Nuevo Comptia CYSA+ CS0-002 Preguntas del examen [2022] para aprobar con éxito

Posted by: Martina Comments: 0 Post Date: julio 4, 2022

Martina2022-07-04T09:26:02+00:00

La certificación del analista de seguridad cibernética de CompTia (CYSA+) es la certificación popular de CompTIA, que una certificación de la fuerza laboral de TI que aplica análisis de comportamiento a redes y dispositivos para prevenir, detectar y combatir amenazas de seguridad cibernética a través de un monitoreo continuo de seguridad. Se requiere aprobar el examen CS0-002 con éxito. Tenemos nuevas preguntas del examen CS0-002 en línea con las últimas preguntas y respuestas, que podrían ser los mejores materiales de aprendizaje para la preparación. No solo las preguntas de examen Comptia CYSA+ CS0-002, también tenemos las preguntas de demostración gratuitas de CS0-002, lo que ayudará a obtener más al respecto y puede tomar fácilmente la decisión correcta de comprar las preguntas del examen NS0-527 de ReAlexam. es o no.

Page 1 of 10

1. An analyst is participating in the solution analysis process for a cloud-hosted SIEM platform to centralize log monitoring and alerting capabilities in the SOC.

Which of the following is the BEST approach for supply chain assessment when selecting a vendor?

Gather information from providers, including datacenter specifications and copies of audit reports.

Identify SLA requirements for monitoring and logging.

Consult with senior management for recommendations.

Perform a proof of concept to identify possible solutions.

2. SIMULATION

You are a cybersecurity analyst tasked with interpreting scan data from Company A's servers. You must verify the requirements are being met for all of the servers and recommend changes if you find they are not.

The company's hardening guidelines indicate the following:

• TLS 1.2 is the only version of TLS running.

• Apache 2.4.18 or greater should be used.

• Only default ports should be used.

INSTRUCTIONS

Using the supplied data, record the status of compliance with the company's guidelines for each server.

The question contains two parts: make sure you complete Part 1 and Part 2. Make recommendations for issues based ONLY on the hardening guidelines provided.

3. A system’s authority to operate (ATO) is set to expire in four days. Because of other activities and limited staffing, the organization has neglected to start reauthentication activities until now.

The cybersecurity group just performed a vulnerability scan with the partial set of results shown below:

Based on the scenario and the output from the vulnerability scan, which of the following should the security team do with this finding?

Remediate by going to the web config file, searching for the enforce HTTP validation setting, and manually updating to the correct setting.

Accept this risk for now because this is a “high” severity, but testing will require more than the four days available, and the system ATO needs to be competed.

Ignore it. This is false positive, and the organization needs to focus its efforts on other findings.

Ensure HTTP validation is enabled by rebooting the server.

4. A monthly job to install approved vendor software updates and hot fixes recently stopped working. The security team performed a vulnerability scan, which identified several hosts as having some critical OS vulnerabilities, as referenced in the common vulnerabilities and exposures (CVE) database.

Which of the following should the security team do NEXT to resolve the critical findings in the most effective manner? (Choose two.)

Patch the required hosts with the correct updates and hot fixes, and rescan them for vulnerabilities.

Remove the servers reported to have high and medium vulnerabilities.

Tag the computers with critical findings as a business risk acceptance.

Manually patch the computers on the network, as recommended on the CVE website.

Harden the hosts on the network, as recommended by the NIST framework.

Resolve the monthly job issues and test them before applying them to the production network.

5. A security architect is reviewing the options for performing input validation on incoming web form submissions.

Which of the following should the architect as the MOST secure and manageable option?

Client-side whitelisting

Server-side whitelisting

Server-side blacklisting

Client-side blacklisting

6. Bootloader malware was recently discovered on several company workstations. All the workstations run Windows and are current models with UEFI capability.

Which of the following UEFI settings is the MOST likely cause of the infections?

Compatibility mode

Secure boot mode

Native mode

Fast boot mode

7. Which of the following BEST describes the process by which code is developed, tested, and deployed in small batches?

Agile

Waterfall

SDLC

Dynamic code analysis

8. Because some clients have reported unauthorized activity on their accounts, a security analyst is reviewing network packet captures from the company's API server.

A portion of a capture file is shown below:

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.s/soap/envelope/"><s:Body><GetIPLocation+xmlns="http://tempuri.org/">

<request+xmlns:a="http://schemas.somesite.org"+xmlns:i="http://www.w3.org/2001/XMLSchema-instance"></s:Body></s:Envelope> 192.168.1.22 --api.somesite.com 200 0 1006 1001 0 192.168.1.22

POST /services/v1_0/Public/Members.svc/soap <<a:Password>Password123</a:Password><a:ResetPasswordToken+i:nil="true"/> <a:ShouldImpersonatedAuthenticationBePopulated+i:nil="true"/><a:Username>[email protected]</a:Username></request></Login></s:Body></s:Envelope> 192.168.5.66 --api.somesite.com 200 0 11558 1712 2024 192.168.4.89

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetIPLocation+xmlns="http://tempuri.org/"> <a:IPAddress>516.7.446.605</a:IPAddress><a:ZipCode+i:nil="true"/></request></GetIPLocation></s:Body></s:Envelope> 192.168.1.22 --api.somesite.com 200 0 1003 1011 307 192.168.1.22

