CAS-005 Exam Dumps : CompTIA SecurityX Certification Exam

The best answer is D. Host-based encryption . The strongest clue is that the company has proprietary information on its hard drives and consultants must travel with company-managed devices because BYOD is prohibited. That makes protection of data at rest on the endpoint the primary concern. Host-based encryption protects the contents of the drive if a laptop is lost, stolen, or physically accessed during travel. CompTIA’s SecurityX certification emphasizes building secure solutions across complex environments and supporting resilient enterprise protection, which includes securing endpoints and sensitive data stored on them.

Why the other options are not best:

A. Virtual hardware does not directly protect the data on the hard drive if the device is lost or stolen. B. Measured boot helps validate platform integrity at startup, but it does not primarily protect confidential data at rest. C. Secure enclave can protect certain secrets and key material, but it is narrower than full host-based encryption for an entire laptop drive. Because the requirement is specifically about proprietary data on traveling endpoints, full device or host-based encryption is the most beneficial control.

To prevent unauthorized applications from running, the company needs a mechanism to explicitly define and enforce which applications are allowed to execute. " Permit listing " (often referred to as " whitelisting " in security contexts) is the most effective solution here. It involves creating a list of approved applications, and only those on the list are permitted to run, blocking all others by default. This directly addresses the root cause—users installing unapproved software—by restricting execution to only authorized programs.

Option A (Signing):Code signing ensures the authenticity and integrity of software by verifying it comes from a trusted source and hasn’t been tampered with. While useful, it doesn’t inherently prevent unauthorized applications from running unless combined with a policy like whitelisting.

Option B (Access control):Access control governs who can access systems or resources but doesn’t specifically restrict which applications can execute. It’s too broad for this scenario.

Option C (HIPS):A Host-based Intrusion Prevention System (HIPS) can detect and block malicious behavior, but it’s reactive and relies on signatures or heuristics, not a proactive allow-only approach.

Option D (Permit listing):This is the best fit, as it proactively enforces a policy where only explicitly authorized applications can run, preventing malware introduced by unauthorized software.