Winter Special Discount 60% Offer - Ends in 0d 00h 00m 00s - Coupon code: brite60

ExamsBrite Dumps

CompTIA CySA+ Certification Exam (CS0-002) Question and Answers

CompTIA CySA+ Certification Exam (CS0-002)

Last Update Dec 13, 2024
Total Questions : 372

We are offering FREE CS0-002 CompTIA exam questions. All you do is to just go and sign up. Give your details, prepare CS0-002 free exam questions and then go for complete pool of CompTIA CySA+ Certification Exam (CS0-002) test questions that will help you more.

CS0-002 pdf

CS0-002 PDF

$42  $104.99
CS0-002 Engine

CS0-002 Testing Engine

$50  $124.99
CS0-002 PDF + Engine

CS0-002 PDF + Testing Engine

$66  $164.99
Questions 1

A security analyst is looking at the headers of a few emails that appear to be targeting all users at an organization:

Which of the following technologies would MOST likely be used to prevent this phishing attempt?

Options:

A.  

DNSSEC

B.  

DMARC

C.  

STP

D.  

S/IMAP

Discussion 0
Questions 2

A security analyst is reviewing a firewall usage report that contains traffic generated over the last 30 minutes in order to locate unusual traffic patterns:

Which of the following source IP addresses does the analyst need to investigate further?

Options:

A.  

10.18.76.179

B.  

10.50.180.49

C.  

192.168.48.147

D.  

192.168.100.5

Discussion 0
Questions 3

Which of the following organizational initiatives would be MOST impacted by data severighty issues?

Options:

A.  

Moving to a cloud-based environment

B.  

Migrating to locally hosted virtual servers

C.  

Implementing non-repudiation controls

D.  

Encrypting local database queries

Discussion 0
Questions 4

An organization is adopting loT devices at an increasing rate and will need to account for firmware updates in its vulnerability management programs. Despite the number of devices being deployed, the organization has only focused on software patches so far. leaving hardware-related weaknesses open to compromise. Which of the following best practices will help the organization to track and deploy trusted firmware updates as part of its vulnerability management programs?

Options:

A.  

Utilize threat intelligence to guide risk evaluation activities and implement critical updates after proper testing.

B.  

Apply all firmware updates as soon as they are released to mitigate the risk of compromise.

C.  

Determine an annual patch cadence to ensure all patching occurs at the same time.

D.  

Implement an automated solution that detects when vendors release firmware updates and immediately deploy updates to production.

Discussion 0
Questions 5

A company is required to monitor for unauthorized changes to baselines on all assets to comply with industry regulations. Two of the remote units did not recover after scans were performed on the assets. An analyst needs to recommend a solution to prevent recurrence. Which of the following is the best way to satisfy the regulatory requirement without impacting the availability to similar assets and creating an unsustainable process?

Options:

A.  

Manually review the baselines daily and document the results in a change history log

B.  

Document exceptions with compensating controls to demonstrate the risk mitigation efforts.

C.  

Implement a new scanning technology to satisfy the monitoring requirement and train the team.

D.  

Purchase new remote units from other vendors with a proven ability to support scanning requirements.

Discussion 0
Questions 6

An analyst is reviewing email headers to determine if an email has been sent from a legitimate sender. The organization uses SPF to validate email origination. Which of the following most likely indicates an invalid originator?

Options:

A.  

Received-SPF: neutral

B.  

Received-SPF: none

C.  

Received-SPF softfail

D.  

Received-SPF: error

Discussion 0
Questions 7

While reviewing abnormal user activity, a security analyst notices a user has the following fileshare activities:

Which of the following should the analyst do first?

Options:

A.  

Initiate the security incident response process for unauthorized access.

B.  

Shut down the servers while the access is investigated.

C.  

Remove the user's access for all fileshares.

D.  

Lock the user account until the access can be explained.

Discussion 0
Questions 8

A security analyst is reviewing a new Internet portal that will be used for corporate employees to obtain their pay statements. Corporate policy classifies pay statement information as confidential, and it must be protected by MFA. Which of the following would best fulfill the MFA requirement while keeping the portal accessible from the internet?

Options:

A.  

Obtaining home public IP addresses of corporate employees to implement source IP restrictions and requiring a username and password

B.  

Requiring the internet portal to be accessible from only the corporate SSO internet endpoint and requiring a smart card and PIN

C.  

Moving the internet portal server to a DMZ that is only accessible from the corporate VPN and requiring a username and password

D.  

Distributing a shared password that must be provided before the internet portal loads and requiring a username and password

Discussion 0
Questions 9

Which of the following BEST explains the function of a managerial control?

Options:

A.  

To help design and implement the security planning, program development, and maintenance of the security life cycle

B.  

To guide the development of training, education, security awareness programs, and system maintenance

C.  

To create data classification, risk assessments, security control reviews, and contingency planning

D.  

To ensure tactical design, selection of technology to protect data, logical access reviews, and the implementation of audit trails

Discussion 0
Questions 10

Company A is m the process of merging with Company B As part of the merger, connectivity between the ERP systems must be established so portent financial information can be shared between the two entitles. Which of the following will establish a more automated approach to secure data transfers between the two entities?

Options:

A.  

Set up an FTP server that both companies can access and export the required financial data to a folder.

B.  

Set up a VPN between Company A and Company

B.  

granting access only lo the ERPs within the connection

C.  

Set up a PKI between Company A and Company B and Intermediate shared certificates between the two entities

D.  

Create static NATs on each entity's firewalls that map lo the ERP systems and use native ERP authentication to allow access.

Discussion 0
Questions 11

A security analyst is evaluating the following support ticket:

Issue: Marketing campaigns are being filtered by the customer's email servers.

Description: Our marketing partner cannot send emails using our email address. The following log messages were collected from multiple customers:

• The SPF result is PermError.

• The SPF result is SoftFail or Fail.

• The 550 SPF check failed.

Which of the following should the analyst do next?

Options:

A.  

