SecurityX CAS-005 CompTIA Study Notes

HMAC (Hash-based Message Authentication Code)ensures the integrity and authentication of API requests without exposing static or hard-coded private keys. It uses a secret key and a hash function, preventing replay attacks and tampering. VPNs secure the transport layer, MFA protects user accounts (not API-to-database communications), and DSA is a signature algorithm but does not address hard-coding risk directly.

Theregulated lab environment (Yes)shares the same VLAN (10.2.0.0/22) withusers, creatingzone traversalrisk from unregulated zones to sensitive datanetworks.

This allows pivoting and lateral movement from non-regulated user devices into regulated lab environments — a classiczone boundary violation.

Zone traversal should be mitigated with segmentation and firewall enforcement.

FromCAS-005, Domain 2: Risk Management and Mitigation Strategies:

“Zone traversal occurs when segmentation boundaries are misconfigured or merged, leading to regulatory and risk compliance failures.”

User and Entity Behavior Analytics (UEBA) is the best solution to help the company overcome challenges associated with suspicious activity that cannot be categorized by traditional detection tools. UEBA uses advanced analytics to establish baselines of normal behavior for users and entities within the network. It then identifies deviations from these baselines, which may indicate malicious activity. This approach is particularly effective for detecting unknown threats and sophisticated attacks that do not match known indicators of compromise (IoCs).

The best answer is C. To block malicious radio connections . The agency is preventing the government-issued endpoint itself from directly attaching to foreign cellular networks while roaming. That reduces the exposure of the endpoint to hostile or untrusted cellular infrastructure, including rogue or malicious radio environments. Requiring the use of agency-issued hotspots keeps the endpoint off direct cellular attachment and places the radio exposure on a controlled intermediary device instead. In CompTIA SecurityX CAS-005, one of the core expected skills is to “utilize cryptographic technologies and techniques while evaluating the impact of emerging trends… on information security” and to design secure solutions across complex environments. This question fits that theme of managing risk from modern communications technologies through architecture and control choices.

Why the other options are less accurate:

A is too specific because the scenario is broader than SIM hijacking; disabling direct cellular service on the endpoint is not solely about SIM theft. B is less accurate because the hotspot still depends on a carrier, so this does not fully eliminate over-the-air carrier-related risks. D is possible as a radio-security concern, but the question is framed more broadly around disallowing direct endpoint cellular connections altogether, so malicious radio connections is the more complete rationale. E is incorrect because directed electromagnetic interference is not what mobile hotspots are primarily designed to mitigate in this context.