Access To Update CompTIA CySA+ Certification CS0-002 Dumps Questions

test2022-07-08T06:25:09+00:00

If you’re afraid about passing the CS0-002 CompTIA Cybersecurity Analyst (CySA+) Certification Exam, you don’t have to worry about it anymore. Get the most up-to-date CS0-002 Dumps Questions with 100% accurate answers. FreeTestShare has compiled the most comprehensive collection of CS0-002 questions and answers to help you pass your CompTIA CySA+ Certification Exam. We have accumulated real CompTIA CySA+ CS0-002 Dumps Questions so that you can prepare and pass the CompTIA CySA+ Certification exam on your first try.

You should try the following CS0-002 sample test to assess yourself.

Page 1 of 9

1. Which of me following BEST articulates the benefit of leveraging SCAP in an organization's cybersecurity analysis toolset?

It automatically performs remedial configuration changes lo enterprise security services

It enables standard checklist and vulnerability analysis expressions for automaton

It establishes a continuous integration environment for software development operations

It provides validation of suspected system vulnerabilities through workflow orchestration

2. A security analyst is attempting to utilize the blowing threat intelligence for developing detection capabilities:

In which of the following phases is this APT MOST likely to leave discoverable artifacts?

Data collection/exfiltration

Defensive evasion

Lateral movement

Reconnaissance

3. A large organization wants to move account registration services to the cloud to benefit from faster processing and elasticity.

Which of the following should be done FIRST to determine the potential risk to the organization?

Establish a recovery time objective and a recovery point objective for the systems being moved

Calculate the resource requirements for moving the systems to the cloud

Determine recovery priorities for the assets being moved to the cloud-based systems

Identify the business processes that will be migrated and the criticality of each one

Perform an inventory of the servers that will be moving and assign priority to each one

4. A development team uses open-source software and follows an Agile methodology with two-week sprints. Last month, the security team filed a bug for an insecure version of a common library. The DevOps team updated the library on the server, and then the security team rescanned the server to verify it was no longer vulnerable. This month, the security team found the same vulnerability on the server.

Which of the following should be done to correct the cause of the vulnerability?

Deploy a WAF in front of the application.

Implement a software repository management tool.

Install a HIPS on the server.

Instruct the developers to use input validation in the code.

5. A bad actor bypasses authentication and reveals all records in a database through an SQL injection. Implementation of which of the following would work BEST to prevent similar attacks in

Strict input validation

Blacklisting

SQL patching

Content filtering

Output encoding

6. Which of the following software assessment methods would be BEST for gathering data related to an application’s availability during peak times?

Security regression testing

Stress testing

Static analysis testing

Dynamic analysis testing

User acceptance testing

7. When reviewing a compromised authentication server, a security analyst discovers the following hidden file:

Further analysis shows these users never logged in to the server.

Which of the following types of attacks was used to obtain the file and what should the analyst recommend to prevent this type of attack from reoccurring?

A rogue LDAP server is installed on the system and is connecting passwords. The analyst should recommend wiping and reinstalling the server.

A password spraying attack was used to compromise the passwords. The analyst should recommend that all users receive a unique password.

A rainbow tables attack was used to compromise the accounts. The analyst should recommend that future password hashes contains a salt.

A phishing attack was used to compromise the account. The analyst should recommend users install endpoint protection to disable phishing links.

8. An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operation of the organization's production line. The legacy hardware does not have third-party support, and the OEM manufacturer of the controller is no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability.

Which of the following would be the MOST appropriate to remediate the controller?

Segment the network to constrain access to administrative interfaces.

Replace the equipment that has third-party support.

Remove the legacy hardware from the network.

Install an IDS on the network between the switch and the legacy equipment.

9. A Chief Information Security Officer (CISO) is concerned about new privacy regulations that apply to the company. The CISO has tasked a security analyst with finding the proper control functions to verity that a user's data is not altered without the user's consent.

Which of the following would be an appropriate course of action?

Use a DLP product to monitor the data sets for unauthorized edits and changes.

Use encryption first and then hash the data at regular, defined times.

Automate the use of a hashing algorithm after verified users make changes to their data

Replicate the data sets at regular intervals and continuously compare the copies for unauthorized changes.

10. A user's computer has been running slowly when the user tries to access web pages.

A security analyst runs the command netstat -aon from the command line and receives the following output:

Which of the following lines indicates the computer may be compromised?

Line 1

Line 2

Line 3

Line 4

Line 5

Line 6

Page 2 of 9

11. A security analyst is reviewing the logs from an internal chat server. The chat.log file is too large to review manually, so the analyst wants to create a shorter log file that only includes lines associated with a user demonstrating anomalous activity.

Below is a snippet of the log:

Which of the following commands would work BEST to achieve the desired result?

grep -v chatter14 chat.log

grep -i pythonfun chat.log

grep -i javashark chat.log

grep -v javashark chat.log

grep -v pythonfun chat.log

grep -i chatter14 chat.log

12. Which of the following should a database administrator implement to BEST protect data from an untrusted server administrator?

Data encryption

Data deidentification

Data masking

Data minimization

13. A forensic analyst took an image of a workstation that was involved in an incident To BEST ensure the image is not tampered with me analyst should use:

hashing

backup tapes

a legal hold

chain of custody.

14. A security analyst is reviewing a web application. If an unauthenticated user tries to access a page in the application, the user is redirected to the login page. After successful authentication, the user is then redirected back to the original page. Some users have reported receiving phishing emails with a link that takes them to the application login page but then redirects to a fake login page after successful authentication.

Which of the following will remediate this software vulnerability?

Enforce unique session IDs for the application.

Deploy a WAF in front of the web application.

Check for and enforce the proper domain for the redirect.

Use a parameterized query to check the credentials.

Implement email filtering with anti-phishing protection.

15. A security analyst discovers accounts in sensitive SaaS-based systems are not being removed in a timely manner when an employee leaves the organization To BEST resolve the issue, the organization should implement

federated authentication

role-based access control.

manual account reviews

multifactor authentication.

16. A security analyst is generating a list of recommendations for the company's insecure API.

Which of the following is the BEST parameter mitigation rec

Implement parameterized queries.

Use effective authentication and authorization methods.

Validate all incoming data.

Use TLs for all data exchanges.

17. A software development team asked a security analyst to review some code for security vulnerabilities.

Which of the following would BEST assist the security analyst while performing this task?

Static analysis

Dynamic analysis

Regression testing

User acceptance testing

18. A proposed network architecture requires systems to be separated from each other logically based on defined risk levels.

Which of the following explains the reason why an architect would set up the network this way?

To complicate the network and frustrate a potential malicious attacker

To reduce the number of IP addresses that are used on the network

To reduce the attack surface of those systems by segmenting the network based on risk

To create a design that simplifies the supporting network

19. After a breach involving the exfiltration of a large amount of sensitive data a security analyst is reviewing the following firewall logs to determine how the breach occurred:

Which of the following IP addresses does the analyst need to investigate further?

192.168.1.1

192.168.1.10

192.168.1.12

192.168.1.193

20. A SIEM analyst receives an alert containing the following URL:

Which of the following BEST describes the attack?

Password spraying

Buffer overflow

insecure object access

Directory traversal

Page 3 of 9

21. A Chief Executive Officer (CEO) is concerned about the company’s intellectual property being leaked to competitors. The security team performed an extensive review but did not find any indication of an outside breach. The data sets are currently encrypted using the Triple Data Encryption Algorithm.

Which of the following courses of action is appropriate?

Limit all access to the sensitive data based on geographic access requirements with strict role-based access controls.

Enable data masking and reencrypt the data sets using AES-256.

Ensure the data is correctly classified and labeled, and that DLP rules are appropriate to prevent disclosure.

Use data tokenization on sensitive fields, reencrypt the data sets using AES-256, and then create an MD5 hash.

22. Which of the following is the BEST way to share incident-related artifacts to provide non-repudiation?

Secure email

Encrypted USB drives

Cloud containers

Network folders

23. A system administrator is doing network reconnaissance of a company’s external network to determine the vulnerability of various services that are running.