Ask the marketing partner's ISP to disable the DKIM setting.

B.  

Request approval to disable DMARC on the company's ISP.

C.  

Ask the customers to disable SPF validation.

D.  

Request a configuration change on the company's public DNS.

Discussion 0
Questions 12

The following output is from a tcpdump al the edge of the corporate network:

Which of the following best describes the potential security concern?

Options:

A.  

Payload lengths may be used to overflow buffers enabling code execution.

B.  

Encapsulated traffic may evade security monitoring and defenses

C.  

This traffic exhibits a reconnaissance technique to create network footprints.

D.  

The content of the traffic payload may permit VLAN hopping.

Discussion 0
Questions 13

A new variant of malware is spreading on the company network using TCP 443 to contact its command-and-control server The domain name used for callback continues to change, and the analyst is unable to predict future domain name variance Which of the following actions should the analyst take to stop malicious communications with the LEAST disruption to service?

Options:

A.  

Implement a sinkhole with a high entropy level

B.  

Disable TCP/53 at the parameter firewall

C.  

Block TCP/443 at the edge router

D.  

Configure the DNS forwarders to use recursion

Discussion 0
Questions 14

A manager asks a security analyst lo provide the web-browsing history of an employee. Which of the following should the analyst do first?

Options:

A.  

Obtain permission to perform the search.

B.  

Obtain the web-browsing history from the proxy.

C.  

Obtain the employee's network ID to form the query.

D.  

Download the browsing history, encrypt it. and hash it

Discussion 0
Questions 15

An application must pass a vulnerability assessment to move to the next gate. Consequently, any security issues that are found must be remediated prior to the next gate. Which of the following best describes the method for end-to-end vulnerability assessment?

Options:

A.  

Security regression testing

B.  

Static analysis

C.  

Dynamic analysis

D.  

Stress testing

Discussion 0
Questions 16

A development team recently released a new version of a public-facing website for testing prior to production. The development team is soliciting the help of various teams to validate the functionality of the website due to its high visibility. Which of the following activities best describes the process the development team is initiating?

Options:

A.  

Static analysis

B.  

Stress testing

C.  

Code review

D.  

User acceptance testing

Discussion 0
Questions 17

An IT security analyst has received an email alert regarding vulnerability within the new fleet of vehicles the company recently purchased. Which of the following attack vectors is the vulnerability MOST likely targeting?

Options:

A.  

SCADA

B.  

CAN bus

C.  

Modbus

D.  

loT

Discussion 0
Questions 18

Which of the following BEST identifies the appropriate use of threat intelligence as a function of detection and response?

Options:

A.  

To identify weaknesses in an organization's security posture

B.  

To identify likely attack scenarios within an organization

C.  

To build a business security plan for an organization

D.  

To build a network segmentation strategy

Discussion 0
Questions 19

While observing several host machines, a security analyst notices a program is overwriting data to a buffer. Which of the following controls will best mitigate this issue?

Options:

A.  

Data execution prevention

B.  

Output encoding

C.  

Prepared statements

D.  

Parameterized queries

Discussion 0
Questions 20

Which of the following attack techniques has the GREATEST likelihood of quick success against Modbus assets?

Options:

A.  

Remote code execution

B.  

Buffer overflow

C.  

Unauthenticated commands

D.  

Certificate spoofing

Discussion 0
Questions 21

A security analyst discovers suspicious host activity while performing monitoring activities. The analyst pulls a packet capture for the activity and sees the following:

Which of the following describes what has occurred?

Options:

A.  

The host attempted to download an application from utoftor.com.

B.  

The host downloaded an application from utoftor.com.

C.  

The host attempted to make a secure connection to utoftor.com.

D.  

The host rejected the connection from utoftor.com.

Discussion 0
Questions 22

A company’s Chief Information Security Officer (CISO) published an Internet usage policy that prohibits employees from accessing unauthorized websites. The IT department whitelisted websites used for business needs. The CISO wants the security analyst to recommend a solution that would improve security and support employee morale. Which of the following security recommendations would allow employees to browse non-business-related websites?

Options:

A.  

Implement a virtual machine alternative.

B.  

Develop a new secured browser.

C.  

Configure a personal business VLAN.

D.  

Install kiosks throughout the building.

Discussion 0
Questions 23

An organization wants to consolidate a number of security technologies throughout the organization and standardize a workflow for identifying security issues prioritizing the severity and automating a response Which of the following would best meet the organization's needs'?

Options:

A.  

MaaS

B.  

SIEM

C.  

SOAR

D.  

CI/CD

Discussion 0
Questions 24

An organization is experiencing security incidents in which a systems administrator is creating unauthorized user accounts A security analyst has created a script to snapshot the system configuration each day. Following iss one of the scripts:

This script has been running successfully every day. Which of the following commands would provide the analyst with additional useful information relevant to the above script?

A)

B)

C)

D)

Options:

A.  

Option A

B.  

Option B

C.  

Option C

D.  

Option D

Discussion 0
Questions 25

An organization has the following risk mitigation policy:

Risks with a probability of 95% or greater will be addressed before all others regardless of the impact.

All other prioritization will be based on risk value.

The organization has identified the following risks:

Which of the following is the order of priority for risk mitigation from highest to lowest?

Options:

A.  

A, B, D, C

B.  

A, B, C, D

C.  

D, A, B, C

D.  

D, A, C, B

Discussion 0
Questions 26

A security analyst needs to provide a copy of a hard drive for forensic analysis. Which of the following would allow the analyst to perform the task?

A)

B)

C)

D)

Options:

A.  

Option A

B.  

Option B

C.  

Option C

D.  

