
CompTIA CS0-002 CompTIA CySA+ Certification Exam (CS0-002) Exam Practice Test

Demo: 111 questions
Total 372 questions

CompTIA CySA+ Certification Exam (CS0-002) Questions and Answers

Question 1

A company's security team recently discovered a number of workstations that are at the end of life. The workstation vendor informs the team that the product is no longer supported and patches are no longer available. The company is not prepared to cease its use of these workstations. Which of the following would be the BEST method to protect these workstations from threats?

Options:

A.

Deploy whitelisting to the identified workstations to limit the attack surface

B.

Determine the system process centrality and document it

C.

Isolate the workstations and air gap them when it is feasible

D.

Increase security monitoring on the workstations

Question 2

The following output is from a tcpdump at the edge of the corporate network:

Which of the following best describes the potential security concern?

Options:

A.

Payload lengths may be used to overflow buffers enabling code execution.

B.

Encapsulated traffic may evade security monitoring and defenses

C.

This traffic exhibits a reconnaissance technique to create network footprints.

D.

The content of the traffic payload may permit VLAN hopping.

Question 3

The Chief Information Officer of a large cloud software vendor reports that many employees are falling victim to phishing emails because they appear to come from other employees. Which of the following would BEST prevent this issue?

Options:

A.

Include digital signatures on messages originating within the company.

B.

Require users authenticate to the SMTP server

C.

Implement DKIM to perform authentication that will prevent this issue.

D.

Set up an email analysis solution that looks for known malicious links within the email.

Question 4

While reviewing abnormal user activity, a security analyst notices a user has the following fileshare activities:

Which of the following should the analyst do first?

Options:

A.

Initiate the security incident response process for unauthorized access.

B.

Shut down the servers while the access is investigated.

C.

Remove the user's access for all fileshares.

D.

Lock the user account until the access can be explained.

Question 5

An email analysis system notifies a security analyst that the following message was quarantined and requires further review.

Which of the following actions should the security analyst take?

Options:

A.

Release the email for delivery due to its importance.

B.

Immediately contact a purchasing agent to expedite.

C.

Delete the email and block the sender.

D.

Purchase the gift cards and submit an expense report.

Question 6

A security analyst found an old version of OpenSSH running on a DMZ server and determined the following piece of code could have led to a command execution through an integer overflow:

Which of the following controls must be in place to prevent this vulnerability?

Options:

A.

Convert all integer numbers in strings to handle the memory buffer correctly.

B.

Implement float numbers instead of integers to prevent integer overflows.

C.

Use built-in functions from libraries to check and handle long numbers properly.

D.

Sanitize user inputs, avoiding small numbers that cannot be handled in the memory.

Question 7

Which of the following is MOST important when developing a threat hunting program?

Options:

A.

Understanding penetration testing techniques

B.

Understanding how to build correlation rules within a SIEM

C.

Understanding security software technologies

D.

Understanding assets and categories of assets

Question 8

A security analyst is reviewing the following Internet usage trend report:

Which of the following usernames should the security analyst investigate further?

Options:

A.

User1

B.

User 2

C.

User 3

D.

User 4

Question 9

A security analyst implemented a solution that would analyze the attacks that the organization's firewalls failed to prevent. The analyst used the existing systems to enact the solution and executed the following command:

$ sudo nc -l -v -e maildaemon.py 25 > caplog.txt

Which of the following solutions did the analyst implement?

Options:

A.

Log correlation

B.

Crontab mail script

C.

Sinkhole

D.

Honeypot

Question 10

A security analyst is deploying a new application in the environment. The application needs to be integrated with several existing applications that contain SPI. Prior to the deployment, the analyst should conduct:

Options:

A.

a tabletop exercise

B.

a business impact analysis

C.

a PCI assessment

D.

an application stress test.

Question 11

During a forensic investigation, a security analyst reviews some Session Initiation Protocol packets that came from a suspicious IP address. Law enforcement requires access to a VoIP call that originated from the suspicious IP address. Which of the following should the analyst use to accomplish this task?

Options:

A.

Wireshark

B.

iptables

C.

Tcpdump

D.

Netflow

Question 12

A security analyst observes a large amount of scanning activity coming from an IP address outside the organization's environment. Which of the following should the analyst do to block this activity?

Options:

A.

Create an IPS rule to block the subnet.

B.

Sinkhole the IP address.

C.

Create a firewall rule to block the IP address.

D.

Close all unnecessary open ports.

Question 13

An information security analyst discovered a virtual machine server was compromised by an attacker. Which of the following should be the first steps to confirm and respond to the incident? (Select two).

Options:

A.

Pause the virtual machine.

B.

Shut down the virtual machine.

C.

Take a snapshot of the virtual machine.

D.

Remove the NIC from the virtual machine.

E.

Review host hypervisor log of the virtual machine.

F.

Execute a migration of the virtual machine.

Question 14

Which of the following BEST describes what an organization's incident response plan should cover regarding how the organization handles public or private disclosures of an incident?

Options:

A.

The disclosure section should focus on how to reduce the likelihood customers will leave due to the incident.

B.

The disclosure section should contain the organization's legal and regulatory requirements regarding disclosures.

C.

The disclosure section should include the names and contact information of key employees who are needed for incident resolution

D.

