View CAS-005 Exam Questions

Q: 1

[Governance, Risk, and Compliance (GRC)] A security engineer is assisting a DevOps team that has the following requirements for container images: Ensure container images are hashed and use version controls. Ensure container images are up to date and scanned for vulnerabilities. Which of the following should the security engineer do to meet these requirements?

Options

Discussion

Ishaan F. Mar 3, 2026 3:28 pm

B . CI/CD pipeline gates are how you enforce image hashing, versioning, and auto scans before anything hits production. Small edge case: if the team already had strong post-deploy auditing then C might get confusing in a badly worded question, but this one specifically asks for the upfront controls.

Leo P. Mar 3, 2026 7:30 pm

Option B makes sense. Setting security and quality checks in the CI/CD pipeline is how you can automate hashing, version control, and vulnerability scanning before any containers go live. The other choices don't guarantee these checks happen upfront. Pretty sure this is what they're after but let me know if anyone sees it differently.

Sam S. Mar 2, 2026 8:57 pm

Option B. saw a similar question in a practice set. Fits what they're asking for on image controls and vulnerability checks.

Sean E. Feb 25, 2026 12:40 am

B checks all the pre-deployment boxes. CI/CD can automate image hashing, version tagging, and vulnerability scans before anything goes live. That's how you actually enforce those requirements up front, not just watch for issues after. Pretty sure B is right.

Ava Mar 1, 2026 11:47 pm

B tbh

Liam N. Feb 28, 2026 12:53 am

C , since audits and monitoring would reveal config drift or missed patches post-deployment if the CI/CD breaks.

Daniel Mar 3, 2026 2:21 pm

C/D? Not sure, both seem to cover parts of the requirements.

Vikram Feb 14, 2026 8:02 am

I don’t think C fits. B checks all the boxes-CI/CD lets you enforce hashes, versioning, and do automated vulnerability scans before deployment. Auditing after the fact (C) misses the upfront controls. Pretty sure B’s right unless I’m missing something obvious.

ChloeZ Feb 14, 2026 1:35 am

C, B is probably a trap since audits and monitoring config changes sound closer to GRC tasks.

Jack Feb 18, 2026 12:36 pm

Its C this time. Had something like this in a mock and enabling audits plus config monitoring seemed to fit the governance/control side, especially for ongoing compliance. Might not cover versioning as tightly as B but I think it handles the "ensure" part better. Not 100% though, feel free to push back.

Be respectful. No spam.

Correct Answer:

Explanation

The requirements to hash, version control, keep updated, and scan container images are all security and quality gates that should be enforced before deployment. Integrating these checks into a Continuous Integration/Continuous Deployment (CI/CD) pipeline automates this enforcement. During the CI phase, the pipeline can build the image, assign a version tag, generate a cryptographic hash (digest), and run a vulnerability scanner against it. The pipeline can be configured to fail the build if vulnerabilities are found or other quality checks are not met, preventing insecure images from ever reaching the container registry or production environment. This approach aligns with modern DevSecOps principles of "shifting security left."

Why Incorrect

A. Service meshes and Access Control Lists (ACLs) are runtime controls that manage network traffic between running containers, not security controls for the static container images themselves.

C. Auditing is a detective control that identifies non-compliance after an image has been built or deployed, rather than a preventative control that ensures requirements are met beforehand.

D. Pulling images directly from a public vendor repository and deploying them without internal validation and scanning is a highly insecure practice that bypasses essential security checks.

References

1. National Institute of Standards and Technology. (2017). SP 800-190

Application Container Security Guide. Section 3.2.2

"Vulnerability Scanning

" states

"Organizations should integrate vulnerability scanning tools into their CI/CD pipelines to ensure that images that have known vulnerabilities are not pushed to the registry." Section 3.2.1

"Image Signing

" discusses using cryptographic methods to ensure image integrity

a process also managed within the pipeline. (https://doi.org/10.6028/NIST.SP.800-190)

2. Pape

F. (2021). Lecture 10: DevSecOps. CS 161: Computer Security

University of California

Berkeley. Course materials emphasize integrating security tools like static analysis and vulnerability scanners directly into the CI/CD pipeline to automate security checks early in the development lifecycle.

3. Red Hat. (n.d.). Securing the build pipeline. Red Hat OpenShift Documentation. This official vendor documentation details the best practice of incorporating security checks

such as static code analysis and vulnerability scanning of dependencies and container images

within the CI/CD pipeline to secure the software supply chain.

Q: 2

[Governance, Risk, and Compliance (GRC)] An audit finding reveals that a legacy platform has not retained loos for more than 30 days The platform has been segmented due to its interoperability with newer technology. As a temporarysolution, the IT department changed the log retention to 120 days. Which of the following should the security engineer do to ensure the logs are being properly retained?

Options

Discussion

Morgan H. Feb 14, 2026 8:29 am

C. SIEM is purpose-built for aggregating and retaining logs, so it aligns with GRC requirements here. Pretty sure that's what real audits expect. Agree?

Piya F. Feb 28, 2026 7:41 am

C imo, SIEM handles retention and compliance best, but if the legacy system couldn't export logs out at all, none of these would actually fix it. Still, CompTIA's logic leans C I think.

MorganZ Feb 21, 2026 12:07 am

Man, another classic CompTIA SIEM question. C imo, since only a SIEM can really guarantee proper, compliant retention across old and new systems like the audit wants. Scripts and tasks are just workarounds. Disagree?