Option D

Discussion 0
Questions 27

A security analyst is reviewing the following DNS logs as part of security-monitoring activities:

FROM 192.168.1.20 A www.google.com 67.43.45.22

FROM 192.168.1.20 AAAA www.google.com 2006:67:AD:1FAB::102

FROM 192.168.1.43 A www.mail.com 193.56.221.99

FROM 192.168.1.2 A www.company.com 241.23.22.11

FROM 192.168.1.211 A www.uewiryfajfchfaerwfj.co 32.56.32.122

FROM 192.168.1.106 A www.whatsmyip.com 102.45.33.53

FROM 192.168.1.93 ARAA www.nbc.com 2002:10:976::1

FROM 192.168.1.78 A www.comptia.org 122.10.31.87

Which of the following most likely occurred?

Options:

A.  

The attack used an algorithm to generate command and control information dynamically.

B.  

The attack attempted to contact www.google.com to verify internet connectivity.

C.  

The attack used encryption to obfuscate the payload and bypass detection by an IDS.

D.  

The attack caused an internal host to connect to a command and control server.

Discussion 0
Questions 28

Which of the following are the most likely reasons to include reporting processes when updating an incident response plan after a breach? (Select two).

Options:

A.  

To use the SLA to determine when to deliver the report

B.  

To meet regulatory requirements for timely reporting

C.  

To limit reputation damage caused by the breach

D.  

To remediate vulnerabilities that led to the breach

E.  

To isolate potential insider threats

F.  

To provide secure network design changes

Discussion 0
Questions 29

An analyst is performing a BIA and needs to consider measures and metrics. Which of the following would help the analyst achieve this objective? (Select two).

Options:

A.  

Time to reimage the server

B.  

Minimum data backup volume

C.  

Disaster recovery plan for non-critical services

D.  

Maximum downtime before impact is unacceptable

E.  

Time required to inform stakeholders about outage

F.  

Total time accepted for business process outage

Discussion 0
Questions 30

An organization discovers motherboards within the environment that appear to have been physically altered during the manufacturing process. Which of the following is the BEST course of action to mitigate the risk of this reoccurring?

Options:

A.  

Perform an assessment of the firmware to determine any malicious modifications.

B.  

Conduct a trade study to determine if the additional risk constitutes further action.

C.  

Coordinate a supply chain assessment to ensure hardware authenticity.

D.  

Work with IT to replace the devices with the known-altered motherboards.

Discussion 0
Questions 31

A company's Chief Information Officer wants to use a CASB solution to ensure policies are being met during cloud access. Due to the nature of the company's business and risk appetite, the management team elected to not store financial information in the cloud. A security analyst needs to recommend a solution to mitigate the threat of financial data leakage into the cloud. Which of the following should the analyst recommend?

Options:

A.  

Utilize the CASB to enforce DLP data-at-rest protection for financial information that is stored on premises.

B.  

Do not utilize the CASB solution for this purpose, but add DLP on premises for data in motion.

C.  

Utilize the CASB to enforce DLP data-in-motion protection for financial information moving to the cloud.

D.  

Do not utilize the CASB solution for this purpose, but add DLP on premises for data at rest.

Discussion 0
Questions 32

A financial organization has offices located globally. Per the organization’s policies and procedures, all executives who conduct Business overseas must have their mobile devices checked for malicious software or evidence of tempering upon their return. The information security department oversees the process, and no executive has had a device compromised. The Chief information Security Officer wants to Implement an additional safeguard to protect the organization's data. Which of the following controls would work BEST to protect the privacy of the data if a device is stolen?

Options:

A.  

Implement a mobile device wiping solution for use if a device is lost or stolen.

B.  

Install a DLP solution to track data now

C.  

Install an encryption solution on all mobile devices.

D.  

Train employees to report a lost or stolen laptop to the security department immediately

Discussion 0
Questions 33

An analyst is reviewing registry keys for signs of possible compromise. The analyst observes the following entries:

Which of the following entries should the analyst investigate first?

Options:

A.  

IAStorIcon

B.  

Quickset

C.  

SecurityHeaIth

D.  

calc

E.  

Word

Discussion 0
Questions 34

Which of the following describes the mam difference between supervised and unsupervised machine-learning algorithms that are used in cybersecurity applications?

Options:

A.  

Supervised algorithms can be used to block attacks, while unsupervised algorithms cannot.

B.  

Supervised algorithms require security analyst feedback, while unsupervised algorithms do not.

C.  

Unsupervised algorithms are not suitable for IDS systems, white supervised algorithms are

D.  

Unsupervised algorithms produce more false positives. Than supervised algorithms.

Discussion 0
Questions 35

After running the cat file01.bin | hexdump -c command, a security analyst reviews the following output snippet:

00000000 ff d8 ft e0 00 10 4a 46 49 46 00 01 01 00 00 01 |......JFIF......|

Which of the following digital-forensics techniques is the analyst using?

Options:

A.  

Reviewing the file hash

B.  

Debugging the binary file

C.  

Implementing file carving

D.  

Verifying the file type

E.  

Utilizing reverse engineering

Discussion 0
Questions 36

Legacy medical equipment, which contains sensitive data, cannot be patched. Which of the following is the best solution to improve the equipment's security posture?

Options:

A.  

Move the legacy systems behind a WAR

B.  

Implement an air gap for the legacy systems.

C.  

Place the legacy systems in the perimeter network.

D.  

Implement a VPN between the legacy systems and the local network.

Discussion 0
Questions 37

A security analyst observes a large amount of scanning activity coming from an IP address outside the organization's environment. Which of the following should the analyst do to block this activity?

Options:

A.  

Create an IPS rule to block the subnet.

B.  

Sinkhole the IP address.

C.  

Create a firewall rule to block the IP address.

D.  

Close all unnecessary open ports.

Discussion 0
Questions 38

The IT department is concerned about the possibility of a guest device infecting machines on the corporate network or taking down the company's singe internet connection. Which of the following should a security analyst recommend to BEST meet the requirements outlined by the IT Department?

Options:

A.  

Require the guest machines to install the corporate-owned EDR solution.

B.  

Configure NAC to only allow machines on the network that are patched and have active antivirus.

C.  

Place a firewall In between the corporate network and the guest network

D.  

Configure the IPS with rules that will detect common malware signatures traveling from the guest network.