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><IsLoggedIn+xmlns="http://tempuri.org/"> <request+xmlns:a="http://schemas.datacontract.org/2004/07/somesite.web+xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:Authentication> <a:ApiToken>kmL4krg2CwwWBan5BReGv5Djb7syxXTNKcWFuSjd</a:ApiToken><a:ImpersonateUserId>0</a:ImpersonateUserId><a:LocationId>161222</a:LocationId> <a:NetworkId>4</a:NetworkId><a:ProviderId>''1=1</a:ProviderId><a:UserId>13026046</a:UserId></a:Authentication></request></IsLoggedIn></s:Body></s:Envelope> 192.168.5.66 --api.somesite.com 200 0 1378 1209 48 192.168.4.89

Which of the following MOST likely explains how the clients' accounts were compromised?

The clients' authentication tokens were impersonated and replayed.

The clients' usernames and passwords were transmitted in cleartext.

An XSS scripting attack was carried out on the server.

A SQL injection attack was carried out on the server.

9. A security analyst is trying to determine if a host is active on a network.

The analyst first attempts the following:

The analyst runs the following command next:

Which of the following would explain the difference in results?

ICMP is being blocked by a firewall.

The routing tables for ping and hping3 were different.

The original ping command needed root permission to execute.

hping3 is returning a false positive.

10. As part of an exercise set up by the information security officer, the IT staff must move some of the network systems to an off-site facility and redeploy them for testing. All staff members must ensure their respective systems can power back up and match their gold image. If they find any inconsistencies, they must formally document the information.

Which of the following BEST describes this test?

Walk through

Full interruption

Simulation

Parallel

Page 2 of 10

11. A user receives a potentially malicious email that contains spelling errors and a PDF document. A security analyst reviews the email and decides to download the attachment to a Linux sandbox for review.

Which of the following commands would MOST likely indicate if the email is malicious?

sha256sum ~/Desktop/file.pdf

file ~/Desktop/file.pdf

strings ~/Desktop/file.pdf | grep "<script"

cat < ~/Desktop/file.pdf | grep -i .exe

12. A security analyst is reviewing packet captures from a system that was compromised. The system was already isolated from the network, but it did have network access for a few hours after being compromised.

When viewing the capture in a packet analyzer, the analyst sees the following:

Which of the following can the analyst conclude?

Malware is attempting to beacon to 128.50.100.3.

The system is running a DoS attack against ajgidwle.com.

The system is scanning ajgidwle.com for PI

Data is being exfiltrated over DN

13. A Chief Information Security Officer (CISO) is concerned the development team, which consists of contractors, has too much access to customer data. Developers use personal workstations, giving the company little to no visibility into the development activities.

Which of the following would be BEST to implement to alleviate the CISO's concern?

DLP

Encryption

Test data

NDA

14. The computer incident response team at a multinational company has determined that a breach of sensitive data has occurred in which a threat actor has compromised the organization’s email system. Per the incident response procedures, this breach requires notifying the board immediately.

Which of the following would be the BEST method of communication?

Post of the company blog

Corporate-hosted encrypted email

VoIP phone call

Summary sent by certified mail

Externally hosted instant message

15. A network attack that is exploiting a vulnerability in the SNMP is detected.

Which of the following should the cybersecurity analyst do FIRST?

Apply the required patches to remediate the vulnerability.

Escalate the incident to senior management for guidance.

Disable all privileged user accounts on the network.

Temporarily block the attacking IP address.

16. A development team is testing a new application release. The team needs to import existing client PHI data records from the production environment to the test environment to test accuracy and functionality.

Which of the following would BEST protect the sensitivity of this data while still allowing the team to perform the testing?

Deidentification

Encoding

Encryption

Watermarking

17. A large amount of confidential data was leaked during a recent security breach. As part of a forensic investigation, the security team needs to identify the various types of traffic that were captured between two compromised devices.

Which of the following should be used to identify the traffic?

Carving

Disk imaging

Packet analysis

Memory dump

Hashing

18. A security analyst was alerted to a tile integrity monitoring event based on a change to the vhost-paymonts .conf file.

The output of the diff command against the known-good backup reads as follows

Which of the following MOST likely occurred?

The file was altered to accept payments without charging the cards

The file was altered to avoid logging credit card information

The file was altered to verify the card numbers are valid.

The file was altered to harvest credit card numbers

19. While planning segmentation for an ICS environment, a security engineer determines IT resources will need access to devices within the ICS environment without compromising security.

To provide the MOST secure access model in this scenario, the jumpbox should be.

placed in an isolated network segment, authenticated on the IT side, and forwarded into the ICS network.

placed on the ICS network with a static firewall rule that allows IT network resources to authenticate.

bridged between the IT and operational technology networks to allow authenticated access.

placed on the IT side of the network, authenticated, and tunneled into the ICS environment.

20. Which of the following is the use of tools to simulate the ability for an attacker to gain access to a specified network?

Reverse engineering

Fuzzing

Penetration testing

Network mapping

Page 3 of 10

21. Data spillage occurred when an employee accidentally emailed a sensitive file to an external recipient.

Which of the following controls would have MOST likely prevented this incident?