Olivia Mar 2, 2026 9:25 pm

C, not A. SIEM is what actually guarantees proper retention and auditability here, while A just schedules local saves and misses the compliance point. Happened on similar practice sets.

Jordan M. Feb 27, 2026 10:30 pm

Yeah, C makes the most sense here. SIEMs are designed to centralize and properly retain logs from all types of systems, even legacy ones, which lines up with compliance needs and audit fixes. Scripts or scheduled tasks like A or D are kind of patchwork and don't hit the "proper retention" part as well. Pretty sure CompTIA wants the SIEM solution for this.

Mason N. Feb 19, 2026 3:48 pm

C saw almost the same thing in my practice set. SIEM is what they want for retention/compliance, but if the log export isn't supported maybe A? Not totally sure but C feels right for CompTIA logic.

RyanI Feb 14, 2026 8:13 am

C , SIEM is made for compliance and log retention, plus it works with legacy stuff if needed. Official guides and labs both stress centralizing via SIEM for this type of audit fix. Pretty sure that's the CompTIA angle here.

Emma Feb 19, 2026 1:17 pm

I’d say C, since a SIEM is built for centralized log retention and that matches audit/GRC needs. Scripts like in D can break or miss things, SIEM is more reliable long term. Pretty sure that's what CompTIA wants here. Agree?

Be respectful. No spam.

Correct Answer:

Explanation

The most appropriate and robust solution to ensure logs are properly retained in an enterprise environment is to use a Security Information and Event Management (SIEM) system. A SIEM is specifically designed to collect, aggregate, normalize, and securely store logs from disparate sources, including legacy platforms. By forwarding the logs from the legacy system to the SIEM, the organization centralizes log management, overcomes the local storage limitations of the legacy platform, and ensures compliance with long-term retention policies mandated by the audit. This approach provides a scalable, secure, and searchable archive for forensic analysis and compliance reporting.

Why Incorrect

A. A scheduled task is a brittle, localized solution that lacks the centralized management, security, and analytical capabilities inherent in a proper log management infrastructure.

B. Event-based triggers are designed for alerting on specific conditions, not for comprehensive log collection, and would result in incomplete data retention for audit purposes.

D. Building a custom script and database is inefficient, costly to maintain, and less secure than using a dedicated, industry-standard SIEM platform designed for this purpose.

---

References

1. National Institute of Standards and Technology (NIST) Special Publication 800-92

Guide to Computer Security Log Management.

Section 3.1.3

"Log Storage and Retention

" states: "Organizations should also consider using a dedicated log server for centralized log storage... Centralized log storage facilitates long-term log retention and reduces the risk of logs on individual hosts being lost..." A SIEM is a primary example of a system providing this centralized function.

2. Carnegie Mellon University

Software Engineering Institute

"Common Sense Guide to Mitigating Insider Threats

5th Edition."

Practice 17: Deploy a Log Management System

Page 111

recommends organizations to "Aggregate and centrally store logs from all relevant sources (e.g.

network devices

servers

databases

applications)." This directly supports using a central system like a SIEM to solve the problem described.

3. Al-Abassi

Karim

& Al-Ogaili

A. (2017). A Survey of SIEM Tools. In Proceedings of the International Conference on Big Data and Internet of Things (BDIoT’17). ACM

New York

USA

Article 29

pp. 1–6.

Section 2

"SIEM Architecture

" describes the fundamental components of a SIEM

highlighting the "Log collection" and "Log storage" functions. The text explains that a core purpose of a SIEM is to gather logs from various sources (agents or collectors) and store them in a central repository (database or file system) for analysis and retention.

DOI: https://doi.org/10.1145/3175828.3175857

Q: 3

[Security Architecture] A developer makes a small change to a resource allocation module on a popular social media website and causes a memory leak. During a peak utilization period, several web servers crash, causing the website to go offline. Which of the following testing techniques is the most efficient way to prevent this from reoccurring?

Options

Discussion

Jamie P. Feb 17, 2026 9:04 am

Option C fits best. Regression testing specifically checks if new code changes break existing things, like memory handling. The memory leak could’ve been caught with good regression tests. Pretty sure that's what they're looking for here, but open to other thoughts.

Skyler X. Mar 1, 2026 4:56 am

Option C, Regression testing is designed to catch issues from new code changes like this, so it's most efficient here.

FriendlyConsultant7348 Feb 15, 2026 1:51 am

C . Regression testing finds bugs after code changes, like that memory leak. Other options don’t target new issues from recent updates as directly. If anyone sees it differently let me know.

QuickTester8897 Feb 26, 2026 3:05 pm

C tbh, had something like this in a mock before. Regression testing is what catches sneaky bugs from code updates, including memory leaks. Not 100% but seems best fit for preventing repeats here.

Sofia L. Feb 26, 2026 10:58 am

Definitely C

ThoughtfulSec3260 Feb 15, 2026 5:29 pm

Its C

Aisha F. Feb 28, 2026 5:30 pm

So tired of how these questions always try to trip you up with similar-sounding test types. C

Jack Z. Feb 25, 2026 10:10 pm

Maybe C is the best pick. Regression testing is what finds bugs added by new code, like this memory leak. A (load) would stress the system, but wouldn't always reveal these code issues unless they're hit under specific test cases. Open to other takes if someone thinks load fits better.

Liam S. Feb 19, 2026 10:33 am

Probably C. Regression is aimed at catching bugs caused by recent code changes like this memory leak.

