CompTIA CAS-005 SecurityX Exam Dumps and Practice Test Questions Set 10 Q181-200


Question 181:

Which type of malware is designed to remain hidden and undetectable while providing persistent access to a system?

A. Rootkit
B. Worm
C. Trojan
D. Adware

Answer: A. Rootkit

Explanation:

Rootkit: A rootkit is a type of malware specifically designed to gain privileged access to a system and remain hidden from standard detection methods such as antivirus or system monitoring tools. CAS-005 emphasizes rootkits as a significant threat because they compromise the integrity and confidentiality of a system by allowing attackers to control processes, files, or network connections covertly. Rootkits can be installed at the kernel level, application level, or firmware level, making detection extremely difficult. They often intercept system calls, modify operating system behavior, and hide malicious processes, files, and network activity from the user and security software. Detection methods include integrity checking, behavioral analysis, and specialized rootkit scanners. CAS-005 candidates must understand the importance of layered defenses, such as endpoint protection, intrusion detection systems, patch management, and hardware security modules to mitigate rootkit risks. Rootkits often serve as the foundation for advanced persistent threats (APTs), enabling attackers to maintain long-term access to sensitive environments without detection. Prevention strategies include restricting administrative privileges, enabling secure boot mechanisms, maintaining up-to-date security patches, and monitoring for anomalous system behavior. Because rootkits can undermine system integrity, CAS-005 highlights the necessity of incident response plans and forensic analysis to identify compromise and restore trust in affected systems.

Worm: Worms are self-replicating malware that spread autonomously across networks. CAS-005 teaches that worms focus primarily on propagation rather than stealth or persistence at the system level. While worms can carry additional payloads, such as rootkits or ransomware, their primary goal is rapid infection. Mitigation includes patching vulnerabilities, network segmentation, and intrusion detection.

Trojan: Trojans disguise themselves as legitimate applications or files to trick users into executing malicious code. CAS-005 notes that Trojans can deliver payloads such as keyloggers, ransomware, or rootkits, but their stealth and persistence are dependent on the type of payload, not inherent to Trojans themselves. User education, endpoint protection, and careful software installation policies mitigate Trojan risks.

Adware: Adware displays unwanted advertisements on user devices, often bundled with free software. CAS-005 teaches that adware primarily impacts confidentiality and user experience rather than providing persistent hidden access or system control. While intrusive, adware does not typically constitute a covert, high-risk security threat like a rootkit.

Rootkits exemplify the intersection of stealth, persistence, and privilege escalation in CAS-005, highlighting why understanding them is essential for securing critical enterprise systems, maintaining system integrity, and designing layered defense strategies.

Question 182:

Which method of authentication requires users to provide two or more verification factors to gain access?

A. Single sign-on
B. Multi-factor authentication
C. Password-only authentication
D. Biometric-only authentication

Answer: B. Multi-factor authentication

Explanation:

Single sign-on (SSO): SSO allows a user to log in once and access multiple applications without repeatedly entering credentials. CAS-005 teaches SSO as an identity management convenience, improving productivity and reducing password fatigue. However, SSO alone does not provide multiple verification factors; it relies on a single authentication event. While SSO can integrate with MFA for enhanced security, SSO itself is not a multi-factor mechanism.

Multi-factor authentication (MFA): MFA requires users to provide two or more distinct verification factors before granting access. CAS-005 emphasizes three primary authentication categories: something you know (password or PIN), something you have (token, smart card), and something you are (biometric). Combining these factors significantly reduces the likelihood of unauthorized access, as compromising multiple factors is considerably more difficult than a single factor. MFA is crucial for high-value accounts, cloud applications, VPNs, and administrative systems. CAS-005 candidates must understand proper implementation, including enrollment, factor selection, token management, and fallback mechanisms. MFA supports confidentiality, integrity, and accountability by mitigating credential compromise risks, credential stuffing attacks, and phishing threats. Integration with SSO, adaptive authentication, and risk-based policies further strengthens enterprise security. MFA also aligns with compliance frameworks, including NIST, PCI DSS, and HIPAA, demonstrating its practical and regulatory importance. Proper user training, secure factor distribution, and monitoring of authentication logs are essential for effective MFA deployment.

Password-only authentication: Single-factor authentication using only a password is weak because passwords are vulnerable to guessing, brute-force attacks, phishing, and credential reuse. CAS-005 teaches that password-only systems fail to meet modern enterprise security expectations and should be supplemented with additional verification factors.

Biometric-only authentication: Biometric authentication uses physical characteristics, such as fingerprints or facial recognition, to verify identity. While stronger than passwords alone, biometrics as a single factor do not qualify as MFA. CAS-005 emphasizes combining biometrics with other factors for layered security.

MFA embodies the principle of defense-in-depth in authentication, strengthening access control and aligning with CAS-005 objectives by protecting sensitive data, administrative systems, and cloud resources.

Question 183:

Which type of attack involves intercepting communication between two parties to eavesdrop or manipulate data?

A. Phishing
B. Man-in-the-Middle (MITM)
C. SQL Injection
D. Denial-of-Service (DoS)

Answer: B. Man-in-the-Middle (MITM)

Explanation:

Phishing: Phishing attacks deceive users into revealing sensitive information or credentials, usually through email or malicious websites. CAS-005 emphasizes phishing as a social engineering threat targeting human behavior rather than intercepting communication between systems. Mitigation includes user awareness training, email filtering, and web content security.

Man-in-the-Middle (MITM): MITM attacks occur when an attacker intercepts and potentially modifies communication between two parties without their knowledge. CAS-005 highlights MITM as a critical confidentiality and integrity threat. MITM can occur over unsecured networks, via ARP poisoning, rogue access points, or DNS spoofing. Attackers can eavesdrop, steal credentials, manipulate transactions, or inject malware. Detection and prevention include using strong encryption (TLS, HTTPS, VPNs), certificate validation, network monitoring, mutual authentication, and intrusion detection systems. CAS-005 candidates must understand MITM attack vectors, indicators, and mitigations to protect enterprise communications. For example, secure Wi-Fi networks with WPA2/WPA3, certificate pinning, and enforcing encryption for all endpoints are essential defenses. MITM attacks compromise trust in communication systems, demonstrating why encryption and authentication are core objectives in CAS-005.

SQL Injection: SQL injection targets database applications, allowing attackers to manipulate queries. CAS-005 emphasizes SQL injection as an input validation vulnerability, not a communication interception technique. Proper mitigation includes prepared statements, parameterized queries, and input validation.

Denial-of-Service (DoS): DoS attacks aim to make systems unavailable by exhausting resources. CAS-005 teaches DoS as primarily an availability threat, differing from MITM, which targets confidentiality and integrity.

MITM exemplifies CAS-005’s focus on network security, cryptography, and secure communication practices, reinforcing the need for proactive monitoring, encryption, and trust verification.

Question 184:

Which type of firewall inspects traffic at the application layer to filter malicious content?

A. Packet-filtering firewall
B. Stateful firewall
C. Application-layer firewall
D. Circuit-level gateway

Answer: C. Application-layer firewall

Explanation:

Packet-filtering firewall: Packet-filtering firewalls inspect network traffic at the network or transport layer (IP addresses, ports, protocol type). CAS-005 emphasizes their efficiency but notes they cannot analyze application content, leaving systems vulnerable to application-specific attacks.

Stateful firewall: Stateful firewalls track the state of network connections and enforce rules based on session context. CAS-005 highlights stateful firewalls for transport layer protection and session validation, but they do not inspect application payloads for malicious commands or content.

Application-layer firewall: Application-layer firewalls (also called proxy firewalls) examine traffic at the application layer (Layer 7) of the OSI model. CAS-005 emphasizes their importance in filtering malicious payloads, enforcing content policies, and preventing application-specific attacks such as SQL injection or cross-site scripting. Application-layer firewalls understand application protocols like HTTP, FTP, SMTP, and DNS, enabling more granular control and threat detection. Candidates must understand deployment scenarios, proxy configuration, and integration with intrusion prevention systems (IPS). These firewalls inspect the content, not just headers, allowing detection of malware, unauthorized commands, or policy violations. They are critical for defending web applications, mail servers, and sensitive services while supporting enterprise compliance and threat mitigation strategies.

Circuit-level gateway: Circuit-level gateways monitor TCP sessions between hosts but do not inspect application data. CAS-005 teaches that while they provide session-level control and some anonymity benefits, they lack content awareness for application-layer attacks.

Application-layer firewalls are integral to CAS-005 objectives by combining threat prevention, content filtering, and granular traffic inspection for secure enterprise operations.

Question 185:

Which protocol is used to encrypt email messages, ensuring confidentiality and authentication?

A. SMTP
B. POP3
C. IMAP
D. S/MIME

Answer: D. S/MIME

Explanation:

SMTP: Simple Mail Transfer Protocol (SMTP) is used to send email messages between servers. CAS-005 emphasizes that SMTP alone does not provide encryption, authentication, or message integrity. Without additional security measures, email transmitted via SMTP is susceptible to interception and modification.

POP3: Post Office Protocol 3 (POP3) is used to retrieve email from a server, typically downloading messages to a local client. CAS-005 notes that POP3 does not inherently provide encryption or authentication for message content, leaving data at risk during transmission.

IMAP: Internet Message Access Protocol (IMAP) allows email retrieval and server-side message management. CAS-005 highlights IMAP for flexibility and multiple-device synchronization but notes that like POP3, it does not natively encrypt email content. Encryption must be added via SSL/TLS.

S/MIME: Secure/Multipurpose Internet Mail Extensions (S/MIME) provides end-to-end encryption and digital signatures for email messages. CAS-005 emphasizes S/MIME for ensuring confidentiality, integrity, and authentication. S/MIME uses public key cryptography to encrypt email content and verify sender identity. Proper deployment involves certificate management, key distribution, and secure handling of private keys. It protects sensitive corporate communications, ensures compliance with privacy regulations, and mitigates risks from interception or tampering. CAS-005 candidates must understand how S/MIME integrates with email clients, PKI infrastructure, and organizational policies to secure communications. S/MIME supports auditability and non-repudiation, making it a cornerstone of secure email practices in enterprise environments.

Question 186:

Which type of attack attempts to gain access by systematically trying all possible password combinations?

A. Brute-force attack
B. Dictionary attack
C. Phishing
D. Rainbow table attack

Answer: A. Brute-force attack

Explanation:

Brute-force attack: A brute-force attack is a method where an attacker attempts every possible combination of characters until the correct password is discovered. CAS-005 emphasizes that brute-force attacks are a fundamental threat to authentication systems because they exploit weak or short passwords. While modern systems often employ account lockouts, rate limiting, or multi-factor authentication (MFA) to mitigate brute-force risks, the attack remains effective against poorly configured accounts. Brute-force attacks can target local systems, web applications, or remote services, and their success depends on password complexity, system defenses, and computational power. For CAS-005 candidates, understanding brute-force attacks involves knowing prevention techniques, including enforcing strong password policies, implementing MFA, using salted hashes for password storage, and monitoring failed login attempts. Tools used in brute-force attacks range from simple scripts to sophisticated software leveraging GPU acceleration for rapid key testing. The attack threatens confidentiality by potentially exposing credentials, and compromised accounts may lead to integrity and availability issues. Brute-force attacks also demonstrate the need for layered security controls, combining technical measures with administrative policies such as password management and user education.

Dictionary attack: A dictionary attack is a variation of brute-force that uses a precompiled list of common passwords, words, or phrases. CAS-005 teaches that dictionary attacks are more efficient than pure brute-force, as they target predictable human behavior and commonly used passwords. While faster, dictionary attacks still require password complexity mitigation, including passphrases, random characters, and MFA. Organizations must enforce strong password policies and combine them with account lockout mechanisms to defend against both brute-force and dictionary attacks.

Phishing: Phishing relies on social engineering to trick users into revealing credentials or sensitive data, rather than attempting all possible combinations. CAS-005 emphasizes that phishing attacks exploit human behavior and complement technical attacks but differ fundamentally from brute-force, which is automated and systematic. User training and email filtering are the primary mitigation strategies for phishing.

Rainbow table attack: Rainbow table attacks leverage precomputed hash tables to reverse hashed passwords. CAS-005 highlights that while rainbow tables are effective against unsalted hashes, using salts in password storage significantly mitigates this risk. Unlike brute-force, rainbow tables exploit weaknesses in hash storage rather than the raw password space.

Brute-force attacks are foundational in CAS-005 knowledge because they illustrate the importance of secure password policies, hashing, MFA, and monitoring, combining technical and administrative controls to protect authentication systems.
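The controls named above for Question 186 (salted slow hashes, account lockout, monitoring of failed logins) in one small credential store, as an added example that is not part of the original question set. The class name, the policy thresholds and the audit-log layout are assumptions for the illustration; the last function also shows why a per-account salt defeats the precomputed tables of the rainbow-table option.

```python
import hashlib
import hmac
import os

# Policy knobs (constructed for the demo; tune to organisational policy).
LOCKOUT_THRESHOLD = 5      # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60  # how long the lock lasts
PBKDF2_ROUNDS = 100_000    # work factor: every guess costs the attacker this many rounds too


class AuthStore:
    """Salted, slow-hashed credential store with per-account lockout and a failed-login log."""

    def __init__(self):
        self.users = {}       # username -> {"salt", "hash", "failures", "locked_until"}
        self.audit_log = []   # (timestamp, username, event) tuples for monitoring

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # unique per account: identical passwords get different hashes
        self.users[username] = {"salt": salt, "hash": self._derive(password, salt),
                                "failures": 0, "locked_until": 0}

    def login(self, username: str, password: str, now: int) -> str:
        """Return 'ok', 'denied' or 'locked'. Unknown users are reported like wrong passwords."""
        user = self.users.get(username)
        if user is None:
            self.audit_log.append((now, username, "failure:unknown_user"))
            return "denied"
        if now < user["locked_until"]:
            # Even the correct password is refused while the lock is active.
            self.audit_log.append((now, username, "rejected:locked"))
            return "locked"
        if hmac.compare_digest(self._derive(password, user["salt"]), user["hash"]):
            user["failures"] = 0
            self.audit_log.append((now, username, "success"))
            return "ok"
        user["failures"] += 1
        self.audit_log.append((now, username, "failure:bad_password"))
        if user["failures"] >= LOCKOUT_THRESHOLD:
            user["locked_until"] = now + LOCKOUT_SECONDS
            user["failures"] = 0
            self.audit_log.append((now, username, "lockout"))
        return "denied"

    def failures_in_window(self, username: str, now: int, window: int = 300) -> int:
        """Detection hook: failed attempts against one account in the last `window` seconds."""
        return sum(1 for ts, u, ev in self.audit_log
                   if u == username and ev.startswith("failure") and now - ts <= window)


def salts_defeat_precomputation(password: str) -> bool:
    """Two accounts with the same password store different hashes, so a single
    precomputed (rainbow) table cannot cover both."""
    store = AuthStore()
    store.register("alice", password)
    store.register("bob", password)
    return store.users["alice"]["hash"] != store.users["bob"]["hash"]
```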

Question 187:

Which cloud service model provides access to software applications over the internet without managing the underlying infrastructure?

A. IaaS
B. PaaS
C. SaaS
D. DaaS

Answer: C. SaaS

Explanation:

IaaS (Infrastructure as a Service): IaaS provides virtualized computing resources such as servers, storage, and networking. CAS-005 emphasizes that IaaS users are responsible for operating system configuration, application deployment, and security patching. While flexible, IaaS requires more administrative effort than SaaS, and security responsibilities are shared between the provider and consumer.

PaaS (Platform as a Service): PaaS provides a platform for developing, testing, and deploying applications without managing the underlying hardware. CAS-005 highlights that PaaS users focus on application logic and configuration, while the provider manages the platform stack. PaaS is ideal for developers but still requires knowledge of secure application deployment practices.

SaaS (Software as a Service): SaaS delivers fully functional software applications over the internet. CAS-005 teaches that users interact with software via web browsers or APIs, while the provider handles infrastructure, platform, updates, and security patches. Examples include Office 365, Salesforce, and Google Workspace. Security considerations include identity and access management (IAM), data encryption at rest and in transit, backup and recovery, and monitoring for compliance. CAS-005 emphasizes that SaaS simplifies operational management but requires careful attention to user authentication, cloud policies, and compliance frameworks such as GDPR or HIPAA. SaaS reduces administrative burden but does not absolve organizations from ensuring proper configuration, secure access, and regulatory adherence.

DaaS (Desktop as a Service): DaaS provides virtual desktop environments hosted in the cloud. CAS-005 notes that while DaaS offers endpoint flexibility and centralized management, it is distinct from SaaS because the user receives a complete desktop environment rather than a single application. Security considerations include secure access, session management, and endpoint protection.

Understanding SaaS within CAS-005 ensures candidates recognize cloud security responsibilities, shared security models, and the trade-offs between convenience, control, and compliance in enterprise cloud adoption.

Question 188:

Which type of attack injects malicious SQL statements into an application to manipulate databases?

A. Cross-Site Scripting (XSS)
B. SQL Injection
C. Command Injection
D. LDAP Injection

Answer: B. SQL Injection

Explanation:

Cross-Site Scripting (XSS): XSS targets web application clients by injecting scripts executed in the victim’s browser. CAS-005 highlights XSS as an integrity and confidentiality threat at the client level but not a database manipulation attack. Mitigation involves input validation, output encoding, and content security policies.

SQL Injection: SQL injection exploits vulnerabilities in web applications to execute unauthorized SQL queries. CAS-005 emphasizes that SQL injection can expose, modify, or delete sensitive data, compromise confidentiality, integrity, and availability, and potentially escalate privileges. Preventive measures include parameterized queries, prepared statements, input validation, stored procedures, and least privilege access to database accounts. SQL injection is a critical skill area for CAS-005 candidates because it illustrates the intersection of application security, database protection, and secure coding practices. Detection may involve web application firewalls (WAFs), monitoring query patterns, and automated security testing. Organizations must combine secure development lifecycle practices, user training, and runtime monitoring to mitigate SQL injection risks effectively.

Command Injection: Command injection targets the underlying operating system by executing arbitrary commands via vulnerable applications. CAS-005 differentiates this from SQL injection, as the attack operates at the OS layer, affecting server operations, not database queries directly. Mitigation includes input validation, using least privilege execution contexts, and avoiding direct system command execution in web applications.

LDAP Injection: LDAP injection manipulates Lightweight Directory Access Protocol queries to gain unauthorized access or bypass authentication. CAS-005 teaches LDAP injection as a directory-specific attack, similar conceptually to SQL injection but limited to LDAP-based systems. Mitigation includes input sanitization and secure binding practices.

SQL injection exemplifies CAS-005’s focus on secure application development, input validation, and defense-in-depth, demonstrating the consequences of poorly coded database interactions.
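The defect and the fix described above for Question 188, side by side, as an added example (not code from the original question set): a login check that concatenates input into SQL, the same check using parameter binding, and a WAF-style heuristic of the kind the text mentions for detection. The in-memory SQLite table, its single row and the function names are constructed for the illustration.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database with one users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    # Constructed row; a real application stores a salted, slow hash here.
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alices-password')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """The defect: untrusted input is spliced into the SQL text, so the input can change
    the structure of the query (add clauses, comment out the rest) instead of only its data."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password_hash = '" + password_hash + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """The fix: placeholders bind the values; the database never parses them as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


def is_suspicious_input(value: str) -> bool:
    """Detection-side heuristic (what a WAF rule might flag): quote or comment tokens in a
    field that should hold only a username. A defence-in-depth signal, not a substitute
    for parameterization."""
    return any(tok in value for tok in ("'", "--", ";", "/*"))


if __name__ == "__main__":
    db = build_demo_db()
    crafted = "alice' --"   # closes the string literal and comments out the password clause
    print("vulnerable   :", login_vulnerable(db, crafted, "wrong"))      # True: check bypassed
    print("parameterized:", login_parameterized(db, crafted, "wrong"))  # False: literal lookup
    print("flagged      :", is_suspicious_input(crafted))
```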

Question 189:

Which access control model grants permissions based on user roles within an organization?

A. Discretionary Access Control (DAC)
B. Mandatory Access Control (MAC)
C. Role-Based Access Control (RBAC)
D. Rule-Based Access Control

Answer: C. Role-Based Access Control

Explanation:

Discretionary Access Control (DAC): DAC allows resource owners to assign access rights at their discretion. CAS-005 notes DAC’s flexibility but highlights risks when users assign permissions inconsistently or insecurely. DAC is prone to privilege escalation and accidental exposure.

Mandatory Access Control (MAC): MAC enforces access based on security labels, such as Top Secret or Confidential, which are controlled by administrators. CAS-005 emphasizes MAC in high-security environments where users cannot override policy.

Role-Based Access Control (RBAC): RBAC assigns permissions based on organizational roles rather than individual users. CAS-005 highlights RBAC as efficient for large enterprises, reducing administrative overhead, enforcing least privilege, and aligning with job functions. RBAC supports compliance, simplifies auditing, and mitigates insider threats by ensuring users only have access needed for their role. Implementation involves defining roles, mapping permissions, integrating with directory services (e.g., Active Directory), and monitoring for unauthorized role changes. RBAC also enables separation of duties, preventing a single individual from performing conflicting critical tasks. Proper RBAC deployment aligns with CAS-005 objectives of identity and access management, secure privilege administration, and operational efficiency.

Rule-Based Access Control: Rule-based control uses conditions, such as time of day or network location, to enforce access. CAS-005 emphasizes that this model complements RBAC or MAC but is not inherently role-based, focusing instead on dynamic policy enforcement.

RBAC exemplifies CAS-005 focus areas including scalability, least privilege enforcement, auditing, and integration with enterprise IAM solutions.

Question 190:

Which type of backup only saves data that has changed since the last full backup, optimizing storage while simplifying recovery?

A. Full backup
B. Incremental backup
C. Differential backup
D. Snapshot

Answer: C. Differential backup

Explanation:

Full backup: A full backup copies all selected files every time it runs. CAS-005 teaches that full backups ensure complete recovery but require more storage and time. While reliable, they are less efficient than differential backups for routine operations.

Incremental backup: Incremental backups save data changed since the last backup of any type. CAS-005 highlights their efficiency in storage but notes that recovery is slower, requiring restoration of the last full backup plus all subsequent incremental backups.

Differential backup: Differential backups save all data changed since the last full backup. CAS-005 emphasizes that this strikes a balance between recovery speed and storage usage. Recovery requires the last full backup and the latest differential, simplifying restoration while reducing the storage overhead compared to full backups. Differential backups are critical in disaster recovery planning, ensuring that data can be restored promptly in alignment with recovery time objectives (RTOs) and recovery point objectives (RPOs). They support confidentiality and integrity by ensuring backup data is consistent and recoverable, which is crucial for enterprise operations, ransomware mitigation, and regulatory compliance.

Snapshot: Snapshots capture the state of a system or volume at a point in time. CAS-005 notes snapshots are fast for temporary recovery but may not be suitable for long-term archival or disaster recovery due to storage and consistency limitations.

Differential backups exemplify CAS-005 best practices for disaster recovery, data protection, and business continuity planning, balancing efficiency, security, and rapid recovery capability.
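A simulation of the restore-chain and storage trade-off described above for Question 190, added here as an example that is not part of the original question set: a full backup on day 0 followed by four days of either differential or incremental backups, with functions that compute which sets a restore needs and how many file copies each strategy holds. The file contents and daily change lists are constructed.

```python
from dataclasses import dataclass


@dataclass
class Backup:
    day: int
    kind: str     # "full", "differential" or "incremental"
    files: dict   # filename -> version of the file captured in this set


# Constructed data: four files on day 0, then one or two changes per day.
BASELINE = {"a.txt": "a0", "b.txt": "b0", "c.txt": "c0", "d.txt": "d0"}
CHANGES = [{"a.txt": "a1"}, {"b.txt": "b2"}, {"a.txt": "a3"}, {"c.txt": "c4"}]


def take_backups(full_state: dict, daily_changes: list, strategy: str) -> list:
    """Day 0: full backup. Each later day: one backup of the chosen strategy.
    A differential holds everything changed since the full; an incremental holds
    only that day's changes. (One strategy per schedule, as in the exam scenario.)"""
    backups = [Backup(0, "full", dict(full_state))]
    since_full = {}
    for day, changed in enumerate(daily_changes, start=1):
        since_full.update(changed)
        if strategy == "differential":
            backups.append(Backup(day, "differential", dict(since_full)))
        elif strategy == "incremental":
            backups.append(Backup(day, "incremental", dict(changed)))
        else:
            raise ValueError("unknown strategy: " + strategy)
    return backups


def restore_chain(backups: list, target_day: int) -> list:
    """Sets needed to recover to `target_day`:
    differential -> last full + latest differential only;
    incremental  -> last full + every incremental after it, in order."""
    usable = [b for b in backups if b.day <= target_day]
    last_full = max(i for i, b in enumerate(usable) if b.kind == "full")
    later = usable[last_full + 1:]
    if not later:
        return [usable[last_full]]
    if later[-1].kind == "differential":
        return [usable[last_full], later[-1]]
    return [usable[last_full]] + later


def restore(backups: list, target_day: int) -> dict:
    """Apply the chain oldest to newest; later sets overwrite earlier file versions."""
    state = {}
    for b in restore_chain(backups, target_day):
        state.update(b.files)
    return state


def storage_used(backups: list) -> int:
    """Rough storage cost: total file copies held across all sets in the schedule."""
    return sum(len(b.files) for b in backups)


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        sets = take_backups(BASELINE, CHANGES, strategy)
        chain = restore_chain(sets, 4)
        print(strategy, "restore to day 4 needs", len(chain), "sets;",
              "storage =", storage_used(sets), "file copies")
```

Both strategies rebuild the same day-4 state; the differential schedule needs two sets to restore but stores more copies, the incremental one stores fewer copies but needs the full plus all four incrementals.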

Question 191:

Which type of attack involves intercepting and altering communications between two parties without their knowledge?

A. Man-in-the-Middle (MITM)
B. Phishing
C. SQL Injection
D. ARP Poisoning

Answer: A. Man-in-the-Middle (MITM)

Explanation:

Man-in-the-Middle (MITM): A MITM attack occurs when an attacker secretly intercepts and possibly alters communications between two parties who believe they are directly communicating with each other. CAS-005 emphasizes MITM as a critical threat to confidentiality and integrity in both wired and wireless networks. Attackers may employ techniques like ARP spoofing, DNS spoofing, HTTPS stripping, or rogue Wi-Fi hotspots to insert themselves into the communication path. MITM can compromise sensitive data such as login credentials, financial information, or session tokens, and may be used as a vector for additional attacks, including credential harvesting and malware delivery. Mitigation strategies highlighted in CAS-005 include end-to-end encryption using TLS/SSL, certificate validation, network segmentation, VPN deployment, intrusion detection systems, and user awareness regarding untrusted networks. Understanding MITM is essential for CAS-005 candidates because it illustrates the intersection of technical and administrative security controls, highlighting the need for encryption, secure authentication mechanisms, and monitoring to preserve the confidentiality and integrity of communications.

Phishing: Phishing exploits human behavior rather than network communications. Attackers deceive users into providing credentials or sensitive information through email, messaging, or social engineering. CAS-005 differentiates phishing from MITM because phishing relies on user action rather than intercepting existing communication channels. Preventive measures include user training, email filtering, and anti-phishing technologies.

SQL Injection: SQL injection targets database-driven applications by inserting malicious SQL commands into input fields to manipulate backend databases. CAS-005 notes that SQL injection is distinct from MITM because it attacks the application and database layer rather than network communications. Prevention involves input validation, parameterized queries, and secure database access management.

ARP Poisoning: ARP poisoning manipulates local network tables to associate the attacker’s MAC address with another host’s IP address. While ARP poisoning can be used to facilitate MITM attacks, CAS-005 clarifies that ARP poisoning alone does not constitute a full MITM attack. It is one method for enabling interception of LAN communications.

MITM attacks illustrate the necessity of layered defenses, including encryption, monitoring, endpoint security, and user awareness, all critical CAS-005 objectives.

Question 192:

Which type of authentication factor relies on something inherent to the user, such as fingerprints or retinal scans?

A. Knowledge factor
B. Possession factor
C. Inherence factor
D. Location factor

Answer: C. Inherence factor

Explanation:

Knowledge factor: Knowledge factors involve information the user knows, such as passwords, PINs, or security questions. CAS-005 emphasizes that knowledge factors are vulnerable to guessing, brute-force, or social engineering attacks. They are foundational for authentication but insufficient alone for strong security.

Possession factor: Possession factors require users to have a physical object, such as a smart card, security token, or mobile authenticator. While possession factors strengthen multi-factor authentication, they do not rely on inherent traits of the user and can be lost, stolen, or cloned.

Inherence factor: Inherence factors, also known as biometric authentication, rely on unique physiological or behavioral traits of users, including fingerprints, retinal patterns, facial recognition, voice, or gait. CAS-005 highlights the significance of inherence factors in multi-factor authentication (MFA) for high-security environments. Biometric systems prevent credential sharing and strengthen authentication by tying access directly to the individual. However, they introduce unique considerations, such as privacy concerns, template storage security, false acceptance rates (FAR), false rejection rates (FRR), and potential spoofing attacks. Implementing inherence factors requires careful system design, encryption of biometric data, secure transmission, and integration with overall identity management strategies. CAS-005 candidates must understand the benefits and limitations of biometrics, how they complement knowledge and possession factors, and how they align with the principle of least privilege and access control enforcement. Inherence factors are increasingly critical in enterprise security, mobile device management, and secure cloud access scenarios.

Location factor: Location factors validate user access based on physical location or network origin, such as geofencing, IP address, or GPS coordinates. CAS-005 emphasizes that location factors are contextual, not inherent, and primarily used to strengthen access decisions rather than serve as standalone authentication.

Inherence factors exemplify CAS-005 best practices for MFA, user accountability, and secure access policies.

Question 193:

Which type of malware encrypts user files and demands payment for decryption?

A. Ransomware
B. Spyware
C. Trojan
D. Rootkit

Answer: A. Ransomware

Explanation:

Ransomware: Ransomware is malicious software that encrypts user files or system data and demands a ransom payment for decryption keys. CAS-005 stresses ransomware as a top threat to organizational confidentiality, integrity, and availability. Ransomware often spreads via phishing emails, malicious downloads, or exploit kits. Organizations mitigate ransomware through regular backups, patch management, endpoint protection, network segmentation, user training, and incident response plans. CAS-005 candidates must understand encryption techniques used by ransomware, behavioral detection, ransomware containment strategies, and recovery planning to maintain business continuity and minimize operational disruption. Ransomware highlights the need for layered defenses, blending technical, administrative, and procedural controls.

Spyware: Spyware collects information from a system without the user’s consent, including browsing behavior, credentials, or system data. CAS-005 differentiates spyware from ransomware because spyware does not encrypt data or demand payment but poses confidentiality and privacy risks. Mitigation involves endpoint protection, user awareness, and privacy policies.

Trojan: Trojans disguise themselves as legitimate applications to deliver payloads. CAS-005 notes that some Trojans may act as a delivery mechanism for ransomware, keyloggers, or RATs, but not all Trojans perform encryption attacks. Detection requires malware scanning, endpoint monitoring, and secure software installation policies.

Rootkit: Rootkits hide malware and system modifications to maintain persistent unauthorized access. CAS-005 clarifies that while rootkits facilitate stealthy attacks, they do not encrypt user data or demand payment, unlike ransomware. Rootkit mitigation involves kernel-level monitoring, integrity checks, and secure boot processes.

Understanding ransomware aligns with CAS-005 objectives including malware analysis, incident response, disaster recovery, and layered security architecture.

Question 194:

Which protocol is used to securely transfer files over an encrypted SSH connection?

A. FTP
B. SFTP
C. HTTP
D. Telnet

Answer: B. SFTP

Explanation:

FTP: File Transfer Protocol (FTP) is an older protocol used to transfer files between systems. CAS-005 highlights that FTP is insecure because it transmits credentials and data in plaintext, exposing sensitive information to interception and MITM attacks. It is generally discouraged in modern enterprise environments.

SFTP: Secure File Transfer Protocol (SFTP) operates over SSH (Secure Shell) to provide encrypted file transfers, authentication, and data integrity. CAS-005 emphasizes that SFTP protects both credentials and transmitted data, making it suitable for secure enterprise file operations. SFTP ensures confidentiality using SSH encryption algorithms (AES, ChaCha20) and integrity through cryptographic checksums. It allows secure automation of backups, system configuration files, and cross-site data exchange. CAS-005 candidates must understand SFTP’s advantages over FTP, FTPS, and SCP, including secure authentication methods (password, public/private key pairs), auditing capabilities, and compliance alignment. Organizations implementing SFTP must manage SSH keys, rotate credentials, and monitor transfers for anomalies to prevent data leakage.

HTTP: Hypertext Transfer Protocol (HTTP) is unencrypted and unsuitable for secure file transfer. CAS-005 distinguishes between HTTP and HTTPS, noting that plain HTTP exposes credentials and sensitive data to eavesdropping and tampering.

Telnet: Telnet provides remote terminal access over plaintext connections. CAS-005 emphasizes that Telnet is insecure because it transmits all communication in cleartext, making it vulnerable to interception. SSH or SFTP should replace Telnet in secure environments.

SFTP is a critical CAS-005 concept for ensuring secure file transfer, data confidentiality, and operational integrity in enterprise networks.

Question 195:

Which disaster recovery site type is fully equipped and ready to operate immediately after a primary site failure?

A. Cold site
B. Warm site
C. Hot site
D. Snapshot site

Answer: C. Hot site

Explanation:

Cold site: Cold sites provide only the physical infrastructure, such as power and space. CAS-005 highlights that cold sites require additional setup, including installing hardware, restoring data, and configuring software, resulting in longer downtime. They are cost-effective but slow to resume operations.

Warm site: Warm sites include some infrastructure, pre-installed hardware, and partial data, but require additional configuration and data synchronization. CAS-005 emphasizes that warm sites reduce recovery time compared to cold sites but are slower than hot sites.

Hot site: Hot sites are fully equipped with hardware, software, network connectivity, and real-time data replication, ready for immediate operation. CAS-005 underscores that hot sites support high availability, rapid disaster recovery, and minimal downtime, which is critical for enterprises with low tolerance for service disruption. Organizations implementing hot sites must manage data replication, failover procedures, regular testing, and alignment with recovery objectives (RTO and RPO). Hot sites are an essential concept in CAS-005 for business continuity planning, demonstrating the integration of backup strategies, high availability systems, and operational resilience.

Snapshot site: Snapshot solutions capture the state of systems at a point in time, useful for quick restoration, but they are not full alternative sites. CAS-005 teaches that snapshots complement backups but do not provide full operational continuity like hot sites.

Understanding disaster recovery site types in CAS-005 helps candidates design resilient enterprise systems, ensure availability, and plan for efficient recovery during service disruptions.

Question 196:

Which type of access control model grants permissions based on the roles assigned to users within an organization?

A. Discretionary Access Control (DAC)
B. Role-Based Access Control (RBAC)
C. Mandatory Access Control (MAC)
D. Rule-Based Access Control

Answer: B. Role-Based Access Control (RBAC)

Explanation:

Discretionary Access Control (DAC): DAC is an access control model where resource owners have the discretion to assign permissions to other users. CAS-005 emphasizes that DAC is flexible but introduces risks because users may grant access to untrusted individuals, potentially exposing sensitive data. While DAC allows user autonomy, it can lead to inconsistent enforcement of organizational security policies and challenges in auditing. For enterprises, DAC alone may not provide sufficient safeguards for regulatory compliance or confidential information, which is why RBAC is often preferred in professional environments.

Role-Based Access Control (RBAC): RBAC assigns permissions based on predefined roles that correspond to job functions within an organization. CAS-005 highlights RBAC as essential for enforcing the principle of least privilege, reducing administrative overhead, and improving consistency in access management. Users inherit permissions through their role assignment, which simplifies auditing, compliance, and access review processes. RBAC integrates seamlessly with identity management solutions, MFA, and privileged access management systems. It supports separation of duties by allowing administrators to define complementary roles and prevent conflicts of interest. Implementing RBAC requires careful planning, role definition, periodic review, and monitoring to ensure that permissions reflect current responsibilities and align with security policies. CAS-005 candidates must understand RBAC’s role in minimizing insider threats, supporting confidentiality, integrity, and availability, and providing scalable access control mechanisms across cloud, on-premises, and hybrid environments.

Mandatory Access Control (MAC): MAC enforces strict access policies based on classifications and labels, such as Confidential, Secret, or Top Secret. CAS-005 teaches that MAC is highly secure but inflexible, and permissions are determined by system administrators rather than users. While MAC is effective in government or military environments, it may be impractical for dynamic enterprise settings, unlike RBAC, which scales efficiently with organizational changes.

Rule-Based Access Control: Rule-based access control applies conditions such as time, location, or network attributes to grant or deny access. CAS-005 emphasizes that rule-based controls enhance flexibility but are complementary to RBAC rather than a replacement. Rules may be applied to roles for finer-grained access management but do not independently manage organizational roles or job function alignment.

RBAC is foundational in CAS-005 objectives because it combines access efficiency, auditability, and security alignment with business needs.

Question 197:

Which type of attack exploits software vulnerabilities to execute arbitrary code on a target system?

A. Buffer Overflow
B. Man-in-the-Middle (MITM)
C. Phishing
D. Denial-of-Service (DoS)

Answer: A. Buffer Overflow

Explanation:

Buffer Overflow: A buffer overflow occurs when a program writes more data to a buffer than it can hold, overwriting adjacent memory. CAS-005 emphasizes buffer overflow as a critical threat to system integrity, allowing attackers to execute arbitrary code, escalate privileges, or crash applications. Common exploitation techniques include stack smashing, heap overflows, and format string vulnerabilities. Preventive measures involve secure coding practices, input validation, compiler protections (like stack canaries), ASLR (Address Space Layout Randomization), and DEP (Data Execution Prevention). Understanding buffer overflow is crucial for CAS-005 candidates because it highlights the intersection of software security, system architecture, and vulnerability management. Buffer overflow exploits compromise integrity and can result in complete system takeover if not mitigated.

Man-in-the-Middle (MITM): MITM attacks intercept and possibly alter communications between parties. While MITM affects confidentiality and integrity, it is network-focused rather than exploiting software buffer vulnerabilities. CAS-005 differentiates MITM from buffer overflow to ensure candidates recognize attack vectors and mitigation strategies specific to code-level vulnerabilities versus network-based threats.

Phishing: Phishing manipulates human behavior to steal credentials or sensitive information. CAS-005 notes that phishing targets the human layer of security, not software vulnerabilities. Awareness training, email filters, and MFA mitigate phishing but do not address buffer overflow risks.

Denial-of-Service (DoS): DoS attacks overwhelm system resources to disrupt availability. CAS-005 teaches that DoS differs from buffer overflow because it may not execute arbitrary code; it targets resource exhaustion rather than program memory vulnerabilities.

Buffer overflow remains a cornerstone of CAS-005 for understanding secure software development, vulnerability management, and the importance of layered defenses.

Question 198:

Which type of social engineering attack impersonates a trusted entity to trick users into revealing credentials?

A. Phishing
B. Baiting
C. Tailgating
D. Shoulder Surfing

Answer: A. Phishing

Explanation:

Phishing: Phishing attacks deceive users into providing sensitive information by masquerading as a trusted source, such as a bank, company, or colleague. CAS-005 emphasizes phishing as a critical vector for credential theft, ransomware deployment, and data breaches. Attack vectors include email, SMS (smishing), and social media. Phishing may involve malicious links, attachments, or forms requesting login information. Mitigation strategies include user awareness training, anti-phishing software, DMARC/SPF/DKIM email authentication, and MFA. CAS-005 candidates must recognize the psychological manipulation in phishing and the importance of integrating technical, administrative, and procedural defenses. Phishing is often a precursor to advanced attacks such as ransomware, MITM, or account takeover, highlighting the need for a proactive security culture and layered defense strategies.

Baiting: Baiting involves leaving physical media, like USB drives, to lure victims into executing malware. CAS-005 differentiates baiting as targeting curiosity, not impersonation, although both attacks exploit human behavior.

Tailgating: Tailgating is a physical security attack where an unauthorized individual gains entry by following an authorized person. CAS-005 notes that tailgating compromises physical access controls, not digital credentials.

Shoulder Surfing: Shoulder surfing involves observing users’ input (PINs, passwords) in person. CAS-005 teaches that shoulder surfing targets the observation of behavior, not impersonation, and requires physical mitigation like privacy screens or controlled access areas.

Phishing is a primary concern in CAS-005 because it bridges technical and human layers of security, emphasizing defense-in-depth.

Question 199:

Which protocol provides secure email encryption and signing for confidentiality, integrity, and non-repudiation?

A. S/MIME
B. SMTP
C. POP3
D. IMAP

Answer: A. S/MIME

Explanation:

S/MIME: Secure/Multipurpose Internet Mail Extensions (S/MIME) provides public key encryption and digital signing for email, ensuring confidentiality, integrity, and non-repudiation. CAS-005 teaches that S/MIME secures both the content and sender identity, protecting against interception, tampering, and impersonation. Proper implementation requires certificate management, key distribution, and integration with email clients. S/MIME aligns with the CIA triad, ensuring encrypted email transmission, validated sender identity through digital signatures, and compliance with security policies. Candidates must understand S/MIME configuration, trust hierarchies, and interaction with enterprise PKI systems to maintain secure communication.

SMTP: Simple Mail Transfer Protocol (SMTP) is a delivery protocol for email but does not provide encryption or authentication by default. CAS-005 emphasizes that SMTP alone is insecure without extensions like STARTTLS.

POP3: Post Office Protocol version 3 retrieves email from a server but lacks built-in encryption or signing. CAS-005 distinguishes POP3 from S/MIME so that candidates apply secure retrieval and storage practices alongside message-level protection.

IMAP: Internet Message Access Protocol allows email access and synchronization across devices but does not inherently provide encryption or integrity. CAS-005 teaches that S/MIME complements IMAP for secure enterprise messaging.

S/MIME is crucial in CAS-005 for email security, cryptographic application, and protecting sensitive communications.

Question 200:

Which backup strategy captures only data that has changed since the last full backup, reducing storage requirements but requiring multiple steps for recovery?

A. Full Backup
B. Differential Backup
C. Incremental Backup
D. Snapshot Backup

Answer: C. Incremental Backup

Explanation:

Full Backup: A full backup copies all selected data each time. CAS-005 notes that while recovery is simple, storage and time requirements are high.

Differential Backup: Differential backups copy all changes since the last full backup, providing faster recovery than incremental backups but growing larger over time. CAS-005 emphasizes the trade-off between speed and storage.

Incremental Backup: Incremental backups capture only the changes made since the last backup of any type. CAS-005 teaches that incremental backups minimize storage and backup windows but require a chain of backups (the full backup plus every subsequent incremental) for restoration. Proper scheduling, integrity checks, encryption, and offsite storage are critical to prevent data loss. Incremental backups are integral to disaster recovery planning, aligning with RTO and RPO objectives. CAS-005 candidates must understand the operational benefits, challenges, and implementation strategies for incremental backups, including software selection, automation, monitoring, and test restoration to ensure business continuity.

Snapshot Backup: Snapshots capture a point-in-time state of a system, useful for rapid rollback, but may not provide comprehensive long-term archival solutions. CAS-005 highlights snapshots as complementary to traditional backup strategies rather than standalone solutions.

Incremental backups exemplify CAS-005 principles of efficiency, disaster recovery, and layered data protection.
