
CompTIA CS0-001 CompTIA CSA+ Certification Exam Exam Practice Test

Page: 1 / 46
Total 455 questions

CompTIA CSA+ Certification Exam Questions and Answers

Question 1

A zero-day crypto-worm is quickly spreading through the internal network on port 25 and exploiting a software vulnerability found within the email servers.

Which of the following countermeasures needs to be implemented as soon as possible to mitigate the worm from continuing to spread?

Options:

A.

Implement a traffic sinkhole.

B.

Block all known port/services.

C.

Isolate impacted servers.

D.

Patch affected systems.

Question 2

A company invested ten percent of its entire annual budget in security technologies. The Chief Information Officer (CIO) is convinced that, without this investment, the company will risk being the next victim of the same cyber attack its competitor experienced three months ago. However, despite this investment, users are sharing their usernames and passwords with their coworkers to get their jobs done. Which of the following will eliminate the risk introduced by this practice?

Options:

A.

Invest in and implement a solution to ensure non-repudiation

B.

Force a daily password change

C.

Send an email asking users not to share their credentials

D.

Run a report on all users sharing their credentials and alert their managers of further actions

Question 3

A security analyst is assisting with a computer crime investigation and has been asked to secure a PC and deliver it to the forensic lab. Which of the following items would be MOST helpful to secure the PC? (Choose three.)

Options:

A.

Tamper-proof seals

B.

Faraday cage

C.

Chain of custody form

D.

Drive eraser

E.

Write blockers

F.

Network tap

G.

Multimeter

Question 4

A security analyst begins to notice the CPU utilization from a sinkhole has begun to spike. Which of the following describes what may be occurring?

Options:

A.

Someone has logged on to the sinkhole and is using the device.

B.

The sinkhole has begun blocking suspect or malicious traffic.

C.

The sinkhole has begun rerouting unauthorized traffic.

D.

Something is controlling the sinkhole and causing CPU spikes due to malicious utilization.

Question 5

A recent audit has uncovered several coding errors and a lack of input validation being used on a public portal. Due to the nature of the portal and the severity of the errors, the portal is unable to be patched. Which of the following tools could be used to reduce the risk of being compromised?

Options:

A.

Web application firewall

B.

Network firewall

C.

Web proxy

D.

Intrusion prevention system

Question 6

Scan results identify critical Apache vulnerabilities on a company’s web servers. A security analyst believes many of these results are false positives because the web environment mostly consists of Windows servers.

Which of the following is the BEST method of verifying the scan results?

Options:

A.

Run a service discovery scan on the identified servers.

B.

Refer to the identified servers in the asset inventory.

C.

Perform a top-ports scan against the identified servers.

D.

Review logs of each host in the SIEM.

Question 7

During a web application vulnerability scan, it was discovered that the application would display inappropriate data after certain key phrases were entered into a webform connected to a SQL database server. Which of the following should be used to reduce the likelihood of this type of attack returning sensitive data?

Options:

A.

Static code analysis

B.

Peer review code

C.

Input validation

D.

Application fuzzing

Question 8

A software development company in the manufacturing sector has just completed the alpha version of its flagship application. The application has been under development for the past three years. The SOC has seen intrusion attempts made by indicators associated with a particular APT. The company has a hot site location for COOP. Which of the following threats would most likely incur the BIGGEST economic impact for the company?

Options:

A.

DDoS

B.

ICS destruction

C.

IP theft

D.

IPS evasion

Question 9

A cybersecurity analyst is hired to review the security posture of a company. The cybersecurity analyst notices a very high network bandwidth consumption due to SYN floods from a small number of IP addresses.

Which of the following would be the BEST action to take to support incident response?

Options:

A.

Increase the company’s bandwidth.

B.

Apply ingress filters at the routers.

C.

Install a packet capturing tool.

D.

Block all SYN packets.

Question 10

A malware infection spread to numerous workstations within the marketing department. The workstations were quarantined and replaced with machines.

Which of the following represents a FINAL step in the eradication of the malware?

Options:

A.

The workstations should be isolated from the network.

B.

The workstations should be donated for reuse.

C.

The workstations should be reimaged.

D.

The workstations should be patched and scanned.

Question 11

A penetration tester is preparing for an audit of critical systems that may impact the security of the environment. This includes the external perimeter and the internal perimeter of the environment. During which of the following processes is this type of information normally gathered?

Options:

A.

Timing

B.

Scoping

C.

Authorization

D.

Enumeration

Question 12

A nuclear facility manager determined the need to monitor utilization of water within the facility. A startup company just announced a state-of-the-art solution to address the need for integrating the business and ICS network. The solution requires a very small agent to be installed on the ICS equipment. Which of the following is the MOST important security control for the manager to invest in to protect the facility?

Options:

A.

Run a penetration test on the installed agent.

B.

Require that the solution provider make the agent source code available for analysis.

C.

Require thorough guides for administrators and users.

D.

Install the agent for a week on a test system and monitor the activities.

Question 13

A new policy requires the security team to perform web application and OS vulnerability scans. All of the company’s web applications use federated authentication and are accessible via a central portal. Which of the following should be implemented to ensure a more thorough scan of the company’s web application, while at the same time reducing false positives?

Options:

A.

The vulnerability scanner should be configured to perform authenticated scans.

B.

The vulnerability scanner should be installed on the web server.

C.

The vulnerability scanner should implement OS and network service detection.

D.

The vulnerability scanner should scan for known and unknown vulnerabilities.

Question 14

Considering confidentiality and integrity, which of the following make servers more secure than desktops? (Select THREE).

Options:

A.

VLANs

B.

OS

C.

Trained operators

D.

Physical access restriction

E.

Processing power

F.

Hard drive capacity

Question 15

A company has decided to process credit card transactions directly. Which of the following would meet the requirements for scanning this type of data?

Options:

A.

Quarterly

B.

Yearly

C.

Bi-annually

D.

Monthly

Question 16

A company has been a victim of multiple volumetric DoS attacks. Packet analysis of the offending traffic shows the following:

Which of the following mitigation techniques is MOST effective against the above attack?

Options:

A.

The company should contact the upstream ISP and ask that RFC1918 traffic be dropped.

B.

The company should implement a network-based sinkhole to drop all traffic coming from 192.168.1.1 at their gateway router.

C.

The company should implement the following ACL at their gateway firewall:DENY IP HOST 192.168.1.1 170.43.30.0/24.

D.

The company should enable the DoS resource starvation protection feature of the gateway NIPS.

Question 17

An investigation showed a worm was introduced from an engineer’s laptop. It was determined the company does not provide engineers with company-owned laptops, which would be subject to company policy and technical controls.

Which of the following would be the MOST secure control to implement?

Options:

A.

Deploy HIDS on all engineer-provided laptops, and put a new router in the management network.

B.

Implement role-based group policies on the management network for client access.

C.

Utilize a jump box that is only allowed to connect to clients from the management network.

D.

Deploy a company-wide approved engineering workstation for management access.

Question 18

A retail corporation with widely distributed store locations and IP space must meet PCI requirements relating to vulnerability scanning. The organization plans to outsource this function to a third party to reduce costs.

Which of the following should be used to communicate expectations related to the execution of scans?

Options:

A.

Vulnerability assessment report

B.

Lessons learned documentation

C.

SLA

D.

MOU

Question 19

A business-critical application is unable to support the requirements in the current password policy because it does not allow the use of special characters. Management does not want to accept the risk of a possible security incident due to weak password standards. Which of the following is an appropriate means to limit the risks related to the application?

Options:

A.

A compensating control

B.

Altering the password policy

C.

Creating new account management procedures

D.

Encrypting authentication traffic

Question 20

A security analyst is concerned that employees may attempt to exfiltrate data prior to tendering their resignations. Unfortunately, the company cannot afford to purchase a data loss prevention (DLP) system. Which of the following recommendations should the security analyst make to provide defense-in-depth against data loss? (Select THREE).

Options:

A.

Prevent users from accessing personal email and file-sharing sites via web proxy

B.

Prevent flash drives from connecting to USB ports using Group Policy

C.

Prevent users from copying data from workstation to workstation

D.

Prevent users from using roaming profiles when changing workstations

E.

Prevent Internet access on laptops unless connected to the network in the office or via VPN

F.

Prevent users from being able to use the copy and paste functions

Question 21

A company has received the results of an external vulnerability scan from its approved scanning vendor. The company is required to remediate these vulnerabilities for clients within 72 hours of acknowledgement of the scan results.

Which of the following contract breaches would result if this remediation is not provided for clients within the time frame?

Options:

A.

Service level agreement

B.

Regulatory compliance

C.

Memorandum of understanding

D.

Organizational governance

Question 22

An organization uses Common Vulnerability Scoring System (CVSS) scores to prioritize remediation of vulnerabilities.

Management wants to modify the priorities based on a difficulty factor so that vulnerabilities with lower CVSS scores may get a higher priority if they are easier to implement with less risk to system functionality. Management also wants to quantify the priority. Which of the following would achieve management’s objective?

Options:

A.

(CVSS Score) * Difficulty = Priority, where Difficulty is a range from 0.1 to 1.0 with 1.0 being easiest and lowest risk to implement

B.

(CVSS Score) * Difficulty = Priority, where Difficulty is a range from 1 to 5 with 1 being easiest and lowest risk to implement

C.

(CVSS Score) / Difficulty = Priority, where Difficulty is a range from 1 to 10 with 10 being easiest and lowest risk to implement

D.

((CVSS Score) * 2) / Difficulty = Priority, where CVSS Score is weighted and Difficulty is a range from 1 to 5 with 5 being easiest and lowest risk to implement

Question 23

A recently issued audit report highlighted exceptions related to end-user handling of sensitive data and access credentials. A security manager is addressing the findings. Which of the following activities should be implemented?

Options:

A.

Update the password policy

B.

Increase training requirements

C.

Deploy a single sign-on platform

D.

Deploy Group Policy Objects

Question 24

As part of an internal banking project, a developer configured a new SSO solution between the company's native application, API gateway, and identity provider. All the traffic has been configured to be encrypted at rest and in transit. During a security review of the solution, the developer highlights the requirements around long-lived sessions to support the digital experience. A security analyst is reviewing the solution. Which of the following controls should the analyst recommend to the developer? (Select TWO.)

Options:

A.

Ensure secure storage of the session cookies

B.

Ensure short-lived timeouts are configured on the access tokens.

C.

Ensure refresh tokens are configured to never time out

D.

Ensure there is context-based authentication utilizing multifactor authentication.

E.

Ensure customers are able to self-service password resets.

Question 25

An organization wants to remediate vulnerabilities associated with its web servers. An initial vulnerability scan has been performed, and analysts are reviewing the results. Before starting any remediation, the analysts want to remove false positives to avoid spending time on issues that are not actual vulnerabilities. Which of the following would be an indicator of a likely false positive?

Options:

A.

Reports indicate that findings are informational.

B.

Any items labeled ‘low’ are considered informational only.

C.

The scan result version is different from the automated asset inventory.

D.

‘HTTPS’ entries indicate the web page is encrypted securely.

Question 26

A security analyst is monitoring authentication exchanges over the company’s wireless network. A sample of the Wireshark output is shown below:

Which of the following would improve the security posture of the wireless network?

Options:

A.

Using PEAP instead of LEAP

B.

Using SSL 2.0 instead of TLSv1.1

C.

Using .aspx instead of .jsp

D.

Using UDP instead of TCP

Question 27

Which of the following describes why it is important for an organization’s incident response team and legal department to meet and discuss communication processes during the incident response process?

Options:

A.

To comply with existing organization policies and procedures on interacting with internal and external parties

B.

To ensure all parties know their roles and effective lines of communication are established

C.

To identify which group will communicate details to law enforcement in the event of a security incident

D.

To predetermine what details should or should not be shared with internal or external parties in the event of an incident

Question 28

Joe, an analyst, has received notice that a vendor who is coming in for a presentation will require access to a server outside the network. Currently, users are only able to access remote sites through a VPN connection. Which of the following should Joe use to BEST accommodate the vendor?

Options:

A.

Allow incoming IPSec traffic into the vendor’s IP address.

B.

Set up a VPN account for the vendor, allowing access to the remote site.

C.

Turn off the firewall while the vendor is in the office, allowing access to the remote site.

D.

Write a firewall rule to allow the vendor to have access to the remote site.

Question 29

A technician is troubleshooting a desktop computer with low disk space. The technician reviews the following information snippets:

Which of the following should the technician do to BEST resolve the issue based on the above information? (Choose two.)

Options:

A.

Delete the movies/movies directory

B.

Disable the movieDB service

C.

Enable OS auto updates

D.

Install a file integrity tool

E.

Defragment the disk

Question 30

A security administrator recently deployed a virtual honeynet. The honeynet is not protected by the company’s firewall, while all production networks are protected by a stateful firewall. Which of the following would BEST allow an external penetration tester to determine which one is the honeynet’s network?

Options:

A.

Banner grab

B.

Packet analyzer

C.

Fuzzer

D.

TCP ACK scan

Question 31

A cybersecurity analyst was asked to review several results of web vulnerability scan logs.

Given the following snippet of code:

Which of the following BEST describes the situation and recommendations to be made?

Options:

A.

The security analyst has discovered an embedded iframe pointing to source IP 65.240.22.1 network. The code should include the domain name. Recommend the entry be updated with the domain name.

B.

The security analyst has discovered an embedded iframe that is hidden from users accessing the web page. This code is correct. This is a design preference, and no vulnerabilities are present.

C.

The security analyst has discovered an embedded iframe pointing to source IP 65.240.22.1 network. The link is hidden and suspicious. Recommend the entry be removed from the web page.

D.

The security analyst has discovered an embedded iframe pointing to source IP 65.240.22.1 network. Recommend making the iframe visible. Fixing the code will correct the issue.

Question 32

A system analyst receives multiple alerts from the systems, reporting they cannot access the Internet. After tracking down the problem to the UTM IP address 120.136.1.1, the analyst notices the issues occurred with the latest threat feed, which updated the UTM blocklist:

Reviewing the above blocklist, which of the following is the MOST likely reason for the unwanted behavior on the UTM?

Options:

A.

The threat feed contained a mistyped subnet mask in the list, causing the UTM to block its own internal traffic processing.

B.

The network's public IP was entered as part of the external threat feed, causing the UTM to block only external-bound traffic.

C.

The network's private internal address range was included in the feed, blocking internal traffic from leaving the network.

D.

The threat feed contained the IANA range reserved for experimental IP addresses, which the UTM was unable to process, causing inbound and outbound traffic stoppage.

Question 33

A vulnerability scan came back with critical findings for a Microsoft SharePoint server:

Which of the following actions should be taken?

Options:

A.

Remove Microsoft Office from the server.

B.

Document the finding as an exception.

C.

Install a newer version of Microsoft Office on the server.

D.

Patch Microsoft Office on the server.

Question 34

A security analyst is trying to capture network traffic on a web server that is suspected of using the DNS service for exfiltrating information out of the network. The server usually transfers several gigabytes of data per day, and the analyst wants the capture to be as small as possible. Which of the following commands should the analyst use to achieve these goals?

Options:

A.

tcpdump tcp port 53 -i eth0 -w evidence1.pcap

B.

tcpdump udp port 53 -i eth0 -w evidence1.pcap

C.

tcpdump port 53 -i eth0 -w evidence1.pcap

D.

tcpdump -i echo -w evidence1.pcap

Question 35

A newly discovered malware has a known behavior of connecting outbound to an external destination on port 27500 for the purposes of exfiltrating data. The following are four snippets taken from running netstat -an on separate Windows workstations:

Based on the above information, which of the following is MOST likely to be exposed to this malware?

Options:

A.

Workstation A

B.

Workstation B

C.

Workstation C

D.

Workstation D

Question 36

A security analyst at a large financial institution is evaluating the security posture of a smaller financial company. The analyst is performing the evaluation as part of a due diligence process prior to a potential acquisition. With which of the following threats should the security analyst be MOST concerned? (Choose two.)

Options:

A.

Breach of confidentiality and market risks can occur if the potential acquisition is leaked to the press.

B.

The parent company is only going through this process to identify and steal the intellectual property of the smaller company.

C.

Employees at the company being acquired will be hostile to the security analyst and may not provide honest answers.

D.

Employees at the company being acquired will be hostile to the security analyst and may not provide honest answers.

E.

The industry regulator may decide that the acquisition will result in unfair competitive advantage if the acquisition were to take place.

F.

The company being acquired may already be compromised and this could pose a risk to the parent company’s assets.

Question 37

A cybersecurity analyst is currently using Nessus to scan several FTP servers. Upon receiving the results of the scan, the analyst needs to further test to verify that the vulnerability found exists. The analyst uses the following snippet of code:

Which of the following vulnerabilities is the analyst checking for?

Options:

A.

Buffer overflow

B.

SQL injection

C.

Default passwords

D.

Format string attack

Question 38

A software engineer has resigned and given two weeks' notice. The organization is concerned the engineer may have taken proprietary code. Which of the following will BEST help the security analyst determine if any code has been exfiltrated?

Options:

A.

Terminate and immediately escort the engineer out of the building

B.

Develop a timeline of the engineer's system and network activity.

C.

Investigate when projects were checked out of the code repository by the engineer.

D.

Dump the contents of RAM from the engineer's workstation and review.

Question 39

New regulations have come out that require a company to conduct regular vulnerability scans. Not wanting to be found with a vulnerability during an audit, the company wants the most accurate and complete vulnerability scan. Which of the following BEST meets this objective?

Options:

A.

Regression scan

B.

Port scan

C.

SCAP scan

D.

Agent-based scan

Question 40

A security operations team was alerted to abnormal DNS activity coming from a user’s machine. The team performed a forensic investigation and discovered a host had been compromised. Malicious code was using DNS as a tunnel to extract data from the client machine, which had been leaked and transferred to an unsecure public Internet site. Which of the following BEST describes the attack?

Options:

A.

Phishing

B.

Pharming

C.

Cache poisoning

D.

Data exfiltration

Question 41

A corporation has implemented an 802.1X wireless network using self-signed certificates. Which of the following represents a risk to wireless users?

Options:

A.

Buffer overflow attacks

B.

Cross-site scripting attacks

C.

Man-in-the-middle attacks

D.

Denial of service attacks

Question 42

An organization has recently found some of its sensitive information posted to a social media site. An investigation has identified large volumes of data leaving the network with the source traced back to host 192.168.1.13. An analyst performed a targeted Nmap scan of this host with the results shown below:

Subsequent investigation has allowed the organization to conclude that all of the well-known, standard ports are secure. Which of the following services is the problem?

Options:

A.

winHelper

B.

ssh

C.

rpcbind

D.

timbuktu-serv1

E.

mysql

Question 43

A cybersecurity analyst is investigating an incident report concerning a specific user workstation. The workstation is exhibiting high CPU and memory usage, even when first started, and network bandwidth usage is extremely high. The user reports that applications crash frequently, despite the fact that no significant changes in work habits have occurred. An antivirus scan reports no known threats. Which of the following is the MOST likely reason for this?

Options:

A.

Advanced persistent threat

B.

Zero day

C.

Trojan

D.

Logic bomb

Question 44

Which of the following tools should an analyst use to scan for web server vulnerabilities?

Options:

A.

Wireshark

B.

Qualys

C.

ArcSight

D.

SolarWinds

Question 45

Which of the following systems or services is MOST likely to exhibit issues stemming from the Heartbleed vulnerability? (Choose two.)

Options:

A.

SSH daemons

B.

Web servers

C.

Modbus devices

D.

TLS VPN services

E.

IPSec VPN concentrators

F.

SMB service

Question 46

A small company is publishing a new web application to receive customer feedback related to its products. The web server will only host a form to receive the customer feedback and store it in a local database. The web server is placed in a DMZ network, and the web service and filesystem have been hardened. However, the cybersecurity analyst discovers data from the database can be mined from over the Internet. Which of the following should the cybersecurity analyst recommend be done to provide temporary mitigation from unauthorized access to the database?

Options:

A.

Configure the database to listen for incoming connections on the internal network.

B.

Change the database connection string and apply necessary patches.

C.

Configure an ACL in the border firewall to block all connections to the web server for ports other than 80 and 443.

D.

Deploy a web application firewall to protect the web application from attacks to the database.

Question 47

A network administrator is attempting to troubleshoot an issue regarding certificates on a secure website.

During the troubleshooting process, the network administrator notices that the web gateway proxy on the local network has signed all of the certificates on the local machine.

Which of the following describes the type of attack the proxy has been legitimately programmed to perform?

Options:

A.

Transitive access

B.

Spoofing

C.

Man-in-the-middle

D.

Replay

Question 48

A security analyst is performing a forensic analysis on a machine that was the subject of some historic SIEM alerts. The analyst noticed some network connections utilizing SSL on non-common ports, copies of svchost.exe and cmd.exe in %TEMP% folder, and RDP files that had connected to external IPs. Which of the following threats has the security analyst uncovered?

Options:

A.

DDoS

B.

APT

C.

Ransomware

D.

Software vulnerability

Question 49

Using a heuristic system to detect an anomaly in a computer's baseline, a system administrator was able to detect an attack even though the company's signature-based IDS and antivirus did not detect it. Further analysis revealed that the attacker had downloaded an executable file onto the company PC from the USB port and executed it to trigger a privilege escalation flaw. Which of the following attacks has MOST likely occurred?

Options:

A.

Cookie stealing

B.

Zero-day

C.

Directory traversal

D.

XML injection

Question 50

A security analyst is creating baseline system images to remediate vulnerabilities found in different operating systems. Each image needs to be scanned before it is deployed. The security analyst must ensure the configurations match industry standard benchmarks and the process can be repeated frequently. Which of the following vulnerability options would BEST create the process requirements?

Options:

A.

Utilizing an operating system SCAP plugin

B.

Utilizing an authorized credential scan

C.

Utilizing a non-credential scan

D.

Utilizing a known malware plugin

Question 51

The help desk informed a security analyst of a trend that is beginning to develop regarding a suspicious email that has been reported by multiple users. The analyst has determined the email includes an attachment named invoice.zip that contains the following files:

Locky.js

xerty.ini

xerty.lib

Further analysis indicates that when the .zip file is opened, it is installing a new version of ransomware on the devices. Which of the following should be done FIRST to prevent data on the company NAS from being encrypted by infected devices?

Options:

A.

Disable access to the company VPN.

B.

Email employees instructing them not to open the invoice attachment.

C.

Set permissions on file shares to read-only.

D.

Add the URL included in the .js file to the company’s web proxy filter.

Question 52

A cybersecurity analyst has received an alert that well-known “call home” messages are continuously observed by network sensors at the network boundary. The proxy firewall successfully drops the messages. After determining the alert was a true positive, which of the following represents the MOST likely cause?

Options:

A.

Attackers are running reconnaissance on company resources.

B.

An outside command and control system is attempting to reach an infected system.

C.

An insider is trying to exfiltrate information to a remote network.

D.

Malware is running on a company system.

Question 53

A system administrator has reviewed the following output:

Which of the following can a system administrator infer from the above output?

Options:

A.

The company email server is running a non-standard port.

B.

The company email server has been compromised.

C.

The company is running a vulnerable SSH server.

D.

The company web server has been compromised.

Question 54

A technician receives a report that a user's workstation is experiencing no network connectivity. The technician investigates and notices the patch cable running from the back of the user's VoIP phone is routed directly under the rolling chair and has been smashed flat over time.

Which of the following is the most likely cause of this issue?

Options:

A.

Cross-talk

B.

Electromagnetic interference

C.

Excessive collisions

D.

Split pairs

Question 55

A cybersecurity analyst has received the laptop of a user who recently left the company. The analyst types ‘history’ into the prompt, and sees this line of code in the latest bash history:

This concerns the analyst because this subnet should not be known to users within the company. Which of the following describes what this code has done on the network?

Options:

A.

Performed a ping sweep of the Class C network.

B.

Performed a half-open SYN scan on the network.

C.

Sent 255 ping packets to each host on the network.

D.

Sequentially sent an ICMP echo reply to the Class C network.

Question 56

During a routine review of firewall logs, an analyst identified that an IP address from the organization’s server subnet had been connecting during nighttime hours to a foreign IP address, and had been sending between 150 and 500 megabytes of data each time. This had been going on for approximately one week, and the affected server was taken offline for forensic review. Which of the following is MOST likely to drive up the incident’s impact assessment?

Options:

A.

PII of company employees and customers was exfiltrated.

B.

Raw financial information about the company was accessed.

C.

Forensic review of the server required fall-back on a less efficient service.

D.

IP addresses and other network-related configurations were exfiltrated.

E.

The local root password for the affected server was compromised.

Question 57

An organization is requesting the development of a disaster recovery plan. The organization has grown and so has its infrastructure. Documentation, policies, and procedures do not exist. Which of the following steps should be taken to assist in the development of the disaster recovery plan?

Options:

A.

Conduct a risk assessment.

B.

Develop a data retention policy.

C.

Execute vulnerability scanning.

D.

Identify assets.

Question 58

An analyst is observing unusual network traffic from a workstation. The workstation is communicating with a known malicious site over an encrypted tunnel. A full antivirus scan with an updated antivirus signature file does not show any sign of infection. Which of the following has occurred on the workstation?

Options:

A.

Zero-day attack

B.

Known malware attack

C.

Session hijack

D.

Cookie stealing

Question 59

Which of the following is MOST effective for correlation analysis by log for threat management?

Options:

A.

PCAP

B.

SCAP

C.

IPS

D.

SIEM

Question 60

A system administrator recently deployed and verified the installation of a critical patch issued by the company’s primary OS vendor. This patch was supposed to remedy a vulnerability that would allow an adversary to remotely execute code from over the network. However, the administrator just ran a vulnerability assessment of networked systems, and each of them still reported having the same vulnerability. Which of the following is the MOST likely explanation for this?

Options:

A.

The administrator entered the wrong IP range for the assessment.

B.

The administrator did not wait long enough after applying the patch to run the assessment.

C.

The patch did not remediate the vulnerability.

D.

The vulnerability assessment returned false positives.

Question 61

Several users have reported that when attempting to save documents in team folders, the following message is received:

The File Cannot Be Copied or Moved – Service Unavailable.

Upon further investigation, it is found that the syslog server is not obtaining log events from the file server to which the users are attempting to copy files. Which of the following is the MOST likely scenario causing these issues?

Options:

A.

The network is saturated, causing network congestion

B.

The file server is experiencing high CPU and memory utilization

C.

Malicious processes are running on the file server

D.

All the available space on the file server is consumed

Question 62

A security analyst suspects that a workstation may be beaconing to a command and control server. Inspect the logs from the company’s web proxy server and the firewall to determine the best course of action to take in order to neutralize the threat with minimum impact to the organization.

Instructions:

Modify the firewall ACL, using the Firewall ACL form to mitigate the issue.

If at any time you would like to bring back the initial state of the simulation, please select the Reset All button.

Options:

Question 63

A cybersecurity analyst has been asked to follow a corporate process that will be used to manage vulnerabilities for an organization. The analyst notices the policy has not been updated in three years. Which of the following should the analyst check to ensure the policy is still accurate?

Options:

A.

Threat intelligence reports

B.

Technical constraints

C.

Corporate minutes

D.

Governing regulations

Question 64

You suspect that multiple unrelated security events have occurred on several nodes on a corporate network. You must review all logs and correlate events when necessary to discover each security event by clicking on each node. Only select corrective actions if the logs show a security event that needs remediation. Drag and drop the appropriate corrective actions to mitigate the specific security event occurring on each affected device.

Instructions:

The Web Server, Database Server, IDS, Development PC, Accounting PC and Marketing PC are clickable. Some actions may not be required and each action can only be used once per node. The corrective action order is not important. If at any time you would like to bring back the initial state of the simulation, please select the Reset button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.

Options:

Question 65

A security administrator determines several months after the first instance that a local privileged user has been routinely logging into a server interactively as “root” and browsing the Internet. The administrator determines this by performing an annual review of the security logs on that server. For which of the following security architecture areas should the administrator recommend review and modification? (Select TWO).

Options:

A.

Log aggregation and analysis

B.

Software assurance

C.

Encryption

D.

Acceptable use policies

E.

Password complexity

F.

Network isolation and separation

Question 66

In order to meet regulatory compliance objectives for the storage of PHI, vulnerability scans must be conducted on a continuous basis. The last completed scan of the network returned 5,682 possible vulnerabilities. The Chief Information Officer (CIO) would like to establish a remediation plan to resolve all known issues. Which of the following is the BEST way to proceed?

Options:

A.

Attempt to identify all false positives and exceptions, and then resolve all remaining items.

B.

Hold off on additional scanning until the current list of vulnerabilities has been resolved.

C.

Place assets that handle PHI in a sandbox environment, and then resolve all vulnerabilities.

D.

Reduce the scan to items identified as critical in the asset inventory, and resolve these issues first.

Question 67

Which of the following policies BEST explains the purpose of a data ownership policy?

Options:

A.

The policy should describe the roles and responsibilities between users and managers, and the management of specific data types.

B.

The policy should establish the protocol for retaining information types based on regulatory or business needs.

C.

The policy should document practices that users must adhere to in order to access data on the corporate network or Internet.

D.

The policy should outline the organization’s administration of accounts for authorized users to access the appropriate data.

Question 68

Management is concerned with administrator access from outside the network to a key server in the company. Specifically, firewall rules allow access to the server from anywhere in the company. Which of the following would be an effective solution?

Options:

A.

Honeypot

B.

Jump box

C.

Server hardening

D.

Anti-malware