Discussion 0
Questions 39

Which of the following is an advantage of continuous monitoring as a way to help protect an enterprise?

Options:

A.  

Continuous monitoring leverages open-source tools, thereby reducing cost to the organization.

B.  

Continuous monitoring responds to active Intrusions without requiring human assistance.

C.  

Continuous monitoring blocks malicious activity by connecting to real-lime threat feeds.

D.  

Continuous monitoring uses automation to identify threats and alerts in real time

Discussion 0
Questions 40

A consultant evaluating multiple threat intelligence leads to assess potential risks for a client. Which of the following is the BEST approach for the consultant to consider when modeling the client's attack surface?

Options:

A.  

Ask for external scans from industry peers, look at the open ports, and compare Information with the client.

B.  

Discuss potential tools the client can purchase lo reduce the livelihood of an attack.

C.  

Look at attacks against similar industry peers and assess the probability of the same attacks happening.

D.  

Meet with the senior management team to determine if funding is available for recommended solutions.

Discussion 0
Questions 41

A security analyst performs a weekly vulnerability scan on a network that has 240 devices and receives a report with 2.450 pages. Which of the following would most likely decrease the number of false positives?

Options:

A.  

Manual validation

B.  

Penetration testing

C.  

A known-environment assessment

D.  

Credentialed scanning

Discussion 0
Questions 42

A forensics investigator is analyzing a compromised workstation. The investigator has cloned the hard drive and needs to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive that was collected as evidence. Which of the following should the investigator do?

Options:

A.  

Insert the hard drive on a test computer and boot the computer.

B.  

Record the serial numbers of both hard drives.

C.  

Compare the file-directory "sting of both hard drives.

D.  

Run a hash against the source and the destination.

Discussion 0
Questions 43

Which of the following describes the difference between intentional and unintentional insider threats'?

Options:

A.  

Their access levels will be different

B.  

The risk factor will be the same

C.  

Their behavior will be different

D.  

The rate of occurrence will be the same

Discussion 0
Questions 44

A security analyst is running a tool against an executable of an unknown source. The Input supplied by the tool to the executable program and the output from the executable are shown below:

Which of the following should the analyst report after viewing this Information?

Options:

A.  

A dynamic library that is needed by the executable a missing

B.  

Input can be crafted to trigger an Infection attack in the executable

C.  

The toot caused a buffer overflow in the executable's memory

D.  

The executable attempted to execute a malicious command

Discussion 0
Questions 45

Industry partners from critical infrastructure organizations were victims of attacks on their SCADA devices. The attacker was able to gain access to the SCADA by logging in to an account with weak credentials. Which of the following identity and access management solutions would help to mitigate this risk?

Options:

A.  

Multifactor authentication

B.  

Manual access reviews

C.  

Endpoint detection and response

D.  

Role-based access control

Discussion 0
Questions 46

While investigating reports or issues with a web server, a security analyst attempts to log in remotely and recedes the following message:

The analyst accesses the server console, and the following console messages are displayed:

The analyst is also unable to log in on the console. While reviewing network captures for the server, the analyst sees many packets with the following signature:

Which of the following is the BEST step for the analyst to lake next in this situation?

Options:

A.  

Load the network captures into a protocol analyzer to further investigate the communication with 128.30.100.23, as this may be a botnet command server

B.  

After ensuring network captures from the server are saved isolate the server from the network take a memory snapshot, reboot and log in to do further analysis.

C.  

Corporate data is being exfilltrated from the server Reboot the server and log in to see if it contains any sensitive data.

D.  

Cryptomining malware is running on the server and utilizing an CPU and memory. Reboot the server and disable any cron Jobs or startup scripts that start the mining software.

Discussion 0
Questions 47

A security analyst sees the following OWASP ZAP output from a scan that was performed against a modern version of Windows while testing for client-side vulnerabilities:

Which of the following is the MOST likely solution to the listed vulnerability?

Options:

A.  

Enable the browser's XSS filter.

B.  

Enable Windows XSS protection

C.  

Enable the browser's protected pages mode

D.  

Enable server-side XSS protection

Discussion 0
Questions 48

A security analyst discovers the company's website is vulnerable to cross-site scripting. Which of the following solutions will best remedy the vulnerability?

Options:

A.  

Prepared statements

B.  

Server-side input validation

C.  

Client-side input encoding

D.  

Disabled JavaScript filtering

Discussion 0
Questions 49

A threat intelligence group issued a warning to its members regarding an observed increase in attacks performed by a specific threat actor and the related loCs. Which is of the following is (he best method to operationalize these loCs to detect future attacks?

Options:

A.  

Analyzing samples of associated malware

B.  

Publishing an internal executive threat report

C.  

Executing an adversary emulation exercise

D.  

Integrating the company's SIEM platform

Discussion 0
Questions 50

During an investigation, an analyst discovers the following rule in an executive's email client:

The executive is not aware of this rule. Which of the following should the analyst do first to evaluate the potential impact of this security incident?

Options:

A.  

Check the server logs to evaluate which emails were sent to .

B.  

Use the SIEM to correlate logging events from the email server and the domain server.

C.  

Remove the rule from the email client and change the password.

D.  

Recommend that the management team implement SPF and DKIM.

Discussion 0
Questions 51

When of the following techniques can be implemented to safeguard the confidentiality of sensitive information while allowing limited access to authorized individuals?

Options:

A.  

Deidentification

B.  

Hashing

C.  

Masking

D.  

Salting

Discussion 0
Questions 52

A security operations manager wants some recommendations for improving security monitoring. The security team currently uses past events to create an IOC list for monitoring.

Which of the following is the best suggestion for improving monitoring capabilities?

Options:

A.  

Update the IPS and IDS with the latest rule sets from the provider.

B.  

Create an automated script to update the IPS and IDS rule sets.

C.  

Use an automated subscription to select threat feeds for IDS.

D.  

Implement an automated malware solution on the IPS.

