
CompTIA CS0-002 CompTIA CySA+ Certification Exam (CS0-002) Exam Practice Test

Page: 1 / 37
Total 372 questions

CompTIA CySA+ Certification Exam (CS0-002) Questions and Answers

Question 1

Which of the following is MOST dangerous to the client environment during a vulnerability assessment penetration test?

Options:

A.

There is a longer period of time to assess the environment.

B.

The testing is outside the contractual scope.

C.

There is a shorter period of time to assess the environment.

D.

No status reports are included with the assessment.

Question 2

An intrusion detection analyst reported an inbound connection originating from an unknown IP address recorded on the VPN server for multiple internal hosts. During an investigation, a security analyst determines there were no identifiers associated with the hosts. Which of the following should the security analyst enforce to obtain the best information?

Options:

A.

Update the organization's IP table.

B.

Enable user access logging.

C.

Shut down all VPN connections.

D.

Create rules for the Active Directory.

Question 3

An analyst is coordinating with the management team and collecting several terabytes of data to analyze using advanced mathematical techniques in order to find patterns and correlations in events and activities. Which of the following describes what the analyst is doing?

Options:

A.

Data visualization

B.

SOAR

C.

Machine learning

D.

SCAP

Question 4

A developer downloaded and attempted to install a file transfer application in which the installation package is bundled with adware. The next-generation antivirus software prevented the file from executing, but it did not remove the file from the device. Over the next few days, more developers tried to download and execute the offending file. Which of the following changes should be made to the security tools to BEST remedy the issue?

Options:

A.

Blacklist the hash in the next-generation antivirus system.

B.

Manually delete the file from each of the workstations.

C.

Remove administrative rights from all developer workstations.

D.

Block the download of the file via the web proxy.

Question 5

A security analyst recently observed evidence of an attack against a company's web server. The analyst investigated the issue but was unable to find an exploit that adequately explained the observations.

Which of the following is the MOST likely cause of this issue?

Options:

A.

The security analyst needs updated forensic analysis tools.

B.

The security analyst needs more training on threat hunting and research.

C.

The security analyst has potentially found a zero-day vulnerability that has been exploited.

D.

The security analyst has encountered a polymorphic piece of malware.

Question 6

A cybersecurity analyst is researching operational data to develop a script that will detect the presence of a threat on corporate assets. Which of the following contains the most useful information to produce this script?

Options:

A.

API documentation

B.

Protocol analysis captures

C.

MITRE ATT&CK reports

D.

OpenIOC files

Question 7

An employee observes degraded system performance on a Windows workstation. While attempting to access documents, the employee notices the file icons appear abnormal and the file extensions have been changed. The employee instantly shuts down the machine and alerts a supervisor.

Which of the following forensic evidence will be lost as a result of these actions?

Options:

A.

All user actions prior to shutting down the machine

B.

All information stored in the machine's local database

C.

All cached items that are queued to be written to the registry

D.

Volatile artifacts in the system's memory

Question 8

Which of the following is the best method to ensure secure boot UEFI features are enabled to prevent boot malware?

Options:

A.

Enable secure boot in the hardware and reload the operating system.

B.

Reconfigure the system's MBR and enable NTFS.

C.

Set UEFI to legacy mode and enable security features.

D.

Convert the legacy partition table to UEFI and repair the operating system.

Question 9

A company's Chief Information Officer wants to use a CASB solution to ensure policies are being met during cloud access. Due to the nature of the company's business and risk appetite, the management team elected to not store financial information in the cloud. A security analyst needs to recommend a solution to mitigate the threat of financial data leakage into the cloud. Which of the following should the analyst recommend?

Options:

A.

Utilize the CASB to enforce DLP data-at-rest protection for financial information that is stored on premises.

B.

Do not utilize the CASB solution for this purpose, but add DLP on premises for data in motion.

C.

Utilize the CASB to enforce DLP data-in-motion protection for financial information moving to the cloud.

D.

Do not utilize the CASB solution for this purpose, but add DLP on premises for data at rest.

Question 10

A security analyst is reviewing vulnerability scans from an organization's internet-facing web services. The following is from an output file called ssl-test_webapps.comptia.org:

Question # 10

Which of the following lines from this output most likely indicates that attackers could quickly use brute force and determine the negotiated secret session key?

Options:

A.

TLS_RSA_WITH_DES_CBC_SHA 56

B.

TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 DH (1024 bits)

C.

TLS_RSA_WITH_AES_256_CBC_SHA 256

D.

TLS_DHE_RSA_WITH_AES_256_GCM_SHA256 DH (2048 bits)

Question 11

A new government regulation requires that organizations only retain the minimum amount of data on a person to perform the organization's necessary activities. Which of the following techniques would help an organization comply with this new regulation?

Options:

A.

Storing the highest-risk data in a separate and secured environment

B.

Limiting access to data on a need-to-know basis

C.

Deidentifying a data subject throughout the organization's applications

D.

Having a privacy expert peer review source code before deployment

Question 12

A company recently experienced a breach of sensitive information that affects customers across multiple geographical regions. Which of the following roles would be BEST suited to determine the breach notification requirements?

Options:

A.

Legal counsel

B.

Chief Security Officer

C.

Human resources

D.

Law enforcement

Question 13

The help desk is having difficulty keeping up with all onboarding and offboarding requests. Managers often submit requests for new users at the last minute, causing the help desk to scramble to create accounts across many different interconnected systems. Which of the following solutions would work BEST to assist the help desk with the onboarding and offboarding process while protecting the company's assets?

