Latest Update: Jun 22 2026
Correct Answer: D
A is incorrect: Immediately powering off all systems may seem like a way to stop further malicious activity, but it can destroy valuable forensic evidence. Volatile data such as memory contents, active network connections, and running processes would be lost. In incident response and digital forensics, preserving evidence is a priority before taking disruptive containment actions. Therefore, abruptly shutting down systems could compromise the investigation and is not the correct next step.
B is incorrect: Involving law enforcement may become necessary when evidence suggests criminal activity. However, contacting law enforcement should occur after the organization has preserved evidence and conducted initial incident response procedures according to its policies and legal guidance. If evidence is not properly preserved beforehand, critical forensic artifacts may be lost or challenged in legal proceedings. Therefore, law enforcement engagement should not be the immediate next action.
C is incorrect: Contacting the user referenced in the log files could alert a potential suspect and may lead to destruction or alteration of evidence. Incident response and forensic investigations typically avoid notifying individuals who may be involved until evidence is properly preserved and investigators are prepared to proceed. Prematurely contacting the user could compromise the investigation. Therefore, this option is not appropriate as the next step.
D is correct: Taking a system snapshot preserves the current state of the system and captures important forensic artifacts such as system configuration, file states, and potentially memory or disk images depending on the snapshot method. Preserving evidence is a fundamental principle in incident response and digital forensics to ensure that the integrity of the data is maintained for investigation and possible legal proceedings. By capturing a snapshot, the security team ensures that evidence remains intact before further remediation or investigation activities occur. Therefore, preserving the system state through a snapshot is the most appropriate next action.
E is incorrect: Contacting the human resources department may be necessary if the investigation later determines that an employee violated organizational policies. However, at this stage the priority is preserving evidence and conducting a proper forensic investigation. HR involvement typically occurs after sufficient evidence has been collected and validated. Therefore, reaching out to HR would not be the immediate next step.
Correct Answer: B
A is incorrect: Writing a SIEM rule to alert when files are created does not directly address the risk described. The concern is unauthorized modification of an already generated file containing sensitive data. A rule that alerts on file creation would not detect subsequent alterations or tampering. While SIEM can aggregate logs and generate alerts, this specific rule would not ensure integrity monitoring of the file after it is produced.
B is correct: File Integrity Monitoring (FIM) tracks changes to files and alerts administrators when modifications occur. Implementing FIM allows the organization to monitor access and detect unauthorized modifications to sensitive files. By generating alerts when the file is accessed by IP addresses not associated with the application, the organization can detect suspicious activity and identify potential insider threats attempting to alter the data. CASP+ guidance emphasizes FIM as a method for detecting unauthorized file changes and preserving data integrity for critical systems and sensitive information.
C is incorrect: Comparing file size periodically is an unreliable method for detecting malicious modification. Attackers could modify the contents of the file without changing its overall size, allowing tampering to go undetected. Additionally, this method does not provide cryptographic validation of file integrity and lacks the monitoring and alerting capabilities associated with dedicated integrity monitoring solutions.
D is incorrect: Tuning host-based IDS rules to alert when the server is accessed from the internet focuses on network-based intrusion detection rather than protecting the integrity of files stored on the system. The scenario involves an insider threat modifying data internally, so monitoring external access would not effectively detect unauthorized changes made to the file by internal actors.
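The contrast between options B and C can be shown directly: a size check misses an edit that keeps the byte count the same, while a hash-based integrity baseline catches it, and an allowlist of the application's own source addresses turns access records into alerts. The following is an added Python example written for this page, not code from CASP+ or from any FIM product; the file path, the allowed application IP 10.0.5.20 and the audit log lines are constructed sample data.

```python
import hashlib
import os
import tempfile

# Constructed sample: the only host that legitimately writes the report.
ALLOWED_APP_IPS = {"10.0.5.20"}

# Constructed file-access audit lines: "<timestamp> <client-ip> <action> <path>".
ACCESS_LOG = [
    "2024-03-01T10:00:01Z 10.0.5.20 WRITE /srv/reports/customers.csv",
    "2024-03-01T10:00:02Z 10.0.5.20 READ /srv/reports/customers.csv",
    "2024-03-01T11:42:13Z 10.0.9.77 WRITE /srv/reports/customers.csv",
]


def sha256_file(path):
    """Stream the file through SHA-256 so large reports need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(paths):
    """Record size and digest of each monitored file right after it is generated."""
    return {p: {"size": os.path.getsize(p), "sha256": sha256_file(p)} for p in paths}


def changed_by_size(baseline, path):
    """Option C: a change is only noticed if the byte count differs."""
    return os.path.getsize(path) != baseline[path]["size"]


def changed_by_hash(baseline, path):
    """Option B: any change to the content alters the digest."""
    return sha256_file(path) != baseline[path]["sha256"]


def suspicious_access(log_lines, allowed_ips):
    """Return (timestamp, ip, action, path) for accesses from IPs not tied to the application."""
    alerts = []
    for line in log_lines:
        ts, ip, action, path = line.split()
        if ip not in allowed_ips:
            alerts.append((ts, ip, action, path))
    return alerts


def demo_same_size_tamper():
    """Generate a report, alter it without changing its length, and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        report = os.path.join(tmp, "customers.csv")
        with open(report, "w") as fh:
            fh.write("account,balance\n1001,250.00\n")
        baseline = take_baseline([report])
        # Same-length edit: one digit changed, so the size check has nothing to see.
        with open(report, "w") as fh:
            fh.write("account,balance\n1001,950.00\n")
        return {
            "size_detects": changed_by_size(baseline, report),
            "hash_detects": changed_by_hash(baseline, report),
        }


if __name__ == "__main__":
    print(demo_same_size_tamper())
    for alert in suspicious_access(ACCESS_LOG, ALLOWED_APP_IPS):
        print("ALERT: unexpected access", alert)
```

Running the script reports `size_detects` as False and `hash_detects` as True, and raises one alert for the write from 10.0.9.77. A production FIM agent would store the baseline digests somewhere the monitored host cannot rewrite them, since a baseline kept beside the file can be re-hashed by the same insider.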
Correct Answer: C
A is incorrect: Online Certificate Status Protocol (OCSP) is used to verify the revocation status of a digital certificate in real time. It allows clients to check whether a certificate is still valid or has been revoked by the issuing certificate authority. While OCSP improves certificate validation efficiency compared to CRLs, it does not allow multiple domain names to be included in a single certificate.
B is incorrect: Certificate Revocation Lists (CRLs) are lists published by certificate authorities that contain certificates that have been revoked before their expiration date. Systems can download these lists to determine whether a certificate should no longer be trusted. CRLs relate to certificate validity management rather than supporting multiple domain names within a single certificate.
C is correct: Subject Alternative Name (SAN) is the correct answer because SAN certificates allow multiple domain names or hostnames to be included within a single digital certificate. This enables a single certificate to secure multiple websites or services, reducing the number of certificates that must be issued and managed. CASP+ materials describe SAN certificates as a method used by hosting providers to support multiple domains while minimizing certificate management overhead.
D is incorrect: Certificate Authorities (CAs) are trusted entities that issue and manage digital certificates. While a CA provides the certificates themselves, it does not inherently determine whether a certificate can support multiple domain names. The ability to include multiple domains is a feature of SAN certificates rather than a function of the CA.
Correct Answer: B
A is incorrect: DNSSEC (Domain Name System Security Extensions) protects the integrity of DNS responses by cryptographically validating that DNS records have not been tampered with during transmission. DNSSEC helps prevent attacks such as DNS spoofing or cache poisoning. However, in this scenario the DNS infrastructure is already returning correct results and shows no indicators of compromise. The problem involves users being redirected to look-alike domains caused by typosquatting rather than DNS tampering, so DNSSEC would not mitigate the issue.
B is correct: DNS filtering allows the ISP to block or redirect requests to known malicious or suspicious domains, including domains associated with typosquatting or phishing campaigns. By implementing DNS filtering, the security team can prevent customers from reaching fraudulent domains that mimic the ISP’s website and attempt to collect personal information. CASP guidance emphasizes the use of DNS-based security controls to prevent users from accessing malicious domains and phishing infrastructure.
C is incorrect: Multifactor authentication (MFA) strengthens account authentication by requiring multiple verification factors during login. While MFA helps protect accounts from unauthorized access if credentials are stolen, it does not prevent users from visiting malicious websites or being redirected to typosquatted domains. Therefore, it does not address the root cause of the problem described.
D is incorrect: Self-signed certificates are certificates that are not issued by a trusted certificate authority. Implementing self-signed certificates would not prevent typosquatting or malicious domain redirection. In fact, self-signed certificates may reduce user trust and introduce additional security warnings rather than mitigate phishing or advertising redirection attacks.
E is incorrect: Revocation of compromised certificates would be appropriate if a legitimate certificate had been stolen or misused to impersonate the ISP’s website. In this scenario, however, there is no indication that certificates have been compromised. The issue involves users navigating to similar-looking domains rather than attackers abusing legitimate certificates from the ISP. Therefore, certificate revocation would not address the threat.
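A filtering resolver, as described in option B, needs a policy that says which names to answer and which to refuse. The Python below is an added example for this page, not code from CASP+ or from any resolver product: it combines a static blocklist with a look-alike check (homoglyph substitution and edit distance against the ISP's own domain). The domain example-isp.com, the blocklist entry and the homoglyph table are constructed; the registrable-label helper assumes single-label public suffixes and would use the Public Suffix List in a real deployment.

```python
# Constructed sample data: the ISP's own domains and a feed of already-known bad domains.
PROTECTED_DOMAINS = ["example-isp.com"]
BLOCKLIST = {"free-isp-rewards.example"}

# Character swaps commonly used to build a look-alike label; applied before comparing.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def registrable_label(domain):
    """Second-level label of a dotted name, e.g. 'example-isp' from 'www.example-isp.com'.
    Assumption: single-label public suffixes (.com, .net); real code would consult the PSL."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Fold common look-alike character sequences back to the letters they imitate."""
    out = label
    for glyph, plain in HOMOGLYPHS.items():
        out = out.replace(glyph, plain)
    return out


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_own_domain(name, protected):
    """True for the protected domain itself or any of its subdomains."""
    return any(name == p or name.endswith("." + p) for p in protected)


def lookalike_reason(name, protected, max_distance=2):
    """Explain why `name` resembles a protected domain, or return None if it does not."""
    label = registrable_label(name)
    for legit in protected:
        legit_label = registrable_label(legit)
        if label == legit_label:
            return f"same label as {legit} under a different suffix"
        if normalize(label) == legit_label:
            return f"homoglyph variant of {legit}"
        if levenshtein(label, legit_label) <= max_distance:
            return f"within {max_distance} edits of {legit}"
    return None


def resolver_policy(qname, protected=PROTECTED_DOMAINS, blocklist=BLOCKLIST):
    """Decide whether a filtering resolver should answer a query. Returns (verdict, reason)."""
    name = qname.lower().rstrip(".")
    if is_own_domain(name, protected):
        return ("allow", None)
    if name in blocklist:
        return ("block", "on blocklist")
    reason = lookalike_reason(name, protected)
    if reason:
        return ("block", reason)
    return ("allow", None)


if __name__ == "__main__":
    for q in ["www.example-isp.com", "examp1e-isp.com", "exmaple-isp.com",
              "example-isp.net", "weather.example", "free-isp-rewards.example"]:
        print(q, "->", resolver_policy(q))
```

The look-alike check is deliberately conservative (distance of two on the registrable label only), because a filtering resolver that blocks too broadly becomes an availability problem for the same customers it is meant to protect; flagged names are better fed to an analyst queue or a sinkhole page than silently dropped.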
Correct Answer: B
A is incorrect: Availability refers to ensuring that systems and data are accessible when needed. While availability is an important security principle, historical backups generally have less stringent availability requirements compared to production systems. The key concern in this scenario is the protection and regulatory handling of customer personally identifiable information (PII), rather than ensuring rapid access to the backups. Therefore, availability is not the most critical factor when deciding whether to move PII backups to a cloud provider.
B is correct: Data sovereignty is the most important consideration when transferring backups containing customer PII to a cloud service provider. Data sovereignty refers to the requirement that data is subject to the laws and regulations of the country where it is stored or processed. If PII is stored in a different jurisdiction, it may become subject to foreign regulations, disclosure requirements, or privacy laws. Before migrating sensitive customer data to the cloud, the organization must ensure that the storage location and provider comply with applicable legal and regulatory obligations governing personal data protection.
C is incorrect: Geography refers to the physical region where infrastructure or services are located. Although geography can influence latency and regulatory considerations, it is primarily a technical or operational factor. Data sovereignty specifically addresses the legal jurisdiction governing the stored data, which is the core concern when dealing with PII. Therefore, geography alone does not capture the full compliance implications.
D is incorrect: Vendor lock-in refers to the difficulty of migrating services or data from one provider to another due to proprietary technologies or contractual limitations. While this is an important strategic consideration when adopting cloud services, it does not represent the most critical risk when storing backups containing sensitive customer PII. Compliance with privacy and legal requirements must be addressed first.
Select all that apply
Correct Answers: A, B
A is correct: Proxy servers act as intermediaries between the user and internet services. When configured on a mobile device, a proxy can mask the user’s IP address and route traffic through another server, helping conceal user activity and adding an additional layer of privacy. In security architectures, proxies are also used for traffic inspection and content filtering. While encryption may still rely on protocols such as HTTPS or VPN tunneling, proxies support privacy by obscuring the user’s direct connection to destination services.
B is correct: Tunneling creates an encrypted pathway between the mobile device and another endpoint, commonly through technologies such as VPNs. The tunnel encapsulates network traffic and encrypts it, protecting data in transit and preventing intermediaries from viewing user activity. Tunneling also helps hide browsing activity from local networks or internet service providers. CASP materials highlight tunneling protocols as key mechanisms for securing communications across untrusted networks.
C is incorrect: Virtual Desktop Infrastructure (VDI) allows users to access a virtualized desktop environment hosted on centralized servers. Although VDI can protect data by keeping it within the enterprise environment rather than on the mobile device, it does not directly encrypt the device’s internet traffic or conceal browsing activity in the way tunneling or proxy solutions do.
D is incorrect: Mobile Device Management (MDM) platforms enforce policies and manage mobile devices within an enterprise environment. MDM solutions can configure security settings, enforce encryption, and deploy applications, but they are management frameworks rather than direct mechanisms for encrypting network connections or hiding internet activity.
E is incorrect: Remote Desktop Protocol (RDP) provides remote access to a system’s graphical interface. While RDP sessions can be encrypted, the protocol is primarily intended for remote administration or remote desktop access rather than protecting general mobile device internet browsing activity or anonymizing traffic.
F is incorrect: Containerization isolates enterprise applications and data on mobile devices by placing them in a secure container separate from personal data. This approach protects enterprise information and enforces policy boundaries but does not directly encrypt network traffic or conceal user internet activity from networks.
Correct Answer: A
A is correct: Regional data residency controls enforce policies that ensure data is stored and processed only within designated geographic regions. These controls are commonly used to comply with privacy and data sovereignty regulations that restrict where personal or sensitive data may reside. By configuring cloud services or storage systems to restrict data placement to specific jurisdictions, organizations can ensure regulatory compliance with regional privacy laws such as GDPR or similar national regulations.
B is incorrect: Global centralized storage consolidates data into a single location regardless of jurisdiction. While this may simplify management and reduce operational complexity, it does not ensure that customer data remains within specific legal jurisdictions. In many cases, centralized storage may violate data sovereignty laws if the storage location is outside the permitted geographic region.
C is incorrect: Cross-region replication automatically copies data between multiple geographic regions to improve resilience and disaster recovery. However, enabling replication across regions could cause customer data to be stored outside the jurisdictions required by privacy regulations. This would conflict with regulatory requirements that mandate strict geographic boundaries for data storage and processing.
D is incorrect: Unrestricted SaaS synchronization allows data to be synchronized freely across multiple systems and locations without geographic restrictions. While this may improve accessibility and collaboration, it provides no control over where data is stored or processed. As a result, it could easily lead to regulatory violations when data moves into jurisdictions that do not meet required privacy or data residency standards.