The disclosure section should contain language explaining how the organization will reduce the likelihood of the incident from happening in the future.

Question 15

A company's Chief Information Security Officer (CISO) is concerned about the integrity of some highly confidential files. Any changes to these files must be tied back to a specific authorized user's activity session. Which of the following is the best technique to address the CISO's concerns?

Options:

A.

Configure DLP to reject all changes to the files without pre-authorization. Monitor the files for unauthorized changes.

B.

Regularly use SHA-256 to hash the directory containing the sensitive information. Monitor the files for unauthorized changes.

C.

Place a legal hold on the files. Require authorized users to abide by a strict time context access policy. Monitor the files for unauthorized changes.

D.

Use Wireshark to scan all traffic to and from the directory. Monitor the files for unauthorized changes.

Question 16

A network appliance manufacturer is building a new generation of devices and would like to include chipset security improvements. The management team wants the security team to implement a method to prevent security weaknesses that could be reintroduced by downgrading the firmware version on the chipset. Which of the following would meet this objective?

Options:

A.

UEFI

B.

A hardware security module

C.

eFUSE

D.

Certificate signed updates

Question 17

A risk assessment concludes that the perimeter network has the highest potential for compromise by an attacker, and it is labeled as a critical risk environment. Which of the following is a valid compensating control to reduce the volume of valuable information in the perimeter network that an attacker could gain using active reconnaissance techniques?

Options:

A.

A control that demonstrates that all systems authenticate using the approved authentication method

B.

A control that demonstrates that access to a system is only allowed by using SSH

C.

A control that demonstrates that firewall rules are peer reviewed for accuracy and approved before deployment

D.

A control that demonstrates that the network security policy is reviewed and updated yearly

Question 18

Which of the following can detect vulnerable third-party libraries before code deployment?

Options:

A.

Impact analysis

B.

Dynamic analysis

C.

Static analysis

D.

Protocol analysis

Question 19

A digital forensics investigator works from duplicate images to preserve the integrity of the original evidence. Which of the following types of media are most volatile and should be preserved? (Select two).

Options:

A.

Memory cache

B.

Registry file

C.

SSD storage

D.

Temporary filesystems

E.

Packet decoding

F.

Swap volume

Question 20

A security analyst is analyzing the following output from the Spider tab of OWASP ZAP after a vulnerability scan was completed:

Which of the following options can the analyst conclude based on the provided output?

Options:

A.

The scanning vendor used robots to make the scanning job faster

B.

The scanning job was successfully completed, and no vulnerabilities were detected

C.

The scanning job did not successfully complete due to an out of scope error

D.

The scanner executed a crawl process to discover pages to be assessed

Question 21

Which of the following is an advantage of SOAR over SIEM?

Options:

A.

SOAR is much less expensive.

B.

SOAR reduces the amount of human intervention required.

C.

SOAR can aggregate data from many sources.

D.

SOAR uses more robust encryption protocols.

Question 22

A current, validated DLP solution is now in place because of a previous data breach. However, a new data breach has taken place. The following symptoms were observed shortly after a recent sales meeting:

* Sensitive corporate documents appeared on the dark web.

* Unusually large packets of data were being sent out.

Which of the following is most likely occurring?

Options:

A.

Documents are not tagged properly to restrict sharing.

B.

An insider threat is exfiltrating data.

C.

The DLP solution is not configured for unsecured web traffic

D.

File audits are not enabled on CASB.

Question 23

Which of the following is a reason for correctly identifying APTs that might be targeting an organization?

Options:

A.

APTs' passion for social justice will make them ongoing and motivated attackers.

B.

APTs utilize methods and technologies differently than other threats

C.

APTs are primarily focused on financial gain and are widely available over the internet.

D.

APTs lack sophisticated methods, but their dedication makes them persistent.

Question 24

A help desk technician inadvertently sent the credentials of the company's CRM in clear text to an employee's personal email account. The technician then reset the employee's account using the appropriate process and the employee's corporate email, and notified the security team of the incident. According to the incident response procedure, which of the following should the security team do NEXT?

Options:

A.

Contact the CRM vendor.

B.

Prepare an incident summary report.

C.

Perform postmortem data correlation.

D.

Update the incident response plan.

Question 25

Which of the following BEST describes how logging and monitoring work when entering into a public cloud relationship with a service provider?

Options:

A.

Logging and monitoring are not needed in a public cloud environment

B.

Logging and monitoring are done by the data owners

C.

Logging and monitoring duties are specified in the SLA and contract

D.

Logging and monitoring are done by the service provider

Question 26

A security analyst needs to recommend the best approach to test a new application that simulates abnormal user behavior to find software bugs. Which of the following would best accomplish this task?

Options:

A.

A static analysis to find libraries with flaws handling user inputs

B.

A dynamic analysis using a dictionary to simulate user inputs

C.

Reverse engineering to circumvent software protections

D.

Fuzzing tools with polymorphic methods

Question 27

A security engineer is reviewing security products that identify malicious actions by users as part of a company's insider threat program. Which of the following is the most appropriate product category for this purpose?

Options:

A.

SCAP

B.

SOAR

C.

UEBA

D.

WAF

Question 28

The majority of a company's employees have stated they are unable to perform their job duties due to outdated workstations, so the company has decided to institute BYOD. Which of the following would a security analyst MOST likely recommend for securing the proposed solution?

Options:

A.

A Linux-based system and mandatory training on Linux for all BYOD users

B.

A firewalled environment for client devices and a secure VDI for BYOD users

C.

A standardized anti-malware platform and a unified operating system vendor

D.

802.1X to enforce company policy on BYOD user hardware

Question 29

Which of the following techniques can be implemented to safeguard the confidentiality of sensitive information while allowing limited access to authorized individuals?

Options:

A.

Deidentification

B.

Hashing

C.

Masking

D.

Salting

Question 30

A Chief Information Security Officer has requested a security measure be put in place to redirect certain traffic on the network. Which of the following would best resolve this issue?

Options:

A.

Sinkholing

B.

Blocklisting

C.

Geoblocking

D.

Sandboxing

Question 31

An information security analyst is compiling data from a recent penetration test and reviews the following output:

The analyst wants to obtain more information about the web-based services that are running on the target. Which of the following commands would most likely provide the needed information?

Options:

A.

ping -t 10.79.95.173.rdns.datacenter.com

B.

telnet 10.79.95.17.17 443

C.

ftpd 10.79.95.173.rdns.datacenters.com 443

D.

tracert 10.79.95.173

Question 32

Which of the following organizational initiatives would be MOST impacted by data sovereignty issues?

Options:

A.

Moving to a cloud-based environment

B.

Migrating to locally hosted virtual servers

C.

Implementing non-repudiation controls

D.

Encrypting local database queries

Question 33

A security analyst notices the following proxy log entries:

Which of the following is the user attempting to do based on the log entries?

Options:

A.

Use a DoS attack on external hosts.

B.

Exfiltrate data.

C.

Scan the network.

D.

Relay email.

Question 34

A company experienced a security compromise due to the inappropriate disposal of one of its hardware appliances. Sensitive information stored on the hardware appliance was not removed prior to disposal. Which of the following is the BEST manner in which to dispose of the hardware appliance?

Options:

A.

Ensure the hardware appliance has the ability to encrypt the data before disposing of it.

B.

Dispose of all hardware appliances securely, thoroughly, and in compliance with company policies.

C.

Return the hardware appliance to the vendor, as the vendor is responsible for disposal.

D.

Establish guidelines for the handling of sensitive information.

Question 35

A forensic analyst is conducting an investigation on a compromised server. Which of the following should the analyst do first to preserve evidence?

Options:

A.

Restore damaged data from the backup media

B.

Create a system timeline

C.

Monitor user access to compromised systems

D.

Back up all log files and audit trails

Question 36

An analyst is reviewing a web developer's workstation for potential compromise. While examining the workstation's hosts file, the analyst observes the following:

Which of the following hosts file entries should the analyst use for further investigation?

Options:

A.

::1

B.

127.0.0.1

C.

192.168.3.249

D.

198.51.100.5

Question 37

An analyst is responding to an incident within a cloud infrastructure. Based on the logs and traffic analysis, the analyst thinks a container has been compromised. Which of the following should the analyst do FIRST?

Options:

A.

Perform threat hunting in other areas of the cloud infrastructure

B.

Contact law enforcement to report the incident

C.

Perform a root cause analysis on the container and the service logs

D.

Isolate the container from production using a predefined policy template

Question 38

Which of the following is a reason to use a risk-based cybersecurity framework?

Options:

A.

A risk-based approach always requires quantifying each cyber risk faced by an organization

B.

A risk-based approach better allocates an organization's resources against cyberthreats and vulnerabilities

C.

A risk-based approach is driven by regulatory compliance and is required for most organizations

D.

A risk-based approach prioritizes vulnerability remediation by threat hunting and other qualitative-based processes

Question 39

A security analyst is reviewing a firewall usage report that contains traffic generated over the last 30 minutes in order to locate unusual traffic patterns:

Which of the following source IP addresses does the analyst need to investigate further?

Options:

A.

10.18.76.179

B.

10.50.180.49

C.

192.168.48.147

D.

192.168.100.5

Question 40

A threat intelligence group issued a warning to its members regarding an observed increase in attacks performed by a specific threat actor and the related IoCs. Which of the following is the best method to operationalize these IoCs to detect future attacks?

Options:

A.

Analyzing samples of associated malware

B.

Publishing an internal executive threat report

C.

Executing an adversary emulation exercise

D.

Integrating the company's SIEM platform

Question 41

A company notices unknown devices connecting to the internal network and would like to implement a solution to block all non-corporate managed machines. Which of the following solutions would be best to accomplish this goal?

Options:

A.

WPA2 for Wi-Fi networks

B.

NAC with 802.1X implementation

C.

Extensible Authentication Protocol

D.

RADIUS with challenge/response

Question 42

An application developer needs help establishing a digital certificate for a new application. Which of the following illustrates a certificate management best practice?

Options:

A.

Ensure the certificate is applied to the certificate revocation list.

B.

Ensure the certificate key algorithm is SHA-1 compliant.

C.

Ensure the certificate is requested from a trusted CA.

D.

Ensure the developer has self-signed the certificate.

E.

Ensure the certificate key is less than 1028 bits long.

Question 43

A security analyst needs to provide a copy of a hard drive for forensic analysis. Which of the following would allow the analyst to perform the task?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 44

A security analyst is concerned about sensitive data living on company file servers following a zero-day attack that nearly resulted in a breach of millions of customer records. The after action report indicates a lack of controls around the file servers that contain sensitive data. Which of the following DLP considerations would best help the analyst to classify and address the sensitive data on the file servers?

Options:

A.

Implement a CASB device and connect the SaaS applications.

B.

Deploy network DLP appliances pointed to all file servers.

C.

Use data-at-rest scans to locate and identify sensitive data.

D.

Install endpoint DLP agents on all computing resources.

Question 45

Which of the following is the BEST way to gather patch information on a specific server?

Options:

A.

Event Viewer

B.

Custom script

C.

SCAP software

D.

CI/CD

Question 46

Which of the following allows Secure Boot to be enabled?

Options:

A.

eFuse

B.

UEFI

C.

MSM

D.

PAM

Question 47

After a remote command execution incident occurred on a web server, a security analyst found the following piece of code in an XML file:

Which of the following is the BEST solution to mitigate this type of attack?

Options:

A.

Implement a better level of user input filters and content sanitization.

B.

Properly configure XML handlers so they do not process sent parameters coming from user inputs.

C.

Use parameterized queries to avoid user inputs from being processed by the server.

D.

Escape user inputs using character encoding conjoined with whitelisting

Question 48

A Chief Executive Officer (CEO) is concerned the company will be exposed to data sovereignty issues as a result of some new privacy regulations. To help mitigate this risk, the Chief Information Security Officer (CISO) wants to implement an appropriate technical control. Which of the following would meet the requirement?

Options:

A.

Data masking procedures

B.

Enhanced encryption functions

C.

Regular business impact analysis functions

D.

Geographic access requirements

Question 49

A security analyst is reviewing the following log entries to identify anomalous activity:

Which of the following attack types is occurring?

Options:

A.

Directory traversal

B.

SQL injection

C.

Buffer overflow

D.

Cross-site scripting

Question 50

A developer downloaded and attempted to install a file transfer application in which the installation package is bundled with adware. The next-generation antivirus software prevented the file from executing, but it did not remove the file from the device. Over the next few days, more developers tried to download and execute the offending file. Which of the following changes should be made to the security tools to BEST remedy the issue?

Options:

A.

Blacklist the hash in the next-generation antivirus system.

B.

Manually delete the file from each of the workstations.

C.

Remove administrative rights from all developer workstations.

D.

Block the download of the file via the web proxy

Question 51

A security analyst discovers suspicious host activity while performing monitoring activities. The analyst pulls a packet capture for the activity and sees the following:

Which of the following describes what has occurred?

Options:

A.

The host attempted to download an application from utoftor.com.

B.

The host downloaded an application from utoftor.com.

C.

The host attempted to make a secure connection to utoftor.com.

D.

The host rejected the connection from utoftor.com.

Question 52

An organizational policy requires one person to input accounts payable and another to do accounts receivable. A separate control requires one person to write a check and another person to sign all checks greater than $5,000 and to get an additional signature for checks greater than $10,000. Which of the following controls has the organization implemented?

Options:

A.

Segregation of duties

B.

Job rotation

C.

Non-repudiation

D.

Dual control

Question 53

Which of the following best explains why it is important for companies to implement both privacy and security policies?

Options:

A.

Private data is insecure by design, so different programs ensure both policies are addressed.

B.

Security policies will automatically ensure the data complies with privacy regulations.

C.

Privacy policies will satisfy all regulations to secure consumer and sensitive company data.

D.

Both policies have some overlap, but the differences can have regulatory consequences.

Question 54

Which of the following are important reasons for performing proactive threat-hunting activities? (Select two).

Options:

A.

To ensure all alerts are fully investigated

B.

To test incident response capabilities

C.

To uncover unknown threats

D.

To allow alerting rules to be more specific

E.

To create a new security baseline

F.

To improve user awareness about security threats

Question 55

During an incident, it is determined that a customer database containing email addresses, first names, and last names was exfiltrated. Which of the following should the security analyst do NEXT?

Options:

A.

Consult with the legal department for regulatory impact.

B.

Encrypt the database with available tools.

C.

Email the customers to inform them of the breach.

D.

Follow the incident communications process.

Question 56

A security officer needs to find the most cost-effective solution to the current data privacy and protection gap found in the last security assessment. Which of the following is the BEST recommendation?

Options:

A.

Require users to sign NDAs

B.

Create a data minimization plan.

C.

Add access control requirements.

D.

Implement a data loss prevention solution.

Question 57

An incident response plan requires systems that contain critical data to be triaged first in the event of a compromise. Which of the following types of data would most likely be classified as critical?

Options:

A.

Encrypted data

B.

data

C.

Masked data

D.

Marketing data

Question 58

A new variant of malware is spreading on the company network using TCP 443 to contact its command-and-control server. The domain name used for callback continues to change, and the analyst is unable to predict future domain name variance. Which of the following actions should the analyst take to stop malicious communications with the LEAST disruption to service?

Options:

A.

Implement a sinkhole with a high entropy level

B.