Options:

A.

MFA

B.

CASB

C.

SSO

D.

RBAC

Question 14

A security analyst scans the company's external IP range and receives the following results from one of the hosts:

Question # 14

Which of the following best represents the security concern?

Options:

A.

A remote communications port is exposed.

B.

The FTP port should be using TCP only.

C.

Microsoft RDP is accepting connections on TCP.

D.

The company's DNS server is exposed to everyone.

Question 15

While conducting a cloud assessment, a security analyst performs a Prowler scan, which generates the following within the report:

Question # 15

Based on the Prowler report, which of the following is the BEST recommendation?

Options:

A.

Delete Cloud Dev access key 1

B.

Delete BusinessUsr access key 1.

C.

Delete access key 1.

D.

Delete access key 2.

Question 16

An analyst receives artifacts from a recent intrusion and is able to pull a domain, IP address, email address, and software version. Which of the following points of the Diamond Model of Intrusion Analysis does this intelligence represent?

Options:

A.

Infrastructure

B.

Capabilities

C.

Adversary

D.

Victims

Question 17

Which of the following is MOST important when developing a threat hunting program?

Options:

A.

Understanding penetration testing techniques

B.

Understanding how to build correlation rules within a SIEM

C.

Understanding security software technologies

D.

Understanding assets and categories of assets

Question 18

After examining a header and footer file, a security analyst begins reconstructing files by scanning the raw data bytes of a hard disk and rebuilding them. Which of the following techniques is the analyst using?

Options:

A.

Header analysis

B.

File carving

C.

Metadata analysis

D.

Data recovery

Question 19

A security analyst is reviewing a new Internet portal that will be used for corporate employees to obtain their pay statements. Corporate policy classifies pay statement information as confidential, and it must be protected by MFA. Which of the following would best fulfill the MFA requirement while keeping the portal accessible from the internet?

Options:

A.

Obtaining home public IP addresses of corporate employees to implement source IP restrictions and requiring a username and password

B.

Requiring the internet portal to be accessible from only the corporate SSO internet endpoint and requiring a smart card and PIN

C.

Moving the internet portal server to a DMZ that is only accessible from the corporate VPN and requiring a username and password

D.

Distributing a shared password that must be provided before the internet portal loads and requiring a username and password

Question 20

Which of the following activities is designed to handle a control failure that leads to a breach?

Options:

A.

Risk assessment

B.

Incident management

C.

Root cause analysis

D.

Vulnerability management

Question 21

A security analyst wants to capture large amounts of network data that will be analyzed at a later time. The packet capture does not need to be in a format that is readable by humans, since it will be put into a binary file called "packetCapture." The capture must be as efficient as possible, and the analyst wants to minimize the likelihood that packets will be missed. Which of the following commands will best accomplish the analyst's objectives?

Options:

A.

tcpdump -w packetCapture

B.

tcpdump -a packetCapture

C.

tcpdump -n packetCapture

D.

nmap -v > packetCapture

E.

nmap -oA > packetCapture

Question 22

A financial institution's business unit plans to deploy a new technology in a manner that violates existing information security standards. Which of the following actions should the Chief Information Security Officer (CISO) take to manage any type of violation?

Options:

A.

Enforce the existing security standards and controls.

B.

Perform a risk analysis and qualify the risk with legal.

C.

Perform research and propose a better technology.

D.

Enforce the standard permits.

Question 23

An analyst is responding to an incident involving an attack on a company-owned mobile device that was being used by an employee to collect data from clients in the field. Malware was loaded on the device via the installation of a third-party software package. The analyst has baselined the device. Which of the following should the analyst do to BEST mitigate future attacks?

Options:

A.

Implement MDM

B.

Update the malware catalog

C.

Patch the mobile device's OS

D.

Block third-party applications

Question 24

The management team has asked a senior security engineer to explore DLP security solutions for the company's growing use of cloud-based storage. Which of the following is an appropriate solution to control the sensitive data that is being stored in the cloud?

Options:

A.

NAC

B.

IPS

C.

CASB

D.

WAF

Question 25

Which of the following can detect vulnerable third-party libraries before code deployment?

Options:

A.

Impact analysis

B.

Dynamic analysis

C.

Static analysis

D.

Protocol analysis

Question 26

A security analyst reviews the following post-incident information to determine the origin and cause of a breach:

Question # 26

Based on this information, which of the following should the analyst record in the incident report related to the breach? (Select two).

Options:

A.

Forensic analysis should be performed on 192.168.1.10.

B.

An on-path attack is impersonating the gateway.

C.

IP address 43.23.10.201 should be blocked at the firewall.

D.

Host 192.168.1.210 should be disconnected from the network.

E.

The /images folder should be scanned with anti-malware.

F.

A reverse shell was used.

Question 27

An information security analyst discovered a virtual machine server was compromised by an attacker. Which of the following should be the first steps to confirm and respond to the incident? (Select two).

Options:

A.

Pause the virtual machine.

B.

Shut down the virtual machine.

C.

Take a snapshot of the virtual machine.

D.

Remove the NIC from the virtual machine.

E.

Review host hypervisor log of the virtual machine.

F.

Execute a migration of the virtual machine.

Question 28

A security analyst is investigating a reported phishing attempt that was received by many users throughout the company. The text of one of the emails is shown below:

Question # 28

Office 365 User,

It looks like your account has been locked out. Please click this link and follow the prompts to restore access.

