Special Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70special

CompTIA CS0-003 CompTIA CyberSecurity Analyst CySA+ Certification Exam Exam Practice Test

Page: 1 / 42
Total 424 questions

CompTIA CyberSecurity Analyst CySA+ Certification Exam Questions and Answers

Testing Engine

  • Product Type: Testing Engine
$37.5  $124.99

PDF Study Guide

  • Product Type: PDF Study Guide
$33  $109.99
Question 1

Which of the following best describes the key goal of the containment stage of an incident response process?

Options:

A.

To limit further damage from occurring

B.

To get services back up and running

C.

To communicate goals and objectives of theincidentresponse plan

D.

To prevent data follow-on actions by adversary exfiltration

Question 2

A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities:

Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?

Options:

A.

InLoud:Cobain: YesGrohl: NoNovo: YesSmear: YesChanning: No

B.

TSpirit:Cobain: YesGrohl: YesNovo: YesSmear: NoChanning: No

C.

ENameless:Cobain: YesGrohl: NoNovo: YesSmear: NoChanning: No

D.

PBleach:Cobain: YesGrohl: NoNovo: NoSmear: NoChanning: Yes

Question 3

An analyst suspects cleartext passwords are being sent over the network. Which of the following tools would best support the analyst's investigation?

Options:

A.

OpenVAS

B.

Angry IP Scanner

C.

Wireshark

D.

Maltego

Question 4

An organization needs to bring in data collection and aggregation from various endpoints. Which of the following is the best tool to deploy to help analysts gather this data?

Options:

A.

DLP

B.

NAC

C.

EDR

D.

NIDS

Question 5

The DevSecOps team is remediating a Server-Side Request Forgery (SSRF) issue on the company's public-facing website. Which of the following is the best mitigation technique to address this issue?

Options:

A.

Place a Web Application Firewall (WAF) in front of the web server.

B.

Install a Cloud Access Security Broker (CASB) in front of the web server.

C.

Put a forward proxy in front of the web server.

D.

Implement MFA in front of the web server.

Question 6

An analyst needs to provide recommendations based on a recent vulnerability scan:

Which of the following should the analyst recommend addressing to ensure potential vulnerabilities are identified?

Options:

A.

SMB use domain SID to enumerate users

B.

SYN scanner

C.

SSL certificate cannot be trusted

D.

Scan not performed with admin privileges

Question 7

An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Which of the following steps of the process does this describe?

Options:

A.

Eradication

B.

Recovery

C.

Containment

D.

Preparation

Question 8

The security team reviews a web server for XSS and runs the following Nmap scan:

Which of the following most accurately describes the result of the scan?

Options:

A.

An output of characters > and " as the parameters used m the attempt

B.

The vulnerable parameter ID hccp://l72.31.15.2/1.php?id-2 and unfiltered characters returned

C.

The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe

D.

The vulnerable parameter and characters > and " with a reflected XSS attempt

Question 9

An attacker recently gained unauthorized access to a financial institution's database, which contains confidential information. The attacker exfiltrated a large amount of data before being detected and blocked. A security analyst needs to complete a root cause analysis to determine how the attacker was able to gain access. Which of the following should the analyst perform first?

Options:

A.

Document the incident and any findings related to the attack for future reference.

B.

Interview employees responsible for managing the affected systems.

C.

Review the log files that record all events related to client applications and user access.

D.

Identify the immediate actions that need to be taken to contain the incident and minimize damage.

Question 10

While configuring a SIEM for an organization, a security analyst is having difficulty correlating incidents across different systems. Which of the following should be checked first?

Options:

A.

If appropriate logging levels are set

B.

NTP configuration on each system

C.

Behavioral correlation settings

D.

Data normalization rules

Question 11

A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?

Options:

A.

Code analysis

B.

Static analysis

C.

Reverse engineering

D.