Discussion 0
Questions 53

A security analyst is attempting to resolve an incident in which highly confidential company pricing information was sent to clients. It appears this information was unintentionally sent by an employee who attached it to public marketing material. Which of the following configuration changes would work BEST to limit the risk of this incident being repeated?

Options:

A.  

Add client addresses to the blocklist.

B.  

Update the DLP rules and metadata.

C.  

Sanitize the marketing material.

D.  

Update the insider threat procedures.

Discussion 0
Questions 54

A security analyst wants to capture large amounts of network data that will be analyzed at a later time. The packet capture does not need to be in a format that is readable by humans, since it will be put into a binary file called "packetCapture." The capture must be as efficient as possible, and the analyst wants to minimize the likelihood that packets will be missed. Which of the following commands will best accomplish the analyst's objectives?

Options:

A.  

tcpdump -w packetCapture

B.  

tcpdump -a packetCapture

C.  

tcpdump -n packetCapture

D.  

nmap -v > packetCapture

E.  

nmap -oA > packetCapture

Discussion 0
Questions 55

A company notices unknown devices connecting to the internal network and would like to implement a solution to block all non-corporate managed machines. Which of the following solutions would be best to accomplish this goal?

Options:

A.  

WPA2 for W1F1 networks

B.  

NAC with 802.1X implementation

C.  

Extensible Authentication Protocol

D.  

RADIUS with challenge/response

Discussion 0
Questions 56

A security analyst is concerned the number of security incidents being reported has suddenly gone down. Daily business interactions have not changed, and no following should the analyst review FIRST?

Options:

A.  

The DNS configuration

B.  

Privileged accounts

C.  

The IDS rule set

D.  

The firewall ACL

Discussion 0
Questions 57

A small organization has proprietary software that is used internally. The system has not been wen maintained and cannot be updated with the rest or the environment. Which of the following is the BEST solution?

Options:

A.  

virtualize the system and decommission the physical machine.

B.  

Remove it from the network and require air gapping.

C.  

Implement privileged access management for identity access.

D.  

Implement MFA on the specific system.

Discussion 0
Questions 58

A company wants to configure the environment to allow passive network monitonng. To avoid disrupting the sensitive network, which of the following must be supported by the scanner's NIC to assist with the company's request?

Options:

A.  

Port bridging

B.  

Tunnel all mode

C.  

Full-duplex mode

D.  

Port mirroring

E.  

Promiscuous mode

Discussion 0
Questions 59

A security analyst is logged on to a jump server to audit the system configuration and status. The organization's policies for access to and configuration of the jump server include the following:

• No network access is allowed to the internet.

• SSH is only for management of the server.

• Users must utilize their own accounts, with no direct login as an administrator.

• Unnecessary services must be disabled.

The analyst runs netstar with elevated permissions and receives the following output:

Which of the following policies does the server violate?

Options:

A.  

Unnecessary services must be disabled.

B.  

SSH is only for management of the server.

C.  

No network access is allowed to the internet.

D.  

Users must utilize their own accounts, with no direct login as an administrator.

Discussion 0
Questions 60

Which of the following types of controls defines placing an ACL on a file folder?

Options:

A.  

Technical control

B.  

Confidentiality control

C.  

Managerial control

D.  

Operational control

Discussion 0
Questions 61

After a series of Group Policy Object updates, multiple services stopped functioning. The systems administrator believes the issue resulted from a Group Policy Object update but cannot validate which update caused the Issue. Which of the following security solutions would resolve this issue?

Options:

A.  

Privilege management

B.  

Group Policy Object management

C.  

Change management

D.  

Asset management

Discussion 0
Questions 62

Which of the following best explains why it is important for companies to implement both privacy and security policies?

Options:

A.  

Private data is insecure by design, so different programs ensure both policies are addressed.

B.  

Security policies will automatically ensure the data complies with privacy regulations.

C.  

Privacy policies will satisfy all regulations to secure consumer and sensitive company data.

D.  

Both policies have some overlap, but the differences can have regulatory consequences.

Discussion 0
Questions 63

A help desk technician inadvertently sent the credentials of the company's CRM n clear text to an employee's personal email account. The technician then reset the employee's account using the appropriate process and the employee's corporate email, and notified the security team of the incident According to the incident response procedure, which of the following should the security team do NEXT?

Options:

A.  

Contact the CRM vendor.

B.  

Prepare an incident summary report.

C.  

Perform postmortem data correlation.

D.  

Update the incident response plan.

Discussion 0
Questions 64

A security analyst identified some potentially malicious processes after capturing the contents of memory from a machine during incident response. Which of the following procedures is the NEXT step for further in investigation?

Options:

A.  

Data carving

B.  

Timeline construction

C.  

File cloning

D.  

Reverse engineering

Discussion 0
Questions 65

During a routine review of service restarts a security analyst observes the following in a server log:

Which of the following is the GREATEST security concern?

Options:

A.  

The daemon's binary was AChanged

B.  

Four consecutive days of monitoring are skipped in the tog

C.  

The process identifiers for the running service change

D.  

The PIDs are continuously changing

Discussion 0
Questions 66

During a risk assessment, a senior manager inquires about what the cost would be if a unique occurrence would impact the availability of a critical service. The service generates $1 ,000 in revenue for the organization. The impact of the attack would affect 20% of the server's capacity to perform jobs. The organization expects that five out of twenty attacks would succeed during the year. Which of the following is the calculated single loss expectancy?

Options:

A.  

$200

B.  

$800

C.  

$5,000

D.  

$20,000

Discussion 0
Questions 67

An information security analyst discovered a virtual machine server was compromised by an attacker. Which of the following should be the first steps to confirm and respond to the incident? (Select two).

Options:

A.  

Pause the virtual machine.

B.  

Shut down the virtual machine.

C.  

Take a snapshot of the virtual machine.

D.  

Remove the NIC from the virtual machine.

E.  

Review host hypervisor log of the virtual machine.

F.  

Execute a migration of the virtual machine.