CalmAuditor5008 Feb 25, 2026 7:19 am

Why is everyone considering A? Memory leak from a code change usually gets caught by regression, not just load. Load testing might help in general but wouldn't target new bugs introduced by tiny updates. Thoughts on that?

Be respectful. No spam.

Correct Answer:

Explanation

The core issue is a functional defect (a memory leak) introduced by a "small change" to existing code. Regression testing is the specific process of re-running functional and non-functional tests to ensure that previously developed and tested software still performs correctly after a change. An effective regression test suite for a critical resource allocation module would include performance and memory profiling tests. Executing this suite after the change would have detected the memory leak before deployment, thus preventing the production failure. This makes it the most efficient and direct technique to prevent this specific problem from reoccurring.

Why Incorrect

A. Load: While a load test would have exposed this specific memory leak, regression testing is the overarching process that ensures any bug introduced by a change is caught.

B. Smoke: Smoke testing is a preliminary, high-level check to ensure basic functionality works; it is not deep enough to detect subtle resource management bugs like a memory leak.

D. Canary: Canary testing is a deployment strategy that exposes new code to a small subset of users. It mitigates production impact but does not prevent the bug from being deployed.

---

References

1. Ammann

& Offutt

J. (2016). Introduction to Software Testing (2nd ed.). Cambridge University Press. In Chapter 1

Section 1.2

"A Fault

Error

Failure Terminology

" the text defines regression testing as "the process of retesting a modified program to ensure that no new faults have been introduced as a result of the changes." This directly aligns with the scenario where a change introduced a fault.

2. Bertolino

A. (2007). Software Testing Research: Achievements

Challenges

Dreams. In 2007 Future of Software Engineering (pp. 85-103). IEEE. https://doi.org/10.1109/FOSE.2007.27. On page 91

the paper discusses regression testing as essential for software evolution

stating its goal is to "provide confidence that the changes did not break any previously working functionality."

3. National Institute of Standards and Technology (NIST). (2022). Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities (NIST Special Publication 800-218). Section 4

Practice PW.8

"Test Executable Code

" emphasizes the need to "review test plans and test results to confirm that the tests adequately address all security requirements." A comprehensive test plan

subject to regression

would include tests for resource exhaustion vulnerabilities like memory leaks.

Q: 4

[Emerging Technologies and Threats] Which of the following best explains the business requirement a healthcare provider fulfills by encrypting patient data at rest?

Options

Discussion

Alex Feb 17, 2026 11:06 pm

D . CompTIA loves tossing in that privacy plus portability combo for anything healthcare, seen similar on recent practice sets.

Zoe T. Feb 24, 2026 7:39 am

D makes sense here. Encrypting at rest is all about protecting patient privacy but also letting providers move or store data safely, which ties directly to portability (HIPAA stuff). C is more about limiting risk after a breach, but doesn't mention portability at all. Pretty sure D is what they're looking for, though open if there's another angle.

Quinn W. Feb 15, 2026 3:40 pm

Feels like D. Encrypting at rest isn't just about stopping identity theft (that's what C hints at), it's really to meet HIPAA's privacy rules and let data be portable between systems. Seen similar on practice exams, but open to debate.

Parker J. Feb 12, 2026 7:35 pm

I don’t think it’s C. Protecting from identity theft sounds good but doesn’t cover portability, which HIPAA actually cares about. D fits better for both privacy and operational needs unless I'm missing something in the question wording?

Ava Feb 20, 2026 2:45 am

HannahB Feb 18, 2026 5:37 am

D , it's mainly about protecting privacy while still letting data be portable for healthcare workflows. C is tempting but doesn't fully capture the regulatory and operational need for both privacy and portability under HIPAA. Disagree?

Ivy D. Feb 15, 2026 7:19 pm

D Encrypting at rest hits privacy and data mobility, which is what HIPAA cares about.

Neha A. Feb 17, 2026 10:36 pm

D imo. Encrypting data at rest is all about protecting patient privacy even when records get moved or stored elsewhere. Healthcare needs both privacy and data portability, especially with HIPAA in play. Pretty sure that's what they're after here, right?

Cameron F. Feb 28, 2026 6:43 am

D imo, since HIPAA wants both privacy protection and supports data portability. C is common as a trap but doesn't cover the portability that healthcare actually needs. Pretty sure that's what they're after here, unless I'm missing something subtle.

Morgan X. Feb 20, 2026 8:38 pm

A is wrong, D. Encryption at rest is about keeping patient info private (compliance with HIPAA), but still letting the data be portable if needed across devices or systems. C just misses the portability angle, I think.

Be respectful. No spam.

Correct Answer:

Explanation

The primary business requirement for a healthcare provider encrypting patient data at rest is to comply with regulations like the Health Insurance Portability and Accountability Act (HIPAA). HIPAA's Security Rule mandates the protection of electronic Protected Health Information (ePHI) confidentiality. Encryption is a key technical safeguard that achieves this. This control is crucial for supporting data portability—the ability to store and move data on laptops, backup media, or cloud services—without compromising patient privacy. If a device containing encrypted data is lost or stolen, the information remains secure, thus fulfilling the dual business requirement of protecting privacy while enabling necessary data mobility for healthcare operations.

Why Incorrect

A. Securing data transfer between hospitals addresses data in transit, which is protected by different controls (e.g., TLS), not encryption at rest.

B. Providing for non-repudiation data is about ensuring the integrity and origin of data, typically using digital signatures or secure audit logs, not encryption at rest.

