Winter Special - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: top65certs

Free and Premium CompTIA CS0-003 Dumps Questions Answers

Page: 1 / 27
Total 367 questions

CompTIA CyberSecurity Analyst CySA+ Certification Exam Questions and Answers

Question 1

Which of the following stakeholders are most likely to receive a vulnerability scan report? (Select two).

Options:

A.

Executive management

B.

Law enforcement

C.

Marketing

D.

Legal

E.

Product owner

F.

Systems admininstration

Buy Now
Question 2

An analyst is suddenly unable to enrich data from the firewall. However, the other open intelligence feeds continue to work. Which of the following is the most likely reason the firewall feed stopped working?

Options:

A.

The firewall service account was locked out.

B.

The firewall was using a paid feed.

C.

The firewall certificate expired.

D.

The firewall failed open.

Question 3

Which of the following is the first step that should be performed when establishing a disaster recovery plan?

Options:

A.

Agree on the goals and objectives of the plan

B.

Determine the site to be used during a disaster

C Demonstrate adherence to a standard disaster recovery process

C.

Identity applications to be run during a disaster

Question 4

A security analyst is working on a server patch management policy that will allow the infrastructure team to be informed more quickly about new patches. Which of the following would most likely be required by the infrastructure team so that vulnerabilities can be remediated quickly? (Select two).

Options:

A.

Hostname

B.

Missing KPI

C.

CVE details

D.

POC availability

E.

loCs

F.

npm identifier

Question 5

An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the breach to?

Options:

A.

PCI Security Standards Council

B.

Local law enforcement

C.

Federal law enforcement

D.

Card issuer

Question 6

An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of the following should the CSIRT conduct next?

Options:

A.

Take a snapshot of the compromised server and verify its integrity

B.

Restore the affected server to remove any malware

C.

Contact the appropriate government agency to investigate

D.

Research the malware strain to perform attribution

Question 7

A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself. Which of the following can the analyst perform to see the entire contents of the downloaded files?

Options:

A.

Change the display filter to f cp. accive. pore

B.

Change the display filter to tcg.port=20

C.

Change the display filter to f cp-daca and follow the TCP streams

D.

Navigate to the File menu and select FTP from the Export objects option

Question 8

An analyst investigated a website and produced the following:

Which of the following syntaxes did the analyst use to discover the application versions on this vulnerable website?

Options:

A.

nmap -sS -T4 -F insecure.org

B.

nmap -o insecure.org

C.

nmap -sV -T4 -F insecure.org

D.

nmap -A insecure.org

Question 9

A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below:

Security Policy 1006: Vulnerability Management

1. The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities.

2. In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data.

3. The Company shall prioritize patching of publicly available systems and services over patching of internally available system.

According to the security policy, which of the following vulnerabilities should be the highest priority to patch?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 10

A threat hunter seeks to identify new persistence mechanisms installed in an organization's environment. In collecting scheduled tasks from all enterprise workstations, the following host details are aggregated:

Which of the following actions should the hunter perform first based on the details above?

Options:

A.

Acquire a copy of taskhw.exe from the impacted host

B.

Scan the enterprise to identify other systems with taskhw.exe present

C.

Perform a public search for malware reports on taskhw.exe.

D.

Change the account that runs the -caskhw. exe scheduled task

Question 11

A SOC receives several alerts indicating user accounts are connecting to the company’s identity provider through non-secure communications. User credentials for accessing sensitive, business-critical systems could be exposed. Which of the following logs should the SOC use when determining malicious intent?

Options:

A.

DNS

B.

tcpdump

C.

Directory

D.

IDS

Question 12

An end-of-life date was announced for a widely used OS. A business-critical function is performed by some machinery that is controlled by a PC, which is utilizing the OS that is approaching the end-of- life date. Which of the following best describes a security analyst's concern?

Options:

A.

Any discovered vulnerabilities will not be remediated.

B.

An outage of machinery would cost the organization money.

C.

Support will not be available for the critical machinery

D.

There are no compensating controls in place for the OS.

Question 13

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

Which of the following tuning recommendations should the security analyst share?

Options:

A.

