CompTIA CAS-005 SecurityX Exam Dumps and Practice Test Questions Set 6 Q101-120


Question 101:

An organization wants to prevent users from installing unauthorized software on corporate devices. Which security control is most appropriate?

A. Technical control
B. Administrative control
C. Physical control
D. Detective control

Answer: A. Technical control

Explanation:

Technical control: Technical controls are security mechanisms implemented through hardware or software that enforce policies automatically. In this case, using endpoint protection solutions, application whitelisting, or software restriction policies prevents users from installing unauthorized programs. Technical controls reduce human error because enforcement is automated, ensuring that only approved applications can execute. For example, Group Policy Objects (GPOs) in Windows can prevent users from installing EXE files outside specific directories, while macOS and Linux systems can use similar device management tools. In CAS-005, understanding technical controls emphasizes the importance of proactive enforcement rather than relying solely on user compliance. Technical controls also provide audit logs and reporting for compliance, making them essential for regulatory adherence.

Administrative control: Administrative controls involve policies, guidelines, and procedures, such as defining acceptable use policies or software installation policies. While administrative policies communicate rules to users and set expectations, they cannot physically prevent unauthorized software installation. They depend on human compliance and awareness. Without accompanying technical enforcement, a user could ignore the policy and install unauthorized software, rendering administrative control alone insufficient. CAS-005 emphasizes that administrative controls are part of a layered security strategy but must be complemented by technical measures to ensure effective enforcement.

Physical control: Physical controls protect physical assets like servers, workstations, and network infrastructure through locks, security cameras, access cards, and secure facilities. While securing hardware is critical to preventing theft or tampering, physical controls do not regulate software execution or installation. For instance, even if a workstation is physically secure, users with local access could still install unauthorized applications if no technical restrictions are enforced.

Detective control: Detective controls monitor and alert administrators to potential security incidents. Examples include intrusion detection systems, antivirus alerts, and system logs. While these controls can identify unauthorized software after installation, they do not prevent the activity. In this scenario, detective controls may help identify violations, but they are reactive rather than proactive. CAS-005 stresses the difference between preventive (technical), detective, and corrective controls, highlighting that prevention is crucial for software control.

Question 102:

Which type of malware allows an attacker to remotely control an infected system without the user’s knowledge?

A. Worm
B. Trojan
C. Rootkit
D. RAT

Answer: D. RAT

Explanation:

Worm: Worms are self-replicating malware designed to propagate across networks without user interaction. While they can carry payloads, worms typically do not provide the attacker with direct remote control over a system. Their purpose is primarily fast spread, often exploiting network vulnerabilities. Examples include the WannaCry and Conficker worms. CAS-005 candidates should distinguish between propagation-focused malware and malware designed for persistent access or control.

Trojan: Trojans are malicious programs disguised as legitimate software. They rely on user execution to infect a system. Trojans may deliver payloads such as keyloggers, ransomware, or remote access tools. However, not all Trojans include remote control functionality; some are limited to stealing files or corrupting systems. Understanding Trojans is critical for CAS-005 because they demonstrate the importance of user awareness and email or download filtering.

Rootkit: Rootkits are malware designed to conceal the presence of other malicious software and maintain persistent privileged access to a system. While rootkits facilitate stealth, they do not inherently provide remote access by themselves. Rootkits are often combined with other malware, such as RATs, to maintain hidden control. CAS-005 emphasizes that rootkits are a supporting component of advanced attacks rather than a standalone remote control tool.

RAT (Remote Access Trojan): RATs are a type of malware specifically designed to provide attackers with complete remote control of the infected system. This includes access to files, command execution, webcam/microphone control, and network manipulation. RATs often operate silently to avoid detection, making them particularly dangerous in enterprise environments. CAS-005 candidates should understand RAT behavior, including methods of propagation (email attachments, downloads), stealth techniques (rootkit integration, encryption), and mitigation strategies such as endpoint monitoring, patching, multi-factor authentication, and network segmentation.

Question 103:

Which security principle ensures that a user cannot deny having performed an action on a system?

A. Confidentiality
B. Integrity
C. Non-repudiation
D. Availability

Answer: C. Non-repudiation

Explanation:

Confidentiality: Confidentiality ensures that sensitive information is only accessible to authorized individuals. While critical for security, confidentiality does not provide proof that a specific user performed an action or prevent denial of that action. Techniques like encryption protect data but do not track user activity or accountability. CAS-005 stresses understanding the difference between data privacy and user accountability.

Integrity: Integrity ensures that data remains accurate and unaltered except by authorized individuals or processes. Integrity controls detect unauthorized modification but do not prove which user performed an action. For example, a hash can detect changes to a file but cannot identify who made them. CAS-005 highlights that integrity and non-repudiation complement each other, but integrity alone cannot prevent denial of action.

Non-repudiation: Non-repudiation provides assurance that a user cannot deny performing a specific action. This is achieved through digital signatures, secure logging, and cryptographic verification. Digital certificates, public key infrastructure (PKI), and tamper-proof logs are examples used in enterprise systems to enforce accountability. Non-repudiation is critical in auditing, legal compliance, and incident investigation. CAS-005 candidates must understand how to implement non-repudiation measures alongside integrity and confidentiality to maintain a complete security posture.

Availability: Availability ensures systems, applications, and data remain accessible to authorized users when needed. While essential for operations, availability does not verify user actions or prevent denial. Systems can be highly available yet lack accountability if non-repudiation controls are absent. CAS-005 emphasizes balancing the CIA triad—confidentiality, integrity, and availability—while implementing supporting mechanisms like non-repudiation.

Question 104:

Which type of attack manipulates the Domain Name System to redirect users to malicious websites?

A. Phishing
B. DNS Spoofing
C. ARP Poisoning
D. Man-in-the-Middle

Answer: B. DNS Spoofing

Explanation:

Phishing: Phishing attacks manipulate users through deceptive messages (emails, websites) to reveal credentials or sensitive information. Phishing relies on social engineering and does not require altering DNS infrastructure. CAS-005 candidates must differentiate between user-focused attacks (phishing) and technical network manipulation (DNS attacks).

DNS Spoofing: DNS spoofing corrupts the resolution process of domain names to IP addresses, redirecting users to malicious servers. Attackers may modify DNS cache entries or respond with falsified DNS responses. This can lead to credential theft, malware infection, or MITM attacks. DNS spoofing demonstrates the importance of DNSSEC, secure caching, and monitoring DNS traffic in enterprise networks. CAS-005 emphasizes DNS attack vectors and mitigation strategies including integrity verification and network segmentation.

ARP Poisoning: ARP poisoning manipulates local network address mappings, linking an attacker’s MAC address to the IP of another host. While ARP poisoning is effective for LAN-level interception, it does not manipulate domain name resolution like DNS spoofing. CAS-005 highlights ARP poisoning in the context of local network threats and MITM scenarios.

Man-in-the-Middle: MITM attacks intercept or alter communication between two parties. DNS spoofing can facilitate MITM attacks, but MITM is a broader category, including HTTPS interception, ARP poisoning, and session hijacking. CAS-005 candidates must understand the relationships among DNS spoofing, MITM, and other attack vectors.

Question 105:

Which type of cloud deployment model allows an organization to use both private and public cloud resources?

A. Public cloud
B. Private cloud
C. Hybrid cloud
D. Community cloud

Answer: C. Hybrid cloud

Explanation:

Public cloud: Public clouds are fully managed by third-party providers such as AWS, Azure, or Google Cloud. Resources are shared among multiple organizations, offering scalability and cost-efficiency. However, sensitive data may be exposed to multi-tenancy risks. Public cloud is ideal for non-sensitive workloads but does not address the need for private control in hybrid scenarios. CAS-005 candidates must evaluate trade-offs between cost, scalability, and data sensitivity.

Private cloud: Private clouds are dedicated to a single organization, providing full control over security, compliance, and customization. Private clouds may be hosted on-premises or by third-party providers. While offering maximum security, private clouds may lack the elasticity and cost benefits of public cloud resources, making them less scalable for variable workloads. CAS-005 emphasizes private clouds for regulatory compliance and handling sensitive data.

Hybrid cloud: Hybrid clouds combine private and public cloud resources, offering the flexibility to host critical data and workloads privately while utilizing public cloud for high-demand or non-sensitive services. Security strategies in hybrid environments require consistent identity and access management, network segmentation, encryption, and monitoring across both clouds. CAS-005 candidates must understand hybrid cloud architecture, benefits, and risks, including data movement, compliance, and integration complexities.

Community cloud: Community clouds are shared among organizations with common regulatory or operational requirements, providing some security and collaboration benefits. Unlike hybrid clouds, community clouds do not integrate private and public resources dynamically. CAS-005 highlights community clouds for collaboration but notes they are less flexible for balancing security and scalability compared to hybrid models.

Question 106:

Which type of authentication method verifies identity using inherent physical characteristics of a user, such as fingerprints or retina scans?

A. Knowledge factor
B. Possession factor
C. Inherence factor
D. Location factor

Answer: C. Inherence factor

Explanation:

Knowledge factor: Knowledge factors rely on information that the user knows, such as passwords, PINs, or answers to security questions. They are easy to implement but vulnerable to guessing, social engineering, or credential theft. In CAS-005, candidates must understand that while knowledge factors are widely used, relying solely on them is insecure because compromised passwords can allow attackers full access. Knowledge factors are often combined with possession or inherence factors in multi-factor authentication to enhance security.

Possession factor: Possession factors require the user to have a physical object, such as a smart card, security token, or mobile authenticator. These factors provide an additional layer of security by proving the user has something in their control. However, possession factors alone do not verify the identity inherently, because the object can be stolen or duplicated. In CAS-005, candidates are taught that combining possession factors with inherence factors significantly strengthens authentication.

Inherence factor: Inherence factors are based on who the user is rather than what they know or have. Biometrics such as fingerprints, iris scans, facial recognition, and voice patterns provide a unique, non-transferable method of verifying identity. CAS-005 emphasizes inherence factors as critical for high-security environments because they are difficult to replicate or share. However, implementing inherence factors requires attention to privacy, false positives, false negatives, and secure storage of biometric templates. Combining inherence with knowledge and possession factors creates strong multi-factor authentication, which is a key objective in CAS-005.

Location factor: Location-based authentication uses geographic information, network location, or IP address to supplement identity verification. While this factor adds security by limiting access to authorized locations, it does not inherently identify a user. Location factors are typically part of risk-based or adaptive authentication. CAS-005 teaches candidates to integrate location awareness with other factors but not as a primary authentication method.

Question 107:

Which type of malware is designed to replicate itself across systems without user interaction?

A. Trojan
B. Worm
C. Rootkit
D. Spyware

Answer: B. Worm

Explanation:

Trojan: Trojans disguise themselves as legitimate applications and rely on users to execute them. While they can deliver payloads, they are not self-replicating. CAS-005 emphasizes recognizing Trojan delivery mechanisms such as email attachments or malicious downloads, and understanding their reliance on social engineering.

Worm: Worms are self-replicating malware that propagate across networks autonomously. They exploit vulnerabilities to spread without user intervention, consuming bandwidth and resources. Examples include WannaCry and Blaster. CAS-005 teaches candidates to differentiate worms from Trojans, highlighting the importance of patch management, network segmentation, and intrusion detection to mitigate worm outbreaks. Worms pose threats to availability and can carry additional payloads such as ransomware, increasing their impact.

Rootkit: Rootkits are designed to hide malware and maintain persistent access on a system. They do not self-replicate, although they can facilitate stealthy propagation when combined with worms or Trojans. CAS-005 focuses on rootkit detection techniques like integrity monitoring, behavioral analysis, and trusted boot processes.

Spyware: Spyware collects data from users, such as browsing activity, credentials, or system information, often without consent. It may be delivered via Trojans but does not self-replicate across networks. CAS-005 highlights spyware as a confidentiality risk, emphasizing endpoint protection and user awareness as preventive measures.

Question 108:

Which network security device is capable of inspecting incoming and outgoing packets and enforcing rules based on content and context at multiple OSI layers?

A. Packet-filtering firewall
B. Stateful firewall
C. Next-Generation Firewall (NGFW)
D. Intrusion Detection System (IDS)

Answer: C. Next-Generation Firewall (NGFW)

Explanation:

Packet-filtering firewall: Operates at OSI Layer 3, examining headers for source/destination IP and port. Simple and fast but cannot inspect payload or enforce application-level rules. CAS-005 emphasizes its limitations against modern threats like SQL injection or malware embedded in HTTP traffic.

Stateful firewall: Tracks session state at Layer 4, allowing return traffic only if a session is legitimate. While more secure than packet filtering, it still cannot deeply inspect application payloads or identify advanced threats. CAS-005 teaches that stateful firewalls are foundational but insufficient against modern application-layer attacks.

Next-Generation Firewall (NGFW): Integrates Layer 3–7 inspection, intrusion prevention, application awareness, and threat intelligence. NGFWs can enforce granular policies based on user identity, application type, or content patterns. CAS-005 covers NGFW capabilities extensively, showing how they combine traditional firewall functions with advanced security intelligence. NGFWs help protect against zero-day exploits, malware, and application-layer attacks while supporting logging, monitoring, and compliance reporting.

Intrusion Detection System (IDS): IDS monitors traffic for known attack signatures or anomalies but does not block traffic by default. It is a detective control rather than a preventive control. CAS-005 emphasizes the complementary use of IDS with firewalls, NGFWs, and IPS to achieve layered security.

Question 109:

Which security principle ensures that critical tasks are divided among multiple users to prevent fraud or errors?

A. Principle of least privilege
B. Separation of duties
C. Defense in depth
D. Mandatory access control

Answer: B. Separation of duties

Explanation:

Principle of least privilege: This principle limits users’ access to only what is necessary to perform their job functions. While least privilege reduces the attack surface and limits potential misuse of systems, it does not inherently divide tasks among multiple users. CAS-005 emphasizes least privilege in access control and identity management but distinguishes it from separation of duties, which focuses on distributing responsibility to prevent fraud and operational errors. Implementing least privilege involves assigning granular permissions, integrating role-based access controls, and reviewing access periodically. While it complements separation of duties, it alone cannot prevent collusion or single-user abuse of critical functions.

Separation of duties: Separation of duties is a foundational administrative control that divides critical processes among multiple individuals. For example, in financial operations, the person authorizing a payment should not also be responsible for processing it. This prevents a single user from executing fraudulent activities undetected. CAS-005 stresses separation of duties in risk management, auditing, and internal controls. It helps maintain accountability, improve oversight, and reduce the likelihood of insider threats. Implementation includes clearly defining roles, assigning complementary responsibilities, monitoring workflows, and performing audits to ensure adherence. Separation of duties also integrates with technical controls by limiting system privileges and enforcing workflow approvals. By distributing tasks, organizations protect confidentiality, integrity, and availability of critical processes while reducing operational risk.

Defense in depth: Defense in depth involves layering multiple security controls—technical, administrative, and physical—to protect assets. While it strengthens overall security posture, it is not specifically about dividing responsibilities. CAS-005 candidates must understand that defense in depth complements separation of duties by providing multiple barriers against attack but does not replace procedural controls designed to prevent fraud or errors. Examples include combining access control, firewalls, encryption, monitoring, and training to reduce overall risk.

Mandatory access control (MAC): MAC enforces strict access based on security labels and classifications, such as Confidential or Top Secret. Users cannot alter access permissions. While MAC is critical in government or high-security environments, it governs access rights rather than distributing responsibilities for processes. CAS-005 highlights MAC as a technical control to protect sensitive information but distinguishes it from administrative principles like separation of duties that focus on process-level risk mitigation.

Question 110:

Which type of attack involves inserting malicious code into a web application to manipulate backend databases?

A. SQL Injection
B. Cross-Site Scripting (XSS)
C. Cross-Site Request Forgery (CSRF)
D. Command Injection

Answer: A. SQL Injection

Explanation:

SQL Injection: SQL injection targets vulnerabilities in web application input fields by sending malicious SQL queries to manipulate the backend database. This can allow attackers to read, modify, or delete data, bypass authentication, or escalate privileges. CAS-005 emphasizes SQL injection as a critical application-level threat that undermines confidentiality, integrity, and availability. Mitigation strategies include input validation, parameterized queries, stored procedures, and web application firewalls. Understanding SQL injection helps candidates assess risks, secure applications, and implement defense-in-depth strategies for data protection.

Cross-Site Scripting (XSS): XSS attacks inject scripts into web pages that execute in users’ browsers. XSS primarily targets end users, stealing session cookies or performing actions on their behalf. Unlike SQL injection, XSS manipulates the client side rather than the backend database. CAS-005 candidates must understand XSS to protect user data and prevent account compromise. Mitigation includes content encoding, sanitization, and CSP policies.

Cross-Site Request Forgery (CSRF): CSRF exploits authenticated users by sending unauthorized requests without their knowledge. It targets trust between users and the application but does not directly manipulate backend databases like SQL injection. CAS-005 emphasizes CSRF mitigation through anti-CSRF tokens, same-site cookie attributes, and session management.

Command Injection: Command injection occurs when attackers execute system-level commands through vulnerable applications. While it affects system integrity and potentially data, it targets the underlying OS rather than SQL databases. CAS-005 covers command injection under secure coding practices, emphasizing input validation and privilege restriction.
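To make the SQL injection mitigation concrete, here is an added example (not from the original page) that places a string-concatenated login query beside the parameterized version the explanation recommends, using an in-memory SQLite table with constructed sample rows. The `users` table, the `compare` helper and the demo credentials are assumptions for illustration; a real application would store password hashes, not plaintext.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample table (not from the original page).
    # Plaintext passwords are used only to keep the demo short.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Input is concatenated into the SQL text, so a quote character in the
    # input changes the structure of the query instead of staying data.
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Placeholders bind the input as values; the query structure is fixed
    # before any user data is seen, which is the mitigation the page names.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def compare(conn, username, password):
    # Returns (vulnerable_result, parameterized_result) for the same input.
    # A mismatch means the concatenated query's logic was altered by the input.
    return (login_vulnerable(conn, username, password),
            login_parameterized(conn, username, password))


if __name__ == "__main__":
    db = make_db()
    print(compare(db, "alice", "s3cret"))       # both accept a valid login
    print(compare(db, "alice", "wrong"))        # both reject a bad password
    print(compare(db, "", "' OR '1'='1"))       # only the concatenated query is fooled
```

Running the same inputs through both functions is a useful regression check when migrating legacy queries to parameterized statements.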

Question 111:

Which type of cloud service model provides virtualized infrastructure, allowing organizations to deploy and manage applications without managing underlying hardware?

A. Software as a Service (SaaS)
B. Platform as a Service (PaaS)
C. Infrastructure as a Service (IaaS)
D. Function as a Service (FaaS)

Answer: B. Platform as a Service (PaaS)

Explanation:

Software as a Service (SaaS): SaaS delivers fully managed applications over the internet. Users access software without managing infrastructure or platform. CAS-005 candidates must distinguish SaaS as a service model where the provider handles everything, unlike PaaS, which provides more control over application development environments. Examples include Office 365 or Google Workspace.

Platform as a Service (PaaS): PaaS provides virtualized platforms including OS, middleware, runtime, and development tools, enabling organizations to deploy and manage applications without worrying about underlying hardware. CAS-005 emphasizes PaaS for its balance of control, scalability, and security responsibilities. Security considerations include application-level patching, access management, and monitoring within the platform. Examples include Microsoft Azure App Services or Google App Engine.

Infrastructure as a Service (IaaS): IaaS provides virtualized computing resources—servers, storage, networking—but requires customers to manage OS, middleware, and applications. CAS-005 highlights IaaS as more flexible but with greater responsibility for security configuration compared to PaaS. Examples include AWS EC2 or Google Compute Engine.

Function as a Service (FaaS): FaaS, or serverless computing, executes code in response to events without managing servers. CAS-005 candidates must understand FaaS is highly abstracted, ideal for event-driven workloads, but different from PaaS as developers do not control runtime or platform configuration. Examples include AWS Lambda or Azure Functions.

Question 112:

Which type of backup captures only data that has changed since the last full backup, reducing storage requirements but requiring multiple backups for restoration?

A. Full backup
B. Incremental backup
C. Differential backup
D. Snapshot backup

Answer: B. Incremental backup

Explanation:

Full backup: Copies all selected data every time, which makes restoration simple but is storage-intensive. CAS-005 emphasizes full backups as the disaster recovery baseline.

Incremental backup: Captures only changed data since the last backup of any type, reducing storage but requiring the last full backup plus all subsequent incrementals for restoration. CAS-005 emphasizes incremental backups for optimizing storage and recovery time. Proper testing ensures data integrity.

Differential backup: Captures changes since the last full backup. Restoration requires only the full and latest differential backup, balancing speed and storage. CAS-005 teaches candidates to differentiate differential from incremental to plan recovery strategies.

Snapshot backup: Captures system state at a point in time, often used for quick rollback or virtualization, not for long-term archival. CAS-005 includes snapshots in recovery planning but emphasizes their limitations versus traditional backups.
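The restoration rules stated above for incremental and differential backups can be checked with a small simulation. This is an added example, not part of the original page: the change history, file names and the `take_backups` / `restore_chain` helpers are constructed for illustration, and the model assumes a schedule that starts with a full backup and then uses only one of the two strategies.

```python
# Constructed sample change history: day -> files modified that day.
CHANGES = {
    1: {"a.txt": "a1", "b.txt": "b1", "c.txt": "c1"},
    2: {"a.txt": "a2"},
    3: {"b.txt": "b3"},
    4: {"a.txt": "a4", "c.txt": "c4"},
}


def state_as_of(day):
    """Full file set as it existed at the end of the given day."""
    state = {}
    for d in sorted(CHANGES):
        if d <= day:
            state.update(CHANGES[d])
    return state


def changes_between(after_day, upto_day):
    """Files modified on days in the interval (after_day, upto_day]."""
    delta = {}
    for d in sorted(CHANGES):
        if after_day < d <= upto_day:
            delta.update(CHANGES[d])
    return delta


def take_backups(schedule):
    """schedule: list of (day, kind). Returns list of (day, kind, captured_files).

    full         -> everything as of that day
    incremental  -> changes since the previous backup of any type
    differential -> changes since the last full backup
    """
    backups, last_full_day, last_any_day = [], None, None
    for day, kind in schedule:
        if kind == "full":
            data = state_as_of(day)
            last_full_day = day
        elif last_full_day is None:
            raise ValueError("schedule must begin with a full backup")
        elif kind == "incremental":
            data = changes_between(last_any_day, day)
        elif kind == "differential":
            data = changes_between(last_full_day, day)
        else:
            raise ValueError("unknown backup kind: %s" % kind)
        backups.append((day, kind, data))
        last_any_day = day
    return backups


def restore_chain(backups, target_day):
    """Backups (oldest first) needed to rebuild the state as of target_day."""
    history = [b for b in backups if b[0] <= target_day]
    full_positions = [i for i, b in enumerate(history) if b[1] == "full"]
    if not full_positions:
        raise ValueError("no full backup on or before day %d" % target_day)
    i = full_positions[-1]
    chain, later = [history[i]], history[i + 1:]
    kinds = {b[1] for b in later}
    if kinds == {"incremental"}:
        chain += later                 # every incremental after the full is required
    elif kinds == {"differential"}:
        chain.append(later[-1])        # only the latest differential is required
    elif kinds:
        raise ValueError("mixed incremental/differential chains are not modelled")
    return chain


def restore(chain):
    """Apply the chain in order; later backups overwrite earlier versions."""
    state = {}
    for _, _, data in chain:
        state.update(data)
    return state


if __name__ == "__main__":
    inc = take_backups([(1, "full"), (2, "incremental"), (3, "incremental"), (4, "incremental")])
    diff = take_backups([(1, "full"), (2, "differential"), (3, "differential"), (4, "differential")])
    print(len(restore_chain(inc, 4)), "backups needed for incremental restore")
    print(len(restore_chain(diff, 4)), "backups needed for differential restore")
    print(restore(restore_chain(inc, 4)) == state_as_of(4))
```

Comparing the captured sizes on day 4 shows the storage trade-off: the day-4 incremental holds two files while the day-4 differential holds three.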

Question 113:

Which network attack intercepts communications between two parties to steal, modify, or manipulate transmitted data?

A. Man-in-the-Middle (MITM)
B. ARP Poisoning
C. DNS Spoofing
D. Replay Attack

Answer: A. Man-in-the-Middle (MITM)

Explanation:

MITM: Attacker intercepts communications to eavesdrop, inject malicious content, or impersonate parties. CAS-005 emphasizes securing communications using TLS, VPNs, and certificate validation.

ARP Poisoning: Manipulates LAN traffic mapping to perform MITM locally, but scope is limited to the subnet. CAS-005 covers mitigation via dynamic ARP inspection and static entries.

DNS Spoofing: Redirects users to malicious IPs, facilitating MITM indirectly but focuses on DNS resolution rather than direct session interception.

Replay Attack: Captures valid messages to retransmit them for unauthorized actions; CAS-005 highlights the use of timestamps, nonces, and session tokens for mitigation.
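The replay mitigation named above (timestamps and nonces) can be shown on the receiving side. This is an added example, not code from the original page: messages are authenticated with an HMAC over a shared key (a constructed demo key), the verifier rejects anything outside a freshness window, and a bounded nonce cache rejects a second delivery of a message that was already accepted. The `ReplayGuard` class, the message format and the 30-second window are assumptions for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-shared-key"   # constructed for the demo, not a real secret
WINDOW_SECONDS = 30                     # assumed freshness window


def _mac(key, ts, nonce, body):
    # The MAC covers timestamp, nonce and body so none of them can be altered
    # without detection; the nonce is what makes each message single-use.
    data = "%d|%s|%s" % (ts, nonce, body)
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


def sign_message(key, ts, nonce, body):
    """Sender side: build an authenticated message carrying its own ts and nonce."""
    return {"ts": ts, "nonce": nonce, "body": body, "mac": _mac(key, ts, nonce, body)}


class ReplayGuard:
    """Receiver side: accept each authentic, fresh message at most once."""

    def __init__(self, key, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}   # nonce -> message timestamp, for nonces still inside the window

    def verify(self, msg, now):
        # 1. Authenticity first, so unauthenticated input cannot pollute the cache.
        expected = _mac(self.key, msg["ts"], msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad-mac"
        # 2. Freshness: a message outside the window is rejected regardless of nonce.
        if abs(now - msg["ts"]) > self.window:
            return "stale"
        # 3. Drop nonces whose messages would now be stale anyway; this bounds the cache.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.window}
        # 4. Single use: the same nonce inside the window is a replay.
        if msg["nonce"] in self.seen:
            return "replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return "ok"


if __name__ == "__main__":
    guard = ReplayGuard(KEY)
    msg = sign_message(KEY, 1000, "n1", "transfer 10")
    print(guard.verify(msg, 1005))   # ok
    print(guard.verify(msg, 1010))   # replay
    print(guard.verify(msg, 1100))   # stale
```

Session tokens, the third mitigation the explanation lists, would typically be included in the MAC input alongside the nonce so a captured message cannot be reused in another session either.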

Question 114:

Which security measure requires users to provide two or more independent credentials to verify their identity?

A. Single-factor authentication
B. Multi-factor authentication
C. Role-based access control
D. Biometric authentication

Answer: B. Multi-factor authentication

Explanation:

Single-factor authentication: Single-factor authentication relies on only one type of credential, such as a password or PIN. CAS-005 candidates must understand that this form of authentication provides a minimal layer of security and is highly vulnerable to phishing, brute force attacks, or credential compromise. Single-factor systems are insufficient for protecting sensitive resources in modern enterprise environments, particularly with remote access and cloud integrations. While easier for users, single-factor authentication does not provide the layered security required to mitigate modern threat vectors. Administrative controls may enforce password policies, but without additional factors, single-factor authentication cannot fully satisfy security objectives.

Multi-factor authentication (MFA): MFA enhances security by requiring two or more independent authentication factors. These factors generally fall into three categories: something the user knows (password), something the user has (smart card, token), and something the user is (biometric). CAS-005 emphasizes MFA as a critical control to protect accounts, particularly for high-privilege users or remote access scenarios. MFA mitigates the risk of compromised credentials, strengthens identity verification, and supports regulatory compliance such as PCI-DSS or HIPAA. Implementation of MFA requires secure token issuance, biometric data protection, integration with single sign-on systems, and proper logging for audit purposes. MFA contributes directly to confidentiality and integrity by ensuring that only authorized users can access sensitive systems and data. It also supports accountability, as actions can be tied to a verified user. Proper deployment requires balancing security, usability, and operational impact.

Role-based access control (RBAC): RBAC assigns permissions based on roles rather than individual users. While RBAC helps enforce least privilege and manage access efficiently, it is not an authentication mechanism. CAS-005 candidates must distinguish between access control models like RBAC and authentication methods like MFA. RBAC can complement MFA by ensuring that only properly authenticated users gain access to role-specific resources.

Biometric authentication: Biometric authentication relies on unique physical or behavioral traits, such as fingerprints, facial recognition, or iris scans. While this provides a strong inherence factor, biometrics alone do not constitute MFA unless combined with an additional factor, such as a password or token. CAS-005 highlights biometrics as part of layered security but notes that alone they cannot fully mitigate risks associated with credential compromise, spoofing, or system misconfiguration.

Question 115:

Which type of security control monitors systems and networks to detect unauthorized activity or policy violations?

A. Technical control
B. Administrative control
C. Detective control
D. Preventive control

Answer: C. Detective control

Explanation:

Technical control: Technical controls involve automated systems like firewalls, intrusion prevention, or encryption to enforce security policies. CAS-005 emphasizes technical controls for preventing unauthorized actions, but they are not primarily designed to detect ongoing activity.

Administrative control: Administrative controls involve policies, procedures, and guidelines, such as security awareness training, change management, and incident response policies. While they support detection indirectly, they do not provide real-time monitoring or alerts.

Detective control: Detective controls actively monitor systems and networks to identify suspicious or unauthorized activity. Examples include intrusion detection systems (IDS), log monitoring, security information and event management (SIEM) systems, and audit trails. CAS-005 stresses that detective controls complement preventive controls by providing visibility into attempted or successful security violations. They allow organizations to respond quickly, investigate incidents, and adjust security policies. Detective controls maintain accountability, support regulatory compliance, and contribute to forensic analysis and incident response planning.

Preventive control: Preventive controls aim to stop security incidents before they occur, such as access controls, encryption, and firewalls. CAS-005 differentiates preventive from detective controls by emphasizing that prevention seeks to block unauthorized actions, while detection identifies and alerts on incidents that occur despite preventive measures.

Question 116:

Which type of malware disguises itself as legitimate software to trick users into executing it?

A. Virus
B. Trojan
C. Worm
D. Rootkit

Answer: B. Trojan

Explanation:

Virus: Viruses attach to files and require user execution to propagate. CAS-005 candidates must understand viruses as self-replicating programs that infect systems, but they often exhibit overt symptoms.

Trojan: Trojans appear to be legitimate programs but deliver malicious payloads when executed. CAS-005 highlights Trojans for their social engineering aspect, stealth, and capability to install additional malware, exfiltrate data, or provide remote access. Unlike viruses, Trojans do not self-replicate. Detection requires antivirus solutions, user training, and endpoint monitoring. Trojans can undermine confidentiality, integrity, and availability.

Worm: Worms self-replicate and spread across networks without user action. CAS-005 differentiates worms from Trojans by their propagation method and network-based impact.

Rootkit: Rootkits hide malware or malicious activity to maintain persistence. While they enable stealth, they are not inherently disguises for initial execution like Trojans. CAS-005 emphasizes rootkits in persistence and privilege escalation contexts.

Question 117:

Which authentication method relies on physical or behavioral traits unique to an individual?

A. Knowledge factor
B. Possession factor
C. Inherence factor
D. Location factor

Answer: C. Inherence factor

Explanation:

Knowledge factor: Relies on something the user knows, like passwords or PINs. Vulnerable to theft, phishing, and guessing. CAS-005 emphasizes knowledge factors in MFA frameworks but notes limitations in isolation.

Possession factor: Requires something the user has, such as smart cards or tokens. Provides a physical barrier but can be lost or stolen. CAS-005 highlights management and issuance considerations.

Inherence factor: Uses biometric or behavioral traits, such as fingerprints, iris scans, or typing patterns. CAS-005 emphasizes inherence factors for identity verification, their role in MFA, and considerations for template storage, encryption, and privacy compliance. Biometrics mitigate risks from password compromise but require fallback mechanisms in case of sensor failure or spoofing attempts.

Location factor: Verifies identity based on geolocation or network origin. Enhances security but is secondary to primary authentication factors. CAS-005 recommends combining location checks with MFA for high-risk operations.

Question 118:

Which type of firewall inspects network packets and can make decisions based on IP addresses and ports?

A. Packet-filtering firewall
B. Stateful firewall
C. Application-layer firewall
D. Next-generation firewall

Answer: A. Packet-filtering firewall

Explanation:

Packet-filtering firewall: Examines headers of individual packets, filtering based on IP addresses, ports, and protocols. CAS-005 emphasizes their role as foundational controls for perimeter security. While efficient, they lack context for session state or content inspection, making them vulnerable to sophisticated attacks.

Stateful firewall: Tracks session state, allowing return traffic while monitoring connections. CAS-005 teaches the advantage of stateful over simple packet-filtering for TCP-based protocols.

Application-layer firewall: Examines payload content for malicious patterns, blocking threats at Layer 7. CAS-005 emphasizes protection against SQL injection, XSS, and protocol-specific attacks.

Next-generation firewall (NGFW): Combines stateful, application-layer inspection, intrusion prevention, and advanced features. CAS-005 highlights NGFWs as integrated solutions for modern threats.
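The following is an added example (not from the CAS-005 material) that shows the packet-filtering versus stateful distinction in code: a toy rule engine that decides on source/destination address and destination port only, beside a stateful wrapper that tracks connections. Packets, networks and rules are all constructed here, and the class and function names are my own.

```python
"""Added example: stateless packet filtering versus stateful connection tracking."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK marks a new connection attempt
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src_net: str
    dst_net: str
    dport_range: tuple   # inclusive (low, high)

    def matches(self, pkt):
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and self.dport_range[0] <= pkt.dport <= self.dport_range[1])


def stateless_filter(rules, pkt):
    """Packet-filtering firewall: headers only, first matching rule wins, default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "allow"
    return False


class StatefulFirewall:
    """Applies the rule set only to new connections; return traffic is allowed
    solely because a matching outbound connection was seen earlier."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()   # established 4-tuples (src, sport, dst, dport)

    def filter(self, pkt):
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.table:
            return True      # reply to a tracked connection
        if pkt.syn and not pkt.ack and stateless_filter(self.rules, pkt):
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False         # unsolicited, or not permitted by policy


# Policy: internal hosts may open HTTPS connections outbound.
OUTBOUND_ONLY = [Rule("allow", "10.0.0.0/8", "0.0.0.0/0", (443, 443))]
# A stateless filter has no notion of "reply", so to let answers back in it
# must also open every ephemeral port on the inside to any source.
STATELESS_RULES = OUTBOUND_ONLY + [Rule("allow", "0.0.0.0/0", "10.0.0.0/8", (1024, 65535))]

# Constructed traffic: a request, its legitimate reply, and an unrelated inbound packet.
request = Packet("10.0.0.5", 51000, "192.0.2.10", 443, syn=True)
reply = Packet("192.0.2.10", 443, "10.0.0.5", 51000, ack=True)
unsolicited = Packet("198.51.100.9", 443, "10.0.0.5", 51000, syn=True)


def compare():
    """Decisions of each firewall type for (request, reply, unsolicited)."""
    fw = StatefulFirewall(OUTBOUND_ONLY)
    return {
        "stateless": [stateless_filter(STATELESS_RULES, p) for p in (request, reply, unsolicited)],
        "stateful": [fw.filter(p) for p in (request, reply, unsolicited)],
    }


if __name__ == "__main__":
    print(compare())
```

The stateless filter admits all three packets because the broad return-traffic rule cannot tell a reply from an unsolicited connection; the stateful firewall admits the reply only because the outbound request is in its table and rejects the unrelated packet, which is the context advantage the explanation above describes.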

Question 119:

Which type of wireless security protocol uses AES encryption to secure Wi-Fi networks?

A. WEP
B. WPA
C. WPA2
D. WPS

Answer: C. WPA2

Explanation:

WEP (Wired Equivalent Privacy): WEP was the original security protocol designed to protect wireless networks and was standardized in the late 1990s. Its primary goal was to provide a level of confidentiality comparable to wired networks. WEP uses the RC4 stream cipher for encryption and relies on a static 40-bit or 104-bit key combined with a 24-bit initialization vector (IV). Despite its initial adoption, WEP has several critical vulnerabilities that make it insecure in modern environments.

One of the key weaknesses is the predictability and short length of the IV, which allows attackers to capture enough packets to deduce the encryption key using readily available tools. In addition, WEP does not provide strong integrity verification; the CRC-32 checksum used for data integrity is not cryptographically secure and can be manipulated by attackers. CAS-005 emphasizes WEP as a legacy protocol that is obsolete and should never be used in production networks. Candidates should understand that while WEP may still exist in older devices or as a backward compatibility option, it is inherently insecure and vulnerable to attacks such as key recovery, packet injection, and traffic decryption. WEP serves primarily as a historical reference for understanding the evolution of Wi-Fi security.
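The two WEP weaknesses just described can be quantified. The following is an added example (not from the CAS-005 material): it computes how quickly a 24-bit IV space repeats (the birthday bound), and shows that CRC-32 is linear over bit-flips, which is why a keyed integrity check is required. HMAC-SHA256 from the standard library stands in for "a keyed MAC"; it is not CCMP, and the function names and constants are my own.

```python
"""Added example: quantifying WEP's short IV and non-cryptographic CRC-32 integrity check."""
import hashlib
import hmac
import math
import zlib

IV_SPACE = 2 ** 24   # WEP initialisation vectors are 24 bits wide


def iv_collision_probability(packets, space=IV_SPACE):
    """Exact probability that at least one IV repeats among `packets` uniformly
    random IVs (the birthday problem): 1 - prod(1 - i/space) for i < packets."""
    if packets > space:
        return 1.0
    log_no_collision = math.fsum(math.log1p(-i / space) for i in range(packets))
    return 1.0 - math.exp(log_no_collision)


def packets_for_probability(target, space=IV_SPACE):
    """Smallest packet count at which P(IV reuse) reaches `target`, computed incrementally."""
    log_no_collision = 0.0
    n = 0
    while 1.0 - math.exp(log_no_collision) < target:
        log_no_collision += math.log1p(-n / space)
        n += 1
    return n


def crc32_is_linear(a: bytes, b: bytes) -> bool:
    """CRC-32 is affine over GF(2): crc(a XOR b) == crc(a) XOR crc(b) XOR crc(zeros).
    Because the checksum of a modified message is predictable without any secret,
    CRC-32 cannot serve as a cryptographic integrity check."""
    assert len(a) == len(b)
    xored = bytes(x ^ y for x, y in zip(a, b))
    zeros = bytes(len(a))
    return zlib.crc32(xored) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)


def keyed_mac(key: bytes, msg: bytes) -> bytes:
    """Stand-in for a keyed MAC (CCMP uses AES-based CBC-MAC; HMAC-SHA256 is used here)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_detects_change(key: bytes, msg: bytes, tampered: bytes) -> bool:
    """Without the key, a modified message cannot be given a valid tag."""
    return not hmac.compare_digest(keyed_mac(key, msg), keyed_mac(key, tampered))


if __name__ == "__main__":
    print(f"P(IV reuse after 5000 packets) = {iv_collision_probability(5000):.3f}")
    print(f"packets until P(IV reuse) >= 0.5: {packets_for_probability(0.5)}")
    print("CRC-32 linear:", crc32_is_linear(b"payload-1", b"payload-2"))
    print("keyed MAC detects change:", mac_detects_change(b"k", b"hello", b"hellp"))
```

On a busy access point a few thousand frames is seconds of traffic, which is why the IV space, not the RC4 key length, is the first thing that fails; the CRC property is why WPA2 moved integrity to a keyed construction.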

WPA (Wi-Fi Protected Access): WPA was introduced as an interim solution to address the weaknesses of WEP while the IEEE 802.11i standard was being finalized. WPA replaced WEP’s RC4 with TKIP (Temporal Key Integrity Protocol), which dynamically changes encryption keys for each packet, thereby reducing the risk of key reuse and certain replay attacks. WPA also incorporates a message integrity check called Michael to improve data integrity, although it is not as robust as modern standards.

While WPA represents an improvement over WEP, it is still considered less secure than WPA2, particularly because TKIP is susceptible to certain attacks such as dictionary-based key recovery or fragmentation attacks. CAS-005 candidates must understand that WPA is transitional, providing better security than WEP but not meeting contemporary encryption and integrity requirements. WPA is sometimes still encountered in legacy hardware, and understanding its mechanisms helps security professionals evaluate risk, perform network audits, and plan for migration to stronger protocols. WPA demonstrates the evolution of Wi-Fi security and the need for cryptographically sound methods such as AES.

WPA2 (Wi-Fi Protected Access II): WPA2 is the modern standard for securing Wi-Fi networks and implements AES (Advanced Encryption Standard) in conjunction with CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) for both confidentiality and integrity. AES is a symmetric block cipher recognized worldwide for its robustness and is widely used across government, enterprise, and commercial environments. CCMP provides strong message integrity verification, ensuring that transmitted data has not been altered or tampered with.

CAS-005 highlights WPA2 as the primary protocol for secure wireless deployment in enterprise and personal networks. Candidates must understand that WPA2 offers two operational modes: WPA2-Personal (using pre-shared keys for home and small business networks) and WPA2-Enterprise (leveraging IEEE 802.1X and RADIUS servers for centralized authentication in larger networks). Proper implementation includes strong password selection, disabling legacy support for WEP or TKIP, monitoring for rogue access points, and applying firmware updates to access points and wireless clients. WPA2 also serves as a foundation for WPA3, which addresses remaining vulnerabilities and improves security for modern IoT and enterprise environments.

Beyond encryption, WPA2 aligns with the CIA triad:

Confidentiality is provided by AES encryption, protecting data from eavesdropping.

Integrity is ensured through CCMP, detecting any alteration of transmitted packets.

Availability is indirectly supported, as strong encryption reduces the likelihood of network compromise and service disruptions caused by unauthorized access.

In CAS-005, candidates are expected to understand the technical configuration, key management practices, and security policies necessary to enforce WPA2 securely, including disabling outdated protocols, rotating pre-shared keys periodically, and leveraging enterprise authentication for centralized management.

WPS (Wi-Fi Protected Setup): WPS is not a wireless security protocol but a convenience feature designed to simplify the connection of client devices to a wireless network. WPS allows users to join a Wi-Fi network using a PIN, push-button configuration, or NFC without manually entering complex passwords. While convenient, WPS introduces a significant security risk. The PIN-based mechanism is vulnerable to brute-force attacks because the eight-digit PIN can be divided and attacked in two halves, drastically reducing the time required for a successful compromise.

CAS-005 emphasizes that WPS should be disabled in enterprise and security-conscious environments, as it undermines the security benefits provided by protocols like WPA2. Understanding WPS is crucial for security professionals, as misconfigured networks with enabled WPS can be easily exploited, allowing attackers unauthorized access despite strong underlying encryption. While WPS facilitates network deployment, it should be considered a liability rather than a protective measure.

In CAS-005, candidates must clearly differentiate between these options: WEP represents insecure legacy encryption, WPA offers interim improvements but is still vulnerable, WPA2 provides strong AES-based encryption and integrity through CCMP and is the standard for modern Wi-Fi networks, and WPS is a convenience feature with inherent vulnerabilities. Correctly implementing WPA2 involves not only enabling AES encryption but also managing keys, disabling weaker protocols, auditing wireless networks, and combining it with administrative policies to enforce secure network access. Understanding these distinctions ensures that security professionals can design, configure, and audit wireless networks effectively, mitigating risks from eavesdropping, unauthorized access, and other attacks on wireless communications.

Question 120:

Which principle requires providing users only the access necessary to perform their job functions?

A. Separation of duties
B. Principle of least privilege
C. Mandatory access control
D. Role-based access control

Answer: B. Principle of least privilege

Explanation:

Separation of duties: Separation of duties (SoD) is a foundational security principle that focuses on dividing responsibilities for critical or sensitive tasks among multiple individuals to reduce the risk of fraud, error, or misuse. The primary purpose of SoD is to prevent any single individual from having unilateral control over a process that could compromise security or business operations. For example, in a financial environment, the person who approves payment requests should not be the same person who reconciles accounts or authorizes wire transfers. This division ensures accountability, enables cross-checking, and mitigates the potential for malicious or unintentional misuse of systems. In the context of CAS-005, SoD is emphasized under administrative and operational controls, particularly in governance, risk management, and compliance frameworks. While separation of duties enhances security by distributing authority and increasing oversight, it is not primarily concerned with minimizing access rights. It may indirectly reduce risk, but it does not specifically enforce the principle of providing only the minimum access needed to perform one’s job. SoD focuses more on procedural controls, audits, and policy enforcement rather than technical permission management.

Principle of least privilege: The principle of least privilege (PoLP) is one of the most critical and widely applied security concepts in modern IT and cybersecurity practices. It dictates that users, processes, and systems should be granted only the minimum level of access or permissions necessary to perform their assigned tasks and nothing more. By minimizing access rights, organizations reduce the attack surface, limit potential damage from compromised accounts, prevent unauthorized activities, and mitigate insider threats. For example, a junior accountant who only needs access to reporting systems should not have administrative rights to modify financial databases. Similarly, a web server process should only have access to files it requires for operation and no additional system-level privileges.

CAS-005 places significant emphasis on understanding PoLP as a technical and administrative control. Implementation involves carefully configuring permissions, roles, and access controls, often through role-based access control (RBAC), discretionary access control (DAC), or mandatory access control (MAC) models, while continuously auditing user activities to ensure compliance. Auditing is essential because permissions often accumulate over time—users may move roles, project requirements change, or temporary elevated access is granted and forgotten. This phenomenon, known as “privilege creep,” can undermine the principle of least privilege if not managed properly.

PoLP contributes directly to confidentiality, integrity, and accountability, which are core components of the CIA triad. Limiting access ensures that only authorized personnel can view or modify sensitive information, reducing the likelihood of data breaches, system misconfigurations, or unintentional errors. Least privilege is also critical in defending against malware and ransomware: if a compromised account has minimal permissions, the malware’s impact is constrained. CAS-005 stresses integrating PoLP with multi-factor authentication, session timeouts, and privilege elevation auditing to further reduce risks. Effective application of PoLP requires not only technical enforcement but also administrative oversight, including policies for temporary privilege escalation, periodic review of roles and access rights, and removal of unnecessary permissions.

Mandatory access control (MAC): Mandatory access control is an access control model in which access to resources is determined by predefined security policies and classification labels, rather than individual user discretion. Each resource is assigned a sensitivity level (e.g., Top Secret, Secret, Confidential), and users are granted clearances corresponding to these levels. The system enforces policies strictly, preventing users from overriding or changing access permissions. CAS-005 candidates must understand MAC primarily in government, military, or highly regulated environments, where confidentiality and strict data control are paramount.

While MAC enforces a strong security posture by ensuring that users cannot exceed their authorized clearance levels, it does not inherently enforce the principle of minimal access. Users may still have access to all resources at their assigned classification level, even if not strictly necessary for their daily tasks. Thus, MAC complements least privilege by enforcing strict access based on classification, but PoLP goes further by refining access rights to the bare minimum required for job function. MAC is often integrated with PoLP in high-security environments to balance rigorous policy enforcement with operational efficiency.

Role-based access control (RBAC): RBAC is an access control methodology that assigns permissions to roles rather than individuals. Users are then assigned roles based on their job responsibilities, and they inherit the associated permissions. RBAC simplifies administration in complex organizations by grouping access rights, reducing administrative overhead, and supporting policy consistency. CAS-005 emphasizes RBAC for large-scale enterprise systems where managing individual permissions would be impractical.

RBAC is highly compatible with the principle of least privilege when roles are carefully defined. However, RBAC alone does not automatically enforce minimal access. Poorly designed roles can grant excessive permissions, creating privilege creep. To adhere to PoLP in an RBAC system, organizations must conduct role engineering, define permissions precisely, and perform regular access audits. RBAC can also be combined with MAC or discretionary controls to enhance security. CAS-005 highlights the use of RBAC in conjunction with auditing and logging to enforce accountability, ensure compliance, and reduce the risk of insider threats.

In conclusion, while separation of duties, MAC, and RBAC are all important security principles and access control methods, the principle of least privilege is the most directly aligned with providing users only the access necessary for their job functions. It minimizes attack surfaces, mitigates insider threats, reduces potential damage from compromised accounts, and reinforces accountability. Implementing PoLP requires careful planning, auditing, and integration with access control models and administrative policies. CAS-005 emphasizes PoLP as a core security practice applicable across network devices, servers, endpoints, and cloud systems. By consistently applying least privilege, organizations can enhance confidentiality, integrity, availability, and overall enterprise security posture.
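The following is an added example (not from the CAS-005 material) that puts the three ideas discussed above side by side in code: an RBAC model in which users inherit permissions from roles, a least-privilege review that flags granted-but-unused permissions (privilege creep), and a separation-of-duties check for conflicting permissions held by one person. Roles, users, permission names and the activity record are all constructed for the illustration.

```python
"""Added example: RBAC with a least-privilege audit and a separation-of-duties check."""
from collections import defaultdict

# Constructed role definitions (RBAC: permissions attach to roles, not people).
ROLE_PERMISSIONS = {
    "junior_accountant": {"reports:read"},
    "payments_approver": {"reports:read", "payments:approve"},
    "reconciler":        {"reports:read", "ledger:reconcile"},
    "db_admin":          {"reports:read", "finance_db:admin"},
}

# Constructed role assignments.
USER_ROLES = {
    "alice": {"junior_accountant"},
    "bob":   {"payments_approver", "reconciler"},   # both halves of the payment flow
    "carol": {"junior_accountant", "db_admin"},     # admin role left over from a past project
}

# Permissions actually exercised during the review period (constructed activity record).
USED_PERMISSIONS = {
    "alice": {"reports:read"},
    "bob":   {"payments:approve", "reports:read"},
    "carol": {"reports:read"},
}

# Permission pairs no single person may hold (separation of duties).
SOD_CONFLICTS = [("payments:approve", "ledger:reconcile")]


def effective_permissions(user):
    """Permissions a user inherits through every assigned role."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS[role]
    return perms


def least_privilege_findings():
    """Granted but never used in the period: candidates for removal (privilege creep).
    RBAC alone does not surface these; a periodic review does."""
    findings = {}
    for user in USER_ROLES:
        unused = effective_permissions(user) - USED_PERMISSIONS.get(user, set())
        if unused:
            findings[user] = sorted(unused)
    return findings


def separation_of_duties_findings():
    """Users whose combined roles grant both sides of a conflicting pair."""
    findings = defaultdict(list)
    for user in USER_ROLES:
        perms = effective_permissions(user)
        for a, b in SOD_CONFLICTS:
            if a in perms and b in perms:
                findings[user].append((a, b))
    return dict(findings)


if __name__ == "__main__":
    print("least privilege:", least_privilege_findings())
    print("separation of duties:", separation_of_duties_findings())
```

The two reviews report different things: the least-privilege audit finds that bob and carol hold permissions they never use, while the separation-of-duties check finds that bob's role combination lets one person both approve payments and reconcile the ledger. Removing carol's admin role fixes a least-privilege finding but says nothing about SoD, which is the distinction the explanation draws between the two principles.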