C. Reducing liability from identity theft is a beneficial outcome of encryption, but the fundamental business requirement is the proactive protection of patient privacy as mandated by law.

References

1. U.S. Department of Health & Human Services (HHS). "Summary of the HIPAA Security Rule." The rule's purpose is to "protect the privacy of individuals’ health information" while allowing "the flow of health information needed to provide and promote high quality health care." This directly aligns with protecting privacy while supporting portability. The Technical Safeguards section (§ 164.312(a)(2)(iv)) identifies encryption as a key addressable implementation specification for protecting ePHI. (Source: HHS.gov)

2. National Institute of Standards and Technology (NIST). Special Publication 800-66 Revision 2: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Section 3.3.1

"Access Control Standard

" discusses how encryption can be used to protect ePHI on various media

stating

"Encryption can be an effective tool in protecting the confidentiality of ePHI on a variety of media

including when it is being transmitted over a network or stored on a portable device." This highlights the link between encryption at rest and secure portability.

3. Johns Hopkins University. Information Security Policies and Standards

Policy: Encryption. Section 4.1 requires the encryption of all portable devices and media that store sensitive or confidential information

including PHI. This university policy reflects the industry-standard interpretation of the business and regulatory requirement to protect portable data through encryption. (Source: it.jhu.edu/policies)

Q: 5

[Emerging Technologies and Threats] A security engineer wants to reduce the attack surface of a public-facing containerized application Which of the following will best reduce the application's privilege escalation attack surface?

Options

Discussion

QuietAnalyst3919 Feb 16, 2026 2:11 pm

A , D is tempting for network isolation but the real privilege escalation fix is making sure the app doesn't run as root. A does that, so that's what I'd pick. Seen similar trap on practice exams.

Mason Feb 17, 2026 8:28 am

A tbh, seen similar in exam reports about Docker privilege issues.

Aisha A. Feb 24, 2026 12:03 pm

Honestly sick of seeing these vague "best way" privilege escalation questions. Probably D, since network isolation plus a load balancer with ACLs stops lateral movement cold.

SteadySec6607 Feb 27, 2026 7:32 am

D makes the most sense to me for reducing privilege escalation. By isolating the container in a separate network and putting ACLs on the load balancer, external access is tightly controlled so attackers can't easily escalate out or reach other segments. Not 100% sure since I could see an argument for A, but D feels like the right approach here. Agree?

Alex L. Feb 25, 2026 8:24 pm

Its A, had something like this in a mock. Setting non-root user in the Dockerfile is key here.

Logan N. Feb 23, 2026 9:25 am

Leo K. Feb 23, 2026 1:40 pm

A. not C. The trap is thinking remediation controls actually stop escalation, but reducing container privileges hits the root cause here.

Owen Y. Mar 1, 2026 6:42 pm

Feels like this is same as a common exam questions. on a practice exam, pretty sure it's A. Limiting the container to a non-root user cuts down privilege escalation risk. Anyone see it differently?

Riley M. Feb 27, 2026 1:01 am

Its A, running containers as non-root limits privilege escalation. Pretty standard hardening step for Docker. Anyone see a catch here?

Ivy Mar 1, 2026 11:16 pm

Had something like this in a mock and the answer was A.

Be respectful. No spam.

Q: 6

[Governance, Risk, and Compliance (GRC)] A compliance officer isfacilitating abusiness impact analysis (BIA)and wantsbusiness unit leadersto collect meaningful dat a. Several business unit leaders want more information about the types of data the officer needs. Which of the following data types would be the most beneficial for the compliance officer?(Select two)

Options

Discussion

Leo O. Feb 13, 2026 4:30 pm

Why is this even a question for BIA, seems obvious it's C and F.

Amelia L. Feb 16, 2026 2:48 am

Probably C and F here. BIA needs you to identify your critical processes and measure the impact or costs if they go down. B (contract obligations) seems tempting but that's more for compliance audits than the actual impact analysis. Anyone see it different?

Luke Feb 28, 2026 4:35 pm

C/F. BIA's always about figuring out your critical processes and what downtime will cost you, so C and F are the data types that actually help drive decisions here. B (contract obligations) feels compliance focused but it's less helpful for the impact analysis side. Someone disagree?

Mia U. Feb 23, 2026 3:50 pm

C F tbh, B is a compliance trap here, costs and critical processes are core for BIAs.

Chris P. Feb 17, 2026 12:49 am

C and F, that's what the official CASP+ guide covers for BIAs. You see those in practice sets too, pretty standard.

Jamie Mar 2, 2026 7:22 pm

C and F, that matches what I’ve seen in official study guides about BIAs. Critical processes (F) tell you what’s essential to keep running, and costs associated with downtime (C) help quantify impact for the business. Practice questions and labs focus on these two data types a lot. Pretty sure these are the best picks here, but open to other thoughts if someone’s used a different source.

Nathan G. Feb 27, 2026 7:32 pm

I don't think it's C and F. I'd pick B and F since contract obligations seem important for a compliance officer’s impact analysis, not just the costs. Pretty sure B is a common trap but still seems valid to me. Anyone got another take?

Nathan M. Mar 1, 2026 11:39 pm

Its C and F. B looks tempting because of the compliance angle, but for BIA you really need those impact and process details.

Sara P. Feb 14, 2026 8:23 am

C/F tbh. Critical processes and downtime costs are the main data points you want for a BIA, since that's how you measure impact. The compliance reference might throw you but I'm pretty sure it's still C and F.