Disable TCP/53 at the perimeter firewall

C.

Block TCP/443 at the edge router

D.

Configure the DNS forwarders to use recursion

Question 59

A security analyst is reviewing port scan data that was collected over the course of several months. The following data represents the trends:

Which of the following is the BEST action for the security analyst to take after analyzing the trends?

Options:

A.

Review the system configurations to determine if port 445 needs to be open.

B.

Assume there are new instances of Apache in the environment.

C.

Investigate why the number of open SSH ports varied during the six months.

D.

Raise a concern to a supervisor regarding possible malicious use of port 8443.

Question 60

An incident response team detected malicious software that could have gained access to credit card data. The incident response team was able to mitigate significant damage and implement corrective actions. By having incident response mechanisms in place, which of the following should be notified for lessons learned?

Options:

A.

The human resources department

B.

Customers

C.

Company leadership

D.

The legal team

Question 61

An organization is concerned about the security posture of vendors with access to its facilities and systems. The organization wants to implement a vendor review process to ensure the policies implemented by vendors are in line with its own. Which of the following will provide the highest assurance of compliance?

Options:

A.

An in-house red-team report

B.

A vendor self-assessment report

C.

An independent third-party audit report

D.

Internal and external scans from an approved third-party vulnerability vendor

Question 62

A routine vulnerability scan detected a known vulnerability in a critical enterprise web application. Which of the following would be the BEST next step?

Options:

A.

Submit a change request to have the system patched

B.

Evaluate the risk and criticality to determine if further action is necessary

C.

Notify a manager of the breach and initiate emergency procedures.

D.

Remove the application from production and inform the users.

Question 63

An internally developed file-monitoring system identified the following excerpt as causing a program to crash often:

Which of the following should a security analyst recommend to fix the issue?

Options:

A.

Open the access.log file in read/write mode.

B.

Replace the strcpy function.

C.

Perform input sanitization

D.

Increase the size of the file data buffer

Question 64

A technician working at company.com received the following email:

After looking at the above communication, which of the following should the technician recommend to the security team to prevent exposure of sensitive information and reduce the risk of corporate data being stored on non-corporate assets?

Options:

A.

Forwarding of corporate email should be disallowed by the company.

B.

A VPN should be used to allow technicians to troubleshoot computer issues securely.

C.

An email banner should be implemented to identify emails coming from external sources.

D.

A rule should be placed on the DLP to flag employee IDs and serial numbers.

Question 65

A security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output:

Which of the following commands should the administrator run next to further analyze the compromised system?

Options:

A.

gbd /proc/1301

B.

rpm -V openssh-server

C.

/bin/ls -l /proc/1301/exe

D.

kill -9 1301

Question 66

A company needs to expand its development group due to an influx of new feature requirements from its customers. To do so quickly, the company is using junior-level developers to fill in as needed. The company has found a number of vulnerabilities that have a direct correlation to the code contributed by the junior-level developers. Which of the following controls would best help to reduce the number of software vulnerabilities introduced by this situation?

Options:

A.

Requiring senior-level developers to review code written by junior-level developers

B.

Hiring senior-level developers only

C.

Allowing only senior-level developers to write code for new features

D.

Using authorized source code repositories only

Question 67

A security analyst discovers the company's website is vulnerable to cross-site scripting. Which of the following solutions will best remedy the vulnerability?

Options:

A.

Prepared statements

B.

Server-side input validation

C.

Client-side input encoding

D.

Disabled JavaScript filtering

Question 68

Which of the following is MOST dangerous to the client environment during a vulnerability assessment penetration test?

Options:

A.

There is a longer period of time to assess the environment.

B.

The testing is outside the contractual scope

C.

There is a shorter period of time to assess the environment

D.

No status reports are included with the assessment.

Question 69

A security analyst responds to a series of events surrounding sporadic bandwidth consumption from an endpoint device. The security analyst then identifies the following additional details:

• Bursts of network utilization occur approximately every seven days.

• The content being transferred appears to be encrypted or obfuscated.

• A separate but persistent outbound TCP connection from the host to infrastructure in a third-party cloud is in place.

• The HDD utilization on the device grows by 10GB to 12GB over the course of every seven days.

• Single file sizes are 10GB.

Which of the following describes the most likely cause of the issue?

Options:

A.

Memory consumption

B.

Non-standard port usage

C.

Data exfiltration

D.

System update

E.

Botnet participant

Question 70

A company is building a new fabrication plant and designing its production lines based on the products it manufactures and the networks to support them. The security engineer has the following requirements:

• Each production line must be secured using a single posture.

• Each production line must only communicate with the other lines in a least privilege method.

• Access to each production line from the rest of the network must be strictly controlled.

To best provide the protection that meets these requirements, each product line should be:

Options:

A.

logically segmented and firewalled to control inbound and outbound connectivity.

B.

air gapped and firewalled to manage connectivity.

C.

air gapped but connected to one another by data diodes.

D.

logically segmented and then air gapped to specifically limit traffic.

Question 71

As part of the senior leadership team's ongoing risk management activities, the Chief Information Security Officer has tasked a security analyst with coordinating the right training and testing methodology to respond to new business initiatives or significant changes to existing ones. The management team wants to examine a new business process that would use existing infrastructure to process and store sensitive data. Which of the following would be appropriate for the security analyst to coordinate?

