Latest Update: Jun 22 2026
Correct Answer: C
A is incorrect: Cloud Access Security Brokers (CASB) provide visibility and control over cloud application usage, enforcing policies for SaaS access, data protection, and user behavior. While CASBs can inspect cloud traffic and enforce security policies for cloud services, they are not designed primarily to detect fake websites, inspect traffic across arbitrary ports, or provide deep network-level inspection with multi-engine threat detection. Therefore, a CASB does not meet all the listed requirements.
B is incorrect: Web filtering focuses on controlling access to websites based on categories, reputation databases, or policy rules. It can block access to known malicious or phishing websites, but it does not typically provide deep packet inspection across both standard and non-standard ports or integrate multiple detection engines with centralized security reporting. As a result, web filtering alone does not fully address all the capabilities required.
C is correct: Next-Generation Firewalls (NGFWs) are the correct answer because they provide advanced network security capabilities including deep packet inspection, SSL/TLS decryption for traffic inspection, application awareness across standard and non-standard ports, and integration with multiple detection engines such as intrusion prevention systems, anti-malware scanning, and threat intelligence feeds. NGFWs also provide centralized logging and reporting for security monitoring. CASP+ materials highlight NGFWs as comprehensive network security platforms capable of identifying malicious websites, inspecting encrypted traffic, and applying layered detection mechanisms.
D is incorrect: Endpoint Detection and Response (EDR) focuses on monitoring endpoint activity, detecting suspicious behavior on hosts, and supporting incident response investigations. While EDR solutions are valuable for detecting threats on endpoint systems, they do not inspect network traffic or block malicious websites at the network level. Because the requirements involve inspecting encrypted traffic and blocking malicious web destinations across the network, EDR alone would not meet the objectives.
Correct Answer: D
A is incorrect: Port 135 is typically used by Microsoft RPC services and is associated with technologies such as DCOM communication. While some OPC implementations rely on DCOM, the question specifically focuses on communication with a Modbus server, and Modbus does not operate on port 135. Therefore, restricting inbound traffic to this port would not support Modbus communication and would not meet the operational requirement.
B is incorrect: Port 102 is commonly associated with the Siemens S7 protocol rather than Modbus. Since the requirement involves communication with a Modbus server controlling electrical relays, configuring traffic for port 102 would not support the correct protocol communication. Consequently, this option does not align with the Modbus protocol requirements.
C is incorrect: Port 5000 is not the standard port used for Modbus communications. While custom applications may occasionally use nonstandard ports, Modbus TCP communications are conventionally performed on a specific well-known port. Implementing restrictions on port 5000 would therefore not reliably support standard Modbus operations and would likely disrupt the intended communication.
D is correct: Port 502 is the standard TCP port used by the Modbus protocol for industrial control system communications. Because Modbus lacks built-in authentication and security features, network-level controls such as strict firewall rules are often implemented to restrict which systems can communicate with the Modbus server. Allowing only the OPC server to initiate inbound connections to the Modbus server on port 502 ensures the required communication while minimizing exposure to other systems. This approach satisfies both requirements: enabling interoperability and limiting operational disruptions while improving security.
Correct Answer: D
A is incorrect: Lockout of a privileged access account would affect authentication after the operating system has loaded and a user attempts to log in with elevated credentials. In the scenario, the laptop fails to boot before the operating system loads, and the issue is resolved using a recovery PIN. This indicates the problem occurs during the pre-boot authentication stage rather than with user account access controls. Therefore, privileged account lockout is unrelated to the described situation.
B is incorrect: Duration of the BitLocker lockout period would apply if multiple incorrect authentication attempts caused BitLocker to temporarily lock access. However, the scenario does not mention repeated failed attempts or a lockout timer. Instead, the system required a recovery PIN before the operating system could load, suggesting the device entered recovery mode due to a hardware or authentication validation issue rather than a lockout duration.
C is incorrect: Failure of Kerberos time drift synchronization would affect authentication processes between a client and a domain controller once the operating system and network services are running. Kerberos relies on synchronized system clocks to validate tickets, but this occurs after the system boots and attempts network authentication. Because the problem occurred before the operating system loaded, Kerberos synchronization is not relevant to the boot failure.
D is correct: Failure of TPM authentication is the most likely cause. BitLocker commonly uses the Trusted Platform Module (TPM) to verify system integrity during the pre-boot process. If the TPM detects a change in hardware, firmware, or boot configuration—or cannot validate the stored keys—the system may enter recovery mode and require a recovery PIN or key to unlock the encrypted drive. Since the administrator provided a recovery PIN that allowed the user to boot the system successfully, this strongly indicates that TPM-based BitLocker authentication failed during the boot process.
Select all that apply
Correct Answers: B, D
A is incorrect: Password crackers are tools used during penetration testing or security auditing to attempt to recover passwords from hashed or encrypted formats. While they may demonstrate weaknesses in password policies or authentication mechanisms, the output typically focuses on credential compromise rather than providing a comprehensive overview of system vulnerabilities or overall security posture. Therefore, password cracking results are not the most appropriate inputs for populating a risk register used for risk management decisions.
B is correct: SCAP scanners use the Security Content Automation Protocol to evaluate systems against standardized security benchmarks and vulnerability definitions such as CVE, CCE, and OVAL. The results provide structured compliance and vulnerability data that can be used to identify misconfigurations, missing patches, and security control weaknesses. Because SCAP outputs provide standardized, measurable security posture information aligned with risk management frameworks, they are highly valuable inputs when determining risk levels and documenting findings in a risk register.
C is incorrect: Network traffic analyzers capture and analyze network packets to observe communications, detect anomalies, and troubleshoot network issues. Although this information may support incident investigations or operational monitoring, it does not directly provide a comprehensive assessment of system vulnerabilities or security posture required for formal risk evaluation within a risk register.
D is correct: Vulnerability scanners automatically identify known vulnerabilities, missing patches, and misconfigurations across systems and applications. The output includes severity ratings, vulnerability descriptions, and affected assets, which provide direct insight into the organization’s current security weaknesses. These results are commonly used in risk assessments because they help quantify exposure and prioritize remediation efforts, making them a key input for determining the organization’s security posture.
E is incorrect: Port scanners identify open ports and services running on hosts within a network. While this information can help identify potential attack surfaces, the output alone does not provide sufficient context about vulnerabilities, exploitability, or risk severity. Therefore, it provides limited insight compared to comprehensive vulnerability or compliance scanning tools used in risk management processes.
F is incorrect: Protocol analyzers examine network protocols and traffic patterns to diagnose network problems or analyze communications. Although useful for troubleshooting and forensic investigations, they do not provide the structured vulnerability or compliance information required to determine the overall security posture for risk register entries.
Correct Answer: C
A is incorrect: Deobfuscation refers to techniques used to analyze or reverse intentionally obscured code or data, often in malware analysis. While deobfuscation can help analysts understand malicious scripts or encoded payloads after they are discovered, it does not directly enable an IDS to inspect encrypted HTTPS traffic in transit. Since the scenario involves encrypted network traffic that prevented the IDS from detecting malicious activity, deobfuscation alone would not provide the capability needed to inspect the traffic.
B is incorrect: Protocol decoding allows security tools to understand the structure and fields of specific network protocols so they can analyze the traffic more effectively. However, if the traffic is encrypted with HTTPS, the IDS cannot decode the protocol payload without first decrypting the encrypted session. Protocol decoding therefore does not solve the fundamental problem that the IDS cannot see inside encrypted traffic streams. Consequently, it would not allow detection of attacks hidden within HTTPS sessions.
C is correct: An inspection proxy (often referred to as SSL/TLS inspection or a secure web proxy) decrypts HTTPS traffic, inspects the contents for malicious activity, and then re-encrypts the traffic before forwarding it to the destination. This process enables security devices such as IDS/IPS systems to analyze traffic that would otherwise be encrypted and invisible to inspection tools. In this scenario, the IDS failed to detect malicious activity because the traffic was encrypted. Implementing an inspection proxy would allow the organization to decrypt and inspect HTTPS traffic, enabling detection of malicious content or commands embedded in encrypted communications. Therefore, this is the most appropriate detection mechanism.
D is incorrect: Digital rights management (DRM) is used to control access and usage of digital content such as media files or proprietary documents. It helps enforce licensing restrictions and prevent unauthorized distribution or copying of digital assets. DRM technologies are unrelated to network traffic inspection or intrusion detection capabilities. As a result, DRM would not help detect malicious traffic hidden within HTTPS communications.
Correct Answer: C
A is incorrect: Monitoring for sign-up emails may occasionally reveal when employees register for cloud services using corporate email accounts. However, this approach is unreliable because users may register using personal email addresses or alternative credentials. Additionally, it provides limited visibility into actual usage patterns or ongoing activity with cloud services. Because shadow IT often involves unauthorized applications accessed through browsers or external networks, relying solely on sign-up emails would not provide comprehensive discovery capabilities.
B is incorrect: Centralizing Web Application Firewall (WAF) deployment helps protect web applications by filtering and monitoring HTTP traffic to identify malicious requests or application-layer attacks. While a WAF strengthens application security, it does not provide visibility into employees accessing unauthorized cloud services. WAFs focus on protecting hosted applications rather than monitoring outbound user activity toward external SaaS platforms. Therefore, this option would not effectively identify shadow IT usage.
C is correct: Deploying a reverse proxy combined with web filtering software enables the organization to monitor and control outbound web traffic from users to external services. By routing user web traffic through a proxy, security teams can inspect requests, log accessed domains, and identify unauthorized SaaS platforms being used by employees. Web filtering tools can categorize cloud services and help detect shadow IT activity across the organization. This provides comprehensive visibility into cloud service usage and is one of the most effective techniques for discovering unauthorized cloud applications.
D is incorrect: Attack surface analysis focuses on identifying externally exposed systems, services, and infrastructure that could be targeted by attackers. This type of analysis evaluates an organization’s publicly accessible assets to determine potential vulnerabilities. However, the scenario concerns internal users accessing unauthorized cloud services rather than external exposure of company systems. Because shadow IT relates to user behavior and unauthorized service adoption, attack surface analysis would not effectively identify these activities.
Correct Answer: C
A is incorrect: A decrypting RSA attack using obsolete or weakened encryption refers to cryptographic attacks against RSA implementations, often exploiting outdated encryption standards or insufficient key sizes. These attacks typically focus on breaking encryption to reveal sensitive information in transit. The scenario describes long-term data exfiltration using legitimate encrypted channels rather than an attempt to break encryption. Therefore, the activity does not match the characteristics of a cryptographic attack against RSA.
B is incorrect: A zero-day attack refers to the exploitation of a previously unknown vulnerability that has no available patch or mitigation at the time of exploitation. Zero-day attacks typically focus on gaining unauthorized access by exploiting software flaws. The scenario instead describes a long-running activity involving data transfers to remote sites over several months. The emphasis is on persistent exfiltration rather than exploiting a newly discovered vulnerability, making this option less accurate.
C is correct: An advanced persistent threat (APT) describes a sophisticated and long-term attack in which an adversary gains unauthorized access to a system and remains undetected for an extended period while conducting activities such as surveillance or data exfiltration. The key indicators in the scenario include the sustained activity over several months, the use of encrypted communication channels, and the gradual transfer of files to external remote locations. These characteristics strongly align with the behavior of an APT, which typically operates covertly and persistently before eventually ceasing activity once objectives are achieved.
D is incorrect: An on-path attack (previously known as a man-in-the-middle attack) involves intercepting or modifying communications between two parties without their knowledge. This type of attack focuses on manipulating or eavesdropping on active communications between endpoints. The scenario does not indicate interception or alteration of communication between legitimate parties; instead, it describes systems directly sending files to remote sites over time. Therefore, the activity does not align with the characteristics of an on-path attack.
Correct Answer: B
A is incorrect: Cable test results provide diagnostics for physical network connections, verifying cable integrity, signal quality, or connectivity issues. These tests are useful for troubleshooting physical network infrastructure but provide no visibility into cloud resource provisioning or administrative actions within cloud environments. Therefore, they cannot help detect unauthorized cloud resource creation.
B is correct: Cloud control plane audit logs record administrative and API actions performed within a cloud environment, including the creation, modification, and deletion of resources such as virtual machines, storage accounts, and network configurations. These logs provide a detailed audit trail of who performed an action, when it occurred, and what changes were made. CASP cloud security guidance highlights audit logging of control plane activities as a critical mechanism for detecting unauthorized or suspicious resource provisioning and administrative activity in cloud environments.
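As an added illustration of how control plane audit logs are used for detection (example code written for this page, not part of the original explanation), the script below scans a constructed JSON-lines audit log for resource-creation actions by principals outside an approved allow-list or from outside the management network. The event field names, principals, IP ranges and the policy itself are assumptions, not any specific cloud provider's schema.

```python
"""Added example: flag unauthorized resource creation in cloud control plane
audit logs. The event format is a constructed, provider-neutral one; field
names (time, principal, action, resource, source_ip) are assumptions."""
import json

# Constructed sample audit events (JSON lines); not real log data.
SAMPLE_AUDIT_LOG = """
{"time": "2026-06-20T09:15:02Z", "principal": "svc-terraform", "action": "CreateVirtualMachine", "resource": "vm-web-07", "source_ip": "10.20.0.5"}
{"time": "2026-06-20T09:16:40Z", "principal": "alice", "action": "DescribeInstances", "resource": "*", "source_ip": "10.20.0.31"}
{"time": "2026-06-21T02:47:13Z", "principal": "bob", "action": "CreateStorageAccount", "resource": "st-backup-x1", "source_ip": "198.51.100.23"}
{"time": "2026-06-21T02:48:55Z", "principal": "bob", "action": "CreateVirtualMachine", "resource": "vm-unknown-01", "source_ip": "198.51.100.23"}
{"time": "2026-06-21T10:02:11Z", "principal": "svc-terraform", "action": "DeleteVirtualMachine", "resource": "vm-web-03", "source_ip": "10.20.0.5"}
"""

# Policy assumptions (hypothetical): only the provisioning service account may
# create resources, and creation is expected from the management network.
APPROVED_CREATORS = {"svc-terraform"}
MANAGEMENT_NETWORK_PREFIX = "10.20.0."
# Action-name prefixes treated as resource creation.
CREATE_ACTIONS = ("Create", "Provision", "Run", "Launch")


def parse_events(log_text):
    """Parse JSON-lines audit log text into a list of event dicts."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def is_creation(event):
    """True when the action name indicates a resource was provisioned."""
    return event["action"].startswith(CREATE_ACTIONS)


def find_unauthorized_creations(events):
    """Return (event, reasons) pairs for creation actions that violate policy."""
    findings = []
    for ev in events:
        if not is_creation(ev):
            continue
        reasons = []
        if ev["principal"] not in APPROVED_CREATORS:
            reasons.append("principal not in approved creators")
        if not ev["source_ip"].startswith(MANAGEMENT_NETWORK_PREFIX):
            reasons.append("source outside management network")
        if reasons:
            findings.append((ev, reasons))
    return findings


def summarize(findings):
    """Group findings per principal: resources created and distinct reasons."""
    summary = {}
    for ev, reasons in findings:
        entry = summary.setdefault(ev["principal"], {"resources": [], "reasons": set()})
        entry["resources"].append(ev["resource"])
        entry["reasons"].update(reasons)
    return summary


if __name__ == "__main__":
    for ev, reasons in find_unauthorized_creations(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"{ev['time']} {ev['principal']} {ev['action']} {ev['resource']}: {'; '.join(reasons)}")
```

The same loop applies unchanged to real exports once the field names are mapped to the provider's schema; the "who, when, what" fields the explanation mentions are exactly what the policy checks consume.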
C is incorrect: Monitor EDID data refers to Extended Display Identification Data used by display devices to communicate capabilities such as resolution and refresh rate to connected systems. This information is relevant for hardware display compatibility and configuration but has no role in cloud security monitoring or detecting unauthorized resource creation.
D is incorrect: Printer queue length measures the number of print jobs waiting to be processed by a printer. This metric may be used for operational monitoring of printing services but has no connection to cloud infrastructure management or detection of unauthorized cloud resource provisioning.
Correct Answer: A
A is correct: When a system must operate outside established security policy due to operational constraints, organizations should formally document the deviation through a policy exception process. In this scenario, outdated protocols are required for compatibility with client systems, and compensating controls—such as FIM, EDR, and a next-generation firewall—have already been implemented to reduce risk exposure. The next appropriate step in governance is to formally record the exception, document the risk and compensating controls, and obtain appropriate approval through the organization’s risk management process. This ensures transparency, accountability, and proper risk acceptance by leadership.
B is incorrect: Setting a target date for disabling the outdated protocols assumes that the internal organization can remediate the issue independently. However, the scenario clearly states that the protocols are required for compatibility with client-owned systems and the client cannot update those systems at this time. Establishing an internal remediation deadline would not resolve the dependency and may disrupt business operations. Therefore, this action would not appropriately address the situation.
C is incorrect: Revising the security policy to allow outdated protocols would weaken the organization’s overall security posture and undermine the purpose of having standardized security requirements. Policies are intended to establish baseline protections for the entire organization. Modifying the policy to accommodate a single compatibility issue would create unnecessary risk across the environment. Instead, organizations handle such circumstances through formal policy exceptions rather than changing the policy itself.
D is incorrect: Requiring the application owner to sign a responsibility agreement may create internal accountability, but it does not represent a formal risk management process. Risk acceptance and policy exceptions should be documented and approved through established governance mechanisms, typically involving risk management and executive approval. Simply shifting responsibility to the application owner would not properly address the policy violation or document the exception appropriately.
Correct Answer: A
A is correct: A tabletop exercise is a discussion-based simulation used to walk stakeholders through a hypothetical cybersecurity or disaster scenario. Participants review roles, responsibilities, decision-making processes, and response procedures while identifying gaps in incident response plans. Organizations often hire third-party consultants to facilitate these exercises in order to simulate realistic attack scenarios and evaluate preparedness across technical and management teams. Because the purpose described is to identify security gaps and prepare stakeholders for a potential incident, a tabletop exercise best matches the scenario.
B is incorrect: A walk-through review typically involves reviewing documentation, procedures, or system configurations step-by-step to ensure processes are understood and correctly implemented. While this method can help validate operational procedures, it does not simulate incident conditions or actively test stakeholder responses. The scenario specifically describes a simulated cybersecurity incident designed to test readiness, which aligns more closely with a tabletop exercise rather than a procedural review.
C is incorrect: Lessons learned occur after an incident or exercise has been completed and analyzed. During this phase, organizations document what worked well, what failed, and which improvements should be implemented for future response efforts. Since the scenario describes conducting the simulation itself rather than reviewing results after the fact, lessons learned would occur later in the process rather than representing the activity described.
D is incorrect: A business impact analysis (BIA) evaluates the potential operational and financial consequences of disruptions to critical business functions. BIAs are typically conducted as part of business continuity planning to identify critical systems, recovery priorities, and acceptable downtime. Although BIAs help organizations understand risk and impact, they do not involve simulating a cybersecurity incident or testing stakeholder response capabilities. Therefore, a BIA does not match the activity described in the scenario.
