[Q12-Q31] 2024 Reliable Study Materials & Testing Engine for CAS-005 Exam Success! : Exam for engine : http://blog.test4engine.com

NO.12 A security engineer performed a code scan that resulted in many false positives. The security engineer must find a solution that improves the quality of scanning results before application deployment. Which of the following is the best solution?

Limiting the tool to a specific coding language and tuning the rule set

Configuring branch protection rules and dependency checks

Using an application vulnerability scanner to identify coding flaws in production

Performing updates on code libraries before code development

NO.13

An organization is planning for disaster recovery and continuity of operations.
INSTRUCTIONS
Review the following scenarios and instructions. Match each relevant finding to the affected host.
After associating scenario 3 with the appropriate host(s), click the host to select the appropriate corrective action for that finding.
Each finding may be used more than once.
If at any time you would like to bring back the initial state of the simul-ation, please click the Reset All button.

NO.14 A company isolated its OT systems from other areas of the corporate network These systems are required to report usage information over the internet to the vendor Which oi the following b*st reduces the risk of compromise or sabotage’ (Select two).

Implementing allow lists

Monitoring network behavior

Encrypting data at rest

Performing boot Integrity checks

Executing daily health checks

Implementing a site-to-site IPSec VPN

NO.15 A security configure is building a solution to disable weak CBC configuration for remote access connections lo Linux systems. Which of the following should the security engineer modify?

The /etc/openssl.conf file, updating the virtual site parameter

The /etc/nsswith.conf file, updating the name server

The /etc/hosts file, updating the IP parameter

The /etc/etc/sshd, configure file updating the ciphers

NO.16 A security analyst is reviewing the following authentication logs:

Which of the following should the analyst do first?

Disable User2’s account

Disable User12’s account

Disable User8’s account

Disable User1’s account

NO.17 An organization is planning for disaster recovery and continuity of operations, and has noted the following relevant findings:
1. A natural disaster may disrupt operations at Site A, which would then cause an evacuation. Users are unable to log into the domain from-their workstations after relocating to Site B.
2. A natural disaster may disrupt operations at Site A, which would then cause the pump room at Site B to become inoperable.
3. A natural disaster may disrupt operations at Site A, which would then cause unreliable internet connectivity at Site B due to route flapping.
INSTRUCTIONS
Match each relevant finding to the affected host by clicking on the host name and selecting the appropriate number.
For findings 1 and 2, select the items that should be replicated to Site B. For finding 3, select the item requiring configuration changes, then select the appropriate corrective action from the drop-down menu.

NO.18 Which of the following best explains the importance of determining organization risk appetite when operating with a constrained budget?

Risk appetite directly impacts acceptance of high-impact low-likelihood events.

Organizational risk appetite varies from organization to organization

Budgetary pressure drives risk mitigation planning in all companies

Risk appetite directly influences which breaches are disclosed publicly

NO.19 A company is having issues with its vulnerability management program New devices/lPs are added and dropped regularly, making the vulnerability report inconsistent Which of the following actions should the company lake to most likely improve the vulnerability management process’

Request a weekly report with all new assets deployed and decommissioned

Extend the DHCP lease lime to allow the devices to remain with the same address for a longer period.

Implement a shadow IT detection process to avoid rogue devices on the network

Perform regular discovery scanning throughout the 11 landscape using the vulnerability management tool

NO.20 A security analyst wants to use lessons learned from a poor incident response to reduce dwell lime in the future The analyst is using the following data points

Which of the following would the analyst most likely recommend?

Adjusting the SIEM to alert on attempts to visit phishing sites

Allowing TRACE method traffic to enable better log correlation

Enabling alerting on all suspicious administrator behavior

utilizing allow lists on the WAF for all users using GFT methods

In the context of improving incident response and reducing dwell time, the security analyst needs to focus on proactive measures that can quickly detect and alert on potential security breaches. Here’s a detailed analysis of the options provided:
A: Adjusting the SIEM to alert on attempts to visit phishing sites: While this is a useful measure to prevent phishing attacks, it primarily addresses external threats and doesn’t directly impact dwell time reduction, which focuses on the time a threat remains undetected within a network.
B: Allowing TRACE method traffic to enable better log correlation: The TRACE method in HTTP is used for debugging purposes, but enabling it can introduce security vulnerabilities. It’s not typically recommended for enhancing security monitoring or incident response.
C: Enabling alerting on all suspicious administrator behavior: This option directly targets the potential misuse of administrator accounts, which are often high-value targets for attackers. By monitoring and alerting on suspicious activities from admin accounts, the organization can quickly identify and respond to potential breaches, thereby reducing dwell time significantly. Suspicious behavior could include unusual login times, access to sensitive data not usually accessed by the admin, or any deviation from normal behavior patterns.
This proactive monitoring is crucial for quick detection and response, aligning well with best practices in incident response.
D: Utilizing allow lists on the WAF for all users using GET methods: This measure is aimed at restricting access based on allowed lists, which can be effective in preventing unauthorized access but doesn’t specifically address the need for quick detection and response to internal threats.
References:
* CompTIA SecurityX Study Guide: Emphasizes the importance of monitoring and alerting on admin activities as part of a robust incident response plan.
* NIST Special Publication 800-61 Revision 2, “Computer Security Incident Handling Guide”: Highlights best practices for incident response, including the importance of detecting and responding to suspicious activities quickly.
* “Incident Response & Computer Forensics” by Jason T. Luttgens, Matthew Pepe, and Kevin Mandia:
Discusses techniques for reducing dwell time through effective monitoring and alerting mechanisms, particularly focusing on privileged account activities.
By focusing on enabling alerting for suspicious administrator behavior, the security analyst addresses a critical area that can help reduce the time a threat goes undetected, thereby improving the overall security posture of the organization.
Top of Form
Bottom of Form

NO.21 An organization is required to
* Respond to internal and external inquiries in a timely manner
* Provide transparency.
* Comply with regulatory requirements
The organization has not experienced any reportable breaches but wants to be prepared if a breach occurs in the future. Which of the following is the best way for the organization to prepare?

