CompTIA Cybersecurity Analyst (CySA+) CS0-002 Exam Dumps (V14.02) Updated Materials For Preparation

Eleanor2024-10-14T15:25:09+00:00

By Eleanor CompTIA, CompTIA CySA+

ITPrepare gives you the most updated CS0-002 exam dumps (V14.02) to help you prepare for the CompTIA Cybersecurity Analyst (CySA+) certification exam well. Don’t waste your money preparing to take the CompTIA Cybersecurity Analyst (CySA+) CS0-002 exam by using the latest CS0-002 exam dumps PDF from ITPrepare. You can expect to score the best and highest marks in your CS0-002 exam. Choosing the CS0-002 exam dumps pdf file is a great way to study in preparation for the CompTIA Cybersecurity Analyst (CySA+) exam.

CompTIA Cybersecurity Analyst (CySA+) CS0-002 FREE Exam Dumps Demo

Page 1 of 10

1. Which of the following technologies can be used to house the entropy keys for disk encryption on desktops and laptops?

Self-encrypting drive

Bus encryption

TPM

HSM

2. An analyst is investigating an anomalous event reported by the SOC. After reviewing the system logs the analyst identifies an unexpected addition of a user with root-level privileges on the endpoint .

Which of the following data sources will BEST help the analyst to determine whether this event constitutes an incident?

Patching logs

Threat feed

Backup logs

Change requests

Data classification matrix

3. A cyber-incident response analyst is investigating a suspected cryptocurrency miner on a company's server.

Which of the following is the FIRST step the analyst should take?

Create a full disk image of the server's hard drive to look for the file containing the malware.

Run a manual antivirus scan on the machine to look for known malicious software.

Take a memory snapshot of the machine to capture volatile information stored in memory.

Start packet capturing to look for traffic that could be indicative of command and control from the miner.

4. Which of the following should be found within an organization's acceptable use policy?

Passwords must be eight characters in length and contain at least one special character.

Customer data must be handled properly, stored on company servers, and encrypted when possible

Administrator accounts must be audited monthly, and inactive accounts should be removed.

Consequences of violating the policy could include discipline up to and including termination.

5. A security analyst working in the SOC recently discovered Balances m which hosts visited a specific set of domains and IPs and became infected with malware .

Which of the following is the MOST appropriate action to take in the situation?

implement an IPS signature for the malware and update the blacklisting for the associated domains and IPs

Implement an IPS signature for the malware and another signature request to Nock all the associated domains and IPs

Implement a change request to the firewall setting to not allow traffic to and from the IPs and domains

Implement an IPS signature for the malware and a change request to the firewall setting to not allow traffic to and from the IPs and domains

6. An organization was alerted to a possible compromise after its proprietary data was found for sale on the Internet. An analyst is reviewing the logs from the next-generation UTM in an attempt to find evidence of this breach.

Given the following output:

Which of the following should be the focus of the investigation?

webserver.org-dmz.org

sftp.org-dmz.org

83hht23.org-int.org

ftps.bluemed.net

7. After receiving reports latency, a security analyst performs an Nmap scan and observes the following output:

Which of the following suggests the system that produced output was compromised?

Secure shell is operating of compromise on this system.

There are no indicators of compromise on this system.

MySQL services is identified on a standard PostgreSQL port.

Standard HTP is open on the system and should be closed.

8. A security analyst is investigating a compromised Linux server.

The analyst issues the ps command and receives the following output.

Which of the following commands should the administrator run NEXT to further analyze the compromised system?

strace /proc/1301

rpm -V openash-server

/bin/la -1 /proc/1301/exe

kill -9 1301

9. Which of the following MOST accurately describes an HSM?

An HSM is a low-cost solution for encryption.

An HSM can be networked based or a removable USB

An HSM is slower at encrypting than software

An HSM is explicitly used for MFA

10. An information security analyst observes anomalous behavior on the SCADA devices in a power plant. This behavior results in the industrial generators overheating and destabilizing the power supply.

Which of the following would BEST identify potential indicators of compromise?

Use Burp Suite to capture packets to the SCADA device's I

Use tcpdump to capture packets from the SCADA device I

Use Wireshark to capture packets between SCADA devices and the management system.

Use Nmap to capture packets from the management system to the SCADA devices.

Page 2 of 10

11. A small organization has proprietary software that is used internally. The system has not been well maintained and cannot be updated with the rest of the environment.

Which of the following is the BEST solution?

Virtualize the system and decommission the physical machine.

Remove it from the network and require air gapping.

