March Special Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: scxmas70

CS0-002 Exam Dumps - CompTIA CySA+ Certification Exam (CS0-002)

Question # 4

When of the following techniques can be implemented to safeguard the confidentiality of sensitive information while allowing limited access to authorized individuals?

A.

Deidentification

B.

Hashing

C.

Masking

D.

Salting

Full Access
Question # 5

A company employee downloads an application from the internet. After the installation, the employee begins experiencing noticeable performance issues, and files are appearing on the desktop.

Which of the following processes will the security analyst Identify as the MOST likely indicator of system compromise given the processes running in Task Manager?

A.

Chrome.exe

B.

Word.exe

C.

Explorer.exe

D.

mstsc.exe

E.

taskmgr.exe

Full Access
Question # 6

A security analyst needs to recommend a solution that will allow users at a company to access cloud-based SaaS services but also prevent them from uploading and exflltrating data. Which of the following solutions should the security analyst recommend?

A.

CASB

B.

MFA

C.

VPN

D.

VPS

E.

DLP

Full Access
Question # 7

You are a penetration tester who is reviewing the system hardening guidelines for a company. Hardening guidelines indicate the following.

  • There must be one primary server or service per device.
  • Only default port should be used
  • Non- secure protocols should be disabled.
  • The corporate internet presence should be placed in a protected subnet

Instructions :

  • Using the available tools, discover devices on the corporate network and the services running on these devices.

You must determine

  • ip address of each device
  • The primary server or service each device
  • The protocols that should be disabled based on the hardening guidelines

Full Access
Question # 8

A security analyst needs to provide a copy of a hard drive for forensic analysis. Which of the following would allow the analyst to perform the task?

A)

B)

C)

D)

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 9

A company experienced a security compromise due to the inappropriate disposal of one of its hardware appliances. Sensitive information stored on the hardware appliance was not removed prior to disposal. Which of the following is the BEST manner in which to dispose of the hardware appliance?

A.

Ensure the hardware appliance has the ability to encrypt the data before disposing of it.

B.

Dispose of all hardware appliances securely, thoroughly, and in compliance with company policies.

C.

Return the hardware appliance to the vendor, as the vendor is responsible for disposal.

D.

Establish guidelines for the handling of sensitive information.

Full Access
Question # 10

A security analyst needs to provide the development team with secure connectivity from the corporate network to a three-tier cloud environment. The developers require access to servers in all three tiers in order to perform various configuration tasks. Which of the following technologies should the analyst implement to provide secure transport?

A.

CASB

B.

VPC

C.

Federation

D.

VPN

Full Access
Question # 11

A cyber-security analyst is implementing a new network configuration on an existing network access layer to prevent possible physical attacks. Which of the following BEST describes a solution that would apply and cause fewer issues during the deployment phase?

A.

Implement port security with one MAC address per network port of the switch.

B.

Deploy network address protection with DHCP and dynamic VLANs.

C.

Configure 802.1X and EAPOL across the network

D.

Implement software-defined networking and security groups for isolation

Full Access
Question # 12

A developer is working on a program to convert user-generated input in a web form before it is displayed by the browser. This technique is referred to as:

A.

output encoding.

B.

data protection.

C.

query parameterization.

D.

input validation.

Full Access
Question # 13

A digital forensics investigator works from duplicate images to preserve the integrity of the original evidence. Which of the following types of media are most volatile and should be preserved? (Select two).

A.

Memory cache

B.

Registry file

C.

SSD storage

D.

Temporary filesystems

E.

Packet decoding

F.

Swap volume

Full Access
Question # 14

An IT security analyst has received an email alert regarding vulnerability within the new fleet of vehicles the company recently purchased. Which of the following attack vectors is the vulnerability MOST likely targeting?

A.

SCADA

B.

CAN bus

C.

Modbus

D.

loT

Full Access
Question # 15

The following output is from a tcpdump al the edge of the corporate network:

Which of the following best describes the potential security concern?

A.

Payload lengths may be used to overflow buffers enabling code execution.

B.

Encapsulated traffic may evade security monitoring and defenses

C.

This traffic exhibits a reconnaissance technique to create network footprints.

D.

The content of the traffic payload may permit VLAN hopping.

Full Access
Question # 16

After a series of Group Policy Object updates, multiple services stopped functioning. The systems administrator believes the issue resulted from a Group Policy Object update but cannot validate which update caused the Issue. Which of the following security solutions would resolve this issue?

A.

Privilege management

B.

Group Policy Object management

C.

Change management

D.

Asset management

Full Access
Question # 17

A cybersecurity analyst is researching operational data to develop a script that will detect the presence of a threat on corporate assets. Which of the following contains the most useful information to produce this script?

A.

API documentation

B.

Protocol analysis captures

C.

MITRE ATT&CK reports

D.

OpenloC files

Full Access
Question # 18

The IT department is concerned about the possibility of a guest device infecting machines on the corporate network or taking down the company's singe internet connection. Which of the following should a security analyst recommend to BEST meet the requirements outlined by the IT Department?

A.

Require the guest machines to install the corporate-owned EDR solution.

B.

Configure NAC to only allow machines on the network that are patched and have active antivirus.

C.

Place a firewall In between the corporate network and the guest network

D.

