CompTIA SecurityX (CAS-005) · Difficulty

Medium CAS-005 practice questions

Applied — put a concept to work in a realistic situation. 72 medium questions available — no sign-up, always free.

Question 1 of 25

A security operations team at a multinational firm has been relying on quarterly authenticated internal vulnerability scans of its known asset inventory. During a recent breach investigation, responders discovered that the initial foothold was an internet-facing marketing microsite spun up by a business unit on a third-party cloud account that IT never inventoried. Leadership wants a program change that will systematically reduce the chance of another unknown internet-exposed asset being exploited. Which approach best addresses the underlying gap?

Reviewed for accuracy · Report an issue
Question 2 of 25

A financial services company is preparing for post-quantum cryptography migration. Leadership asks the security engineering team to first understand where and how cryptography is used across thousands of applications, libraries, and hardware devices before selecting replacement algorithms. Which action best positions the organization to prioritize migration and achieve crypto-agility?

Reviewed for accuracy · Report an issue
Question 3 of 25

A financial services company experienced a production outage when a TLS certificate on a customer-facing API gateway expired without warning. The certificate was manually issued 12 months earlier by an internal CA, and the responsible engineer had left the company. The security architect is tasked with preventing recurrence across hundreds of internal and public-facing certificates. Which approach BEST addresses the root cause while supporting long-term operational resilience?

Reviewed for accuracy · Report an issue
Question 4 of 25

A financial services firm is migrating a highly regulated trading platform to a public cloud provider. Compliance mandates strict isolation from other customers' workloads at the physical hardware level, and the firm's risk team will not accept any control that relies solely on hypervisor-enforced logical separation. Cost is a secondary concern. Which cloud compute deployment approach best satisfies these requirements?

Reviewed for accuracy · Report an issue
Question 5 of 25

A multinational manufacturer must simultaneously demonstrate compliance with ISO 27001, PCI DSS, and a new regional privacy law. The CISO notices the compliance team is running three separate audits, duplicating evidence collection, and producing conflicting control statements that confuse the board. The CISO wants to reduce audit fatigue and cost while maintaining assurance across all three regimes. Which approach best addresses this problem?

Reviewed for accuracy · Report an issue
Question 6 of 25

A DevSecOps team runs a Kubernetes platform where developers can push arbitrary images to the cluster's namespaces. Recent incident review found a workload running an unsigned image pulled from an untrusted public registry that contained a cryptominer. The team already signs internal images using Cosign and stores public keys in a trusted store. Which control most directly prevents unsigned or untrusted images from being deployed to the cluster going forward?

Reviewed for accuracy · Report an issue
Question 7 of 25

A DevSecOps engineer is hardening a containerized microservice deployment on Kubernetes. During a review, the security team discovers that database passwords and API keys are being passed to containers as plaintext environment variables defined directly in the Deployment manifest, which is stored in a Git repository. The team wants to eliminate secret exposure both at rest in source control and at runtime within the container. Which approach BEST addresses both concerns?

Reviewed for accuracy · Report an issue
Question 8 of 25

A hospital's business continuity plan is being revised after a ransomware incident forced a full recovery from backups. During recovery, teams restored systems alphabetically, which delayed the electronic health record (EHR) system and its authentication dependency for over 14 hours while a low-priority reporting server came online first. The CISO wants to prevent this during the next event. Which action MOST directly addresses the failure demonstrated during this recovery?

Reviewed for accuracy · Report an issue
Question 9 of 25

A vulnerability management analyst runs a weekly authenticated scan against a Linux server fleet. This week, one server that historically reported dozens of missing-patch findings suddenly reports only two open-port findings and no OS-level vulnerabilities. The scan job completed without errors, and the host is confirmed reachable. Other servers in the same subnet still return full patch-level results. What is the MOST likely explanation the analyst should investigate first?

Reviewed for accuracy · Report an issue
Question 10 of 25

A security engineer is standardizing how TLS certificates are requested for a fleet of application servers. Compliance requires that private keys never leave the host on which they will be used and cannot be exported or copied, even by an administrator. The engineer must define the certificate enrollment workflow. Which approach best satisfies this requirement while producing a valid certificate signing request (CSR)?

Reviewed for accuracy · Report an issue
Question 11 of 25

A financial services company stores highly sensitive customer records in a cloud-hosted database. Regulators require that the organization retain full control over the master key used to protect the data, that the master key never leave a FIPS 140-2 Level 3 boundary, and that individual data-encryption keys be rotatable without re-encrypting the entire dataset. Which data-at-rest design BEST satisfies all three requirements?

Reviewed for accuracy · Report an issue
Question 12 of 25

A financial services firm stores customer records, internal marketing plans, and public regulatory filings on the same file-sharing platform. The security architect has been asked to design a data protection scheme that applies the strongest controls (encryption, egress blocking, watermarking) only where warranted, while avoiding unnecessary friction for low-sensitivity content. Which approach should the architect implement FIRST to make the downstream control decisions defensible and consistent?