Fuzzing

Question 12

The SOC receives a number of complaints regarding a recent uptick in desktop error messages that are associated with workstation access to an internal web application. An analyst, identifying a recently modified XML file on the web server, retrieves a copy of this file for review, which contains the following code:

Which of The following XML schema constraints would stop these desktop error messages from appearing?

Options:

A.

A white background with black text AI-generated content may be incorrect.

B.

A white background with black text AI-generated content may be incorrect.

C.

A white background with black text AI-generated content may be incorrect.

D.

A screenshot of a computer code AI-generated content may be incorrect.

Question 13

A new SOC manager reviewed findings regarding the strengths and weaknesses of the last tabletop exercise in order to make improvements. Which of the following should the SOC manager utilize to improve the process?

Options:

A.

The most recent audit report

B.

The incident response playbook

C.

The incident response plan

D.

The lessons-learned register

Question 14

An organization has noticed large amounts of data are being sent out of its network. An

analyst is identifying the cause of the data exfiltration.

INSTRUCTIONS

Select the command that generated the output in tabs 1 and 2.

Review the output text in all tabs and identify the file responsible for the malicious

behavior.

If at any time you would like to bring back the initial state of the simulation, please click

the Reset All button.

Options:

Question 15

A security manager is looking at a third-party vulnerability metric (SMITTEN) to improve upon the company's current method that relies on CVSSv3. Given the following:

Which of the following vulnerabilities should be prioritized?

Options:

A.

Vulnerability 1

B.

Vulnerability 2

C.

Vulnerability 3

D.

Vulnerability 4

Question 16

An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has:

• created the initial evidence log.

• disabled the wireless adapter on the device.

• interviewed the employee, who was unable to identify the website that was accessed

• reviewed the web proxy traffic logs.

Which of the following should the analyst do to remediate the infected device?

Options:

A.

Update the system firmware and reimage the hardware.

B.

Install an additional malware scanner that will send email alerts to the analyst.

C.

Configure the system to use a proxy server for Internet access.

D.

Delete the user profile and restore data from backup.

Question 17

A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment. Which of the following implications should be considered on the new hybrid environment?

Options:

A.

The current scanners should be migrated to the cloud

B.

Cloud-specific misconfigurations may not be detected by the current scanners

C.

Existing vulnerability scanners cannot scan laaS systems

D.

Vulnerability scans on cloud environments should be performed from the cloud

Question 18

Which of the following is the most appropriate action a security analyst to take to effectively identify the most security risks associated with a locally hosted server?

Options:

A.

Run the operating system update tool to apply patches that are missing.

B.

Contract an external penetration tester to attempt a brute-force attack.

C.

Download a vendor support agent to validate drivers that are installed.

D.

Execute a vulnerability scan against the target host.

Question 19

A Chief Information Security Officer wants to map all the attack vectors that the company faces each day. Which of the following recommendations should the company align their security controls around?

Options:

A.

OSSTMM

B.

Diamond Model Of Intrusion Analysis

C.

OWASP

D.

MITRE ATT&CK

Question 20

Which of the following can be used to learn more about TTPs used by cybercriminals?

Options:

A.

ZenMAP

B.

MITRE ATT&CK

C.

National Institute of Standards and Technology

D.

theHarvester

Question 21

A company recently removed administrator rights from all of its end user workstations. An analyst uses CVSSv3.1 exploitability metrics to prioritize the vulnerabilities for the workstations and produces the following information:

Which of the following vulnerabilities should be prioritized for remediation?

Options:

A.

nessie.explosion

B.

vote.4p

C.

sweet.bike

D.

great.skills

Question 22

Each time a vulnerability assessment team shares the regular report with other teams, inconsistencies regarding versions and patches in the existing infrastructure are discovered. Which of the following is the best solution to decrease the inconsistencies?

Options:

A.

Implementing credentialed scanning

B.

Changing from a passive to an active scanning approach

C.

Implementing a central place to manage IT assets

D.

Performing agentless scanning

Question 23

A security analyst runs the following command:

# nmap -T4 -F 192.168.30.30

Starting nmap 7.6

Host is up (0.13s latency)

PORT STATE SERVICE

23/tcp open telnet

443/tcp open https

636/tcp open ldaps

Which of the following should the analyst recommend first to harden the system?

Options:

A.

Disable all protocols that do not use encryption.

B.

Configure client certificates for domain services.

C.

Ensure that this system is behind a NGFW.

D.

Deploy a publicly trusted root CA for secure websites.

Question 24

A security analyst detects an email server that had been compromised in the internal network. Users have been reporting strange messages in their email inboxes and unusual network traffic. Which of the following incident response steps should be performed next?

Options:

A.

Preparation

B.

Validation

C.

Containment

D.

Eradication

Question 25

A security analyst is reviewing the logs of a web server and notices that an attacker has attempted to exploit a SQL injection vulnerability. Which of the following tools can the analyst use to analyze the attack and prevent future attacks?

Options:

A.

A web application firewall

B.

A network intrusion detection system

C.

A vulnerability scanner

D.

A web proxy

Question 26

An analyst is investigating a phishing incident and has retrieved the following as part of the investigation:

cmd.exe /c c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -EncodedCommand

Which of the following should the analyst use to gather more information about the purpose of this command?

Options:

A.

Echo the command payload content into 'base64 -d'.

B.

Execute the command from a Windows VM.

C.

Use a command console with administrator privileges to execute the code.

D.

Run the command as an unprivileged user from the analyst workstation.

Question 27

A security analyst would like to integrate two different SaaS-based security tools so that one tool can notify the other in the event a threat is detected. Which of the following should the analyst utilize to best accomplish this goal?

Options:

A.

SMB share

B.

API endpoint

C.

SMTP notification

D.

SNMP trap

Question 28

A Chief Information Security Officer has requested a dashboard to share critical vulnerability management goals with company leadership.

Which of the following would be the best to include in the dashboard?

Options:

A.

KPI

B.

MOU

C.

SLO

D.

SLA

Question 29

Which of the following risk management principles is accomplished by purchasing cyber insurance?

Options:

A.

Accept

B.

Avoid

C.

Mitigate

D.

Transfer

Question 30

A company has a primary control in place to restrict access to a sensitive database. However, the company discovered an authentication vulnerability that could bypass this control. Which of the following is the best compensating control?

Options:

A.

Running regular penetration tests to identify and address new vulnerabilities

B.

Conducting regular security awareness training of employees to prevent social engineering attacks

C.

Deploying an additional layer of access controls to verify authorized individuals

D.

Implementing intrusion detection software to alert security teams of unauthorized access attempts

Question 31

There are several reports of sensitive information being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?

Options:

A.

Implement step-up authentication for administrators

B.

Improve employee training and awareness

C.

Increase password complexity standards

D.

Deploy mobile device management

Question 32

Which of the following would an organization use to develop a business continuity plan?

Options:

A.

A diagram of all systems and interdependent applications

B.

A repository for all the software used by the organization

C.

A prioritized list of critical systems defined by executive leadership

D.

A configuration management database in print at an off-site location

Question 33

An analyst has discovered the following suspicious command:

Which of the following would best describe the outcome of the command?

Options:

A.

Cross-site scripting

B.

Reverse shell

C.

Backdoor attempt

D.

Logic bomb

Question 34

A security audit for unsecured network services was conducted, and the following output was generated:

Which of the following services should the security team investigate further? (Select two).

Options:

A.

21

B.

22

C.

23

D.

636

E.

1723

F.

3389

Question 35

The vulnerability analyst reviews threat intelligence regarding emerging vulnerabilities affecting workstations that are used within the company:

Which of the following vulnerabilities should the analyst be most concerned about, knowing that end users frequently click on malicious links sent via email?

Options:

A.

Vulnerability A

B.

Vulnerability B

C.

Vulnerability C

D.

Vulnerability D

Question 36

An analyst recommends that an EDR agent collect the source IP address, make a connection to the firewall, and create a policy to block the malicious source IP address across the entire network automatically. Which of the following is the best option to help the analyst implement this recommendation?

Options:

A.

SOAR

B.

SIEM

C.

SLA

D.

IoC

Question 37

During an incident involving phishing, a security analyst needs to find the source of the malicious email. Which of the following techniques would provide the analyst with this information?

Options:

A.

Header analysis

B.

Packet capture

C.

SSL inspection

D.

Reverse engineering

Question 38

A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?

Options:

A.

function x() { info=$(geoiplookup $1) && echo "$1 | $info" }

B.

function x() { info=$(ping -c 1 $1 | awk -F "/" ’END{print $5}’) && echo "$1 | $info" }

C.

function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" ’{print $1} ').origin.asn.cymru.com TXT +short) && echo "$1 | $info" }

D.

function x() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo "$1 | $info" }

Question 39

Which of the following responsibilities does the legal team have during an incident management event? (Select two).

Options:

A.

Coordinate additional or temporary staffing for recovery efforts.

B.

Review and approve new contracts acquired as a result of an event.

C.

Advise the Incident response team on matters related to regulatory reporting.

D.

Ensure all system security devices and procedures are in place.

E.

Conduct computer and network damage assessments for insurance.

F.

Verify that all security personnel have the appropriate clearances.

Question 40

Which of the following evidence collection methods is most likely to be acceptable in court cases?

Options:

A.

Copying all access files at the time of the incident

B.

Creating a file-level archive of all files

C.

Providing a full system backup inventory

D.

Providing a bit-level image of the hard drive

Question 41

A security analyst has found a moderate-risk item in an organization's point-of-sale application. The organization is currently in a change freeze window and has decided that the risk is not high enough to correct at this time. Which of the following inhibitors to remediation does this scenario illustrate?

Options:

A.

Service-level agreement

B.

Business process interruption

C.

Degrading functionality

D.

Proprietary system

Question 42

A security analyst reviews a packet capture and identifies the following output as anomalous:

13:49:57.553161 TP10.203.10.17.45701>10.203.10.22.12930:Flags[FPU],seq108331482,win1024,urg0,length0

13:49:57.553162 IP10.203.10.17.45701>10.203.10.22.48968:Flags[FPU],seq108331482,win1024,urg0,length0

...

Which of the following activities explains the output?

Options:

A.

Nmap Xmas scan

B.

Nikto's web scan

C.

Socat's proxying traffic using the urgent flag

D.

Angry IP Scanner output

Question 43

A Chief Information Security Officer has outlined several requirements for a new vulnerability scanning project:

. Must use minimal network bandwidth

. Must use minimal host resources

. Must provide accurate, near real-time updates

. Must not have any stored credentials in configuration on the scanner

Which of the following vulnerability scanning methods should be used to best meet these requirements?

Options:

A.

Internal

B.

Agent

C.

Active

D.

Uncredentialed

Question 44

A virtual web server in a server pool was infected with malware after an analyst used the internet to research a system issue. After the server was rebuilt and added back into the server pool, users reported issues with the website, indicating the site could not be trusted. Which of the following is the most likely cause of the server issue?

Options:

A.

The server was configured to use SSI- to securely transmit data

B.

The server was supporting weak TLS protocols for client connections.

C.

The malware infected all the web servers in the pool.

D.

The digital certificate on the web server was self-signed

Question 45

While reviewing web server logs, a security analyst discovers the following suspicious line:

Which of the following is being attempted?

Options:

A.

Remote file inclusion

B.

Command injection

C.

Server-side request forgery

D.

Reverse shell

Question 46

An organization has a critical financial application hosted online that does not allow event logging to send to the corporate SIEM. Which of the following is the best option for the security analyst to configure to improve the efficiency of security operations?

Options:

A.

Configure a new SIEM specific to the management of the hosted environment.

B.

Subscribe to a threat feed related to the vendor's application.

C.

Use a vendor-provided API to automate pulling the logs in real time.

D.

Download and manually import the logs outside of business hours.

Question 47

Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?

Options:

A.

TO provide metrics and test continuity controls

B.

To verify the roles of the incident response team

C.

To provide recommendations for handling vulnerabilities

D.

To perform tests against implemented security controls

Question 48

A payroll department employee was the target of a phishing attack in which an attacker impersonated a department director and requested that direct deposit information be updated to a new account. Afterward, a deposit was made into the unauthorized account. Which of the following is one of the first actions the incident response team should take when they receive notification of the attack?

Options:

A.

Scan the employee's computer with virus and malware tools.

B.

Review the actions taken by the employee and the email related to the event

C.

Contact human resources and recommend the termination of the employee.

D.

Assign security awareness training to the employee involved in the incident.

Question 49

The SOC received a threat intelligence notification indicating that an employee's credentials were found on the dark web. The user's web and log-in activities were reviewed for malicious or anomalous connections, data uploads/downloads, and exploits. A review of the controls confirmed multifactor

authentication was enabled. Which of the following should be done first to mitigate impact to the business networks and assets?

Options:

A.

Perform a forced password reset.

B.

Communicate the compromised credentials to the user.

C.

Perform an ad hoc AV scan on the user's laptop.

D.

Review and ensure privileges assigned to the user's account reflect least privilege.

E.

Lower the thresholds for SOC alerting of suspected malicious activity.

Question 50

Which of the following is most appropriate to use with SOAR when the security team would like to automate actions across different vendor platforms?

Options:

A.

STIX/TAXII

B.

APIs

C.

Data enrichment

D.

Threat feed

Question 51

An email hosting provider added a new data center with new public IP addresses. Which of the following most likely needs to be updated to ensure emails from the new data center do not get blocked by spam filters?

Options:

A.

DKIM

B.

SPF

C.

SMTP

D.

DMARC

Question 52

A security analyst has found the following suspicious DNS traffic while analyzing a packet capture:

• DNS traffic while a tunneling session is active.

• The mean time between queries is less than one second.

• The average query length exceeds 100 characters.

Which of the following attacks most likely occurred?

Options:

A.

DNS exfiltration

B.

DNS spoofing

C.

DNS zone transfer

D.

DNS poisoning

Question 53

A cloud team received an alert that unauthorized resources were being auto-provisioned. After investigating, the team suspects that crypto mining is occurring. Which of the following indicators would

most likely lead the team to this conclusion?

.

Options:

A.

High GPU utilization

B.

Bandwidth consumption

C.

Unauthorized changes

D.

Unusual traffic spikes

Question 54

Given the following CVSS string-

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/3:U/C:K/I:K/A:H

Which of the following attributes correctly describes this vulnerability?

Options:

A.

A user is required to exploit this vulnerability.

B.

The vulnerability is network based.

C.

The vulnerability does not affect confidentiality.

D.

The complexity to exploit the vulnerability is high.

Question 55

Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

Options:

A.

Identify any improvements or changes in the incident response plan or procedures

B.

Determine if an internal mistake was made and who did it so they do not repeat the error

C.

Present all legal evidence collected and turn it over to iaw enforcement

D.

Discuss the financial impact of the incident to determine if security controls are well spent

Question 56

Which of the following concepts is using an API to insert bulk access requests from a file into an identity management system an example of?

Options:

A.

Command and control

B.

Data enrichment

C.

Automation

D.

Single sign-on

Question 57

During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?

Options:

A.

Conduct regular red team exercises over the application in production

B.

Ensure that all implemented coding libraries are regularly checked

C.

Use application security scanning as part of the pipeline for the CI/CDflow

D.

Implement proper input validation for any data entry form

Question 58

A SOC team lead occasionally collects some DNS information for investigations. The team lead assigns this task to a new junior analyst. Which of the following is the best way to relay the process information to the junior analyst?

Options:

A.

Ask another team member to demonstrate their process.

B.

Email a link to a website that shows someone demonstrating a similar process.