Configure the IPS with rules that will detect common malware signatures traveling from the guest network.

Full Access
Question # 19

Which of the following should a database administrator for an analytics firm implement to best protect PII from an insider threat?

A.

Data deidentification

B.

Data encryption

C.

Data auditing

D.

Data minimization

Full Access
Question # 20

A security analyst is reviewing the output of tcpdump to analyze the type of activity on a packet capture:

Which of the following generated the above output?

A.

A port scan

B.

A TLS connection

C.

A vulnerability scan

D.

A ping sweep

Full Access
Question # 21

An application developer needs help establishing a digital certificate for a new application. Which of the following illustrates a certificate management best practice?

A.

Ensure the certificate Is applied to the certificate revocation list.

B.

Ensure the certificate key algorithm is SHA-1 compliant.

C.

Ensure the certificate is requested from a trusted CA.

D.

Ensure the developer has self-signed the certificate.

E.

Ensure the certificate key is less than 1028 bits long.

Full Access
Question # 22

While conducting a cloud assessment, a security analyst performs a Prowler scan, which generates the following within the report:

Based on the Prowler report, which of the following is the BEST recommendation?

A.

Delete CloudDev access key 1.

B.

Delete BusinessUsr access key 1.

C.

Delete access key 1.

D.

Delete access key 2.

Full Access
Question # 23

A security analyst needs to determine the best method for securing access to a top-secret datacenter Along with an access card and PIN code, which of the following additional authentication methods would be BEST to enhance the datacenter's security?

A.

Physical key

B.

Retinal scan

C.

Passphrase

D.

Fingerprint

Full Access
Question # 24

Which of the following is MOST dangerous to the client environment during a vulnerability assessment penetration test?

A.

There is a longer period of time to assess the environment.

B.

The testing is outside the contractual scope

C.

There is a shorter period of time to assess the environment

D.

No status reports are included with the assessment.

Full Access
Question # 25

A company's application development has been outsourced to a third-party development team. Based on the SLA. The development team must follow industry best practices for secure coding. Which of the following is the BEST way to verify this agreement?

A.

Input validation

B.

Security regression testing

C.

Application fuzzing

D.

User acceptance testing

E.

Stress testing

Full Access
Question # 26

Which of the following is the most effective approach to minimize the occurrence of vulnerabilities introduced by unintentional misconfigurations in the cloud?

A.

Requiring security training certification before granting access to staff

B.

Migrating all resources to a private cloud deployment

C.

Restricting changes to the deployment of validated laC templates

D.

Reducing laaS deployments by fostering serverless architectures

Full Access
Question # 27

The incident response team is working with a third-party forensic specialist to investigate the root cause of a recent intrusion An analyst was asked to submit sensitive network design details for review The forensic specialist recommended electronic delivery for efficiency but email was not an approved communication channel to send network details Which of the following BEST explains the importance of using a secure method of communication during incident response?

A.

To prevent adversaries from intercepting response and recovery details

B.

To ensure intellectual property remains on company servers

C.

To have a backup plan in case email access is disabled

D.

To ensure the management team has access to all the details that are being exchanged

Full Access
Question # 28

An analyst receives artifacts from a recent Intrusion and is able to pull a domain, IP address, email address, and software version. When of the following points of the Diamond Model of Intrusion Analysis does this intelligence represent?

A.

Infrastructure

B.

Capabilities

C.

Adversary

D.

Victims

Full Access
Question # 29

The management team has asked a senior security engineer to explore DLP security solutions for the company's growing use of cloud-based storage. Which of the following is an appropriate solution to control the sensitive data that is being stored in the cloud?

A.

NAC

B.

IPS

C.

CASB

D.

WAF

Full Access
Question # 30

A security analyst discovers suspicious host activity while performing monitoring activities. The analyst pulls a packet capture for the activity and sees the following:

Which of the following describes what has occurred?

A.

The host attempted to download an application from utoftor.com.

B.

The host downloaded an application from utoftor.com.

C.

The host attempted to make a secure connection to utoftor.com.

D.

The host rejected the connection from utoftor.com.

Full Access
Question # 31

An organization completed an internal assessment of its policies and procedures. The audit team identified a deficiency in the policies and procedures for PH. Which of the following should be the first step to secure the organization's Pll?

A.

Complete Pll training within the organization.

B.

Contact all Pll data owners within the organization.

C.

Identify what type of Pll is on the network.

D.

Formalize current Pll documentation.

Full Access
Question # 32

A manufacturing company uses a third-party service provider lor Tier 1 security support One of the requirements is that the provider must only source talent from its own country due to geopolitical and national security interests Which of the following can the manufacturing company implement to ensure the third-party service provider meets this requirement?

A.

Implement a secure supply chain program with governance

B.

Implement blacklisting for IP addresses from outside the country

C.

Implement strong authentication controls for all contractors

D.

Implement user behavior analytics for key staff members

Full Access
Question # 33

An analyst is performing a BIA and needs to consider measures and metrics. Which of the following would help the analyst achieve this objective? (Select two).

A.

Time to reimage the server

B.

Minimum data backup volume

C.

Disaster recovery plan for non-critical services

D.

Maximum downtime before impact is unacceptable

E.

Time required to inform stakeholders about outage

F.

Total time accepted for business process outage

Full Access
Question # 34

A company notices unknown devices connecting to the internal network and would like to implement a solution to block all non-corporate managed machines. Which of the following solutions would be best to accomplish this goal?

A.

WPA2 for W1F1 networks

B.

NAC with 802.1X implementation

C.

Extensible Authentication Protocol

D.

RADIUS with challenge/response

Full Access
Question # 35

A security analyst notices the following proxy log entries:

Which of the following is the user attempting to do based on the log entries?

A.

Use a DoS attack on external hosts.

B.

Exfiltrate data.

C.

Scan the network.

D.

Relay email.

Full Access
Question # 36

An intrusion detection analyst reported an inbound connection originating from an unknown IP address recorded on the VPN server for multiple internal hosts. During an investigation, a security analyst determines there were no identifiers associated with the hosts. Which of the following should the security analyst enforce to obtain the best information?

A.

Update the organization's IP table.

B.

Enable user access logging.

C.

Shut down all VPN connections.

D.

Create rules for the Active Directory.

Full Access
Question # 37

A security analyst performs various types of vulnerability scans. Review the vulnerability scan results to determine the type of scan that was executed and if a false positive occurred for each device.

Instructions:

Select the Results Generated drop-down option to determine if the results were generated from a credentialed scan, non-credentialed scan, or a compliance scan.

For ONLY the credentialed and non-credentialed scans, evaluate the results for false positives and check the findings that display false positives. NOTE: If you would like to uncheck an option that is currently selected, click on the option a second time.

Lastly, based on the vulnerability scan results, identify the type of Server by dragging the Server to the results.

The Linux Web Server, File-Print Server and Directory Server are draggable.

If at any time you would like to bring back the initial state of the simulation, please select the Reset All button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.

Full Access
Question # 38

A security analyst works for a biotechnology lab that is planning to release details about a new cancer treatment. The analyst has been instructed to tune the SIEM softvare and IPS in preparation for the

announcement. For which of the following concerns will the analyst most likely be monitoring?

A.

Intellectual property loss

B.

PII loss

C.

Financial information loss

D.

PHI loss

Full Access
Question # 39

A security analyst is concerned about sensitive data living on company file servers following a zero-day attack that nearly resulted in a breach of millions of customer records. The after action report indicates a lack of controls around the file servers that contain sensitive data. Which of the following DLP considerations would best help the analyst to classify and address the sensitive data on the file servers?

A.

Implement a CASB device and connect the SaaS applications.

B.

Deploy network DLP appliances pointed to all file servers.

C.

Use data-at-rest scans to locate and identify sensitive data.

D.

Install endpoint DLP agents on all computing resources.

Full Access
Question # 40

An analyst is working on a method to allow secure access to a highly sensi-tive server. The solution must allow named individuals remote access to data contained on the box and must limit access to a single IP address. Which of the following solutions would best meet these requirements?

A.

Jump box

B.

Software-defined networking

C.

VLAN

D.

ACL

Full Access
Question # 41

A security analyst is reviewing WAF logs and notes requests against the corporate website are increasing and starting to impact the performance of the web server. The security analyst queries the logs for requests that triggered an alert on the WAF but were not blocked. Which of the following possible TTP combinations might warrant further investigation? (Select TWO).

A.

Requests identified by a threat intelligence service with a bad reputation

B.

Requests sent from the same IP address using different user agents

C.

Requests blocked by the web server per the input sanitization

D.

Failed log-in attempts against the web application

E.

Requests sent by NICs with outdated firmware

F.

Existence of HTTP/501 status codes generated to the same IP address

Full Access
Question # 42

A company is experiencing a malware attack within its network. A security engineer notices many of the impacted assets are connecting outbound to a number of remote destinations and exfiltrating data. The security engineer also see that deployed, up-to-date antivirus signatures are ineffective. Which of the following is the BEST approach to prevent any impact to the company from similar attacks in the future?

A.

IDS signatures

B.

Data loss prevention

C.

Port security

D.

Sinkholing

Full Access
Question # 43

To prioritize the morning's work, an analyst is reviewing security alerts that have not yet been investigated. Which of the following assets should be investigated FIRST?

A.

The workstation of a developer who is installing software on a web server

B.

A new test web server that is in the process of initial installation

C.

An accounting supervisor's laptop that is connected to the VPN

D.

The laptop of the vice president that is on the corporate LAN

Full Access
Question # 44

A help desk technician inadvertently sent the credentials of the company's CRM n clear text to an employee's personal email account. The technician then reset the employee's account using the appropriate process and the employee's corporate email, and notified the security team of the incident According to the incident response procedure, which of the following should the security team do NEXT?

A.

Contact the CRM vendor.

B.

Prepare an incident summary report.

C.

Perform postmortem data correlation.

D.

Update the incident response plan.

Full Access
Question # 45

During the security assessment of a new application, a tester attempts to log in to the application but receives the following message incorrect password for given username. Which of the following can the tester recommend to decrease the likelihood that a malicious attacker will receive helpful information?

A.

Set the web page to redirect to an application support page when a bad password is entered.

B.

Disable error messaging for authentication

C.