Only allow access to the system via a jumpbox

Implement MFA on the specific system.

12. A security analyst has been alerted to several emails that snow evidence an employee is planning malicious activities that involve employee Pll on the network before leaving the organization.

The security analysis BEST response would be to coordinate with the legal department and:

the public relations department

senior leadership

law enforcement

the human resources department

13. An information security analyst is reviewing backup data sets as part of a project focused on eliminating archival data sets.

Which of the following should be considered FIRST prior to disposing of the electronic data?

Sanitization policy

Data sovereignty

Encryption policy

Retention standards

14. An analyst has been asked to provide feedback regarding the control required by a revised regulatory framework. At this time, the analyst only needs to focus on the technical controls .

Which of the following should the analyst provide an assessment of?

Tokenization of sensitive data

Establishment o' data classifications

Reporting on data retention and purging activities

Formal identification of data ownership

Execution of NDAs

15. During a cyber incident, which of the following is the BEST course of action?

Switch to using a pre-approved, secure, third-party communication system.

Keep the entire company informed to ensure transparency and integrity during the incident.

Restrict customer communication until the severity of the breach is confirmed.

Limit communications to pre-authorized parties to ensure response efforts remain confidential.

16. A monthly job to install approved vendor software updates and hot fixes recently stopped working. The security team performed a vulnerability scan, which identified several hosts as having some critical OS vulnerabilities, as referenced in the common vulnerabilities and exposures (CVE) database.

Which of the following should the security team do NEXT to resolve the critical findings in the most effective manner? (Choose two.)

Patch the required hosts with the correct updates and hot fixes, and rescan them for vulnerabilities.

Remove the servers reported to have high and medium vulnerabilities.

Tag the computers with critical findings as a business risk acceptance.

Manually patch the computers on the network, as recommended on the CVE website.

Harden the hosts on the network, as recommended by the NIST framework.

Resolve the monthly job issues and test them before applying them to the production network.

17. A company just chose a global software company based in Europe to implement a new supply chain management solution .

Which of the following would be the MAIN concern of the company?

Violating national security policy

Packet injection

Loss of intellectual property

International labor laws

18. A web developer wants to create a new web part within the company website that aggregates sales from individual team sites. A cybersecurity analyst wants to ensure security measurements are implemented during this process .

Which of the following remediation actions should the analyst take to implement a vulnerability management process?

Personnel training

Vulnerability scan

Change management

Sandboxing

19. Which of the following BEST describes the process by which code is developed, tested, and deployed in small batches?

Agile

Waterfall

SDLC

Dynamic code analysis

20. A Chief Information Security Officer (CISO) wants to upgrade an organization's security posture by improving proactive activities associated with attacks from internal and external threats.

Which of the following is the MOST proactive tool or technique that feeds incident response capabilities?

Development of a hypothesis as part of threat hunting

Log correlation, monitoring, and automated reporting through a SIEM platform

Continuous compliance monitoring using SCAP dashboards

Quarterly vulnerability scanning using credentialed scans

Page 3 of 10

21. A security analyst recently discovered two unauthorized hosts on the campus's wireless network segment from a man-m-the-middle attack. The security analyst also verified that privileges were not escalated, and the two devices did not gain access to other network devices.

Which of the following would BEST mitigate and improve the security posture of the wireless network for this type of attack?

Enable MAC filtering on the wireless router and suggest a stronger encryption for the wireless network,

Change the SSID, strengthen the passcode, and implement MAC filtering on the wireless router.

Enable MAC filtering on the wireless router and create a whitelist that allows devices on the network

Conduct a wireless survey to determine if the wireless strength needs to be reduced.

22. During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website.

Which of the following would be the MOST appropriate recommendation to prevent the activity from happening in the future?

An IPS signature modification for the specific IP addresses

An IDS signature modification for the specific IP addresses

A firewall rule that will block port 80 traffic

A firewall rule that will block traffic from the specific IP addresses

23. During an incident, a cybersecurity analyst found several entries in the web server logs that are related to an IP with a bad reputation.

Which of the following would cause the analyst to further review the incident?

A)

Option A

Option B

Option C

Option D

Option E

24. A security analyst discovers accounts in sensitive SaaS-based systems are not being removed in a timely manner when an employee leaves the organization To BEST resolve the issue, the organization should implement

federated authentication

role-based access control.

manual account reviews

multifactor authentication.

25. The inability to do remote updates of certificates. keys software and firmware is a security issue commonly associated with:

web servers on private networks.