Discussion 0
Questions 68

An analyst is reviewing the following output as part of an incident:

Which of the Wowing is MOST likely happening?

Options:

A.  

The hosts are part of a reflective denial -of -service attack.

B.  

Information is leaking from the memory of host 10.20 30.40

C.  

Sensitive data is being exfilltrated by host 192.168.1.10.

D.  

Host 291.168.1.10 is performing firewall port knocking.

Discussion 0
Questions 69

A company wants to run a leaner team and needs to deploy a threat management system with minimal human Interaction. Which of the following is the server component of the threat management system that can accomplish this goal?

Options:

A.  

STIX

B.  

OpenlOC

C.  

CVSS

D.  

TAXll

Discussion 0
Questions 70

Given the output below:

#nmap 7.70 scan initiated Tues, Feb 8 12:34:56 2022 as: nmap -v -Pn -p 80,8000,443 --script http-* -oA server.out 192.168.220.42 Which of the following is being performed?

Options:

A.  

Cross-site scripting

B.  

Local file inclusion attack

C.  

Log4] check

D.  

Web server enumeration

Discussion 0
Questions 71

Which of the following should a database administrator for an analytics firm implement to best protect PII from an insider threat?

Options:

A.  

Data deidentification

B.  

Data encryption

C.  

Data auditing

D.  

Data minimization

Discussion 0
Questions 72

A security analyst is concerned about sensitive data living on company file servers following a zero-day attack that nearly resulted in a breach of millions of customer records. The after action report indicates a lack of controls around the file servers that contain sensitive data. Which of the following DLP considerations would best help the analyst to classify and address the sensitive data on the file servers?

Options:

A.  

Implement a CASB device and connect the SaaS applications.

B.  

Deploy network DLP appliances pointed to all file servers.

C.  

Use data-at-rest scans to locate and identify sensitive data.

D.  

Install endpoint DLP agents on all computing resources.

Discussion 0
Questions 73

When investigating a report of a system compromise, a security analyst views the following /var/log/secure log file:

Which of the following can the analyst conclude from viewing the log file?

Options:

A.  

The comptia user knows the sudo password.

B.  

The comptia user executed the sudo su command.

C.  

The comptia user knows the root password.

D.  

The comptia user added himself or herself to the /etc/sudoers file.

Discussion 0
Questions 74

A company is setting up a small, remote office to support five to ten employees. The company's home office is in a different city, where the company uses a cloud service provider for its business applications and a local server to host its data. To provide shared access from the remote office to the local server and the business applications, which of the following would be the easiest and most secure solution?

Options:

A.  

Use a VPC to host the company's data and keep the current solution for the business applications.

B.  

Use a new server for the remote office to host the data and keep the current solution for the business applications.

C.  

Use a VDI for the home office and keep the current solution for the business applications.

D.  

Use a VPN to access the company's data in the home office and keep the current solution for the business applications.

Discussion 0
Questions 75

A security analyst is correlating, ranking, and enriching raw data into a report that will be interpreted by humans or machines to draw conclusions and create actionable recommendations Which of the following steps in the intelligence cycle is the security analyst performing?

Options:

A.  

Analysis and production

B.  

Processing and exploitation

C.  

Dissemination and evaluation

D.  

Data collection

E.  

Planning and direction

Discussion 0
Questions 76

A Chief Information Security Officer (CISO) is concerned about new privacy regulations that apply to the company. The CISO has tasked a security analyst with finding the proper control functions to verify that a user's data is not altered without the user's consent. Which of the following would be an appropriate course of action?

Options:

A.  

Automate the use of a hashing algorithm after verified users make changes to their data.

B.  

Use encryption first and then hash the data at regular, defined times.

C.  

Use a DLP product to monitor the data sets for unauthorized edits and changes.

D.  

Replicate the data sets at regular intervals and continuously compare the copies for unauthorized changes.

Discussion 0
Questions 77

During routine monitoring a security analyst identified the following enterpnse network traffic:

Packet capture output:

Which of the following BEST describes what the security analyst observed?

Options:

A.  

66.187.224.210 set up a DNS hijack with 192.168.12.21.

B.  

192.168.12.21 made a TCP connection to 66 187 224 210

C.  

192.168.12.21 made a TCP connection to 209 132 177 50

D.  

209.132.177.50 set up a TCP reset attack to 192 168 12 21

Discussion 0
Questions 78

A security analyst is reviewing WAF alerts and sees the following request:

Which of the following BEST describes the attack?

Options:

A.  

SQL injection

B.  

LDAP injection

C.  

Command injection

D.  

Denial of service

Discussion 0
Questions 79

An organization has a strict policy that if elevated permissions are needed, users should always run commands under their own account, with temporary administrator privileges if necessary. A security analyst is reviewing syslog entries and sees the following:

Which of the following entries should cause the analyst the MOST concern?

Options:

A.  

<100>2 2020-01-10T19:33:41.002z webserver su 201 32001 = BOM ' su vi httpd.conf' failed for joe

B.  

<100>2 2020-01-10T20:36:36.0010z financeserver su 201 32001 = BOM ' sudo vi users.txt success

C.  

<100> 2020-01-10T19:33:48.002z webserver sudo 201 32001 = BOM ' su vi syslog.conf failed for jos

D.  

<100> 2020-01-10T19:34..002z financeserver su 201 32001 = BOM ' su vi success

E.  

<100> 2020-01-10T19:33:48.002z webserver sudo 201 32001 = BOM ' su vi httpd.conf' success

Discussion 0
Questions 80

A security analyst was transferred to an organization's threat-hunting team to track specific activity throughout the enterprise environment The analyst must observe and assess the number ot times this activity occurs and aggregate the results. Which of the following is the BEST threat-hunting method for the analyst to use?

Options:

A.  

Stack counting

B.  

Searching

C.  

Clustering

D.  

Grouping

Discussion 0
Questions 81

The security team decides to meet informally to discuss and test the response plan for potential security breaches and emergency situations. Which of the following types of training will the security team perform?

