CAS-005 Online Practice Questions and Answers

Correct Answer: C

Configuring a span port on the perimeter firewall to ingest logs is the best architectural change to ensure that all client proxy traffic is captured for analysis. Here's why:

Comprehensive Traffic Capture: A span port (or mirror port) on the perimeter firewall can capture all inbound and outbound traffic, including traffic that might bypass the proxy. This ensures that all network traffic is available for analysis.

Centralized Logging: By capturing logs at the perimeter firewall, the organization can centralize logging and analysis, making it easier to detect and investigate anomalies. Minimal Disruption: Implementing a span port is a non-intrusive

method that does not require significant changes to the network architecture, thus minimizing disruption to existing services.

Correct Answer: A

Implementing the given commands in the Dockerfile ensures that the container runs with non-root user privileges. Running applications as a non-root user reduces the risk of privilege escalation attacks because even if an attacker compromises the application, they would have limited privileges and would not be able to perform actions that require root access. A. Implementing the following commands in the Dockerfile: This directly addresses the privilege escalation attack surface by ensuring the application does not run with elevated privileges. B. Installing an EDR on the container's host: While useful for detecting threats, this does not reduce the privilege escalation attack surface within the containerized application. C. Designing a multi-container solution: While beneficial for modularity and remediation, it does not specifically address privilege escalation. D. Running the container in an isolated network: This improves network security but does not directly reduce the privilege escalation attack surface. References: CompTIA Security+ Study Guide Docker documentation on security best practices NIST SP 800-190, "Application Container Security Guide"

Correct Answer: A

When creating a threat model to identify vulnerabilities in an organization's infrastructure, prioritizing external-facing infrastructure with known exploited vulnerabilities is critical.

Here's why:

Exposure to Attack: External-facing infrastructure is directly exposed to the internet, making it a primary target for attackers. Any vulnerabilities in this layer pose an immediate risk to the organization's security. Known Exploited Vulnerabilities:

Vulnerabilities that are already known and exploited in the wild are of higher concern because they are actively being used by attackers. Addressing these vulnerabilities reduces the risk of exploitation significantly. Risk Mitigation: By

prioritizing external-facing infrastructure with known exploited vulnerabilities, the organization can mitigate the most immediate and impactful threats, thereby improving overall security posture.

Correct Answer: AF

The reported issues suggest problems related to network connectivity, remote access, and certificate management:

A. Review VPN throughput: Connectivity issues and the inability to download applications while working remotely may be due to VPN bandwidth or performance issues. Reviewing and optimizing VPN throughput can help resolve these

problems by ensuring that remote users have adequate bandwidth for accessing corporate resources.

F. Validate MDM asset compliance: Mobile Device Management (MDM) systems ensure that mobile endpoints comply with corporate security policies. Validating MDM compliance can help address issues related to the inability to download

applications and certificate errors, as non-compliant devices might be blocked from accessing certain resources.

B. Check IPS rules: While important for security, IPS rules are less likely to directly address the connectivity and certificate issues described. C. Restore static content on the CDN: This action is related to content delivery but does not address

VPN or certificate-related issues. D. Enable secure authentication using NAC: Network Access Control (NAC) enhances security but does not directly address the specific issues described. E. Implement advanced WAF rules: Web Application

Firewalls protect web applications but do not address VPN throughput or mobile device compliance.

References:

CompTIA Security+ Study Guide

NIST SP 800-77, "Guide to IPsec VPNs"

CIS Controls, "Control 11: Secure Configuration for Network Devices"

Correct Answer: B

The table indicates varying load times for users accessing the website from different geographic locations. Customers from Australia and India are experiencing significantly higher load times compared to those from the United States. This suggests that latency and geographical distance are affecting the website's performance. A. IDS (Intrusion Detection System): While an IDS is useful for detecting malicious activities, it does not address performance issues related to latency and geographical distribution of content.

B. CDN (Content Delivery Network): A CDN stores copies of the website's content in multiple geographic locations. By serving content from the nearest server to the user, a CDN can significantly reduce load times and improve user

experience globally.

C. WAF (Web Application Firewall): A WAF protects web applications by filtering and monitoring HTTP traffic but does not improve performance related to geographical latency. D. NAC (Network Access Control): NAC solutions control access

to network resources but are not designed to address web performance issues. Implementing a CDN is the best solution to resolve the performance issues observed in the log output.

References:

CompTIA Security+ Study Guide

"CDN: Content Delivery Networks Explained" by Akamai Technologies NIST SP 800-44, "Guidelines on Securing Public Web Servers"

Correct Answer: A

The best action to address the requirement of accessing the historian server within a SCADA system is to isolate the historian server for connections only from the SCADA environment. Here's why:

Security and Isolation: Isolating the historian server ensures that only authorized devices within the SCADA environment can connect to it. This minimizes the attack surface and protects sensitive data from unauthorized access. Access

Control: By restricting access to the historian server to only SCADA devices, the organization can better control and monitor interactions, ensuring that only legitimate queries and data retrievals occur. Best Practices for Critical Infrastructure:

Following the principle of least privilege, isolating critical components like the historian server is a standard practice in securing SCADA systems, reducing the risk of cyberattacks.

Correct Answer: C

To reduce the number of failed patch deployments, the systems administrator should implement a robust change management process. Change management ensures that all modifications to systems or applications are planned, tested, and

approved before deployment. This systematic approach reduces the risk of unplanned changes that can cause patch failures and ensures that patches are deployed in a controlled and predictable manner.

References:

CompTIA SecurityX Study Guide: Emphasizes the importance of change management in maintaining system integrity and ensuring successful patch deployments.

ITIL (Information Technology Infrastructure Library) Framework: Provides best practices for change management in IT services.

"The Phoenix Project" by Gene Kim, Kevin Behr, and George Spafford: Discusses the critical role of change management in IT operations and its impact on system stability and reliability.

Correct Answer: BE

To design resilience in an enterprise system that can survive environmental catastrophes, recover within 24 hours, and be resilient to active exploitation, the best strategy is to allocate fully redundant and geographically distributed standby sites. Here's why: Geographical Redundancy: Having geographically distributed standby sites ensures that if one site is affected by an environmental catastrophe, the other sites can take over, providing continuity of operations. Full Redundancy: Fully redundant sites mean that all critical systems and data are replicated, enabling quick recovery in the event of a critical loss of availability. Resilience to Exploitation: Distributing resources across multiple sites reduces the risk of a single point of failure and increases resilience against targeted attacks.

Correct Answer: A

Correct Answer: D

The Rules of Engagement (ROE) document is essential for ensuring all parties understand their roles, responsibilities, and limitations during an assessment. It provides a clear framework that helps prevent legal and operational misunderstandings, making it the most appropriate choice for the CISO to have each party sign in this scenario.