Rowan B. Mar 3, 2026 9:31 am

C/F? The question mixes compliance and BIA, so part of me thinks B could be in play, but critical processes and downtime costs (C, F) usually drive the impact analysis. Not 100% sure though, open to being convinced otherwise.

Be respectful. No spam.

Correct Answer:

C, F

Explanation

A Business Impact Analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations. The two most fundamental data types required from business unit leaders are the identification of critical processes (F) and the quantification of the costs associated with downtime (C) for those processes. Identifying critical processes is the foundational step, establishing what the BIA will analyze. Quantifying the financial and operational costs of a disruption (e.g., lost revenue, penalties, reputational damage) is the core of the "impact" analysis, which is essential for prioritizing recovery efforts and defining Recovery Time Objectives (RTOs).

Why Incorrect

A. Inventory details: This is a component of asset management or a technical risk assessment, not a primary input from business leaders for a BIA, which focuses on processes and impact.

B. Applicable contract obligations: While important, these obligations (like SLAs) are a component of the overall impact, which is more comprehensively captured by the total costs associated with downtime.

D. Network diagrams: These are technical artifacts used in the subsequent disaster recovery planning phase to design solutions, not a primary business-level input for the BIA itself.

E. Contingency plans: These are an output of the business continuity process. They are created after the BIA has been completed to address the identified risks and impacts.

References

1. NIST Special Publication 800-34 Rev. 1

Contingency Planning Guide for Federal Information Systems.

Section 3.2

Business Impact Analysis (BIA)

Step 1 (Page 16): "The first BIA step is to identify the organization’s mission/business processes and determine their recovery criticality." This directly supports the selection of F. Critical processes.

Section 3.2

Business Impact Analysis (BIA)

Step 2 (Page 17): This step involves identifying outage impacts. The guide states

"Impacts may include... financial

loss of revenue..." This directly supports the collection of data on C. Costs associated with downtime.

2. Herbane

B. (2010). The evolution of business continuity management: A historical review of practices and drivers. Business History

52(6)

978-1002.

Page 985: The article describes the BIA process as involving the identification of "the critical processes which are essential for survival" and assessing "the business impact of a failure of these processes

which is usually measured in financial terms." This supports both F. Critical processes and C. Costs associated with downtime as central to the BIA. DOI: https://doi.org/10.1080/00076791.2010.511185

3. University of Illinois at Urbana-Champaign

CS 461/ECE 422: Computer Security I

Lecture 23: Business Continuity.

Slide 6

"Business Impact Analysis": The lecture material defines the BIA as the process to "Identify critical business functions" and "Determine tangible and intangible impact of the loss of that function." Tangible impacts are explicitly listed as financial losses

directly corresponding to F. Critical processes and C. Costs associated with downtime.

Q: 7

[Security Architecture] A senior security engineer flags the following log file snippet as having likely facilitated an attacker’s lateral movement in a recent breach: qry_source: 19.27.214.22 TCP/53 qry_dest: 199.105.22.13 TCP/53 qry_type: AXFR | in comptia.org ------------ directoryserver1 A 10.80.8.10 ------------directoryserver2 A 10.80.8.11 ------------ directoryserver3 A 10.80.8.12 ------------ internal-dns A 10.80.9.1 ----------- www-int A 10.80.9.3 ------------ fshare A 10.80.9.4 ------------ sip A 10.80.9.5 ------------ msn-crit-apcs A 10.81.22.33 Which of the following solutions, if implemented, would mitigate the risk of this issue reoccurring?

Options

Discussion

Nathan Feb 28, 2026 9:16 pm

Option A. Disabling DNS zone transfers is what stops external AXFR attempts cold. Others help, but only A addresses the specific risk from the log. Pretty sure that's what CompTIA wants here, but let me know if you read it different.

Nathan K. Feb 24, 2026 10:21 pm

Not convinced D would actually stop the AXFR issue, isn't that more about who can query for records, not who can pull zone transfers? The log points straight to a zone transfer being abused. A seems more direct for preventing this. Anyone see a use case where D would be better?

Jason S. Feb 22, 2026 5:03 pm

I don't think it's B. A is better here since disabling DNS zone transfers directly blocks AXFR, which is the real problem in the log. B might help, but authorized servers could still need TCP/53 for legit reasons. Open to being proven wrong though.

ChloeI Mar 4, 2026 8:53 am

Disabling DNS zone transfers is the move here, so A. AXFR is the giveaway, and turning off zone transfers stops that kind of info leak directly. Pretty sure that's what they're after in the question, but open to other takes.

Ryan S. Feb 24, 2026 4:37 am

C/D? Disabling zone transfers seems like a trap here, I think DNS masking (C) might hide internal details better. D also feels reasonable since restricting queries limits outside exposure. Not 100% but C or D looks right if you want to actually block info leaks.

Sanjay F. Feb 19, 2026 5:22 am

A since disabling DNS zone transfers stops AXFR attacks directly. D's a trap here, it doesn't address zone transfers themselves.

AveryS Feb 17, 2026 2:40 pm

A is the way to go since disabling DNS zone transfers stops AXFR requests cold, which is how attackers can grab the whole zone file. D does lock things down but doesn't specifically fix the root issue. I think A fits best here, open to pushback.

Sean L. Feb 23, 2026 12:21 pm

Option D Limiting DNS queries to internal clients should stop outside parties from getting this info, right?

