CS0-001 CompTIA CySA+ Certification Exam Question and Answers

CompTIA CySA+ Certification Exam

Question # 1

An organization wants to remediate vulnerabilities associated with its web servers. An initial vulnerability scan has been performed, and analysts are reviewing the results. Before starting any remediation, the analysts want to remove false positives to avoid spending time on issues that are not actual vulnerabilities. Which of the following would be an indicator of a likely false positive?

Options:

A. Reports indicate that findings are informational.
B. Any items labeled ‘low’ are considered informational only.
C. The scan result version is different from the automated asset inventory.
D. ‘HTTPS’ entries indicate the web page is encrypted securely.

Question # 2

A company provides wireless connectivity to the internal network from all physical locations for company-owned devices. Users were able to connect the day before, but now all users have reported that when they connect to an access point in the conference room, they cannot access company resources. Which of the following BEST describes the cause of the problem?

Options:

A. The access point is blocking access by MAC address. Disable MAC address filtering.
B. The network is not available. Escalate the issue to network support.
C. Expired DNS entries on users’ devices. Request the affected users perform a DNS flush.
D. The access point is a rogue device. Follow incident response procedures.

Question # 3

An analyst has informed the Chief Executive Officer (CEO) of a company that a security breach has just occurred. The risk manager was unaware and caught off-guard when the CEO asked for further information. Which of the following should be implemented to ensure the risk manager is knowledgeable of any future breaches?

Options:

A. Incident management
B. Lessons learned report
C. Chain of custody management
D. Change control process

Question # 4

A system’s authority to operate (ATO) is set to expire in four days. Because of other activities and limited staffing, the organization has neglected to start reauthentication activities until now. The cybersecurity group just performed a vulnerability scan with the partial set of results shown below:

[Image in the original: partial vulnerability scan results; not reproduced]

Based on the scenario and the output from the vulnerability scan, which of the following should the security team do with this finding?

Options:

A. Remediate by going to the web config file, searching for the enforce HTTP validation setting, and manually updating to the correct setting.
B. Accept this risk for now because this is a “high” severity, but testing will require more than the four days available, and the system ATO needs to be completed.
C. Ignore it. This is a false positive, and the organization needs to focus its efforts on other findings.
D. Ensure HTTP validation is enabled by rebooting the server.

Question # 5

A security administrator uses FTK to take an image of a hard drive that is under investigation. Which of the following processes are used to ensure the image is the same as the original disk? (Choose two.)

Options:

A. Validate the folder and file directory listings on both.
B. Check the hash value between the image and the original.
C. Boot up the image and the original systems to compare.
D. Connect a write blocker to the imaging device.
E. Copy the data to a disk of the same size and manufacturer.

Question # 6

A company allows employees to work remotely. The security administration is configuring services that will allow remote help desk personnel to work securely outside the company’s headquarters. Which of the following presents the BEST solution to meet this goal?

Options:

A. Configure a VPN concentrator to terminate in the DMZ to allow help desk personnel access to resources.
B. Open port 3389 on the firewall to the server to allow users to connect remotely.
C. Set up a jump box for all help desk personnel to remotely access system resources.
D. Use the company’s existing web server for remote access and configure over port 8080.

Question # 7

During an investigation, an incident responder intends to recover multiple pieces of digital media. Before removing the media, the responder should initiate:

Options:

A. malware scans.
B. secure communications.
C. chain of custody forms.
D. decryption tools.

Question # 8

An organization has two environments: development and production. Development is where applications are developed with unit testing. The development environment has many configuration differences from the production environment. All applications are hosted on virtual machines. Vulnerability scans are performed against all systems before and after any application or configuration changes to any environment. Lately, vulnerability remediation activity has caused production applications to crash and behave unpredictably. Which of the following changes should be made to the current vulnerability management process?

Options:

A. Create a third environment between development and production that mirrors production and tests all changes before deployment to the users
B. Refine testing in the development environment to include fuzzing and user acceptance testing so applications are more stable before they migrate to production
C. Create a second production environment by cloning the virtual machines, and if any stability problems occur, migrate users to the alternate production environment
D. Refine testing in the production environment to include more exhaustive application stability testing while continuing to maintain the robust vulnerability remediation activities

Question # 9

Company A’s security policy states that only PKI authentication should be used for all SSH accounts. A security analyst from Company A is reviewing the following auth.log and configuration settings:

[Image in the original: auth.log excerpt and sshd_config settings; not reproduced]

Which of the following changes should be made to the following sshd_config file to establish compliance with the policy?

Options:

A. Change PermitRootLogin no to #PermitRootLogin yes
B. Change ChallengeResponseAuthentication yes to ChallengeResponseAuthentication no
C. Change PubkeyAuthentication yes to #PubkeyAuthentication yes
D. Change #AuthorizedKeysFile sh/.ssh/authorized_keys to AuthorizedKeysFile sh/.ssh/authorized_keys
E. Change PasswordAuthentication yes to PasswordAuthentication no

Question # 10

Organizational policies require vulnerability remediation on severity 7 or greater within one week. Anything with a severity less than 7 must be remediated within 30 days. The organization also requires security teams to investigate the details of a vulnerability before performing any remediation. If the investigation determines the finding is a false positive, no remediation is performed and the vulnerability scanner configuration is updated to omit the false positive from future scans.

The organization has three Apache web servers:

[Image in the original: list of the three Apache web servers; not reproduced]

The results of a recent vulnerability scan are shown below:

[Image in the original: vulnerability scan results; not reproduced]

The team performs some investigation and finds a statement from Apache:

[Image in the original: statement from Apache; not reproduced]

Which of the following actions should the security team perform?

Options:

A. Ignore the false positive on 192.168.1.22
B. Remediate 192.168.1.20 within 30 days
C. Remediate 192.168.1.22 within 30 days
D. Investigate the false negative on 192.168.1.20

Question # 11

The Chief Information Security Officer (CISO) has asked the security analyst to examine abnormally high processor utilization on a key server. The output below is from the company’s research and development (R&D) server.

[Image in the original: processor utilization output from the R&D server; not reproduced]

Which of the following actions should the security analyst take FIRST?

Options:

A. Initiate an investigation
B. Isolate the R&D server
C. Reimage the server
D. Determine availability

Question # 12

A datacenter manager just received an SMS alert that a server cage was accessed using an authorized code. The manager does not recall receiving a notification by email for any scheduled maintenance on servers in the cage. Which of the following is the FIRST step the manager should take?

Options:

A. Check the change management logs at the earliest convenience to determine if the change was authorized.
B. Remotely access the server and change the password to prevent the intruder from accessing the system.
C. Request a firewall administrator to implement an ACL to contain any potential damage.
D. Call the security guard to investigate the situation.

Question # 13

When reviewing the system logs, the cybersecurity analyst noticed a suspicious log entry:

wmic /node: HRDepartment1 computersystem get username

Which of the following combinations describes what occurred, and what action should be taken in this situation?

Options:

A. A rogue user has queried for users logged in remotely. Disable local access to network shares.
B. A rogue user has queried for the administrator logged into the system. Attempt to determine who executed the command.
C. A rogue user has queried for the administrator logged into the system. Disable local access to use cmd prompt.
D. A rogue user has queried for users logged in remotely. Attempt to determine who executed the command.

Question # 14

A security analyst has performed various scans and found vulnerabilities in several applications that affect production data. Remediation of all exploits may cause certain applications to no longer work. Which of the following activities would need to be conducted BEFORE remediation?

Options:

A. Fuzzing
B. Input validation
C. Change control
D. Sandboxing

Question # 15

A malicious hacker wants to gather guest credentials on a hotel 802.11 network. Which of the following tools is the malicious hacker going to use to gain access to information found on the hotel network?

Options:

A. Nikto
B. Aircrack-ng
C. Nessus
D. tcpdump

Question # 16

Which of the following BEST describes why vulnerabilities found in ICS and SCADA can be difficult to remediate?

Options:

A. ICS/SCADA systems are not supported by the CVE publications.
B. ICS/SCADA systems rarely have full security functionality.
C. ICS/SCADA systems do not allow remote connections.
D. ICS/SCADA systems use encrypted traffic to communicate between devices.

Question # 17

A cybersecurity analyst is hired to review the security measures implemented within the domain controllers of a company. Upon review, the cybersecurity analyst notices a brute force attack can be launched against domain controllers that run on a Windows platform. The first remediation step implemented by the cybersecurity analyst is to make the account passwords more complex. Which of the following is the NEXT remediation step the cybersecurity analyst needs to implement?

Options:

A. Disable the ability to store a LAN manager hash.
B. Deploy a vulnerability scanner tool.
C. Install a different antivirus software.
D. Perform more frequent port scanning.
E. Move administrator accounts to a new security group.

Question # 18

A security analyst with an international response team is working to isolate a worldwide distribution of ransomware. The analyst is working with international governing bodies to distribute advanced intrusion detection routines for this variant of ransomware. Which of the following is the MOST important step with which the security analyst should comply?

Options:

A. Security operations privacy law
B. Export restrictions
C. Non-disclosure agreements
D. Incident response forms

Question # 19

A security engineer has been asked to reduce the attack surface on an organization’s production environment. To limit access, direct VPN access to all systems must be terminated, and users must utilize multifactor authentication to access a constrained VPN connection and then pivot to other production systems from a bastion host. The MOST appropriate way to implement the stated requirement is through the use of a:

Options:

A. sinkhole.
B. multitenant platform.
C. single-tenant platform.
D. jump box.

Question # 20

Which of the following is a best practice with regard to interacting with the media during an incident?

Options:

A. Allow any senior management level personnel with knowledge of the incident to discuss it.
B. Designate a single point of contact and at least one backup for contact with the media.
C. Stipulate that incidents are not to be discussed with the media at any time during the incident.
D. Release financial information on the impact of damages caused by the incident.

Question # 21

A company has received several reports that some of its user accounts were compromised, and its website is flagged as insecure by major search engines. The security analyst reviews the relevant application logs to determine where the problem might be located:

[Image in the original: application log excerpt; not reproduced]

Given the above log information, which of the following would be the BEST recommendation for the security analyst to give?

Options:

A. The networking team should update the WAF to block directory traversal.
B. The development team should implement input sanitization on all web forms.
C. The server administration team should scan for malware on the server.
D. The security team should update the IPS to prevent network enumeration.

Question # 22

A cyber incident response team finds a vulnerability on a company website that allowed an attacker to inject malicious code into its web application. There have been numerous unsuspecting users visiting the infected page, and the malicious code executed on the victim’s browser has led to stolen cookies, hijacked sessions, malware execution, and bypassed access control. Which of the following exploits is the attacker conducting on the company’s website?

Options:

A. Logic bomb
B. Rootkit
C. Privilege escalation
D. Cross-site scripting

Question # 23

Malicious users utilized brute force to access a system. An analyst is investigating these attacks and recommends methods to management that would help secure the system. Which of the following controls should the analyst recommend? (Choose three.)

Options:

A. Multifactor authentication
B. Network segmentation
C. Single sign-on
D. Encryption
E. Complexity policy
F. Biometrics
G. Obfuscation

Question # 24

The primary difference in concern between remediating identified vulnerabilities found in general-purpose IT network servers and that of SCADA systems is that:

Options:

A. change and configuration management processes do not address SCADA systems.
B. doing so has a greater chance of causing operational impact in SCADA systems.
C. SCADA systems cannot be rebooted to have changes take effect.
D. patch installation on SCADA systems cannot be verified.

Question # 25

There have been several exploits to critical devices within the network. However, there is currently no process to perform vulnerability analysis.

Which of the following should the security analyst implement during production hours to identify critical threats and vulnerabilities?

Options:

A. Asset inventory of all critical devices
B. Vulnerability scanning frequency that does not interrupt workflow
C. Daily automated reports of exploited devices
D. Scanning of all types of data regardless of sensitivity levels

Question # 26

A company has been a victim of multiple volumetric DoS attacks. Packet analysis of the offending traffic shows the following:

[Image in the original: packet analysis of the offending traffic; not reproduced]

Which of the following mitigation techniques is MOST effective against the above attack?

Options:

A. The company should contact the upstream ISP and ask that RFC1918 traffic be dropped.
B. The company should implement a network-based sinkhole to drop all traffic coming from 192.168.1.1 at their gateway router.
C. The company should implement the following ACL at their gateway firewall: DENY IP HOST 192.168.1.1 170.43.30.0/24.
D. The company should enable the DoS resource starvation protection feature of the gateway NIPS.

Question # 27

A security analyst performs various types of vulnerability scans.

Review the vulnerability scan results to determine the type of scan that was executed and if a false positive occurred for each device.

Instructions:

Select the Results Generated drop-down option to determine if the results were generated from a credentialed scan, non-credentialed scan, or a compliance scan.

For ONLY the credentialed and non-credentialed scans, evaluate the results for false positives and check the findings that display false positives. NOTE: If you would like to uncheck an option that is currently selected, click on the option a second time.

Lastly, based on the vulnerability scan results, identify the type of Server by dragging the Server to the results.

The Linux Web Server, File-Print Server and Directory Server are draggable.

If at any time you would like to bring back the initial state of the simulation, please select the Reset button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.

[Image in the original: interactive simulation with the vulnerability scan results; not reproduced]

Question # 28

After a recent security breach, it was discovered that a developer had promoted code that had been written to the production environment as a hotfix to resolve a user navigation issue that was causing issues for several customers. The code had inadvertently granted administrative privileges to all users, allowing inappropriate access to sensitive data and reports. Which of the following could have prevented this code from being released into the production environment?

Options:

A. Cross training
B. Succession planning
C. Automated reporting
D. Separation of duties

Question # 29

An analyst is troubleshooting a PC that is experiencing high processor and memory consumption. Investigation reveals the following processes are running on the system:

  • lsass.exe
  • csrss.exe
  • wordpad.exe
  • notepad.exe

Which of the following tools should the analyst utilize to determine the rogue process?

Options:

A. Ping 127.0.0.1.
B. Use grep to search.
C. Use Netstat.
D. Use Nessus.

Question # 30

Following a recent security breach, a post-mortem was done to analyze the driving factors behind the breach. The cybersecurity analysis discussed potential impacts, mitigations, and remediations based on current events and emerging threat vectors tailored to specific stakeholders. Which of the following is this considered to be?

Options:

A. Threat intelligence
B. Threat information
C. Threat data
D. Advanced persistent threats

Question # 31

Which of the following has the GREATEST impact to the data retention policies of an organization?

Options:

A. The CIA classification matrix assigned to each piece of data
B. The level of sensitivity of the data established by the data owner
C. The regulatory requirements concerning the data set
D. The technical constraints of the technology used to store the data

Question # 32

Weeks before a proposed merger is scheduled for completion, a security analyst has noticed unusual traffic patterns on a file server that contains financial information. Routine scans are not detecting the signature of any known exploits or malware. The following entry is seen in the ftp server logs:

tftp -I 10.1.1.1 GET fourthquarterreport.xls

Which of the following is the BEST course of action?

Options:

A. Continue to monitor the situation using tools to scan for known exploits.
B. Implement an ACL on the perimeter firewall to prevent data exfiltration.
C. Follow the incident response procedure associated with the loss of business-critical data.
D. Determine if any credit card information is contained on the server containing the financials.

Question # 33

A threat intelligence analyst who works for a financial services firm received this report:

“There has been an effective waterhole campaign residing at www.bankfinancecompsoftware.com. This domain is delivering ransomware. This ransomware variant has been called “LockMaster” by researchers due to its ability to overwrite the MBR, but this term is not a malware signature. Please execute a defensive operation regarding this attack vector.”

The analyst ran a query and has assessed that this traffic has been seen on the network. Which of the following actions should the analyst do NEXT? (Select TWO).

Options:

A. Advise the firewall engineer to implement a block on the domain
B. Visit the domain and begin a threat assessment
C. Produce a threat intelligence message to be disseminated to the company
D. Advise the security architects to enable full-disk encryption to protect the MBR
E. Advise the security analysts to add an alert in the SIEM on the string “LockMaster”
F. Format the MBR as a precaution

Question # 34

A new policy requires the security team to perform web application and OS vulnerability scans. All of the company’s web applications use federated authentication and are accessible via a central portal. Which of the following should be implemented to ensure a more thorough scan of the company’s web application, while at the same time reducing false positives?

Options:

A. The vulnerability scanner should be configured to perform authenticated scans.
B. The vulnerability scanner should be installed on the web server.
C. The vulnerability scanner should implement OS and network service detection.
D. The vulnerability scanner should scan for known and unknown vulnerabilities.

Question # 35

Given the following output from a Linux machine:

file2cable -i eth0 -f file.pcap

Which of the following BEST describes what a security analyst is trying to accomplish?

Options:

A. The analyst is attempting to measure bandwidth utilization on interface eth0.
B. The analyst is attempting to capture traffic on interface eth0.
C. The analyst is attempting to replay captured data from a PCAP file.
D. The analyst is attempting to capture traffic for a PCAP file.
E. The analyst is attempting to use a protocol analyzer to monitor network traffic.

Question # 36

A company has several internal-only, web-based applications on the internal network. Remote employees are allowed to connect to the internal corporate network with a company-supplied VPN client. During a project to upgrade the internal application, contractors were hired to work on a database server and were given copies of the VPN client so they could work remotely. A week later, a security analyst discovered an internal web-server had been compromised by malware that originated from one of the contractor’s laptops. Which of the following changes should be made to BEST counter the threat presented in this scenario?

Options:

A. Create a restricted network segment for contractors, and set up a jump box for the contractors to use to access internal resources.
B. Deploy a web application firewall in the DMZ to stop Internet-based attacks on the web server.
C. Deploy an application layer firewall with network access control lists at the perimeter, and then create alerts for suspicious Layer 7 traffic.
D. Require the contractors to bring their laptops on site when accessing the internal network instead of using the VPN from a remote location.
E. Implement NAC to check for updated anti-malware signatures and location-based rules for PCs connecting to the internal network.

Question # 37

During a web application vulnerability scan, it was discovered that the application would display inappropriate data after certain key phrases were entered into a webform connected to a SQL database server. Which of the following should be used to reduce the likelihood of this type of attack returning sensitive data?

Options:

A. Static code analysis
B. Peer review code
C. Input validation
D. Application fuzzing

Question # 38

A security analyst is concerned that employees may attempt to exfiltrate data prior to tendering their resignations. Unfortunately, the company cannot afford to purchase a data loss prevention (DLP) system. Which of the following recommendations should the security analyst make to provide defense-in-depth against data loss? (Select THREE).

Options:

A. Prevent users from accessing personal email and file-sharing sites via web proxy
B. Prevent flash drives from connecting to USB ports using Group Policy
C. Prevent users from copying data from workstation to workstation
D. Prevent users from using roaming profiles when changing workstations
E. Prevent Internet access on laptops unless connected to the network in the office or via VPN
F. Prevent users from being able to use the copy and paste functions

Question # 39

An investigation showed a worm was introduced from an engineer’s laptop. It was determined the company does not provide engineers with company-owned laptops, which would be subject to company policy and technical controls.

Which of the following would be the MOST secure control to implement?

Options:

A. Deploy HIDS on all engineer-provided laptops, and put a new router in the management network.
B. Implement role-based group policies on the management network for client access.
C. Utilize a jump box that is only allowed to connect to clients from the management network.
D. Deploy a company-wide approved engineering workstation for management access.

Question # 40

Various devices are connecting and authenticating to a single evil twin within the network. Which of the following are MOST likely being targeted?

Options:

A. Mobile devices
B. All endpoints
C. VPNs
D. Network infrastructure
E. Wired SCADA devices

Question # 41

Nmap scan results on a set of IP addresses returned one or more lines beginning with “cpe:/o:” followed by a company name, product name, and version. Which of the following would this string help an administrator to identify?

Options:

A. Operating system
B. Running services
C. Installed software
D. Installed hardware

Question # 42

A business-critical application is unable to support the requirements in the current password policy because it does not allow the use of special characters. Management does not want to accept the risk of a possible security incident due to weak password standards. Which of the following is an appropriate means to limit the risks related to the application?

Options:

A. A compensating control
B. Altering the password policy
C. Creating new account management procedures
D. Encrypting authentication traffic

Question # 43

A cybersecurity analyst is reviewing the following outputs:

[Image in the original: command outputs under review; not reproduced]

Which of the following can the analyst infer from the above output?

Options:

A. The remote host is redirecting port 80 to port 8080.
B. The remote host is running a service on port 8080.
C. The remote host’s firewall is dropping packets for port 80.
D. The remote host is running a web server on port 80.

Question # 44

Following a data compromise, a cybersecurity analyst noticed the following executed query:

SELECT * from Users WHERE name = rick OR 1=1

Which of the following attacks occurred, and which of the following technical security controls would BEST reduce the risk of future impact from this attack? (Select TWO).

Options:

A. Cookie encryption
B. XSS attack
C. Parameter validation
D. Character blacklist
E. Malicious code execution
F. SQL injection

Question # 45

A security analyst is attempting to configure a vulnerability scan for a new segment on the network. Given the requirement to prevent credentials from traversing the network while still conducting a credentialed scan, which of the following is the BEST choice?

Options:

A. Install agents on the endpoints to perform the scan
B. Provide each endpoint with vulnerability scanner credentials
C. Encrypt all of the traffic between the scanner and the endpoint
D. Deploy scanners with administrator privileges on each endpoint

Question # 46

Given the following access log:

[Image in the original: access log; not reproduced]

Which of the following accurately describes what this log displays?

Options:

A. A vulnerability in jQuery
B. Application integration with an externally hosted database
C. A vulnerability scan performed from the Internet
D. A vulnerability in Javascript

Question # 47

An analyst was tasked with providing recommendations of technologies that are PKI X.509 compliant for a variety of secure functions. Which of the following technologies meet the compatibility requirement? (Select three.)

Options:

A. 3DES
B. AES
C. IDEA
D. PKCS
E. PGP
F. SSL/TLS
G. TEMPEST

Question # 48

As part of an upcoming engagement for a client, an analyst is configuring a penetration testing application to ensure the scan complies with information defined in the SOW. Which of the following types of information should be considered based on information traditionally found in the SOW? (Select two.)

Options:

A. Timing of the scan
B. Contents of the executive summary report
C. Excluded hosts
D. Maintenance windows
E. IPS configuration
F. Incident response policies

Question # 49

A company discovers an unauthorized device accessing network resources through one of many network drops in a common area used by visitors.

The company decides that it wants to quickly prevent unauthorized devices from accessing the network but policy prevents the company from making changes on every connecting client.

Which of the following should the company implement?

Options:

A. Port security
B. WPA2
C. Mandatory Access Control
D. Network Intrusion Prevention

Question # 50

A threat intelligence analyst who works for a technology firm received this report from a vendor.

“There has been an intellectual property theft campaign executed against organizations in the technology industry. Indicators for this activity are unique to each intrusion. The information that appears to be targeted is R&D data. The data exfiltration appears to occur over months via uniform TTPs. Please execute a defensive operation regarding this attack vector.”

Which of the following combinations suggests how the threat should MOST likely be classified and the type of analysis that would be MOST helpful in protecting against this activity?

Options:

A.  

Polymorphic malware and secure code analysis

B.  

Insider threat and indicator analysis

C.  

APT and behavioral analysis

D.  

Ransomware and encryption

Question # 51

Which of the following BEST describes the offensive participants in a tabletop exercise?

Options:

A.  

Red team

B.  

Blue team

C.  

System administrators

D.  

Security analysts

E.  

Operations team

Question # 52

A technician receives a report that a user’s workstation is experiencing no network connectivity. The technician investigates and notices the patch cable running from the back of the user’s VoIP phone is routed directly under the rolling chair and has been smashed flat over time.

Which of the following is the most likely cause of this issue?

Options:

A.  

Cross-talk

B.  

Electromagnetic interference

C.  

Excessive collisions

D.  

Split pairs

Question # 53

A security analyst is adding input to the incident response communication plan. A company officer has suggested that if a data breach occurs, only affected parties should be notified to keep an incident from becoming a media headline. Which of the following should the analyst recommend to the company officer?

Options:

A.  

The first responder should contact law enforcement upon confirmation of a security incident in order for a forensics team to preserve chain of custody.

B.  

Guidance from laws and regulations should be considered when deciding who must be notified in order to avoid fines and judgements from non-compliance.

C.  

An externally hosted website should be prepared in advance to ensure that when an incident occurs victims have timely access to notifications from a non-compromised resource.

D.  

The HR department should have information security personnel who are involved in the investigation of the incident sign non-disclosure agreements so the company cannot be held liable for customer data that might be viewed during an investigation.

Question # 54

A security analyst is reviewing the following log after enabling key-based authentication.

[Exhibit: log output not included in this extract]

Given the above information, which of the following steps should be performed NEXT to secure the system?

Options:

A.  

Disable anonymous SSH logins.

B.  

Disable password authentication for SSH.

C.  

Disable SSHv1.

D.  

Disable remote root SSH logins.

Question # 55

An analyst is observing unusual network traffic from a workstation. The workstation is communicating with a known malicious site over an encrypted tunnel. A full antivirus scan with an updated antivirus signature file does not show any sign of infection. Which of the following has occurred on the workstation?

Options:

A.  

Zero-day attack

B.  

Known malware attack

C.  

Session hijack

D.  

Cookie stealing

Question # 56

Creating a lessons learned report following an incident will help an analyst to communicate which of the following information? (Select TWO)

Options:

A.  

Root cause analysis of the incident and the impact it had on the organization

B.  

Outline of the detailed reverse engineering steps for management to review

C.  

Performance data from the impacted servers and endpoints to report to management

D.  

Enhancements to the policies and practices that will improve business responses

E.  

List of IP addresses, applications, and assets

Question # 57

A security analyst received a compromised workstation. The workstation’s hard drive may contain evidence of criminal activities. Which of the following is the FIRST thing the analyst must do to ensure the integrity of the hard drive while performing the analysis?

Options:

A.  

Make a copy of the hard drive.

B.  

Use write blockers.

C.  

Run rm –R command to create a hash.

D.  

Install it on a different machine and explore the content.

Question # 58

A cybersecurity analyst has several SIEM event logs to review for possible APT activity. The analyst was given several items that include lists of indicators for both IP addresses and domains. Which of the following actions is the BEST approach for the analyst to perform?

Options:

A.  

Use the IP addresses to search through the event logs.

B.  

Analyze the trends of the events while manually reviewing to see if any of the indicators match.

C.  

Create an advanced query that includes all of the indicators, and review any of the matches.

D.  

Scan for vulnerabilities with exploits known to have been used by an APT.

Question # 59

External users are reporting that a web application is slow and frequently times out when attempting to submit information. Which of the following software development best practices would have helped prevent this issue?

Options:

A.  

Stress testing

B.  

Regression testing

C.  

Input validation

D.  

Fuzzing

Question # 60

A system administrator has reviewed the following output:

[Exhibit: command output not included in this extract]

Which of the following can a system administrator infer from the above output?

Options:

A.  

The company email server is running a non-standard port.

B.  

The company email server has been compromised.

C.  

The company is running a vulnerable SSH server.

D.  

The company web server has been compromised.

Question # 61

A cybersecurity analyst has received the laptop of a user who recently left the company. The analyst types ‘history’ into the prompt, and sees this line of code in the latest bash history:

[Exhibit: bash history line not included in this extract]

This concerns the analyst because this subnet should not be known to users within the company. Which of the following describes what this code has done on the network?

Options:

A.  

Performed a ping sweep of the Class C network.

B.  

Performed a half-open SYN scan on the network.

C.  

Sent 255 ping packets to each host on the network.

D.  

Sequentially sent an ICMP echo reply to the Class C network.

Question # 62

When network administrators observe an increased amount of web traffic without an increased number of financial transactions, the company is MOST likely experiencing which of the following attacks?

Options:

A.  

Bluejacking

B.  

ARP cache poisoning

C.  

Phishing

D.  

DoS

Question # 63

A security analyst is performing a review of Active Directory and discovers two new user accounts in the accounting department. Neither of the users has elevated permissions, but accounts in the group are given access to the company’s sensitive financial management application by default. Which of the following is the BEST course of action?

Options:

A.  

Follow the incident response plan for the introduction of new accounts

B.  

Disable the user accounts

C.  

Remove the accounts’ access privileges to the sensitive application

D.  

Monitor the outbound traffic from the application for signs of data exfiltration

E.  

Confirm the accounts are valid and ensure role-based permissions are appropriate

Question # 64

You suspect that multiple unrelated security events have occurred on several nodes on a corporate network. You must review all logs and correlate events when necessary to discover each security event by clicking on each node. Only select corrective actions if the logs show a security event that needs remediation. Drag and drop the appropriate corrective actions to mitigate the specific security event occurring on each affected device.

Instructions:

The Web Server, Database Server, IDS, Development PC, Accounting PC and Marketing PC are clickable. Some actions may not be required, and each action can only be used once per node. The corrective action order is not important. If at any time you would like to bring back the initial state of the simulation, please select the Reset button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.

[Exhibit: simulation screens not included in this extract]

Options:

Question # 65

A vulnerability scan has returned the following information:

[Exhibit: vulnerability scan output not included in this extract]

Which of the following describes the meaning of these results?

Options:

A.  

There is an unknown bug in a Lotus server with no Bugtraq ID.

B.  

Connecting to the host using a null session allows enumeration of share names.

C.  

Trend Micro has a known exploit that must be resolved or patched.

D.  

No CVE is present, so it is a false positive caused by Lotus running on a Windows server.

Question # 66

Which of the following actions should occur to address any open issues while closing an incident involving various departments within the network?

Options:

A.  

Incident response plan

B.  

Lessons learned report

C.  

Reverse engineering process

D.  

Chain of custody documentation

Question # 67

A cybersecurity analyst traced the source of an attack to compromised user credentials. Log analysis revealed that the attacker successfully authenticated from an unauthorized foreign country. Management asked the security analyst to research and implement a solution to help mitigate attacks based on compromised passwords. Which of the following should the analyst implement?

Options:

A.  

Self-service password reset

B.  

Single sign-on

C.  

Context-based authentication

D.  

Password complexity

Question # 68

A threat intelligence feed has posted an alert stating there is a critical vulnerability in the kernel. Unfortunately, the company’s asset inventory is not current. Which of the following techniques would a cybersecurity analyst perform to find all affected servers within an organization?

Options:

A.  

A manual log review from data sent to syslog

B.  

An OS fingerprinting scan across all hosts

C.  

A packet capture of data traversing the server network

D.  

A service discovery scan on the network
