CompTIA CAS-005 SecurityX Exam Dumps and Practice Test Questions Set3 Q41-60
Question 41:
Which of the following network protocols is commonly used to securely transfer files between hosts over an encrypted connection?
A. FTP
B. SFTP
C. TFTP
D. Telnet
Answer: B. SFTP
Explanation:
SFTP (SSH File Transfer Protocol) is a file transfer protocol that runs as a subsystem of SSH, so the SSH transport encrypts and authenticates the entire session. Despite the common expansion “Secure FTP”, it shares nothing with FTP on the wire and is distinct from FTPS (FTP wrapped in TLS). Unlike FTP, which transmits credentials and data in plaintext, SFTP ensures that both authentication credentials and file contents are encrypted, protecting confidentiality, integrity, and authentication.
SFTP is widely used in enterprise environments to securely exchange sensitive files between servers, remote users, or automated systems. The protocol supports commands for uploading, downloading, listing, and managing files, similar to FTP, but with the added benefit of encryption. TFTP (Trivial File Transfer Protocol) is a lightweight, unencrypted protocol primarily used for configuration or bootstrapping devices but is not secure for sensitive data. Telnet is a plaintext remote terminal protocol that exposes both credentials and data to potential interception, making it unsuitable for secure file transfer.
SFTP’s reliance on SSH keys or password authentication allows for robust access control, while encryption prevents attackers from capturing or tampering with files during transmission. Best practices for SFTP include using strong key pairs, disabling password-based authentication when possible, and enforcing strict access controls on directories and files. Additionally, organizations often integrate logging and monitoring to track file transfers and detect anomalies.
For CompTIA CAS-005, understanding the difference between SFTP and insecure protocols like FTP or Telnet is crucial, as exam objectives emphasize secure data transmission. SFTP demonstrates confidentiality, integrity, and authentication, aligning with the CIA triad. Organizations can achieve compliance and minimize risk exposure by implementing SFTP alongside secure key management, monitoring, and network segmentation. Knowledge of SFTP also underlines the importance of selecting protocols that safeguard sensitive information during remote file operations.
Question 42:
Which type of malware is designed to execute harmful code when specific conditions or triggers occur?
A. Logic bomb
B. Worm
C. Trojan
D. Rootkit
Answer: A. Logic bomb
Explanation:
A logic bomb is a type of malicious code embedded within a system or application that executes when predefined conditions or triggers are met. These triggers could include a specific date, the deletion of a file, user inactivity, or the execution of a particular application. Logic bombs are typically used by attackers to cause damage, disrupt operations, or sabotage systems without immediately revealing their presence.
Unlike worms, which self-propagate, or Trojans, which disguise themselves as legitimate software, logic bombs remain dormant until triggered, making detection challenging. Rootkits may hide malicious activity but are not inherently conditional. Logic bombs are often inserted by insiders, malicious employees, or compromised software packages, emphasizing the importance of monitoring for unauthorized changes and performing code reviews.
The consequences of a logic bomb can range from data deletion, system crashes, file corruption, or service outages, directly impacting availability and integrity. Detection methods include file integrity monitoring, behavioral analysis, auditing, and intrusion detection systems, which help identify abnormal system actions. Preventive measures include access control, least privilege enforcement, code reviews, and change management processes, reducing the likelihood of logic bomb insertion.
In the context of CompTIA CAS-005, understanding logic bombs highlights the intersection of malware, insider threats, and detection controls. Candidates must recognize the differences between logic bombs and other malware types, as well as how administrative, technical, and detective controls can mitigate such threats. Logic bombs underscore the significance of security policies, auditing, monitoring, and proactive risk management to maintain confidentiality, integrity, and availability in enterprise environments.
Question 43:
Which type of attack involves an attacker manipulating SQL queries to access or modify a database without authorization?
A. Cross-Site Scripting (XSS)
B. SQL Injection
C. Buffer overflow
D. Directory traversal
Answer: B. SQL Injection
Explanation:
SQL Injection (SQLi) is a web application attack that occurs when an attacker injects malicious SQL code into input fields or URL parameters to manipulate database queries. If the application does not properly sanitize or validate user input, the attacker can retrieve, modify, or delete data, escalate privileges, or bypass authentication mechanisms.
SQLi can result in unauthorized access to sensitive data, corruption of database content, and in severe cases, complete control over the underlying server. The attack typically targets poorly secured applications, especially those that construct SQL statements dynamically without input validation. It differs from Cross-Site Scripting (XSS), which executes scripts in a user’s browser, buffer overflow attacks, which exploit memory allocation, and directory traversal attacks, which access restricted filesystem paths.
Mitigation strategies for SQLi include parameterized queries, prepared statements, input validation, stored procedures, and least privilege database accounts. Security testing tools, such as automated scanners and penetration testing, can help identify vulnerabilities before they are exploited. Web application firewalls (WAFs) can also block SQLi attempts by detecting known malicious patterns.
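The following added example (written for this page, not taken from the exam or any vendor material) shows a login function built by string formatting next to one that uses bound parameters, both run against an in-memory SQLite table. The account rows and the two payloads are constructed for the demonstration; the parameterized version rejects both payloads because the driver passes the values separately from the SQL text.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two demo accounts (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct-horse-battery", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the statement by string formatting: user input becomes SQL syntax."""
    query = ("SELECT role FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Uses bound parameters: values travel separately from the SQL text, so a
    quote or OR inside the password is compared literally, never parsed."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Tautology payload: closes the string literal and appends OR '1'='1',
# which makes the WHERE clause true for every row.
TAUTOLOGY = "' OR '1'='1"
# Comment payload: ends the statement early so the password check never runs.
COMMENT_OUT = "alice'--"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", TAUTOLOGY))          # admin (bypassed)
    print(login_vulnerable(db, COMMENT_OUT, "anything"))     # admin (bypassed)
    print(login_parameterized(db, "alice", TAUTOLOGY))       # None (rejected)
    print(login_parameterized(db, COMMENT_OUT, "anything"))  # None (rejected)
```

The fix is the placeholder form, not escaping: once the statement text is fixed and the values are bound, the database never treats input as syntax. A least-privilege database account and a WAF remain useful as extra layers but do not replace it.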
For CompTIA CAS-005, SQL injection is an essential topic under application security and common attack types. Understanding SQLi demonstrates the importance of secure coding practices, input validation, and access control in protecting data integrity and confidentiality. Organizations must combine technical measures with security awareness for developers to reduce exposure to injection attacks. Effective defenses against SQLi enhance overall risk management and regulatory compliance, as compromised databases can have severe operational, legal, and reputational consequences.
Question 44:
Which type of attack involves intercepting and relaying network communications between two parties to steal data or credentials?
A. Replay attack
B. Man-in-the-Middle (MITM)
C. Brute-force attack
D. Phishing
Answer: B. Man-in-the-Middle (MITM)
Explanation:
A Man-in-the-Middle (MITM) attack occurs when an attacker secretly intercepts, relays, or alters communications between two parties. The attacker can eavesdrop on confidential information, steal credentials, or modify messages without the participants’ knowledge. MITM attacks compromise confidentiality, integrity, and authentication, making them a significant threat to secure communications.
MITM attacks can occur over unsecured Wi-Fi networks, compromised routers, ARP spoofing, DNS spoofing, or SSL stripping. For example, an attacker on public Wi-Fi could capture login credentials or banking information by acting as a transparent intermediary. Replay attacks involve resending captured data but do not necessarily modify communication in real time. Brute-force attacks attempt to guess credentials, while phishing tricks users into voluntarily providing sensitive information.
Mitigation strategies include transport encryption with proper endpoint authentication (TLS, as used by HTTPS), VPN usage, strict certificate validation, HTTP Strict Transport Security (HSTS) to defeat SSL stripping, multi-factor authentication (MFA, ideally a phishing-resistant method such as FIDO2, since a real-time relay can forward a one-time code), and network monitoring. Organizations may also implement DNSSEC, secure DNS configurations, and intrusion detection/prevention systems (IDS/IPS) to detect and prevent MITM attempts.
In CAS-005, understanding MITM attacks is crucial for demonstrating knowledge of network security vulnerabilities, secure protocols, and mitigation techniques. Candidates must recognize the risks associated with unencrypted communications, the importance of proper cryptography, and how attackers exploit trust relationships. Preventing MITM attacks involves both technical controls and user awareness, emphasizing defense-in-depth strategies that protect sensitive information from interception, manipulation, or unauthorized disclosure in enterprise environments.
Question 45:
Which type of firewall filters traffic based on source and destination IP addresses, ports, and protocols without inspecting payload content?
A. Stateful firewall
B. Packet-filtering firewall
C. Application-layer firewall
D. Proxy firewall
Answer: B. Packet-filtering firewall
Explanation:
A packet-filtering firewall is a network security device that examines traffic at the network and transport layers (OSI Layers 3 and 4) and filters packets based on IP addresses, ports, and protocols. It is one of the simplest forms of firewall and is effective at controlling basic network access but does not inspect the payload content of packets.
Packet-filtering firewalls operate using a rule set configured by administrators, which can allow or deny traffic based on source/destination IP, port number, or protocol type. For example, rules may allow TCP port 80 traffic to a web server while blocking unauthorized ports. Because a packet filter keeps no connection state, it must also admit return traffic through a standing rule, which typically ends up broader than necessary. It cannot analyze application data, detect malicious payloads, or protect against attacks such as SQL injection, XSS, or malware carried inside otherwise permitted traffic.
Stateful firewalls improve on packet filtering by tracking active connections, allowing return traffic while still filtering unauthorized packets. Application-layer firewalls (Layer 7) inspect the payload and understand specific protocols such as HTTP, FTP, or SMTP, allowing more granular control and protection. Proxy firewalls act as intermediaries, forwarding requests while hiding the internal network and providing caching and filtering at a deeper layer.
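The added example below, not part of the original question set, models a stateless packet filter and a minimal stateful one over the same rule set. The addresses, rules and packets are constructed for the demonstration. It shows the return-traffic problem from the explanation: the stateless filter needs a standing inbound rule that also admits an unsolicited probe, whereas the stateful filter accepts only the reply to a flow it already allowed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"      # CIDR
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


def packet_filter(rules: List[Rule], p: Packet) -> str:
    """Stateless Layer 3/4 filter: first matching rule wins, implicit default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFilter:
    """Same rule set plus a connection table: replies to flows the rules already
    allowed are accepted without a standing rule that opens the port to everyone."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows: Set[Tuple[str, int, str, int, str]] = set()

    def check(self, p: Packet) -> str:
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows:
            return "allow"            # reverse direction of a tracked flow
        verdict = packet_filter(self.rules, p)
        if verdict == "allow":
            self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return verdict


# Constructed policy: a public web server plus outbound access for the internal LAN.
RULES = [
    Rule("allow", dst="10.0.0.5/32", proto="tcp", dport=80),
    Rule("allow", src="10.0.0.0/8", proto="tcp"),
]
# The workaround a stateless filter needs for return traffic: admit inbound TCP broadly.
RETURN_RULE = Rule("allow", dst="10.0.0.0/8", proto="tcp")

OUTBOUND = Packet("10.0.0.20", "203.0.113.9", "tcp", 51000, 443)
REPLY = Packet("203.0.113.9", "10.0.0.20", "tcp", 443, 51000)
PROBE = Packet("198.51.100.7", "10.0.0.20", "tcp", 40000, 22)   # unsolicited SSH attempt

if __name__ == "__main__":
    print(packet_filter(RULES, OUTBOUND), packet_filter(RULES, REPLY))  # allow deny
    print(packet_filter(RULES + [RETURN_RULE], PROBE))                   # allow (too broad)
    sf = StatefulFilter(RULES)
    print(sf.check(OUTBOUND), sf.check(REPLY), sf.check(PROBE))          # allow allow deny
```

A production stateful firewall also tracks TCP flags and ages entries out of the table; the point here is only that the connection table, not a broader rule, is what lets the reply through.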
In CAS-005, understanding packet-filtering firewalls emphasizes basic traffic control, network segmentation, and access policy enforcement. Packet filters are foundational for network security, allowing organizations to implement perimeter defenses, reduce attack surfaces, and enforce minimum traffic rules. Candidates must differentiate between packet filtering, stateful inspection, and application-layer inspection to select appropriate security solutions for varying network requirements, ensuring confidentiality, integrity, and availability of network resources.
Question 46:
Which type of attack attempts to capture user credentials by masquerading as a legitimate website or service?
A. SQL injection
B. Phishing
C. Man-in-the-Middle
D. Brute-force
Answer: B. Phishing
Explanation:
Phishing is a social engineering attack in which an attacker masquerades as a trusted entity to trick users into divulging sensitive information, such as login credentials, personal details, or financial data. This can occur via email, instant messaging, fake websites, or phone calls. Phishing relies on deception and user trust rather than technical vulnerabilities, though technical mechanisms can facilitate delivery, such as spoofed email headers or malicious links.
Successful phishing attacks can lead to account compromise, financial loss, identity theft, and unauthorized access to organizational systems. Attackers often create legitimate-looking emails, forms, or websites to lure users into providing information voluntarily. Phishing differs from SQL injection, which exploits web application vulnerabilities, MITM attacks, which intercept communications, and brute-force attacks, which attempt to guess passwords algorithmically.
Mitigation strategies include security awareness training, email filtering, anti-phishing tools, MFA implementation, and incident reporting procedures. Users trained to recognize suspicious links, unexpected requests, and spelling or formatting anomalies are less likely to fall victim. Organizations can also deploy DMARC, SPF, and DKIM to reduce email spoofing and phishing risk.
In CAS-005, phishing represents a critical example of human-centric security threats. Candidates must understand how attackers exploit human behavior, how MFA and secure authentication can reduce the impact, and the importance of combining technical and administrative controls. Recognizing phishing aligns with objectives on social engineering, risk management, and user awareness, demonstrating that effective cybersecurity requires addressing both technical vulnerabilities and human factors to protect organizational assets.
Question 47:
Which type of authentication factor relies on something the user has, such as a smart card, token, or mobile device?
A. Knowledge factor
B. Possession factor
C. Inherence factor
D. Location factor
Answer: B. Possession factor
Explanation:
The possession factor is one of the three main categories of authentication factors used in multi-factor authentication (MFA). It relies on something the user physically possesses, such as a smart card, hardware token, mobile authenticator app, or USB security key. The primary purpose is to strengthen security by combining possession with other factors, such as knowledge (passwords) or inherence (biometrics).
Possession-based authentication enhances security because even if a password is stolen, an attacker cannot authenticate without also having the physical device. Common implementations include time-based one-time passwords (TOTP) generated by authenticator apps, push notifications to registered devices, or PKI smart cards used for enterprise login and digital signatures.
This factor differs from knowledge factors, which rely on something the user knows (passwords, PINs), and inherence factors, which rely on biometric characteristics like fingerprints, facial recognition, or voice. Location and behavioral factors, sometimes considered a fourth factor, rely on user environment or patterns.
For CAS-005 candidates, understanding the possession factor is crucial because multi-factor authentication is a core security control. MFA reduces the likelihood of unauthorized access by combining multiple independent factors. Possession-based methods also play a role in regulatory compliance, including PCI DSS, HIPAA, and NIST guidelines, which require strong authentication for sensitive systems.
Implementing possession factors requires careful management, including secure issuance, revocation procedures, lost-device protocols, and periodic testing to ensure devices function correctly. Combined with passwords and biometrics, possession-based authentication significantly strengthens an organization’s overall security posture, supporting the CIA triad by protecting confidentiality, ensuring proper access, and maintaining integrity.
Question 48:
Which type of attack occurs when an attacker exploits a vulnerability in software before the vendor has issued a patch?
A. Zero-day exploit
B. Rootkit
C. Malware injection
D. Logic bomb
Answer: A. Zero-day exploit
Explanation:
A zero-day exploit targets a software vulnerability for which no patch is yet available, typically because the vendor is unaware of it or has not yet shipped a fix. Because there is no fix, attackers can exploit the vulnerability to compromise systems, execute code, steal data, or escalate privileges, often undetected. The term “zero-day” refers to the fact that the vendor has had zero days to address the vulnerability by the time it is being exploited.
Zero-day exploits are highly valuable in cybercrime markets and can be used in targeted attacks against critical infrastructure, corporate networks, or personal systems. Common vectors include web browsers, office applications, operating system flaws, and network services. Attackers often combine zero-day exploits with malware delivery mechanisms to create advanced persistent threats (APTs).
Zero-day exploits differ from rootkits, which hide malware presence; logic bombs, which execute under specific conditions; and general malware injection, which may exploit known vulnerabilities. Detection is challenging because traditional signature-based antivirus solutions cannot identify unknown threats. Organizations rely on behavior-based monitoring, anomaly detection, intrusion detection/prevention systems (IDS/IPS), and threat intelligence feeds to mitigate risk.
In CAS-005, understanding zero-day exploits is critical for demonstrating knowledge of vulnerability management, patching, risk assessment, and proactive defenses. Security professionals must implement defense-in-depth strategies, including network segmentation, application whitelisting, intrusion monitoring, and timely patching of known vulnerabilities to reduce exposure.
Training staff to recognize unusual system behavior, isolate affected systems, and coordinate with threat intelligence providers helps mitigate the impact of zero-day attacks. Zero-day threats emphasize the importance of continuous monitoring, vulnerability management programs, and layered defenses to protect confidentiality, integrity, and availability within enterprise networks.
Question 49:
Which type of social engineering attack uses threats or intimidation to convince a user to reveal sensitive information?
A. Phishing
B. Vishing
C. Pretexting
D. Baiting
Answer: B. Vishing
Explanation:
Vishing (voice phishing) is a social engineering technique in which attackers use telephone calls or voice messages to manipulate victims into divulging sensitive information, such as login credentials, banking details, or personal data. Attackers often pose as trusted entities, including banks, IT support, or government agencies, leveraging fear, urgency, or authority to pressure the victim into immediate action.
Vishing differs from email-based phishing, which relies on digital communications, and pretexting, which involves creating a fabricated scenario to obtain information. Baiting, by contrast, uses a tangible lure, such as a USB drive, to entice victims into performing an action that compromises security.
The success of vishing attacks relies on psychological manipulation, often exploiting human tendencies to comply with authority or avoid negative consequences. Attackers may create plausible backstories, use caller ID spoofing, and leverage knowledge obtained from social media or previous breaches to increase credibility.
Mitigation strategies include employee awareness training, verification of caller identities, policies for sharing sensitive information over the phone, and incident reporting procedures. Organizations should implement call-back protocols, authentication challenges, and strict verification standards for remote support or sensitive requests.
For CAS-005 candidates, understanding vishing demonstrates the importance of human factors in security, social engineering awareness, and administrative controls. Defense against vishing combines technical, administrative, and procedural measures, emphasizing training, policy enforcement, and layered defenses. Recognizing vishing attacks helps organizations prevent data breaches, identity theft, and unauthorized access, supporting the CIA triad by maintaining confidentiality and integrity of critical information assets.
Question 50:
Which security control prevents unauthorized physical access to servers and sensitive equipment?
A. Administrative control
B. Technical control
C. Physical control
D. Detective control
Answer: C. Physical control
Explanation:
Physical controls are security measures that protect physical assets and facilities from unauthorized access, theft, or damage. Examples include locked doors, keycard access systems, biometric scanners, security guards, surveillance cameras, and environmental controls such as fire suppression or HVAC systems.
Physical controls are critical because even strong technical and administrative measures can be bypassed if attackers gain physical access. Unauthorized individuals could steal servers, manipulate hardware, install malware, or access sensitive data directly. Physical security is also essential for compliance with regulations such as HIPAA, PCI DSS, and ISO 27001, which mandate protection of critical infrastructure and data centers.
Physical controls differ from technical controls, which enforce security through hardware or software mechanisms (firewalls, encryption, antivirus), and administrative controls, which guide employee behavior through policies, training, and procedures. Detective controls, such as alarms or surveillance, identify breaches but do not prevent them proactively.
Best practices for physical controls include layered security, such as perimeter fencing, secure entry points, mantraps, CCTV monitoring, visitor logging, and periodic access audits. Access should follow the principle of least privilege, ensuring only authorized personnel can enter sensitive areas. Environmental controls, like temperature, humidity, and fire suppression, maintain equipment reliability and availability.
For CAS-005, understanding physical controls emphasizes protection beyond digital systems, highlighting the comprehensive nature of cybersecurity. Physical security supports the CIA triad by preventing unauthorized access that could compromise confidentiality, integrity, or availability. Candidates should recognize physical security as a fundamental part of risk management and defense-in-depth strategies, ensuring a holistic approach to organizational security.
Question 51:
Which type of access control model enforces permissions based on security labels or classifications, preventing users from accessing information above their clearance level?
A. Discretionary Access Control (DAC)
B. Mandatory Access Control (MAC)
C. Role-Based Access Control (RBAC)
D. Rule-Based Access Control
Answer: B. Mandatory Access Control (MAC)
Explanation:
Mandatory Access Control (MAC) is a strict access control model in which access permissions are based on system-enforced security labels or classifications, rather than user discretion. Each object (file, database, resource) is assigned a classification (e.g., Confidential, Secret, Top Secret), and each user is assigned a clearance level. Users can only read an object if their clearance meets or exceeds the object’s classification and, where compartments are used, includes every compartment on the object (need-to-know). In the Bell-LaPadula model that underlies most MAC implementations this is the “no read up” rule; its companion “no write down” rule stops a high-clearance user from copying data into a lower-classified object.
Unlike Discretionary Access Control (DAC), where owners can grant access to their files, MAC is centrally enforced and cannot be modified by end users. MAC differs from Role-Based Access Control (RBAC), which grants access based on organizational roles rather than security labels, and Rule-Based Access Control, which grants access based on rules or policies like time-of-day or IP address.
MAC is widely used in government and military environments, where controlling information flow and ensuring compliance with strict confidentiality rules is critical. MAC supports the CIA triad, particularly confidentiality, by ensuring sensitive information cannot be accessed by unauthorized personnel.
Implementing MAC involves labeling resources, classifying users, and enforcing system policies. Enforcement is typically handled by the operating system or security kernel. While MAC provides high security, it can be less flexible in dynamic business environments due to strict classification rules.
For CAS-005 candidates, understanding MAC demonstrates knowledge of access control models, security policy enforcement, and information classification. MAC emphasizes risk mitigation through centralized, mandatory enforcement, reducing the likelihood of data leaks or accidental disclosure. It highlights the difference between flexible models like DAC or RBAC and rigid, highly secure models that protect sensitive and classified data in enterprise or government networks.
Question 52:
Which type of malware hides its presence on a system and allows attackers to maintain persistent, covert control?
A. Rootkit
B. Trojan
C. Worm
D. Adware
Answer: A. Rootkit
Explanation:
A rootkit is a type of malicious software designed to hide its presence and maintain persistent access to a compromised system. Rootkits can modify system files, drivers, and processes to remain undetected by traditional antivirus or monitoring tools. They often operate at the kernel level, giving attackers deep control over system functions and the ability to execute commands, exfiltrate data, or deploy additional malware without detection.
Rootkits differ from Trojans, which rely on user execution, worms, which self-replicate across networks, and adware, which primarily delivers advertisements. The stealthy nature of rootkits makes them particularly dangerous, as compromised systems may continue to operate normally while attackers maintain covert access for extended periods.
Detection and mitigation require advanced techniques, such as behavior-based monitoring, memory scanning, offline analysis, and integrity checks. Removing a rootkit often involves complete system reinstallation, as some rootkits can reinstall themselves if only partially removed. Modern security solutions combine endpoint protection platforms, intrusion detection systems, and active threat hunting to identify rootkit activity.
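Both Question 42 and Question 52 list file integrity monitoring or integrity checks as a detection method. The added example below (not part of the original page) builds a SHA-256 baseline of a constructed file tree, simulates the three kinds of unauthorized change a logic bomb insertion or a rootkit install would leave behind (a modified trusted script, a new unsigned module, a deleted config file), and reports the difference. Nothing in the simulated files is executed. Caveat for the rootkit case: a kernel-mode rootkit can lie to the scanner about file contents, so the baseline should be stored off-host and the comparison run from trusted media or against an offline image.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def baseline(root: Path) -> Dict[str, str]:
    """SHA-256 of every regular file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two baselines into added, removed and modified paths."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed file tree: take a baseline, simulate tampering, re-scan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in {
            "bin/payroll.sh": "#!/bin/sh\necho 'running payroll'\n",
            "etc/app.conf": "debug=false\n",
            "lib/libcore.so": "binary placeholder\n",
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        before = baseline(root)

        # Simulated changes (constructed; never executed): a date-conditional branch
        # spliced into a trusted script, an unsigned module dropped into lib,
        # and a configuration file removed.
        (root / "bin/payroll.sh").write_text(
            "#!/bin/sh\n[ \"$(date +%m%d)\" = 0401 ] && echo 'trigger'\n"
            "echo 'running payroll'\n")
        (root / "lib/unsigned.ko").write_text("module placeholder\n")
        (root / "etc/app.conf").unlink()

        return compare(before, baseline(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken at a known-good point (after provisioning or a verified patch), signed, and kept where the monitored host cannot rewrite it; every legitimate change then goes through change management and produces a new signed baseline, so anything else that shows up in the diff is worth an incident ticket.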
In the CAS-005 exam context, understanding rootkits is important for malware awareness, detection strategies, and layered security. Rootkits highlight the need for defense-in-depth, combining technical controls (antivirus, monitoring), administrative controls (incident response), and physical safeguards to prevent installation. Awareness of rootkits also emphasizes the importance of software updates, secure boot mechanisms, and system hardening to prevent installation in the first place.
Rootkits directly threaten confidentiality, integrity, and availability, and their persistent, hidden presence underscores the need for proactive monitoring, forensic capabilities, and rapid incident response to maintain secure enterprise environments.
Question 53:
Which protocol is widely used to provide secure remote access over an encrypted channel?
A. Telnet
B. SSH
C. FTP
D. HTTP
Answer: B. SSH
Explanation:
Secure Shell (SSH) is a network protocol that provides encrypted remote access to systems, allowing users to execute commands, manage files, and administer servers securely. SSH encrypts all traffic, including authentication credentials, command execution, and data transfer, protecting against eavesdropping, tampering, and Man-in-the-Middle (MITM) attacks.
SSH differs from Telnet, which transmits data in plaintext, exposing credentials to interception. FTP also transmits credentials and data without encryption unless wrapped in TLS (FTPS); SFTP, often confused with it, is a separate protocol carried over SSH rather than an FTP extension. HTTP is the foundational web protocol, but standard HTTP is unencrypted (HTTPS adds TLS).
SSH supports public/private key authentication, enhancing security by reducing reliance on passwords. Key-based authentication enables stronger access controls, with the ability to enforce passphrases, restrict access to certain hosts, and log user activity. SSH is commonly used for remote system administration, secure file transfer, and tunneling applications, including port forwarding and VPN-like functions.
For CAS-005 candidates, understanding SSH demonstrates knowledge of network security, secure protocols, encryption, and remote access management. Secure remote access is critical for maintaining confidentiality and integrity of enterprise data while enabling administrative functions.
Organizations implementing SSH should follow best practices, including disabling root logins, enforcing key-based authentication, rotating keys, monitoring SSH logs, and limiting access through firewalls or VPNs. SSH provides a secure alternative to legacy protocols, forming a foundational component of a robust network security posture that aligns with defense-in-depth principles and regulatory compliance requirements.
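Questions 41 and 53 both recommend disabling root logins and enforcing key-based authentication. The added example below (not from the page and not OpenSSH code) audits an sshd_config text against those expectations. It encodes two behaviours that matter when reviewing real configs: sshd applies the first occurrence of a directive and ignores later duplicates, and directives after a Match line are conditional rather than global. The defaults table reflects sshd_config(5) for current OpenSSH releases; both configs are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# OpenSSH server defaults for the directives checked, per sshd_config(5).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}
# Hardened expectations from the text: no root login, key-based authentication only.
EXPECTED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
}
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")   # "Key value" or "Key=value"


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global settings: first occurrence wins; stop at the first Match block."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding space
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        effective.setdefault(key, value)        # later duplicates are ignored by sshd
    return effective


def audit(text: str) -> List[Tuple[str, str, str]]:
    """(directive, effective value, expected) for each directive that is not hardened,
    treating an unset directive as its OpenSSH default."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, allowed in EXPECTED.items():
        effective = cfg.get(key, DEFAULTS[key])
        if effective not in allowed:
            findings.append((key, effective, "/".join(sorted(allowed))))
    return findings


WEAK = """\
# Constructed example of a permissive server config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no      # ignored: sshd keeps the first occurrence above
"""

HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
Match User backup
    PasswordAuthentication yes   # conditional block, not the global setting
"""

if __name__ == "__main__":
    print(audit(WEAK))       # root login and password auth flagged
    print(audit(HARDENED))   # []
```

Run `sshd -T` on the host to dump the effective configuration rather than trusting the file alone; it resolves includes, defaults and Match logic the same way the daemon does, and its output can be fed straight into `audit`.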
Question 54:
Which type of attack captures and retransmits network traffic to gain unauthorized access or escalate privileges?
A. Replay attack
B. MITM attack
C. Phishing
D. SQL injection
Answer: A. Replay attack
Explanation:
A replay attack is a network attack where an adversary captures valid network communications and retransmits them to gain unauthorized access, impersonate a legitimate user, or escalate privileges. Replay attacks exploit the fact that authentication tokens, session keys, or encrypted messages can sometimes be reused if not protected by timestamps, sequence numbers, or cryptographic mechanisms.
Replay attacks differ from MITM attacks, which intercept and manipulate data in real-time, and phishing, which deceives users into revealing credentials voluntarily. SQL injection targets databases and does not manipulate network traffic. Replay attacks are particularly dangerous in authentication protocols, wireless networks, and financial transactions, where reusing captured packets could grant attackers access without needing passwords.
Mitigation strategies include nonces, timestamps, sequence numbers, and per-session keys, together with cryptographic protocols such as TLS, whose record layer binds an implicit sequence number into each record’s integrity check so that a captured record cannot be reinjected into the same session. Strong authentication mechanisms, like time-based one-time passwords (TOTP) and challenge-response protocols in which the server issues a fresh challenge, also reduce susceptibility. Network monitoring and intrusion detection systems can flag repeated submissions of identical packets or tokens, providing an additional defensive layer.
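The added example below (not part of the original question set) shows a request signed with a timestamp and a random nonce under a shared HMAC key, and a server-side guard that accepts it once, rejects the identical message a second time, rejects a tampered copy, and rejects a copy that arrives outside the clock-skew window. The key, payload and times are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Tuple


def sign_request(key: bytes, payload: Dict, now: int) -> Dict:
    """Client side: add a timestamp and a random nonce, then MAC the whole message
    so neither field can be stripped or altered without invalidating it."""
    msg = dict(payload, ts=int(now), nonce=os.urandom(16).hex())
    body = json.dumps(msg, sort_keys=True).encode()
    msg["mac"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    return msg


class ReplayGuard:
    """Server side: verify the MAC, reject stale timestamps, reject nonces already
    seen inside the acceptance window (the window bounds the size of the nonce cache)."""

    def __init__(self, key: bytes, max_skew: int = 30):
        self.key = key
        self.max_skew = max_skew
        self.seen: Dict[str, int] = {}     # nonce -> timestamp it arrived with

    def verify(self, received: Dict, now: int) -> Tuple[bool, str]:
        msg = dict(received)
        mac = msg.pop("mac", "")
        body = json.dumps(msg, sort_keys=True).encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False, "bad mac"                 # tampered or forged
        if abs(int(now) - msg["ts"]) > self.max_skew:
            return False, "stale timestamp"         # replayed long after capture
        # Forget nonces older than the window: anything that old fails the
        # timestamp check anyway, so the cache stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if msg["nonce"] in self.seen:
            return False, "replayed nonce"          # replayed inside the window
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "ok"


KEY = b"constructed-shared-secret"   # provisioned out of band in a real deployment

if __name__ == "__main__":
    guard = ReplayGuard(KEY)
    req = sign_request(KEY, {"action": "transfer", "amount": 100}, 1000)
    print(guard.verify(req, 1001))                       # (True, 'ok')
    print(guard.verify(req, 1002))                       # (False, 'replayed nonce')
    print(guard.verify(dict(req, amount=9999), 1003))    # (False, 'bad mac')
    print(ReplayGuard(KEY).verify(req, 1100))            # (False, 'stale timestamp')
```

Both the timestamp and the nonce are needed: the timestamp alone still allows a replay within the skew window, and the nonce alone forces the server to remember every nonce forever. The nonce cache must be shared across all server instances that accept the same key, otherwise a replay sent to a different node succeeds.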
For CAS-005, understanding replay attacks is essential under network attacks, cryptography, and secure communications. Replay attacks highlight the importance of secure protocol design, message integrity checks, encryption, and session management. Organizations should evaluate systems for vulnerability to replay attacks, implement proper cryptographic protections, and enforce secure session handling to maintain confidentiality, integrity, and availability. Awareness of replay attacks demonstrates the need for technical controls combined with procedural enforcement, ensuring attackers cannot leverage captured data to compromise enterprise networks.
Question 55:
Which type of malware can self-replicate across networks without user intervention, consuming resources and potentially delivering payloads?
A. Trojan
B. Worm
C. Rootkit
D. Adware
Answer: B. Worm
Explanation:
A worm is a type of self-replicating malware designed to spread automatically across networks by exploiting vulnerabilities in operating systems, applications, or network protocols. Unlike Trojans, which require user execution, worms operate without direct user interaction, propagating rapidly and often consuming system resources or network bandwidth.
Worms can deliver payloads, such as ransomware, spyware, or backdoors, once they infect a system. They are a major threat to availability, as uncontrolled replication can cause network congestion, system slowdowns, or outages. Examples include SQL Slammer and WannaCry, which exploited network-exposed vulnerabilities with no user action at all, and ILOVEYOU, a mass-mailing worm that still needed the recipient to open the attachment but then sent itself to every address it found; between them they infected millions of machines globally.
Worms differ from rootkits, which hide malware presence; Trojans, which rely on user action; and adware, which delivers advertisements. Detection and mitigation require patch management, intrusion detection systems (IDS), antivirus software, and network segmentation to prevent lateral movement. Early detection and containment are critical to limit worm propagation.
For CAS-005, understanding worms illustrates malware types, attack vectors, and mitigation strategies. Worms demonstrate the impact of automated propagation, vulnerability exploitation, and resource exhaustion. Defense strategies include network monitoring, timely patching, firewall restrictions, endpoint protection, and user awareness. Candidates must recognize worms as a threat to availability and integrity, understand detection and prevention methods, and implement layered security measures to protect enterprise systems.
Question 56:
Which backup type copies all selected files every time a backup is performed, allowing faster restoration but consuming more storage?
A. Incremental
B. Differential
C. Full
D. Snapshot
Answer: C. Full
Explanation:
A full backup is a backup type in which all selected files, folders, or systems are copied in their entirety every time the backup process runs. This approach ensures that a complete and consistent copy of all data exists at the time of the backup, which significantly simplifies the restoration process. In the event of data loss, system failure, or a disaster, only the latest full backup is required to restore all files to their original state. This is in contrast to incremental backups, which store only the changes made since the last backup of any type, or differential backups, which store changes made since the last full backup. While incremental and differential methods reduce storage usage and shorten backup windows, they complicate restoration because multiple backup sets must be applied sequentially.
The main disadvantage of full backups is their storage and time requirements. Each backup consumes more disk space and takes longer to complete than incremental or differential backups. However, the benefits outweigh these costs in environments where rapid recovery and minimal data loss are critical. Full backups are often combined with incremental or differential backups in hybrid strategies to balance storage efficiency, backup speed, and recovery time objectives (RTO). For example, an organization may perform a full backup weekly and incremental backups daily, providing both comprehensive data protection and storage efficiency.
Organizations must implement best practices to maximize the effectiveness of full backups. This includes regularly verifying backup integrity to ensure data can be restored accurately, encrypting backups to protect sensitive information, and maintaining offsite or offline copies to protect against ransomware attacks and physical disasters. Snapshots, while useful for quick rollbacks, are generally unsuitable for long-term archival or comprehensive disaster recovery.
In the CAS-005 exam context, understanding full backups is essential for data security, disaster recovery, and business continuity planning. Candidates must grasp how full backups impact availability, integrity, and recovery speed, and how they fit into broader backup strategies. Full backups form the cornerstone of robust data protection, ensuring that organizations can restore critical systems and maintain operations during ransomware incidents, hardware failures, or other emergencies, thereby supporting overall operational resilience.
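The storage-versus-restore trade-off above, worked through as an added example (not part of the CAS-005 question bank): the same four-day change history is backed up under each strategy, and the code reports how many file copies each one stores and which backup sets a restore of the last day needs. The file names and daily change sets are constructed sample data.

```javascript
// Added example (not part of the CAS-005 question bank): what each backup type captures,
// and which sets a restore must apply. Day 1 is a full backup under every strategy.
const CHANGES = [
  ['a.db', 'b.cfg', 'c.log', 'd.txt'], // day 1: initial state (constructed sample)
  ['b.cfg'],                           // day 2
  ['c.log'],                           // day 3
  ['a.db', 'd.txt'],                   // day 4
];

// Simulate one strategy ('full', 'incremental' or 'differential') over the change history.
function simulate(type, changes) {
  const allFiles = new Set();
  let sinceFull = new Set(); // files changed since the last full backup
  const backups = [];
  changes.forEach((changed, i) => {
    changed.forEach((f) => { allFiles.add(f); sinceFull.add(f); });
    const kind = i === 0 ? 'full' : type;
    let files;
    if (kind === 'full') { files = [...allFiles]; sinceFull = new Set(); }
    else if (kind === 'incremental') files = [...changed]; // changed since previous backup of any type
    else files = [...sinceFull];                           // changed since the last full backup
    backups.push({ day: i + 1, kind, files });
  });
  return backups;
}

// Backup sets that must be applied, in order, to restore the state as of the last day.
function restoreChain(backups) {
  const chain = [];
  for (let i = backups.length - 1; i >= 0; i--) {
    const b = backups[i];
    if (b.kind === 'full') { chain.push(b.day); break; }          // latest full ends the chain
    if (b.kind === 'incremental') chain.push(b.day);               // every incremental since the full
    if (b.kind === 'differential' && chain.length === 0) chain.push(b.day); // only the latest differential
  }
  return chain.reverse();
}

// Total file copies stored: the storage cost the question refers to.
function storageCost(backups) {
  return backups.reduce((n, b) => n + b.files.length, 0);
}
```

With this history, full backups store 16 copies but restore from one set, incrementals store 8 and need all four sets, and differentials store 11 and need two.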
Question 57:
Which type of social engineering attack leaves a physical device, such as a USB drive, to trick users into connecting it to their system?
A. Vishing
B. Phishing
C. Baiting
D. Tailgating
Answer: C. Baiting
Explanation:
Baiting is a form of social engineering attack in which an attacker deliberately leaves a physical device, such as a USB drive, CD, or other removable media, in a location where potential victims are likely to find it. The device is often labeled enticingly, for example, “Confidential Payroll Data” or “Bonus Information,” to provoke curiosity or a sense of urgency. When an unsuspecting user connects the device to their system, it can automatically execute malicious code, install malware, keyloggers, ransomware, or spyware, and provide the attacker with unauthorized access to sensitive data or control over the system. The attack exploits human behavior, particularly curiosity, trust, or the desire to access seemingly valuable information, rather than relying on technical vulnerabilities.
Baiting differs from other social engineering methods. Vishing uses telephone calls to trick individuals into revealing sensitive information, phishing employs deceptive emails or messages to achieve similar goals, and tailgating involves physically following authorized personnel into restricted areas to bypass security controls. Baiting uniquely combines the physical and digital realms, requiring organizations to manage both human behavior and endpoint security to mitigate risk effectively.
To prevent baiting, organizations should implement multiple layers of defense. User awareness training is critical, teaching employees to recognize and avoid suspicious devices. Endpoint protection solutions, including antivirus and endpoint detection and response (EDR), can detect malicious activity when a device is connected. Disabling auto-run features, controlling USB or removable media access, segmenting networks, and monitoring device usage further reduce the risk. Administrative controls, such as policies defining approved hardware, logging and auditing external device connections, and labeling trusted equipment, complement technical measures.
In CAS-005, understanding baiting emphasizes the role of human factors in security and the importance of social engineering awareness. By recognizing how attackers exploit curiosity and trust, organizations can implement policies, training, and technical safeguards that prevent malware introduction, data compromise, and unauthorized system access. Baiting attacks highlight the necessity of integrating technical, procedural, and administrative controls to protect confidentiality, integrity, and availability of critical systems and information.
Question 58:
Which security principle ensures that data is accurate and cannot be altered improperly?
A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Answer: B. Integrity
Explanation:
Integrity is a fundamental security principle and one of the three pillars of the CIA triad—confidentiality, integrity, and availability. It ensures that data remains accurate, consistent, and trustworthy, and that it cannot be modified, deleted, or corrupted except by authorized users or processes. Maintaining integrity is critical for organizations because decisions, operational processes, and regulatory compliance rely on the accuracy and reliability of information. Any compromise to integrity can lead to incorrect decision-making, financial loss, or operational disruption.
Threats to integrity can come from various sources, including malware that modifies or deletes files, insider threats where employees intentionally alter information, network-based attacks such as man-in-the-middle alterations, software bugs, human error, and even environmental factors that corrupt storage media. Because threats can be both intentional and accidental, organizations must implement multiple layers of controls to preserve data integrity. Technical measures include cryptographic hashing (such as SHA or MD5), which produces a unique fingerprint of data to detect changes, digital signatures for authentication and tamper-proofing, strong access control policies to limit who can modify data, version control systems for tracking changes, and audit logging to monitor and review alterations.
Integrity differs from confidentiality, which focuses on preventing unauthorized access, and availability, which ensures users can access systems when needed. Non-repudiation guarantees that actions cannot be denied by users, but it does not directly validate the accuracy of data itself. CAS-005 candidates must understand integrity not only as a conceptual principle but also as a practical measure, including how to implement secure transmission protocols, verification processes, change management procedures, and monitoring tools to detect tampering or errors.
Organizations often use a combination of technical, administrative, and procedural controls to protect integrity. Examples include enforcing change approval processes, regularly auditing critical data, deploying file integrity monitoring systems, and educating personnel on proper data handling. Violations of integrity can result in severe consequences such as fraud, operational disruption, financial loss, or reputational damage. By ensuring integrity, organizations maintain trust in their information systems, uphold compliance standards, and protect the reliability of operational and strategic decisions.
Question 59:
Which type of attack exploits vulnerabilities in web applications to execute scripts in a user’s browser?
A. SQL Injection
B. Cross-Site Scripting (XSS)
C. Man-in-the-Middle
D. Phishing
Answer: B. Cross-Site Scripting (XSS)
Explanation:
Cross-Site Scripting (XSS) is a prevalent web application vulnerability in which attackers inject malicious scripts into web pages that are executed by unsuspecting users’ browsers. These scripts can perform a range of malicious activities, including stealing cookies, session tokens, or sensitive information, redirecting users to malicious websites, or executing actions on behalf of the victim without their consent. XSS exploits arise primarily from insufficient input validation and improper output encoding, which allow attackers to inject and execute code within the context of a trusted website.
XSS attacks can be categorized into three main types. Stored XSS occurs when malicious scripts are permanently saved in the application’s database or backend and are served to users whenever they access the affected page. This type is particularly dangerous because it can impact multiple users over time. Reflected XSS happens when the malicious input is immediately processed by the server and reflected back to the user, typically through URLs or search forms, requiring user interaction for the attack to succeed. DOM-based XSS manipulates client-side scripts directly in the browser without interacting with the server, exploiting vulnerabilities in the web page’s Document Object Model.
XSS differs from other web-based attacks, such as SQL injection, which targets database queries to manipulate or extract data; Man-in-the-Middle (MITM) attacks, which intercept and modify network traffic; and phishing attacks, which rely on social engineering to trick users into revealing credentials. Mitigation strategies for XSS include rigorous input validation, proper output encoding, implementation of content security policies (CSP), and adoption of secure coding practices throughout the software development lifecycle. Web Application Firewalls (WAFs) can detect known attack patterns and provide an additional layer of defense.
In the context of CAS-005, understanding XSS is critical for application security, vulnerability management, and risk mitigation. Candidates must grasp how insecure coding practices expose users to attacks, the potential impact on confidentiality, integrity, and even availability, and how to implement layered defenses. Effective XSS defense combines technical controls, developer education, and ongoing security testing, emphasizing the need to protect both the web application and its users from client-side exploitation.
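The output encoding and CSP mitigations described above, as an added example that is not part of the CAS-005 question bank: a comment widget rendered once by concatenating untrusted values into markup and once with context-appropriate encoding, a test-time check that flags any tag the template did not emit, and a Content Security Policy header as the second layer. The widget, its fields, the CSP origin list and the probe strings are all constructed for illustration.

```javascript
// Added example (not part of the CAS-005 question bank): output encoding as the primary
// XSS control, showing a vulnerable renderer beside its hardened form plus a CSP header.
// The comment widget, its fields and the probe values are constructed for illustration.

// Characters that carry meaning in HTML text and quoted-attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

// Encode untrusted data for the HTML text or quoted-attribute context.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: untrusted values are concatenated into markup, so tags or attribute
// breakouts in the input are parsed by the browser (the stored/reflected case above).
function renderCommentUnsafe(author, comment) {
  return `<div class="comment" data-author="${author}"><p>${comment}</p></div>`;
}

// Hardened: every untrusted value is encoded for the context it is placed in.
function renderCommentSafe(author, comment) {
  return `<div class="comment" data-author="${escapeHtml(author)}"><p>${escapeHtml(comment)}</p></div>`;
}

// Test-time check: did any tag the template itself does not emit survive into the output?
function hasUnexpectedTags(html) {
  const expected = new Set(['div', 'p']);
  const names = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
  return names.some((n) => !expected.has(n));
}

// Second layer: a Content Security Policy that blocks inline and third-party script even if
// encoding is missed somewhere. Returns the header value; allowed script origins are a parameter.
function buildCspHeader(scriptOrigins = []) {
  const scriptSrc = ["'self'", ...scriptOrigins].join(' ');
  return `default-src 'self'; script-src ${scriptSrc}; object-src 'none'; base-uri 'self'`;
}

// Constructed probe values a tester would use: a script tag in the text context and an
// attribute breakout in the attribute context.
const PROBE_COMMENT = '<script>alert(document.cookie)</script>';
const PROBE_AUTHOR = '" onmouseover="alert(1)';
```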
Question 60:
Which type of disaster recovery strategy involves maintaining a fully operational backup site ready to take over immediately in case of failure?
A. Hot site
B. Warm site
C. Cold site
D. Snapshot site
Answer: A. Hot site
Explanation:
A hot site is a comprehensive disaster recovery strategy in which an organization maintains a fully operational backup facility that mirrors the primary site in terms of hardware, software, network connectivity, and data. The key advantage of a hot site is its ability to take over operations almost immediately after a primary site failure, minimizing downtime and ensuring business continuity. This is particularly critical for organizations that rely on continuous availability, such as financial institutions, healthcare providers, e-commerce platforms, and other services with low tolerance for disruption.
Hot sites differ from other disaster recovery options. Warm sites provide pre-installed infrastructure and connectivity but often require additional configuration, data restoration, or software deployment before they can become fully operational. Cold sites, in contrast, offer only physical space and utilities, meaning hardware, software, and data must be installed or restored before operations can resume, resulting in longer recovery times. Snapshots are useful for rapid data restoration but do not provide a complete operational environment capable of running applications and supporting users in real time.
Implementing a hot site requires meticulous planning and investment. Real-time data replication ensures that all critical systems and files are synchronized between the primary and backup sites. Network connectivity, application synchronization, and hardware redundancy must be maintained to prevent service interruptions. Regular testing and validation of the hot site are essential to confirm that failover procedures work correctly, systems operate as expected, and staff are familiar with the recovery process.
In CAS-005, understanding hot sites highlights the importance of disaster recovery planning, business continuity, and high-availability strategies. Hot sites ensure that availability, a key pillar of the CIA triad, is maintained even during catastrophic events. They also support integrity by maintaining synchronized and up-to-date data, and operational resilience by allowing seamless failover. When combined with strong backup policies, incident response plans, and failover procedures, hot sites help organizations reduce risk, protect critical assets, and maintain uninterrupted operations during emergencies.