SSO

DLP

WAF

VDI

22. A product manager is working with an analyst to design a new application that will perform as a data analytics platform and will be accessible via a web browser. The product manager suggests using a PaaS provider to host the application.

Which of the following is a security concern when using a PaaS solution?

The use of infrastructure-as-code capabilities leads to an increased attack surface.

Patching the underlying application server becomes the responsibility of the client.

The application is unable to use encryption at the database level.

Insecure application programming interfaces can lead to data compromise.

23. A storage area network (SAN) was inadvertently powered off while power maintenance was being performed in a datacenter. None of the systems should have lost all power during the maintenance. Upon review, it is discovered that a SAN administrator moved a power plug when testing the SAN's fault notification features.

Which of the following should be done to prevent this issue from reoccurring?

Ensure both power supplies on the SAN are serviced by separate circuits, so that if one circuit goes down, the other remains powered.

Install additional batteries in the SAN power supplies with enough capacity to keep the system powered on during maintenance operations.

Ensure power configuration is covered in the datacenter change management policy and have the SAN administrator review this policy.

Install a third power supply in the SAN so loss of any power intuit does not result in the SAN completely powering off.

24. A security analyst needs to reduce the overall attack surface.

Which of the following infrastructure changes should the analyst recommend?

Implement a honeypot.

Air gap sensitive systems.

Increase the network segmentation.

Implement a cloud-based architecture.

25. A SIEM solution alerts a security analyst of a high number of login attempts against the company's webmail portal. The analyst determines the login attempts used credentials from a past data breach.

Which of the following is the BEST mitigation to prevent unauthorized access?

Single sign-on

Mandatory access control

Multifactor authentication

Federation

Privileged access management

26. A security analyst is reviewing the following log from an email security service.

Which of the following BEST describes the reason why the email was blocked?

The To address is invalid.

The email originated from the www.spamfilter.org UR

The IP address and the remote server name are the same.

The IP address was blacklisted.

The From address is invalid.

27. An employee in the billing department accidentally sent a spreadsheet containing payment card data to a recipient outside the organization. The employee intended to send the spreadsheet to an internal staff member with a similar name and was unaware of the mistake until the recipient replied to the message In addition to retraining the employee, which of the following would prevent this from happening in the future?

Implement outgoing filter rules to quarantine messages that contain card data

Configure the outgoing mail filter to allow attachments only to addresses on the whitelist

Remove all external recipients from the employee's address book

Set the outgoing mail filter to strip spreadsheet attachments from all messages.

28. Which of the following sets of attributes BEST illustrates the characteristics of an insider threat from a security perspective?

Unauthorized, unintentional, benign

Unauthorized, intentional, malicious

Authorized, intentional, malicious

Authorized, unintentional, benign

29. An organization suspects it has had a breach, and it is trying to determine the potential impact.

The organization knows the following:

✑ . The source of the breach is linked to an IP located in a foreign country.

✑ . The breach is isolated to the research and development servers.

✑ . The hash values of the data before and after the breach are unchanged.

✑ . The affected servers were regularly patched, and a recent scan showed no vulnerabilities.

Which of the following conclusions can be drawn with respect to the threat and impact? (Choose two.)

The confidentiality of the data is unaffected.

The threat is an AP

The source IP of the threat has been spoofed.

The integrity of the data is unaffected.

The threat is an insider.

30. A security analyst received an email with the following key:

Xj3XJ3LLc

A second security analyst received an email with following key:

3XJ3xjcLLC

The security manager has informed the two analysts that the email they received is a key that allows access to the company’s financial segment for maintenance.

This is an example of:

dual control

private key encryption

separation of duties

public key encryption

two-factor authentication

Page 4 of 10

31. Risk management wants IT to implement a solution that will permit an analyst to intercept, execute, and analyze potentially malicious files that are downloaded from the Internet.

Which of the following would BEST provide this solution?

File fingerprinting

Decomposition of malware

Risk evaluation

Sandboxing

32. A system is experiencing noticeably slow response times, and users are being locked out frequently. An analyst asked for the system security plan and found the system comprises two servers: an application server in the DMZ and a database server inside the trusted domain.

Which of the following should be performed NEXT to investigate the availability issue?

Review the firewall logs.

Review syslogs from critical servers.

Perform fuzzing.

Install a WAF in front of the application server.

33. A security analyst received an alert from the SIEM indicating numerous login attempts from users outside their usual geographic zones, all of which were initiated through the web-based mail server. The logs indicate all domain accounts experienced two login attempts during the same time frame.

Which of the following is the MOST likely cause of this issue?

A password-spraying attack was performed against the organization.

A DDoS attack was performed against the organization.

This was normal shift work activity; the SIEM's AI is learning.

A credentialed external vulnerability scan was performed.

34. A security analyst is reviewing vulnerability scan results and notices new workstations are being flagged as having outdated antivirus signatures.

The analyst observes the following plugin output:

Antivirus is installed on the remote host:

Installation path: C:Program FilesAVProductWin32

Product Engine: 14.12.101

Engine Version: 3.5.71

Scanner does not currently have information about AVProduct version 3.5.71. It may no longer be supported.