HVAC control systems

smartphones

firewalls and UTM devices

26. Which of the following attacks can be prevented by using output encoding?

Server-side request forgery

Cross-site scripting

SQL injection

Command injection

Cross-site request forgery

Directory traversal

27. An analyst is participating in the solution analysis process for a cloud-hosted SIEM platform to centralize log monitoring and alerting capabilities in the SOC.

Which of the following is the BEST approach for supply chain assessment when selecting a vendor?

Gather information from providers, including datacenter specifications and copies of audit reports.

Identify SLA requirements for monitoring and logging.

Consult with senior management for recommendations.

Perform a proof of concept to identify possible solutions.

28. Which of the following are components of the intelligence cycle? (Select TWO.)

Collection

Normalization

Response

Analysis

Correction

Dissension

29. A security analyst reviews the following aggregated output from an Nmap scan and the border firewall ACL:

Which of the following should the analyst reconfigure to BEST reduce organizational risk while maintaining current functionality?

PC1

PC2

Server1

Server2

Firewall

30. A security analyst is reviewing the logs from an internal chat server.

The chat.log file is too large to review manually, so the analyst wants to create a shorter log file that only includes lines associated with a user demonstrating anomalous activity.

Below is a snippet of the log:

Which of the following commands would work BEST to achieve the desired result?

grep -v chatter14 chat.log

grep -i pythonfun chat.log

grep -i javashark chat.log

grep -v javashark chat.log

grep -v pythonfun chat.log

grep -i chatter14 chat.log

Page 4 of 10

31. For machine learning to be applied effectively toward security analysis automation, it requires.

relevant training data.

a threat feed AP

a multicore, multiprocessor system.

anomalous traffic signatures.

32. An analyst identifies multiple instances of node-to-node communication between several endpoints within the 10.200.2.0/24 network and a user machine at the IP address 10.200.2.5. This user machine at the IP address 10.200.2.5 is also identified as initiating outbound communication during atypical business hours with several IP addresses that have recently appeared on threat feeds.

Which of the following can be inferred from this activity?

10.200.2.0/24 is infected with ransomware.

10.200.2.0/24 is not routable address space.

10.200.2.5 is a rogue endpoint.

10.200.2.5 is exfiltrating dat

33. A security analyst on the threat-hunting team has developed a list of unneeded, benign services that are currently running as part of the standard OS deployment for workstations.

The analyst will provide this list to the operations team to create a policy that will automatically disable the services for all workstations in the organization.

Which of the following BEST describes the security analyst's goal?

To create a system baseline

To reduce the attack surface

To optimize system performance

To improve malware detection

34. An executive assistant wants to onboard a new cloud based product to help with business analytics and dashboarding.

When of the following would be the BEST integration option for the service?

Manually log in to the service and upload data files on a regular basis.

Have the internal development team script connectivity and file translate to the new service.

Create a dedicated SFTP sue and schedule transfers to ensue file transport security

Utilize the cloud products API for supported and ongoing integrations

35. The computer incident response team at a multinational company has determined that a breach of sensitive data has occurred in which a threat actor has compromised the organization’s email system. Per the incident response procedures, this breach requires notifying the board immediately .

Which of the following would be the BEST method of communication?

Post of the company blog

Corporate-hosted encrypted email

VoIP phone call

Summary sent by certified mail

Externally hosted instant message

36. A large amount of confidential data was leaked during a recent security breach. As part of a forensic investigation, the security team needs to identify the various types of traffic that were captured between two compromised devices.

Which of the following should be used to identify the traffic?

Carving

Disk imaging

Packet analysis

Memory dump

Hashing

37. Which of the following is the use of tools to simulate the ability for an attacker to gain access to a specified network?

Reverse engineering

Fuzzing

Penetration testing

Network mapping

38. A product manager is working with an analyst to design a new application that will perform as a data analytics platform and will be accessible via a web browser. The product manager suggests using a PaaS provider to host the application.

Which of the following is a security concern when using a PaaS solution?

The use of infrastructure-as-code capabilities leads to an increased attack surface.

Patching the underlying application server becomes the responsibility of the client.

The application is unable to use encryption at the database level.

Insecure application programming interfaces can lead to data compromise.

39. An organization is moving its infrastructure to the cloud in an effort to meet the budget and reduce staffing requirements. The organization has three environments: development, testing, and production. These environments have interdependencies but must remain relatively segmented.

Which of the following methods would BEST secure the company's infrastructure and be the simplest to manage and maintain?

Create three separate cloud accounts for each environment. Configure account peering and security rules to allow access to and from each environment.

Create one cloud account with one VPC for all environments. Purchase a virtual firewall and create granular security rules.

Create one cloud account and three separate VPCs for each environment. Create security rules to allow access to and from each environment.

Create three separate cloud accounts for each environment and a single core account for network services. Route all traffic through the core account.

40. As part of a merger with another organization, a Chief Information Security Officer (CISO) is working with an assessor to perform a risk assessment focused on data privacy compliance. The CISO is primarily concerned with the potential legal liability and fines associated with data privacy.

Based on the CISO's concerns, the assessor will MOST likely focus on:

qualitative probabilities.

quantitative probabilities.

qualitative magnitude.

quantitative magnitude.

Page 5 of 10

41. A security analyst is building a malware analysis lab. The analyst wants to ensure malicious applications are not capable of escaping the virtual machines and pivoting to other networks.

To BEST mitigate this risk, the analyst should use.

an 802.11ac wireless bridge to create an air gap.

a managed switch to segment the lab into a separate VLA

a firewall to isolate the lab network from all other networks.

an unmanaged switch to segment the environments from one another.

42. A network attack that is exploiting a vulnerability in the SNMP is detected.

Which of the following should the cybersecurity analyst do FIRST?

Apply the required patches to remediate the vulnerability.

Escalate the incident to senior management for guidance.

Disable all privileged user accounts on the network.

Temporarily block the attacking IP address.

43. A security analyst suspects a malware infection was caused by a user who downloaded malware after clicking http://<malwaresource>/A.php in a phishing email.

To prevent other computers from being infected by the same malware variation, the analyst should create a rule on the.

email server that automatically deletes attached executables.

IDS to match the malware sample.

proxy to block all connections to <malwaresource>.

firewall to block connection attempts to dynamic DNS hosts.

44. A team of security analysis has been alerted to potential malware activity. The initial examination indicates one of the affected workstations on beaconing on TCP port 80 to five IP addresses and attempting to spread across the network over port 445 .

Which of the following should be the team's NEXT step during the detection phase of this response process?

Escalate the incident to management, who will then engage the network infrastructure team to keep them informed

Depending on system critically remove each affected device from the network by disabling wired and wireless connections

Engage the engineering team to block SMB traffic internally and outbound HTTP traffic to the five IP addresses Identify potentially affected systems by creating a correlation

Identify potentially affected system by creating a correlation search in the SIEM based on the network traffic.

45. A system is experiencing noticeably slow response times, and users are being locked out frequently. An analyst asked for the system security plan and found the system comprises two servers: an application server in the DMZ and a database server inside the trusted domain .

Which of the following should be performed NEXT to investigate the availability issue?

Review the firewall logs.

Review syslogs from critical servers.

Perform fuzzing.

Install a WAF in front of the application server.

46. A security team is implementing a new vulnerability management program in an environment that has a historically poor security posture. The team is aware of issues patch management in the environment and expects a large number of findings .

Which of the following would be the MOST efficient way to increase the security posture of the organization in the shortest amount of time?

Create an SLA stating that remediation actions must occur within 30 days of discovery for all levels of vulnerabilities.

Incorporate prioritization levels into the remediation process and address critical findings first.

Create classification criteria for data residing on different servers and provide remediation only for servers housing sensitive data.

Implement a change control policy that allows the security team to quickly deploy patches in the production environment to reduce the risk of any vulnerabilities found.

47. A security administrator needs to create an IDS rule to alert on FTP login attempts by root .

Which of the following rules is the BEST solution?

Option A

Option B

Option C

Option D

48. Because some clients have reported unauthorized activity on their accounts, a security analyst is reviewing network packet captures from the company's API server.

A portion of a capture file is shown below:

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.s/soap/envelope/"><s:Body><GetIPLocation+xmlns="http://tempuri.org/">

<request+xmlns:a="http://schemas.somesite.org"+xmlns:i="http://www.w3.org/2001/XMLSchema-instance"></s:Body></s:Envelope> 192.168.1.22 --api.somesite.com 200 0 1006 1001 0 192.168.1.22

POST /services/v1_0/Public/Members.svc/soap <<a:Password>Password123</a:Password><a:ResetPasswordToken+i:nil="true"/> <a:ShouldImpersonatedAuthenticationBePopulated+i:nil="true"/><a:Username>somebody@companyname.com</a:Username></request></Login></s:Body></s:Envelope> 192.168.5.66 --api.somesite.com 200 0 11558 1712 2024 192.168.4.89