Set an Http Only flag to force communication by HTTPS.

B.

Block requests without an X-Frame-Options header.

C.

Configure an Access-Control-Allow-Origin header to authorized domains.

D.

Disable the cross-origin resource sharing header.

Question 14

A development team is preparing to roll out a beta version of a web application and wants to quickly test for vulnerabilities, including SQL injection, path traversal, and cross-site scripting. Which of the following tools would the security team most likely recommend to perform this test?

Options:

A.

Has heat

B.

OpenVAS

C.

OWASP ZAP

D.

Nmap

Question 15

An organization enabled a SIEM rule to send an alert to a security analyst distribution list when ten failed logins occur within one minute. However, the control was unable to detect an attack with nine failed logins. Which of the following best represents what occurred?

Options:

A.

False positive

B.

True negative

C.

False negative

D.

True positive

Question 16

While a security analyst for an organization was reviewing logs from web servers. the analyst found several successful attempts to downgrade HTTPS sessions to use cipher modes of operation susceptible to padding oracle attacks. Which of the following combinations of configuration changes should the organization make to remediate this issue? (Select two).

Options:

A.

Configure the server to prefer TLS 1.3.

B.

Remove cipher suites that use CBC.

C.

Configure the server to prefer ephemeral modes for key exchange.

D.

Require client browsers to present a user certificate for mutual authentication.

E.

Configure the server to require HSTS.

F.

Remove cipher suites that use GCM.

Question 17

An organization's website was maliciously altered.

INSTRUCTIONS

Review information in each tab to select the source IP the analyst should be concerned

about, the indicator of compromise, and the two appropriate corrective actions.

Options:

Question 18

Which of the following best describes the key goal of the containment stage of an incident response process?

Options:

A.

To limit further damage from occurring

B.

To get services back up and running

C.

To communicate goals and objectives of theincidentresponse plan

D.

To prevent data follow-on actions by adversary exfiltration

Question 19

An organization's email account was compromised by a bad actor. Given the following Information:

Which of the following is the length of time the team took to detect the threat?

Options:

A.

25 minutes

B.

40 minutes

C.

45 minutes

D.

2 hours

Question 20

A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script:

Which of the following scripting languages was used in the script?

Options:

A.

PowerShel

B.

Ruby

C.

Python

D.

Shell script

Question 21

K company has recently experienced a security breach via a public-facing service. Analysis of the event on the server was traced back to the following piece of code:

SELECT ’ From userjdata WHERE Username = 0 and userid8 1 or 1=1;—

Which of the following controls would be best to implement?

Options:

A.

Deploy a wireless application protocol.

B.

Remove the end-of-life component.

C.

Implement proper access control.

D.

Validate user input.

Question 22

A SOC analyst determined that a significant number of the reported alarms could be closed after removing the duplicates. Which of the following could help the analyst reduce the number of alarms with the least effort?

Options:

A.

SOAR

B.

API

C.

XDR

D.

REST

Question 23

Which of the following is a benefit of the Diamond Model of Intrusion Analysis?

Options:

A.

It provides analytical pivoting and identifies knowledge gaps.

B.

It guarantees that the discovered vulnerability will not be exploited again in the future.

C.

It provides concise evidence that can be used in court

D.

It allows for proactive detection and analysis of attack events

Question 24

You are a cybersecurity analyst tasked with interpreting scan data from Company As servers You must verify the requirements are being met for all of the servers and recommend changes if you find they are not

The company's hardening guidelines indicate the following

• TLS 1 2 is the only version of TLS

running.

• Apache 2.4.18 or greater should be used.

• Only default ports should be used.

INSTRUCTIONS

using the supplied data. record the status of compliance With the company’s guidelines for each server.

The question contains two parts: make sure you complete Part 1 and Part 2. Make recommendations for Issues based ONLY on the hardening guidelines provided.

Part 1:

AppServ1:

AppServ2:

AppServ3:

AppServ4:

Part 2:

Options:

Question 25

An analyst is designing a message system for a bank. The analyst wants to include a feature that allows the recipient of a message to prove to a third party that the message came from the sender Which of the following information security goals is the analyst most likely trying to achieve?