Options:

A.  

Tabletop exercise

B.  

Red-team attack

C.  

System assessment implementation

D.  

Blue-team training

E.  

White-team engagement

Discussion 0
Questions 82

A company's security team recently discovered a number of workstations that are at the end of life. The workstation vendor informs the team that the product is no longer supported and patches are no longer available The company is not prepared to cease its use of these workstations Which of the following would be the BEST method to protect these workstations from threats?

Options:

A.  

Deploy whitelisting to the identified workstations to limit the attack surface

B.  

Determine the system process centrality and document it

C.  

Isolate the workstations and air gap them when it is feasible

D.  

Increase security monitoring on the workstations

Discussion 0
Questions 83

An organization has a policy that requires servers to be dedicated to one function and unneeded services to be disabled. Given the following output from an Nmap scan of a web server:

Which of the following ports should be closed?

Options:

A.  

22

B.  

80

C.  

443

D.  

1433

Discussion 0
Questions 84

An organization announces that all employees will need to work remotely for an extended period of time. All employees will be provided with a laptop and supported hardware to facilitate this requirement. The organization asks the information security division to reduce the risk during this time. Which of the following is a technical control that will reduce the risk of data loss if a laptop is lost or stolen?

Options:

A.  

Requiring the use of the corporate VPN

B.  

Requiring the screen to be locked after five minutes of inactivity

C.  

Requiring the laptop to be locked in a cabinet when not in use

D.  

Requiring full disk encryption

Discussion 0
Questions 85

Which of the following is MOST dangerous to the client environment during a vulnerability assessment penetration test?

Options:

A.  

There is a longer period of time to assess the environment.

B.  

The testing is outside the contractual scope

C.  

There is a shorter period of time to assess the environment

D.  

No status reports are included with the assessment.

Discussion 0
Questions 86

An analyst needs to provide recommendations based on a recent vulnerability scan:

Which of the following should the analyst recommend addressing to ensure potential vulnerabilities are identified?

Options:

A.  

SMB use domain SID to enumerate users

B.  

SYN scanner

C.  

SSL certificate cannot be trusted

D.  

Scan not performed with admin privileges

Discussion 0
Questions 87

The management team has asked a senior security engineer to explore DLP security solutions for the company's growing use of cloud-based storage. Which of the following is an appropriate solution to control the sensitive data that is being stored in the cloud?

Options:

A.  

NAC

B.  

IPS

C.  

CASB

D.  

WAF

Discussion 0
Questions 88

An organization has the following policies:

*Services must run on standard ports.

*Unneeded services must be disabled.

The organization has the following servers:

*192.168.10.1 - web server

*192.168.10.2 - database server

A security analyst runs a scan on the servers and sees the following output:

Which of the following actions should the analyst take?

Options:

A.  

Disable HTTPS on 192.168.10.1.

B.  

Disable IIS on 192.168.10.1.

C.  

Disable DNS on 192.168.10.2.

D.  

Disable MSSQL on 192.168.10.2.

E.  

Disable SSH on both servers.

Discussion 0
Questions 89

An analyst determines a security incident has occurred Which of the following is the most appropnate NEXT step in an incident response plan?

Options:

A.  

Consult the malware analysis process

B.  

Consult the disaster recovery plan

C.  

Consult the data classification process

D.  

Consult the communications plan

Discussion 0
Questions 90

An information security analyst is compiling data from a recent penetration test and reviews the following output:

The analyst wants to obtain more information about the web-based services that are running on the target. Which of the following commands would most likely provide the needed information?

Options:

A.  

ping -t 10.79.95.173,rdns.datacenter.com

B.  

telnet 10.79.95.17.17 443

C.  

ftpd 10.79.95.173.rdns.datacenters.com 443

D.  

tracert 10.79,,95,173

Discussion 0
Questions 91

A Chief Information Secunty Officer has asked for a list of hosts that have critical and high-seventy findings as referenced in the CVE database. Which of the following tools would produce the assessment output needed to satisfy this request?

Options:

A.  

Nessus

B.  

Nikto

C.  

Fuzzer

D.  

Wireshark

E.  

Prowler

Discussion 0
Questions 92

An organization has the following risk mitigation policies

• Risks without compensating controls will be mitigated first it the nsk value is greater than $50,000

• Other nsk mitigation will be pnontized based on risk value.

The following risks have been identified:

Which of the following is the ordei of priority for risk mitigation from highest to lowest?

Options:

A.  

A, C, D, B

B.  

B, C, D, A

C.  

C, B, A, D

D.  

C. D, A, B

E.  

D, C, B, A

Discussion 0
Questions 93

A cybersecurity analyst routinely checks logs, querying for login attempts. While querying for unsuccessful login attempts during a five-day period, the analyst produces the following report:

Which of the following BEST describes what the analyst Just found?

Options:

A.  

Users 4 and 5 are using their credentials to transfer files to multiple servers.

B.  

Users 4 and 5 are using their credentials to run an unauthorized scheduled task targeting some servers In the cloud.

C.  

An unauthorized user is using login credentials in a script.

D.  

A bot is running a brute-force attack in an attempt to log in to the domain.

Discussion 0
Questions 94

A security officer needs to find the most cost-effective solution to the current data privacy and protection gap found in the last security assessment. Which of the following is the BEST recommendation?

Options:

A.  

Require users to sign NDAs

B.  

Create a data minimization plan.

C.  

Add access control requirements.

D.  

Implement a data loss prevention solution.

Discussion 0
Questions 95

A technician working at company.com received the following email:

After looking at the above communication, which of the following should the technician recommend to the security team to prevent exposure of sensitive information and reduce the risk of corporate data being stored on non-corporate assets?

Options:

A.  

Forwarding of corporate email should be disallowed by the company.

B.  

A VPN should be used to allow technicians to troubleshoot computer issues securely.

C.  

An email banner should be implemented to identify emails coming from external sources.

D.  

A rule should be placed on the DLP to flag employee IDs and serial numbers.