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetIPLocation+xmlns="http://tempuri.org/"> <a:IPAddress>516.7.446.605</a:IPAddress><a:ZipCode+i:nil="true"/></request></GetIPLocation></s:Body></s:Envelope> 192.168.1.22 --api.somesite.com 200 0 1003 1011 307 192.168.1.22

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><IsLoggedIn+xmlns="http://tempuri.org/"> <request+xmlns:a="http://schemas.datacontract.org/2004/07/somesite.web+xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:Authentication> <a:ApiToken>kmL4krg2CwwWBan5BReGv5Djb7syxXTNKcWFuSjd</a:ApiToken><a:ImpersonateUserId>0</a:ImpersonateUserId><a:LocationId>161222</a:LocationId> <a:NetworkId>4</a:NetworkId><a:ProviderId>''1=1</a:ProviderId><a:UserId>13026046</a:UserId></a:Authentication></request></IsLoggedIn></s:Body></s:Envelope> 192.168.5.66 --api.somesite.com 200 0 1378 1209 48 192.168.4.89

Which of the following MOST likely explains how the clients' accounts were compromised?

The clients' authentication tokens were impersonated and replayed.

The clients' usernames and passwords were transmitted in cleartext.

An XSS scripting attack was carried out on the server.

A SQL injection attack was carried out on the server.

49. A security analyst received an alert from the SIEM indicating numerous login attempts from users outside their usual geographic zones, all of which were initiated through the web-based mail server. The logs indicate all domain accounts experienced two login attempts during the same time frame.

Which of the following is the MOST likely cause of this issue?

A password-spraying attack was performed against the organization.

A DDoS attack was performed against the organization.

This was normal shift work activity; the SIEM's AI is learning.

A credentialed external vulnerability scan was performed.

50. Which of the following technologies can be used to house the entropy keys for task encryption on desktops and laptops?

Self-encrypting drive

Bus encryption

TPM

HSM

Page 6 of 10

51. A human resources employee sends out a mass email to all employees that contains their personnel records. A security analyst is called in to address the concern of the human resources director on how to prevent this from happening in the future.

Which of the following would be the BEST solution to recommend to the director?

Install a data loss prevention system, and train human resources employees on its use. Provide PII training to all employees at the company. Encrypt PII information.

Enforce encryption on all emails sent within the company. Create a PII program and policy on how to handle dat

Train all human resources employees.

Train all employees. Encrypt data sent on the company network. Bring in privacy personnel to present a plan on how PII should be handled.

Install specific equipment to create a human resources policy that protects PII dat

Train company employees on how to handle PII dat

Outsource all PII to another company. Send the human resources director to training for PII handling.

52. A cybersecurity analyst is contributing to a team hunt on an organization's endpoints.

Which of the following should the analyst do FIRST?

Write detection logic.

Establish a hypothesis.

Profile the threat actors and activities.

Perform a process analysis.

53. A security analyst has observed several incidents within an organization that are affecting one specific piece of hardware on the network. Further investigation reveals the equipment vendor previously released a patch.

Which of the following is the MOST appropriate threat classification for these incidents?

Known threat

Zero day

Unknown threat

Advanced persistent threat

54. A company was recently awarded several large government contracts and wants to determine its current risk from one specific APT.

Which of the following threat modeling methodologies would be the MOST appropriate to use during this analysis?

Attack vectors

Adversary capability

Diamond Model of Intrusion Analysis

Kill chain

Total attack surface

55. A security analyst is investigating malicious traffic from an internal system that attempted to download proxy avoidance software as identified from the firewall logs but the destination IP is blocked and not captured .

Which of the following should the analyst do?

Shut down the computer

Capture live data using Wireshark

Take a snapshot

Determine if DNS logging is enabled.

Review the network logs.

56. A security analyst, who is working for a company that utilizes Linux servers, receives the following results from a vulnerability scan:

Which of the following is MOST likely a false positive?

ICMP timestamp request remote date disclosure

Windows SMB service enumeration via srvsvc

Anonymous FTP enabled

Unsupported web server detection

57. Bootloader malware was recently discovered on several company workstations. All the workstations run Windows and are current models with UEFI capability.

Which of the following UEFI settings is the MOST likely cause of the infections?

Compatibility mode

Secure boot mode

Native mode

Fast boot mode

58. 1.A development team signed a contract that requires access to an on-premises physical server. Access must be restricted to authorized users only and cannot be connected to the Internet.

Which of the following solutions would meet this requirement?

Establish a hosted SS

Implement a CAS

Virtualize the server.

Air gap the server.

59. Which of the following would MOST likely be included in the incident response procedure after a security breach of customer PII?

