CAS-005 Exam Dumps - CompTIA SecurityX Certification Exam

Searching for workable clues to ace the CompTIA CAS-005 Exam? You’re on the right place! ExamCert has realistic, trusted and authentic exam prep tools to help you achieve your desired credential. ExamCert’s CAS-005 PDF Study Guide, Testing Engine and Exam Dumps follow a reliable exam preparation strategy, providing you the most relevant and updated study material that is crafted in an easy to learn format of questions and answers. ExamCert’s study tools aim at simplifying all complex and confusing concepts of the exam and introduce you to the real exam scenario and practice it with the help of its testing engine and real exam dumps

Go to page:

<< First
Prev
2
3
4
5
6
7
8
9
10
11
Next
Last >>

Question # 49

An organization mat performs real-time financial processing is implementing a new backup solution Given the following business requirements?

* The backup solution must reduce the risk for potential backup compromise

* The backup solution must be resilient to a ransomware attack.

* The time to restore from backups is less important than the backup data integrity

* Multiple copies of production data must be maintained

Which of the following backup strategies best meets these requirement?

Creating a secondary, immutable storage array and updating it with live data on a continuous basis

Utilizing two connected storage arrays and ensuring the arrays constantly sync

Enabling remote journaling on the databases to ensure real-time transactions are mirrored

Setting up antitempering on the databases to ensure data cannot be changed unintentionally

Full Access

Question # 50

An engineering team determines the cost to mitigate certain risks is higher than the asset values The team must ensure the risks are prioritized appropriately. Which of the following is the best way to address the issue?

Data labeling

Branch protection

Vulnerability assessments

Purchasing insurance

Full Access

Question # 51

You are tasked with integrating a new B2B client application with an existing OAuth workflow that must meet the following requirements:

. The application does not need to know the users' credentials.

. An approval interaction between the users and theHTTP service must be orchestrated.

. The application must have limited access to users' data.

INSTRUCTIONS

Use the drop-down menus to select the action items for the appropriate locations. All placeholders must be filled.

Full Access

Answer:

Explanation:

Select the Action Items for the Appropriate Locations:

Authorization Server:

Action Item: Grant access

The authorization server's role is to authenticate the user and then issue an authorization code or token that the client application can use to access resources. Granting access involves the server authenticating the resource owner and providing the necessary tokens for the client application.

Resource Server:

Action Item: Access issued tokens

The resource server is responsible for serving the resources requested by the client application. It must verify the issued tokens from the authorization server to ensure the client has the right permissions to access the requested data.

B2B Client Application:

Action Item: Authorize access to other applications

The B2B client application must handle the OAuth flow to authorize access on behalf of the user without requiring direct knowledge of the user's credentials. This includes obtaining authorization tokens from the authorization server and using them to request access to the resource server.

Detailed Explanation:

OAuth 2.0 is designed to provide specific authorization flows for web applications, desktopapplications, mobile phones, and living room devices. The integration involves multiple steps and components, including:

Resource Owner (User):

The user owns the data and resources that are being accessed.

Client Application (B2B Client Application):

Requests access to the resources controlled by the resource owner but does not directly handle the user's credentials. Instead, it uses tokens obtained through the OAuth flow.

Authorization Server:

Handles the authentication of the resource owner and issues the access tokens to the client application upon successful authentication.

Resource Server:

Hosts the resources that the client application wants to access. It verifies the access tokens issued by the authorization server before granting access to the resources.

OAuth Workflow:

The resource owner accesses the client application.

The client application redirects the resource owner to the authorization server for authentication.

The authorization server authenticates the resource owner and asks for consent to grant access to the client application.

Upon consent, the authorization server issues an authorization code or token to the client application.

The client application uses the authorization code or token to request access to the resources from the resource server.

The resource server verifies the token with the authorization server and, if valid, grants access to the requested resources.

[References:, CompTIA Security+ Study Guide: Provides comprehensive information on various authentication and authorization protocols, including OAuth., OAuth 2.0 Authorization Framework (RFC 6749): The official documentation detailing the OAuth 2.0 framework, its flows, and components., OAuth 2.0 Simplified: A book by Aaron Parecki that provides a detailed yet easy-to-understand explanation of the OAuth 2.0 protocol., By ensuring that each component in the OAuth workflow performs its designated role, the B2B client application can securely access the necessary resources without compromising user credentials, adhering to the principle of least privilege., , , , , , ]

Question # 52

Operational technology often relies upon aging command, control, and telemetry subsystems that were created with the design assumption of:

operating in an isolated/disconnected system.

communicating over distributed environments

untrustworthy users and systems being present.

an available EtherneVIP network stack for flexibility.

anticipated eavesdropping from malicious actors.