The engine version is out of date. The oldest supported version from the vendor is 4.2.11.

The analyst uses the vendor's website to confirm the oldest supported version is correct.

Which of the following BEST describes the situation?

This is a false positive, and the scanning plugin needs to be updated by the vendor.

This is a true negative, and the new computers have the correct version of the software.

This is a true positive, and the new computers were imaged with an old version of the software.

This is a false negative, and the new computers need to be updated by the desktop team.

35. During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website.

Which of the following would be the MOST appropriate recommendation to prevent the activity from happening in the future?

An IPS signature modification for the specific IP addresses

An IDS signature modification for the specific IP addresses

A firewall rule that will block port 80 traffic

A firewall rule that will block traffic from the specific IP addresses

36. A security analyst is building a malware analysis lab. The analyst wants to ensure malicious applications are not capable of escaping the virtual machines and pivoting to other networks.

To BEST mitigate this risk, the analyst should use.

an 802.11ac wireless bridge to create an air gap.

a managed switch to segment the lab into a separate VLA

a firewall to isolate the lab network from all other networks.

an unmanaged switch to segment the environments from one another.

37. A security analyst is investigating a malware infection that occurred on a Windows system. The system was not connected to a network and had no wireless capability Company policy prohibits using portable media or mobile storage. The security analyst is trying to determine which user caused the malware to get onto the system.

Which of the following registry keys would MOST likely have this information?

HKEY_USERS<user SID>SoftwareMicrosoftWindowsCurrentVersionRun

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun

HKEY_USERS<user SID>SoftwareMicrosoftWindowsexplorerMountPoints2

HKEY_USERS<user SID>SoftwareMicrosoftInternet ExplorerTyped URLs

HKEY_LOCAL_MACHINESYSTEMControlSet001serviceseventlogSystemiusb3hub

38. Joe, a penetration tester, used a professional directory to identify a network administrator and ID administrator for a client’s company. Joe then emailed the network administrator, identifying himself as the ID administrator, and asked for a current password as part of a security exercise.

Which of the following techniques were used in this scenario?

Enumeration and OS fingerprinting

Email harvesting and host scanning

Social media profiling and phishing

Network and host scanning

39. Which of the following would MOST likely be included in the incident response procedure after a security breach of customer PII?

Human resources

Public relations

Marketing

Internal network operations center

40. A company was recently awarded several large government contracts and wants to determine its current risk from one specific APT.

Which of the following threat modeling methodologies would be the MOST appropriate to use during this analysis?

Attack vectors

Adversary capability

Diamond Model of Intrusion Analysis

Kill chain

Total attack surface

Page 5 of 10

41. A malicious hacker wants to gather guest credentials on a hotel 802.11 network.

Which of the following tools is the malicious hacker going to use to gain access to information found on the hotel network?

Nikto

Aircrak-ng

Nessus

tcpdump

42. An analyst identifies multiple instances of node-to-node communication between several endpoints within the 10.200.2.0/24 network and a user machine at the IP address 10.200.2.5. This user machine at the IP address 10.200.2.5 is also identified as initiating outbound communication during atypical business hours with several IP addresses that have recently appeared on threat feeds.

Which of the following can be inferred from this activity?

10.200.2.0/24 is infected with ransomware.

10.200.2.0/24 is not routable address space.

10.200.2.5 is a rogue endpoint.

10.200.2.5 is exfiltrating dat

43. A system administrator is doing network reconnaissance of a company’s external network to determine the vulnerability of various services that are running.

Sending some sample traffic to the external host, the administrator obtains the following packet capture:

Based on the output, which of the following services should be further tested for vulnerabilities?

SSH

HTTP

SMB

HTTPS

44. A security technician is testing a solution that will prevent outside entities from spoofing the company's email domain, which is comptiA.org. The testing is successful, and the security technician is prepared to fully implement the solution.

Which of the following actions should the technician take to accomplish this task?

Add TXT @ "v=spf1 mx include:_spf.compti

org −all" to the DNS record.

Add TXT @ "v=spf1 mx include:_spf.compti

org −all" to the email server.

Add TXT @ "v=spf1 mx include:_spf.compti

org +all" to the domain controller.

Add TXT @ "v=spf1 mx include:_spf.compti

org +all" to the web server.

45. A security team wants to make SaaS solutions accessible from only the corporate campus.

Which of the following would BEST accomplish this goal?

Geofencing

IP restrictions

Reverse proxy

Single sign-on

46. A security analyst has observed several incidents within an organization that are affecting one specific piece of hardware on the network. Further investigation reveals the equipment vendor previously released a patch.

Which of the following is the MOST appropriate threat classification for these incidents?

Known threat

Zero day

Unknown threat

Advanced persistent threat

47. A small electronics company decides to use a contractor to assist with the development of a new FPGA-based device. Several of the development phases will occur off-site at the contractor's labs.

Which of the following is the main concern a security analyst should have with this arrangement?

Making multiple trips between development sites increases the chance of physical damage to the FPGAs.

Moving the FPGAs between development sites will lessen the time that is available for security testing.

Development phases occurring at multiple sites may produce change management issues.