QuickAuditor4517 Feb 20, 2026 4:16 pm

A tbh, unless that environment needs legit internal zone transfers that weren't mentioned here.

Riley Z. Feb 13, 2026 11:29 am

Pretty sure it's A. Disabling DNS zone transfers actually prevents AXFR, which is how attackers map out the internal environment. D tempts you but it doesn't stop zone transfers from authorized but compromised clients. If I'm missing something let me know.

Be respectful. No spam.

Correct Answer:

Explanation

The log snippet indicates a successful DNS zone transfer (qrytype: AXFR) was executed from an external IP address (19.27.214.22). This type of query allows an attacker to download the entire DNS zone file, revealing the internal network topology, hostnames, and IP addresses of sensitive servers (e.g., directoryserver1, msn-crit-apcs). This information is invaluable for reconnaissance and subsequent lateral movement. The most direct and effective mitigation is to configure the DNS server to disable or strictly control zone transfers, permitting them only from the IP addresses of authorized secondary DNS servers and denying all others.

Why Incorrect

B. Restricting DNS traffic to UDP/53: This is incorrect because while most standard queries use UDP, zone transfers and large responses legitimately require TCP. Blocking TCP/53 entirely would break necessary DNS functions.

C. Implementing DNS masking on internal servers: This is incorrect because while split-horizon DNS is a good practice, it does not prevent the zone transfer itself. A misconfigured server could still allow the transfer of the internal zone view.

D. Permitting only clients from internal networks to query DNS: This is incorrect as it would block all legitimate external queries for public resources (e.g., the company website), rendering public-facing services inaccessible to the internet.

---

References

1. National Institute of Standards and Technology (NIST) Special Publication 800-81-2

Secure Domain Name System (DNS) Deployment Guide. Section 3.3.1

"Restrict Zone Transfers

" states

"Zone transfers should be restricted to prevent unauthorized users from obtaining a copy of a zone’s contents... DNS servers should be configured to allow zone transfers only to explicitly authorized servers." This directly supports disabling open zone transfers. (Page 16).

2. Internet Systems Consortium (ISC)

BIND 9.18.24 Administrator Reference Manual. The documentation for the allow-transfer option specifies its use for creating an access control list (ACL) of hosts permitted to receive zone transfers. The default is to allow transfers to all hosts

which is insecure. The manual guides administrators to restrict this to only known

trusted secondary servers. (Section: "The allow-transfer option").

3. University of California

Berkeley. CS 161: Computer Security

Lecture 18: Network Security II. Course materials discuss DNS security vulnerabilities

explicitly identifying zone transfers (AXFR) as a method for attackers to map an entire internal network. The recommended countermeasure is to configure DNS servers to restrict zone transfers to only authorized secondary name servers.

Q: 8

[Security Assessments and Testing] During a vulnerability assessment, a scan reveals the following finding: Windows Server 2016 Missing hotfix KB87728 - CVSS 3.1 Score: 8.1 [High] - Affected host 172.16.15.2 Later in the review process, the remediation team marks the finding as a false positive. Which of the following is the best way toavoid this issue on future scans?

Options

Discussion

Olivia Z. Mar 1, 2026 1:51 pm

Makes sense to go with B here. Authenticated scans actually check the server’s config and patch levels directly, so they cut down on those annoying false positives. Not 100 percent but pretty sure this is what fixes the issue.

Chloe E. Feb 21, 2026 7:58 am

Its B, authenticated scan. Banner-grabbing (C) is a trap here since it can still miss patch info. Seen this on other exams.

Grace B. Feb 19, 2026 8:28 pm

B is right since authenticated scans get actual registry and patch info, not just what the banner says. That’s how you avoid those false positives with missing hotfixes. I’m pretty sure that’s the intent here, but let me know if you see it different.

Quinn Feb 19, 2026 7:21 pm

B works because authenticated scans actually check the host directly instead of relying on network info, so they almost always catch patch status right. False positives from missing hotfixes drop a lot with this method. Pretty sure that's what the exam is looking for here, but open if someone saw otherwise.

Sean W. Feb 17, 2026 9:41 pm

Probably B here. Authenticated scans actually log in and check if the hotfix is present, so less guessing compared to unauthenticated methods. Option C sounds tempting but still leaves more room for error. Happens a lot in network-based scans from what I've seen. Open to other ideas if anyone had a different exam scenario.

Jason V. Feb 24, 2026 2:55 am

B tbh. Authenticated scans really cut down on false positives since they check patch status directly instead of guessing from banners. This lines up with what the official study guides and labs say, but happy to hear other views if someone’s seen it play out differently.

Vikram X. Feb 20, 2026 9:11 pm

C , improved fingerprinting feels like it could reduce these scan errors. Option B might be a trap here.

IshaanW Mar 2, 2026 12:47 am

C vs B, sensor fingerprinting can help but not as reliable as creds for patch checks.

Ben G. Feb 15, 2026 4:00 pm

Its B. Authenticated scans actually log in to the server and check installed patches directly, so they almost always cut down on false positives. C is tempting but advanced fingerprinting still relies on guessing from banners. Pretty sure about B unless I’m missing something.

Nora T. Feb 17, 2026 11:12 am

Definitely B. Authenticated scans dig into the actual patch info so false positives are way less likely. Agree?

Be respectful. No spam.

