CASP STUDY GUIDE - CAS-003 2025
QUESTIONS AND ANSWERS
Key risk indicators - ....ANSWER ...-Legal authorities notify a company that its
network has been compromised for the second time in two years. The investigation
shows the attackers were able to use the same vulnerability on different systems in both
attacks. Which of the following would have allowed the security team to use historical
information to protect
against the second attack?
Host-based firewall & File integrity monitor - ....ANSWER ...-A security incident
responder discovers an attacker has gained access to a network and has overwritten
key system files with backdoor software. The server was reimaged and patched offline.
Which of the
following tools should be implemented to detect similar attacks?
The SSH command is not allowing a pty session - ....ANSWER ...-A security
analyst is troubleshooting a scenario in which an operator should only be allowed to
reboot
remote hosts but not perform other activities. The analyst inspects the following portions
of different
...©️ 2025, ALL RIGHTS RESERVED 1
,configuration files:
Configuration file 1: Operator ALL=/sbin/reboot Configuration file 2:
Command="/sbin/shutdown now", no-x11-forwarding, no-pty, ssh-dss Configuration
file 3:
Operator:x:1000:1000::/home/operator:/bin/bash
Which of the following explains why an intended operator cannot perform the intended
action?
Input validation & Database activity monitoring - ....ANSWER ...-An SQL
database is no longer accessible online due to a recent security breach. An investigation
reveals
that unauthorized access to the database was possible due to an SQL injection
vulnerability. To prevent
this type of breach in the future, which of the following security controls should be put in
place before
bringing the database back online?
The analyst is blue team The employee is red team The manager is white team -
....ANSWER ...-A security analyst is reviewing logs and discovers that a company-
owned computer issued to an employee
is generating many alerts and analyst continues to review the log events and discovers
that a
non-company-owned device from a different, unknown IP address is general same
events. The analyst
...©️ 2025, ALL RIGHTS RESERVED 2
, informs the manager of these finding, and the manager explains that these activities are
already known
and . . . ongoing simulation. Given this scenario, which of the following roles are the
analyst, the employee, and the manager fillings?
Availability of application layer visualizers - ....ANSWER ...-A security analyst has
requested network engineers integrate sFlow into the SOC's overall monitoring
picture. For this to be a useful addition to the monitoring capabilities, which of the
following must be
considered by the engineering team?
. Single-tenancy PaaS - ....ANSWER ...-A team is at the beginning stages of
designing a new enterprise-wide application. The new application will
have a large
database and require a capital investment in hardware. The Chief Information Officer
(IO) has directed the
team to save money and reduce the reliance on the datacenter, and the vendor must
specialize in hosting
large databases in the cloud. Which of the following cloud-hosting options would BEST
meet these needs?
Order of volatility - ....ANSWER ...-During a security event investigation, a junior
analyst fails to create an image of a server's hard drive before
removing the drive and sending it to the forensics analyst. Later, the evidence from the
analysis is not
...©️ 2025, ALL RIGHTS RESERVED 3
QUESTIONS AND ANSWERS
Key risk indicators - ....ANSWER ...-Legal authorities notify a company that its
network has been compromised for the second time in two years. The investigation
shows the attackers were able to use the same vulnerability on different systems in both
attacks. Which of the following would have allowed the security team to use historical
information to protect
against the second attack?
Host-based firewall & File integrity monitor - ....ANSWER ...-A security incident
responder discovers an attacker has gained access to a network and has overwritten
key system files with backdoor software. The server was reimaged and patched offline.
Which of the
following tools should be implemented to detect similar attacks?
The SSH command is not allowing a pty session - ....ANSWER ...-A security
analyst is troubleshooting a scenario in which an operator should only be allowed to
reboot
remote hosts but not perform other activities. The analyst inspects the following portions
of different
...©️ 2025, ALL RIGHTS RESERVED 1
,configuration files:
Configuration file 1: Operator ALL=/sbin/reboot Configuration file 2:
Command="/sbin/shutdown now", no-x11-forwarding, no-pty, ssh-dss Configuration
file 3:
Operator:x:1000:1000::/home/operator:/bin/bash
Which of the following explains why an intended operator cannot perform the intended
action?
Input validation & Database activity monitoring - ....ANSWER ...-An SQL
database is no longer accessible online due to a recent security breach. An investigation
reveals
that unauthorized access to the database was possible due to an SQL injection
vulnerability. To prevent
this type of breach in the future, which of the following security controls should be put in
place before
bringing the database back online?
The analyst is blue team The employee is red team The manager is white team -
....ANSWER ...-A security analyst is reviewing logs and discovers that a company-
owned computer issued to an employee
is generating many alerts and analyst continues to review the log events and discovers
that a
non-company-owned device from a different, unknown IP address is general same
events. The analyst
...©️ 2025, ALL RIGHTS RESERVED 2
, informs the manager of these finding, and the manager explains that these activities are
already known
and . . . ongoing simulation. Given this scenario, which of the following roles are the
analyst, the employee, and the manager fillings?
Availability of application layer visualizers - ....ANSWER ...-A security analyst has
requested network engineers integrate sFlow into the SOC's overall monitoring
picture. For this to be a useful addition to the monitoring capabilities, which of the
following must be
considered by the engineering team?
. Single-tenancy PaaS - ....ANSWER ...-A team is at the beginning stages of
designing a new enterprise-wide application. The new application will
have a large
database and require a capital investment in hardware. The Chief Information Officer
(IO) has directed the
team to save money and reduce the reliance on the datacenter, and the vendor must
specialize in hosting
large databases in the cloud. Which of the following cloud-hosting options would BEST
meet these needs?
Order of volatility - ....ANSWER ...-During a security event investigation, a junior
analyst fails to create an image of a server's hard drive before
removing the drive and sending it to the forensics analyst. Later, the evidence from the
analysis is not
...©️ 2025, ALL RIGHTS RESERVED 3