Options:

A.

A black-box penetration testing engagement

B.

A tabletop exercise

C.

Threat modeling

D.

A business impact analysis

Question 72

A user reports a malware alert to the help desk. A technician verifies the alert, determines the workstation is classified as a low-severity device, and uses network controls to block access. The technician then assigns the ticket to a security analyst who will complete the eradication and recovery processes. Which of the following should the security analyst do next?

Options:

A.

Document the procedures and walk through the incident training guide.

B.

Reverse engineer the malware to determine its purpose and risk to the organization.

C.

Sanitize the workstation and verify countermeasures are restored.

D.

Isolate the workstation and issue a new computer to the user.

Question 73

A security analyst wants to capture large amounts of network data that will be analyzed at a later time. The packet capture does not need to be in a format that is readable by humans, since it will be put into a binary file called "packetCapture." The capture must be as efficient as possible, and the analyst wants to minimize the likelihood that packets will be missed. Which of the following commands will best accomplish the analyst's objectives?

Options:

A.

tcpdump -w packetCapture

B.

tcpdump -a packetCapture

C.

tcpdump -n packetCapture

D.

nmap -v > packetCapture

E.

nmap -oA > packetCapture

Question 74

An organization is required to be able to consume multiple threat feeds simultaneously and to provide actionable intelligence to various teams. The organization would also like to be able to leverage the intelligence to enrich security event data. Which of the following functions would most likely help the security analyst meet the organization's requirements?

Options:

A.

Vulnerability management

B.

Risk management

C.

Detection and monitoring

D.

Incident response

Question 75

A security analyst needs to automate the incident response process for malware infections. When the following logs are generated, an alert email should automatically be sent within 30 minutes:

Which of the following is the best way for the analyst to automate alert generation?

Options:

A.

Deploy a signature-based IDS

B.

Install a UEBA-capable antivirus

C.

Implement email protection with SPF

D.

Create a custom rule on a SIEM

Question 76

A cybersecurity analyst needs to harden a server that is currently being used as a web server. The server needs to be accessible when entering www.company.com into the browser. Additionally, web pages require frequent updates, which are performed by a remote contractor. Given the following output:

Which of the following should the cybersecurity analyst recommend to harden the server? (Select TWO).

Options:

A.

Uninstall the DNS service

B.

Perform a vulnerability scan

C.

Change the server's IP to a private IP address

D.

Disable the Telnet service

E.

Block port 80 with the host-based firewall

F.

Change the SSH port to a non-standard port

Question 77

A new government regulation requires that organizations only retain the minimum amount of data on a person to perform the organization's necessary activities. Which of the following techniques would help an organization comply with this new regulation?

Options:

A.

Storing the highest-risk data in a separate and secured environment

B.

Limiting access to data on a need-to-know basis

C.

Deidentifying a data subject throughout the organization's applications

D.

Having a privacy expert peer review source code before deployment

Question 78

An organization has specific technical risk mitigation configurations that must be implemented before a new server can be approved for production. Several critical servers were recently deployed with the antivirus missing, unnecessary ports disabled, and insufficient password complexity. Which of the following should the analyst recommend to prevent a recurrence of this risk exposure?

Options:

A.

Perform password-cracking attempts on all devices going into production

B.

Perform an Nmap scan on all devices before they are released to production

C.

Perform antivirus scans on all devices before they are approved for production

D.

Perform automated security controls testing of expected configurations prior to production

Question 79

During the forensic analysis of a compromised machine, a security analyst discovers some binaries that are exhibiting abnormal behaviors. After extracting the strings, the analyst finds unexpected content. Which of the following is the next step the analyst should take?

Options:

A.

Validate the binaries' hashes from a trusted source.

B.

Use file integrity monitoring to validate the digital signature

C.

Run an antivirus against the binaries to check for malware.

D.

Only allow binaries on the approve list to execute.

Question 80

Which of the following BEST describes HSM?

Options:

A.

A computing device that manages cryptography, decrypts traffic, and maintains library calls

B.

A computing device that manages digital keys, performs encryption/decryption functions, and maintains other cryptographic functions

C.

A computing device that manages physical keys, encrypts devices, and creates strong cryptographic functions

D.

A computing device that manages algorithms, performs entropy functions, and maintains digital signatures

Question 81

A security analyst who works in the SOC receives a new requirement to monitor for indicators of compromise. Which of the following is the first action the analyst should take in this situation?

Options:

A.

Develop a dashboard to track the indicators of compromise.

B.

Develop a query to search for the indicators of compromise.

C.

Develop a new signature to alert on the indicators of compromise.

D.

Develop a new signature to block the indicators of compromise.

Question 82

A company's legal and accounting teams have decided it would be more cost-effective to offload the risks of data storage to a third party. The IT management team has decided to implement a cloud model and has asked the security team for recommendations. Which of the following will allow all data to be kept on the third-party network?

Options:

A.

VDI

B.

SaaS

C.

CASB

D.

FaaS

Question 83

In SIEM software, a security analyst detected some changes to hash signatures from monitored files during the night followed by SMB brute-force attacks against the file servers. Based on this behavior, which of the following actions should be taken FIRST to prevent a more serious compromise?