Regards,

Security Team

Due to the size of the company and the high storage requirements, the company does not log DNS requests or perform packet captures of network traffic, but it does log network flow data. Which of the following commands will the analyst most likely execute NEXT?

Options:

A.

telnet office365.com 25

B.

tracert 122.167.40.119

C.

curl http://accountfix-office365.com/login.php

D.

nslookup accountfix-office365.com

Question 29

A cybersecurity analyst is concerned about attacks that use advanced evasion techniques. Which of the following would best mitigate such attacks?

Options:

A.

Keeping IPS rules up to date

B.

Installing a proxy server

C.

Applying network segmentation

D.

Updating the antivirus software

Question 30

Ensuring that all areas of security have the proper controls is a primary reason why organizations use:

Options:

A.

frameworks.

B.

directors and officers.

C.

incident response plans.

D.

engineering rigor.

Question 31

An organization is adopting IoT devices at an increasing rate and will need to account for firmware updates in its vulnerability management programs. Despite the number of devices being deployed, the organization has only focused on software patches so far, leaving hardware-related weaknesses open to compromise. Which of the following best practices will help the organization to track and deploy trusted firmware updates as part of its vulnerability management programs?

Options:

A.

Utilize threat intelligence to guide risk evaluation activities and implement critical updates after proper testing.

B.

Apply all firmware updates as soon as they are released to mitigate the risk of compromise.

C.

Determine an annual patch cadence to ensure all patching occurs at the same time.

D.

Implement an automated solution that detects when vendors release firmware updates and immediately deploy updates to production.

Question 32

An organization discovers motherboards within the environment that appear to have been physically altered during the manufacturing process. Which of the following is the BEST course of action to mitigate the risk of this reoccurring?

Options:

A.

Perform an assessment of the firmware to determine any malicious modifications.

B.

Conduct a trade study to determine if the additional risk constitutes further action.

C.

Coordinate a supply chain assessment to ensure hardware authenticity.

D.

Work with IT to replace the devices with the known-altered motherboards.

Question 33

An incident response team detected malicious software that could have gained access to credit card data. The incident response team was able to mitigate significant damage and implement corrective actions by having incident response mechanisms in place. Which of the following should be notified for lessons learned?

Options:

A.

The human resources department

B.

Customers

C.

Company leadership

D.

The legal team

Question 34

Which of the following is a vulnerability associated with the Modbus protocol?

Options:

A.

Weak encryption

B.

Denial of service

C.

Unchecked user input

D.

Lack of authentication

Question 35

A product manager is working with an analyst to design a new application that will perform as a data analytics platform and will be accessible via a web browser. The product manager suggests using a PaaS provider to host the application. Which of the following is a security concern when using a PaaS solution?

Options:

A.

The use of infrastructure-as-code capabilities leads to an increased attack surface.

B.

Patching the underlying application server becomes the responsibility of the client.

C.

The application is unable to use encryption at the database level.

D.

Insecure application programming interfaces can lead to data compromise.

Question 36

A product security analyst has been assigned to evaluate and validate a new product's security capabilities. Part of the evaluation involves reviewing design changes at specific intervals for security deficiencies, recommending changes, and checking for changes at the next checkpoint. Which of the following BEST defines the activity being conducted?

Options:

A.

User acceptance testing

B.

Stress testing

C.

Code review

D.

Security regression testing

Question 37

Which of the following BEST describes HSM?

Options:

A.

A computing device that manages cryptography, decrypts traffic, and maintains library calls

B.

A computing device that manages digital keys, performs encryption/decryption functions, and maintains other cryptographic functions

C.

A computing device that manages physical keys, encrypts devices, and creates strong cryptographic functions

D.

A computing device that manages algorithms, performs entropy functions, and maintains digital signatures

Question 38

Which of the following is a reason to use a risk-based cybersecurity framework?

Options:

A.

A risk-based approach always requires quantifying each cyber risk faced by an organization

B.

A risk-based approach better allocates an organization's resources against cyberthreats and vulnerabilities

C.

A risk-based approach is driven by regulatory compliance and is required for most organizations

D.

A risk-based approach prioritizes vulnerability remediation by threat hunting and other qualitative-based processes

Question 39

The Chief Information Security Officer (CISO) of a large financial institution is seeking a solution that will block a predetermined set of data points from being transferred or downloaded by employees. The CISO also wants to track the data assets by name, type, content, or data profile.

Which of the following BEST describes what the CISO wants to purchase?

Options:

A.

Asset tagging

B.

SIEM

C.

File integrity monitor

D.

DLP

Question 40

An incident response plan requires systems that contain critical data to be triaged first in the event of a compromise. Which of the following types of data would most likely be classified as critical?

Options:

A.

Encrypted data

B.

data

C.

Masked data

D.

Marketing data

Question 41

Which of the following are considered PII by themselves? (Select TWO).

Options:

A.

Government ID

B.

Job title

C.

Employment start date

D.

Birth certificate

E.

Employer address

F.

Mother's maiden name

Question 42

A company wants to ensure a third party does not take intellectual property and build a competing product. Which of the following is a non-technical data and privacy control that would best protect the company?

Options:

A.

Data encryption

B.

A non-disclosure agreement

C.

Purpose limitation

D.

Digital rights management

Question 43

While going through successful malware cleanup logs, an analyst notices an old worm that has been replicating itself across the company's network. Reinfection of the malware can be prevented with a patch; however, most of the affected systems cannot be patched because the patch would make the system unstable. Which of the following should the analyst recommend to best prevent propagation of the malware throughout the network?

Options:

A.

Segmenting the network to include all legacy systems

B.

Placing vulnerable devices behind a firewall

C.

Scanning the entire network for malware weekly

D.

Patching systems when possible and monitoring the rest of them

Question 44

A company has started planning the implementation of a vulnerability management procedure. However, its security maturity level is low, so there are some prerequisites to complete before risk calculation and prioritization. Which of the following should be completed FIRST?

Options:

A.

A business impact analysis

B.

A system assessment

C.

Communication of the risk factors

D.

A risk identification process

Question 45

A security analyst is reviewing the following server statistics:

Question # 45

Which of the following is MOST likely occurring?

Options:

A.

Race condition

B.

Privilege escalation

C.

Resource exhaustion

D.

VM escape

Question 46

A security analyst performed a targeted system vulnerability scan to obtain critical information. After the output result, the analyst used the OVAL XML language to review and calculate the discovered risk. Which of the following types of scans did the security analyst perform?

Options:

A.

Active

B.

Network map

C.

Passive

D.

External

Question 47

A security analyst notices the following proxy log entries:

Question # 47

Which of the following is the user attempting to do based on the log entries?

Options:

A.

Use a DoS attack on external hosts.

B.

Exfiltrate data.

C.

Scan the network.

D.

Relay email.

Question 48

The IT department is concerned about the possibility of a guest device infecting machines on the corporate network or taking down the company's single internet connection. Which of the following should a security analyst recommend to BEST meet the requirements outlined by the IT department?

Options:

A.

Require the guest machines to install the corporate-owned EDR solution.

B.

Configure NAC to only allow machines on the network that are patched and have active antivirus.

C.

Place a firewall in between the corporate network and the guest network.

D.

Configure the IPS with rules that will detect common malware signatures traveling from the guest network.

Question 49

While reviewing incident reports from the previous night, a security analyst notices the corporate websites were defaced with political propaganda. Which of the following BEST describes this type of actor?

Options:

A.

Hacktivist

B.

Nation-state

C.

Insider threat

D.

Organized crime

Question 50

During the onboarding process for a new vendor, a security analyst obtains a copy of the vendor's latest penetration test summary:

Question # 50

Performed by: Vendor Red Team Last performed: 14 days ago

Which of the following recommendations should the analyst make first?

Options:

A.

Perform a more recent penetration test.

B.

Continue vendor onboarding.

C.

Disclose details regarding the findings.

D.

Have a neutral third party perform a penetration test.

Question 51

Which of the following BEST describes what an organization's incident response plan should cover regarding how the organization handles public or private disclosures of an incident?

Options:

A.

The disclosure section should focus on how to reduce the likelihood customers will leave due to the incident.

B.

The disclosure section should contain the organization's legal and regulatory requirements regarding disclosures.

C.

The disclosure section should include the names and contact information of key employees who are needed for incident resolution.

D.

The disclosure section should contain language explaining how the organization will reduce the likelihood of the incident from happening in the future.

Question 52

An analyst is performing a BIA and needs to consider measures and metrics. Which of the following would help the analyst achieve this objective? (Select two).

Options:

A.

Time to reimage the server

B.

Minimum data backup volume

C.

Disaster recovery plan for non-critical services

D.

Maximum downtime before impact is unacceptable

E.

Time required to inform stakeholders about outage

F.

Total time accepted for business process outage

Question 53

A systems administrator believes a user's workstation has been compromised. The workstation's performance has been lagging significantly for the past several hours. The administrator runs the tasklist /v command and receives the following output:

Question # 53

Which of the following should a security analyst recognize as an indicator of compromise?

Options:

A.

dwm.exe being executed under the user context

B.

The high usage of vscode.exe *32

C.

The abnormal behavior of paint.exe

D.

svchost.exe being executed as SYSTEM

Question 54

A security analyst is handling an incident in which ransomware has encrypted the disks of several company workstations. Which of the following would work BEST to prevent this type of Incident in the future?

Options:

A.

Implement a UTM instead of a stateful firewall and enable gateway antivirus.

B.

Back up the workstations to facilitate recovery and create a gold Image.

C.

Establish a ransomware awareness program and implement secure and verifiable backups.

D.

Virtualize all the endpoints with daily snapshots of the virtual machines.

Question 55

Legacy medical equipment, which contains sensitive data, cannot be patched. Which of the following is the best solution to improve the equipment's security posture?

Options:

A.

Move the legacy systems behind a WAF.

B.

Implement an air gap for the legacy systems.

C.

Place the legacy systems in the perimeter network.

D.

Implement a VPN between the legacy systems and the local network.

Question 56

During an incident response procedure, a security analyst acquired the needed evidence from the hard drive of a compromised machine. Which of the following actions should the analyst perform next to ensure the data integrity of the evidence?

Options:

A.

Generate hashes for each file from the hard drive.

B.

Create a chain of custody document.

C.

Determine a timeline of events using correct time synchronization.

D.

Keep the cloned hard drive in a safe place.

Question 57

While reviewing system logs, a network administrator discovers the following entry:

Question # 57

Which of the following occurred?

Options:

A.

An attempt was made to access a remote workstation.

B.

The PsExec services failed to execute.

C.

A remote shell failed to open.

D.

A user was trying to download a password file from a remote system.

Question 58

Question # 58

Which of the following lines from this output most likely indicates that attackers could quickly use brute force and determine the negotiated secret session key?

Options:

A.

TLS_RSA_WITH_DES_CBC_SHA 56

B.

TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 DH (1024 bits)

C.

TLS_RSA_WITH_AES_256_CBC_SHA 256

D.

TLS_DHE_RSA_WITH_AES_256_GCM_SHA256 DH (2048 bits)

Question 59

A manufacturing company uses a third-party service provider for Tier 1 security support. One of the requirements is that the provider must only source talent from its own country due to geopolitical and national security interests. Which of the following can the manufacturing company implement to ensure the third-party service provider meets this requirement?

Options:

A.

Implement a secure supply chain program with governance

B.

Implement blacklisting for IP addresses from outside the country

C.

Implement strong authentication controls for all contractors

D.

Implement user behavior analytics for key staff members

Question 60

A new prototype for a company's flagship product was leaked on the internet. As a result, the management team has locked out all USB drives. Optical drive writers are not present on company computers. The sales team has been granted an exception to share sales presentation files with third parties. Which of the following would allow the IT team to determine which devices are USB enabled?

Options:

A.

Asset tagging

B.

Device encryption

C.

Data loss prevention

D.

SIEM logs

Question 61

An organization is concerned about the security posture of vendors with access to its facilities and systems. The organization wants to implement a vendor review process to ensure the policies implemented by vendors are in line with its own. Which of the following will provide the highest assurance of compliance?

Options:

A.

An in-house red-team report

B.

A vendor self-assessment report

C.

An independent third-party audit report

D.

Internal and external scans from an approved third-party vulnerability vendor

Question 62

An IT security analyst has received an email alert regarding a vulnerability within the new fleet of vehicles the company recently purchased. Which of the following attack vectors is the vulnerability MOST likely targeting?

Options:

A.

SCADA

B.

CAN bus

C.

Modbus

D.

IoT

Question 63

An organization announces that all employees will need to work remotely for an extended period of time. All employees will be provided with a laptop and supported hardware to facilitate this requirement. The organization asks the information security division to reduce the risk during this time. Which of the following is a technical control that will reduce the risk of data loss if a laptop is lost or stolen?

Options:

A.

Requiring the use of the corporate VPN

B.

Requiring the screen to be locked after five minutes of inactivity

C.

Requiring the laptop to be locked in a cabinet when not in use

D.

Requiring full disk encryption

Question 64

An organization has specific technical risk mitigation configurations that must be implemented before a new server can be approved for production. Several critical servers were recently deployed with the antivirus missing, unnecessary ports disabled, and insufficient password complexity. Which of the following should the analyst recommend to prevent a recurrence of this risk exposure?

Options:

A.

Perform password-cracking attempts on all devices going into production

B.

Perform an Nmap scan on all devices before they are released to production

C.

Perform antivirus scans on all devices before they are approved for production

D.

Perform automated security controls testing of expected configurations prior to production

Question 65

A company is required to monitor for unauthorized changes to baselines on all assets to comply with industry regulations. Two of the remote units did not recover after scans were performed on the assets. An analyst needs to recommend a solution to prevent recurrence. Which of the following is the best way to satisfy the regulatory requirement without impacting the availability to similar assets and creating an unsustainable process?

Options:

A.

Manually review the baselines daily and document the results in a change history log.

B.

Document exceptions with compensating controls to demonstrate the risk mitigation efforts.

C.

Implement a new scanning technology to satisfy the monitoring requirement and train the team.

D.

Purchase new remote units from other vendors with a proven ability to support scanning requirements.

Question 66

The majority of a company's employees have stated they are unable to perform their job duties due to outdated workstations, so the company has decided to institute BYOD. Which of the following would a security analyst MOST likely recommend for securing the proposed solution?

Options:

A.

A Linux-based system and mandatory training on Linux for all BYOD users

B.

A firewalled environment for client devices and a secure VDI for BYOD users

C.

A standardized anti-malware platform and a unified operating system vendor

D.

802.1X to enforce company policy on BYOD user hardware

Question 67

A software developer is correcting the error-handling capabilities of an application following the initial coding of the fix. Which of the following would the software developer MOST likely perform to validate the code prior to pushing it to production?

Options:

A.

Web-application vulnerability scan

B.

Static analysis

C.

Packet inspection

D.

Penetration test

Question 68

A manufacturing company has joined the information sharing and analysis center for its sector. As a benefit, the company will receive structured IoC data contributed by other members. Which of the following best describes the utility of this data?

Options:

A.

Other members will have visibility into instances of positive IoC identification within the manufacturing company's corporate network.

B.

The manufacturing company will have access to relevant malware samples from all other manufacturing sector members.

C.

Other members will automatically adjust their security postures to defend the manufacturing company's processes.

D.

The manufacturing company can automatically generate security configurations for all of its infrastructure.

Question 69

While reviewing a vulnerability assessment, an analyst notices the following issue is identified in the report:

Question # 69

Given this finding, which of the following would be most appropriate for the analyst to recommend to the network engineer?

Options:

A.

Reconfigure the device to support only connections leveraging TLSv1.2.

B.

Obtain a new self-signed certificate and select AES as the hashing algorithm.

C.

Replace the existing certificate with a certificate that uses only MD5 for signing.

D.