Recognize that error messaging does not provide confirmation of the correct element of authentication

D.

Avoid using password-based authentication for the application

Full Access
Question # 46

An organization's internal department frequently uses a cloud provider to store large amounts of sensitive data. A threat actor has deployed a virtual machine to at the use of the cloud hosted hypervisor, the threat actor has escalated the access rights. Which of the following actions would be BEST to remediate the vulnerability?

A.

Sandbox the virtual machine.

B.

Implement an MFA solution.

C.

Update lo the secure hypervisor version.

D.

Implement dedicated hardware for each customer.

Full Access
Question # 47

A security analyst responds to a series of events surrounding sporadic bandwidth consumption from an endpoint device. The security analyst then identifies the following additional details:

• Bursts of network utilization occur approximately every seven days.

• The content being transferred appears to be encrypted or obfuscated.

• A separate but persistent outbound TCP connection from the host to infrastructure in a third-party cloud is in place.

• The HDD utilization on the device grows by 10GB to 12GB over the course of every seven days.

• Single file sizes are 10GB.

Which of the following describes the most likely cause of the issue?

A.

Memory consumption

B.

Non-standard port usage

C.

Data exfiltration

D.

System update

E.

Botnet participant

Full Access
Question # 48

After a remote command execution incident occurred on a web server, a security analyst found the following piece of code in an XML file:

Which of the following it the BEST solution to mitigate this type of attack?

A.

Implement a better level of user input filters and content sanitization.

B.

Property configure XML handlers so they do not process sent parameters coming from user inputs.

C.

Use parameterized Queries to avoid user inputs horn being processed by the server.

D.

Escape user inputs using character encoding conjoined with whitelisting

Full Access
Question # 49

A security analyst is supporting an embedded software team. Which of the following is the best recommendation to ensure proper error handling at runtime?

A.

Perform static code analysis.

B.

Require application fuzzing.

C.

Enforce input validation.

D.

Perform a code review.

Full Access
Question # 50

An organization wants to collect loCs from multiple geographic regions so it can sell the information to its customers. Which of the following should the organization deploy to accomplish this task?

A.

A honeypot

B.

A bastion host

C.

A proxy server

D.

A Jumpbox

Full Access
Question # 51

A security analyst is reviewing WAF alerts and sees the following request:

Which of the following BEST describes the attack?

A.

SQL injection

B.

LDAP injection

C.

Command injection

D.

Denial of service

Full Access
Question # 52

Company A is m the process of merging with Company B As part of the merger, connectivity between the ERP systems must be established so portent financial information can be shared between the two entitles. Which of the following will establish a more automated approach to secure data transfers between the two entities?

A.

Set up an FTP server that both companies can access and export the required financial data to a folder.

B.

Set up a VPN between Company A and Company B. granting access only lo the ERPs within the connection

C.

Set up a PKI between Company A and Company B and Intermediate shared certificates between the two entities

D.

Create static NATs on each entity's firewalls that map lo the ERP systems and use native ERP authentication to allow access.

Full Access
Question # 53

While reviewing system logs, a network administrator discovers the following entry:

Which of the following occurred?

A.

An attempt was made to access a remote workstation.

B.

The PsExec services failed to execute.

C.

A remote shell failed to open.

D.

A user was trying to download a password file from a remote system.

Full Access
Question # 54

A manager asks a security analyst lo provide the web-browsing history of an employee. Which of the following should the analyst do first?

A.

Obtain permission to perform the search.

B.

Obtain the web-browsing history from the proxy.

C.

Obtain the employee's network ID to form the query.

D.

Download the browsing history, encrypt it. and hash it

Full Access
Question # 55

A code review reveals a web application is using lime-based cookies for session management. This is a security concern because lime-based cookies are easy to:

A.

parameterize.

B.

decode.

C.

guess.

D.

decrypt.

Full Access
Question # 56

An analyst Is reviewing a web developer's workstation for potential compromise. While examining the workstation's hosts file, the analyst observes the following:

Which of the following hosts file entries should the analyst use for further investigation?

A.

::1

B.

127.0.0.1

C.

192.168.3.249

D.

198.51.100.5

Full Access
Question # 57

Which of the following is a reason for correctly identifying APTs that might be targeting an organization?

A.

APTs' passion for social justice will make them ongoing and motivated attackers.

B.

APTs utilize methods and technologies differently than other threats

C.

APTs are primarily focused on financial gam and are widely available over the internet.

D.

APTs lack sophisticated methods, but their dedication makes them persistent.

Full Access
Question # 58

Given the Nmap request below:

Which of the following actions will an attacker be able to initiate directly against this host?

A.

Password sniffing

B.

ARP spoofing

C.

A brute-force attack

D.

An SQL injection

Full Access
Question # 59

An analyst needs to provide recommendations based on a recent vulnerability scan:

Which of the following should the analyst recommend addressing to ensure potential vulnerabilities are identified?

A.

SMB use domain SID to enumerate users

B.

SYN scanner

C.

SSL certificate cannot be trusted

D.

Scan not performed with admin privileges

Full Access
Question # 60

During a risk assessment, a senior manager inquires about what the cost would be if a unique occurrence would impact the availability of a critical service. The service generates $1 ,000 in revenue for the organization. The impact of the attack would affect 20% of the server's capacity to perform jobs. The organization expects that five out of twenty attacks would succeed during the year. Which of the following is the calculated single loss expectancy?