Options:

A.

Fully segregate the affected servers physically in a network segment, apart from the production network.

B.

Collect the network traffic during the day to understand if the same activity is also occurring during business hours

C.

Check the hash signatures, comparing them with malware databases to verify if the files are infected.

D.

Collect all the files that have changed and compare them with the previous baseline

Question 84

A security analyst recently observed evidence of an attack against a company's web server. The analyst investigated the issue but was unable to find an exploit that adequately explained the observations.

Which of the following is the MOST likely cause of this issue?

Options:

A.

The security analyst needs updated forensic analysis tools.

B.

The security analyst needs more training on threat hunting and research.

C.

The security analyst has potentially found a zero-day vulnerability that has been exploited.

D.

The security analyst has encountered a polymorphic piece of malware.

Question 85

A security analyst was transferred to an organization's threat-hunting team to track specific activity throughout the enterprise environment. The analyst must observe and assess the number of times this activity occurs and aggregate the results. Which of the following is the BEST threat-hunting method for the analyst to use?

Options:

A.

Stack counting

B.

Searching

C.

Clustering

D.

Grouping

Question 86

As a proactive threat-hunting technique, hunters must develop situational cases based on likely attack scenarios derived from the available threat intelligence information. After forming the basis of the scenario, which of the following may the threat hunter construct to establish a framework for threat assessment?

Options:

A.

Critical asset list

B.

Threat vector

C.

Attack profile

D.

Hypothesis

Question 87

Forming a hypothesis, looking for indicators of compromise, and using the findings to proactively improve detection capabilities are examples of the value of:

Options:

A.

vulnerability scanning.

B.

threat hunting.

C.

red teaming.

D.

penetration testing.

Question 88

A cybersecurity analyst routinely checks logs, querying for login attempts. While querying for unsuccessful login attempts during a five-day period, the analyst produces the following report:

Which of the following BEST describes what the analyst just found?

Options:

A.

Users 4 and 5 are using their credentials to transfer files to multiple servers.

B.

Users 4 and 5 are using their credentials to run an unauthorized scheduled task targeting some servers in the cloud.

C.

An unauthorized user is using login credentials in a script.

D.

A bot is running a brute-force attack in an attempt to log in to the domain.

Question 89

A security analyst reviews SIEM logs and discovers the following error event:

Which of the following environments does the analyst need to examine to continue troubleshooting the event?

Options:

A.

Proxy server

B.

SQL server

C.

Windows domain controller

D.

WAF appliance

E.

DNS server

Question 90

A software developer is correcting the error-handling capabilities of an application following the initial coding of the fix. Which of the following would the software developer MOST likely perform to validate the code prior to pushing it to production?

Options:

A.

Web-application vulnerability scan

B.

Static analysis

C.

Packet inspection

D.

Penetration test

Question 91

A security analyst is reviewing WAF alerts and sees the following request:

Which of the following BEST describes the attack?

Options:

A.

SQL injection

B.

LDAP injection

C.

Command injection

D.

Denial of service

Question 92

A security analyst is performing a Diamond Model analysis of an incident the company had last quarter. A potential benefit of this activity is that it can identify:

Options:

A.

detection and prevention capabilities to improve.

B.

which systems were exploited more frequently.

C.

possible evidence that is missing during forensic analysis.

D.

which analysts require more training.

E.

the time spent by analysts on each of the incidents.

Question 93

Which of the following would best protect sensitive data if a device is stolen?

Options:

A.

Remote wipe of drive

B.

Self-encrypting drive

C.

Password-protected hard drive

D.

Bus encryption

Question 94

Which of the following describes the difference between intentional and unintentional insider threats?

Options:

A.

Their access levels will be different

B.

The risk factor will be the same

C.

Their behavior will be different

D.

The rate of occurrence will be the same

Question 95

A security analyst is reviewing a vulnerability scan report and notes the following finding:

As part of the detection and analysis procedures, which of the following should the analyst do NEXT?

Options:

A.

Patch or reimage the device to complete the recovery

B.

Restart the antivirus running processes

C.

Isolate the host from the network to prevent exposure

D.

Confirm the workstation's signatures against the most current signatures.

Question 96

A security administrator needs to provide access from partners to an isolated laboratory network inside an organization that meets the following requirements:

• The partners' PCs must not connect directly to the laboratory network.

• The tools the partners need to access while on the laboratory network must be available to all partners

• The partners must be able to run analyses on the laboratory network, which may take hours to complete

Which of the following capabilities will MOST likely meet the security objectives of the request?

Options:

A.

Deployment of a jump box to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis

B.

Deployment of a firewall to allow access to the laboratory network and use of VDI in non-persistent mode to provide the necessary tools for analysis

C.

Deployment of a firewall to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis

D.

Deployment of a jump box to allow access to the laboratory network and use of VDI in non-persistent mode to provide the necessary tools for analysis

Question 97

An application must pass a vulnerability assessment to move to the next gate. Consequently, any security issues that are found must be remediated prior to the next gate. Which of the following best describes the method for end-to-end vulnerability assessment?

Options:

A.

Security regression testing

B.

Static analysis

C.

Dynamic analysis

D.