Correct Answer:

Explanation

The scenario describes a false positive where a vulnerability scanner incorrectly reported a missing hotfix. This type of error commonly occurs during unauthenticated (network-based) scans, which infer system state from network banners and service responses without logging into the host. An authenticated scan uses credentials to log into the target system, allowing it to directly inspect the registry, file versions, and installed software lists. This provides a highly accurate assessment of the system's patch level, significantly reducing or eliminating false positives related to missing patches.

Why Incorrect

A. Getting an up-to-date list of assets from the CMDB: This improves scan coverage by ensuring all assets are targeted, but it does not improve the accuracy of the scan results on an individual asset.

C. Configuring the sensor with an advanced policy for fingerprinting servers: While advanced fingerprinting can better identify an OS, it is still an unauthenticated inference method and is less accurate for patch verification than a direct, authenticated check.

D. Coordinating the scan execution with the remediation team early in the process: This is a process improvement for managing remediation efforts but does not change the technical accuracy of the scan itself, which is the root cause of the false positive.

---

References

1. National Institute of Standards and Technology (NIST) Special Publication 800-115

Technical Guide to Information Security Testing and Assessment.

Section 5.3.1

"Authenticated Scans": This section explicitly states

"Authenticated scans are much less likely to produce false positives because they do not have to rely on inference to determine the security posture of a host... For example

an authenticated scan can read the registry of a Windows host to determine which patches have been installed." This directly supports the choice of authenticated scanning to avoid false positives for missing patches.

2. Carnegie Mellon University

Software Engineering Institute (SEI)

Defining a Strategy for Vulnerability Disclosure.

Section: "Vulnerability Scanning": Courseware and technical reports from institutions like the SEI often differentiate between scanning methods. They explain that credentialed (authenticated) scans provide "ground truth" by accessing the host's configuration directly

whereas uncredentialed scans are prone to errors from inferential analysis

leading to false positives. This aligns with the reasoning that authenticated scans are the solution. (Reference: General principle taught in advanced cybersecurity coursework).

3. SANS Institute

Penetration Testing and Vulnerability Analysis.

Reading Room Whitepaper

"Credentialed versus Non-Credentialed Vulnerability Scanning": SANS publications consistently highlight the superior accuracy of credentialed scans. They detail how these scans can access detailed version information and configuration files

which is impossible for non-credentialed scans

thereby preventing incorrect findings like the one described in the question.

Q: 9

[Security Architecture] Which of the following supports the process of collecting a large pool of behavioral observations to inform decision-making?

Options

Discussion

SharpLearner2040 Feb 21, 2026 1:18 am

Option C. since Big Data is what actually enables collecting massive behavioral datasets, not D unless you're processing them.

Alex Feb 21, 2026 4:41 am

Option C. Matches what's in the official objectives and study guide.

Ben Feb 18, 2026 1:42 am

Isn't D more about analyzing after you've collected? Collecting a huge dataset points to C, while D would be the trap here.

Morgan B. Mar 2, 2026 11:17 am

Why not D here? Machine learning relies on big datasets to improve decisions, so isn't that close?

Emma Feb 17, 2026 6:19 pm

C , saw similar wording on a practice set.

Maya Mar 3, 2026 5:16 pm

C over D, since the trap is thinking machine learning (D) does the collecting, but really Big Data (C) gives you the pool to work with. Pretty sure that's what they're after here.

Arjun P. Feb 19, 2026 8:43 pm

Its C, fits the "collecting" part best. D looks tempting but not for just gathering data.

NehaD Feb 17, 2026 9:44 pm

Guessing C here. Machine learning (D) is tempting since it's about analysis, but Big Data is more about collecting tons of raw behavioral data before you even process it. Not totally confident, open to being wrong.

CameronY Feb 23, 2026 10:46 am

Yeah, C is right here.

Meera J. Feb 19, 2026 12:24 am

D makes sense to me. Machine learning uses lots of behavioral data to make decisions, so it kinda fits the question. Not totally sure though since "collecting" is mentioned, but I’d still pick D here.

Be respectful. No spam.

Correct Answer:

Explanation

Big Data refers to the technologies and strategies used to manage and analyze extremely large and complex datasets that cannot be handled by traditional data-processing tools. The process described—collecting a "large pool of behavioral observations"—directly corresponds to the core characteristics of Big Data, often defined by Volume (large pool), Variety (behavioral observations), and Velocity. The ultimate goal of Big Data analytics is to extract valuable insights from this data to "inform decision-making," making it the most fitting answer for the described process.

Why Incorrect

A. Linear regression: This is a specific statistical algorithm used for predictive modeling. It is a tool for analysis, not the overarching process of collecting and managing massive datasets.

B. Distributed consensus: This is a fault-tolerance protocol used in distributed systems (e.g., blockchain) to ensure all nodes agree on a single data value, which is unrelated to behavioral data collection.

D. Machine learning: This is a field of AI that involves algorithms that learn from data. While machine learning is used to analyze Big Data, the term "Big Data" itself describes the paradigm of collecting and managing the large data pool.

---

References

1. National Institute of Standards and Technology (NIST). (2022). NIST Big Data Interoperability Framework: Volume 1

Definitions (NIST Special Publication 1500-1r2). Section 2.2

"Big Data Definition

" states

"Big Data is a term used to describe the large amount of data in the networked

digitized

sensor-laden

information-driven world... The value of Big Data is the potential to analyze it to make better decisions." This directly aligns with the question's premise.

