrail management events are available but the S3 data-plane access logs and the application-tier logs were only retained for 7 days—well short of the estimated 6-week dwell time. Leadership demands a root-cause determination of the initial access vector. Which action MOST effectively enables the team to reconstruct the earliest attacker activity despite the retention gap?
A financial services firm discovers that employees are exfiltrating classified customer records by uploading them to personal cloud storage accounts over TLS-encrypted connections. The existing network DLP appliance sees only encrypted traffic and cannot inspect payloads. The security architect must design a control that reliably detects and blocks sensitive data leaving via these HTTPS uploads while preserving user privacy for personal banking and healthcare sites. Which design best meets these requirements?
A financial analytics firm must process highly sensitive customer datasets on a public cloud provider. Regulatory reviewers accept the firm's existing controls for data at rest (envelope encryption with a CMK) and in transit (mTLS), but they raise a concern: during active computation, plaintext data and the derived models reside in host memory where a compromised hypervisor or malicious cloud administrator could theoretically extract them. The architecture team must select a control that protects data while it is being processed, without moving the workload off the provider. Which approach BEST addresses this specific requirement?
A security engineer is hardening a fleet of Windows workstations that run an EDR agent. During a recent incident, an attacker who gained local administrator rights was able to stop the EDR service, delete its logs, and load an unsigned kernel driver to disable telemetry before exfiltrating data. The engineer must implement controls that prevent a privileged local attacker from neutralizing endpoint protection in a similar way. Which combination of controls BEST addresses the root cause?
A software vendor distributes signed installers to millions of customers. During an audit, security discovers the code-signing private key is stored on a build server's disk and reused across all releases for the past three years. A recent near-miss showed an attacker with build-server access could have exfiltrated the key and signed malware trusted by every customer. The team must redesign the signing process to minimize the blast radius of a key compromise while preserving the ability to validate previously released software. Which approach BEST meets these goals?
A multinational retailer operating in the EU receives a GDPR Article 17 (right to erasure) request from a former customer. However, the company's legal team has placed a litigation hold on all records related to a pending class-action lawsuit, and this customer's transaction records are within the scope of that hold. The Data Protection Officer (DPO) must respond within the regulatory timeframe. What is the MOST appropriate action?
A security architect is preparing a cryptographic inventory ahead of the organization's post-quantum migration. Leadership asks which currently deployed algorithms require the least urgent action because they remain adequately secure against quantum attacks with modest parameter adjustments, versus those that are fundamentally broken by a cryptographically relevant quantum computer. Which recommendation is technically correct?
A security engineer is designing a mobile field-inspection application that must store a per-device private key used to sign inspection records. The organization requires that the private key never be exportable, that key operations be gated by biometric user presence, and that the backend be able to cryptographically verify the key was generated and is stored inside the device's hardware security module rather than in software. Which approach best satisfies all of these requirements?
A financial services company federates its on-premises Active Directory to a cloud SaaS suite using SAML through an on-premises identity provider (IdP). The security architect learns that a compromised token-signing certificate could allow an attacker to forge assertions for any user, including administrators, without triggering authentication logs at the IdP. Which design change most directly reduces the impact of a forged-assertion (golden SAML) attack against the SaaS environment?
During an active incident, a SecurityX analyst confirms that a threat actor has compromised a domain-joined workstation and is using stolen Kerberos tickets to authenticate laterally to file servers. The finance department is actively closing quarter-end books and their file share resides on one of the targeted servers. Leadership has authorized aggressive containment but wants business disruption minimized. Which containment action BEST limits lateral movement while preserving evidence and critical business function?
A manufacturer is hardening a fleet of industrial IoT sensors that push telemetry to a cloud platform. Threat modeling identifies persistent malware surviving reboots and unauthorized firmware modifications as the highest risks. The devices have constrained TPMs, limited compute, and must remain in the field for a decade with over-the-air (OTA) updates. Which control combination BEST addresses the identified risks while remaining feasible on the constrained hardware?
A DevSecOps engineer is hardening a production Kubernetes cluster after an audit found that several application pods run with privileged security contexts, mount the host filesystem, and use the default service account with cluster-wide RBAC bindings. The applications are standard stateless web APIs that do not require host-level access. The engineer must reduce the container breakout and lateral movement risk with the least disruption to legitimate workloads. Which combination of controls MOST directly addresses the identified weaknesses?
A company is deploying an internal LLM-based assistant that uses a tool/function-calling framework, allowing the model to invoke backend APIs (ticketing, HR lookups, database queries) on behalf of employees. Security testing shows that a crafted prompt can coax the model into chaining tool calls to retrieve data the requesting user is not authorized to see. Which control most directly reduces the impact of this attack?
A financial services company deploys a production image-classification model that approves or rejects check deposits based on scanned images. A red team demonstrates that by adding carefully crafted, human-imperceptible pixel noise to fraudulent check images, they can reliably force the model to misclassify forged checks as legitimate at inference time. The training pipeline and model weights were never accessed. Which mitigation most directly addresses this specific attack?