Stress testing

Question 98

A manufacturing company uses a third-party service provider for Tier 1 security support. One of the requirements is that the provider must only source talent from its own country due to geopolitical and national security interests. Which of the following can the manufacturing company implement to ensure the third-party service provider meets this requirement?

Options:

A.

Implement a secure supply chain program with governance.

B.

Implement blacklisting for IP addresses from outside the country.

C.

Implement strong authentication controls for all contractors.

D.

Implement user behavior analytics for key staff members.

Question 99

A security manager has asked an analyst to provide feedback on the results of a penetration test. After reviewing the results, the manager requests information regarding the possible exploitation of vulnerabilities. Which of the following information data points would be MOST useful for the analyst to provide to the security manager, who would then communicate the risk factors to the senior management team? (Select TWO).

Options:

A.

Probability

B.

Adversary capability

C.

Attack vector

D.

Impact

E.

Classification

F.

Indicators of compromise

Question 100

An analyst is reviewing email headers to determine if an email has been sent from a legitimate sender. The organization uses SPF to validate email origination. Which of the following most likely indicates an invalid originator?

Options:

A.

Received-SPF: neutral

B.

Received-SPF: none

C.

Received-SPF: softfail

D.

Received-SPF: error

Question 101

An organization has the following risk mitigation policy:

Risks with a probability of 95% or greater will be addressed before all others regardless of the impact.

All other prioritization will be based on risk value.

The organization has identified the following risks:

Which of the following is the order of priority for risk mitigation from highest to lowest?

Options:

A.

A, B, D, C

B.

A, B, C, D

C.

D, A, B, C

D.

D, A, C, B

Question 102

An organization has the following policy statements:

• All emails entering or leaving the organization will be subject to inspection for malware, policy violations, and unauthorized content.

• All network activity will be logged and monitored.

• Confidential data will be tagged and tracked

• Confidential data must never be transmitted in an unencrypted form.

• Confidential data must never be stored on an unencrypted mobile device.

Which of the following is the organization enforcing?

Options:

A.

Acceptable use policy

B.

Data privacy policy

C.

Encryption policy

D.

Data management policy

Question 103

A security team has begun updating the risk management plan, incident response plan, and system security plan to ensure compliance with security review guidelines. Which of the following can be executed by internal managers to simulate and validate the proposed changes?

Options:

A.

Internal management review

B.

Control assessment

C.

Tabletop exercise

D.

Peer review

Question 104

A security analyst discovers the accounting department is hosting an accounts receivable form on a public document service. Anyone with the link can access it. Which of the following threats applies to this situation?

Options:

A.

Potential data loss to external users

B.

Loss of public/private key management

C.

Cloud-based authentication attack

D.

Identification and authentication failures

Question 105

During an audit, several customer order forms were found to contain inconsistencies between the actual price of an item and the amount charged to the customer. Further investigation narrowed the cause of the issue to manipulation of the public-facing web form used by customers to order products. Which of the following would be the BEST way to locate this issue?

Options:

A.

Reduce the session timeout threshold

B.

Deploy MFA for access to the web server

C.

Implement input validation

D.

Run a static code scan

Question 106

While conducting a cloud assessment, a security analyst performs a Prowler scan, which generates the following within the report:

Based on the Prowler report, which of the following is the BEST recommendation?

Options:

A.

Delete CloudDev access key 1.

B.

Delete BusinessUsr access key 1.

C.

Delete access key 1.

D.

Delete access key 2.

Question 107

Members of the sales team are using email to send sensitive client lists with contact information to their personal accounts. The company's AUP and code of conduct prohibit this practice. Which of the following configuration changes would improve security and help prevent this from occurring?

Options:

A.

Configure the DLP transport rules to provide deep content analysis.

B.

Put employees' personal email accounts on the mail server on a blocklist.

C.

Set up IPS to scan for outbound emails containing names and contact information.

D.

Use Group Policy to prevent users from copying and pasting information into emails.

E.

Move outbound emails containing names and contact information to a sandbox for further examination.

Question 108

A security analyst sees the following OWASP ZAP output from a scan that was performed against a modern version of Windows while testing for client-side vulnerabilities:

Which of the following is the MOST likely solution to the listed vulnerability?

Options:

A.

Enable the browser's XSS filter.

B.

Enable Windows XSS protection

C.

Enable the browser's protected pages mode

D.

Enable server-side XSS protection

Question 109

An organization's internal department frequently uses a cloud provider to store large amounts of sensitive data. A threat actor has deployed a virtual machine to at the use of the cloud hosted hypervisor, the threat actor has escalated the access rights. Which of the following actions would be BEST to remediate the vulnerability?

Options:

A.

Sandbox the virtual machine.

B.

Implement an MFA solution.

C.

Update to the secure hypervisor version.

D.

Implement dedicated hardware for each customer.

Question 110

Which of the following incident response components can identify who is the liaison between multiple lines of business and the public?

Options:

A.

Red-team analysis

B.

Escalation process and procedures

C.

Triage and analysis

D.

Communications plan

Question 111

An organization has a policy that requires servers to be dedicated to one function and unneeded services to be disabled. Given the following output from an Nmap scan of a web server:

Which of the following ports should be closed?

Options:

A.

22

B.

80

C.

443

D.

1433