Options:

A.

Non-repudiation

B.

Authentication

C.

Authorization

D.

Integrity

Question 26

The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase the risk to the organization. Which of the following solutions will assist in reducing the risk?

Options:

A.

Deploy a CASB and enable policy enforcement

B.

Configure MFA with strict access

C.

Deploy an API gateway

D.

Enable SSO to the cloud applications

Question 27

A company is launching a new application in its internal network, where internal customers can communicate with the service desk. The security team needs to ensure the application will be able to handle unexpected strings with anomalous formats without crashing. Which of the following processes is the most applicable for testing the application to find how it would behave in such a situation?

Options:

A.

Fuzzing

B.

Coding review

C.

Debugging

D.

Static analysis

Question 28

An employee downloads a freeware program to change the desktop to the classic look of legacy Windows. Shortly after the employee installs the program, a high volume of random DNS queries begin

to originate from the system. An investigation on the system reveals the following:

Add-MpPreference -ExclusionPath '%Program Filest\ksysconfig'

Which of the following is possibly occurring?

Options:

A.

Persistence

B.

Privilege escalation

C.

Credential harvesting

D.

Defense evasion

Question 29

A company's internet-facing web application has been compromised several times due to identified design flaws. The company would like to minimize the risk of these incidents from reoccurring and has provided the developers with better security training. However, the company cannot allocate any more internal resources to the issue. Which of the following are the best options to help identify flaws within the system? (Select two).

Options:

A.

Deploying a WAF

B.

Performing a forensic analysis

C.

Contracting a penetration test

D.

Holding a tabletop exercise

E.

Creating a bug bounty program

F.

Implementing threat modeling

Question 30

A regulated organization experienced a security breach that exposed a list of customer names with corresponding PH data. Which of the following is the best reason for developing the organization's communication plans?

Options:

A.

For the organization's public relations department to have a standard notification

B.

To ensure incidents are immediately reported to a regulatory agency

C.

To automate the notification to customers who were impacted by the breach

D.

To have approval from executive leadership on when communication should occur

Question 31

A systems administrator needs to gather security events with repeatable patterns from Linux log files. Which of the following would the administrator most likely use for this task?

Options:

A.

A regular expression in Bash

B.

Filters in the vi editor

C.

Variables in a PowerShell script

D.

A playbook in a SOAR tool

Question 32

An analyst has received an IPS event notification from the SIEM stating an IP address, which is known to be malicious, has attempted to exploit a zero-day vulnerability on several web servers. The exploit contained the following snippet:

/wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user&role=administrator

Which of the following controls would work best to mitigate the attack represented by this snippet?

Options:

A.

Limit user creation to administrators only.

B.

Limit layout creation to administrators only.

C.

Set the directory trx_addons to read only for all users.

D.

Set the directory v2 to read only for all users.

Question 33

During a tabletop exercise, engineers discovered that an ICS could not be updated due to hardware versioning incompatibility. Which of the following is the most likely cause of this issue?

Options:

A.

Legacy system

B.

Business process interruption

C.

Degrading functionality

D.

Configuration management

Question 34

An analyst is conducting routine vulnerability assessments on the company infrastructure. When performing these scans, a business-critical server crashes, and the cause is traced back to the vulnerability scanner. Which of the following is the cause of this issue?

Options:

A.

The scanner is running without an agent installed.

B.

The scanner is running in active mode.

C.

The scanner is segmented improperly.

D.

The scanner is configured with a scanning window.

Question 35

An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?

Options:

A.

Disable the user's network account and access to web resources

B.

Make a copy of the files as a backup on the server.

C.

Place a legal hold on the device and the user's network share.

D.

Make a forensic image of the device and create a SRA-I hash.

Question 36

An analyst is reviewing a dashboard from the company’s SIEM and finds that an IP address known to be malicious can be tracked to numerous high-priority events in the last two hours. The dashboard indicates that these events relate to TTPs. Which of the following is the analyst most likely using?

Options:

A.

MITRE ATT&CK

B.

OSSTMM

C.

Diamond Model of Intrusion Analysis

D.