FPGA applications are easily cloned, increasing the possibility of intellectual property theft.

48. A security administrator needs to create an IDS rule to alert on FTP login attempts by root.

Which of the following rules is the BEST solution?

Option A

Option B

Option C

Option D

49. A compliance officer of a large organization has reviewed the firm's vendor management program but has discovered there are no controls defined to evaluate third-party risk or hardware source authenticity. The compliance officer wants to gain some level of assurance on a recurring basis regarding the implementation of controls by third parties.

Which of the following would BEST satisfy the objectives defined by the compliance officer? (Choose two.)

Executing vendor compliance assessments against the organization's security controls

Executing NDAs prior to sharing critical data with third parties

Soliciting third-party audit reports on an annual basis

Maintaining and reviewing the organizational risk assessment on a quarterly basis

Completing a business impact assessment for all critical service providers

Utilizing DLP capabilities at both the endpoint and perimeter levels

50. Ransomware is identified on a company's network that affects both Windows and MAC hosts. The command and control channel for encryption for this variant uses TCP ports from 11000 to 65000. The channel goes to good1. Iholdbadkeys.com, which resolves to IP address 72.172.16.2.

Which of the following is the MOST effective way to prevent any newly infected systems from actually encrypting the data on connected network drives while causing the least disruption to normal Internet traffic?

Block all outbound traffic to web host good1 iholdbadkeys.com at the border gateway.

Block all outbound TCP connections to IP host address 172.172.16.2 at the border gateway.

Block all outbound traffic on TCP ports 11000 to 65000 at the border gateway.

Block all outbound traffic on TCP ports 11000 to 65000 to IP host address 172.172.16.2 at the border gateway.

Page 6 of 10

51. Which of the following roles is ultimately responsible for determining the classification levels assigned to specific data sets?

Data custodian

Data owner

Data processor

Senior management

52. An organization is moving its infrastructure to the cloud in an effort to meet the budget and reduce staffing requirements. The organization has three environments: development, testing, and production. These environments have interdependencies but must remain relatively segmented.

Which of the following methods would BEST secure the company's infrastructure and be the simplest to manage and maintain?

Create three separate cloud accounts for each environment. Configure account peering and security rules to allow access to and from each environment.

Create one cloud account with one VPC for all environments. Purchase a virtual firewall and create granular security rules.

Create one cloud account and three separate VPCs for each environment. Create security rules to allow access to and from each environment.

Create three separate cloud accounts for each environment and a single core account for network services. Route all traffic through the core account.

53. A company just chose a global software company based in Europe to implement a new supply chain management solution.

Which of the following would be the MAIN concern of the company?

Violating national security policy

Packet injection

Loss of intellectual property

International labor laws

54. A cybersecurity analyst has access to several threat feeds and wants to organize them while simultaneously comparing intelligence against network traffic.

Which of the following would BEST accomplish this goal?

Continuous integration and deployment

Automation and orchestration

Static and dynamic analysis

Information sharing and analysis

55. A security analyst received a SIEM alert regarding high levels of memory consumption for a critical system. After several attempts to remediate the issue, the system went down. A root cause analysis revealed a bad actor forced the application to not reclaim memory. This caused the system to be depleted of resources.

Which of the following BEST describes this attack?

Injection attack

Memory corruption

Denial of service

Array attack

56. An information security analyst is compiling data from a recent penetration test and reviews the following output:

The analyst wants to obtain more information about the web-based services that are running on the target.

Which of the following commands would MOST likely provide the needed information?

ping -t 10.79.95.173.rdns.datacenters.com

telnet 10.79.95.173 443

ftpd 10.79.95.173.rdns.datacenters.com 443

tracert 10.79.95.173

57. A cyber-incident response analyst is investigating a suspected cryptocurrency miner on a company's server.

Which of the following is the FIRST step the analyst should take?

Create a full disk image of the server's hard drive to look for the file containing the malware.

Run a manual antivirus scan on the machine to look for known malicious software.

Take a memory snapshot of the machine to capture volatile information stored in memory.

Start packet capturing to look for traffic that could be indicative of command and control from the miner.

58. During routine monitoring, a security analyst discovers several suspicious websites that are communicating with a local host.

The analyst queries for IP 192.168.50.2 for a 24-hour period:

To further investigate, the analyst should request PCAP for SRC 192.168.50.2 and.

DST 138.10.2.5.

DST 138.10.25.5.

DST 172.10.3.5.

DST 172.10.45.5.

DST 175.35.20.5.

59. A security analyst suspects a malware infection was caused by a user who downloaded malware after clicking http://<malwaresource>/A.php in a phishing email.

To prevent other computers from being infected by the same malware variation, the analyst should create a rule on the.

email server that automatically deletes attached executables.

IDS to match the malware sample.

proxy to block all connections to <malwaresource>.

firewall to block connection attempts to dynamic DNS hosts.

60. A security analyst is reviewing a web application. If an unauthenticated user tries to access a page in the application, the user is redirected to the login page. After successful authentication, the user is then redirected back to the original page. Some users have reported receiving phishing emails with a link that takes them to the application login page but then redirects to a fake login page after successful authentication.

Which of the following will remediate this software vulnerability?

Enforce unique session IDs for the application.

