Latest Update: Jun 22 2026
Correct Answer: C
A is incorrect: Implementing a reverse proxy for remote desktop can provide a layer of abstraction between clients and internal services and can enforce certain security controls such as TLS configuration. However, reverse proxies are typically designed for web-based protocols (HTTP/HTTPS) rather than native RDP traffic. While some specialized proxies can handle RDP, this option does not inherently provide native integration for RDP authentication controls or MFA mechanisms specifically designed for remote desktop services. Therefore, it would not be the most appropriate solution for enforcing both MFA and secure cipher usage for RDP connections.
B is incorrect: Implementing a bastion host centralizes administrative access and allows administrators to connect to internal systems through a hardened intermediary server. While a bastion host can improve security by limiting exposure and monitoring access, it does not inherently enforce MFA or secure cipher negotiation for RDP sessions unless additional components are implemented. Additionally, the requirement specifies that network-level controls such as firewall restrictions should not be relied upon, and bastion hosts typically depend on such restrictions to control connectivity. Therefore, this option does not best meet the requirements.
C is correct: Implementing a Remote Desktop Gateway server with secure cipher enforcement and OTP-based MFA is the correct solution. A Remote Desktop Gateway (RD Gateway) allows RDP connections to be tunneled securely over HTTPS while enforcing authentication and encryption policies. The gateway can be configured to require multifactor authentication (such as one-time passwords) and enforce strong TLS cipher suites for encrypted sessions. Because the RD Gateway operates at the application layer, it allows centralized control of RDP access without relying on complex network segmentation or firewall restrictions. This design directly satisfies the requirement to enforce MFA and restrict RDP connections to secure cryptographic protocols.
D is incorrect: Implementing a Group Policy Object (GPO) to enforce TLS cipher suites and limit access to VPN users would strengthen encryption settings but would not fully meet the stated requirements. While GPO can enforce cryptographic policies, restricting RDP access to VPN users effectively relies on network-level access control, which the scenario specifically states the organization wants to avoid due to the complexity of the existing network. Additionally, this option does not inherently provide an MFA mechanism for RDP sessions. Therefore, it is not the best solution.
Correct Answer: D
A is incorrect: A Web Application Firewall (WAF) is designed to filter and monitor HTTP/HTTPS traffic between users and a web application. It protects applications from attacks such as SQL injection, cross-site scripting, and other web-layer threats. A WAF operates primarily as a preventive control, blocking malicious requests before they reach the application. While this can protect web applications, it does not intentionally attract attackers or allow security teams to study their behavior. In this scenario, the organization specifically wants to gain valuable attack information while protecting the environment, meaning the solution should allow attackers to interact with a controlled system. A WAF would block attacks rather than intentionally observe attacker behavior, making it less appropriate for the objective described.
B is incorrect: An Intrusion Detection System (IDS) monitors network or host activity and generates alerts when suspicious behavior or known attack signatures are detected. IDS technologies are valuable for identifying malicious activity and providing visibility into potential intrusions. However, they are passive monitoring controls and do not actively entice attackers or provide an isolated environment for observing attack techniques. In the scenario, attackers stop reconnaissance after identifying a vulnerable system. The company wants to leverage that behavior to gather intelligence. An IDS would only detect and alert on activity occurring in production systems, which could still place those systems at risk. Therefore, while IDS improves detection capabilities, it does not best support the goal of safely studying attacker behavior.
C is incorrect: A Security Information and Event Management (SIEM) platform aggregates logs and security events from multiple sources to provide centralized monitoring, correlation, and incident detection. SIEM solutions enable organizations to analyze historical attack patterns and identify anomalies across the enterprise environment. However, a SIEM primarily serves as a log analysis and correlation platform, not a mechanism to attract attackers or gather direct intelligence from interactive attack attempts. In this scenario, the organization already reviewed historical attack patterns and now wants to use that information operationally to observe attacker behavior in a controlled way. While SIEM would help analyze collected logs, it does not provide the controlled interaction environment needed to study attackers.
D is correct: A honeypot is a deliberately deployed system designed to appear vulnerable or valuable in order to attract attackers. Once attackers interact with the honeypot, security teams can safely observe reconnaissance methods, exploitation attempts, and attacker techniques without risking production systems. This approach both protects the real environment and generates valuable threat intelligence. CASP+ guidance recognizes honeypots as a method to deceive attackers and gather intelligence about tactics, techniques, and procedures (TTPs). By placing a susceptible system intentionally within a monitored and isolated environment, the company can encourage attackers to target it during reconnaissance and compromise attempts. This directly aligns with the scenario’s objective of protecting the environment while collecting meaningful attack data.
Correct Answer: A
A is correct: Implementing iterative software releases is the correct answer because iterative development allows software to be released in incremental versions while additional development and testing continue. In this model, an initial functional version of the CRM platform can be deployed to users while future enhancements, bug fixes, and additional features are developed in subsequent iterations. This approach supports tight deadlines and vendor dependencies because it enables the organization to deliver value earlier while maintaining ongoing improvements. Iterative releases are commonly used in agile and modern software delivery environments where functionality evolves through successive updates.
B is incorrect: Revising the scope of the project to use a waterfall approach does not fit the scenario. The waterfall methodology follows a linear and sequential development lifecycle, where each phase must be completed before the next begins. Typically, development, testing, and deployment occur in strict order, and the product is released only after all phases are completed. In the scenario, the company needs to begin releasing the CRM platform while continuing development and testing. Waterfall would delay deployment until the entire project is completed, making it unsuitable for meeting the immediate rollout deadline.
C is incorrect: Changing the scope of the project to use the spiral development methodology is not the best fit. The spiral model combines iterative development with risk analysis and is often used for complex or high-risk projects. Although it includes iterative elements, the spiral methodology focuses heavily on risk evaluation and formal development cycles rather than rapid incremental releases to users. It is typically used for large-scale or high-risk engineering projects rather than fast-paced delivery environments. Therefore, while iterative in nature, it does not best address the requirement for quickly releasing functional components while continuing development.
D is incorrect: Performing continuous integration is not a release strategy on its own. Continuous integration (CI) is a development practice where developers frequently merge code changes into a shared repository, followed by automated builds and tests. While CI improves development efficiency and code quality, it does not inherently provide incremental product releases to end users. Therefore, CI alone would not allow the company to begin releasing the CRM platform while continuing development of future features.
Correct Answer: C
A is incorrect: This option describes a traditional processing model where data is decrypted on the server before processing. Once data is decrypted, it is exposed in plaintext within the processing environment, meaning the server or administrators could potentially access the sensitive information. Homomorphic encryption specifically avoids this by allowing computation without decrypting the data, so this option does not reflect the defining characteristic of homomorphic encryption.
B is incorrect: Maintaining confidentiality at rest and in transit is typically achieved through standard encryption methods such as TLS for data in transit and disk or database encryption for data at rest. However, these approaches still require data to be decrypted before processing. Homomorphic encryption is specifically designed to protect data while it is being processed, not just during storage or transmission.
C is correct: Homomorphic encryption enables computation on encrypted data without decrypting it first. CASP+ cryptography guidance explains that this approach is particularly useful when sending sensitive information to external computing resources, such as cloud service providers, where the organization does not fully trust the environment. The data remains encrypted while computations are performed, and only the final result is decrypted by the data owner. This makes it ideal for cloud-based processing scenarios where confidentiality must be preserved during computation.
D is incorrect: Storing proprietary data across multiple nodes in a private cloud relates more to distributed storage or redundancy mechanisms such as clustering or sharding. These approaches focus on availability and access control rather than enabling computation on encrypted data. Homomorphic encryption is specifically designed for secure computation on encrypted datasets, not for distributed storage protection.
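As an added example (not from this page or any exam material), a toy Paillier implementation shows the property described above: the untrusted processing side adds and scales encrypted values without ever seeing a plaintext, and only the key holder decrypts the result. All function names are the example's own, and the primes are small constructed values; a real deployment needs primes of proper size.

```python
import secrets
from math import gcd


def _lcm(a, b):
    return a * b // gcd(a, b)


def paillier_keygen(p, q):
    """Build a toy Paillier key pair from two caller-supplied primes.

    Uses the common simplification g = n + 1, for which
    L(g^lambda mod n^2) = lambda, so mu is simply lambda^-1 mod n.
    """
    n = p * q
    lam = _lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)
    return (n, n + 1), (lam, mu)


def paillier_encrypt(pub, m):
    """Encrypt integer m (0 <= m < n) with fresh randomness r, so two
    encryptions of the same value produce different ciphertexts."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def paillier_decrypt(priv, pub, c):
    """Only the holder of (lambda, mu) can recover the plaintext."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    l_value = (pow(c, lam, n2) - 1) // n   # L(x) = (x - 1) / n
    return (l_value * mu) % n


def add_encrypted(pub, c1, c2):
    """The untrusted processor adds two plaintexts by multiplying ciphertexts."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Multiplying a plaintext by a public constant k is exponentiation of c."""
    n, _ = pub
    return pow(c, k, n * n)


def demo():
    # Constructed scenario: the data owner keeps priv, hands pub and two
    # encrypted salary figures to a cloud service, and decrypts only the results.
    pub, priv = paillier_keygen(1000003, 1000033)   # toy primes; real keys are far larger
    c_a = paillier_encrypt(pub, 1234)
    c_b = paillier_encrypt(pub, 5678)
    c_sum = add_encrypted(pub, c_a, c_b)          # computed by the cloud, still encrypted
    c_triple = scale_encrypted(pub, c_a, 3)
    return paillier_decrypt(priv, pub, c_sum), paillier_decrypt(priv, pub, c_triple)


if __name__ == "__main__":
    print(demo())   # (6912, 3702)
```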
Correct Answer: B
A is incorrect: Reverse proxy authentication provides an authentication layer between users and backend services by verifying identity before allowing access to an application. While this control can protect applications exposed to external clients and enforce authentication policies, it does not control communication between internal workloads once a service has been compromised. In the scenario, the attacker has already gained access to a containerized service and is attempting lateral movement across workloads. Because reverse proxies primarily protect north–south traffic rather than east–west traffic between workloads, they do not effectively prevent lateral movement in this situation.
B is correct: Microsegmentation between workloads is the correct answer because it enforces granular network and policy-based isolation between services, containers, or workloads. In a Zero Trust architecture, microsegmentation applies least-privilege communication rules so that workloads can only communicate with explicitly authorized services. If an attacker compromises a container, microsegmentation prevents the attacker from freely pivoting to other workloads. This significantly limits lateral movement and reduces the blast radius of a compromise within containerized or cloud-native environments. Security architecture guidance emphasizes microsegmentation as a key mechanism for enforcing Zero Trust principles within internal network traffic.
C is incorrect: DNS filtering blocks or restricts access to known malicious domains by analyzing domain name resolution requests. It is useful for preventing systems from communicating with external command-and-control infrastructure or malicious websites. However, DNS filtering focuses primarily on outbound communication to external domains and does not restrict direct communication between internal workloads within the same environment. Therefore, it does not effectively prevent lateral movement inside the environment.
D is incorrect: Network address translation (NAT) translates private IP addresses to public addresses for communication with external networks. While NAT can hide internal network structures from external systems, it does not enforce security segmentation between internal workloads. Once an attacker gains access to a compromised container or service within the network, NAT does not prevent that workload from communicating with other internal resources. As a result, NAT does not provide effective protection against lateral movement between workloads.
Correct Answer: C
A is incorrect: Symmetric encryption uses a single shared secret key for both encryption and decryption of data. It is commonly used to protect data at rest or in transit because of its efficiency and performance advantages. However, symmetric encryption by itself does not provide a mechanism for distributing or spreading encrypted data across multiple storage locations. It focuses only on encrypting data rather than dispersing it across different storage systems. Therefore, it does not specifically address the requirement of adding encryption across multiple data storages.
B is incorrect: Homomorphic encryption allows computations to be performed on encrypted data without decrypting it first. This technique enables secure processing of sensitive information in environments where the processing system cannot be fully trusted. While homomorphic encryption is useful for protecting data during computation, it does not inherently distribute or split encrypted data across multiple storage locations. Its primary purpose is secure processing rather than storage distribution or dispersion.
C is correct: Data dispersion is the correct answer because it is a technique that divides data into multiple fragments and distributes those fragments across different storage locations or systems. Before distribution, the data is typically encrypted or encoded so that no single storage location contains enough information to reconstruct the original data. This approach improves both security and availability, since compromising one storage node does not reveal the full dataset and multiple fragments are required to reconstruct the data. Cloud service providers often use data dispersion to enhance protection across distributed storage infrastructures.
D is incorrect: Bit splitting refers to dividing data at the bit level and storing parts separately. While similar in concept to dispersion, it is not commonly referenced as a standard technology used by cloud service providers for distributed encrypted storage architectures. Bit splitting alone does not necessarily include the redundancy, encryption, and reconstruction mechanisms associated with modern cloud storage protection methods. Therefore, it does not best represent the technology described in the scenario.
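As an added illustration (not from this page, and not any provider's product code), the following realizes the dispersion property described above with Shamir threshold secret sharing over GF(257), applied byte by byte: in a k-of-n layout, one storage node on its own holds nothing recoverable, any k nodes rebuild the data, and losing up to n-k nodes costs no availability. All names and the sample record are constructed for the example.

```python
import secrets

PRIME = 257  # smallest prime above 255, so every byte value is a field element


def _eval_poly(coeffs, x):
    # Horner evaluation of a polynomial over GF(PRIME); coeffs[0] is the secret byte
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def _split_byte(value, k, n):
    # A random degree k-1 polynomial with the secret as constant term;
    # its value at x = 1..n gives one share per storage node.
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [_eval_poly(coeffs, x) for x in range(1, n + 1)]


def disperse(data, k, n):
    """Return n fragments (node_id, share_values) for a k-of-n scheme."""
    if not 1 < k <= n < PRIME:
        raise ValueError("need 1 < k <= n < 257")
    per_byte = [_split_byte(b, k, n) for b in data]
    return [(x, [shares[x - 1] for shares in per_byte]) for x in range(1, n + 1)]


def _interpolate_at_zero(points):
    # Lagrange interpolation at x = 0 recovers the constant term (the secret byte)
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def reconstruct(fragments, k):
    """Rebuild the data from any k distinct fragments; fewer than k is refused."""
    distinct = list({x: vals for x, vals in fragments}.items())
    if len(distinct) < k:
        raise ValueError("fewer than k distinct fragments: nothing can be recovered")
    chosen = distinct[:k]
    length = len(chosen[0][1])
    out = bytearray()
    for idx in range(length):
        out.append(_interpolate_at_zero([(x, vals[idx]) for x, vals in chosen]))
    return bytes(out)


def demo():
    record = b"constructed sample: acct 4471 balance 1250.00"   # sample data, not real
    fragments = disperse(record, k=3, n=5)                    # five storage locations
    survivors = [fragments[0], fragments[2], fragments[4]]    # nodes 2 and 4 are offline
    return reconstruct(survivors, 3) == record


if __name__ == "__main__":
    print(demo())   # True
```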
Correct Answer: A
A is correct: Ladder logic is the most relevant programming language for programmable logic controllers (PLCs). It is a graphical programming language specifically designed for industrial control systems and automation environments. Ladder logic represents control logic using symbols that resemble electrical relay circuits, making it intuitive for engineers and technicians familiar with industrial electrical systems. CASP+ materials identify ladder logic as a core programming method used in PLC-based operational technology (OT) environments such as manufacturing systems, industrial automation, and supervisory control and data acquisition (SCADA) systems.
B is incorrect: Rust is a modern systems programming language focused on memory safety and performance. While it is increasingly used for secure system-level software development, it is not typically used in PLC programming or industrial control systems. PLCs rely on specialized languages defined by industrial automation standards rather than general-purpose programming languages such as Rust.
C is incorrect: C is widely used for embedded systems and firmware development and may appear in some industrial device implementations. However, PLC programming environments generally rely on standardized industrial languages such as ladder logic, structured text, or function block diagrams rather than traditional compiled languages like C. Therefore, C is not the most relevant language when discussing PLC programming practices.
D is incorrect: Python is a general-purpose scripting language commonly used for automation, scripting, and data processing. While it may interact with OT environments through management systems or analytics tools, Python is not a native PLC programming language used for developing control logic inside PLC devices.
E is incorrect: Java is primarily used for enterprise applications, web services, and large-scale software systems. It is not used to develop control programs for PLCs within industrial automation environments. PLCs rely on specialized industrial programming languages tailored for deterministic control systems rather than enterprise application languages like Java.
Select all that apply
Correct Answers: D, E
A is incorrect: Keyloggers capture keystrokes regardless of how many characters are entered. Whether the system asks for the full password or only selected characters, a keylogger would still record what the user types. Requesting specific characters does not inherently increase the likelihood of successful keylogging. Therefore, the presence of this prompt does not demonstrate a unique vulnerability related to keylogging.
B is incorrect: Salting relates to password hashing storage practices, where a random value is added to the password before hashing to protect against rainbow table attacks. The login process asking for certain characters of the password does not provide evidence regarding how the password hash is stored or whether salting is implemented. Therefore, this behavior does not demonstrate that salting is absent or that the system is vulnerable to rainbow table attacks.
C is incorrect: Encoding versus encryption is unrelated to this login mechanism. Encoding simply transforms data into another format for compatibility, while encryption protects confidentiality through cryptographic methods. The request for specific password characters does not indicate that the password is encoded or encrypted, nor does it reveal the storage method used by the system. Consequently, this option does not accurately describe the security concern.
D is correct: If only specific characters are requested, an attacker attempting to guess the password may only need to determine those requested positions rather than the entire password. For example, if the login request asks for the 3rd, 8th, and 11th characters, the attacker only needs to brute-force those characters rather than all 12. This significantly reduces the complexity of the attack for that authentication attempt and can weaken overall authentication security if implemented improperly.
E is correct: To verify individual characters from arbitrary positions, the system must have the ability to compare each character independently. This implies that the password is stored in a reversible format (such as cleartext or encrypted but decryptable) rather than being stored as a one-way hash. Secure password storage practices normally use salted hashes, which do not allow the system to retrieve or compare individual characters. If the system can request specific characters, it strongly suggests the password can be read or reconstructed internally, which is a significant security risk.
F is incorrect: Passwords do not necessarily need to be in cleartext during transit simply because specific characters are requested. Secure transport mechanisms such as TLS can protect the data while it is transmitted between the user and the server. Therefore, this login design does not prove that the password is exposed to on-path attacks. The primary concern is how the password is stored and validated internally rather than the transport mechanism used during login.
Correct Answer: A
A is correct: In the shared responsibility model for cloud services, responsibilities vary depending on the service model. With Platform as a Service (PaaS), the cloud service provider manages the underlying infrastructure such as hardware, networking, and the platform runtime. However, the organization building and delivering the SaaS application remains responsible for ensuring that the overall service it provides complies with regulatory requirements. Because the CRM company is the entity offering the SaaS product to customers, it must ensure that the solution—including the configuration and operation of the environment within the PaaS platform—meets regulatory obligations.
B is incorrect: The CRM company’s customer consumes the SaaS application but does not control or manage the infrastructure hosting the service. Customers may define security or compliance requirements in contracts or procurement processes, but they are not responsible for implementing configuration management, patch management, or lifecycle management for the infrastructure supporting the SaaS product. Therefore, the responsibility for meeting regulatory compliance does not fall on the customer.
C is incorrect: The cloud service provider (CSP) manages the physical infrastructure and the underlying platform components in a PaaS model. While the CSP is responsible for securing and maintaining the platform services they provide, they are not responsible for ensuring that the CRM company’s SaaS product meets the specific regulatory requirements demanded by the CRM company’s customers. The CSP provides compliant infrastructure capabilities, but the responsibility for regulatory compliance of the delivered service remains with the SaaS provider.
D is incorrect: Regulatory bodies define and enforce compliance requirements and standards, such as data protection or financial regulations. However, they do not implement or manage the technical controls required to meet those regulations. Instead, organizations that process regulated data must implement and maintain the required controls. Therefore, the regulatory body establishes the requirements but is not responsible for ensuring the CRM system’s infrastructure complies with them.
Correct Answer: C
A is incorrect: A cache server farm located only in the New York City datacenter may improve performance for some repeated content requests, but it does not solve the core issue of global geographic distribution. Users located far from New York would still experience higher latency because requests must traverse long network distances before reaching the cache environment. It also does not inherently provide distributed DDoS absorption at the network edge. While local caching can reduce backend workload, it does not best meet the combined requirements of worldwide low latency, SSL offloading, DDoS protection, and high availability. From a CASP+ architectural perspective, this option is too centralized for a globally distributed customer-facing application.
B is incorrect: A load-balanced group of reverse proxy servers with SSL acceleration would help with SSL offloading and can improve local availability and server performance. Reverse proxies can also add some defensive capability against application-layer attacks. However, if these systems are still centralized in or near the primary datacenter, they do not fully address the requirement for low latency for users in multiple remote geographic regions. This design improves front-end efficiency but remains largely dependent on the single datacenter footprint. It does not provide the same globally distributed content delivery and edge-based resiliency that a more geographically dispersed architecture would offer.
C is correct: A content delivery network with the origin set to the organization’s datacenter is the best fit because it distributes content across geographically dispersed edge locations closer to end users, which directly supports low latency worldwide. CDNs commonly provide SSL/TLS offloading at edge nodes, reducing the processing burden on the origin web servers, and they also improve high availability by serving content from distributed infrastructure rather than relying solely on the single New York datacenter. This is also the strongest answer for DoS and DDoS protection, because a CDN can absorb and distribute malicious traffic across a large edge network before it reaches the origin. Under CompTIA exam logic, this is the most comprehensive architectural solution because it addresses all four stated requirements in one design: performance, resilience, protection, and scalability.
D is incorrect: Dual Internet connections with managed DDoS prevention improve uplink redundancy and can strengthen protection against volumetric attacks aimed at the datacenter edge. However, this remains a datacenter-centric solution and does not adequately address the requirement for low latency for users around the world. The physical distance between users and the single New York origin would still introduce latency for remote mobile customers. This option helps with connectivity resilience and some aspects of attack mitigation, but it does not deliver the same globally distributed application acceleration or edge-based SSL offloading provided by a CDN. Therefore, it is not the best overall choice.