A.

$200

B.

$800

C.

$5,000

D.

$20,000

Full Access
Question # 61

An organization has the following risk mitigation policies

• Risks without compensating controls will be mitigated first it the nsk value is greater than $50,000

• Other nsk mitigation will be pnontized based on risk value.

The following risks have been identified:

Which of the following is the ordei of priority for risk mitigation from highest to lowest?

A.

A, C, D, B

B.

B, C, D, A

C.

C, B, A, D

D.

C. D, A, B

E.

D, C, B, A

Full Access
Question # 62

Which of the following SCAP standards provides standardization tor measuring and describing the seventy of security-related software flaws?

A.

OVAL

B.

CVSS

C.

CVE

D.

CCE

Full Access
Question # 63

A security analyst is looking at the headers of a few emails that appear to be targeting all users at an organization:

Which of the following technologies would MOST likely be used to prevent this phishing attempt?

A.

DNSSEC

B.

DMARC

C.

STP

D.

S/IMAP

Full Access
Question # 64

An application must pass a vulnerability assessment to move to the next gate. Consequently, any security issues that are found must be remediated prior to the next gate. Which of the following best describes the method for end-to-end vulnerability assessment?

A.

Security regression testing

B.

Static analysis

C.

Dynamic analysis

D.

Stress testing

Full Access
Question # 65

Which of the following can detect vulnerable third-parly libraries before code deployment?

A.

Impact analysis

B.

Dynamic analysis

C.

Static analysis

D.

Protocol analysis

Full Access
Question # 66

A development team has asked users to conduct testing to ensure an application meets the needs of the business. Which of the fallowing types of testing docs This describe?

A.

Acceptance testing

B.

Stress testing

C.

Regression testing

D.

Penetration testing

Full Access
Question # 67

An email analysis system notifies a security analyst that the following message was quarantined and requires further review.

Which of the following actions should the security analyst take?

A.

Release the email for delivery due to its importance.

B.

Immediately contact a purchasing agent to expedite.

C.

Delete the email and block the sender.

D.

Purchase the gift cards and submit an expense report.

Full Access
Question # 68

During the forensic analysis of a compromised machine, a security analyst discovers some binaries that are exhibiting abnormal behaviors. After extracting the strings, the analyst finds unexpected content. Which of the following is the next step the analyst should take?

A.

Validate the binaries' hashes from a trusted source.

B.

Use file integrity monitoring to validate the digital signature

C.

Run an antivirus against the binaries to check for malware.

D.

Only allow binaries on the approve list to execute.

Full Access
Question # 69

A risk assessment concludes that the perimeter network has the highest potential for compromise by an attacker, and it is labeled as a critical risk environment. Which of the following is a valid compensating control to reduce the volume of valuable information in the perimeter network that an attacker could gain using active reconnaissance techniques?

A.

A control that demonstrates that all systems authenticate using the approved authentication method

B.

A control that demonstrates that access to a system is only allowed by using SSH

C.

A control that demonstrates that firewall rules are peer reviewed for accuracy and approved before deployment

D.

A control that demonstrates that the network security policy is reviewed and updated yearly

Full Access
Question # 70

Members of the sales team are using email to send sensitive client lists with contact information to their personal accounts The company's AUP and code of conduct prohibits this practice. Which of the following configuration changes would improve security and help prevent this from occurring?

A.

Configure the DLP transport rules to provide deep content analysis.

B.

Put employees' personal email accounts on the mail server on a blocklist.

C.

Set up IPS to scan for outbound emails containing names and contact information.

D.

Use Group Policy to prevent users from copying and pasting information into emails.

E.

Move outbound emails containing names and contact information to a sandbox for further examination.

Full Access
Question # 71

Which of the following ICS network protocols has no inherent security functions on TCP port 502?

A.

CIP

B.

DHCP

C.

SSH

D.

Modbus

Full Access
Question # 72

An analyst is reviewing the output from some recent network enumeration activities. The following entry relates to a target on the network:

Based on the above output, which Of the following tools or techniques is MOST likely being used?

A.

Web application firewall

B.

Port triggering

C.

Intrusion prevention system

D.

Port isolation

E.

Port address translation

Full Access
Question # 73

A security analyst is reviewing port scan data that was collected over the course of several months. The following data represents the trends:

Which of the following is the BEST action for the security analyst to take after analyzing the trends?

A.

Review the system configurations to determine if port 445 needs to be open.

B.

Assume there are new instances of Apache in the environment.

C.

Investigate why the number of open SSH ports varied during the six months.

D.

Raise a concern to a supervisor regarding possible malicious use Of port 8443.

Full Access
Question # 74

After examine a header and footer file, a security analyst begins reconstructing files by scanning the raw data bytes of a hard disk and rebuilding them. Which of the following techniques is the analyst using?

A.

Header analysis

B.

File carving

C.

Metadata analysis

D.

Data recovery

Full Access
Question # 75

A company wants to ensure a third party does not take intellectual property and build a competing product. Which of the following is a non-technical data and privacy control that would best protect the company?

A.

Data encryption

B.