Use only signed certificates with cryptographically secure certificate sources.

Question 70

Which of the following SCAP standards provides standardization for measuring and describing the severity of security-related software flaws?

Options:

A.

OVAL

B.

CVSS

C.

CVE

D.

CCE

Question 71

A development team has asked users to conduct testing to ensure an application meets the needs of the business. Which of the following types of testing does this describe?

Options:

A.

Acceptance testing

B.

Stress testing

C.

Regression testing

D.

Penetration testing

Question 72

An organization has the following policies:

*Services must run on standard ports.

*Unneeded services must be disabled.

The organization has the following servers:

*192.168.10.1 - web server

*192.168.10.2 - database server

A security analyst runs a scan on the servers and sees the following output:

Question # 72

Which of the following actions should the analyst take?

Options:

A.

Disable HTTPS on 192.168.10.1.

B.

Disable IIS on 192.168.10.1.

C.

Disable DNS on 192.168.10.2.

D.

Disable MSSQL on 192.168.10.2.

E.

Disable SSH on both servers.

Question 73

A security analyst sees the following OWASP ZAP output from a scan that was performed against a modern version of Windows while testing for client-side vulnerabilities:

Question # 73

Which of the following is the MOST likely solution to the listed vulnerability?

Options:

A.

Enable the browser's XSS filter.

B.

Enable Windows XSS protection

C.

Enable the browser's protected pages mode

D.

Enable server-side XSS protection

Question 74

A cybersecurity analyst is supporting an incident response effort via threat intelligence. Which of the following is the analyst most likely executing?

Options:

A.

Requirements analysis and collection planning

B.

Containment and eradication

C.

Recovery and post-incident review

D.

Indicator enrichment and research pivoting

Question 75

A threat feed disclosed a list of files to be used as an IoC for a zero-day vulnerability. A cybersecurity analyst decided to include a custom lookup for these files on the endpoint's log-in script as a mechanism to:

Options:

A.

automate malware signature creation.

B.

close the threat intelligence cycle loop.

C.

generate a STIX object for the TAXII server

D.

improve existing detection capabilities.

Question 76

A security analyst is running a tool against an executable of an unknown source. The input supplied by the tool to the executable program and the output from the executable are shown below:

Question # 76

Which of the following should the analyst report after viewing this information?

Options:

A.

A dynamic library that is needed by the executable is missing

B.

Input can be crafted to trigger an injection attack in the executable

C.

The tool caused a buffer overflow in the executable's memory

D.

The executable attempted to execute a malicious command

Question 77

A security analyst is reviewing the network security monitoring logs listed below:

Question # 77

Which of the following is the analyst most likely observing? (Select two).

Options:

A.

10.1.1.128 sent potential malicious traffic to the web server.

B.

10.1.1.128 sent malicious requests, and the alert is a false positive

C.

10.1.1.129 successfully exploited a vulnerability on the web server

D.

10.1.1.129 sent potential malicious requests to the web server

E.

10.1.1.129 can determine that port 443 is being used

F.

10.1.1.130 can potentially obtain information about the PHP version

Question 78

A forensic analyst is conducting an investigation on a compromised server. Which of the following should the analyst do first to preserve evidence?

Options:

A.

Restore damaged data from the backup media

B.

Create a system timeline

C.

Monitor user access to compromised systems

D.

Back up all log files and audit trails

Question 79

An analyst is reviewing the following output as part of an incident:

Question # 79

Which of the following is MOST likely happening?

Options:

A.

The hosts are part of a reflective denial-of-service attack.

B.

Information is leaking from the memory of host 10.20.30.40.

C.

Sensitive data is being exfiltrated by host 192.168.1.10.

D.

Host 291.168.1.10 is performing firewall port knocking.

Question 80

A company is building a new fabrication plant and designing its production lines based on the products it manufactures and the networks to support them. The security engineer has the following requirements:

• Each production line must be secured using a single posture.

• Each production line must only communicate with the other lines in a least privilege method.

• Access to each production line from the rest of the network must be strictly controlled.

To best provide the protection that meets these requirements, each product line should be:

Options:

A.

logically segmented and firewalled to control inbound and outbound connectivity.

B.

air gapped and firewalled to manage connectivity.

C.

air gapped but connected to one another by data diodes.

D.

logically segmented and then air gapped to specifically limit traffic.

Question 81

Which of the following techniques can be implemented to safeguard the confidentiality of sensitive information while allowing limited access to authorized individuals?

Options:

A.

Deidentification

B.

Hashing

C.

Masking

D.

Salting

Question 82

An analyst is responding to an incident within a cloud infrastructure. Based on the logs and traffic analysis, the analyst thinks a container has been compromised. Which of the following should the analyst do FIRST?

Options:

A.

Perform threat hunting in other areas of the cloud infrastructure

B.

Contact law enforcement to report the incident

C.

Perform a root cause analysis on the container and the service logs

D.

Isolate the container from production using a predefined policy template

Question 83

An incident response team is responding to a breach of multiple systems that contain PII and PHI. Disclosure of the incident to external entities should be based on:

Options:

A.

the responder's discretion.

B.

the public relations policy.

C.

the communication plan.

D.

the senior management team's guidance.

Question 84

Due to continued support of legacy applications, an organization's enterprise password complexity rules are inadequate for its required security posture. Which of the following is the BEST compensating control to help reduce authentication compromises?

Options:

A.

Smart cards

B.

Multifactor authentication

C.

Biometrics

D.

Increased password-rotation frequency

Question 85

A security analyst is attempting to resolve an incident in which highly confidential company pricing information was sent to clients. It appears this information was unintentionally sent by an employee who attached it to public marketing material. Which of the following configuration changes would work BEST to limit the risk of this incident being repeated?

Options:

A.

Add client addresses to the blocklist.

B.

Update the DLP rules and metadata.

C.

Sanitize the marketing material.

D.

Update the insider threat procedures.

Question 86

An analyst receives an alert from the continuous-monitoring solution about unauthorized changes to the firmware versions on several field devices. The asset owners confirm that no firmware version updates were performed by authorized technicians, and customers have not reported any performance issues or outages. Which of the following actions would be BEST for the analyst to recommend to the asset owners to secure the devices from further exploitation?

Options:

A.

Change the passwords on the devices.

B.

Implement BIOS passwords.

C.

Remove the assets from the production network for analysis.

D.

Report the findings to the threat intel community.

Question 87

An employee contacts the SOC to report a high-severity bug that was identified in a new, internally developed web application, which went live in production last week. The SOC staff did not receive contact details or escalation procedures to follow. Which of the following stages of the SDLC process was overlooked?

Options:

A.

Input validation

B.

Planning

C.

Implementation and integration

D.

Operations and maintenance

Question 88

A security team implemented a SIEM as part of its security-monitoring program. There is a requirement to integrate a number of sources into the SIEM to provide better context relative to the events being processed. Which of the following BEST describes the result the security team hopes to accomplish by adding these sources?

Options:

A.

Data enrichment

B.

Continuous integration

C.

Machine learning

D.

Workflow orchestration

Question 89

A company stores all of its data in the cloud. All company-owned laptops are currently unmanaged, and all users have administrative rights. The security team is having difficulty identifying a way to secure the environment. Which of the following would be the BEST method to protect the company's data?

Options:

A.

Implement UEM on all systems and deploy security software.

B.

Implement DLP on all workstations and block company data from being sent outside the company

C.

Implement a CASB and prevent certain types of data from being downloaded to a workstation

D.

Implement centralized monitoring and logging for all company systems.

Question 90

An analyst received an alert regarding an application spawning a suspicious command shell process. Upon further investigation, the analyst observes the following registry change occurring immediately after the suspicious event:

Question # 90

Which of the following was the suspicious event able to accomplish?

Options:

A.

Impair defenses.

B.

Establish persistence.

C.

Bypass file access controls.

D.

Implement beaconing.

Question 91

An organization has the following policy statements:

• All emails entering or leaving the organization will be subject to inspection for malware, policy violations, and unauthorized content.

• All network activity will be logged and monitored.

• Confidential data will be tagged and tracked.

• Confidential data must never be transmitted in an unencrypted form.

• Confidential data must never be stored on an unencrypted mobile device.

Which of the following is the organization enforcing?

Options:

A.

Acceptable use policy

B.

Data privacy policy

C.

Encryption policy

D.

Data management policy

Question 92

Which of the following is a reason for correctly identifying APTs that might be targeting an organization?

Options:

A.

APTs' passion for social justice will make them ongoing and motivated attackers.

B.

APTs utilize methods and technologies differently than other threats

C.

APTs are primarily focused on financial gain and are widely available over the internet.

D.

APTs lack sophisticated methods, but their dedication makes them persistent.

Question 93

A security analyst is reviewing the following Internet usage trend report:

Question # 93

Which of the following usernames should the security analyst investigate further?

Options:

A.

User1

B.

User 2

C.

User 3

D.

User 4

Question 94

An organization's internal department frequently uses a cloud provider to store large amounts of sensitive data. A threat actor has deployed a virtual machine to attack the cloud-hosted hypervisor, and the threat actor has escalated the access rights. Which of the following actions would be BEST to remediate the vulnerability?

Options:

A.

Sandbox the virtual machine.

B.

Implement an MFA solution.

C.

Update to the secure hypervisor version.

D.

Implement dedicated hardware for each customer.

Question 95

A forensics investigator is analyzing a compromised workstation. The investigator has cloned the hard drive and needs to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive that was collected as evidence. Which of the following should the investigator do?

Options:

A.

Insert the hard drive on a test computer and boot the computer.

B.

Record the serial numbers of both hard drives.

C.

Compare the file-directory listing of both hard drives.

D.

Run a hash against the source and the destination.

Question 96

A security analyst needs to recommend the best approach to test a new application that simulates abnormal user behavior to find software bugs. Which of the following would best accomplish this task?

Options:

A.

A static analysis to find libraries with flaws handling user inputs

B.

A dynamic analysis using a dictionary to simulate user inputs

C.

Reverse engineering to circumvent software protections

D.

Fuzzing tools with polymorphic methods

Question 97

Which of the following organizational initiatives would be MOST impacted by data sovereignty issues?

Options:

A.

Moving to a cloud-based environment

B.

Migrating to locally hosted virtual servers

C.

Implementing non-repudiation controls

D.

Encrypting local database queries

Question 98

A customer notifies a security analyst that a web application is vulnerable to information disclosure. The analyst needs to indicate the severity of the vulnerability based on its CVSS score, which the analyst needs to calculate. When analyzing the vulnerability, the analyst realizes that for the attack to be successful, the Tomcat configuration file must be modified. Which of the following values should the security analyst choose when evaluating the CVSS score?