Discussion 0
Questions 96

Which of the following data exfiltration discoveries would most likely require communicating a breach to regulatory agencies?

Options:

A.  

CRM data

B.  

PHI files

C.  

SIEM logs

D.  

UEBA metrics

Discussion 0
Questions 97

An organization implemented an extensive firewall access-control blocklist to prevent internal network ranges from communicating with a list of IP addresses of known command-and-control domains A security analyst wants to reduce the load on the firewall. Which of the following can the analyst implement to achieve similar protection and reduce the load on the firewall?

Options:

A.  

A DLP system

B.  

DNS sinkholing

C.  

IP address allow list

D.  

An inline IDS

Discussion 0
Questions 98

A social media company is planning an acquisition. Prior to the purchase, the Chief Security Officer (CSO) would like a full report to gain a better understanding of the prospective company's cybersecurity posture and to identify risks in the supply chain. Which of the following will best support the CSO's objective?

Options:

A.  

Third-party assessment

B.  

Memorandum of understanding

C.  

Non-disclosure agreement

D.  

Software source authenticity

Discussion 0
Questions 99

In SIEM software, a security analysis selected some changes to hash signatures from monitored files during the night followed by SMB brute-force attacks against the file servers Based on this behavior, which of the following actions should be taken FIRST to prevent a more serious compromise?

Options:

A.  

Fully segregate the affected servers physically in a network segment, apart from the production network.

B.  

Collect the network traffic during the day to understand if the same activity is also occurring during business hours

C.  

Check the hash signatures, comparing them with malware databases to verify if the files are infected.

D.  

Collect all the files that have changed and compare them with the previous baseline

Discussion 0
Questions 100

A security analyst is reviewing malware files without running them. Which of the following analysis types is the security analyst using?

Options:

A.  

Dynamic

B.  

Sandbox

C.  

Static

D.  

Heuristic

Discussion 0
Questions 101

An email analysis system notifies a security analyst that the following message was quarantined and requires further review.

Which of the following actions should the security analyst take?

Options:

A.  

Release the email for delivery due to its importance.

B.  

Immediately contact a purchasing agent to expedite.

C.  

Delete the email and block the sender.

D.  

Purchase the gift cards and submit an expense report.

Discussion 0
Questions 102

A security analyst needs to determine the best method for securing access to a top-secret datacenter Along with an access card and PIN code, which of the following additional authentication methods would be BEST to enhance the datacenter's security?

Options:

A.  

Physical key

B.  

Retinal scan

C.  

Passphrase

D.  

Fingerprint

Discussion 0
Questions 103

Which of following allows Secure Boot to be enabled?

Options:

A.  

eFuse

B.  

UEFI

C.  

MSM

D.  

PAM

Discussion 0
Questions 104

A security analyst reviews SIEM logs and discovers the following error event:

Which of the following environments does the analyst need to examine to continue troubleshooting the event?

Options:

A.  

Proxy server

B.  

SQL server

C.  

Windows domain controller

D.  

WAF appliance

E.  

DNS server

Discussion 0
Questions 105

A threat hurting team received a new loC from an ISAC that follows a threat actor's profile and activities. Which of the following should be updated NEXT?

Options:

A.  

The whitelist

B.  

The DNS

C.  

The blocklist

D.  

The IDS signature

Discussion 0
Questions 106

A user receives a potentially malicious attachment that contains spelling errors and a PDF document. A security analyst reviews the email and decides to download the attachment to a Linux sandbox for review. Which of the following commands would most likely indicate if the email is malicious?

Options:

A.  

sha256sum ~/Desktop/fi1e.pdf

B.  

/bin/;s -1 ~/Desktop/fi1e.pdf

C.  

strings ~/Desktop/fi1e.pdf | grep -i “

D.  

cat < ~/Desktop/file.pdf | grep —i .exe

Discussion 0
Questions 107

A security analyst who works in the SOC receives a new requirement to monitor for indicators of compromise. Which of the following is the first action the analyst should take in this situation?

Options:

A.  

Develop a dashboard to track the indicators of compromise.

B.  

Develop a query to search for the indicators of compromise.

C.  

Develop a new signature to alert on the indicators of compromise.

D.  

Develop a new signature to block the indicators of compromise.

Discussion 0
Questions 108

While conoXicting a cloud assessment, a security analyst performs a Prowler scan, which generates the following within the report:

Based on the Prowler report, which of the following is the BEST recommendation?

Options:

A.  

Delete Cloud Dev access key 1

B.  

Delete BusinessUsr access key 1.

C.  

Delete access key 1.

D.  

Delete access key 2.

Discussion 0
Questions 109

A security analyst is investigating a reported phishing attempt that was received by many users throughout the company The text of one of the emails is shown below:

Office 365 User.

It looks like you account has been locked out Please click this link and follow the pfompts to restore access

Regards.

Security Team

Due to the size of the company and the high storage requirements, the company does not log DNS requests or perform packet captures of network traffic, but rt does log network flow data Which of the following commands will the analyst most likely execute NEXT?

Options:

A.  

telnet office365.com 25

B.  

tracert 122.167.40.119

C.  

curl http:// accountfix-office365.com/login. php

D.  

nslookup accountfix-office365.com

Discussion 0
Questions 110

Which of the following factors would determine the regulations placed on data under data sovereignty laws?

Options:

A.  

What the company intends to do with the data it owns

B.  

The company's data security policy

C.  

The type of data the company stores

D.  

The data laws of the country in which the company is located

Discussion 0
Questions 111

During the security assessment of a new application, a tester attempts to log in to the application but receives the following message incorrect password for given username. Which of the following can the tester recommend to decrease the likelihood that a malicious attacker will receive helpful information?

Options:

A.  

Set the web page to redirect to an application support page when a bad password is entered.

B.  

Disable error messaging for authentication

C.  

Recognize that error messaging does not provide confirmation of the correct element of authentication

D.  

Avoid using password-based authentication for the application

Discussion 0