CAS-005 Free Practice Test

Company A acquired Company B and needs to determine how the acquisition will impact the attack surface of the organization as a whole. Which of the following is the best way to achieve this goal? (Select two).
Implementing DLP controls preventing sensitive data from leaving Company B's network

1. A. Documenting third-party connections used by Company B
2. B. Reviewing the privacy policies currently adopted by Company B
3. C. Requiring data sensitivity labeling tor all files shared with Company B
4. D. Forcing a password reset requiring more stringent passwords for users on Company B's network
5. E. Performing an architectural review of Company B's network

Correct Answer: AB
To determine how the acquisition of Company B will impact the attack surface, the following steps are crucial:
* A. Documenting third-party connections used by Company B: Understanding all external connections is essential for assessing potential entry points for attackers and ensuring that these connections are secure.
* E. Performing an architectural review of Company B's network: This review will identify
vulnerabilities and assess the security posture of the acquired company's network, providing a comprehensive understanding of the new attack surface.
These actions will provide a clear picture of the security implications of the acquisition and help in developing a plan to mitigate any identified risks.
References:
✑ CompTIA SecurityX Study Guide: Emphasizes the importance of understanding third-party connections and conducting architectural reviews during acquisitions.
✑ NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems": Recommends comprehensive reviews and documentation of third-party connections.
✑ "Mergers, Acquisitions, and Other Restructuring Activities" by Donald DePamphilis: Discusses the importance of security assessments during acquisitions.

A developer needs to improve the cryptographic strength of a password-storage component in a web application without completely replacing the crypto-module. Which of the following is the most appropriate technique?

1. A. Key splitting
2. B. Key escrow
3. C. Key rotation
4. D. Key encryption
5. E. Key stretching

Correct Answer: E
The most appropriate technique to improve the cryptographic strength of a password-storage component in a web application without completely replacing the crypto- module is key stretching. Here's why:
✑ Enhanced Security: Key stretching algorithms, such as PBKDF2, bcrypt, and scrypt, increase the computational effort required to derive the encryption key from the password, making brute-force attacks more difficult and time-consuming.
✑ Compatibility: Key stretching can be implemented alongside existing cryptographic modules, enhancing their security without the need for a complete overhaul.
✑ Industry Best Practices: Key stretching is a widely recommended practice for securely storing passwords, as it significantly improves resistance to password- cracking attacks.
✑ References:

A network engineer must ensure that always-on VPN access is enabled Curt restricted to company assets Which of the following best describes what the engineer needs to do''

1. A. Generate device certificates using the specific template settings needed
2. B. Modify signing certificates in order to support IKE version 2
3. C. Create a wildcard certificate for connections from public networks
4. D. Add the VPN hostname as a SAN entry on the root certificate

Correct Answer: A
To ensure always-on VPN access is enabled and restricted to company assets, the network engineer needs to generate device certificates using the specific template settings required for the company's VPN solution. These certificates ensure that only authorized devices can establish a VPN connection.
Why Device Certificates are Necessary:
✑ Authentication: Device certificates authenticate company assets, ensuring that only authorized devices can access the VPN.
✑ Security: Certificates provide a higher level of security compared to username and password combinations, reducing the risk of unauthorized access.
✑ Compliance: Certificates help in meeting security policies and compliance requirements by ensuring that only managed devices can connect to the corporate network.
Other options do not provide the same level of control and security for always-on VPN access:
✑ B. Modify signing certificates for IKE version 2: While important for VPN protocols,
it does not address device-specific authentication.
✑ C. Create a wildcard certificate: This is not suitable for device-specific authentication and could introduce security risks.
✑ D. Add the VPN hostname as a SAN entry: This is more related to certificate management and does not ensure device-specific authentication.
References:
✑ CompTIA SecurityX Study Guide
✑ "Device Certificates for VPN Access," Cisco Documentation
✑ NIST Special Publication 800-77, "Guide to IPsec VPNs"

Within a SCADA a business needs access to the historian server in order together metric about the functionality of the environment. Which of the following actions should be taken to address this requirement?

1. A. Isolating the historian server for connections only from The SCADA environment
2. B. Publishing the C$ share from SCADA to the enterprise
3. C. Deploying a screened subnet between 11 and SCADA
4. D. Adding the business workstations to the SCADA domain

Correct Answer: A
The best action to address the requirement of accessing the historian server within a SCADA system is to isolate the historian server for connections only from the SCADA environment. Here??s why:
✑ Security and Isolation: Isolating the historian server ensures that only authorized
devices within the SCADA environment can connect to it. This minimizes the attack surface and protects sensitive data from unauthorized access.
✑ Access Control: By restricting access to the historian server to only SCADA
devices, the organization can better control and monitor interactions, ensuring that only legitimate queries and data retrievals occur.
✑ Best Practices for Critical Infrastructure: Following the principle of least privilege,
isolating critical components like the historian server is a standard practice in securing SCADA systems, reducing the risk of cyberattacks.
✑ References:

A security architect is establishing requirements to design resilience in un enterprise system trial will be extended to other physical locations. The system must
• Be survivable to one environmental catastrophe
• Re recoverable within 24 hours of critical loss of availability
• Be resilient to active exploitation of one site-to-site VPN solution

1. A. Load-balance connection attempts and data Ingress at internet gateways
2. B. Allocate fully redundant and geographically distributed standby sites.
3. C. Employ layering of routers from diverse vendors
4. D. Lease space to establish cold sites throughout other countries
5. E. Use orchestration to procure, provision, and transfer application workloads lo cloudservices
6. F. Implement full weekly backups to be stored off-site for each of the company's sites

Correct Answer: B
To design resilience in an enterprise system that can survive environmental catastrophes, recover within 24 hours, and be resilient to active exploitation, the best strategy is to allocate fully redundant and geographically distributed standby sites. Here??s why:
✑ Geographical Redundancy: Having geographically distributed standby sites ensures that if one site is affected by an environmental catastrophe, the other sites can take over, providing continuity of operations.
✑ Full Redundancy: Fully redundant sites mean that all critical systems and data are replicated, enabling quick recovery in the event of a critical loss of availability.
✑ Resilience to Exploitation: Distributing resources across multiple sites reduces the risk of a single point of failure and increases resilience against targeted attacks.
✑ References: