CompTIA CAS-005 Exam Questions

Comprehensive and Detailed

The hijacked administrator account was used across multiple ASNs (indicating different network locations) in a short time, despite MFA and SSO. This suggests a stolen session or token misuse. Let's analyze:

A . Token theft detection with lockouts:Useful for detecting stolen SSO tokens, but it's reactive and may not prevent initial misuse across networks.

B . Context-based authentication:This adds real-time checks (e.g., geolocation, IP changes) to verify login attempts. Given the rapid ASN changes, this proactively mitigates the issue by challenging suspicious logins, aligning with CAS-005's focus on adaptive security.

C . Decentralize accounts:This removes SSO, increasing complexity and weakening MFA enforcement, which isn't practical or secure.

The scenario describes a sophisticated attack where the threat actor used steganography within LDAP to exfiltrate data. Given that thehardware and OS firmware were validated and found uncompromised, the attack vector likely exploited a network communication channel. To mitigate such risks, enforcing allow lists for authorized network ports and protocols is the most effective strategy.

Here's why this option is optimal:

Port and Protocol Restrictions: By creating an allow list, the organization can restrict communications to only those ports and protocols that are necessary for legitimate business operations. This reduces the attack surface by preventing unauthorized or unusual traffic.

Network Segmentation: Enforcing such rules helps in segmenting the network and ensuring that only approved communications occur, which is critical in preventing data exfiltration methods like steganography.

Preventing Unauthorized Access: Allow lists ensure that only predefined, trusted connections are allowed, blocking potential paths that attackers could use to infiltrate or exfiltrate data.

Other options, while beneficial in different contexts, are not directly addressing the network communication threat:

B . Measuring and attesting to the entire boot chain: While this improves system integrity, it doesn't directly mitigate the risk of data exfiltration through network channels.

C . Rolling thecryptographic keys used for hardware security modules: This is useful for securing data and communications but doesn't directly address the specific method of exfiltration described.

D . Using code signing to verify the source of OS updates: Ensures updates are from legitimate sources, but it doesn't mitigate the risk of network-based data exfiltration.

CompTIA SecurityX Study Guide

NIST Special Publication 800-41, 'Guidelines on Firewalls and Firewall Policy'

CIS Controls Version 8, Control 9: Limitation and Control of Network Ports, Protocols, and Services

The best solution to harden a three-tier environment (web, database, and application servers) is to implement microsegmentation on the server VLANs. Here's why:

Enhanced Security: Microsegmentation creates granular security zones within the data center, allowing for more precise control over east-west traffic between servers. This helps prevent lateral movement by attackers who may gain access to one part of the network.

Isolation of Tiers: By segmenting the web, database, and application servers, the organization can apply specific security policies and controls to each segment, reducing the risk of cross-tier attacks.

Compliance and Best Practices: Microsegmentation aligns with best practices for network security and helps meet compliance requirements by ensuring that sensitive data and systems are properly isolated and protected.

CompTIA Security+ SY0-601 Study Guide by Mike Chapple and David Seidl

NIST Special Publication 800-125: Guide to Security for Full Virtualization Technologies

CIS Controls: Control 12 - Boundary Defense

Comprehensive and Detailed

Understanding the Security Event:

Administrator accounts are highly privilegedand require strict monitoring.

Server 4 shows failed login attempts for the administrator account.This could indicate abrute-force attack or unauthorized access attempt.

The fact thatnone of the admin login attempts were successfulsuggestssomeone was trying to guess the credentials.

Why Option D isCorrect:

Failed logins for administrator accounts are a critical security concern.

If an attacker gains access, they couldescalate privileges and compromise the network.

Investigatingunauthorized admin login attemptsshould be thetop priorityin a log audit.

Why Other Options Are Incorrect:

A (Endpoint not submitting logs):While this is concerning, it does not indicate anactive attack.

B (Lateral movement):There's no evidence of a compromised account moving between servers yet.

C (Misconfigured syslog server):False negatives are a possibility, but thefailed admin loginsare real.

CompTIA SecurityX CAS-005 Official Study Guide:SIEM & Incident Analysis

MITRE ATT&CK (T1078.002):Valid Accounts - Administrator Compromise

Implementing digital signatures ensures the integrity and authenticity of software binaries. When a binary is digitally signed, any tampering with the file (e.g., replacing it with amalicious version) would invalidate the signature. This allows systems to verify the origin and integrity of binaries before execution, preventing the execution of unauthorized or compromised binaries.

A . Improving patching processes: While important, this does not directly address the issue of verifying the integrity of binaries.

B . Implementing digital signatures: This ensures that only valid, untampered binaries are executed, preventing attackers from substituting legitimate binaries with malicious ones.

C . Performing manual updates via USB ports: This is not practical and does not scale well, especially in large environments.

D . Allowing only files from internal sources: This reduces the risk but does not provide a mechanism to verify the integrity of binaries.

CompTIA Security+ Study Guide

NIST SP 800-57, 'Recommendation for Key Management'

OWASP (Open Web Application Security Project) guidelines on code signing