A non-disclosure agreement

C.

Purpose limitation

D.

Digital rights management

Full Access
Question # 76

An organization is focused on restructuring its data governance programs and an analyst has been Tasked with surveying sensitive data within the organization. Which of the following is the MOST accurate method for the security analyst to complete this assignment?

A.

Perform an enterprise-wide discovery scan.

B.

Consult with an internal data custodian.

C.

Review enterprise-wide asset Inventory.

D.

Create a survey and distribute it to data owners.

Full Access
Question # 77

Which of the following BEST explains the function of trusted firmware updates as they relate to hardware assurance?

A.

Trusted firmware updates provide organizations with development, compilation, remote access, and customization for embedded devices.

B.

Trusted firmware updates provide organizations with security specifications, open-source libraries, and custom toots for embedded devices.

C.

Trusted firmware updates provide organizations with remote code execution, distribution, maintenance, and extended warranties for embedded devices

D.

Trusted firmware updates provide organizations with secure code signing, distribution, installation. and attestation for embedded devices.

Full Access
Question # 78

A security is reviewing a vulnerability scan report and notes the following finding:

As part of the detection and analysis procedures, which of the following should the analyst do NEXT?

A.

Patch or reimage the device to complete the recovery

B.

Restart the antiviruses running processes

C.

Isolate the host from the network to prevent exposure

D.

Confirm the workstation's signatures against the most current signatures.

Full Access
Question # 79

An online gaming company was impacted by a ransomware attack. An employee opened an attachment that was received via an SMS attack on a company-issue firewall. Which following actions would help during the forensic analysis of the mobile device? (Select TWO).

A.

Resetting the phone to factory settings

B.

Rebooting the phone and installing the latest security updates

C.

Documenting the respective chain of custody

D.

Uninstalling any potentially unwanted programs

E.

Performing a memory dump of the mobile device for analysis

F.

Unlocking the device by blowing the eFuse

Full Access
Question # 80

An organization has a policy that requires servers to be dedicated to one function and unneeded services to be disabled. Given the following output from an Nmap scan of a web server:

Which of the following ports should be closed?

A.

22

B.

80

C.

443

D.

1433

Full Access
Question # 81

A cybersecurity analyst routinely checks logs, querying for login attempts. While querying for unsuccessful login attempts during a five-day period, the analyst produces the following report:

Which of the following BEST describes what the analyst Just found?

A.

Users 4 and 5 are using their credentials to transfer files to multiple servers.

B.

Users 4 and 5 are using their credentials to run an unauthorized scheduled task targeting some servers In the cloud.

C.

An unauthorized user is using login credentials in a script.

D.

A bot is running a brute-force attack in an attempt to log in to the domain.

Full Access
Question # 82

A product manager is working with an analyst to design a new application that will perform as a data analytics platform and will be accessible via a web browser. The product manager suggests using a PaaS provider to host the application. Which of the following is a security concern when using a PaaS solution?

A.

The use of infrastructure-as-code capabilities leads to an increased attack surface.

B.

Patching the underlying application server becomes the responsibility of the client.

C.

The application is unable to use encryption at the database level.

D.

Insecure application programming interfaces can lead to data compromise.

Full Access
Question # 83

While reviewing a vulnerability assessment, an analyst notices the following issue is identified in the report:

this finding, which of the following would be most appropriate for the analyst to recommend to the network engineer?

A.

Reconfigure the device to support only connections leveraging TLSv1.2.

B.

Obtain a new self-signed certificate and select AES as the hashing algorithm.

C.

Replace the existing certificate with a certificate that uses only MD5 for signing.

D.

Use only signed certificates with cryptographically secure certificate sources.

Full Access
Question # 84

A Chief Information Security Officer has asked for a list of hosts that have critical and high-severity findings as referenced in the CVE database. Which of the following tools would produce the assessment output needed to satisfy this request?

A.

Nessus

B.

Nikto

C.

Fuzzer

D.

Wireshark

E.

Prowler

Full Access
Question # 85

An organization prohibits users from logging in to the administrator account. If a user requires elevated permissions. the user's account should be part of an administrator group, and the user should escalate permission only as needed and on a temporary basis. The organization has the following reporting priorities when reviewing system activity:

• Successful administrator login reporting priority - high

• Failed administrator login reporting priority - medium

• Failed temporary elevated permissions - low

• Successful temporary elevated permissions - non-reportable

A security analyst is reviewing server syslogs and sees the following:

Which of the following events is the HIGHEST reporting priority?

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 86

The Chief information Officer of a large cloud software vendor reports that many employees are falling victim to phishing emails because they appear to come from other employees. Which of the following would BEST prevent this issue

A.

Induce digital signatures on messages originating within the company.

B.

Require users authenticate to the SMTP server

C.

Implement DKIM to perform authentication that will prevent this Issue.

D.

Set up an email analysis solution that looks for known malicious Iinks within the email.

Full Access
Question # 87

A company's Chief Information Officer wants to use a CASB solution to ensure policies are being met during cloud access. Due to the nature of the company's business and risk appetite, the management team elected to not store financial information in the cloud. A security analyst needs to recommend a solution to mitigate the threat of financial data leakage into the cloud. Which of the following should the analyst recommend?