Sending some sample traffic to the external host, the administrator obtains the following packet capture:

Based on the output, which of the following services should be further tested for vulnerabilities?

SSH

HTTP

SMB

HTTPS

24. A security analyst is reviewing a suspected phishing campaign that has targeted an organisation. The organization has enabled a few email security technologies in the last year: however, the analyst believes the security features are not working.

The analyst runs the following command:

> dig domain._domainkey.comptia.orq TXT

Which of the following email protection technologies is the analyst MOST likely validating?

SPF

DNSSEC

DMARC

DKIM

25. A team of security analysis has been alerted to potential malware activity. The initial examination indicates one of the affected workstations on beaconing on TCP port 80 to five IP addresses and attempting to spread across the network over port 445.

Which of the following should be the team's NEXT step during the detection phase of this response process?

Escalate the incident to management, who will then engage the network infrastructure team to keep them informed

Depending on system critically remove each affected device from the network by disabling wired and wireless connections

Engage the engineering team to block SMB traffic internally and outbound HTTP traffic to the five IP addresses Identify potentially affected systems by creating a correlation

Identify potentially affected system by creating a correlation search in the SIEM based on the network traffic.

26. A security analyst conducted a risk assessment on an organization's wireless network and identified a high-risk element in the implementation of data confidentially protection.

Which of the following is the BEST technical security control to mitigate this risk?

Switch to RADIUS technology

Switch to TACACS+ technology.

Switch to 802 IX technology

Switch to the WPA2 protocol.

27. A security analyst receives a CVE bulletin, which lists several products that are used in the enterprise. The analyst immediately deploys a critical security patch.

Which of the following BEST describes the reason for the analyst's immediate action?

A known exploit was discovered.

There is an insider threat.

Nation-state hackers are targeting the region.

A new zero-day threat needs to be addressed.

A new vulnerability was discovered by a vendor.

28. As part of a review of incident response plans, which of the following is MOST important for an organization to understand when establishing the breach notification period?

Organizational policies

Vendor requirements and contracts

Service-level agreements

Legal requirements

29. A security analyst for a large financial institution is creating a threat model for a specific threat actor that is likely targeting an organization's financial assets.

Which of the following is the BEST example of the level of sophistication this threat actor is using?

Social media accounts attributed to the threat actor

Custom malware attributed to the threat actor from prior attacks

Email addresses and phone numbers tied to the threat actor

Network assets used in previous attacks attributed to the threat actor

IP addresses used by the threat actor for command and control

30. A security analyst discovers a vulnerability on an unpatched web server that is used for testing machine learning on Bing Data sets. Exploitation of the vulnerability could cost the organization $1.5 million in lost productivity. The server is located on an isolated network segment that has a 5% chance of being compromised.

Which of the following is the value of this risk?

$75.000

$300.000

$1.425 million

$1.5 million

Page 4 of 9

31. Which of the following sources will provide the MOST relevant threat intelligence data to the security team of a dental care network?

Open threat exchange

H-ISAC

Dark web chatter

Dental forums

32. A finance department employee has received a message that appears to have been sent from the Chief Financial Officer (CFO) asking the employee to perform a wife transfer Analysis of the email shows the message came from an external source and is fraudulent.

Which of the following would work BEST to improve the likelihood of employees quickly recognizing fraudulent emails?

Implementing a sandboxing solution for viewing emails and attachments

Limiting email from the finance department to recipients on a pre-approved whitelist

Configuring email client settings to display all messages in plaintext when read

Adding a banner to incoming messages that identifies the messages as external

33. An information security analyst is working with a data owner to identify the appropriate controls to preserve the confidentiality of data within an enterprise environment One of the primary concerns is exfiltration of data by malicious insiders.

Which of the following controls is the MOST appropriate to mitigate risks?

Data deduplication

OS fingerprinting

Digital watermarking

Data loss prevention

34. A security analyst discovered a specific series of IP addresses that are targeting an organization. None of the attacks have been successful.

Which of the following should the security analyst perform NEXT?

Begin blocking all IP addresses within that subnet.

Determine the attack vector and total attack surface.

Begin a kill chain analysis to determine the impact.

Conduct threat research on the IP addresses

35. A security analyst is responding to an incident on a web server on the company network that is making a large number of outbound requests over DNS.

Which of the following is the FIRST step the analyst should take to evaluate this potential indicator of compromise'?

Run an anti-malware scan on the system to detect and eradicate the current threat

Start a network capture on the system to look into the DNS requests to validate command and control traffic.

Shut down the system to prevent further degradation of the company network

Reimage the machine to remove the threat completely and get back to a normal running state.

Isolate the system on the network to ensure it cannot access other systems while evaluation is underway.

36. A security analyst needs to identify possible threats to a complex system a client is developing.

Which of the following methodologies would BEST address this task?

Open Source Security Information Management (OSSIM)

Software Assurance Maturity Model (SAMM)

Open Web Application Security Project (OWASP)

Spoofing, Tampering. Repudiation, Information disclosure. Denial of service, Elevation of privileges (STRIDE)

37. A security analyst reviews SIEM logs and detects a well-known malicious executable running in a Windows machine. The up-to-date antivirus cannot detect the malicious executable.

Which of the following is the MOST likely cause of this issue?

The malware is being executed with administrative privileges.

The antivirus does not have the mltware's signature.

The malware detects and prevents its own execution in a virtual environment.

The malware is fileless and exists only in physical memory.

38. A security analyst suspects a malware infection was caused by a user who downloaded malware after clicking http://<malwaresource>/A.php in a phishing email.

To prevent other computers from being infected by the same malware variation, the analyst should create a rule on the.

email server that automatically deletes attached executables.

IDS to match the malware sample.

proxy to block all connections to <malwaresource>.

firewall to block connection attempts to dynamic DNS hosts.

39. A user receives a potentially malicious email that contains spelling errors and a PDF document. A security analyst reviews the email and decides to download the attachment to a Linux sandbox for review.

Which of the following commands would MOST likely indicate if the email is malicious?

sha256sum ~/Desktop/file.pdf

file ~/Desktop/file.pdf

strings ~/Desktop/file.pdf | grep "<script"

cat < ~/Desktop/file.pdf | grep -i .exe

40. While conducting a network infrastructure review, a security analyst discovers a laptop that is plugged into a core switch and hidden behind a desk.

The analyst sees the following on the laptop's screen:

Which of the following is the BEST action for the security analyst to take?

Initiate a scan of devices on the network to find password-cracking tools.

Disconnect the laptop and ask the users jsmith and progers to log out.

Force all users in the domain to change their passwords at the next login.

Take the FILE-SHARE-A server offline and scan it for viruses.

Page 5 of 9

41. A security analyst is reviewing the following log entries to identify anomalous activity:

Which of the following attack types is occurring?

Directory traversal

SQL injection

Buffer overflow

Cross-site scripting

42. Following a recent security breach, a company decides to investigate account usage to ensure privileged accounts are only being utilized during typical business hours. During the investigation, a security analyst determines an account was consistently utilized in the middle of the night.

Which of the following actions should the analyst take NEXT?

Initiate the incident response plan.

Disable the privileged account

Report the discrepancy to human resources.

Review the activity with the user.

43. A security analyst is researching ways to improve the security of a company's email system to mitigate emails that are impersonating company executives.

Which of the following would be BEST for the analyst to configure to achieve this objective?

A TXT record on the name server for SPF

DNSSEC keys to secure replication

Domain Keys identified Man

A sandbox to check incoming mad

44. Risk management wants IT to implement a solution that will permit an analyst to intercept, execute, and analyze potentially malicious files that are downloaded from the Internet.

Which of the following would BEST provide this solution?

File fingerprinting

Decomposition of malware

Risk evaluation

Sandboxing

45. A security analyst received an alert from the SIEM indicating numerous login attempts from users outside their usual geographic zones, all of which were initiated through the web-based mail server. The logs indicate all domain accounts experienced two login attempts during the same time frame.

Which of the following is the MOST likely cause of this issue?

A password-spraying attack was performed against the organization.

A DDoS attack was performed against the organization.

This was normal shift work activity; the SIEM's AI is learning.

A credentialed external vulnerability scan was performed.

46. During a cyber incident, which of the following is the BEST course of action?

Switch to using a pre-approved, secure, third-party communication system.

Keep the entire company informed to ensure transparency and integrity during the incident.

Restrict customer communication until the severity of the breach is confirmed.

Limit communications to pre-authorized parties to ensure response efforts remain confidential.

47. An organization has a strict policy that if elevated permissions are needed, users should always run commands under their own account, with temporary administrator privileges if necessary.

A security analyst is reviewing syslog entries and sees the following:

Which of the following entries should cause the analyst the MOST concern?

<100>2 2020-01-10T19:33:41.002z webserver su 201 32001 = BOM ' su vi httpd.conf' failed for joe

<100>2 2020-01-10T20:36:36.0010z financeserver su 201 32001 = BOM ' sudo vi users.txt success

<100> 2020-01-10T19:33:48.002z webserver sudo 201 32001 = BOM ' su vi syslog.conf failed for jos

<100> 2020-01-10T19:34.002z financeserver su 201 32001 = BOM ' su vi success

<100> 2020-01-10T19:33:48.002z webserver sudo 201 32001 = BOM ' su vi httpd.conf' success

48. A security analyst is investigating a system compromise. The analyst verities the system was up to date on OS patches at the time of the compromise.

Which of the following describes the type of vulnerability that was MOST likely expiated?

Insider threat

Buffer overflow

Advanced persistent threat

Zero day

49. A security analyst received a series of antivirus alerts from a workstation segment, and users reported ransomware messages. During lessons- learned activities, the analyst determines the antivirus was able to alert to abnormal behavior but did not stop this newest variant of ransomware.

Which of the following actions should be taken to BEST mitigate the effects of this type of threat in the future?

Enabling application blacklisting

Enabling sandboxing technology

Purchasing cyber insurance

Installing a firewall between the workstations and Internet

50. A security analyst needs to reduce the overall attack surface.

Which of the following infrastructure changes should the analyst recommend?

Implement a honeypot.

Air gap sensitive systems.

Increase the network segmentation.

Implement a cloud-based architecture.

Page 6 of 9

51. A security analyst is investigating a malware infection that occurred on a Windows system. The system was not connected to a network and had no wireless capability Company policy prohibits using portable media or mobile storage. The security analyst is trying to determine which user caused the malware to get onto the system.

Which of the following registry keys would MOST likely have this information?

HKEY_USERS<user SID>SoftwareMicrosoftWindowsCurrentVersionRun

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun

HKEY_USERS<user SID>SoftwareMicrosoftWindowsexplorerMountPoints2

HKEY_USERS<user SID>SoftwareMicrosoftInternet ExplorerTyped URLs

HKEY_LOCAL_MACHINESYSTEMControlSet001serviceseventlogSystemiusb3hub

52. Which of the following roles is ultimately responsible for determining the classification levels assigned to specific data sets?

Data custodian

Data owner

Data processor

Senior management

53. A general contractor has a list of contract documents containing critical business data that are stored at a public cloud provider. The organization’s security analyst recently reviewed some of the storage containers and discovered most of the containers are not encrypted.

Which of the following configurations will provide the MOST security to resolve the vulnerability?

Upgrading TLS 1.2 connections to TLS 1.3

Implementing AES-256 encryption on the containers

Enabling SHA-256 hashing on the containers

Implementing the Triple Data Encryption Algorithm at the file level

54. A security analyst is reviewing the following DNS logs as part of security-monitoring activities:

Which of the following MOST likely occurred?

The attack used an algorithm to generate command and control information dynamically.

The attack used encryption to obfuscate the payload and bypass detection by an ID

The attack caused an internal host to connect to a command and control server.

The attack attempted to contact www.gooqle com to verify Internet connectivity.

55. A pharmaceutical company's marketing team wants to send out notifications about new products to alert users of recalls and newly discovered adverse drug reactions. The team plans to use the names and mailing addresses that users have provided.

Which of the following data privacy standards does this violate?

Purpose limitation

Sovereignty

Data minimization

Retention

56. A Chief Security Officer (CSO) is working on the communication requirements (or an organization's incident response plan. In addition to technical response activities, which of the following is the main reason why communication must be addressed in an effective incident response program?