OWASP

Question 37

The vulnerability analyst reviews threat intelligence regarding emerging vulnerabilities affecting workstations that are used within the company:

Which of the following vulnerabilities should the analyst be most concerned about, knowing that end users frequently click on malicious links sent via email?

Options:

A.

Vulnerability A

B.

Vulnerability B

C.

Vulnerability C

D.

Vulnerability D

Question 38

An organization discovered a data breach that resulted in Pll being released to the public. During the lessons learned review, the panel identified discrepancies regarding who was responsible for external reporting, as well as the timing requirements. Which of the following actions would best address the reporting issue?

Options:

A.

Creating a playbook denoting specific SLAs and containment actions per incident type

B.

Researching federal laws, regulatory compliance requirements, and organizational policies to document specific reporting SLAs

C.

Defining which security incidents require external notifications and incident reporting in addition to internal stakeholders

D.

Designating specific roles and responsibilities within the security team and stakeholders to streamline tasks

Question 39

A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?

Options:

A.

function w() { info=$(ping -c 1 $1 | awk -F “/” ‘END{print $1}’) && echo “$1 | $info” }

B.

function x() { info=$(geoiplookup $1) && echo “$1 | $info” }

C.

function y() { info=$(dig -x $1 | grep PTR | tail -n 1 ) && echo “$1 | $info” }

D.

function z() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo “$1 | $info” }

Question 40

A systems administrator receives reports of an internet-accessible Linux server that is running very sluggishly. The administrator examines the server, sees a high amount of memory utilization, and suspects a DoS attack related to half-open TCP sessions consuming memory. Which of the following tools would best help to prove whether this server was experiencing this behavior?

Options:

A.

Nmap

B.

TCPDump

C.

SIEM

D.

EDR

Question 41

A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following

would best aid in decreasing the workload without increasing staff?

Options:

A.

SIEM

B.

XDR

C.

SOAR

D.

EDR

Question 42

Which of the following describes a contract that is used to define the various levels of maintenance to be provided by an external business vendor in a secure environment?

Options:

A.

MOU

B.

NDA

C.

BIA

D.

SLA

Question 43

Which of the following best describes the reporting metric that should be utilized when measuring the degree to which a system, application, or user base is affected by an uptime availability outage?

Options:

A.

Timeline

B.

Evidence

C.

Impact

D.

Scope

Question 44

Exploit code for a recently disclosed critical software vulnerability was publicly available (or download for several days before being removed. Which of the following CVSS v.3.1 temporal metrics was most impacted by this exposure?

Options:

A.

Remediation level

B.

Exploit code maturity

C.

Report confidence

D.

Availability

Question 45

During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?

Options:

A.

Disk contents

B.

Backup data

C.

Temporary files

D.

Running processes

Question 46

An analyst is reviewing a dashboard from the company's SIEM and finds that an IP address known to be malicious can be tracked to numerous high-priority events in the last two hours. The dashboard indicates that these events relate to TTPs. Which of the following is the analyst most likely using?

Options:

A.

MITRE ATT&CK

B.

OSSTMM

C.

Diamond Model of Intrusion Analysis

D.

OWASP

Question 47

A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being

used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?

Options:

A.

Leave the proxy as is.

B.

Decomission the proxy.

C.

Migrate the proxy to the cloud.

D.

Patch the proxy

Question 48

An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?

Options:

A.

Scope

B.

Weaponization

C.

CVSS

D.

Asset value

Question 49

A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities:

Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?

Options:

A.

InLoud:

Cobain: Yes

Grohl: No

Novo: Yes

Smear: Yes

Channing: No

B.

TSpirit:

Cobain: Yes

Grohl: Yes

Novo: Yes

Smear: No

Channing: No

C.

ENameless:

Cobain: Yes

Grohl: No

Novo: Yes

Smear: No

Channing: No

D.

PBleach:

Cobain: Yes

Grohl: No

Novo: No

Smear: No

Channing: Yes

Question 50

A new SOC manager reviewed findings regarding the strengths and weaknesses of the last tabletop exercise in order to make improvements. Which of the following should the SOC manager utilize to improve the process?

Options:

A.

The most recent audit report

B.

The incident response playbook

C.

The incident response plan

D.

The lessons-learned register

Question 51

A security analyst has found a moderate-risk item in an organization's point-of-sale application. The organization is currently in a change freeze window and has decided that the risk is not high enough to correct at this time. Which of the following inhibitors to remediation does this scenario illustrate?

Options:

A.

Service-level agreement

B.

Business process interruption

C.

Degrading functionality

D.

Proprietary system

Question 52

A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server

logs for evidence of exploitation of that particular vulnerability?

Options:

A.

/etc/ shadow

B.

curl localhost

C.

; printenv

D.

cat /proc/self/

Question 53

An analyst discovers unusual outbound connections to an IP that was previously blocked at the web proxy and firewall. Upon further investigation, it appears that the proxy and firewall rules that were in place were removed by a service account that is not recognized. Which of the following parts of the Cyber Kill Chain does this describe?

Options:

A.

Delivery

B.

Command and control

C.

Reconnaissance

D.

Weaporization

Question 54

During normal security monitoring activities, the following activity was observed:

cd C:\Users\Documents\HR\Employees

takeown/f .*

SUCCESS:

Which of the following best describes the potentially malicious activity observed?

Options:

A.

Registry changes or anomalies

B.

Data exfiltration

C.

Unauthorized privileges

D.

File configuration changes

Question 55

A company brings in a consultant to make improvements to its website. After the consultant leaves. a web developer notices unusual activity on the website and submits a suspicious file containing the following code to the security team:

Which of the following did the consultant do?

Options:

A.

Implanted a backdoor

B.

Implemented privilege escalation

C.

Implemented clickjacking

D.

Patched the web server

Question 56

Which of the following tools would work best to prevent the exposure of PII outside of an organization?

Options:

A.

PAM

B.

IDS

C.

PKI

D.

DLP

Question 57

A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?

Options:

A.

Wipe the computer and reinstall software

B.

Shut down the email server and quarantine it from the network.

C.

Acquire a bit-level image of the affected workstation.

D.

Search for other mail users who have received the same file.

Question 58

The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?

Options:

A.

Reduce the administrator and privileged access accounts

B.

Employ a network-based IDS

C.

Conduct thorough incident response

D.

Enable SSO to enterprise applications

Question 59

An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in order to move the incident forward?

Options:

A.

Impact

B.

Vulnerability score

C.

Mean time to detect

D.

Isolation

Question 60

Which of the following best explains the importance of communicating with staff regarding the official public communication plan related to incidents impacting the organization?

Options:

A.

To establish what information is allowed to be released by designated employees

B.

To designate an external public relations firm to represent the organization

C.

To ensure that all news media outlets are informed at the same time

D.

To define how each employee will be contacted after an event occurs

Question 61

A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?

Options:

A.

C2 beaconing activity

B.

Data exfiltration

C.

Anomalous activity on unexpected ports

D.

Network host IP address scanning

E.

A rogue network device

Question 62

A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?

Options:

A.

CVSS: 31/AV: N/AC: L/PR: N/UI: N/S: U/C: H/1: K/A: L

B.

CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

C.

CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H

D.

CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H

Question 63

During an internal code review, software called "ACE" was discovered to have a vulnerability that allows the execution of arbitrary code. The vulnerability is in a legacy, third-party vendor resource that is used by the ACE software. ACE is used worldwide and is essential for many businesses in this industry. Developers informed the Chief Information Security Officer that removal of the vulnerability will take time. Which of the following is the first action to take?

Options:

A.

Look for potential loCs in the company.

B.

Inform customers of the vulnerability.

C.

Remove the affected vendor resource from the ACE software.

D.

Develop a compensating control until the issue can be fixed permanently.

Question 64

A security audit for unsecured network services was conducted, and the following output was generated:

Which of the following services should the security team investigate further? (Select two).

Options:

A.

21

B.

22

C.

23

D.

636

E.

1723

F.

3389

Question 65

An organization has a critical financial application hosted online that does not allow event logging to send to the corporate SIEM. Which of the following is the best option for the security analyst to configure to improve the efficiency of security operations?