A.

Utilize the CASB to enforce DLP data-at-rest protection for financial information that is stored on premises.

B.

Do not utilize the CASB solution for this purpose, but add DLP on premises for data in motion.

C.

Utilize the CASB to enforce DLP data-in-motion protection for financial information moving to the cloud.

D.

Do not utilize the CASB solution for this purpose, but add DLP on premises for data at rest.

Full Access
Question # 88

A security analyst is reviewing the following server statistics:

Which of the following Is MOST likely occurring?

A.

Race condition

B.

Privilege escalation

C.

Resource exhaustion

D.

VM escape

Full Access
Question # 89

An organization wants to implement a privileged access management solution to belter manage the use of emergency and privileged service accounts Which of the following would BEST satisfy the organization's goal?

A.

Access control lists

B.

Discretionary access controls

C.

Policy-based access controls

D.

Credential vaulting

Full Access
Question # 90

An organization is experiencing security incidents in which a systems administrator is creating unauthorized user accounts A security analyst has created a script to snapshot the system configuration each day. Following iss one of the scripts:

This script has been running successfully every day. Which of the following commands would provide the analyst with additional useful information relevant to the above script?

A)

B)

C)

D)

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 91

A threat hurting team received a new loC from an ISAC that follows a threat actor's profile and activities. Which of the following should be updated NEXT?

A.

The whitelist

B.

The DNS

C.

The blocklist

D.

The IDS signature

Full Access
Question # 92

A network appliance manufacturer is building a new generation of devices and would like to include chipset security improvements. The management team wants the security team to implement a method to prevent security weaknesses that could be reintroduced by downgrading the firmware version on the chipset. Which of the following would meet this objective?

A.

UEFI

B.

A hardware security module

C.

eFUSE

D.

Certificate signed updates

Full Access
Question # 93

A social media company is planning an acquisition. Prior to the purchase, the Chief Security Officer (CSO) would like a full report to gain a better understanding of the prospective company's cybersecurity posture and to identify risks in the supply chain. Which of the following will best support the CSO's objective?

A.

Third-party assessment

B.

Memorandum of understanding

C.

Non-disclosure agreement

D.

Software source authenticity

Full Access
Question # 94

Which of the following is the best reason why organizations need operational security controls?

A.

To supplement areas that other controls cannot address

B.

To limit physical access to areas that contain sensitive data

C.

To assess compliance automatically against a secure baseline

D.

To prevent disclosure by potential insider threats

Full Access
Question # 95

An organization has a policy that requires dedicated user accounts to run programs that need elevated privileges. Users must be part of a group that allows elevated permissions. While reviewing security logs, an analyst sees the following:

Which of the following hosts violates the organizational policies?

A.

pacer

B.

ford

C.

gremlin

D.

lincoln

Full Access
Question # 96

A new variant of malware is spreading on the company network using TCP 443 to contact its command-and-control server The domain name used for callback continues to change, and the analyst is unable to predict future domain name variance Which of the following actions should the analyst take to stop malicious communications with the LEAST disruption to service?

A.

Implement a sinkhole with a high entropy level

B.

Disable TCP/53 at the parameter firewall

C.

Block TCP/443 at the edge router

D.

Configure the DNS forwarders to use recursion

Full Access
Question # 97

A company stores all of its data in the cloud. All company-owned laptops are currently unmanaged, and all users have administrative rights. The security team is having difficulty identifying a way to secure the environment. Which of the following would be the BEST method to protect the company's data?

A.

Implement UEM on an systems and deploy security software.

B.

Implement DLP on all workstations and block company data from being sent outside the company

C.

Implement a CASB and prevent certain types of data from being downloaded to a workstation

D.

Implement centralized monitoring and logging for an company systems.

Full Access
Question # 98

A company's blocklist has outgrown the current technologies in place. The ACLs are at maximum, and the IPS signatures only allow a certain amount of space for domains to be added, creating the need for multiple signatures. Which of the following configuration changes to the existing controls would be the MOST appropriate to improve performance?

A.

Implement a host-file-based solution that will use a list of all domains to deny for all machines on the network.

B.

Create an IDS for the current blocklist to determine which domains are showing activity and may need to be removed

C.

Review the current blocklist and prioritize it based on the level of threat severity. Add the domains with the highest severity to the blocklist.

D.

Review the current blocklist to determine which domains can be removed from the list and then update the ACLs

Full Access
Question # 99

A security analyst found an old version of OpenSSH running on a DMZ server and determined the following piece of code could have led to a command execution through an integer overflow;

Which of the following controls must be in place to prevent this vulnerability?

A.

Convert all integer numbers in strings to handle the memory buffer correctly.

B.

Implement float numbers instead of integers to prevent integer overflows.

C.

Use built-in functions from libraries to check and handle long numbers properly.

D.

Sanitize user inputs, avoiding small numbers that cannot be handled in the memory.

Full Access
Question # 100

A Chief Executive Officer (CEO) is concerned the company will be exposed to data sovereignty issues as a result of some new privacy regulations to help mitigate this risk. The Chief Information Security Officer (CISO) wants to implement an appropriate technical control. Which of the following would meet the requirement?

A.

Data masking procedures

B.

Enhanced encryption functions

C.