2. Gandomi

& Haider

M. (2015). Beyond the hype: Big data concepts

methods

and analytics. International Journal of Information Management

35(2)

137-144. https://doi.org/10.1016/j.ijinfomgt.2014.10.007. The paper defines Big Data analytics as "the process of collecting

organizing and analyzing large sets of data... to discover patterns and other useful information" (p. 137)

distinguishing the data collection/management (Big Data) from the analysis techniques (e.g.

machine learning).

3. Massachusetts Institute of Technology (MIT) OpenCourseWare. (2016). Course 15.071 The Analytics Edge

Lecture 1: Introduction to Analytics. The lecture materials differentiate between the data itself (Big Data) and the methods used to analyze it

such as regression and machine learning

positioning Big Data as the foundational resource for these analytical processes.

Q: 10

[Security Operations] An organization found a significant vulnerability associated with a commonly used package in a variety of operating systems. The organization develops a registry of software dependencies to facilitate incident response activities. As part of the registry, the organization creates hashes of packages that have been formally vetted. Which of the following attack vectors does this registry address?

Options

Discussion

Owen Feb 24, 2026 6:53 am

A. C is tempting but the registry with vetted hashes is really about stopping supply chain risk, not side channels.

Zoe I. Feb 18, 2026 11:43 pm

Don't think it's B. Option C makes more sense to me here because side-channel analysis can look at how software interacts, and keeping hashes helps track changes. I saw similar advice in some official guides. Disagree?

Ravi P. Feb 20, 2026 5:31 pm

D , since on-path could be caught if the hash registry checks for transit changes.

Noah R. Feb 12, 2026 11:05 pm

Makes sense to me, A. The hash registry mainly blocks supply chain attacks.

MeeraT Mar 1, 2026 6:29 am

D , because if the registry is mainly checking hashes at download time, that helps stop on-path package tampering.

Ben U. Feb 14, 2026 9:08 am

I picked D since a registry with hashes could help spot tampering while packages move over the network. If someone messes with a package in transit, the hash won’t match after download. Might be missing something on supply chain specifics but I thought on-path fit better here.

Grace Feb 13, 2026 5:42 pm

Wouldn't the hashes of vetted packages mainly help with identifying compromised or malicious dependencies? That seems like supply chain to me, since on-path (D) is more about interception during transit, not package integrity. Am I missing a scenario where another option would fit?

Jack B. Feb 23, 2026 7:39 am

SkepticalConsultant5801 Mar 2, 2026 2:22 pm

Nah, pretty sure it's A. The registry with hashes is specifically designed to detect if a compromised or altered package gets slipped in via the supply chain. C looks tempting but side-channel attacks aren't mitigated by hashed dependencies-those are more about physical or process leaks. Let me know if you see it differently.

Drew Mar 1, 2026 4:53 am

I see why you'd think C but D looks closer to me since on-path attacks mess with data in transit, and verified hashes could catch tampering. Might be missing something here.

Be respectful. No spam.

Correct Answer:

Explanation

The practice described—creating a registry of software dependencies and hashing vetted packages—is a direct countermeasure against supply chain attacks. A software supply chain attack involves compromising a third-party component, such as a library or package, which is then incorporated into the target organization's systems. By maintaining a registry (a form of Software Bill of Materials or SBOM) and using hashes for integrity checking, the organization can verify that the software components they use are the authentic, vetted versions. This helps detect unauthorized modifications and facilitates rapid incident response by quickly identifying all systems that use a compromised or vulnerable package.

Why Incorrect

B. Cipher substitution attack: This is a cryptographic attack targeting weaknesses in ciphers, which is unrelated to managing the integrity of software dependencies.

C. Side-channel analysis: This attack exploits information leaked from a system's physical implementation (e.g., power consumption), not vulnerabilities within its software components.

D. On-path attack: This attack intercepts network traffic. While it could be a vector to deliver a malicious package, the registry addresses the package's integrity, which is a supply chain concern.

E. Pass-the-hash attack: This is an authentication attack that uses a stolen credential hash to access network resources and is unrelated to software package management.

---

References

1. National Telecommunications and Information Administration (NTIA). (2021). The Minimum Elements For a Software Bill of Materials (SBOM).

Section: "What is an SBOM?" (Page 4): "A Software Bill of Materials (SBOM) is a nested inventory

a list of ingredients that make up software components... SBOMs are particularly useful in vulnerability management. When a vulnerability in a particular component is discovered

an SBOM allows an organization to easily determine if they are impacted and take action." This directly supports the scenario's use of a dependency registry for incident response.

2. National Institute of Standards and Technology (NIST). (2022). SP 800-161 Rev. 1

Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.

Section 2.3.2

"Threats" (Page 13): This section details threats to the supply chain

including the "installation of malicious or counterfeit hardware or software." The use of hashes to verify vetted packages

as described in the question

is a direct control against this threat.

3. Parno

& Jackson

C. (2022). 6.858 Computer Systems Security

Fall 2022 Lecture 15: Web Security. MIT OpenCourseWare.

Slide 47

"Software supply chain attacks": This lecture material defines supply chain attacks as compromising upstream dependencies (e.g.

libraries) that are then used by downstream developers. The scenario's focus on a "commonly used package" aligns perfectly with this definition.

4. National Institute of Standards and Technology (NIST). (n.d.). Glossary: Pass the hash. Computer Security Resource Center.

The glossary defines pass-the-hash as a technique where an "adversary steals a hashed user credential and

without cracking it

reuses it to trick an authentication system into creating a new authenticated session on the same network." This confirms its irrelevance to the scenario.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE