How to pass CompTIA CS0-002 exam with the help of dumps?

Question # 1

A security analyst reviews the latest reports from the company's vulnerability scanner anddiscovers the following: Which of the following changes should the analyst recommend FIRST?

A. Configuring SSL ciphers to use different encryption blocks 
B. Programming changes to encode output 
C. Updating the 'mod_status' module 
D. Disabling HTTP connection debugging commands 

Show Answer

Question # 2

A security analyst is researching an incident and uncovers several details that may link toother incidents. The security analyst wants to determine if other incidents are related to thecurrent incident Which of the followinq threat research methodoloqies would be MOSTappropriate for the analyst to use?

A. Reputation data 
B. CVSS score 
C. Risk assessment 
D. Behavioral analysis 

Show Answer

Question # 3

An organization recently discovered some inconsistencies in the motherboards it receivedfrom a vendor. The organization's security team then provided guidance on how to ensurethe authenticity of the motherboards it received from vendors.Which of the following would be the BEST recommendation for the security analyst toprovide'?

A. The organization should evaluate current NDAs to ensure enforceability of legal actions. 
B. The organization should maintain the relationship with the vendor and enforcevulnerability scans. 
C. The organization should ensure all motherboards are equipped with a TPM. 
D. The organization should use a certified, trusted vendor as part of the supply chain. 

Show Answer

Question # 4

Which of the following data security controls would work BEST to prevent real Pll frombeing used in an organization's test cloud environment?

A. Digital rights management 
B. Encryption 
C. Access control 
D. Data loss prevention 
E. Data masking 

Show Answer

Question # 5

A security analyst received an alert from the SIEM indicating numerous login attempts fromusers outside their usual geographic zones, all of which were initiated through the webbased mail server. The logs indicate all domain accounts experienced two login attemptsduring the same time frame.Which of the following is the MOST likely cause of this issue?

A. A password-spraying attack was performed against the organization. 
B. A DDoS attack was performed against the organization. 
C. This was normal shift work activity; the SIEM's AI is learning. 
D. A credentialed external vulnerability scan was performed. 

Show Answer

Question # 6

As part of a review of incident response plans, which of the following is MOST important foran organization to understand when establishing the breach notification period?

A. Organizational policies 
B. Vendor requirements and contracts 
C. Service-level agreements 
D. Legal requirements 

Show Answer

Question # 7

D18912E1457D5D1DDCBD40AB3BF70D5DA security analyst scanned an internal company subnet and discovered a host with thefollowing Nmap output. Based on the output of this Nmap scan, which of the following should the analystinvestigate FIRST?

A. Port 22 
B. Port 135 
C. Port 445 
D. Port 3389 

Show Answer

Question # 8

Which of the following policies would state an employee should not disable securitysafeguards, such as host firewalls and antivirus on company systems?

A. Code of conduct policy 
B. Account management policy 
C. Password policy 
D. Acceptable use policy 

Show Answer

Question # 9

An analyst is investigating an anomalous event reported by the SOC. After reviewing thesystem logs the analyst identifies an unexpected addition of a user with root-level privilegeson the endpoint. Which of the following data sources will BEST help the analyst todetermine whether this event constitutes an incident?

A. Patching logs 
B. Threat feed 
C. Backup logs 
D. Change requests 
E. Data classification matrix 

Show Answer

Question # 10

A cybersecurity analyst is dissecting an intrusion down to the specific techniques andwants to organize them in a logical manner. Which of the following frameworks wouldBEST apply in this situation?

A. Pyramid of Pain 
B. MITRE ATT&CK 
C. Diamond Model of Intrusion Analysts 
D. CVSS v3.0 

Show Answer

Question # 11

A security analyst is investigating an incident that appears to have started with SOLinjection against a publicly available web application. Which of the following is the FIRSTstep the analyst should take to prevent future attacks?

A. Modify the IDS rules to have a signature for SQL injection. 
B. Take the server offline to prevent continued SQL injection attacks. 
C. Create a WAF rule In block mode for SQL injection 
D. Ask the developers to implement parameterized SQL queries. 

Show Answer

Question # 12

An organization's network administrator uncovered a rogue device on the network that isemulating the charactenstics of a switch. The device is trunking protocols and insertingtagging vathe flow of traffic at the data link layerWhich of the following BEST describes this attack?

A. VLAN hopping 
B. Injection attack 
C. Spoofing 
D. DNS pharming 

Show Answer

Question # 13

While investigating an incident in a company's SIEM console, a security analyst foundhundreds of failed SSH login attempts, which all occurred in rapid succession. The failedattempts were followed by a successful login on the root user Company policy allowssystems administrators to manage their systems only from the company's internal networkusing their assigned corporate logins. Which of the following are the BEST actions theanalyst can take to stop any further compromise? (Select TWO).

A Configure /etc/sshd_config to deny root logins and restart the SSHD service.
B. Add a rule on the network IPS to block SSH user sessions
C. Configure /etc/passwd to deny root logins and restart the SSHD service.
D. Reset the passwords for all accounts on the affected system.
E. Add a rule on the perimeter firewall to block the source IP address.
F. Add a rule on the affected system to block access to port TCP/22.

Show Answer

Question # 14

An application server runs slowly and then triggers a high CPU alert. After investigating, asecurity analyst finds an unauthorized program is running on the server. The analystreviews the application log below. Which of the following conclusions is supported by the application log?

A. An attacker was attempting to perform a buffer overflow attack to execute a payload inmemory. 
B. An attacker was attempting to perform an XSS attack via a vulnerable third-party library. 
C. An attacker was attempting to download files via a remote command executionvulnerability
D. An attacker was attempting to perform a DoS attack against the server. 

Show Answer

Question # 15

Which of the following is the BEST security practice to prevent ActiveX controls fromrunning malicious code on a user's web application?

A. Configuring a firewall to block traffic on ports that use ActiveX controls 
B. Adjusting the web-browser settings to block ActiveX controls 
C. Installing network-based IPS to block malicious ActiveX code 
D. Deploying HIPS to block malicious ActiveX code 

Show Answer

Question # 16

While reviewing a cyber-risk assessment, an analyst notes there are concerns related to FPGA usage. Which of the following statements would BEST convince the analyst'ssupervisor to use additional controls?

A. FPGAs are vulnerable to malware installation and require additional protections for theircodebase. 
B. FPGAs are expensive to produce. Anti-counterierting safeguards are needed. 
C. FPGAs are expensive and can only be programmed once. Code deployment safeguardsare needed. 
D. FPGAs have an inflexible architecture. Additional training for developers is needed 

Show Answer

Question # 17

A small marketing firm uses many SaaS applications that hold sensitive information Thefirm has discovered terminated employees are retaining access to systems for many weeksafter their end date. Which of the following would BEST resolve the issue of lingeringaccess?

A. Configure federated authentication with SSO on cloud provider systems. 
B. Perform weekly manual reviews on system access to uncover any issues. 
C. Implement MFA on cloud-based systems. 
D. Set up a privileged access management tool that can fully manage privileged accountaccess. 

Show Answer

Question # 18

A company's security officer needs to implement geographical IP blocks for nation-stateactors from a foreign country On which of the following should the blocks be implemented'?

A. Web content filter 
B. Access control list 
C. Network access control 
D. Data loss prevention 

Show Answer

Question # 19

A security analyst needs to obtain the footprint of the network. The footprint must identifythe following information;• TCP and UDP services running on a targeted system• Types of operating systems and versions• Specific applications and versionsWhich of the following tools should the analyst use to obtain the data?

A. ZAP 
B. Nmap 
C. Prowler 
D. Reaver 

Show Answer

Question # 20

An information security analyst on a threat-hunting team Is working with administrators tocreate a hypothesis related to an internally developed web application The workinghypothesis is as follows:• Due to the nature of the industry, the application hosts sensitive data associated withmany clients and Is a significant target• The platform Is most likely vulnerable to poor patching and Inadequate server hardening,which expose vulnerable services.• The application is likely to be targeted with SQL injection attacks due to the large numberof reporting capabilities within the application.As a result, the systems administrator upgrades outdated service applications andvalidates the endpoint configuration against an industry benchmark. The analyst suggestsdevelopers receive additional training on implementing identity and access management,and also implements a WAF to protect against SOL injection attacks Which of the followingBEST represents the technique in use?

A. Improving detection capabilities 
B. Bundling critical assets 
C. Profiling threat actors and activities 
D. Reducing the attack surface area 

Show Answer

Question # 21

Given the Nmap request below: Which of the following actions will an attacker be able to initiate directly against this host?

A. Password sniffing 
B. ARP spoofing 
C. A brute-force attack 
D. An SQL injection 

Show Answer

Question # 22

An analyst needs to provide recommendations for the AUP Which of the following is theBEST recommendation to protect the company's intellectual property? 

A. Company assets must be stored in a locked cabinet when not in use. 
B. Company assets must not be utilized for personal use or gain. 
C. Company assets should never leave the company's property. 
D. AII Internet access must be via a proxy server. 

Show Answer

Question # 23

A Chief Security Officer (CSO) is working on the communication requirements (or anorganization's incident response plan. In addition to technical response activities, which ofthe following is the main reason why communication must be addressed in an effectiveincident response program?

A. Public relations must receive information promptly in order to notify the community. 
B. Improper communications can create unnecessary complexity and delay response actions. 
C. Organizational personnel must only interact with trusted members of the lawenforcement community. 
D. Senior leadership should act as the only voice for the incident response team whenworking with forensics teams. 

Show Answer

Question # 24

A security analyst is reviewing the following DNS logs as part of security-monitoringactivities: Which of the following MOST likely occurred?

A. The attack used an algorithm to generate command and control information dynamically. 
B. The attack used encryption to obfuscate the payload and bypass detection by an IDS. 
C. The attack caused an internal host to connect to a command and control server. 
D. The attack attempted to contact www.gooqle com to verify Internet connectivity. 

Show Answer

Question # 25

A remote code-execution vulnerability was discovered in the RDP for the servers running akey-hosted application. While there is no automated check for this vulnerability from thevulnerability assessment vendor, the in-house technicians were able to evaluate manuallywhether this vulnerability was present through the use of custom scripts. This evaluationdetermined that all the hosts are vulnerable. A technician then tested the patch for thisvulnerability and found that it can cause stability issues in the key-hosted application. Theapplication is accessed through RDP to a jump host that does not run the applicationdirectly. To mitigate this vulnerability, the security operations team needs to provideremediation steps that will mitigate the vulnerability temporarily until the compatibility issueswith the patch are resolved. Which of the following will BEST allow systems to continue tooperate and mitigate the vulnerability in the short term?

A. Implement IPSec rules on the application servers through a GPO that limits RDP accessfrom only the jump host. Patch the jump host. Since it does not run the application natively,it will not affect the software's operation and functionality. Do not patch the applicationservers until the compatibility issue is resolved. 
B. Implement IPSec rules on the jump host server through a GPO that limits RDP accessfrom only the other application servers. Do not patch the jump host. Since it does not runthe application natively, it is at less risk of being compromised. Patch the applicationservers to secure them. 
C. Implement IPSec rules on the application servers through a GPO that limits RDP accessto only other application servers. Do not patch the jump host. Since it does not run theapplication natively, it is at less risk of being compromised. Patch the application servers tosecure them. 
D. Implement firewall rules on the application servers through a GPO that limits RDPaccess to only other application servers. Manually check the jump host to see if it has beencompromised. Patch the application servers to secure them. 

Show Answer

Question # 26

A company recently experienced financial fraud, which included shared passwords beingcompromised and improper levels of access being granted The company has asked asecurity analyst to helpimprove its controls.Which of the following will MOST likely help the security analyst develop better controls?

A. An evidence summarization 
B. An indicator of compromise 
C. An incident response plan 
D. A lessons-learned report 

Show Answer

Question # 27

The Cruel Executive Officer (CEO) of a large insurance company has reported phishingemails that contain malicious links are targeting the entire organza lion Which of thefollowing actions would work BEST to prevent against this type of attack?

A. Turn on full behavioral analysis to avert an infection 
B. Implement an EOR mail module that will rewrite and analyze email links. 
C. Reconfigure the EDR solution to perform real-time scanning of all files 
D. Ensure EDR signatures are updated every day to avert infection. 
E. Modify the EDR solution to use heuristic analysis techniques for malware. 

Show Answer

Question # 28

A security analyst is reviewing the following requirements (or new time clocks that will beinstalled in a shipping warehouse:• The clocks must be configured so they do not respond to ARP broadcasts.• The server must be configured with static ARP entries for each clock.Which of the following types of attacks will this configuration mitigate?

A. Spoofing 
B. Overflows 
C. Rootkits 
D. Sniffing 

Show Answer

Question # 29

A security analyst received a series of antivirus alerts from a workstation segment, and users reported ransomware messages. During lessons- learned activities, the analyst determines the antivirus was able to alert to abnormal behavior but did not stop this newestvariant of ransomware. Which of the following actions should be taken to BEST mitigate theeffects of this type of threat in the future?

A. Enabling application blacklisting 
B. Enabling sandboxing technology 
C. Purchasing cyber insurance 
D. Installing a firewall between the workstations and Internet 

Show Answer

Question # 30

An organization that uses SPF has been notified emails sent via its authorized third-partypartner are getting rejected A security analyst reviews the DNS entry and sees thefollowing:v=spfl ip4:180.10.6.5 ip4: 180.10.6.10 include: robusmail.com -allThe organization's primary mail server IP is 180.10 6.6, and the secondary mail server IP is180.10.6.5. The organization's third-party mail provider is "Robust Mail" with the domainname robustmail.com.Which of the following is the MOST likely reason for the rejected emails?

A. The wrong domain name is in the SPF record. 
B. The primary and secondary email server IP addresses are out of sequence. 
C. SPF version 1 does not support third-party providers 
D. An incorrect IP version is being used. 

Show Answer

Question # 31

hich of the following is the BEST way to share incident-related artifacts to provide nonrepudiation?

A. Secure email 
B. Encrypted USB drives 
C. Cloud containers 
D. Network folders 

Show Answer

Question # 32

An organisation is assessing risks so it can prioritize its mitigation actions. Following arethe risks and their probability and impact: Which of the following is the order of priority for risk mitigation from highest to lowest?

A. A, B, C, D 
B. A, D, B, C 
C. B, C, A, D 
D. C, B, D, A 
E. D, A, C, B 

Show Answer

Question # 33

A company recently experienced multiple DNS DDoS attacks, and the information securityanalyst must provide a DDoS solution to deploy in the company's datacenter Which of thefollowing would BEST prevent future attacks?

A. Configure a sinkhole on the router. 
B. Buy a UTM to block the number of requests. 
C. Route the queries on the DNS server to 127.0.0.1. 
D. Call the Internet service provider to block the attack. 

Show Answer

Question # 34

An analyst is reviewing the following code output of a vulnerability scan: Which of the following types of vulnerabilities does this MOST likely represent?

A. A insecure direct object reference vulnerability 
B. An HTTP response split vulnerability 
C. A credential bypass vulnerability 
D. A XSS vulnerability 

Show Answer

Question # 35

A security analyst needs to develop a brief that will include the latest incidents and theattack phases of the incidents. The goal is to support threat intelligence and identifywhether or not the incidents are linked.Which of the following methods would be MOST appropriate to use?

A. An adversary capability model 
B. The MITRE ATT&CK framework 
C. The Cyber Kill Chain 
D. The Diamond Model of Intrusion Analysis 

Show Answer

Question # 36

A security analyst is reviewing the network security monitoring logs listed below:Which of the following is the analyst MOST likely observing? (Select TWO).

A. 10.1.1.128 sent malicious requests, and the alert is a false positive. 
B. 10.1.1.129 sent potential malicious requests to the web server. 
C. 10.1.1.129 sent non-malicious requests, and the alert is a false positive. 
D. 10.1.1.128 sent potential malicious traffic to the web server. 
E. 10.1.1 .129 successfully exploited a vulnerability on the web server. 

Show Answer

Question # 37

A company's security administrator needs to automate several security processes relatedto testing for the existence of changes within the environment Conditionally otherprocesses will need to be created based on input from prior processesWhich of the following is the BEST method for accomplishing this task?

A. Machine learning and process monitoring 
B. API integration and data enrichment 
C. Workflow orchestration and scripting 
D. Continuous integration and configuration management 

Show Answer

Question # 38

A user reports the system is behaving oddly following the installation of an approved thirdparty software application. The application executable was sourced from an internalrepository Which of the following will ensure the application is valid?

A. Ask the user to refresh the existing definition file for the antivirus software 
B. Perform a malware scan on the file in the internal repository 
C. Hash the application's installation file and compare it to the hash provided by the vendor 
D. Remove the user's system from the network to avoid collateral contamination 

Show Answer

Question # 39

Clients are unable to access a company’s API to obtain pricing data. An analyst discoverssources other thanclients are scraping the API for data, which is causing the servers to exceed availableresources. Which of thefollowing would be BEST to protect the availability of the APIs?

A. IP whitelisting 
B. Certificate-based authentication 
C. Virtual private network 
D. Web application firewall 

Show Answer

Question # 40

Which of the following is MOST closely related to the concept of privacy?

A. An individual's control over personal information 
B. A policy implementing strong identity management processes 
C. A system's ability to protect the confidentiality of sensitive information 
D. The implementation of confidentiality, integrity, and availability 

Show Answer

Question # 41

Which of the following sources would a security analyst rely on to provide relevant andtimely threat information concerning the financial services industry?

A. Information sharing and analysis membership 
B. Open-source intelligence, such as social media and blogs 
C. Real-time and automated firewall rules subscriptions 
D. Common vulnerability and exposure bulletins 

Show Answer

Question # 42

A large insurance company wants to outsource its claim-handling operations to anoverseas third-party organization Which of the following would BEST help to reduce thechance of highly sensitive data leaking?

A. Configure a VPN between the third party organization and the internal company network 
B. Set up a VDI that the third party must use to interact with company systems. 
C. Use MFA to protect confidential company information from being leaked. 
D. Implement NAC to ensure connecting systems have malware protection 
E. Create jump boxes that are used by the third-party organization so it does not connectdirectly. 

Show Answer

Question # 43

A forensic analyst took an image of a workstation that was involved in an incident To BESTensure the image is not tampered with me analyst should use:

A. hashing 
B. backup tapes 
C. a legal hold 
D. chain of custody. 

Show Answer

Question # 44

Employees of a large financial company are continuously being Infected by strands ofmalware that are not detected by EDR tools. When of the following Is the BEST securitycontrol to implement to reduce corporate risk while allowing employees to exchange files atclient sites?

A. MFA on the workstations 
B. Additional host firewall rules 
C. VDI environment 
D. Hard drive encryption 
E. Network access control 
F. Network segmentation 

Show Answer

Question # 45

A user reports a malware alert to the help desk A technician verifies the alert, determinesthe workstation is classified as a low-severity device, and uses network controls to blockaccess The technician then assigns the ticket to a security analyst who will complete theeradication and recovery processes. Which of the following should the security analyst doNEXT?

A. Document the procedures and walk through the incident training guide. 
B. Sanitize the workstation and verify countermeasures are restored 
C. Reverse engineer the malware to determine its purpose and risk to the organization. 
D. Isolate the workstation and issue a new computer to the user. 

Show Answer

Question # 46

An organization is upgrading its network and all of its workstations The project will occur inphases, with infrastructure upgrades each month and workstation installs every other week.The schedule should accommodate the enterprise-wide changes, while minimizing theimpact to the network. Which of the following schedules BEST addresses theserequirements?

A. Monthly topology scans, biweekly host discovery scans, weekly vulnerability scans 
B. Monthly vulnerability scans, biweekly topology scans, daily host discovery scans
C. Monthly host discovery scans; biweekly vulnerability scans, monthly topology scans 
D. Monthly topology scans, biweekly host discovery scans, monthly vulnerability scans 

Show Answer

Question # 47

An organization is upgrading its network and all of its workstations The project will occur inphases, with infrastructure upgrades each month and workstation installs every other week.The schedule should accommodate the enterprise-wide changes, while minimizing theimpact to the network. Which of the following schedules BEST addresses theserequirements?

A. Monthly topology scans, biweekly host discovery scans, weekly vulnerability scans 
B. Monthly vulnerability scans, biweekly topology scans, daily host discovery scans
C. Monthly host discovery scans; biweekly vulnerability scans, monthly topology scans 
D. Monthly topology scans, biweekly host discovery scans, monthly vulnerability scans 

Show Answer

Question # 48

A company's legal department is concerned that its incident response plan does not coverthe countless ways security incidents can occur They have asked a security analyst to helptailor the response plan to provide broad coverage for many situations. Which of thefollowing is the BEST way to achieve this goal?

A. Focus on incidents that may require law enforcement support. 
B. Focus on common attack vectors first. 
C. Focus on incidents that have a high chance of reputation harm. 
D. Focus on incidents that affect critical systems. 

Show Answer

Question # 49

When reviewing a compromised authentication server, a security analyst discovers thefollowing hidden file: Further analysis shows these users never logged in to the server. Which of the followingtypes of attacks was used to obtain the file and what should the analyst recommend toprevent this type of attack from reoccurring?

A. A rogue LDAP server is installed on the system and is connecting passwords. Theanalyst should recommend wiping and reinstalling the server. 
B. A password spraying attack was used to compromise the passwords. The analystshould recommend that all users receive a unique password. 
C. A rainbow tables attack was used to compromise the accounts. The analyst shouldrecommend that future password hashes contains a salt. 
D. A phishing attack was used to compromise the account. The analyst should recommendusers install endpoint protection to disable phishing links. 

Show Answer

Question # 50

Which of the following BEST describes the primary role ol a risk assessment as it relates tocompliance with risk-based frameworks?

A. It demonstrates the organization's mitigation of risks associated with internal threats. 
B. It serves as the basis for control selection. 
C. It prescribes technical control requirements. 
D. It is an input to the business impact assessment. 

Show Answer

Question # 51

While conducting a network infrastructure review, a security analyst discovers a laptop thatis plugged into a core switch and hidden behind a desk.The analyst sees the following on the laptop's screen: Which of the following is the BEST action for the security analyst to take?

A. Initiate a scan of devices on the network to find password-cracking tools. 
B. Disconnect the laptop and ask the users jsmith and progers to log out. 
C. Force all users in the domain to change their passwords at the next login. 
D. Take the FILE-SHARE-A server offline and scan it for viruses. 

Show Answer

Question # 52

A security analyst is generating a list of recommendations for the company's insecure API.Which of the following is the BEST parameter mitigation rec

A. Implement parameterized queries. 
B. Use effective authentication and authorization methods. 
C. Validate all incoming data. 
D. Use TLs for all data exchanges. 

Show Answer

Question # 53

Because some clients have reported unauthorized activity on their accounts, a securityanalyst is reviewing network packet captures from the company's API server. A portion of acapture file is shown below:POST /services/v1_0/Public/Members.svc/soaphttp://schemas.s/soap/envelope/">http://tempuri.org/">http://schemas.somesite.org"+xmlns:i="http://www.w3.org/2001/XMLSchema-instance"></s:Body></s:Envelope> 192.168.1.22 - - api.somesite.com 200 0 10061001 0 192.168.1.22POST /services/v1_0/Public/Members.svc/soap<<a:Password>Password123</a:Password><a:ResetPasswordToken+i:nil="true"/> <a:ShouldImpersonatedAuthenticationBePopulated+i:nil="true"/><a:Username>somebody@companyname.com</a:Username></request></Login></s:Body></s:Envelope>192.168.5.66 - - api.somesite.com 200 0 11558 1712 2024 192.168.4.89POST /services/v1_0/Public/Members.svc/soaphttp://schemas.xmlsoap.org/soap/envelope/">tion+xmlns="http://tempuri.org/"> <a:IPAddress>516.7.446.605</a:IPAddress><a:ZipCode+i:nil="true"/></request></GetIPLocation></s:Body></s:Envelope> 192.168.1.22 - - api.somesite.com 200 0 1003 1011 307192.168.1.22POST /services/v1_0/Public/Members.svc/soaphttp://schemas.xmlsoap.org/soap/envelope/">n+xmlns="http://tempuri.org/"> http://schemas.datacontract.org/2004/07/somesite.web+xmlns:i="http://www.w3.org/2001/XMLSchema-instance"> <a:ApiToken>kmL4krg2CwwWBan5BReGv5Djb7syxXTNKcWFuSjd</a:ApiToken><a:ImpersonateUserId>0</a:ImpersonateUserId><a:LocationId>161222</a:LocationId> <a:NetworkId>4</a:NetworkId><a:ProviderId>''1=1</a:ProviderId><a:UserId>13026046</a:UserId></a:Authentication></request></IsLoggedIn></s:Body></s:Envelope> 192.168.5.66- - api.somesite.com 200 0 1378 1209 48 192.168.4.89Which of the following MOST likely explains how the clients' accounts were compromised?

A. The clients' authentication tokens were impersonated and replayed. 
B. The clients' usernames and passwords were transmitted in cleartext. 
C. An XSS scripting attack was carried out on the server. 
D. A SQL injection attack was carried out on the server. 

Show Answer

Question # 54

An organization has several systems that require specific logons Over the past few months,the security analyst has noticed numerous failed logon attempts followed by passwordresets. Which of the following should the analyst do to reduce the occurrence of legitimatefailed logons and password resets?

A. Use SSO across all applications 
B. Perform a manual privilege review 
C. Adjust the current monitoring and logging rules 
D. Implement multifactor authentication 

Show Answer

Question # 55

Following a recent security breach, a company decides to investigate account usage toensure privileged accounts are only being utilized during typical business hours. During theinvestigation, a security analyst determines an account was consistently utilized in themiddle of the night.Which of the following actions should the analyst take NEXT?

A. Initiate the incident response plan. 
B. Disable the privileged account 
C. Report the discrepancy to human resources. 
D. Review the activity with the user. 

Show Answer

Question # 56

A company's blocklist has outgrown the current technologies in place. The ACLS are atmaximum, and the IPS signatures only allow a certainamount of space for domains to be added, creating the need for multiple signatures.Which of the following configuration changes to the existing controls would be the MOSTappropriate to improve performance?

A. Create an IDS for the current blocklist to determine which domains are showing activityand may need to be removed. 
B. Implement a host-file based solution that will use a list of all domains to deny for allmachines on the network 
C. Review the current blocklist to determine which domains can be removed from the listand then update the ACLs and IPS signatures. 
D. Review the current blocklist and prioritize it based on the level of threat severity. Add thedomains with the highest severity to the blocklist and remove the lower-severity threatsfrom it. 

Show Answer

Question # 57

An analyst needs to provide a recommendation that will allow a custom-developedapplication to have full access to the system's processors and peripherals but still becontained securely from other applications that will be developed. Which of the following isthe BEST technology for the analyst to recommend?

A. Software-based drive encryption 
B. Hardware security module 
C. Unified Extensible Firmware Interface 
D. Trusted execution environment 

Show Answer

Question # 58

A remote code execution vulnerability was discovered in the RDP. An organizationcurrently uses RDP for remote access to a portion of its VDI environment. The analystverified network-levelauthentication is enabledWhich of the following is the BEST remediation for this vulnerability?

A. Verify the latest endpoint-protection signature is in place. 
B. Verify the corresponding patch for the vulnerability is installed^ 
C. Verify the system logs do not contain indicator of compromise. 
D. Verify the threat intelligence feed is updated with the latest solutions 

Show Answer

Question # 59

A security analyst for a large pharmaceutical company was given credentials from a threatintelligence resources organisation for Internal users, which contain usernames and validpasswords for company accounts. Which of the following is the FIRST action the analystshould take as part of security operations monitoring?

A. Run scheduled antivirus scans on all employees' machines to look for maliciousprocesses. 
B. Reimage the machines of all users within the group in case of a malware infection. 
C. Change all the user passwords to ensure the malicious actors cannot use them. 
D. Search the event logs for event identifiers that indicate Mimikatz was used. 

Show Answer

Question # 60

An employee was found to have performed fraudulent activities. The employee wasdismissed, and the employee's laptop was sent to the IT service desk to undergo a datasanitization procedure. However, the security analyst responsible for the investigationwants to avoid data sanitization. Which of the following can the security analyst use tojustify the request?

A. Data retention 
B. Evidence retention 
C. GDPR 
D. Data correlation procedure 

Show Answer

Question # 61

An organization's Chief Information Security Officer (CISO) has asked department leadersto coordinate on communication plans that can be enacted in response to differentcybersecurity incident triggersWhich of the following is a benefit of having these communication plans?

A. They can help to prevent the inadvertent release of damaging information outside theorganization. 
B. They can quickly inform the public relations team to begin coordinating with the mediaas soon as a breach is detected. 
C. They can help to keep the organization's senior leadership informed about the status ofpatching during the recovery phase. 
D. They can help to limit the spread of worms by coordinating with help desk personnelearlier in the recovery phase. 

Show Answer

Question # 62

A security analyst needs to perform a search for connections with a suspicious IP on thenetwork traffic. The company collects full packet captures at the Internet gateway andretains them for one week. Which of the following will enable the analyst to obtain theBEST results?

A. grep -a <suspicious ip> internet.pcap 
B. tcpdump-n-rinternet.pcaphost<suspicious ip> 
C. strings internet.pcap | grep <suspicious ip> 
D. npcapd internet.pcap | grep <suspicious ip> 

Show Answer

Question # 63

A security engineer is reviewing security products that identify malicious actions by usersas part of a company's insider threat program. Which of the following is the MOSTappropriate product category for this purpose?