Human resources

Public relations

Marketing

Internal network operations center

60. A storage area network (SAN) was inadvertently powered off while power maintenance was being performed in a datacenter. None of the systems should have lost all power during the maintenance. Upon review, it is discovered that a SAN administrator moved a power plug when testing the SAN's fault notification features.

Which of the following should be done to prevent this issue from reoccurring?

Ensure both power supplies on the SAN are serviced by separate circuits, so that if one circuit goes down, the other remains powered.

Install additional batteries in the SAN power supplies with enough capacity to keep the system powered on during maintenance operations.

Ensure power configuration is covered in the datacenter change management policy and have the SAN administrator review this policy.

Install a third power supply in the SAN so loss of any power intuit does not result in the SAN completely powering off.

Page 7 of 10

61. A SIEM solution alerts a security analyst of a high number of login attempts against the company's webmail portal. The analyst determines the login attempts used credentials from a past data breach.

Which of the following is the BEST mitigation to prevent unauthorized access?

Single sign-on

Mandatory access control

Multifactor authentication

Federation

Privileged access management

62. An organization has not had an incident for several month. The Chief information Security Officer (CISO) wants to move to proactive stance for security investigations .

Which of the following would BEST meet that goal?

Root-cause analysis

Active response

Advanced antivirus

Information-sharing community

Threat hunting

63. A security analyst needs to assess the web server versions on a list of hosts to determine which are running a vulnerable version of the software and output that list into an XML file named webserverlist.xml. The host list is provided in a file named webserverlist.txt .

Which of the following Nmap commands would BEST accomplish this goal?

nmap -iL webserverlist.txt -sC -p 443 -oX webserverlist.xml

nmap -iL webserverlist.txt -sV -p 443 -oX webserverlist.xml

nmap -iL webserverlist.txt -F -p 443 -oX webserverlist.xml

nmap --takefile webserverlist.txt --outputfileasXML webserverlist.xml Cscanports 443

64. A security architect is reviewing the options for performing input validation on incoming web form submissions .

Which of the following should the architect as the MOST secure and manageable option?

Client-side whitelisting

Server-side whitelisting

Server-side blacklisting

Client-side blacklisting

65. An analyst is reviewing a list of vulnerabilities, which were reported from a recent vulnerability scan of a Linux server.

Which of the following is MOST likely to be a false positive?

OpenSSH/OpenSSL Package Random Number Generator Weakness

Apache HTTP Server Byte Range DoS

GDI+ Remote Code Execution Vulnerability (MS08-052)

HTTP TRACE / TRACK Methods Allowed (002-1208)

SSL Certificate Expiry

66. A security analyst is investigating a system compromise. The analyst verities the system was up to date on OS patches at the time of the compromise .

Which of the following describes the type of vulnerability that was MOST likely expiated?

Insider threat

Buffer overflow

Advanced persistent threat

Zero day

67. A cybersecurity analyst is responding to an incident. The company’s leadership team wants to attribute the incident to an attack group .

Which of the following models would BEST apply to the situation?

Intelligence cycle

Diamond Model of Intrusion Analysis

Kill chain

MITRE ATT&CK

68. A security analyst for a large financial institution is creating a threat model for a specific threat actor that is likely targeting an organization's financial assets.

Which of the following is the BEST example of the level of sophistication this threat actor is using?

Social media accounts attributed to the threat actor

Custom malware attributed to the threat actor from prior attacks

Email addresses and phone numbers tied to the threat actor

Network assets used in previous attacks attributed to the threat actor

IP addresses used by the threat actor for command and control

69. An organization developed a comprehensive incident response policy. Executive management approved the policy and its associated procedures .

Which of the following activities would be MOST beneficial to evaluate personnel’s familiarity with incident response procedures?

A simulated breach scenario involving the incident response team

Completion of annual information security awareness training by all employees

Tabletop activities involving business continuity team members

Completion of lessons-learned documentation by the computer security incident response team

External and internal penetration testing by a third party

70. The security team at a large corporation is helping the payment-processing team to prepare for a regulatory compliance audit and meet the following objectives:

✑ Reduce the number of potential findings by the auditors.

✑ Limit the scope of the audit to only devices used by the payment-processing team for activities directly impacted by the regulations.

✑ Prevent the external-facing web infrastructure used by other teams from coming into scope.

✑ Limit the amount of exposure the company will face if the systems used by the payment-processing team are compromised.

Which of the following would be the MOST effective way for the security team to meet these objectives?

Limit the permissions to prevent other employees from accessing data owned by the business unit.

Segment the servers and systems used by the business unit from the rest of the network.

Deploy patches to all servers and workstations across the entire organization.

Implement full-disk encryption on the laptops used by employees of the payment-processing team.

Page 8 of 10

71. A security analyst discovered a specific series of IP addresses that are targeting an organization. None of the attacks have been successful .

Which of the following should the security analyst perform NEXT?

Begin blocking all IP addresses within that subnet.

Determine the attack vector and total attack surface.

Begin a kill chain analysis to determine the impact.

Conduct threat research on the IP addresses

72. A security analyst needs to reduce the overall attack surface.

Which of the following infrastructure changes should the analyst recommend?

Implement a honeypot.

Air gap sensitive systems.

Increase the network segmentation.

Implement a cloud-based architecture.

73. HOTSPOT

Welcome to the Enterprise Help Desk System. Please work the ticket escalated to you in the desk ticket queue.

INSTRUCTIONS

Click on me ticket to see the ticket details Additional content is available on tabs within the ticket

First, select the appropriate issue from the drop-down menu. Then, select the MOST likely root cause from second drop-down menu

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button

74. Which of the following roles is ultimately responsible for determining the classification levels assigned to specific data sets?

Data custodian

Data owner

Data processor

Senior management

75. A Chief Information Security Officer (CISO) is concerned the development team, which consists of contractors, has too much access to customer datA. Developers use personal workstations, giving the company little to no visibility into the development activities.

Which of the following would be BEST to implement to alleviate the CISO's concern?

DLP

Encryption

Test data

NDA

76. A security analyst wants to identify which vulnerabilities a potential attacker might initially exploit if the network is compromised.

Which of the following would provide the BEST results?

Baseline configuration assessment

Uncredentialed scan

Network ping sweep

External penetration test

77. A development team is testing a new application release. The team needs to import existing client PHI data records from the production environment to the test environment to test accuracy and functionality.

Which of the following would BEST protect the sensitivity of this data while still allowing the team to perform the testing?

Deidentification

Encoding

Encryption

Watermarking

78. Data spillage occurred when an employee accidentally emailed a sensitive file to an external recipient.

Which of the following controls would have MOST likely prevented this incident?

SSO

DLP

WAF

VDI

79. An analyst is performing penetration testing and vulnerability assessment activities against a new vehicle automation platform.

Which of the following is MOST likely an attack vector that is being utilized as part of the testing and assessment?

FaaS

RTOS

SoC

GPS

CAN bus

80. A cybersecurity analyst needs to rearchitect the network using a firewall and a VPN server to achieve the highest level of security.

To BEST complete this task, the analyst should place the:

firewall behind the VPN server

VPN server parallel to the firewall

VPN server behind the firewall

VPN on the firewall

Page 9 of 10

81. A security analyst has discovered trial developers have installed browsers on all development servers in the company's cloud infrastructure and are using them to browse the Internet .

Which of the following changes should the security analyst make to BEST protect the environment?

Create a security rule that blocks Internet access in the development VPC

Place a jumpbox m between the developers' workstations and the development VPC

Remove the administrator profile from the developer user group in identity and access management

Create an alert that is triggered when a developer installs an application on a server

82. A security analyst is reviewing the following log from an email security service.

Which of the following BEST describes the reason why the email was blocked?

The To address is invalid.

The email originated from the www.spamfilter.org UR

The IP address and the remote server name are the same.

The IP address was blacklisted.

The From address is invalid.

83. A cybersecurity analyst is supposing an incident response effort via threat intelligence .

Which of the following is the analyst MOST likely executing?

Requirements analysis and collection planning

Containment and eradication

Recovery and post-incident review

Indicator enrichment and research pivoting

84. A security analyst receives an alert that highly sensitive information has left the company's network Upon investigation, the analyst discovers an outside IP range has had connections from three servers more than 100 times m the past month. The affected servers are virtual machines.

Which of the following is the BEST course of action?

Shut down the servers as soon as possible, move them to a clean environment, restart, run a vulnerability scanner to find weaknesses determine the root cause, remediate, and report

Report the data exfiltration to management take the affected servers offline, conduct an antivirus scan, remediate all threats found, and return the servers to service.

Disconnect the affected servers from the network, use the virtual machine console to access the systems, determine which information has left the network, find the security weakness, and remediate

Determine if any other servers have been affected, snapshot any servers found, determine the vector that was used to allow the data exfiltration. fix any vulnerabilities, remediate, and report.

85. During an investigation, an incident responder intends to recover multiple pieces of digital media.

Before removing the media, the responder should initiate:

malware scans.

secure communications.

chain of custody forms.

decryption tools.

