The Common Vulnerability Scoring System (CVSS) v3.1 uses three metric groups to calculate overall scores:Base,Temporal, andEnvironmental.

Base (E):Mandatory metrics assessing exploitability (e.g., attack vector) and impact (confidentiality, integrity, availability).

Temporal (A):Optional metrics reflecting the current state of the vulnerability (e.g., exploit availability, remediation level).

Environmental (F):Optional metrics tailoring the score to the organization’s context (e.g., security requirements).

B, C, D (Availability, Integrity, Confidentiality):These are subcomponents of the Base Impact metrics, not standalone groups.

G (Impact):A categorywithin Base, not a group.

H (Attack vector):A single Base metric, not a group.

Addressing misconfigurations and vulnerabilities in third-party hardware requires a comprehensive approach to manage risks throughout the supply chain. Implementing a proper supply chain risk management (SCRM) program is the most effective solution as it encompasses the following:

Holistic Approach: SCRM considers the entire lifecycle ofthe product, from initial design through to delivery and deployment. This ensures that risks are identified and managed at every stage.

Vendor Management: It includes thorough vetting of suppliers and ongoing assessments of their security practices, which can identify and mitigate vulnerabilities early.

Regular Audits and Assessments: A robust SCRM program involves regular audits and assessments, both internally and with suppliers, to ensure compliance with security standards and best practices.

Collaboration and Communication: Ensures that there is effective communication and collaboration between the company and its suppliers, leading to faster identification and resolution of issues.

Other options, while beneficial, do not provide the same comprehensive risk management:

A. Performing vulnerability tests on each device delivered by the providers: While useful, this is reactive and only addresses issues after they have been delivered.

B. Performing regular red-team exercises on the vendor production line: This can identify vulnerabilities but is not as comprehensive as a full SCRM program.

C. Implementing a monitoring process for the integration between the application and the vendor appliance: This is important but only covers the integration phase, not the entire supply chain.

The logs indicate multiple failed login attempts for user10, who may have been part of the staff reduction 60 days prior. If user10 ' s account was removed, and their home directory deleted, any applications or services relying on files or configurations within that directory would fail. This scenario is common when service accounts are not properly identified and preserved during staff reductions.

Ensuring that service accounts are documented and maintained separately from user accounts is essential to prevent unintended disruptions to applications and services.

Post-Quantum Cryptography (PQC) preparation is critical to protect data against future quantum computing attacks that could break current cryptographic algorithms (e.g., RSA, ECC). According to the CompTIA SecurityX CAS-005 study guide (Domain 3: Cybersecurity Technology, 3.3), quantum computers with sufficient computational power could perform calculations (e.g., Shor’s algorithm) to decrypt data protected by traditional algorithms. PQC focuses on developing algorithms resistant to such increases in computational resources, ensuring long-term data security.

Option B:Key stretching is a technique to strengthen passwords, not related to PQC.

Option C:PQC algorithms often have higher computational costs, not improved performance.

Option D:Asymmetric encryption is not ideal for large data sets, and PQC is not specifically about this use case.

Option A:This accurately describes PQC’s purpose to safeguard data against quantum-driven decryption.

Dynamic Application Security Testing (DAST) is crucial for identifying and addressing security vulnerabilities during the software development life cycle (SDLC). Ensuring that DAST scans are routinely scheduled helps in maintaining a secure development process.

Why Routine DAST Scans?

Continuous Security Assessment: Regular DAST scans help in identifying vulnerabilities in real-time, ensuring they are addressed promptly.

Compliance: Routine scans ensure that the development process complies with security standards and regulations.

Proactive Threat Mitigation: Regular scans help in early detection and mitigation of potential security threats, reducing the risk of breaches.

Integration into SDLC: Ensures security is embedded within the development process, promoting a security-first approach.

Other options, while relevant, do not directly address the continuous assessment and proactive identification of threats:

A. If developers are unable to promote to production: This is more of an operational issue than a security assessment.

B. If DAST code is being stored to a single code repository: This concerns code management rather than security testing frequency.

D. If role-based training is deployed: While important, training alone does not ensure continuous security assessment.

Input sanitation is a critical process in cybersecurity that involvesvalidating and cleaning data provided by users to prevent malicious inputs from causing harm. In the context of AI concerns:

A. Model inversion involves an attacker inferring sensitive data from model outputs, typically requiring sophisticated methods beyond just manipulating input data.

B. Prompt Injection is a form of attack where an adversary provides malicious input to manipulate the behavior of AI models, particularly those dealing with natural language processing (NLP). Input sanitation directly addresses this by ensuring that inputs are cleaned and validated to remove potentially harmful commands or instructions that could alter the AI ' s behavior.

C. Data poisoning involves injecting malicious data into the training set to compromise the model. While input sanitation can help by filtering out bad data, data poisoning is typically addressed through robust data validation and monitoring during the model training phase, rather than real-time input sanitation.

D. Non-explainable model refers to the lack of transparency in how AI models make decisions. This concern is not addressed by input sanitation, as it relates more to model design and interpretability techniques.

Input sanitation is most relevant and effective for preventing Prompt Injection attacks, where the integrity of user inputs directly impacts the performance and security of AI models.

Useruser-cis showinganomalous behavior across multiple machines, attempting to run administrative tools such as cmd.exe and appwiz.CPL, which are commonly used by attackers for system modification. The activity pattern suggests a lateral movement attempt, potentially indicating a compromised account.

user-a (A)anduser-b (B)attempted to run applications but only on one machine, suggesting less likelihood of compromise.

user-d (D)was blocked running cmd.com, but user-c’s pattern is more consistent with an attack technique.

The first action is to implement continuous and context-based authentication and authorization (A). Traditional authentication validates users only at login, which creates gaps during active sessions. Continuous authentication ensures validation throughout the data access workflow, incorporating contextual factors like device state, geolocation, and behavioral analysis. This directly aligns with audit findings requiring protection by role, identity validation, and action tracking.

Option B improves onboarding and monitoring but does not enforce continuous access control. Option C improves identity federation but does not provide session-by-session validation. Option D secures APIs but is too narrow for organization-wide identity workflows.

CAS-005 stresses Zero Trust and context-aware IAM, making continuous authentication and authorization the top priority.