Options:

A.

Configure a new SIEM specific to the management of the hosted environment.

B.

Subscribe to a threat feed related to the vendor's application.

C.

Use a vendor-provided API to automate pulling the logs in real time.

D.

Download and manually import the logs outside of business hours.

Question 66

Which of the following is the most appropriate action a security analyst to take to effectively identify the most security risks associated with a locally hosted server?

Options:

A.

Run the operating system update tool to apply patches that are missing.

B.

Contract an external penetration tester to attempt a brute-force attack.

C.

Download a vendor support agent to validate drivers that are installed.

D.

Execute a vulnerability scan against the target host.

Question 67

Several vulnerability scan reports have indicated runtime errors as the code is executing. The dashboard that lists the errors has a command-line interface for developers to check for vulnerabilities. Which of the following will enable a developer to correct this issue? (Select two).

Options:

A.

Performing dynamic application security testing

B.

Reviewing the code

C.

Fuzzing the application

D.

Debugging the code

E.

Implementing a coding standard

F.

Implementing IDS

Question 68

Which of the following best describes the threat concept in which an organization works to ensure that all network users only open attachments from known sources?

Options:

A.

Hacktivist threat

B.

Advanced persistent threat

C.

Unintentional insider threat

D.

Nation-state threat

Question 69

A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?

Options:

A.

External

B.

Agent-based

C.

Non-credentialed

D.

Credentialed

Question 70

A company's security team is updating a section of the reporting policy that pertains to inappropriate use of resources (e.g., an employee who installs cryptominers on workstations in the office). Besides the security team, which

of the following groups should the issue be escalated to first in order to comply with industry best practices?

Options:

A.

Help desk

B.

Law enforcement

C.

Legal department

D.

Board member

Question 71

The Chief Information Security Officer (CISO) of a large management firm has selected a cybersecurity framework that will help the organization demonstrate its investment in tools and systems to protect its data. Which of the following did the CISO most likely select?

Options:

A.

PCI DSS

B.

COBIT

C.

ISO 27001

D.

ITIL

Question 72

A company is in the process of implementing a vulnerability management program. no-lich of the following scanning methods should be implemented to minimize the risk of OT/ICS devices malfunctioning due to the vulnerability identification process?

Options:

A.

Non-credentialed scanning

B.

Passive scanning

C.

Agent-based scanning

D.

Credentialed scanning

Question 73

An organization is conducting a pilot deployment of an e-commerce application. The application's source code is not available. Which of the following strategies should an analyst recommend to evaluate the security of the software?

Options:

A.

Static testing

B.

Vulnerability testing

C.

Dynamic testing

D.

Penetration testing

Question 74

During an incident, analysts need to rapidly investigate by the investigation and leadership teams. Which of the following best describes how PII should be safeguarded during an incident?

Options:

A.

Implement data encryption and close the data so only the company has access.

B.

Ensure permissions are limited in the investigation team and encrypt the data.

C.

Implement data encryption and create a standardized procedure for deleting data that is no longer needed.

D.

Ensure that permissions are open only to the company.

Question 75

Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer's customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?

Options:

A.

Isolate Joe's PC from the network

B.

Reimage the PC based on standard operating procedures

C.

Initiate a remote wipe of Joe's PC using mobile device management

D.

Perform no action until HR or legal counsel advises on next steps

Question 76

A security analyst at a company called ACME Commercial notices there is outbound traffic to a host IP that resolves to The site 's standard VPN logon page is

Which of the following is most likely true?

Options:

A.

This is a normal password change URL.

B.

The security operations center is performing a routine password audit.

C.

A new VPN gateway has been deployed

D.

A social engineering attack is underway

Question 77

Which of the following in the digital forensics process is considered a critical activity that often includes a graphical representation of process and operating system events?

Options:

A.

Registry editing

B.

Network mapping

C.

Timeline analysis

D.

Write blocking

Question 78

An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window. However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?

Options:

A.

Proprietary systems

B.

Legacy systems

C.

Unsupported operating systems

D.

Lack of maintenance windows

Question 79

An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack. Which of the following logs should the team review first?