Deploy a WAF in front of the web application.

Check for and enforce the proper domain for the redirect.

Use a parameterized query to check the credentials.

Implement email filtering with anti-phishing protection.

Page 7 of 10

61. A Chief Information Security Officer (CISO) wants to upgrade an organization's security posture by improving proactive activities associated with attacks from internal and external threats.

Which of the following is the MOST proactive tool or technique that feeds incident response capabilities?

Development of a hypothesis as part of threat hunting

Log correlation, monitoring, and automated reporting through a SIEM platform

Continuous compliance monitoring using SCAP dashboards

Quarterly vulnerability scanning using credentialed scans

62. A security analyst has received information from a third-party intelligence-sharing resource that indicates employee accounts were breached.

Which of the following is the NEXT step the analyst should take to address the issue?

Audit access permissions for all employees to ensure least privilege.

Force a password reset for the impacted employees and revoke any tokens.

Configure SSO to prevent passwords from going outside the local network.

Set up privileged access management to ensure auditing is enabled.

63. A security analyst for a large financial institution is creating a threat model for a specific threat actor that is likely targeting an organization's financial assets.

Which of the following is the BEST example of the level of sophistication this threat actor is using?

Social media accounts attributed to the threat actor

Custom malware attributed to the threat actor from prior attacks

Email addresses and phone numbers tied to the threat actor

Network assets used in previous attacks attributed to the threat actor

IP addresses used by the threat actor for command and control

64. A human resources employee sends out a mass email to all employees that contains their personnel records. A security analyst is called in to address the concern of the human resources director on how to prevent this from happening in the future.

Which of the following would be the BEST solution to recommend to the director?

Install a data loss prevention system, and train human resources employees on its use. Provide PII training to all employees at the company. Encrypt PII information.

Enforce encryption on all emails sent within the company. Create a PII program and policy on how to handle data. Train all human resources employees.

Train all employees. Encrypt data sent on the company network. Bring in privacy personnel to present a plan on how PII should be handled.

Install specific equipment to create a human resources policy that protects PII data. Train company employees on how to handle PII data. Outsource all PII to another company. Send the human resources director to training for PII handling.

65. A security analyst has received reports of very slow, intermittent access to a public-facing corporate server.

Suspecting the system may be compromised, the analyst runs the following commands:

Based on the output from the above commands, which of the following should the analyst do NEXT to further the investigation?

Run crontab -r; rm -rf /tmp/.t to remove and disable the malware on the system.

Examine the server logs for further indicators of compromise of a web application.

Run kill -9 1325 to bring the load average down so the server is usable again.

Perform a binary analysis on the /tmp/.t/t file, as it is likely to be a rogue SSHD server.

66. A security analyst, who is working for a company that utilizes Linux servers, receives the following results from a vulnerability scan:

Which of the following is MOST likely a false positive?

ICMP timestamp request remote date disclosure

Windows SMB service enumeration via srvsvc

Anonymous FTP enabled

Unsupported web server detection

67. A security analyst is providing a risk assessment for a medical device that will be installed on the corporate network. During the assessment, the analyst discovers the device has an embedded operating system that will be at the end of its life in two years. Due to the criticality of the device, the security committee makes a risk- based policy decision to review and enforce the vendor upgrade before the end of life is reached.

Which of the following risk actions has the security committee taken?

Risk exception

Risk avoidance

Risk tolerance

Risk acceptance

68. 1.An analyst is performing penetration testing and vulnerability assessment activities against a new vehicle automation platform.

Which of the following is MOST likely an attack vector that is being utilized as part of the testing and assessment?

FaaS

RTOS

SoC

GPS

CAN bus

69. An information security analyst is reviewing backup data sets as part of a project focused on eliminating archival data sets.

Which of the following should be considered FIRST prior to disposing of the electronic data?

Sanitization policy

Data sovereignty

Encryption policy

Retention standards

70. It is important to parameterize queries to prevent:

the execution of unauthorized actions against a database.

a memory overflow that executes code with elevated privileges.

the esrtablishment of a web shell that would allow unauthorized access.

the queries from using an outdated library with security vulnerabilities.

Page 8 of 10

71. A user's computer has been running slowly when the user tries to access web pages.

A security analyst runs the command netstat -aon from the command line and receives the following output:

Which of the following lines indicates the computer may be compromised?

Line 1

Line 2

Line 3

Line 4

Line 5

Line 6

72. An analyst is reviewing a list of vulnerabilities, which were reported from a recent vulnerability scan of a Linux server.

Which of the following is MOST likely to be a false positive?

OpenSSH/OpenSSL Package Random Number Generator Weakness

Apache HTTP Server Byte Range DoS

GDI+ Remote Code Execution Vulnerability (MS08-052)

HTTP TRACE / TRACK Methods Allowed (002-1208)

SSL Certificate Expiry

73. Which of the following should be found within an organization's acceptable use policy?

Passwords must be eight characters in length and contain at least one special character.

Customer data must be handled properly, stored on company servers, and encrypted when possible

Administrator accounts must be audited monthly, and inactive accounts should be removed.

Consequences of violating the policy could include discipline up to and including termination.

