CompTIA Updated CAS-005 Exam Questions and Answers by fearne

The best way to mitigate the ability of attackers or penetration testers to execute arbitrary payloads is to enforce application controls with allow lists (B). Application allow listing ensures that only pre-approved, trusted software and scripts can be executed on the system. This prevents attackers from dropping or running malicious binaries, even if they exploit vulnerabilities to gain access. CAS-005 emphasizes allow listing as a preventive control against post-exploitation persistence and lateral movement.

Option A (ASLR) randomizes memory addresses and helps mitigate buffer overflow exploits but does not directly prevent execution of unauthorized programs. Option C (OS restrictions of globally writable folders) improves security hygiene but still does not stop attackers from executing already placed payloads in non-restricted locations. Option D (EDR signatures) are reactive and limited, since attackers often use novel or obfuscated payloads not yet captured by signature databases.

Therefore, implementing application controls with allow lists provides the strongest defense against unauthorized payload execution in this context.

Dynamic Application Security Testing (DAST) is crucial for identifying and addressing security vulnerabilities during the software development life cycle (SDLC). Ensuring that DAST scans are routinely scheduled helps in maintaining a secure development process.

Why Routine DAST Scans?

Continuous Security Assessment: Regular DAST scans help in identifying vulnerabilities in real-time, ensuring they are addressed promptly.

Compliance: Routine scans ensure that the development process complies with security standards and regulations.

Proactive Threat Mitigation: Regular scans help in early detection and mitigation of potential security threats, reducing the risk of breaches.

Integration into SDLC: Ensures security is embedded within the development process, promoting a security-first approach.

Other options, while relevant, do not directly address the continuous assessment and proactive identification of threats:

A. If developers are unable to promote to production: This is more of an operational issue than a security assessment.

B. If DAST code is being stored to a single code repository: This concerns code management rather than security testing frequency.

D. If role-based training is deployed: While important, training alone does not ensure continuous security assessment.

Integrating IDS, firewall, and DLP to reduce response time requires orchestration and automation. Let’s evaluate:

A. SOAR(Security Orchestration, Automation, and Response):SOAR integrates security tools, automates workflows, and speeds up incident response. It’s the best fit for this scenario, as CAS-005 highlights SOAR for operational efficiency.

B. CWPP (CloudWorkload Protection Platform):Focused on securing cloud workloads, not integrating on-premises tools.

C. XCCDF (Extensible Configuration Checklist Description Format):A standard for compliance checklists, not a tool for integration or response.

The sshd_config file is the main configuration file for the OpenSSH server. To disable weak CBC (Cipher Block Chaining) ciphers for SSH connections, the security engineer should modify the sshd_config file to update the list of allowed ciphers. This file typically contains settings for the SSH daemon, including which encryption algorithms are allowed.

By editing the /etc/ssh/sshd_config file and updating the Ciphers directive, weak ciphers can be removed, and only strong ciphers can be allowed. This change ensures that the SSH server does not use insecure encryption methods.