CAS-005 Exam Dumps - CompTIA CASP Questions and Answers

The best answer is C. Correlating based on source field in batches of time . To identify trends in SIEM data, the analyst should group related events over a time window and correlate them around a common field. In this excerpt, user1 appears repeatedly across multiple alert types, including unusual authentication, access to sensitive resources, and elevated risk score. That pattern is exactly the sort of repeated behavior that becomes visible when events are correlated by source over time. CompTIA’s official SecurityX objectives in the Security Operations domain include “Data analysis: indicators of malicious activity, trend analysis, statistics, and deduplication/correlation.” That objective language directly supports this answer.

Why the other options are not best:

A narrows only one rule window and does not systematically identify trends across multiple event types. B may reduce volume, but reduction alone does not reveal trends. D is risky because noisy rules might still provide useful context, and disabling them based only on total daily alerts can hide meaningful multi-event patterns. The practical, operational ap proach is to correlate records by a shared field such as source/user across time batches so repeated suspicious behavior stands out.

SecurityX CAS-005 endpoint security and network control objectives emphasize least privilege network access.

Creating a firewall rule to allow outbound traffic only via a proxy (A) ensures centralized inspection and control.

Configuring the proxy to allow only the required FQDNs for EDR management communication (C) limits exposure to necessary destinations.Options D and E allow broader access than necessary, and B would block required communications entirely. F relies on blocklists instead of allowlists, which is less secure for high-assurance environments.

In a Discretionary Access Control (DAC) model, the data owner or an assigned stakeholder has the authority to determine who can access resources. SecurityX CAS-005 IAM objectives describe DAC as user- or owner-controlled, where permissions can be granted or revoked at the owner’s discretion.

In this scenario, because permissions from the legacy system could not be migrated, multiple stakeholders were made responsible for assigning and managing access—matching the DAC model’s characteristics.

Option A relates to outsourcing, which does not define an access control model.

Option C is about authentication limitations, unrelated to the choice of DAC.

Option D describes backup responsibilities, which are operational tasks, not access control.

Step by Step Explanation:

Understanding the Scenario: Theorganization is using customer-managed encryption keys in the cloud, which is more expensive than using the cloud provider ' s free managed keys. The CISO needs to find a way to reduce costs without significantly weakening the security posture.

Analyzing the Answer Choices:

A. Utilize an on-premises HSM to locally manage keys: While on-premises HSMs offer strong security, they introduce additional costs and complexity (procurement, maintenance, etc.). This option is unlikely to reduce costs compared to cloud-based key management.

B. Adjust the configuration for cloud provider keys on data that is classified as public: This is the most practical and cost-effective approach. Data classified as public doesn ' t require the same level of protection as sensitive data. Using the cloud provider ' s free managed keys for public data can significantly reduce costs without compromising security, as the data is intended to be publicly accessible anyway.

Understanding the Security Event:

Administrator accounts are highly privilegedand require strict monitoring.

Server 4 shows failed login attempts for the administrator account.This could indicate abrute-force attack or unauthorized access attempt.

The fact thatnone of the admin login attempts were successfulsuggestssomeone was trying to guess the credentials.

Why Option D isCorrect:

Failed logins for administrator accounts are a critical security concern.

If an attacker gains access, they couldescalate privileges and compromise the network.

Investigatingunauthorized admin login attemptsshould be thetop priorityin a log audit.

Why Other Options Are Incorrect:

A (Endpoint not submitting logs):While this is concerning, it does not indicate anactive attack.

B (Lateral movement):There ' s no evidence of a compromised account moving between servers yet.

C (Misconfigured syslog server):False negatives are a possibility, but thefailed admin loginsare real.

To mitigate the issue of excessive permissions and privilege creep, the best solutions are:

Implementing a Role-Based Access Policy:

Role-Based Access Control (RBAC): This policy ensures that access permissions are granted based on the user ' s role within the organization, aligning with the principle of least privilege. Users are only granted access necessary for their role, reducing the risk of excessive permissions.

Enriching data to compare domains requires actionable visibility. Let’s analyze:

A. Cron job:Automates updates but doesn’t analyze in the SIEM.

B. Parser:Processes logs but doesn’t provide comparison insights.

C. Filter query:Excludes matches, opposite of enrichment.

To design resilience in an enterprise system that can survive environmental catastrophes, recover within 24 hours, and be resilient to active exploitation, the best strategy is to allocate fully redundant and geographically distributed standby sites. Here’s why:

Geographical Redundancy: Having geographically distributed standby sites ensures that if one site is affected by an environmental catastrophe, the other sites can take over, providing continuity of operations.

Full Redundancy: Fully redundant sites mean that all critical systems and data are replicated, enabling quick recovery in the event of a critical loss of availability.

Resilience to Exploitation: Distributing resources across multiple sites reduces the risk of a single point of failure and increases resilience against targeted attacks.

The best answer is C. Enabling network segmentation controls . The most obvious security weakness shown in the configuration is the interface address 10.12.14.1/8 , which places the device in an extremely broad network range instead of a tightly bounded segment. From a SecurityX perspective, the strongest improvement is to reduce unnecessary trust exposure by applying segmentation and tighter network boundaries. CompTIA’s official SecurityX objectives explicitly call out “Network architecture: segmentation, microsegmentation, virtual local area networks (VLANs), virtual routing and forwarding (VRF), software-defined networking (SDN)” and also emphasize “Security boundaries: secure zones, access control lists (ACLs), virtual private network (VPN)” under Security Architecture.

Why the other options are not the best choice:

A may improve cryptographic strength, but the configuration already shows SSH and HTTPS , so encrypted management access is already present. B is not the best answer because no unencrypted terminal service such as Telnet is shown in the configuration. D is generally useful operationally, but automatic patching and rebooting is not the main architectural weakness indicated by the config excerpt. The clearest risk visible in the router snippet is inadequate network scoping and boundary control, which points to segmentation as the best improvement.