74. An audit has revealed an organization is utilizing a large number of servers that are running unsupported operating systems.

As part of the management response phase of the audit, which of the following would BEST demonstrate senior management is appropriately aware of and addressing the issue?

Copies of prior audits that did not identify the servers as an issue

Project plans relating to the replacement of the servers that were approved by management

Minutes from meetings in which risk assessment activities addressing the servers were discussed

ACLs from perimeter firewalls showing blocked access to the servers

Copies of change orders relating to the vulnerable servers

75. During an investigation, a security analyst identified machines that are infected with malware the antivirus was unable to detect.

Which of the following is the BEST place to acquire evidence to perform data carving?

The system memory

The hard drive

Network packets

The Windows Registry

76. HOTSPOT

Welcome to the Enterprise Help Desk System. Please work the ticket escalated to you in the desk ticket queue.

INSTRUCTIONS

Click on me ticket to see the ticket details Additional content is available on tabs within the ticket

First, select the appropriate issue from the drop-down menu. Then, select the MOST likely root cause from second drop-down menu

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button

77. A security analyst on the threat-hunting team has developed a list of unneeded, benign services that are currently running as part of the standard OS deployment for workstations. The analyst will provide this list to the operations team to create a policy that will automatically disable the services for all workstations in the organization.

Which of the following BEST describes the security analyst's goal?

To create a system baseline

To reduce the attack surface

To optimize system performance

To improve malware detection

78. Which of the following software security best practices would prevent an attacker from being able to run arbitrary SQL commands within a web application? (Choose two.)

Parameterized queries

Session management

Input validation

Output encoding

Data protection

Authentication

79. For machine learning to be applied effectively toward security analysis automation, it requires .

relevant training data.

a threat feed AP

a multicore, multiprocessor system.

anomalous traffic signatures.

80. A development team uses open-source software and follows an Agile methodology with two-week sprints. Last month, the security team filed a bug for an insecure version of a common library. The DevOps team updated the library on the server, and then the security team rescanned the server to verify it was no longer vulnerable. This month, the security team found the same vulnerability on the server.

Which of the following should be done to correct the cause of the vulnerability?

Deploy a WAF in front of the application.

Implement a software repository management tool.

Install a HIPS on the server.

Instruct the developers to use input validation in the code.

Page 9 of 10

81. A security analyst recently discovered two unauthorized hosts on the campus's wireless network segment from a man-m-the-middle attack. The security analyst also verified that privileges were not escalated, and the two devices did not gain access to other network devices.

Which of the following would BEST mitigate and improve the security posture of the wireless network for this type of attack?

Enable MAC filtering on the wireless router and suggest a stronger encryption for the wireless network,

Change the SSID, strengthen the passcode, and implement MAC filtering on the wireless router.

Enable MAC filtering on the wireless router and create a whitelist that allows devices on the network

Conduct a wireless survey to determine if the wireless strength needs to be reduced.

82. A security analyst is evaluating two vulnerability management tools for possible use in an organization. The analyst set up each of the tools according to the respective vendor's instructions and generated a report of vulnerabilities that ran against the same target server.

Tool A reported the following:

Tool B reported the following:

Which of the following BEST describes the method used by each tool? (Choose two.)

Tool A is agent based.

Tool A used fuzzing logic to test vulnerabilities.

Tool A is unauthenticated.

Tool B utilized machine learning technology.

Tool B is agent based.

Tool B is unauthenticated.

83. A cybersecurity analyst is currently checking a newly deployed server that has an access control list applied.

When conducting the scan, the analyst received the following code snippet of results:

Which of the following describes the output of this scan?

The analyst has discovered a False Positive, and the status code is incorrect providing an OK message.

The analyst has discovered a True Positive, and the status code is correct providing a file not found error message.

The analyst has discovered a True Positive, and the status code is incorrect providing a forbidden message.

The analyst has discovered a False Positive, and the status code is incorrect providing a server error message.

84. A security team is implementing a new vulnerability management program in an environment that has a historically poor security posture. The team is aware of issues patch management in the environment and expects a large number of findings.

Which of the following would be the MOST efficient way to increase the security posture of the organization in the shortest amount of time?

Create an SLA stating that remediation actions must occur within 30 days of discovery for all levels of vulnerabilities.

Incorporate prioritization levels into the remediation process and address critical findings first.

Create classification criteria for data residing on different servers and provide remediation only for servers housing sensitive data.

Implement a change control policy that allows the security team to quickly deploy patches in the production environment to reduce the risk of any vulnerabilities found.

85. Which of the following is the BEST way to share incident-related artifacts to provide non-repudiation?

Secure email

Encrypted USB drives

Cloud containers

Network folders

86. Which of the following types of policies is used to regulate data storage on the network?

Password

Acceptable use

Account management

Retention

87. An incident responder successfully acquired application binaries off a mobile device for later forensic analysis.

Which of the following should the analyst do NEXT?

Decompile each binary to derive the source code.

Perform a factory reset on the affected mobile device.

Compute SHA-256 hashes for each binary.

Encrypt the binaries using an authenticated AES-256 mode of operation.

Inspect the permissions manifests within each application.

