Pass the CompTIA CompTIA CASP CAS-005 Questions and answers with CertsForce

The most likely cause of the anti-malware alerts on customer workstations is unsecure bundled libraries. When developing and deploying new applications, it is common for developers to use third-party libraries. If these libraries are not properly vetted for security, they can introduce vulnerabilities or malicious code.

Why Unsecure Bundled Libraries?

Third-Party Risks: Using libraries that are not secure can lead to malware infections if the libraries contain malicious code or vulnerabilities.

Code Dependencies: Libraries may have dependencies that are not secure, leading to potential security risks.

Common Issue: This is a frequent issue in software development where libraries are used for convenience but not properly vetted for security.

Other options, while relevant, are less likely to cause widespread anti-malware alerts:

A. Misconfigured code commit: Could lead to issues but less likely to trigger anti-malware alerts.

C. Invalid code signing certificate: Would lead to trust issues but not typically anti-malware alerts.

D. Data leakage: Relevant for privacy concerns but not directly related to anti-malware alerts.

The best way to mitigate the ability of attackers or penetration testers to execute arbitrary payloads is to enforce application controls with allow lists (B). Application allow listing ensures that only pre-approved, trusted software and scripts can be executed on the system. This prevents attackers from dropping or running malicious binaries, even if they exploit vulnerabilities to gain access. CAS-005 emphasizes allow listing as a preventive control against post-exploitation persistence and lateral movement.

Option A (ASLR) randomizes memory addresses and helps mitigate buffer overflow exploits but does not directly prevent execution of unauthorized programs. Option C (OS restrictions of globally writable folders) improves security hygiene but still does not stop attackers from executing already placed payloads in non-restricted locations. Option D (EDR signatures) are reactive and limited, since attackers often use novel or obfuscated payloads not yet captured by signature databases.

Therefore, implementing application controls with allow lists provides the strongest defense against unauthorized payload execution in this context.

Model poisoning occurs when an attacker manipulates the training data or the training process of an AI model so that its predictions are deliberately inaccurate or biased. In the SecurityX CAS-005 objectives, this is part of understanding emerging technology threats, specifically AI/ML vulnerabilities. This differs from:

Social engineering, which manipulates humans rather than AI models.

Output handling, which deals with how outputs are processed but doesn’t cause inaccuracy at the model level.

Prompt injections, which manipulate the model at query time, not during training.Because model poisoning directly corrupts the AI model itself, it is the clearest reason AI outputs could be inaccurate.

Reviewing data sovereignty laws in countries where the organization has no presence is likely due to concerns about regulatory enforcement. Data sovereignty laws dictate how data can be stored, processed, and transferred across borders. Understanding these laws is crucial for compliance, especially if the organization handles data that may be subject to foreign regulations.

A. The organization is performing due diligence of potential tax issues: This is less likely as tax issues are generally not directly related to data sovereignty laws.

B. The organization has been subject to legal proceedings in countries where it has a presence: While possible, this does not explain the focus on countries where the organization has no presence.

C. The organization is concerned with new regulatory enforcement in other countries: This is the most likely reason. New regulations could impact the organization’s operations, especially if they involve data transfers or processing data from these countries.

D. The organization has suffered brand reputation damage from incorrect media coverage: This is less relevant to the need for reviewing data sovereignty laws.

The best way to reduce liability and secure customer environments is to require that all employee-owned laptops have a corporate-licensed and managed Endpoint Detection and Response (EDR) solution installed. This ensures that devices accessing sensitive customer infrastructure are monitored for malware, unauthorized processes, and suspicious behaviors. EDR provides visibility into endpoint security posture and enforces corporate security baselines, which unmanaged personal devices typically lack.

Option A (MDM with attestation) works well for corporate-owned devices but is difficult to enforce reliably across personally owned laptops. Option C (VPN with certificate authentication) ensures encrypted access but does not validate whether the device is secure. Option D (host checking to jump boxes) reduces exposure but still allows unmanaged endpoints to connect indirectly.

CAS-005 emphasizes endpoint controls and assurance mechanisms for environments with third-party or bring-your-own-device (BYOD) risk. Deploying managed EDR ensures visibility, consistent policies, and rapid response across all devices, making this the most secure and practical option.

The output indicates that the software tool contains hard-coded credentials, which attackers can exploit to bypass user access controls and load the database. The mostlikely recommendation is to remove hard-coded credentials from the source code. Here’s why:

Security Best Practices: Hard-coded credentials are a significant security risk because they can be easily discovered through reverse engineering or simple inspection of the code. Removing them reduces the risk of unauthorized access.

Credential Management: Credentials should be managed securely using environment variables, secure vaults, or configuration management tools that provide encryption and access controls.

Mitigation of Exploits: By eliminating hard-coded credentials, the organization can prevent attackers from easily bypassing authentication mechanisms and gaining unauthorized access to sensitive systems.

The goal is to optimize bandwidth, increase speed, and maintain threat visibility in a low-bandwidth satellite office.Local cachingstores frequently accessed data locally, reducing bandwidth usage by minimizing repeated requests to external or internal resources. It speeds up access and doesn’t inherently reduce security visibility if paired with monitoring tools.

Option A:Distributed connection allocation might balance traffic but doesn’t directly reduce bandwidth usage or speed up access.

Option B:Local caching is ideal—reduces bandwidth, improves performance, and maintains visibility with proper security controls.

Option C:A CDN is great for external content delivery but less relevant for internal resources and doesn’t inherently address threat visibility.

Option D:SD-WAN improves WAN performance, but "vertical heterogeneity" is vague and not a standard term; it’s less tailored to this scenario than caching.

Adversary emulation simulates specific advanced persistent threat (APT) behaviors and techniques to test an organization’s security posture. In SecurityX CAS-005, this is part of red-teaming and purple-teaming strategies for realistic resilience testing.

Reliability factors (B) relate to operational uptime, not threat simulation.

Honeypots (C) attract attackers but do not directly emulate specific adversaries.

Internal reconnaissance (D) is one phase of an attack simulation, not the full emulation of advanced threat actors.

SecurityX CAS-005 endpoint security and network control objectives emphasize least privilege network access.

Creating a firewall rule to allow outbound traffic only via a proxy (A) ensures centralized inspection and control.

Configuring the proxy to allow only the required FQDNs for EDR management communication (C) limits exposure to necessary destinations.Options D and E allow broader access than necessary, and B would block required communications entirely. F relies on blocklists instead of allowlists, which is less secure for high-assurance environments.