Reviewed for accuracy · Report an issue
Question 13 of 25

A financial services firm is designing a data security architecture that spans Microsoft 365, an on-premises file server, and an AWS S3 data lake used for analytics. Regulators require that once a document is labeled 'Restricted,' the classification and its associated protections must remain enforced regardless of where the file is moved, copied, or downloaded. The security architect must select an approach that ensures the label and its protection travel with the data across all three environments. Which approach best meets this requirement?

Reviewed for accuracy · Report an issue
Question 14 of 25

A multinational manufacturer is establishing a formal data governance program after an audit found that no one could authoritatively decide who may approve access to sensitive engineering design files. The CISO wants to assign accountability for the business value, classification level, and acceptable use of these datasets, while separating that responsibility from the team that manages storage, backups, and technical access controls. Which role assignment best satisfies this requirement?

Reviewed for accuracy · Report an issue
Question 15 of 25

A financial services company is redesigning the TLS configuration for its customer-facing web portal. The security architect wants to ensure that even if the server's long-term private key is compromised in the future, previously captured encrypted session traffic cannot be retroactively decrypted. Which configuration decision most directly achieves this requirement?

Reviewed for accuracy · Report an issue
Question 16 of 25

A financial services firm discovers that employees are exfiltrating sensitive client records by copying files to USB drives and by pasting data into personal webmail accessed over HTTPS from company laptops. The existing DLP deployment consists solely of a network-based inspection appliance at the internet egress gateway that decrypts and scans outbound traffic. The security architect is asked to close the identified gaps while minimizing additional decryption infrastructure. Which design change most directly addresses BOTH exfiltration vectors?

Reviewed for accuracy · Report an issue
Question 17 of 25

A DevSecOps team is integrating automated security testing into a CI/CD pipeline for a customer-facing web application. Leadership wants defects caught as early as possible to reduce remediation cost, but also insists that runtime vulnerabilities involving authentication flows and server misconfiguration be detected before production release. The team must select where to place Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Dynamic Application Security Testing (DAST). Which pipeline design best satisfies both requirements?

Reviewed for accuracy · Report an issue
Question 18 of 25

During an enterprise incident, an analyst recovers a suspicious executable from a compromised finance workstation. The malware appears heavily packed, and static string extraction reveals only obfuscated data. The IR team needs to determine the file's command-and-control infrastructure and file-system modifications as quickly as possible while preserving the ability to attribute behavior to the sample. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 19 of 25

During an active intrusion on a Linux production server, the IR team must collect evidence before decommissioning the host. Business requires the server be reimaged within 30 minutes to restore service. The lead analyst wants to maximize forensic value while respecting the time constraint. Which data should be collected FIRST to preserve the most fragile evidence?

Reviewed for accuracy · Report an issue
Question 20 of 25

During an enterprise incident response engagement, a forensic analyst must acquire a bit-for-bit image of a suspect employee's laptop SSD that has already been powered off. The evidence may be used in future litigation. Which combination of actions BEST preserves the forensic integrity and admissibility of the acquired image?

Reviewed for accuracy · Report an issue
Question 21 of 25

A financial services company is designing a resilient enterprise architecture. Their threat model identifies data exfiltration via DNS tunneling as a critical risk because compromised endpoints have been observed encoding stolen data into DNS queries to attacker-controlled authoritative name servers. The security architect must design a control that preserves normal name resolution for legitimate business while preventing covert data channels over DNS. Which design approach BEST addresses this requirement?

Reviewed for accuracy · Report an issue
Question 22 of 25

A financial services company is deploying a microservices application across a Kubernetes cluster. Security requirements mandate that all service-to-service traffic be encrypted and that each service cryptographically prove its identity before communication is allowed, without embedding credentials in application code. Services scale up and down dynamically, so certificates must be issued and rotated automatically. Which approach best satisfies these requirements?

Reviewed for accuracy · Report an issue
Question 23 of 25

A security engineer is hardening a fleet of Windows workstations used by financial analysts. Incident data shows repeated infections from malicious macro-enabled documents and unsigned PowerShell scripts downloaded from the internet. Leadership wants to block execution of untrusted code without preventing analysts from running their approved line-of-business applications and internally developed automation scripts. Which control set most directly and durably meets these requirements?

Reviewed for accuracy · Report an issue
Question 24 of 25

A business unit at a financial services firm needs to deploy a legacy application that cannot support the company's mandatory 15-character password standard; the vendor confirms the platform is limited to 8 characters and will not be updated for 18 months. The business unit wants to proceed to meet a regulatory reporting deadline. As the security governance lead, what is the MOST appropriate way to handle this deviation from the established standard?

Reviewed for accuracy · Report an issue
Question 25 of 25

During enterprise-scale incident response, a forensic analyst has collected disk images from five compromised hosts. Investigators need to reconstruct the exact sequence of attacker actions across filesystem metadata, registry hives, event logs, and browser artifacts to determine the initial access vector. Which approach best supports this reconstruction?

Reviewed for accuracy · Report an issue