Outsourcing the handling of necessary regulatory filing to an external consultant

Integrating automated response mechanisms into the data subject access request process

Developing communication templates that have been vetted by internal and external counsel

Conducting lessons-learned activities and integrating observations into the crisis management plan

NO.22 A security analyst needs to ensure email domains that send phishing attempts without previous communications are not delivered to mailboxes The following email headers are being reviewed

Which of the following is the best action for the security analyst to take?

Block messages from hr-saas.com because it is not a recognized domain.

Reroute all messages with unusual security warning notices to the IT administrator

Quarantine all messages with sales-mail.com in the email header

Block vendor com for repeated attempts to send suspicious messages

In reviewing email headers and determining actions to mitigate phishing attempts, the security analyst should focus on patterns of suspicious behavior and the reputation of the sending domains. Here’s the analysis of the options provided:
A; Block messages from hr-saas.com because it is not a recognized domain: Blocking a domain solely because it is not recognized can lead to legitimate emails being missed. Recognition alone should not be the criterion for blocking.
B: Reroute all messages with unusual security warning notices to the IT administrator: While rerouting suspicious messages can be a good practice, it is not specific to the domain sending repeated suspicious messages.
C: Quarantine all messages with sales-mail.com in the email header: Quarantining messages based on the presence of a specific domain in the email header can be too broad and may capture legitimate emails.
D: Block vendor com for repeated attempts to send suspicious messages: This option is the most appropriate because it targets a domain that has shown a pattern of sending suspicious messages. Blocking a domain that repeatedly sends phishing attempts without previous communications helps in preventing future attempts from the same source and aligns with the goal of mitigating phishing risks.
References:
* CompTIA SecurityX Study Guide: Details best practices for handling phishing attempts, including blocking domains with repeated suspicious activity.
* NIST Special Publication 800-45 Version 2, “Guidelines on Electronic Mail Security”: Provides guidelines on email security, including the management of suspicious email domains.
* “Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft” by Markus Jakobsson and Steven Myers: Discusses effective measures to counter phishing attempts, including blocking persistent offenders.
By blocking the domain that has consistently attempted to send suspicious messages, the security analyst can effectively reduce the risk of phishing attacks.

NO.23 A company receives reports about misconfigurations and vulnerabilities in a third-party hardware device that is part of its released products. Which of the following solutions is the best way for the company to identify possible issues at an earlier stage?

Performing vulnerability tests on each device delivered by the providers

Performing regular red-team exercises on the vendor production line

Implementing a monitoring process for the integration between the application and the vendor appliance

Implementing a proper supply chain risk management program

NO.24 After remote desktop capabilities were deployed in the environment, various vulnerabilities were noticed.
* Exfiltration of intellectual property
* Unencrypted files
* Weak user passwords
Which of the following is the best way to mitigate these vulnerabilities? (Select two).

Implementing data loss prevention

Deploying file integrity monitoring

Restricting access to critical file services only

Deploying directory-based group policies

Enabling modem authentication that supports MFA

Implementing a version control system

Implementing a CMDB platform

NO.25 A security architect for a global organization with a distributed workforce recently received funding lo deploy a CASB solution Which of the following most likely explains the choice to use a proxy-based CASB?

The capability to block unapproved applications and services is possible

Privacy compliance obligations are bypassed when using a user-based deployment.

Protecting and regularly rotating API secret keys requires a significant time commitment

Corporate devices cannot receive certificates when not connected to on-premises devices

NO.26 A software engineer is creating a CI/CD pipeline to support the development of a web application The DevSecOps team is required to identify syntax errors Which of the following is the most relevant to the DevSecOps team’s task’

Static application security testing

Software composition analysis

Runtime application self-protection

Web application vulnerability scanning

NO.27 Users are willing passwords on paper because of the number of passwords needed in an environment. Which of the following solutions is the best way to manage this situation and decrease risks?

Increasing password complexity to require 31 least 16 characters

implementing an SSO solution and integrating with applications

Requiring users to use an open-source password manager

Implementing an MFA solution to avoid reliance only on passwords

NO.28 A security officer received several complaints from users about excessive MPA push notifications at night The security team investigates and suspects malicious activities regarding user account authentication Which of the following is the best way for the security officer to restrict MI~A notifications”

Provisioning FID02 devices

Deploying a text message based on MFA

Enabling OTP via email

Configuring prompt-driven MFA

NO.29 An audit finding reveals that a legacy platform has not retained loos for more than 30 days The platform has been segmented due to its interoperability with newer technology. As a temporary solution, the IT department changed the log retention to 120 days. Which of the following should the security engineer do to ensure the logs are being properly retained?

Configure a scheduled task nightly to save the logs

Configure event-based triggers to export the logs at a threshold.

Configure the SIEM to aggregate the logs

Configure a Python script to move the logs into a SQL database.

NO.30 The identity and access management team is sending logs to the SIEM for continuous monitoring. The deployed log collector is forwarding logs to the SIEM. However, only false positive alerts are being generated. Which of the following is the most likely reason for the inaccurate alerts?

The compute resources are insufficient to support the SIEM

The SIEM indexes are 100 large

The data is not being properly parsed

The retention policy is not property configured

NO.31 A company receives several complaints from customers regarding its website. An engineer implements a parser for the web server logs that generates the following output:

which of the following should the company implement to best resolve the issue?

IDS

CDN

WAF

NAC