Options:

A.

CDN

B.

Vulnerability scanner

C.

DNS

D.

Web server

Question 80

Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure it will not be detected by the victim organization's endpoint security protections. Which of the following stages of the Cyber Kill Chain best aligns with the threat actor's actions?

Options:

A.

Delivery

B.

Reconnaissance

C.

Exploitation

D.

Weaponizatign

Question 81

The developers recently deployed new code to three web servers. A daffy automated external device scan report shows server vulnerabilities that are failure items according to PCI DSS.

If the venerability is not valid, the analyst must take the proper steps to get the scan clean.

If the venerability is valid, the analyst must remediate the finding.

After reviewing the information provided in the network diagram, select the STEP 2 tab to complete the simulation by selecting the correct Validation Result and Remediation Action for each server listed using the drop-down options.

INTRUCTIONS:

The simulation includes 2 steps.

Step1:Review the information provided in the network diagram and then move to the STEP 2 tab.

STEP 2: Given the Scenario, determine which remediation action is required to address the vulnerability.

Options:

Question 82

A security analyst is responding to an indent that involves a malicious attack on a network. Data closet. Which of the following best explains how are analyst should properly document the incident?

Options:

A.

Back up the configuration file for alt network devices

B.

Record and validate each connection

C.

Create a full diagram of the network infrastructure

D.

Take photos of the impacted items

Question 83

A security team is concerned about recent Layer 4 DDoS attacks against the company website. Which of the following controls would best mitigate the attacks?

Options:

A.

Block the attacks using firewall rules.

B.

Deploy an IPS in the perimeter network.

C.

Roll out a CDN.

D.

Implement a load balancer.

Question 84

While configuring a SIEM for an organization, a security analyst is having difficulty correlating incidents across different systems. Which of the following should be checked first?

Options:

A.

If appropriate logging levels are set

B.

NTP configuration on each system

C.

Behavioral correlation settings

D.

Data normalization rules

Question 85

A company has decided to expose several systems to the internet, The systems are currently available internally only. A security analyst is using a subset of CVSS3.1 exploitability metrics to prioritize the vulnerabilities that would be the most exploitable when the systems are exposed to the internet. The systems and the vulnerabilities are shown below:

Which of the following systems should be prioritized for patching?

Options:

A.

brown

B.

grey

C.

blane

D.

sullivan

Question 86

Which of the following statements best describes the MITRE ATT&CK framework?

Options:

A.

It provides a comprehensive method to test the security of applications.

B.

It provides threat intelligence sharing and development of action and mitigation strategies.

C.

It helps identify and stop enemy activity by highlighting the areas where an attacker functions.

D.

It tracks and understands threats and is an open-source project that evolves.

E.

It breaks down intrusions into a clearly defined sequence of phases.

Question 87

Which of the following does "federation" most likely refer to within the context of identity and access management?

Options:

A.

Facilitating groups of users in a similar function or profile to system access that requires elevated or conditional access

B.

An authentication mechanism that allows a user to utilize one set of credentials to access multiple domains

C.

Utilizing a combination of what you know, who you are, and what you have to grant authentication to a user

D.

Correlating one's identity with the attributes and associated applications the user has access to

Question 88

A security analyst would like to integrate two different SaaS-based security tools so that one tool can notify the other in the event a threat is detected. Which of the following should the analyst utilize to best accomplish this goal?

Options:

A.

SMB share

B.

API endpoint

C.

SMTP notification

D.

SNMP trap

Question 89

Which of the following is a nation-state actor least likely to be concerned with?

Options:

A.

Detection by MITRE ATT&CK framework.

B.

Detection or prevention of reconnaissance activities.

C.

Examination of its actions and objectives.

D.

Forensic analysis for legal action of the actions taken

Question 90

An organization's threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?

Options:

A.

Disable administrative accounts for any operations.

B.

Implement MFA requirements for all internal resources.

C.

Harden systems by disabling or removing unnecessary services.

D.

Implement controls to block execution of untrusted applications.

Question 91

An MSSP received several alerts from customer 1, which caused a missed incident response deadline for customer 2. Which of the following best describes the document that was violated?

