CompTIA Updated CAS-005 Exam Questions and Answers by orin

The best answer is C. OWIN29 ' s EDR has an unknown vulnerability that was exploited by the attacker . The decisive clue is that OWIN29 had EDR status: Enabled (bypass) in both reports and changed from Clean to Infected after five days. That strongly indicates the endpoint protection on that host was being bypassed, allowing compromise despite the agent being present. In SecurityX terms, this fits the theme of resilience against advanced threats and the possibility that a defensive tool can be circumvented or affected by a zero-day or other unknown weakness. CompTIA’s SecurityX certification emphasizes designing and operating secure solutions that remain resilient in the face of modern threats.

Why the other options are less likely:

A is not supported because OWIN23 remained Clean . B is speculative; LN002 stayed Unknown , but there is no evidence it propagated malware to OWIN29. D is also unsupported because MAC005 was Clean even after its EDR became disabled. The only host with a direct clue pointing to failed protection and subsequent infection is OWIN29 , making the EDR bypass or exploitation on that host the most likely cause.

The beststrategy for securely managing cryptographic material is to use a Hardware Security Module (HSM). Here’s why:

Security and Integrity: HSMs are specialized hardware devices designed to protect and manage digital keys. They provide high levels of physical and logical security, ensuring that cryptographic material is well protected against tampering and unauthorized access.

Centralized Key Management: Using HSMs allows for centralized management of cryptographic keys, reducing the risks associated with decentralized and potentially insecure key storage practices, such as on personal laptops.

Compliance and Best Practices: HSMs comply with various industry standards and regulations (such as FIPS 140-2) for secure key management. This ensures that the organization adheres to best practices and meets compliance requirements.

Understanding the Security Event:

Unauthorized usersgained access from non-production to production.

IAM policies were weak, allowingbulk user creation.

Vulnerability assessments were disabled, andpatching was delayed.

Logs were unavailable, making incident response difficult.

Why Options A, D, and E areCorrect:

A (Disable bulk user creation by IAM team)→ Prevents unauthorized mass user account creation, which could beexploited by attackers.

D (Routine updates for endpoints & network devices)→ Patch management ensuresvulnerabilities are not left open for attackers.

E (Ensure all security/network devices send logs to SIEM)→ Helps withreal-time monitoring and detection of unauthorized activities.

Why Other Options Are Incorrect:

B (180-day log retention)→ While log retention is good,real-time monitoring is the priority.

C (Review application allow list daily)→ Reviewing itdaily is impractical. Regular audits are better.

F (Restrict production-to-non-production traffic)→ The issue isunauthorized access, not traffic routing.

The best approach for managing and monitoring IoT devices, such as thermostats, is to operate them on a separate network with no access to other internal devices. This segmentation ensures that the IoT devices are isolated from the main network, reducing the risk of potential security breaches affecting other critical systems. Additionally, this setup allows for secure vendor updates without exposing the broader network to potential vulnerabilities inherent in IoT devices.