Latest Update: Jun 22 2026
Correct Answer: C
A is incorrect: The Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for coordinating global domain name systems, IP address allocation, and internet identifiers. While ICANN plays an important role in maintaining the stability and governance of the internet infrastructure, it does not focus on developing tools, methodologies, or best practices specifically related to web application security.
B is incorrect: PCI DSS (Payment Card Industry Data Security Standard) is a compliance framework designed to protect payment card data. It provides requirements and controls for organizations that store, process, or transmit cardholder data. While it includes security guidance relevant to web applications handling payment information, PCI DSS is primarily a regulatory compliance standard rather than an open community producing tools and methodologies for general web application security development.
C is correct: OWASP (Open Worldwide Application Security Project) is an open community dedicated to improving the security of software, particularly web applications. It produces widely recognized resources such as the OWASP Top Ten, security testing methodologies, secure development guidelines, and numerous tools and documentation for developers. CASP+ materials highlight OWASP as a key resource for developers seeking best practices and security guidance for building and maintaining secure web applications.
D is incorrect: The Cloud Security Alliance (CSA) focuses on security best practices for cloud computing environments. It provides frameworks, research, and guidance related to cloud governance, cloud service security, and cloud architecture. While CSA contributes valuable information about cloud security, it does not specifically focus on tools and methodologies for web application security development in the same way OWASP does.
E is incorrect: The National Institute of Standards and Technology (NIST) publishes extensive security standards, frameworks, and guidelines such as the NIST Cybersecurity Framework and SP 800-series publications. Although NIST provides valuable high-level security guidance and standards, it is not an online developer community dedicated to producing web application security tools and practical methodologies like OWASP.
Correct Answer: C
A is incorrect: Free-form message support is not the primary security concern associated with the Distributed Network Protocol (DNP3). The protocol defines structured communication formats for supervisory control and data acquisition (SCADA) and operational technology (OT) environments. The main security issues historically associated with DNP3 relate to the lack of built-in security features rather than message formatting flexibility.
B is incorrect: DNP3 function codes are standardized as part of the protocol specification and are designed to support communication between master stations and field devices in industrial control systems. The presence of standardized function codes ensures interoperability between devices and does not represent the core security weakness of the protocol.
C is correct: A major security concern with DNP3 is that the original protocol included no authentication: a master station or outstation accepts any well-formed message, so an attacker with access to the control network can spoof a master, inject commands, or alter reported values. DNP3 Secure Authentication, standardized in IEEE 1815, was added later to authenticate critical requests, but it must be explicitly deployed and many fielded devices still speak the unauthenticated original; it also does not by itself encrypt traffic, so confidentiality on IP networks requires a separate transport protection such as TLS. CASP+ materials highlight that many legacy OT protocols, including DNP3, were designed without strong authentication or encryption, creating security risks once these networks are connected to enterprise or public networks.
D is incorrect: Being an open protocol does not inherently create a security vulnerability. Many widely used secure technologies are open standards. The security risk with DNP3 is not related to its openness but rather to the historical lack of built-in authentication and encryption mechanisms in earlier implementations of the protocol.
Correct Answer: C
A is incorrect: Recovery Point Objective (RPO) defines the maximum acceptable amount of data loss measured in time. It determines how frequently backups must occur to ensure that data can be restored to an acceptable state after a disruption. The issue described in the scenario relates to computational resources being insufficient to restore services during a disaster recovery test, not the amount of recoverable data. Therefore, adjusting the RPO would not address the resource exhaustion problem encountered during restoration.
B is incorrect: Recovery Time Objective (RTO) defines the maximum acceptable amount of time a system or service can remain unavailable after a disruption. It focuses on how quickly systems must be restored to operational status. Although RTO influences recovery planning and resource allocation, the issue described concerns which services should be prioritized during restoration when resources are limited. Changing the RTO alone would not resolve the problem of computational resources running out before all critical services were restored.
C is correct: Mission-essential functions identify the most critical business processes and supporting systems that must be restored first to maintain organizational operations during a disaster. These functions are determined during the business impact analysis and guide prioritization during recovery efforts. The scenario indicates that restoration reached 70% before computational resources were exhausted, suggesting that the prioritization of critical services may not have been properly defined or aligned with available resources. Modifying the identification and prioritization of mission-essential functions ensures that the most critical services are restored within the available resources during disaster recovery operations.
D is incorrect: Recovery service level refers to the expected level of service provided after systems are restored following an outage. It typically relates to service-level agreements and operational performance targets after recovery has occurred. The scenario focuses on the inability to complete restoration due to insufficient computational resources during the recovery process, rather than the level of service delivered after recovery. Consequently, adjusting the recovery service level would not directly prevent the issue described.
Correct Answer: B
A is incorrect: Risk appetite defines the amount and type of risk an organization is willing to accept in pursuit of its objectives. It guides high-level risk management decisions and strategic planning. The scenario focuses on managing dormant user accounts and ensuring access is only retained by users who actively require it. This operational access control practice is unrelated to determining acceptable organizational risk levels.
B is correct: The principle of least privilege requires that users be granted only the access necessary to perform their job functions and no more. Periodically reviewing accounts and disabling those that are inactive helps ensure that unnecessary access privileges are removed. Dormant accounts represent a security risk because they can be exploited by attackers without being immediately noticed. By requiring users to actively confirm their need for access and disabling accounts that remain unused, the organization is enforcing least privilege by minimizing unnecessary permissions.
C is incorrect: Just-in-time (JIT) access provides temporary privileges to users only when those privileges are required and removes them when the task is completed. This approach limits the exposure window for privileged access. The policy described in the scenario focuses on identifying inactive users and disabling their accounts after a period of inactivity rather than granting temporary access on demand. Therefore, it does not represent JIT access.
D is incorrect: Job rotation is a personnel security control that requires employees to periodically change job roles or responsibilities. This practice helps detect fraud, reduce the likelihood of collusion, and ensure multiple employees understand critical processes. The policy described deals with monitoring account usage and disabling inactive accounts, which is unrelated to employee role rotation.
E is incorrect: Identity and access management (IAM) is a broad framework that encompasses authentication, authorization, identity lifecycle management, and access governance. While the described policy is part of an IAM program, the specific security principle being enforced is least privilege, which ensures that only necessary access is maintained. Therefore, IAM is too general to best describe the practice highlighted in the scenario.
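As an added illustration of the practice in this question (not part of the original explanation), the Python below applies a dormancy review to a constructed directory export: accounts unused for 90 days, or never used within 30 days of creation, are queued for disabling; service accounts are routed to owner review instead of being cut off automatically, because disabling them silently breaks jobs; already-disabled accounts are skipped. The thresholds, field names, review date, and sample accounts are assumptions made for the example.

```python
"""Dormant-account review: enforce least privilege by removing unused access.
Added example with constructed data; the 90/30-day thresholds are assumed policy."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

INACTIVITY_LIMIT = timedelta(days=90)   # assumed policy: disable after 90 days unused
NEVER_USED_GRACE = timedelta(days=30)   # assumed policy: new accounts must log on within 30 days
REVIEW_DATE = datetime(2024, 7, 1, tzinfo=timezone.utc)   # fixed "today" for a reproducible run

# Constructed directory export (not real data). Timestamps are ISO-8601 UTC;
# last_logon None means the account has never authenticated.
ACCOUNTS = [
    {"user": "alice", "type": "user", "enabled": True,
     "created": "2024-01-10T09:00:00Z", "last_logon": "2024-06-20T08:15:00Z"},
    {"user": "bob", "type": "user", "enabled": True,
     "created": "2023-11-02T10:00:00Z", "last_logon": "2024-02-01T17:40:00Z"},
    {"user": "carol", "type": "user", "enabled": True,
     "created": "2024-04-01T12:00:00Z", "last_logon": None},
    {"user": "erin", "type": "user", "enabled": True,
     "created": "2024-06-25T12:00:00Z", "last_logon": None},
    {"user": "svc-backup", "type": "service", "enabled": True,
     "created": "2022-05-05T00:00:00Z", "last_logon": "2024-01-01T03:00:00Z"},
    {"user": "dave", "type": "user", "enabled": False,
     "created": "2023-01-01T00:00:00Z", "last_logon": "2023-06-01T00:00:00Z"},
]


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp; None stays None (never logged on)."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_dormant(account: dict, now: datetime) -> bool:
    """Dormant = no logon within INACTIVITY_LIMIT, or never used and older than the grace period."""
    last = parse_ts(account["last_logon"])
    if last is None:
        return now - parse_ts(account["created"]) > NEVER_USED_GRACE
    return now - last > INACTIVITY_LIMIT


def review_accounts(accounts: List[dict], now: datetime) -> Dict[str, List[str]]:
    """Sort enabled accounts into disable / review / keep buckets.

    Service accounts are never disabled automatically: nobody will re-request
    their access and cutting them off breaks scheduled jobs, so dormant ones
    are sent to the owner for review instead.
    """
    result: Dict[str, List[str]] = {"disable": [], "review": [], "keep": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # already disabled; nothing to do
        if not is_dormant(acct, now):
            result["keep"].append(acct["user"])
        elif acct["type"] == "service":
            result["review"].append(acct["user"])
        else:
            result["disable"].append(acct["user"])
    return result


if __name__ == "__main__":
    for bucket, users in review_accounts(ACCOUNTS, REVIEW_DATE).items():
        print(f"{bucket:8s} {', '.join(users) or '-'}")
```

In a real directory the disable step would be followed by a notification to the account owner and a retention period before deletion, so that a legitimate user returning from leave can request reactivation rather than a fresh provisioning.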
Correct Answer: B
A is incorrect: Remediation refers to actions taken to remove the root cause of an incident and eliminate vulnerabilities that allowed the compromise to occur. This may include patching systems, removing malware, rebuilding affected hosts, or implementing additional security controls. Remediation activities typically occur after the threat has been contained, ensuring that the attack cannot continue spreading within the environment. In the scenario, the SOC has identified the malicious file and the origin of the attack, but there is no indication that the spread of the incident has been stopped yet. Because containment must occur before remediation to prevent further damage, remediation is not the immediate next step.
B is correct: Containment is the next step in the incident response lifecycle once the threat has been identified and analyzed. With the source of the attack and the malicious artifact known, the priority becomes preventing further damage: isolating affected systems, blocking malicious communication, or disabling compromised accounts. Containment keeps the incident from spreading while investigators prepare for eradication and remediation. Containment actions should also be chosen to preserve volatile evidence; isolating a host at the network or switch port, rather than powering it off, keeps memory contents available for forensic analysis. Incident response frameworks emphasize that once the attack vector and origin are identified, containment should be executed quickly to limit operational impact and preserve evidence for investigation.
C is incorrect: Response is not a distinct phase in formal incident response frameworks. NIST SP 800-61, for example, defines Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. The term "response" is used generically to describe the entire incident handling process rather than a specific operational stage. Because the scenario asks for the next step of the incident response plan after identifying the malicious file and its origin, the structured phase that follows identification is containment. "Response" is therefore too vague and does not correspond to a defined stage in the lifecycle.
D is incorrect: Recovery occurs after containment and eradication activities have removed the threat from the environment. During recovery, systems are restored to normal operation, services are brought back online, and monitoring is increased to ensure that no residual malicious activity remains. Recovery may involve restoring systems from backups, validating system integrity, and confirming that vulnerabilities have been addressed. In the scenario, the SOC has only identified the malicious file and the source of the attack; the systems are still unresponsive and potentially compromised. Therefore, recovery cannot begin until the threat has first been contained and removed.
Select all that apply
Correct Answers: A, C
A is correct: Full disk encryption (FDE) protects all data stored on the laptop by encrypting the entire storage device. If the laptop is lost or stolen while traveling, the data cannot be read without the pre-boot authentication credentials or recovery key. This control directly protects sensitive financial information stored locally on the device and is widely considered a best practice for protecting data at rest on portable devices. Note that FDE protects data only while the volume is locked: a laptop lost while powered on and logged in, or suspended with the volume key still in memory, exposes the decrypted volume, so the control depends on pre-boot authentication (ideally TPM-bound with a PIN) and on shutting down or hibernating rather than sleeping when traveling.
B is incorrect: Backing up the file to an encrypted flash drive provides redundancy but does not necessarily protect the file on the laptop itself during travel. While encryption of removable media is beneficial for data protection, this option primarily addresses data availability rather than ensuring the confidentiality of the file stored on the laptop. Additionally, storing sensitive data on removable media may introduce additional risk if the device is lost or mishandled.
C is correct: Applying an Access Control List (ACL) that restricts access to specific authorized users ensures that only designated accounts can open or modify the file. This control protects the confidentiality of the sensitive spreadsheet by enforcing authorization at the file level. The ACL is enforced by the running operating system, so it stops other local accounts but not someone who removes the drive and reads it offline; that is why it complements rather than replaces disk encryption, and the two together provide layered protection against unauthorized access.
D is incorrect: Storing the file in the user profile directory does not provide meaningful security protection. While it may organize user data within a personal directory structure, it does not enforce strong access restrictions or protect the data if the device is compromised or stolen. Therefore, this approach does not significantly improve the security of the confidential financial information.
E is incorrect: Denying access to everyone using an ACL would prevent even the authorized user from accessing the file. While it would technically block unauthorized access, it would also make the file unusable for legitimate purposes. Security controls must balance protection with usability, so this option is not an appropriate solution.
F is incorrect: Enabling access logging records when a file is accessed and by whom, providing auditing and monitoring capabilities. However, logging alone does not prevent unauthorized access or protect the file if the laptop is lost or stolen. It is useful for detection and forensic analysis but does not directly secure the confidential data during travel.
Correct Answer: A
A is correct: Reviewing video from IP cameras within the facility. The environment is described as completely air-gapped, meaning there is no network path from external systems. If anomalous external files appear on a critical server in such an environment, the most plausible explanation is physical access or insider activity, such as someone transferring files via removable media. Facility surveillance footage can show who physically approached the server or nearby workstations during the window in which the files appeared, which is exactly the evidence a network-centric investigation cannot provide. Combining cybersecurity evidence with physical security monitoring in this way is standard practice for identifying insider threats or unauthorized personnel in isolated environments.
B is incorrect: Reconfiguring the SIEM connectors to collect data from the perimeter network hosts. A completely air-gapped system has no external perimeter in the traditional sense, and the scenario states that SIEM connectors already collect logs from network infrastructure, security appliances, and endpoints. Gathering additional perimeter logs would not help identify how the files arrived, because the introduction vector is unlikely to be network-based in an air-gapped environment.
C is incorrect: Implementing integrity checks on endpoint computing devices. File integrity monitoring can detect future unauthorized changes to system files, but the anomalous files are already present and the goal is to identify who introduced them. Integrity monitoring deployed now would not reveal the individual responsible for the current incident, so it is less effective for exposing the attacker in this situation.
D is incorrect: Looking for privileged credential reuse on the network. Privileged credential misuse is a useful indicator in typical enterprise environments, but in an air-gapped environment the appearance of external files points to physical introduction rather than credential compromise over the network. Credential analysis might reveal abnormal administrative activity, yet it would not show how the files entered the isolated system, so it is less likely than surveillance review to identify the attacker.
Correct Answer: C
A is incorrect: Reverse engineering involves analyzing compiled software or binaries to understand how they function internally. Security professionals use this technique to study malware behavior, identify vulnerabilities, or determine how malicious code operates. It often requires specialized skills and tools such as disassemblers or debuggers to inspect code execution and logic. Although reverse engineering may eventually be used to analyze malware in detail, it is not the best initial method for safely reviewing suspicious email attachments. Directly analyzing the code could expose the analyst’s system to risk if the file executes malicious actions. Therefore, it is not the most appropriate first step for reviewing unknown attachments received through phishing or suspicious emails.
B is incorrect: Protocol analysis involves examining network communications to understand how systems exchange data. Security analysts may use packet capture tools and network monitoring systems to analyze protocols, detect anomalies, and identify malicious network traffic patterns. This method is commonly used during network forensics or intrusion detection. However, protocol analysis focuses on network traffic, not on the behavior of file attachments themselves. Suspicious email attachments are files that may contain malware, macros, or malicious executables, and reviewing them requires a method that safely executes or inspects the file. Therefore, protocol analysis does not directly address the problem described in the scenario.
C is correct: Sandboxing allows suspicious files to be executed in an isolated, controlled environment where their behavior can be observed without risking the production network or the analyst workstation. Email security gateways and malware analysis platforms commonly use sandboxes to detonate attachments and monitor file system changes, registry modifications, network connections, and attempts to download additional payloads. CASP+ security operations guidance highlights sandboxing as a safe method for analyzing potentially malicious files because it isolates the execution environment and prevents malware from affecting enterprise systems. A clean sandbox run is not proof of safety, however: malware commonly checks for virtualization, delays execution, or waits for user interaction, so sandbox results should be combined with static indicators and, where warranted, longer or instrumented runs before an attachment is declared benign.
D is incorrect: Fuzz testing is a software testing technique that involves sending random or malformed inputs to an application to discover vulnerabilities such as buffer overflows or improper input validation. Security engineers use fuzzing to identify weaknesses in software implementations before attackers can exploit them. While fuzz testing is useful for identifying vulnerabilities in applications or protocols, it is not intended for analyzing suspicious email attachments. The scenario involves determining whether a file attachment contains malicious content, which requires behavior analysis rather than input mutation testing. Therefore, fuzz testing does not address the analyst’s immediate objective.
E is incorrect: Steganography is a technique used to conceal information within other files, such as hiding data within images, audio files, or other media formats. Attackers sometimes use steganography to hide malicious payloads or command-and-control instructions inside seemingly harmless files. Security analysts may investigate steganographic techniques when attempting to uncover hidden data within suspicious files. However, steganography describes a method attackers might use, not a primary analysis technique for reviewing attachments safely. While steganographic analysis could be part of a deeper investigation, the best general approach for safely examining suspicious attachments is to execute them in a controlled sandbox environment. Therefore, this option is not the most appropriate answer.
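As an added example (not from the page or any exam material), the Python below is the static pre-triage step an analyst typically runs before sending an attachment to a sandbox: it fingerprints the file by its leading bytes rather than its name, records the SHA-256 for correlating the sandbox report with threat intelligence, flags Office documents that carry a VBA project, and flags executables disguised with a document extension. The sample attachments are constructed in the code, the "OOXML" zips are minimal stand-ins rather than real Word files, and the detonation rules are the example's own assumptions.

```python
"""Static pre-triage for e-mail attachments: fingerprint the file and decide
whether it goes to the sandbox. Added example; labels and rules are assumed."""
import hashlib
import io
import zipfile
from typing import Dict, List

# Leading bytes that identify the real container, regardless of the file name.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-binary-office"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip-container"),
]
# What a given extension should look like; a mismatch is a classic lure.
EXPECTED = {"docx": "zip-container", "docm": "zip-container", "xlsx": "zip-container",
            "xlsm": "zip-container", "pdf": "pdf", "doc": "ole2-binary-office",
            "xls": "ole2-binary-office", "exe": "pe-executable"}


def sniff(data: bytes) -> str:
    """Identify the container from magic bytes; 'unknown' if none match."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def ooxml_has_macro(data: bytes) -> bool:
    """OOXML documents are zips; an embedded VBA project is stored as */vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename: str, data: bytes) -> Dict[str, object]:
    """Return hash, detected type, and whether the file should be detonated."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    reasons: List[str] = []
    if kind == "pe-executable":
        reasons.append("executable attachment")
    if kind == "ole2-binary-office":
        reasons.append("legacy binary Office format (macros cannot be ruled out statically here)")
    if kind == "zip-container" and ooxml_has_macro(data):
        reasons.append("Office document carries a VBA project")
    if ext in EXPECTED and EXPECTED[ext] != kind:
        reasons.append(f"extension .{ext} does not match content type {kind}")
    return {
        "sha256": hashlib.sha256(data).hexdigest(),   # for correlating sandbox and TI results
        "type": kind,
        "detonate": bool(reasons),
        "reasons": reasons,
    }


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML-style zip (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


# Constructed samples: a PE-looking blob named as a PDF, and a plain text note.
FAKE_PE_AS_PDF = b"MZ\x90\x00" + b"\x00" * 60
PLAIN_TEXT = b"Meeting notes: nothing to see here.\n"

if __name__ == "__main__":
    for name, blob in [("report.docx", make_ooxml(False)), ("report.docm", make_ooxml(True)),
                       ("invoice.pdf", FAKE_PE_AS_PDF), ("notes.txt", PLAIN_TEXT)]:
        verdict = triage(name, blob)
        print(f"{name:14s} {verdict['type']:20s} detonate={verdict['detonate']} {verdict['reasons']}")
```

Anything flagged here is what goes to the sandbox; anything not flagged still is not proven safe, which is why the hash is kept so that a later sandbox or threat-intelligence hit can be tied back to the original message.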
Correct Answer: D
A is incorrect: Deep learning is a subset of machine learning that uses neural networks with multiple layers to analyze complex data patterns. It is typically used in areas such as image recognition, natural language processing, and predictive analytics. While deep learning may be used to analyze biometric data, it is not itself the authentication mechanism being described in the scenario.
B is incorrect: Machine learning refers to algorithms that allow systems to learn from data and improve predictions or decisions over time. Although machine learning may assist with behavioral analysis or biometric recognition technologies, it is not directly associated with replacing traditional passwords using authentication mechanisms like biometrics, badges, or tokens.
C is incorrect: Nanotechnology involves manipulating matter at the nanoscale to develop advanced materials, electronics, and medical technologies. This field is unrelated to authentication methods used to control access to systems or facilities. Therefore, nanotechnology does not align with the authentication mechanisms described.
D is correct: Passwordless authentication replaces traditional passwords with alternative authentication factors such as biometrics, proximity badges, or hardware tokens; FIDO2/WebAuthn credentials (passkeys) are the most common standards-based implementation. These technologies verify user identity without requiring memorized credentials, improving security and usability while reducing the risks associated with password theft, reuse, and phishing. CASP+ materials highlight passwordless authentication as an approach that uses hardware tokens and biometric verification to authenticate users without relying on passwords.
E is incorrect: Biometric impersonation refers to attempts by attackers to mimic or bypass biometric systems, such as using fake fingerprints or facial replicas. This is an attack technique rather than a legitimate authentication technology. Therefore, it does not represent the intended implementation described in the scenario.
Select all that apply
Correct Answers: A, F
A is correct: Deploying a WAF or IPS signature can help mitigate exploitation attempts by detecting and blocking malformed TLS heartbeat requests associated with the Heartbleed vulnerability, serving as a compensating control while permanent remediation is implemented. The caveat is placement: the device can only see heartbeat messages if it sits in the TLS path in front of the vulnerable OpenSSL endpoint, either as a TLS-terminating reverse proxy that is itself patched or as a network sensor inspecting the TLS record layer. A WAF that only inspects decrypted HTTP behind the affected server never sees the heartbeat and offers no protection. CASP+ guidance emphasizes layered defense strategies where perimeter protections such as WAF rules reduce exposure to known exploit patterns, especially for externally facing web applications, but they do not remove the flaw.
B is incorrect: Fixing the PHP code would not address the Heartbleed vulnerability because the vulnerability does not exist in the application code itself. Heartbleed is a flaw in the OpenSSL cryptographic library that affects TLS heartbeat functionality. Since the vulnerability resides in the underlying cryptographic library rather than in the PHP application logic, modifying the PHP code would not resolve the issue.
C is incorrect: Changing the web server from HTTPS to HTTP would remove encrypted communication entirely, exposing sensitive customer data in plaintext and introducing significant confidentiality risks. CASP+ security architecture principles emphasize maintaining encrypted communications for web services handling sensitive information. Therefore, disabling HTTPS would weaken security rather than mitigate the vulnerability.
D is incorrect: SSLv3 is an older and insecure protocol that has known vulnerabilities such as POODLE. Enabling SSLv3 would significantly weaken the security posture of the web application and would not address the Heartbleed issue, which is related to OpenSSL’s TLS heartbeat implementation rather than the specific SSL/TLS protocol version.
E is incorrect: Changing the programming language from PHP to ColdFusion does not address the root cause of the vulnerability. Heartbleed affects the OpenSSL cryptographic library used by the server rather than the language used to develop the application. Rewriting the application would not resolve the underlying cryptographic library vulnerability.
F is correct: Updating the OpenSSL library is the primary remediation for the Heartbleed vulnerability (CVE-2014-0160). The flaw exists in OpenSSL 1.0.1 through 1.0.1f, where the TLS heartbeat implementation trusts the payload length declared by the peer and returns up to 64 KB of server process memory per request, which can include session data, credentials, and the server's private key; 1.0.1g added the missing length check. CASP+ materials emphasize that patching or upgrading vulnerable cryptographic libraries is necessary to eliminate the flaw and restore secure TLS communications. Because memory may already have leaked, patching should be followed by reissuing the server's key pair and certificate, revoking the old certificate, and invalidating active sessions and credentials.
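As an added example (not from the page or any exam source), the Python below models the check that distinguishes a benign heartbeat from a Heartbleed probe: the same length comparison a signature on an inline sensor (option A) applies, and the one the OpenSSL fix (option F) added. The record layout follows RFC 6520; the sample records and the "heap" bytes are constructed here, not captured traffic, and `vulnerable_echo` and `patched_echo` are simplified models of the server's behaviour before and after the fix, not OpenSSL code.

```python
"""Heartbleed pattern check: a TLS heartbeat whose declared payload_length is
larger than the record actually carries (RFC 6520, section 4). Added example."""
import struct
from typing import Optional, Tuple

TLS_HEARTBEAT = 0x18            # TLS record content type for heartbeat
HB_REQUEST, HB_RESPONSE = 1, 2  # heartbeat message types
MIN_PADDING = 16                # RFC 6520: padding MUST be at least 16 bytes


def parse_record(data: bytes) -> Tuple[int, int, bytes]:
    """Split one TLS record into (content_type, version, fragment)."""
    if len(data) < 5:
        raise ValueError("record header truncated")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record body truncated")
    return ctype, version, fragment


def heartbeat_verdict(fragment: bytes) -> str:
    """Apply the length check the vulnerable OpenSSL omitted."""
    if len(fragment) < 3:
        return "malformed: heartbeat shorter than its 3-byte header"
    hb_type = fragment[0]
    (payload_len,) = struct.unpack("!H", fragment[1:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return f"malformed: unknown heartbeat type {hb_type}"
    # RFC 6520: padding_length = len(fragment) - payload_length - 3 and must be
    # >= 16; a message that fails this MUST be silently discarded.
    if 3 + payload_len + MIN_PADDING > len(fragment):
        return (f"heartbleed-suspect: declares {payload_len} payload bytes, "
                f"record carries {len(fragment) - 3}")
    return "ok"


def classify(record: bytes) -> str:
    """Verdict for a whole TLS record; non-heartbeat records pass through."""
    ctype, _version, fragment = parse_record(record)
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    return heartbeat_verdict(fragment)


def vulnerable_echo(fragment: bytes, adjacent_memory: bytes) -> bytes:
    """Model of pre-1.0.1g behaviour: trusts payload_length and copies that many
    bytes starting at the payload, running into whatever follows the request
    in process memory (adjacent_memory stands in for that heap content)."""
    (payload_len,) = struct.unpack("!H", fragment[1:3])
    heap = fragment[3:] + adjacent_memory
    return heap[:payload_len]


def patched_echo(fragment: bytes, adjacent_memory: bytes) -> Optional[bytes]:
    """Model of fixed behaviour: discard the request when the length check fails."""
    if heartbeat_verdict(fragment) != "ok":
        return None
    (payload_len,) = struct.unpack("!H", fragment[1:3])
    return fragment[3:3 + payload_len]


def make_record(hb_type: int, declared_len: int, payload: bytes, padding: bytes) -> bytes:
    """Build a TLS 1.1 heartbeat record with an arbitrary declared length."""
    frag = bytes([hb_type]) + struct.pack("!H", declared_len) + payload + padding
    return bytes([TLS_HEARTBEAT, 0x03, 0x02]) + struct.pack("!H", len(frag)) + frag


# Constructed samples (not captured traffic).
BENIGN = make_record(HB_REQUEST, 4, b"ping", b"\x00" * MIN_PADDING)
# Classic probe shape: a 3-byte heartbeat declaring a 16 KB payload.
PROBE = make_record(HB_REQUEST, 0x4000, b"", b"")
# Constructed stand-in for heap contents adjacent to the request buffer.
SECRET_HEAP = b"session=abc123;-----BEGIN RSA PRIVATE KEY-----"

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("probe", PROBE)):
        print(f"{name:7s} -> {classify(rec)}")
    leaked = vulnerable_echo(parse_record(PROBE)[2], SECRET_HEAP)
    print("vulnerable server echoed", len(leaked), "bytes of heap:", leaked[:24])
    print("patched server echoed", patched_echo(parse_record(PROBE)[2], SECRET_HEAP))
```

The detection half of this is what a signature can express: an inline sensor flags any heartbeat record whose declared length exceeds the bytes present. The echo functions show why the fix is a one-line bounds check and why a WAF behind the TLS endpoint, which never sees the heartbeat record, cannot apply it.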