86. Which of the following is the BEST way to share incident-related artifacts to provide non-repudiation?

Secure email

Encrypted USB drives

Cloud containers

Network folders

87. A security analyst discovers a vulnerability on an unpatched web server that is used for testing machine learning on Bing Data sets. Exploitation of the vulnerability could cost the organization $1.5 million in lost productivity. The server is located on an isolated network segment that has a 5% chance of being compromised .

Which of the following is the value of this risk?

$75.000

$300.000

$1.425 million

$1.5 million

88. An organization has not had an incident for several months. The Chief Information Security Officer (CISO) wants to move to a more proactive stance for security investigations .

Which of the following would BEST meet that goal?

Root-cause analysis

Active response

Advanced antivirus

Information-sharing community

Threat hunting

89. An organization developed a comprehensive modern response policy Executive management approved the policy and its associated procedures .

Which of the following activities would be MOST beneficial to evaluate personnel's familiarity with incident response procedures?

A simulated breach scenario evolving the incident response team

Completion of annual information security awareness training by ail employees

Tabtetop activities involving business continuity team members

Completion of lessons-learned documentation by the computer security incident response team

External and internal penetration testing by a third party

90. Which of the following sets of attributes BEST illustrates the characteristics of an insider threat from a security perspective?

Unauthorized, unintentional, benign

Unauthorized, intentional, malicious

Authorized, intentional, malicious

Authorized, unintentional, benign

Page 10 of 10

91. An incident responder successfully acquired application binaries off a mobile device for later forensic analysis.

Which of the following should the analyst do NEXT?

Decompile each binary to derive the source code.

Perform a factory reset on the affected mobile device.

Compute SHA-256 hashes for each binary.

Encrypt the binaries using an authenticated AES-256 mode of operation.

Inspect the permissions manifests within each application.

92. Which of the following is the MOST important objective of a post-incident review?

Capture lessons learned and improve incident response processes

Develop a process for containment and continue improvement efforts

Identify new technologies and strategies to remediate

Identify a new management strategy

93. Which of the following technologies can be used to store digital certificates and is typically used in high-security implementations where integrity is paramount?

HSM

eFuse

UEFI

Self-encrypting drive

94. An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operation of the organization's production line. The legacy hardware does not have third-party support, and the OEM manufacturer of the controller is no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability.

Which of the following would be the MOST appropriate to remediate the controller?

Segment the network to constrain access to administrative interfaces.

Replace the equipment that has third-party support.

Remove the legacy hardware from the network.

Install an IDS on the network between the switch and the legacy equipment.

95. Which of the following software security best practices would prevent an attacker from being able to run arbitrary SQL commands within a web application? (Choose two.)

Parameterized queries

Session management

Input validation

Output encoding

Data protection

Authentication

96. Which of the following will allow different cloud instances to share various types of data with a minimal amount of complexity?

Reverse engineering

Application log collectors

Workflow orchestration

API integration

Scripting

97. A cybersecurity analyst has access to several threat feeds and wants to organize them while simultaneously comparing intelligence against network traffic.

Which of the following would BEST accomplish this goal?

Continuous integration and deployment

Automation and orchestration

Static and dynamic analysis

Information sharing and analysis

98. An organization needs to limit its exposure to accidental disclosure when employees send emails that contain personal information to recipients outside the company.

Which of the following technical controls would BEST accomplish this goal?

DLP

Encryption

Data masking

SPF

99. A large software company wants to move «s source control and deployment pipelines into a cloud-computing environment. Due to the nature of the business management determines the recovery time objective needs to be within one hour .

Which of the following strategies would put the company in the BEST position to achieve the desired recovery time?

Establish an alternate site with active replication to other regions

Configure a duplicate environment in the same region and load balance between both instances

Set up every cloud component with duplicated copies and auto scaling turned on

Create a duplicate copy on premises that can be used for failover in a disaster situation

100. A cybersecurity analyst is currently checking a newly deployed server that has an access control list applied.

When conducting the scan, the analyst received the following code snippet of results:

Which of the following describes the output of this scan?

The analyst has discovered a False Positive, and the status code is incorrect providing an OK message.

The analyst has discovered a True Positive, and the status code is correct providing a file not found error message.

The analyst has discovered a True Positive, and the status code is incorrect providing a forbidden message.

The analyst has discovered a False Positive, and the status code is incorrect providing a server error message.

CompTIA Cybersecurity Analyst (CySA+) CS0-002 Exam Dumps (V14.02) Updated Materials For Preparation