Options:

A.

Network

B.

Physical

C.

Adjacent

D.

Local

Question 99

An organizational policy requires one person to input accounts payable and another to do accounts receivable. A separate control requires one person to write a check and another person to sign all checks greater than $5,000 and to get an additional signature for checks greater than $10,000. Which of the following controls has the organization implemented?

Options:

A.

Segregation of duties

B.

Job rotation

C.

Non-repudiation

D.

Dual control

Question 100

A cybersecurity analyst needs to harden a server that is currently being used as a web server. The server needs to be accessible when entering www.company.com into the browser. Additionally, web pages require frequent updates, which are performed by a remote contractor. Given the following output:

Question # 100

Which of the following should the cybersecurity analyst recommend to harden the server? (Select TWO).

Options:

A.

Uninstall the DNS service

B.

Perform a vulnerability scan

C.

Change the server's IP to a private IP address

D.

Disable the Telnet service

E.

Block port 80 with the host-based firewall

F.

Change the SSH port to a non-standard port

Question 101

An organization has the following risk mitigation policy:

Risks with a probability of 95% or greater will be addressed before all others regardless of the impact.

All other prioritization will be based on risk value.

The organization has identified the following risks:

Question # 101

Which of the following is the order of priority for risk mitigation from highest to lowest?

Options:

A.

A, B, D, C

B.

A, B, C, D

C.

D, A, B, C

D.

D, A, C, B

Question 102

A security analyst needs to automate the incident response process for malware infections. When the following logs are generated, an alert email should automatically be sent within 30 minutes:

Question # 102

Which of the following is the best way for the analyst to automate alert generation?

Options:

A.

Deploy a signature-based IDS

B.

Install a UEBA-capable antivirus

C.

Implement email protection with SPF

D.

Create a custom rule on a SIEM

Question 103

An online gaming company was impacted by a ransomware attack. An employee opened an attachment that was received via an SMS attack on a company-issued mobile device. Which of the following actions would help during the forensic analysis of the mobile device? (Select TWO).

Options:

A.

Resetting the phone to factory settings

B.

Rebooting the phone and installing the latest security updates

C.

Documenting the respective chain of custody

D.

Uninstalling any potentially unwanted programs

E.

Performing a memory dump of the mobile device for analysis

F.

Unlocking the device by blowing the eFuse

Question 104

A financial organization has offices located globally. Per the organization's policies and procedures, all executives who conduct business overseas must have their mobile devices checked for malicious software or evidence of tampering upon their return. The information security department oversees the process, and no executive has had a device compromised. The Chief Information Security Officer wants to implement an additional safeguard to protect the organization's data. Which of the following controls would work BEST to protect the privacy of the data if a device is stolen?

Options:

A.

Implement a mobile device wiping solution for use if a device is lost or stolen.

B.

Install a DLP solution to track data flow.

C.

Install an encryption solution on all mobile devices.

D.

Train employees to report a lost or stolen laptop to the security department immediately

Question 105

Industry partners from critical infrastructure organizations were victims of attacks on their SCADA devices. The attacks used privilege escalation to gain access to SCADA administration. Which of the following access management solutions would help to mitigate this risk?

Options:

A.

Multifactor authentication

B.

Manual access reviews

C.

Endpoint detection and response

D.

Role-based access control

Question 106

A security analyst discovers suspicious activity going to a high-value corporate asset. After reviewing the traffic, the security analyst identifies that malware was successfully installed on a machine. Which of the following should be completed first?

Options:

A.

Create an IDS signature of the malware file.

B.

Create an IPS signature of the malware file.

C.

Remove the malware from the host.

D.

Contact the systems administrator.

Question 107

An organization supports a large number of remote users. Which of the following is the best option to protect the data on the remote users' laptops?

Options:

A.

Require the use of VPNs.

B.

Require employees to sign an NDA.

C.

Implement a DLP solution.

D.

Use whole disk encryption.

Question 108

During an incident investigation, a security analyst discovers the web server is generating an unusually high volume of logs. The analyst observes the following response codes:

• 20% of the logs are 403

• 20% of the logs are 404

• 50% of the logs are 200

• 10% of the logs are other codes

The server generates 2MB of logs on a daily basis, and the current day log is over 200MB. Which of the following commands should the analyst use to identify the source of the activity?

Options:

A.

cat access_log | grep " 403 "

B.

cat access_log | grep " 200 "

C.

cat access_log | grep " 100 "

D.

cat access_log | grep " 404 "

E.

cat access_log | grep " 204 "

Question 109

An analyst is reviewing a web developer's workstation for potential compromise. While examining the workstation's hosts file, the analyst observes the following:

Question # 109

Which of the following hosts file entries should the analyst use for further investigation?

Options:

A.

::1

B.

127.0.0.1

C.

192.168.3.249

D.

198.51.100.5

Question 110

An internally developed file-monitoring system identified the following excerpt as causing a program to crash often:

Question # 110

Which of the following should a security analyst recommend to fix the issue?

Options:

A.

Open the access.log file in read/write mode.

B.

Replace the strcpy function.

C.

Perform input sanitization

D.

Increase the size of the file data buffer

Question 111

A security analyst performs a weekly vulnerability scan on a network that has 240 devices and receives a report with 2,450 pages. Which of the following would most likely decrease the number of false positives?

Options:

A.

Manual validation

B.

Penetration testing

C.

A known-environment assessment

D.

Credentialed scanning