Public relations must receive information promptly in order to notify the community.

Improper communications can create unnecessary complexity and delay response actions.

Organizational personnel must only interact with trusted members of the law enforcement community.

Senior leadership should act as the only voice for the incident response team when working with forensics teams.

57. A security analyst recently discovered two unauthorized hosts on the campus's wireless network segment from a man-m-the-middle attack. The security analyst also verified that privileges were not escalated, and the two devices did not gain access to other network devices.

Which of the following would BEST mitigate and improve the security posture of the wireless network for this type of attack?

Enable MAC filtering on the wireless router and suggest a stronger encryption for the wireless network,

Change the SSID, strengthen the passcode, and implement MAC filtering on the wireless router.

Enable MAC filtering on the wireless router and create a whitelist that allows devices on the network

Conduct a wireless survey to determine if the wireless strength needs to be reduced.

58. An organization has the following risk mitigation policy:

Risks with a probability of 95% or greater will be addressed before all others regardless of the impact.

All other prioritization will be based on risk value.

The organization has identified the following risks:

Which of the following is the order of priority for risk mitigation from highest to lowest?

A, B, D, C

A, B, C, D

D, A, B, C

D, A, C, B

59. Joe, a penetration tester, used a professional directory to identify a network administrator and ID administrator for a client’s company. Joe then emailed the network administrator, identifying himself as the ID administrator, and asked for a current password as part of a security exercise.

Which of the following techniques were used in this scenario?

Enumeration and OS fingerprinting

Email harvesting and host scanning

Social media profiling and phishing

Network and host scanning

60. An organization wants to move non-essential services into a cloud computing environment. Management has a cost focus and would like to achieve a recovery time objective of 12 hours.

Which of the following cloud recovery strategies would work BEST to attain the desired outcome?

Duplicate all services in another instance and load balance between the instances.

Establish a hot site with active replication to another region within the same cloud provider.

Set up a warm disaster recovery site with the same cloud provider in a different region

Configure the systems with a cold site at another cloud provider that can be used for failover.

Page 7 of 9

61. A security analyst at a technology solutions firm has uncovered the same vulnerabilities on a vulnerability scan for a long period of time. The vulnerabilities are on systems that are dedicated to the firm's largest client.

Which of the following is MOST likely inhibiting the remediation efforts?

The parties have an MOU between them that could prevent shutting down the systems

There is a potential disruption of the vendor-client relationship

Patches for the vulnerabilities have not been fully tested by the software vendor

There is an SLA with the client that allows very little downtime

62. Which of the following software security best practices would prevent an attacker from being able to run arbitrary SQL commands within a web application? (Choose two.)

Parameterized queries

Session management

Input validation

Output encoding

Data protection

Authentication

63. A company’s Chief Information Security Officer (CISO) is concerned about the integrity of some highly confidential files. Any changes to these files must be tied back to a specific authorized user’s activity session.

Which of the following is the BEST technique to address the CISO’s concerns?

Configure DLP to reject all changes to the files without pre-authorization. Monitor the files for unauthorized changes.

Regularly use SHA-256 to hash the directory containing the sensitive information. Monitor the files for unauthorized changes.

Place a legal hold on the files. Require authorized users to abide by a strict time context access policy. Monitor the files for unauthorized changes.

Use Wireshark to scan all traffic to and from the directory. Monitor the files for unauthorized changes.

64. Which of the following is the BEST security practice to prevent ActiveX controls from running malicious code on a user's web application?

Configuring a firewall to block traffic on ports that use ActiveX controls

Adjusting the web-browser settings to block ActiveX controls

Installing network-based IPS to block malicious ActiveX code

Deploying HIPS to block malicious ActiveX code

65. A company recently experienced financial fraud, which included shared passwords being compromised and improper levels of access being granted. The company has asked a security analyst to help improve its controls.

Which of the following will MOST likely help the security analyst develop better controls?

An evidence summarization

An indicator of compromise

An incident response plan

A lessons-learned report

66. A company's marketing emails are either being found in a spam folder or not being delivered at all. The security analyst investigates the issue and discovers the emails in question are being sent on behalf of the company by a third party in1marketingpartners.com

Below is the exiting SPP word:

Which of the following updates to the SPF record will work BEST to prevent the emails from being marked as spam or blocked?

A)

Option A

Option B

Option C

Option D

67. A security analyst is running a tool against an executable of an unknown source.

The Input supplied by the tool to the executable program and the output from the executable are shown below:

Which of the following should the analyst report after viewing this Information?

A dynamic library that is needed by the executable a missing

Input can be crafted to trigger an Infection attack in the executable

The toot caused a buffer overflow in the executable's memory

The executable attempted to execute a malicious command

68. A Chief Information Security Officer (CISO) is concerned the development team, which consists of contractors, has too much access to customer data. Developers use personal workstations, giving the company little to no visibility into the development activities.

Which of the following would be BEST to implement to alleviate the CISO's concern?

DLP

Encryption

Test data

NDA

69. A cybersecurity analyst is contributing to a team hunt on an organization's endpoints.

Which of the following should the analyst do FIRST?

Write detection logic.

Establish a hypothesis.

Profile the threat actors and activities.

Perform a process analysis.

70. During an incident response procedure, a security analyst collects a hard drive to analyze a possible vector of compromise. There is a Linux swap partition on the hard drive that needs to be checked.

Which of the following, should the analyst use to extract human-readable content from the partition?

strings

head

fsstat

Page 8 of 9

71. The Chief Information Officer (CIO) of a large healthcare institution is concerned about all machines having direct access to sensitive patient information.

Which of the following should the security analyst implement to BEST mitigate the risk of sensitive data exposure?

A cloud access service broker system

NAC to ensure minimum standards are met

MFA on all workstations

Network segmentation

72. An organization developed a comprehensive modern response policy Executive management approved the policy and its associated procedures.

Which of the following activities would be MOST beneficial to evaluate personnel's familiarity with incident response procedures?

A simulated breach scenario evolving the incident response team

Completion of annual information security awareness training by ail employees

Tabtetop activities involving business continuity team members

Completion of lessons-learned documentation by the computer security incident response team

External and internal penetration testing by a third party

73. A security analyst is reviewing vulnerability scan results and notices new workstations are being flagged as having outdated antivirus signatures.

The analyst observes the following plugin output:

The analyst uses the vendor's website to confirm the oldest supported version is correct.

Which of the following BEST describes the situation?

This is a false positive and the scanning plugin needs to be updated by the vendor

This is a true negative and the new computers have the correct version of the software

This is a true positive and the new computers were imaged with an old version of the software

This is a false negative and the new computers need to be updated by the desktop team

74. A security analyst implemented a solution that would analyze the attacks that the organization’s firewalls failed to prevent. The analyst used the existing systems to enact the solution and executed the following command.

S sudo nc -1 -v -c maildemon . py 25 caplog, txt

Which of the following solutions did the analyst implement?

Log collector

Crontab mail script

Snikhole

Honeypot

75. A security analyst has observed several incidents within an organization that are affecting one specific piece of hardware on the network. Further investigation reveals the equipment vendor previously released a patch.

Which of the following is the MOST appropriate threat classification for these incidents?

Known threat

Zero day

Unknown threat

Advanced persistent threat

76. A threat intelligence analyst has received multiple reports that are suspected to be about the same advanced persistent threat.

To which of the following steps in the intelligence cycle would this map?

Dissemination

Analysis

Feedback

Requirements

Collection

77. An organization has not had an incident for several months. The Chief Information Security Officer (CISO) wants to move to a more proactive stance for security investigations.

Which of the following would BEST meet that goal?

Root-cause analysis

Active response

Advanced antivirus

Information-sharing community

Threat hunting

78. As part of a merger with another organization, a Chief Information Security Officer (CISO) is working with an assessor to perform a risk assessment focused on data privacy compliance. The CISO is primarily concerned with the potential legal liability and fines associated with data privacy. Based on the CISO's concerns, the assessor will MOST likely focus on:

qualitative probabilities.

quantitative probabilities.

qualitative magnitude.

quantitative magnitude.

79. The steering committee for information security management annually reviews the security incident register for the organization to look for trends and systematic issues. The steering committee wants to rank the risks based on past incidents to improve the security program for next year Below is the incident register for the organization.

Which of the following should the organization consider investing in FIRST due to the potential impact of availability?

Hire a managed service provider to help with vulnerability management

Build a warm site in case of system outages

Invest in a failover and redundant system, as necessary

Hire additional staff for the IT department to assist with vulnerability management and log review

80. A security analyst is reviewing the following requirements (or new time clocks that will be installed in a shipping warehouse:

•. The clocks must be configured so they do not respond to ARP broadcasts.

•. The server must be configured with static ARP entries for each clock.

Which of the following types of attacks will this configuration mitigate?

Spoofing

Overflows

Rootkits

Sniffing

Page 9 of 9

81. A development team has asked users to conduct testing to ensure an application meets the needs of the business.

Which of the fallowing types of testing docs This describe?

Acceptance testing

Stress testing

Regression testing

Penetration testing

82. Which of the following is the use of tools to simulate the ability for an attacker to gain access to a specified network?

Reverse engineering

Fuzzing

Penetration testing

Network mapping

83. Which of the following data security controls would work BEST to prevent real Pll from being used in an organization's test cloud environment?

Digital rights management

Encryption

Access control

Data loss prevention

Data masking

84. Which of the following will allow different cloud instances to share various types of data with a minimal amount of complexity?

Reverse engineering

Application log collectors

Workflow orchestration

API integration

Scripting

85. A storage area network (SAN) was inadvertently powered off while power maintenance was being performed in a datacenter. None of the systems should have lost all power during the maintenance. Upon review, it is discovered that a SAN administrator moved a power plug when testing the SAN's fault notification features.

Which of the following should be done to prevent this issue from reoccurring?

Ensure both power supplies on the SAN are serviced by separate circuits, so that if one circuit goes down, the other remains powered.

Install additional batteries in the SAN power supplies with enough capacity to keep the system powered on during maintenance operations.

Ensure power configuration is covered in the datacenter change management policy and have the SAN administrator review this policy.

Install a third power supply in the SAN so loss of any power intuit does not result in the SAN completely powering off.

86. An organization that handles sensitive financial information wants to perform tokenization of data to enable the execution of recurring transactions. The organization is most interested m a secure, built-in device to support its solution.

Which of the following would MOST likely be required to perform the desired function?

TPM

eFuse

FPGA

HSM

UEFI

87. Portions of a legacy application are being refactored to discontinue the use of dynamic SQL.

Which of the following would be BEST to implement in the legacy application?

Multifactor authentication

Web-application firewall

SQL injection

Parameterized queries

Input validation

88. A security analyst is evaluating two vulnerability management tools for possible use in an organization. The analyst set up each of the tools according to the respective vendor's instructions and generated a report of vulnerabilities that ran against the same target server.

Tool A reported the following:

Tool B reported the following:

Which of the following BEST describes the method used by each tool? (Choose two.)

Tool A is agent based.

Tool A used fuzzing logic to test vulnerabilities.

Tool A is unauthenticated.

Tool B utilized machine learning technology.

Tool B is agent based.

Tool B is unauthenticated.

89. While investigating an incident in a company's SIEM console, a security analyst found hundreds of failed SSH login attempts, which all occurred in rapid succession. The failed attempts were followed by a successful login on the root user Company policy allows systems administrators to manage their systems only from the company's internal network using their assigned corporate logins.

Which of the following are the BEST actions the analyst can take to stop any further compromise? (Select TWO).

Configure /etc/sshd_config to deny root logins and restart the SSHD service.

Add a rule on the network IPS to block SSH user sessions

Configure /etc/passwd to deny root logins and restart the SSHD service.

Reset the passwords for all accounts on the affected system.

Add a rule on the perimeter firewall to block the source IP address.

Add a rule on the affected system to block access to port TCP/22.

90. Which of the following attacks can be prevented by using output encoding?

Server-side request forgery

Cross-site scripting

SQL injection

Command injection

Cross-site request forgery

Directory traversal