Free Practice Questions for CompTIA CAS-005 Exam

The best way to reduce liability and secure customer environments is to require that all employee-owned laptops have a corporate-licensed and managed Endpoint Detection and Response (EDR) solution installed. This ensures that devices accessing sensitive customer infrastructure are monitored for malware, unauthorized processes, and suspicious behaviors. EDR provides visibility into endpoint security posture and enforces corporate security baselines, which unmanaged personal devices typically lack.

Option A (MDM with attestation) works well for corporate-owned devices but is difficult to enforce reliably across personally owned laptops. Option C (VPN with certificate authentication) ensures encrypted access but does not validate whether the device is secure. Option D (host checking to jump boxes) reduces exposure but still allows unmanaged endpoints to connect indirectly.

CAS-005 emphasizes endpoint controls and assurance mechanisms for environments with third-party or bring-your-own-device (BYOD) risk. Deploying managed EDR ensures visibility, consistent policies, and rapid response across all devices, making this the most secure and practical option.

Useruser-cis showinganomalous behavior across multiple machines, attempting to run administrative tools such as cmd.exe and appwiz.CPL, which are commonly used by attackers for system modification. The activity pattern suggests a lateral movement attempt, potentially indicating a compromised account.

user-a (A)anduser-b (B)attempted to run applications but only on one machine, suggesting less likelihood of compromise.

user-d (D)was blocked running cmd.com, but user-c’s pattern is more consistent with an attack technique.

The sshd_config file is the main configuration file for the OpenSSH server. To disable weak CBC (Cipher Block Chaining) ciphers for SSH connections, the security engineer should modify the sshd_config file to update the list of allowed ciphers. This file typically contains settings for the SSH daemon, including which encryption algorithms are allowed.

By editing the /etc/ssh/sshd_config file and updating the Ciphers directive, weak ciphers can be removed, and only strong ciphers can be allowed. This change ensures that the SSH server does not use insecure encryption methods.

OpenSSH vulnerabilityispublic facingand has acritical CVSS of 9.2.

Exploitable SSH services can lead to direct server compromise.

Although Apache has a higher score, it's internal.

FromCAS-005, Domain 3: Vulnerability Management:

“Prioritize external vulnerabilities with high CVSS and exposed attack surfaces.”

The most likely driver for approving additional network security budget is that the audit revealed that the existing architecture contained security controls that could be easily bypassed. This indicates fundamental weaknesses in defense-in-depth and suggests that attackers could gain access to sensitive systems or data despite the presence of controls.

Option A (unused budgets) is not a strategic reason for approving security investment. Option B (compliance reports requested by customers) may influence investment in compliance initiatives, but it does not explain the need for an in-depth defense architecture. Option D (PCI DSS low score) is a compliance-specific issue but would not, on its own, drive a broad architectural budget approval unless PCI was the only focus.

Security audits often uncover systemic flaws—such as flat networks, insufficient segmentation, or single points of failure—that create the conditions for bypassing controls. Addressing these issues requires rearchitecting the environment, introducing layered defenses, and strengthening monitoring capabilities, all of which demand significant budget. Thus, option C aligns with the decision to invest in robust defense-in-depth strategies.

The best option is to provide sanitized devices with remote connections to a Virtual Desktop Infrastructure (VDI). This ensures that no sensitive intellectual property is stored locally on the laptops carried across borders. Even if the devices are inspected, seized, or tampered with, attackers cannot access corporate data since all sensitive files remain within secure, centralized infrastructure.

Option A (Measured Boot) reports firmware tampering but does not prevent data theft if the device is compromised. Option C (self-encrypting drives) protect data at rest but can be bypassed if customs agents demand login credentials. Option D (tamper-evident stickers) provide only physical inspection indicators and are ineffective against sophisticated data theft attempts.

CAS-005 emphasizes secure remote access strategies and temporary “clean laptops” for high-risk travel scenarios. Sanitized laptops with VDI access minimize exposure while maintaining productivity, making this the strongest mitigation.

To reduce the risk of unauthorized BYOD (Bring Your Own Device) usage, the organization should implement Conditional Access and Network Access Control (NAC).

Why Conditional Access and NAC?

Conditional Access:

User-to-Device Binding: Conditional access policies can enforce that only registered and compliant devices are allowed to access corporate resources.

Context-Aware Security: Enforces access controls based on the context of the access attempt, such as user identity, device compliance, location, and more.

Network Access Control (NAC):

DeviceConfiguration Requirements: NAC ensures that only devices meeting specific security configurations are allowed to connect to the network.

Access Control: Provides granular control over network access, ensuring that BYOD devices comply with security policies before gaining access.

Other options, while useful, do not address the specific need to control and secure BYOD devices effectively:

A. Cloud IAM to enforce token-based MFA: Enhances authentication security but does not control device compliance.

D. PAM to enforce local password policies: Focuses on privileged account management, not BYOD control.

E. SD-WAN to enforce web content filtering: Enhances network performance and security but does not enforce BYOD device compliance.

F. DLP to enforce data protection capabilities: Protects data but does not control BYOD device access and compliance.

Geofencingallows the device to be restricted based on its physical location — disabling or locking devices when they move outside of trusted zones.Full disk encryptionensures that if a device is lost, the data remains inaccessible to unauthorized users. Containerization protects specific apps or data, but does not disable the entire device. Patch management, allow/blocklists, and geotagging serve other important functions but are not directly linked to the requirements in this scenario.

The logs show the device checking in from two distant locations (USA and Qatar) at nearly the same time, which indicatesimpossible travel— a strong indicator that either the device has been cloned, compromised, or credentials stolen. The best immediate action is todisable the device's account and accessto prevent potential misuse while an investigation is conducted. Malicious application installation or resource issues are possible but secondary concerns here compared to account compromise.

Homomorphic encryption allows computations to be performed on encrypted data without decrypting it, providing strong privacy guarantees. However, the adoption of homomorphic encryption is challenging due to several factors:

A. Incomplete mathematical primitives: This is not the primary barrier as the theoretical foundations of homomorphic encryption are well-developed.

B. No use cases to drive adoption: There are several compelling use cases for homomorphic encryption, especially in privacy-sensitive fields like healthcare and finance.

C. Quantum computers not yet capable: Quantum computing is not directly related to the challenges of adopting homomorphic encryption.

D. Insufficient coprocessor support: The computational overhead of homomorphic encryption is significant, requiring substantial processing power. Current general-purpose processors are not optimized for the intensive computations required by homomorphic encryption, limiting its practical deployment. Specialized hardware or coprocessors designed to handle these computations more efficiently are not yet widely available.