Full Access

Answer:

Explanation:

Step by Step Explanation:

Understanding the Scenario: The question focuses on the historical design assumptions behind older operational technology (OT)systems, particularly in the context of command, control, and telemetry.

Analyzing the Answer Choices:

A. operating in an isolated/disconnected system: This is the most accurate assumption for many legacy OT systems. Historically, these systems weredesigned to operate in air-gapped environments, completely isolated from external networks (including the internet).

[Reference: This aligns with the historical evolution of OT security. Initially, security was based on physical isolation rather than network security controls. This is a common topic in CASP+ discussions on OT security challenges., B. communicating over distributed environments: While OT systems can be distributed, the core design assumption, especially for older systems, wasn't centered around interconnectivity in the way modern IT systems are., C. untrustworthy users and systems being present: This is a more modern security principle (Zero Trust). Older OT systems often operated under a model of implicit trust within their isolated environment., D. an available EtherneVIP network stack for flexibility: Ethernet/IP is a relatively newer industrial protocol. Older OT systems often used proprietary or less flexible communication protocols. Also, there is no such thing as EtherneVIP., E. anticipated eavesdropping from malicious actors: While security was a concern, the primary threat model for older, isolated OT systems didn't heavily emphasize external malicious actors due to the assumed isolation., Why A is the Correct Answer:, Air Gap: The concept of an air gap (physical isolation) was the cornerstone of security for many legacy OT systems. These systems were not connected to the internet or corporate networks, making them less susceptible to remote attacks., Legacy Protocols: Older OT systems often used proprietary or serial communication protocols, not designed for internet connectivity., Implicit Trust: Within the isolated environment, there was often an assumption of trust among the connected components., CASP+ Relevance: The challenges of securing legacy OT systems, especially in the face of increasing connectivity, are a key area of focus in CASP+. Understanding the historical context and the shift in security paradigms is crucial., Modern OT Security Considerations (Elaboration):, Convergence: Today, the lines between IT and OT are blurring. OT systems are increasingly connected to corporate networks and the internet, necessitating a shift from isolation-based security to a more comprehensive approach., Threat Landscape: Modern OT systems face a wider range of threats, including targeted attacks from sophisticated actors., Security Controls: Modern OT security involves implementing network segmentation, intrusion detection, access controls, and other measures to protect against these evolving threats., In conclusion, the primary design assumption for many older OT systems was that they would operate in isolated or disconnected environments. This historical context is important for understanding the security challenges faced by organizations today as they integrate these legacy systems into modern, connected environments. This is a core concept discussed in CASP+ in the context of OT security and risk management., =================, , , , ]

Question # 53

A systems engineer is configuring SSO for a business that will be using SaaS applications for its remote-only workforce. Privileged actions in SaaS applications must be allowed only from corporate mobile devices that meet minimum security requirements, but BYOD must also be permitted for other activity. Which of the following would best meet this objective?

Block any connections from outside the business's network security boundary.

Install machine certificates on corporate devices and perform checks against the clients.

Configure device attestations and continuous authorization controls.

Deploy application protection policies using a corporate, cloud-based MDM solution.

Full Access

Question # 54

An organization must provide access to its internal system data. The organization requires that this access complies with the following:

Access must be automated.

Data confidentiality must be preserved.

Access must be authenticated.

Data must be preprocessed before it is retrieved.

Which of the following actions should the organization take to meet these requirements?

Configure a reverse proxy to protect the data.

Implement an on-demand VPN connection.

Deploy an API gateway protected with access tokens.

Continually publish all relevant data to a CDN.

Full Access

Question # 55

A compliance officer is reviewing the data sovereignty laws in several countries where the organization has no presence Which of the following is the most likely reason for reviewing these laws?

The organization is performing due diligence of potential tax issues.

The organization has been subject to legal proceedings in countries where it has a presence.

The organization is concerned with new regulatory enforcement in other countries

The organization has suffered brand reputation damage from incorrect media coverage

Full Access