A. SOAR 
B. WAF 
C. SCAP 
D. UEBA 

Show Answer

Question # 64

A security analyst receives an alert from the SIEM about a possible attack happening onthe network The analyst opens the alert and sees the IP address of the suspected serveras 192.168.54.66. which is part of the network 192 168 54 0/24. The analyst then pulls allthe command history logs from that server and sees the following Which of the following activities is MOST likely happening on the server?

A. A MUM attack 
B. Enumeration 
C. Fuzzing 
D. A vulnerability scan 

Show Answer

Question # 65

In system hardening, which of the following types of vulnerability scans would work BESTto verify the scanned device meets security policies?

A. SCAP 
B. Burp Suite 
C. OWASP ZAP 
D. Unauthenticated 

Show Answer

Question # 66

In system hardening, which of the following types of vulnerability scans would work BESTto verify the scanned device meets security policies?

A. SCAP 
B. Burp Suite 
C. OWASP ZAP 
D. Unauthenticated 

Show Answer

Question # 67

A security analyst is auditing firewall rules with the goal of scanning some known ports tocheck the firewall’s behavior and responses. The analyst executes the followingcommands.Which of the following BEST describes the firewall rule?

A. REJECT with --tcp-reset 
B. DROP 
C. LOG -log-tcp-sequence 
D. DNAt -to-destination 1.1.1.1:3000 

Show Answer

Question # 68

A cybersecurity analyst is establishing a threat hunting and intelligence group at a growing organization. Which of the following is a collaborative resource that would MOST likely beused for this purpose?

A. Scrum 
B. loC feeds 
C. ISAC 
D. VSS scores 

Show Answer

Question # 69

To prioritize the morning's work, an analyst is reviewing security alerts that have not yetbeen investigated. Which of the following assets should be investigated FIRST?

A. The workstation of a developer who is installing software on a web server 
B. A new test web server that is in the process of initial installation 
C. The laptop of the vice president that is on the corporate LAN 
D. An accounting supervisor's laptop that is connected to the VPN 

Show Answer

Question # 70

The SFTP server logs show thousands of failed login attempts from hundreds of IP addresses worldwide. Which of the following controls would BEST protect the service?

A. Whitelisting authorized IP addresses 
B. Enforcing more complex password requirements 
C. Blacklisting unauthorized IP addresses 
D. Establishing a sinkhole service 

Show Answer

Question # 71

During a review of vulnerability scan results an analyst determines the results may beflawed because a control-baseline system which is used to evaluate a scanning toolseffectiveness was reported as not vulnerable Consequently, the analyst verifies the scopeof the scan included the control-baseline host which was available on the network duringthe scan. The use of a control-baseline endpoint in this scenario assists the analyst inconfirming.

A. verification of mitigation
B. false positives 
C. false negatives 
D. the criticality index 
E. hardening validation. 

Show Answer

Question # 72

A security team identified some specific known tactics and techniques to help mitigaterepeated credential access threats, such as account manipulation and brute forcing. Whichof the following frameworks or models did the security team MOST likely use to identify thetactics and techniques'?

A. Kill chain 
B. Diamond Model of Intrusion Analysis 
C. MITRE ATT&CK 
D. ITIL 

Show Answer

Question # 73

A Chief Information Security Officer (CISO) is concerned about new privacy regulationsthat apply to the company. The CISO has tasked a security analyst with finding the propercontrol functions to verity that a user's data is not altered without the user's consent Whichof the following would be an appropriate course of action?

A. Use a DLP product to monitor the data sets for unauthorized edits and changes. 
B. Use encryption first and then hash the data at regular, defined times. 
C. Automate the use of a hashing algorithm after verified users make changes to their data 
D. Replicate the data sets at regular intervals and continuously compare the copies forunauthorized changes. 

Show Answer

Question # 74

An analyst wants to identify hosts that are connecting to the external FTP servers andwhat, if any, passwords are being used. Which of the following commands should theanalyst use?

A. tcpdump –X dst port 21 
B. ftp ftp.server –p 21 
C. nmap –o ftp.server –p 21 
D. telnet ftp.server 21 

Show Answer