CAS-005 Exam Dumps - CompTIA CASP Questions and Answers

Homomorphic encryptionallows computations to be performed directly on encrypted data without decrypting it first. This technology is particularly useful for securely transmitting confidential data to a cloud service provider (CSP) and allowing the CSP to process the data without having any visibility into its content. This maintains data confidentiality even during processing. It is not about securing data at rest and in transit or simply storing data across nodes.

Using X.509 certificates for authentication with HTTPS encrypts credentials in transit and provides server identity verification. In SecurityX CAS-005 objectives, securing internal web services with TLS and mutual authentication is a primary method to reduce credential interception or reuse.

802.1X EAP-TTLS is for network access control, not web authentication.

DNS security (DNSSEC) ensures DNS integrity, not web session encryption.

IDS rules help detect, but not prevent, credential exposure.

Code signing uses cryptographic digital signatures to prove that software or updates come from a trusted source and have not been altered. In the SecurityX CAS-005 objectives, this is covered under security engineering and cryptographic assurance mechanisms.

Envelope encryption protects confidentiality but does not authenticate the source.

File integrity monitoring detects file changes but does not confirm the origin of the update.

Application control manages which software can run but does not ensure authenticity of distributed files.Only code signing meets all three objectives: verifying the source, ensuring authorization, and proving integrity.

Theregulated lab environment (Yes)shares the same VLAN (10.2.0.0/22) withusers, creatingzone traversalrisk from unregulated zones to sensitive datanetworks.

This allows pivoting and lateral movement from non-regulated user devices into regulated lab environments — a classiczone boundary violation.

Zone traversal should be mitigated with segmentation and firewall enforcement.

FromCAS-005, Domain 2: Risk Management and Mitigation Strategies:

“Zone traversal occurs when segmentation boundaries are misconfigured or merged, leading to regulatory and risk compliance failures.”

Step by Step Explanation:

Understanding the Scenario: Theorganization is using customer-managed encryption keys in the cloud, which is more expensive than using the cloud provider's free managed keys. The CISO needs to find a way to reduce costs without significantly weakening the security posture.

Analyzing the Answer Choices:

A. Utilize an on-premises HSM to locally manage keys: While on-premises HSMs offer strong security, they introduce additional costs and complexity (procurement, maintenance, etc.). This option is unlikely to reduce costs compared to cloud-based key management.

B. Adjust the configuration for cloud provider keys on data that is classified as public: This is the most practical and cost-effective approach. Data classified as public doesn't require the same level of protection as sensitive data. Using the cloud provider's free managed keys for public data can significantly reduce costs without compromising security, as the data is intended to be publicly accessible anyway.

Anacceptable use policy (AUP)defines what is considered appropriate use of corporate email and prevents unnecessary emails to personal accounts. This helps in reducing false DLP alerts while maintaining compliance.

Quarantining emails (A)is unnecessary since the content was not flagged as sensitive.

Encryption (C)secures emails but does not address overuse.

Phishing awareness training (D)is unrelated to policy enforcement for outgoing emails.

Step-by-Step Explanation:

Regression testing ensures that new changes do not break existing functionality. It would have identified the memory leak before deployment, preventing downtime.

For operational technology (OT) and non-traditional devices, downtime must be avoided. CAS-005 recommends passive monitoring and proactive response for environments where active scanning or changes could disrupt operations. Observing the environment continuously and acting on malicious indicators allows security without interrupting critical manufacturing processes.

Honeypots (A) are good for research but don’t provide full facility monitoring.

Behavioral analysis (B) is reactive without proactive measures.

Patching (C) is important but could cause downtime and may be limited in OT environments.

To prevent sensitive corporate information from being exposed if a laptop is stolen, the solution must ensure that data is not stored locally and access is tightly controlled. According to the CompTIA SecurityX CAS-005 study guide (Domain 4: Governance, Risk, and Compliance, 4.3), Desktop as a Service (DaaS) hosts data and applications in the cloud, reducing the risk of data exposure on physical devices. Combining DaaS with multifactor authentication (MFA) ensures that even if a laptop is stolen, unauthorized access to the cloud environment is prevented.

Option B:IP allow lists and SSO do not address data stored locally on the laptop, which could be accessed offline.

Option C:MDM and stronger passwords help but do not prevent data exposure if the device is compromised (e.g., via offline attacks).

Option D:Updating policies and monitoring breaches are reactive measures that do not directly protect data on a stolen laptop.

Option A:DaaS ensures no sensitive data resides on the device, and MFA secures access, making it the best solution.

The logs indicate unauthorized access from104.18.16.29, an external IP, to the building camera’s administrative console during off-hours.Restricting access only to approved IPsensures that only authorized personnel can remotely control the cameras, reducing the risk of unauthorized access and manipulation.

Implementing WAF protection (A)secures against web application attacks but does not restrict unauthorized administrative access.

Upgrading the firmware (B)is good security hygiene but does not immediately mitigate the active threat.

Blocking IP 104.18.16.29 (D)is a temporary measure, as an attacker can switch to another IP. A better long-term solution is whitelisting trusted IPs.