Pass the CompTIA CompTIA CASP CAS-005 Questions and answers with CertsForce

The best solution to reduce the likelihood of firmware-level attacks and rootkits is to implement measured boot. Measured boot is a hardware-assisted security mechanism that leverages Trusted Platform Module (TPM) and Secure Boot processes. It records cryptographic measurements of each stage of the boot process—from firmware to operating system loaders—and stores them in the TPM. Security software, such as attestation services, can then verify that the system booted into a known, trusted state. If firmware or boot-level code has been tampered with, the measurements will not match expected values, alerting administrators to compromise.

Option A (software integrity checks) validates application-level integrity but does not address firmware rootkits that load before the operating system. Option B (self-encrypting drives) protects data at rest but does not prevent rootkits. Option D (host-based encryption) ensures confidentiality but does not detect or mitigate firmware-level persistence.

Measured boot specifically targets low-level tampering, making it the most relevant control to defend against rootkits and firmware exploits.

10.1.45.65 SFTP ServerDisable 8080

10.1.45.66 Email Server Disable 415 and 443

10.1.45.67 Web Server Disable 21, 80

10.1.45.68 UTM Appliance Disable 21

The event timeline indicates a sequence where a file (hr-reporting.docx) was saved, scanned, executed, and eventually found to contain malware. The critical issue here is that the malware scan completed after the file was already executed. This suggests a Time-Of-Check to Time-Of-Use (TOCTOU) vulnerability, where the state of the file changed between the time it was checked and the time it was used.

For a disaster recovery (DR) plan requiring immediate data availability, the first step is understanding what needs to be protected and recovered. Identifying critical business processes and their associated software and hardware requirements establishes the foundation for the DR plan. This ensures that backups and recovery mechanisms align with business priorities, meeting the " moment ' s notice " requirement.

Option A:A change management plan is important for system consistency but doesn’t directly address immediate data availability in a DR context.

Option B:Hiring staff supports execution but doesn’t define what needs to be recovered or how. It’s a later step.

Option C:A warm site (a partially operational backup site) is a good DR solution, but designing it comes after identifying critical processes and resources.

Option D:This is the first step in any DR planning process—knowing what’s critical ensures the plan meets availability goals efficiently.

The reported issues suggest problems related to network connectivity, remote access, and certificate management:

A. Review VPN throughput: Connectivity issues and the inability to download applications while working remotely may be due to VPN bandwidth or performance issues. Reviewing and optimizing VPN throughput can help resolve these problems by ensuring that remote users have adequate bandwidth for accessing corporate resources.

F. Validate MDM asset compliance: Mobile Device Management (MDM) systems ensure that mobile endpoints comply with corporate security policies. Validating MDM compliance can help address issues related to the inability to download applications and certificate errors, as non-compliant devices might be blocked from accessing certain resources.

B. Check IPS rules: While important for security, IPS rules are less likely to directly address the connectivity and certificate issues described.

C. Restore static content on the CDN: This action is related to content delivery but does not address VPN or certificate-related issues.

D. Enable secure authentication using NAC: Network Access Control (NAC) enhances security but does not directly address the specific issues described.

E. Implement advanced WAF rules: Web Application Firewalls protect web applications but do not address VPN throughput or mobile device compliance.

Understanding the Ransomware Issue:

The key issue here is thatbackups were not recoverable within the required RPO timeframe.

This means the organizationdid not properly testitsbackup and disaster recovery (DR) processes.

To prevent this from happening again, regular disaster recovery testing is essential.

Why Option C is Correct:

Disaster recovery testing ensures that backups are functionaland can meetbusiness continuity needs.

Frequent DR testingallows organizations to identify and fixgaps in recovery strategies.

Regular testing ensuresthat recoverymeets the RPO & RTO (Recovery Time Objective) requirements.

Why Other Options Are Incorrect:

A (Encrypt & label backup tapes):While encryption is important, it does not address thefailure to meet RPO requirements.

B (Reverting to manual business processes):While amanual continuity planis good for resilience, it doesnot resolve the backup and recovery failure.

D (Tabletop exercise & RACI matrix):Atabletop exerciseis a planning activity, butit does not involve actual recovery testing.