
CompTIA CySA+ Certification Beta Exam Question and Answers

CompTIA CySA+ Certification Beta Exam

Last Update May 18, 2024
Total Questions : 303


Question 1

Which of the following describes a contract that is used to define the various levels of maintenance to be provided by an external business vendor in a secure environment?

Options:

A. MOU
B. NDA
C. BIA
D. SLA

Question 2

An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?

Options:

A. Beaconing
B. Cross-site scripting
C. Buffer overflow
D. PHP traversal

Question 3

Which of the following items should be included in a vulnerability scan report? (Choose two.)

Options:

A. Lessons learned
B. Service-level agreement
C. Playbook
D. Affected hosts
E. Risk score
F. Education plan

Question 4

The SOC received a threat intelligence notification indicating that an employee's credentials were found on the dark web. The user's web and log-in activities were reviewed for malicious or anomalous connections, data uploads/downloads, and exploits. A review of the controls confirmed multifactor authentication was enabled. Which of the following should be done first to mitigate impact to the business networks and assets?

Options:

A. Perform a forced password reset.
B. Communicate the compromised credentials to the user.
C. Perform an ad hoc AV scan on the user's laptop.
D. Review and ensure privileges assigned to the user's account reflect least privilege.
E. Lower the thresholds for SOC alerting of suspected malicious activity.

Question 5

While reviewing the web server logs, a security analyst notices the following snippet:

..\../..\../boot.ini

Which of the following is being attempted?

Options:

A. Directory traversal
B. Remote file inclusion
C. Cross-site scripting
D. Remote code execution
E. Enumeration of /etc/passwd

Question 6

Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

Options:

A. Business continuity plan
B. Vulnerability management plan
C. Disaster recovery plan
D. Asset management plan

Question 7

A security analyst is validating a particular finding that was reported in a web application vulnerability scan to make sure it is not a false positive. The security analyst uses the snippet below:

Which of the following vulnerability types is the security analyst validating?

Options:

A. Directory traversal
B. XSS
C. XXE
D. SSRF

Question 8

A security administrator needs to import PII data records from the production environment to the test environment for testing purposes. Which of the following would best protect data confidentiality?

Options:

A. Data masking
B. Hashing
C. Watermarking
D. Encoding

Question 9

Which of the following best describes the process of requiring remediation of a known threat within a given time frame?

Options:

A. SLA
B. MOU
C. Best-effort patching
D. Organizational governance

Question 10

An analyst discovers unusual outbound connections to an IP that was previously blocked at the web proxy and firewall. Upon further investigation, it appears that the proxy and firewall rules that were in place were removed by a service account that is not recognized. Which of the following parts of the Cyber Kill Chain does this describe?

Options:

A. Delivery
B. Command and control
C. Reconnaissance
D. Weaponization

Question 11

During an internal code review, software called "ACE" was discovered to have a vulnerability that allows the execution of arbitrary code. The vulnerability is in a legacy, third-party vendor resource that is used by the ACE software. ACE is used worldwide and is essential for many businesses in this industry. Developers informed the Chief Information Security Officer that removal of the vulnerability will take time. Which of the following is the first action to take?

Options:

A. Look for potential IoCs in the company.
B. Inform customers of the vulnerability.
C. Remove the affected vendor resource from the ACE software.
D. Develop a compensating control until the issue can be fixed permanently.

Question 12

After identifying a threat, a company has decided to implement a patch management program to remediate vulnerabilities. Which of the following risk management principles is the company exercising?

Options:

A. Transfer
B. Accept
C. Mitigate
D. Avoid

Question 13

An incident responder was able to recover a binary file through the network traffic. The binary file was also found in some machines with anomalous behavior. Which of the following processes most likely can be performed to understand the purpose of the binary file?

Options:

A. File debugging
B. Traffic analysis
C. Reverse engineering
D. Machine isolation

Question 14

Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?

Options:

A. SLA
B. LOI
C. MOU
D. KPI

Question 15

Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?

Options:

A. Develop a call tree to inform impacted users
B. Schedule a review with all teams to discuss what occurred
C. Create an executive summary to update company leadership
D. Review regulatory compliance with public relations for official notification

Question 16

A systems analyst is limiting user access to system configuration keys and values in a Windows environment. Which of the following describes where the analyst can find these configuration items?

Options:

A. config.ini
B. ntds.dit
C. Master boot record
D. Registry

Question 17

A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below:

Security Policy 1006: Vulnerability Management

1. The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities.

2. In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data.

3. The Company shall prioritize patching of publicly available systems and services over patching of internally available systems.

According to the security policy, which of the following vulnerabilities should be the highest priority to patch?

A)

B)

C)

D)

Options:

A. Option A
B. Option B
C. Option C
D. Option D

Question 18

An analyst is reviewing a vulnerability report for a server environment with the following entries:

Which of the following systems should be prioritized for patching first?

Options:

A. 10.101.27.98
B. 54.73.225.17
C. 54.74.110.26
D. 54.74.110.228

Question 19

An end-of-life date was announced for a widely used OS. A business-critical function is performed by some machinery that is controlled by a PC, which is utilizing the OS that is approaching the end-of-life date. Which of the following best describes a security analyst's concern?

Options:

A. Any discovered vulnerabilities will not be remediated.
B. An outage of machinery would cost the organization money.
C. Support will not be available for the critical machinery.
D. There are no compensating controls in place for the OS.

Question 20

Which of the following is the most important factor to ensure accurate incident response reporting?

Options:

A. A well-defined timeline of the events
B. A guideline for regulatory reporting
C. Logs from the impacted system
D. A well-developed executive summary

Question 21

During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?

Options:

A. Conduct regular red team exercises over the application in production
B. Ensure that all implemented coding libraries are regularly checked
C. Use application security scanning as part of the pipeline for the CI/CD flow
D. Implement proper input validation for any data entry form

Question 22

Which of the following stakeholders are most likely to receive a vulnerability scan report? (Select two.)

Options:

A. Executive management
B. Law enforcement
C. Marketing
D. Legal
E. Product owner
F. Systems administration

Question 23

Following an attack, an analyst needs to provide a summary of the event to the Chief Information Security Officer. The summary needs to include the who-what-when information and evaluate the effectiveness of the plans in place. Which of the following incident management life cycle processes does this describe?

Options:

A. Business continuity plan
B. Lessons learned
C. Forensic analysis
D. Incident response plan

Question 24

Which of the following is the first step that should be performed when establishing a disaster recovery plan?

Options:

A. Agree on the goals and objectives of the plan
B. Determine the site to be used during a disaster
C. Demonstrate adherence to a standard disaster recovery process
D. Identify applications to be run during a disaster

Question 25

A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user's workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?

Options:

A. Create a timeline of events detailing the date stamps, user account, hostname, and IP information associated with the activities
B. Ensure that the case details do not reflect any user-identifiable information. Password-protect the evidence and restrict access to personnel related to the investigation
C. Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identify the case as an HR-related investigation
D. Notify the SOC manager for awareness after confirmation that the activity was intentional

Question 26

An organization discovered a data breach that resulted in PII being released to the public. During the lessons learned review, the panel identified discrepancies regarding who was responsible for external reporting, as well as the timing requirements. Which of the following actions would best address the reporting issue?

Options:

A. Creating a playbook denoting specific SLAs and containment actions per incident type
B. Researching federal laws, regulatory compliance requirements, and organizational policies to document specific reporting SLAs
C. Defining which security incidents require external notifications and incident reporting in addition to internal stakeholders
D. Designating specific roles and responsibilities within the security team and stakeholders to streamline tasks

Question 27

A security analyst performs a vulnerability scan. Based on the metrics from the scan results, the analyst must prioritize which hosts to patch. The analyst runs the tool and receives the following output:

Which of the following hosts should be patched first, based on the metrics?

Options:

A. host01
B. host02
C. host03
D. host04

Question 28

An attacker recently gained unauthorized access to a financial institution's database, which contains confidential information. The attacker exfiltrated a large amount of data before being detected and blocked. A security analyst needs to complete a root cause analysis to determine how the attacker was able to gain access. Which of the following should the analyst perform first?

Options:

A. Document the incident and any findings related to the attack for future reference.
B. Interview employees responsible for managing the affected systems.
C. Review the log files that record all events related to client applications and user access.
D. Identify the immediate actions that need to be taken to contain the incident and minimize damage.

Question 29

A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?

Options:

A. Hacktivist
B. Advanced persistent threat
C. Insider threat
D. Script kiddie

Question 30

During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?

Options:

A. Clone the virtual server for forensic analysis
B. Log in to the affected server and begin analysis of the logs
C. Restore from the last known-good backup to confirm there was no loss of connectivity
D. Shut down the affected server immediately

Question 31

A security analyst needs to mitigate a known, exploited vulnerability related to an attack vector that embeds software through the USB interface. Which of the following should the analyst do first?

Options:

A. Conduct security awareness training on the risks of using unknown and unencrypted USBs.
B. Write a removable media policy that explains that USBs cannot be connected to a company asset.
C. Check configurations to determine whether USB ports are enabled on company assets.
D. Review logs to see whether this exploitable vulnerability has already impacted the company.

Question 32

An organization's email account was compromised by a bad actor. Given the following information:

Which of the following is the length of time the team took to detect the threat?

Options:

A. 25 minutes
B. 40 minutes
C. 45 minutes
D. 2 hours

Question 33

A security analyst reviews the latest vulnerability scans and observes there are vulnerabilities with similar CVSSv3 scores but different base score metrics. Which of the following attack vectors should the analyst remediate first?

Options:

A. CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
B. CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
C. CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
D. CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Question 34

A security team is concerned about recent Layer 4 DDoS attacks against the company website. Which of the following controls would best mitigate the attacks?

Options:

A. Block the attacks using firewall rules.
B. Deploy an IPS in the perimeter network.
C. Roll out a CDN.
D. Implement a load balancer.

Question 35

An attacker has just gained access to the syslog server on a LAN. Reviewing the syslog entries has allowed the attacker to prioritize possible next targets. Which of the following is this an example of?

Options:

A. Passive network footprinting
B. OS fingerprinting
C. Service port identification
D. Application versioning

Question 36

A cybersecurity team lead is developing metrics to present in the weekly executive briefs. Executives are interested in knowing how long it takes to stop the spread of malware that enters the network. Which of the following metrics should the team lead include in the briefs?

Options:

A. Mean time between failures
B. Mean time to detect
C. Mean time to remediate
D. Mean time to contain

Question 37

Which of the following is a commonly used four-component framework to communicate threat actor behavior?

Options:

A. STRIDE
B. Diamond Model of Intrusion Analysis
C. Cyber Kill Chain
D. MITRE ATT&CK

Question 38

A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script:

Which of the following scripting languages was used in the script?

Options:

A. PowerShell
B. Ruby
C. Python
D. Shell script

Question 39

An organization's threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?

Options:

A. Disable administrative accounts for any operations.
B. Implement MFA requirements for all internal resources.
C. Harden systems by disabling or removing unnecessary services.
D. Implement controls to block execution of untrusted applications.

Question 40

A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?

Options:

A. Leave the proxy as is.
B. Decommission the proxy.
C. Migrate the proxy to the cloud.
D. Patch the proxy.

Question 41

A penetration tester submitted data to a form in a web application, which enabled the penetration tester to retrieve user credentials. Which of the following should be recommended for remediation of this application vulnerability?

Options:

A. Implementing multifactor authentication on the server OS
B. Hashing user passwords on the web application
C. Performing input validation before allowing submission
D. Segmenting the network between the users and the web server

Question 42

A Chief Information Security Officer wants to map all the attack vectors that the company faces each day. Which of the following recommendations should the company align their security controls around?

Options:

A. OSSTMM
B. Diamond Model of Intrusion Analysis
C. OWASP
D. MITRE ATT&CK

Question 43

Which of the following would likely be used to update a dashboard that integrates…

Options:

A. Webhooks
B. Extensible Markup Language
C. Threat feed combination
D. JavaScript Object Notation

Question 44

An analyst has received an IPS event notification from the SIEM stating an IP address, which is known to be malicious, has attempted to exploit a zero-day vulnerability on several web servers. The exploit contained the following snippet:

/wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user&role=administrator

Which of the following controls would work best to mitigate the attack represented by this snippet?

Options:

A. Limit user creation to administrators only.
B. Limit layout creation to administrators only.
C. Set the directory trx_addons to read only for all users.
D. Set the directory v2 to read only for all users.

Question 45

A security analyst is responding to an incident that involves a malicious attack on a network data closet. Which of the following best explains how an analyst should properly document the incident?

Options:

A. Back up the configuration file for all network devices
B. Record and validate each connection
C. Create a full diagram of the network infrastructure
D. Take photos of the impacted items

Question 46

The security team reviews a web server for XSS and runs the following Nmap scan:

Which of the following most accurately describes the result of the scan?

Options:

A. An output of characters > and " as the parameters used in the attempt
B. The vulnerable parameter ID http://172.31.15.2/1.php?id=2 and unfiltered characters returned
C. The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe
D. The vulnerable parameter and characters > and " with a reflected XSS attempt

Question 47

An employee is no longer able to log in to an account after updating a browser. The employee usually has several tabs open in the browser. Which of the following attacks was most likely performed?

Options:

A. RFI
B. LFI
C. CSRF
D. XSS

Question 48

During a scan of a web server in the perimeter network, a vulnerability was identified that could be exploited over port 3389. The web server is protected by a WAF. Which of the following best represents the change to overall risk associated with this vulnerability?

Options:

A. The risk would not change because network firewalls are in use.
B. The risk would decrease because RDP is blocked by the firewall.
C. The risk would decrease because a web application firewall is in place.
D. The risk would increase because the host is external facing.

Question 49

Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?

Options:

A. To provide metrics and test continuity controls
B. To verify the roles of the incident response team
C. To provide recommendations for handling vulnerabilities
D. To perform tests against implemented security controls

Question 50

A network analyst notices a long spike in traffic on port 1433 between two IP addresses on opposite sides of a WAN connection. Which of the following is the most likely cause?

Options:

A. A local red team member is enumerating the local RFC1918 segment to enumerate hosts.
B. A threat actor has a foothold on the network and is sending out control beacons.
C. An administrator executed a new database replication process without notifying the SOC.
D. An insider threat actor is running Responder on the local segment, creating traffic replication.

Question 51

A security audit for unsecured network services was conducted, and the following output was generated:

Which of the following services should the security team investigate further? (Select two.)

Options:

A. 21
B. 22
C. 23
D. 636
E. 1723
F. 3389

Question 52

Which of the following is a useful tool for mapping, tracking, and mitigating identified threats and vulnerabilities with the likelihood and impact of occurrence?

Options:

A. Risk register
B. Vulnerability assessment
C. Penetration test
D. Compliance report

Question 53

Which of the following is a nation-state actor least likely to be concerned with?

Options:

A. Detection by MITRE ATT&CK framework.
B. Detection or prevention of reconnaissance activities.
C. Examination of its actions and objectives.
D. Forensic analysis for legal action of the actions taken.

Question 54

After updating the email client to the latest patch, only about 15% of the workforce is able to use email. Windows 10 users do not experience issues, but Windows 11 users have constant issues. Which of the following did the change management team fail to do?

Options:

A. Implementation
B. Testing
C. Rollback
D. Validation

Question 55

An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft. Which of the following would be the best threat intelligence source to learn about this new campaign?

Options:

A. Information sharing organization
B. Blogs/forums
C. Cybersecurity incident response team
D. Deep/dark web

Question 56

A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following would best aid in decreasing the workload without increasing staff?

Options:

A. SIEM
B. XDR
C. SOAR
D. EDR

Question 57

An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action report that includes lessons learned. Which of the following is the most likely reason to include lessons learned?

Options:

A. To satisfy regulatory requirements for incident reporting
B. To hold other departments accountable
C. To identify areas of improvement in the incident response process
D. To highlight the notable practices of the organization's incident response team

Question 58

Approximately 100 employees at your company have received a phishing email. As a security analyst, you have been tasked with handling this situation.

Review the information provided and determine the following:

1. How many employees clicked on the link in the phishing email?
2. On how many workstations was the malware installed?
3. What is the executable file name of the malware?

Question 59

A security analyst is trying to validate the results of a web application scan with Burp Suite. The security analyst performs the following:

Which of the following vulnerabilities is the security analyst trying to validate?

Options:

A. SQL injection
B. LFI
C. XSS
D. CSRF

Question 60

A company's security team is updating a section of the reporting policy that pertains to inappropriate use of resources (e.g., an employee who installs cryptominers on workstations in the office). Besides the security team, which of the following groups should the issue be escalated to first in order to comply with industry best practices?

Options:

A. Help desk
B. Law enforcement
C. Legal department
D. Board member

Question 61

A security analyst is reviewing the findings of the latest vulnerability report for a company's web application. The web application accepts files for a Bash script to be processed if the files match a given hash. The analyst is able to submit files to the system due to a hash collision. Which of the following should the analyst suggest to mitigate the vulnerability with the fewest changes to the current script and infrastructure?

Options:

A. Deploy a WAF to the front of the application.
B. Replace the current MD5 with SHA-256.
C. Deploy an antivirus application on the hosting system.
D. Replace the MD5 with digital signatures.

Question 62

A security analyst must preserve a system hard drive that was involved in a litigation request. Which of the following is the best method to ensure the data on the device is not modified?

Options:

A. Generate a hash value and make a backup image.
B. Encrypt the device to ensure confidentiality of the data.
C. Protect the device with a complex password.
D. Perform a memory scan dump to collect residual data.

Question 63

An analyst is conducting monitoring against an authorized team that will perform adversarial techniques. The analyst interacts with the team twice per day to set the stage for the techniques to be used. Which of the following teams is the analyst a member of?

Options:

A. Orange team
B. Blue team
C. Red team
D. Purple team

Question 64

A SOC analyst recommends adding a layer of defense for all endpoints that will better protect against external threats regardless of the device's operating system. Which of the following best meets this requirement?

Options:

A. SIEM
B. CASB
C. SOAR
D. EDR

Question 65

A small company does not have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the following did the CISO implement?

Options:

A. Corrective controls
B. Compensating controls
C. Operational controls
D. Administrative controls

Question 66

A security analyst detects an email server that had been compromised in the internal network. Users have been reporting strange messages in their email inboxes and unusual network traffic. Which of the following incident response steps should be performed next?

Options:

A. Preparation
B. Validation
C. Containment
D. Eradication

Question 67

A cloud team received an alert that unauthorized resources were being auto-provisioned. After investigating, the team suspects that crypto mining is occurring. Which of the following indicators would most likely lead the team to this conclusion?

Options:

A. High GPU utilization
B. Bandwidth consumption
C. Unauthorized changes
D. Unusual traffic spikes

Question 68

The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?

Options:

A. A mean time to remediate of 30 days
B. A mean time to detect of 45 days
C. A mean time to respond of 15 days
D. Third-party application testing

Question 69

A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the following best describes the activity that is taking place?

Options:

A. Data exfiltration
B. Rogue device
C. Scanning
D. Beaconing

Question 70

Two employees in the finance department installed a freeware application that contained embedded malware. The network is robustly segmented based on areas of responsibility. These computers had critical sensitive information stored locally that needs to be recovered. The department manager advised all department employees to turn off their computers until the security team could be contacted about the issue. Which of the following is the first step the incident response staff members should take when they arrive?

Options:

A. Turn on all systems, scan for infection, and back up data to a USB storage device.
B. Identify and remove the software installed on the impacted systems in the department.
C. Explain that malware cannot truly be removed and then reimage the devices.
D. Log on to the impacted systems with an administrator account that has privileges to perform backups.
E. Segment the entire department from the network and review each computer offline.

Questions 71

An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?

Options:

A. Hard disk
B. Primary boot partition
C. Malicious files
D. Routing table
E. Static IP address

Questions 72

A company has a primary control in place to restrict access to a sensitive database. However, the company discovered an authentication vulnerability that could bypass this control. Which of the following is the best compensating control?

Options:

A. Running regular penetration tests to identify and address new vulnerabilities
B. Conducting regular security awareness training of employees to prevent social engineering attacks
C. Deploying an additional layer of access controls to verify authorized individuals
D. Implementing intrusion detection software to alert security teams of unauthorized access attempts

Questions 73

Which of the following is a reason why proper handling and reporting of existing evidence are important for the investigation and reporting phases of an incident response?

Options:

A. To ensure the report is legally acceptable in case it needs to be presented in court
B. To present a lessons-learned analysis for the incident response team
C. To ensure the evidence can be used in a postmortem analysis
D. To prevent the possible loss of a data source for further root cause analysis

Questions 74

The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?

Options:

A. Reduce the administrator and privileged access accounts
B. Employ a network-based IDS
C. Conduct thorough incident response
D. Enable SSO to enterprise applications

Questions 75

An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country. Which of the following best describes what is happening? (Choose two.)

Options:

A. Beaconing
B. Domain Name System hijacking
C. Social engineering attack
D. On-path attack
E. Obfuscated links
F. Address Resolution Protocol poisoning

Questions 76

Exploit code for a recently disclosed critical software vulnerability was publicly available for download for several days before being removed. Which of the following CVSS v3.1 temporal metrics was most impacted by this exposure?

Options:

A. Remediation level
B. Exploit code maturity
C. Report confidence
D. Availability

Questions 77

An employee is no longer able to log in to an account after updating a browser. The employee usually has several tabs open in the browser. Which of the following attacks was most likely performed?

Options:

A. RFI
B. LFI
C. CSRF
D. XSS

Questions 78

Which of the following describes the best reason for conducting a root cause analysis?

Options:

A. The root cause analysis ensures that proper timelines were documented.
B. The root cause analysis allows the incident to be properly documented for reporting.
C. The root cause analysis develops recommendations to improve the process.
D. The root cause analysis identifies the contributing items that facilitated the event.

Questions 79

A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?

Options:

A. External
B. Agent-based
C. Non-credentialed
D. Credentialed

Questions 80

A Chief Information Security Officer (CISO) wants to disable a functionality on a business-critical web application that is vulnerable to RCE in order to maintain the minimum risk level with minimal increased cost.

Which of the following risk treatments best describes what the CISO is looking for?

Options:

A. Transfer
B. Mitigate
C. Accept
D. Avoid

Questions 81

A SOC analyst is analyzing traffic on a network and notices an unauthorized scan. Which of the following types of activities is being observed?

Options:

A. Potential precursor to an attack
B. Unauthorized peer-to-peer communication
C. Rogue device on the network
D. System updates

Questions 82

Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer's customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?

Options:

A. Isolate Joe's PC from the network
B. Reimage the PC based on standard operating procedures
C. Initiate a remote wipe of Joe's PC using mobile device management
D. Perform no action until HR or legal counsel advises on next steps

Questions 83

A security analyst is reviewing the following alert that was triggered by FIM on a critical system:

Which of the following best describes the suspicious activity that is occurring?

Options:

A. A fake antivirus program was installed by the user.
B. A network drive was added to allow exfiltration of data.
C. A new program has been set to execute on system start.
D. The host firewall on 192.168.1.10 was disabled.

Questions 84

A security analyst has prepared a vulnerability scan that contains all of the company's functional subnets. During the initial scan, users reported that network printers began to print pages that contained unreadable text and icons.

Which of the following should the analyst do to ensure this behavior does not occur during subsequent vulnerability scans?

Options:

A. Perform non-credentialed scans.
B. Ignore embedded web server ports.
C. Create a tailored scan for the printer subnet.
D. Increase the threshold length of the scan timeout.

Questions 85

Given the following CVSS string:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Which of the following attributes correctly describes this vulnerability?

Options:

A. A user is required to exploit this vulnerability.
B. The vulnerability is network based.
C. The vulnerability does not affect confidentiality.
D. The complexity to exploit the vulnerability is high.

Questions 86

A zero-day command injection vulnerability was published. A security administrator is analyzing the following logs for evidence of adversaries attempting to exploit the vulnerability:

Which of the following log entries provides evidence of the attempted exploit?

Options:

A. Log entry 1
B. Log entry 2
C. Log entry 3
D. Log entry 4

Questions 87

A security analyst needs to secure digital evidence related to an incident. The security analyst must ensure that the accuracy of the data cannot be repudiated. Which of the following should be implemented?

Options:

A. Offline storage
B. Evidence collection
C. Integrity validation
D. Legal hold

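Integrity validation of collected evidence, which Question 87 turns on and which Question 73 relies on for the report to hold up, is concrete enough to show. The block below is an added example, not code from the page: it hashes each artifact at acquisition time into a manifest that records who collected what and when, and a later verification pass recomputes the hashes so any change to the data, even one flipped byte in a 1 MiB image, is detected and named. The artifact contents, file names and collector name are constructed placeholders, and everything is written to a temporary directory.

```python
"""Added example (not part of the exam page): integrity validation for collected
evidence. Each artifact is hashed at acquisition into a manifest; verification
recomputes the hashes so any modification is detected. All files are constructed
placeholders in a temporary directory; nothing here touches real evidence.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so a disk image never has to fit in memory


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(paths, collector: str) -> dict:
    """Build the manifest at collection time: who, when, and the hash and size of each item."""
    return {
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": [
            {"name": p.name, "size": p.stat().st_size, "sha256": sha256_of(p)} for p in paths
        ],
    }


def verify(manifest: dict, directory: Path) -> list:
    """Recompute every hash; return the names whose contents no longer match (or are gone)."""
    mismatches = []
    for item in manifest["items"]:
        p = directory / item["name"]
        if not p.exists() or sha256_of(p) != item["sha256"]:
            mismatches.append(item["name"])
    return mismatches


def demo() -> tuple:
    """Acquire two constructed artifacts, verify, tamper with one byte, verify again."""
    with tempfile.TemporaryDirectory() as d:
        directory = Path(d)
        mem = directory / "memdump.raw"
        log = directory / "auth.log"
        mem.write_bytes(bytes(range(256)) * 4096)  # constructed 1 MiB stand-in for a memory image
        log.write_text("May 18 10:00:01 srv sshd[412]: Accepted publickey for ops\n")  # constructed line
        manifest = acquire([mem, log], collector="analyst1")
        manifest_json = json.dumps(manifest, indent=2)  # this is what gets signed and stored apart
        before = verify(json.loads(manifest_json), directory)
        # Flip a single byte in the image: size is unchanged, only the digest moves.
        data = bytearray(mem.read_bytes())
        data[12345] ^= 0x01
        mem.write_bytes(bytes(data))
        after = verify(json.loads(manifest_json), directory)
        return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest, not the evidence, is what gets signed or its digest written into the chain-of-custody record and kept separately from the artifacts, so a later challenge to the data's accuracy is answered by recomputation rather than by assertion. Size checks alone would have missed the tamper above; only the digest catches it.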
Questions 88

A threat hunter seeks to identify new persistence mechanisms installed in an organization's environment. In collecting scheduled tasks from all enterprise workstations, the following host details are aggregated:

Which of the following actions should the hunter perform first based on the details above?

Options:

A. Acquire a copy of taskhw.exe from the impacted host
B. Scan the enterprise to identify other systems with taskhw.exe present
C. Perform a public search for malware reports on taskhw.exe.
D. Change the account that runs the taskhw.exe scheduled task

Questions 89

While a security analyst for an organization was reviewing logs from web servers, the analyst found several successful attempts to downgrade HTTPS sessions to use cipher modes of operation susceptible to padding oracle attacks. Which of the following combinations of configuration changes should the organization make to remediate this issue? (Choose two.)

Options:

A. Configure the server to prefer TLS 1.3.
B. Remove cipher suites that use CBC.
C. Configure the server to prefer ephemeral modes for key exchange.
D. Require client browsers to present a user certificate for mutual authentication.
E. Configure the server to require HSTS.
F. Remove cipher suites that use GCM.

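Question 89 describes sessions being downgraded to CBC cipher suites, the modes susceptible to padding oracle attacks. The nginx fragment below is an added example, not configuration from the page or from any vendor: the first server block shows a configuration that permits the downgrade, the second the remediated one. The hostname and certificate paths are placeholders.

```nginx
# Constructed example, not the page's or any vendor's configuration.
# Hostname and certificate paths are placeholders.

# BEFORE (weak): old protocol versions stay negotiable and the HIGH alias still
# contains CBC suites such as AES256-SHA and ECDHE-RSA-AES128-SHA, so a client
# (or an on-path attacker) can steer the handshake to a padding-oracle-prone mode.
# Leaving the order to the client makes that downgrade trivial.
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/ssl/certs/example.crt;
    ssl_certificate_key /etc/ssl/private/example.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers off;
}

# AFTER (hardened): TLS 1.3 negotiated wherever the client supports it, TLS 1.2 as
# the floor, AEAD (GCM / ChaCha20-Poly1305) suites only, ECDHE so every session has
# an ephemeral key, server-chosen order, and HSTS so browsers refuse to fall back
# to plain HTTP.
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/ssl/certs/example.crt;
    ssl_certificate_key /etc/ssl/private/example.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites: ECDHE key exchange, AEAD only, no CBC anywhere in the list.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
    # TLS 1.3 suites are all AEAD and are configured through OpenSSL, not ssl_ciphers
    # (ssl_conf_command needs nginx 1.19.4 or later).
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}
```

To confirm the change from the outside, openssl s_client -connect www.example.com:443 -tls1_1 and openssl s_client -connect www.example.com:443 -tls1_2 -cipher 'AES256-SHA' should both fail to complete a handshake after the change, and nmap --script ssl-enum-ciphers -p 443 www.example.com should list only ECDHE AEAD suites under TLS 1.2 plus the three TLS 1.3 suites. HSTS protects returning browsers only after they have seen the header once over a good connection, so it complements the cipher changes rather than replacing them.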
Questions 90

A web application team notifies a SOC analyst that there are thousands of HTTP/404 events on the public-facing web server. Which of the following is the next step for the analyst to take?

Options:

A. Instruct the firewall engineer that a rule needs to be added to block this external server.
B. Escalate the event to an incident and notify the SOC manager of the activity.
C. Notify the incident response team that a DDoS attack is occurring.
D. Identify the IP/hostname for the requests and look at the related activity.

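Questions 69 and 90 both start from the same move: pull the raw events behind an alert and look at who is talking to whom, how often, and with what result. The Python below is an added example, not part of the exam page. It runs over a constructed proxy log (the addresses are documentation ranges and the blocklist entry is made up for the example): it lists connections to a blocklisted destination, scores each source-to-destination pair for the regular inter-arrival times that distinguish a beacon from browsing, and tallies HTTP 404 responses per requesting client so the noisy source in Question 90 is identified before anyone escalates.

```python
"""Added example (not part of the exam page): a SIEM-style triage pass over constructed
proxy/firewall log lines. It flags connections to a blocklisted destination, scores each
source->destination pair for beacon-like regularity (Question 69), and aggregates HTTP 404
responses by requesting client so the noisy source can be examined first (Question 90).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic). Fields: timestamp src dst dport http_status
SAMPLE_LOG = """\
2024-05-18T10:00:00Z 10.0.5.23 203.0.113.9 443 200
2024-05-18T10:00:05Z 10.0.7.41 198.51.100.20 443 200
2024-05-18T10:00:09Z 10.0.7.41 198.51.100.20 443 200
2024-05-18T10:01:01Z 10.0.5.23 203.0.113.9 443 200
2024-05-18T10:01:59Z 10.0.5.23 203.0.113.9 443 200
2024-05-18T10:02:40Z 10.0.7.41 198.51.100.20 443 200
2024-05-18T10:03:00Z 10.0.7.41 198.51.100.20 443 304
2024-05-18T10:03:02Z 10.0.5.23 203.0.113.9 443 200
2024-05-18T10:04:00Z 10.0.5.23 203.0.113.9 443 200
2024-05-18T10:04:58Z 10.0.5.23 203.0.113.9 443 200
2024-05-18T10:05:00Z 198.51.100.77 10.0.1.10 80 404
2024-05-18T10:05:00Z 198.51.100.77 10.0.1.10 80 404
2024-05-18T10:05:01Z 198.51.100.77 10.0.1.10 80 404
2024-05-18T10:05:01Z 198.51.100.77 10.0.1.10 80 404
2024-05-18T10:05:02Z 198.51.100.77 10.0.1.10 80 404
2024-05-18T10:06:10Z 198.51.100.5 10.0.1.10 80 200
2024-05-18T10:06:11Z 198.51.100.5 10.0.1.10 80 404
2024-05-18T10:11:30Z 10.0.7.41 198.51.100.20 443 200
"""

BLOCKLIST = {"203.0.113.9"}   # constructed indicator for the example, not a real IOC


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, status = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "dport": int(dport), "status": int(status),
        })
    return events


def blocklisted_connections(events: list, blocklist=BLOCKLIST) -> list:
    """Every connection whose destination is on the blocklist, the starting point in Question 69."""
    return [e for e in events if e["dst"] in blocklist]


def beacon_candidates(events: list, min_events: int = 5, max_cv: float = 0.15) -> dict:
    """Score each (src, dst) pair by how regular its inter-arrival times are.

    A coefficient of variation (stdev / mean) near zero means a near-constant period,
    which is what scheduled C2 check-ins look like and interactive browsing does not.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    scored = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        scored[pair] = {
            "count": len(stamps), "period_s": round(period, 1),
            "cv": round(cv, 3), "beacon_like": cv <= max_cv,
        }
    return scored


def not_found_by_client(events: list, threshold: int = 3) -> dict:
    """Count HTTP 404s per requesting IP and keep the sources at or above the threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["status"] == 404:
            counts[e["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(len(blocklisted_connections(evts)), "connections to blocklisted hosts")
    for pair, score in beacon_candidates(evts).items():
        print(pair, score)
    print(not_found_by_client(evts))
```

The coefficient-of-variation threshold of 0.15 is a starting point, not a standard; real implants add jitter, so widen it and raise min_events over longer windows, and treat a low CV toward a blocklisted or never-before-seen destination as a higher priority than either signal alone. For the 404 tally, the source at the top of the list is the one whose related activity (user agent, paths requested, other ports touched) gets reviewed before the event is called an incident or a block rule is written.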