Regular business impact analysis functions

D.

Geographic access requirements

Full Access
Question # 101

During a company’s most recent incident, a vulnerability in custom software was exploited on an externally facing server by an APT. The lessons-learned report noted the following:

• The development team used a new software language that was not supported by the security team's automated assessment tools.

• During the deployment, the security assessment team was unfamiliar with the new language and struggled to evaluate the software during advanced testing. Therefore, the vulnerability was not detected.

• The current IPS did not have effective signatures and policies in place to detect and prevent runtime attacks on the new application.

To allow this new technology to be deployed securely going forward, which of the following will BEST address these findings? (Choose two.)

A.

Train the security assessment team to evaluate the new language and verify that best practices for secure coding have been followed

B.

Work with the automated assessment-tool vendor to add support for the new language so these vulnerabilities are discovered automatically

C.

Contact the human resources department to hire new security team members who are already familiar with the new language

D.

Run the software on isolated systems so when they are compromised, the attacker cannot pivot to adjacent systems

E.

Instruct only the development team to document the remediation steps for this vulnerability

F.

Outsource development and hosting of the applications in the new language to a third-party vendor so the risk is transferred to that provider

Full Access
Question # 102

A security analyst is performing a Diamond Model analysis of an incident the company had last quarter. A potential benefit of this activity is that it can identify:

A.

detection and prevention capabilities to improve.

B.

which systems were exploited more frequently.

C.

possible evidence that is missing during forensic analysis.

D.

which analysts require more training.

E.

the time spent by analysts on each of the incidents.

Full Access
Question # 103

An organization has the following policies:

*Services must run on standard ports.

*Unneeded services must be disabled.

The organization has the following servers:

*192.168.10.1 - web server

*192.168.10.2 - database server

A security analyst runs a scan on the servers and sees the following output:

Which of the following actions should the analyst take?

A.

Disable HTTPS on 192.168.10.1.

B.

Disable IIS on 192.168.10.1.

C.

Disable DNS on 192.168.10.2.

D.

Disable MSSQL on 192.168.10.2.

E.

Disable SSH on both servers.

Full Access
Question # 104

Which of the following would best protect sensitive data If a device is stolen?

A.

Remote wipe of drive

B.

Self-encrypting drive

C.

Password-protected hard drive

D.

Bus encryption

Full Access
Question # 105

During a routine review of service restarts a security analyst observes the following in a server log:

Which of the following is the GREATEST security concern?

A.

The daemon's binary was AChanged

B.

Four consecutive days of monitoring are skipped in the tog

C.

The process identifiers for the running service change

D.

The PIDs are continuously changing

Full Access
Question # 106

Several operator workstations are exhibiting unusual behavior, including applications loading slowly, temporary files being overwritten, and reboot notifications to apply antivirus signatures. During an investigation, an analyst finds evidence of Bitcoin mining. Which of the following is the first step the analyst should take to prevent further spread of the mining operation?

A.

Reboot each host that is exhibiting the behaviors.

B.

Enable the host-based firewalls to prevent further activity.

C.

Quarantine all the impacted hosts for forensic analysis.

D.

Notify users to turn off all affected devices.

Full Access
Question # 107

While implementing a PKI for a company, a security analyst plans to utilize a dedicated server as the certAcate authority that is only used to sign intermediate certificates. Which of the following are the MOST secure states for the certificate authority server when it is not in use? (Select TWO)

A.

On a private VLAN

B.

Full disk encrypted

C.

Powered off

D.

Backed up hourly

E.

VPN accessible only

F.

Air gapped

Full Access
Question # 108

A company is aiming to test a new incident response plan. The management team has made it clear that the initial test should have no impact on the environment. The company has limited

resources to support testing. Which of the following exercises would be the best approach?

A.

Tabletop scenarios

B.

Capture the flag

C.

Red team vs. blue team

D.

Unknown-environment penetration test

Full Access
Question # 109

A manufacturing company uses a third-party service provider for Tier 1 security support. One of the requirements is that the provider must only source talent from its own country due to geopolitical and national security interests. Which of the following can the manufacturing company implement to ensure the third-party service provider meets this requirement?

A.

Implement a secure supply chain program with governance.

B.

Implement blacklisting lor IP addresses from outside the county.

C.

Implement strong authentication controls for at contractors.

D.

Implement user behavior analytics tor key staff members.

Full Access
Question # 110

An application has been updated to fix a vulnerability. Which of the following would ensure that previously patched vulnerabilities have not been reintroduced?

A.

Stress testing

B.

Regression testing

C.

Code review

D.

Peer review

Full Access
Question # 111

A financial organization has offices located globally. Per the organization’s policies and procedures, all executives who conduct Business overseas must have their mobile devices checked for malicious software or evidence of tempering upon their return. The information security department oversees the process, and no executive has had a device compromised. The Chief information Security Officer wants to Implement an additional safeguard to protect the organization's data. Which of the following controls would work BEST to protect the privacy of the data if a device is stolen?

A.

Implement a mobile device wiping solution for use if a device is lost or stolen.

B.

Install a DLP solution to track data now

C.

Install an encryption solution on all mobile devices.

D.

Train employees to report a lost or stolen laptop to the security department immediately

Full Access