88. A security analyst reviews the following aggregated output from an Nmap scan and the border firewall ACL:

Which of the following should the analyst reconfigure to BEST reduce organizational risk while maintaining current functionality?

PC1

PC2

Server1

Server2

Firewall

89. An information security analyst observes anomalous behavior on the SCADA devices in a power plant. This behavior results in the industrial generators overheating and destabilizing the power supply.

Which of the following would BEST identify potential indicators of compromise?

Use Burp Suite to capture packets to the SCADA device's I

Use tcpdump to capture packets from the SCADA device I

Use Wireshark to capture packets between SCADA devices and the management system.

Use Nmap to capture packets from the management system to the SCADA devices.

90. A development team signed a contract that requires access to an on-premises physical server. Access must be restricted to authorized users only and cannot be connected to the Internet.

Which of the following solutions would meet this requirement?

Establish a hosted SS

Implement a CAS

Virtualize the server.

Air gap the server.

Page 10 of 10

91. A web developer wants to create a new web part within the company website that aggregates sales from individual team sites. A cybersecurity analyst wants to ensure security measurements are implemented during this process.

Which of the following remediation actions should the analyst take to implement a vulnerability management process?

Personnel training

Vulnerability scan

Change management

Sandboxing

92. The security team at a large corporation is helping the payment-processing team to prepare for a regulatory compliance audit and meet the following objectives:

✑ Reduce the number of potential findings by the auditors.

✑ Limit the scope of the audit to only devices used by the payment-processing team for activities directly impacted by the regulations.

✑ Prevent the external-facing web infrastructure used by other teams from coming into scope.

✑ Limit the amount of exposure the company will face if the systems used by the payment-processing team are compromised.

Which of the following would be the MOST effective way for the security team to meet these objectives?

Limit the permissions to prevent other employees from accessing data owned by the business unit.

Segment the servers and systems used by the business unit from the rest of the network.

Deploy patches to all servers and workstations across the entire organization.

Implement full-disk encryption on the laptops used by employees of the payment-processing team.

93. During an investigation, an incident responder intends to recover multiple pieces of digital media. Before removing the media, the responder should initiate:

malware scans.

secure communications.

chain of custody forms.

decryption tools.

94. Ann, a user, reports to the security team that her browser began redirecting her to random sites while using her Windows laptop. Ann further reports that the OS shows the C: drive is out of space despite having plenty of space recently. Ann claims she not downloaded anything.

The security team obtains the laptop and begins to investigate, noting the following:

✑ File access auditing is turned off.

✑ When clearing up disk space to make the laptop functional, files that appear to be cached web pages are immediately created in a temporary directory, filling up the available drive space.

✑ All processes running appear to be legitimate processes for this user and machine.

✑ Network traffic spikes when the space is cleared on the laptop.

✑ No browser is open.

Which of the following initial actions and tools would provide the BEST approach to determining what is happening?

Delete the temporary files, run an Nmap scan, and utilize Burp Suite.

Disable the network connection, check Sysinternals Process Explorer, and review netstat output.

Perform a hard power down of the laptop, take a dd image, and analyze with FT

Review logins to the laptop, search Windows Event Viewer, and review Wireshark captures.

95. A security analyst has a sample of malicious software and needs to know what the sample does?. The analyst runs the sample in a carefully controlled and monitored virtual machine to observe the software behavior.

Which of the following malware analysis approaches is this?

White box testing

Fuzzing

Sandboxing

Static code analysis

96. A pharmaceutical company's marketing team wants to send out notifications about new products to alert users of recalls and newly discovered adverse drug reactions. The team plans to use the names and mailing addresses that users have provided.

Which of the following data privacy standards does this violate?

Purpose limitation

Sovereignty

Data minimization

Retention

97. During a cyber incident, which of the following is the BEST course of action?

Switch to using a pre-approved, secure, third-party communication system.

Keep the entire company informed to ensure transparency and integrity during the incident.

Restrict customer communication until the severity of the breach is confirmed.

Limit communications to pre-authorized parties to ensure response efforts remain confidential.

98. An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operation of the organization's production line. The legacy hardware does not have third-party support, and the OEM manufacturer of the controller is no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability.

Which of the following would be the MOST appropriate to remediate the controller?

Segment the network to constrain access to administrative interfaces.

Replace the equipment that has third-party support.

Remove the legacy hardware from the network.

Install an IDS on the network between the switch and the legacy equipment.

99. A cybersecurity analyst is contributing to a team hunt on an organization's endpoints.

Which of the following should the analyst do FIRST?

Write detection logic.

Establish a hypothesis.

Profile the threat actors and activities.

Perform a process analysis.

100. A security analyst is reviewing the logs from an internal chat server. The chat.log file is too large to review manually, so the analyst wants to create a shorter log file that only includes lines associated with a user demonstrating anomalous activity.

Below is a snippet of the log:

Which of the following commands would work BEST to achieve the desired result?

grep -v chatter14 chat.log

grep -i pythonfun chat.log

grep -i javashark chat.log

grep -v javashark chat.log

grep -v pythonfun chat.log

grep -i chatter14 chat.log

Nuevo Comptia CYSA+ CS0-002 Preguntas del examen [2022] para aprobar con éxito

Author

Deja una respuesta Cancelar la respuesta