Options:

A.

KPI

B.

SLO

C.

SLA

D.

MOU

Question 92

A SOC team lead occasionally collects some DNS information for investigations. The team lead assigns this task to a new junior analyst. Which of the following is the best way to relay the process information to the junior analyst?

Options:

A.

Ask another team member to demonstrate their process.

B.

Email a link to a website that shows someone demonstrating a similar process.

C.

Let the junior analyst research and develop a process.

D.

Write a step-by-step document on the team wiki outlining the process.

Question 93

A security analyst reviews the following results of a Nikto scan:

Which of the following should the security administrator investigate next?

Options:

A.

tiki

B.

phpList

C.

shtml.exe

D.

sshome

Question 94

A small company does no! have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the following did the CISO implement?

Options:

A.

Corrective controls

B.

Compensating controls

C.

Operational controls

D.

Administrative controls

Question 95

A security analyst is trying to validate the results of a web application scan with Burp Suite. The security analyst performs the following:

Which of the following vulnerabilitles Is the securlty analyst trylng to valldate?

Options:

A.

SQL injection

B.

LFI

C.

XSS

D.

CSRF

Question 96

While performing a dynamic analysis of a malicious file, a security analyst notices the memory address changes every time the process runs. Which of the following controls is most likely preventing the analyst from finding the proper memory address of the piece of malicious code?

Options:

A.

Address space layout randomization

B.

Data execution prevention

C.

Stack canary

D.

Code obfuscation

Question 97

Which of the following is most appropriate to use with SOAR when the security team would like to automate actions across different vendor platforms?

Options:

A.

STIX/TAXII

B.

APIs

C.

Data enrichment

D.

Threat feed

Question 98

Which of the following is the best framework for assessing how attackers use techniques over an infrastructure to exploit a target’s information assets?

Options:

A.

Structured Threat Information Expression

B.

OWASP Testing Guide

C.

Open Source Security Testing Methodology Manual

D.

Diamond Model of Intrusion Analysis

Question 99

A Chief Information Security Officer (CISO) wants to disable a functionality on a business-critical web application that is vulnerable to RCE in order to maintain the minimum risk level with minimal increased cost.

Which of the following risk treatments best describes what the CISO is looking for?

Options:

A.

Transfer

B.

Mitigate

C.

Accept

D.

Avoid

Question 100

A security analyst detects an email server that had been compromised in the internal network. Users have been reporting strange messages in their email inboxes and unusual network traffic. Which of the following incident response steps should be performed next?

Options:

A.

Preparation

B.

Validation

C.

Containment

D.

Eradication

Question 101

Which of the following explains the importance of a timeline when providing an incident response report?

Options:

A.

The timeline contains a real-time record of an incident and provides information that helps to simplify a postmortem analysis.

B.

An incident timeline provides the necessary information to understand the actions taken to mitigate the threat or risk.

C.

The timeline provides all the information, in the form of a timetable, of the whole incident response process including actions taken.

D.

An incident timeline presents the list of commands executed by an attacker when the system was compromised, in the form of a timetable.

Question 102

A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack. Which of the following best describes the current stage of the Cyber Kill Chain that the threat actor is currently operating in?

Options:

A.

Weaponization

B.

Reconnaissance

C.

Delivery

D.

Exploitation

Question 103

A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?

Options:

A.

Data enrichment

B.

Security control plane

C.

Threat feed combination

D.

Single pane of glass

Question 104

After a security assessment was done by a third-party consulting firm, the cybersecurity program recommended integrating DLP and CASB to reduce analyst alert fatigue. Which of the following is the best possible outcome that this effort hopes to achieve?

Options:

A.

SIEM ingestion logs are reduced by 20%.

B.

Phishing alerts drop by 20%.

C.

False positive rates drop to 20%.

D.

The MTTR decreases by 20%.

Question 105

A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?

Options:

A.

Firewall logs

B.

Indicators of compromise

C.

Risk assessment

D.

Access control lists

Question 106

A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?

Options:

A.

Testing

B.

Implementation

C.

Validation

D.

Rollback

Page: 1 / 27
Total 367 questions