C.

Let the junior analyst research and develop a process.

D.

Write a step-by-step document on the team wiki outlining the process.

Question 59

An XSS vulnerability was reported on one of the public websites of a company. The security department confirmed the finding and needs to provide a recommendation to the application owner. Which of the following recommendations will best prevent this vulnerability from being exploited? (Select two).

Options:

A.

Implement an IPS in front of the web server.

B.

Enable MFA on the website.

C.

Take the website offline until it is patched.

D.

Implement a compensating control in the source code.

E.

Configure TLS v1.3 on the website.

F.

Fix the vulnerability using a virtual patch at the WAF.

Question 60

Several vulnerability scan reports have indicated runtime errors as the code is executing. The dashboard that lists the errors has a command-line interface for developers to check for vulnerabilities. Which of the following will enable a developer to correct this issue? (Select two).

Options:

A.

Performing dynamic application security testing

B.

Reviewing the code

C.

Fuzzing the application

D.

Debugging the code

E.

Implementing a coding standard

F.

Implementing IDS

Question 61

During normal security monitoring activities, the following activity was observed:

cd C:\Users\Documents\HR\Employees

takeown/f .*

SUCCESS:

Which of the following best describes the potentially malicious activity observed?

Options:

A.

Registry changes or anomalies

B.

Data exfiltration

C.

Unauthorized privileges

D.

File configuration changes

Question 62

An analyst investigated a website and produced the following:

Starting Nmap 7.92 ( ) at 2022-07-21 10:21 CDT

Nmap scan report for insecure.org (45.33.49.119)

Host is up (0.054s latency).

rDNS record for 45.33.49.119: ack.nmap.org

Not shown: 95 filtered tcp ports (no-response)

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 7.4 (protocol 2.0)

25/tcp closed smtp

80/tcp open http Apache httpd 2.4.6

113/tcp closed ident

443/tcp open ssl/http Apache httpd 2.4.6

Service Info: Host: issues.nmap.org

Service detection performed. Please report any incorrect results at .org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 20.52 seconds

Which of the following syntaxes did the analyst use to discover the application versions on this vulnerable website?

Options:

A.

nmap-sS -T4 -F insecure.org

B.

nmap-0 insecure.org

C.

nmap-sV -T4 -F insecure.org

D.

nmap-A insecure.org

Question 63

A company recently experienced a security incident. The security team has determined

a user clicked on a link embedded in a phishing email that was sent to the entire company. The link resulted in a malware download, which was subsequently installed and run.

INSTRUCTIONS

Part 1

Review the artifacts associated with the security incident. Identify the name of the malware, the malicious IP address, and the date and time when the malware executable entered the organization.

Part 2

Review the kill chain items and select an appropriate control for each that would improve the security posture of the organization and would have helped to prevent this incident from occurring. Each

control may only be used once, and not all controls will be used.

Firewall log:

File integrity Monitoring Report:

Malware domain list:

Vulnerability Scan Report:

Phishing Email:

Options:

Question 64

During an incident, a security analyst discovers a large amount of Pll has been emailed externally from an employee to a public email address. The analyst finds that the external email is the employee's

personal email. Which of the following should the analyst recommend be done first?

Options:

A.

Place a legal hold on the employee's mailbox.

B.

Enable filtering on the web proxy.

C.

Disable the public email access with CASB.

D.

Configure a deny rule on the firewall.

Question 65

During a tabletop exercise, engineers discovered that an ICS could not be updated due to hardware versioning incompatibility. Which of the following is the most likely cause of this issue?

Options:

A.

Legacy system

B.

Business process interruption

C.

Degrading functionality

D.

Configuration management

Question 66

A security manager reviews the permissions for the approved users of a shared folder and finds accounts that are not on the approved access list. While investigating an incident, a user discovers data discrepancies in the file. Which of the following best describes this activity?

Options:

A.

Filesystem anomaly

B.

Illegal software

C.

Unauthorized changes

D.

Data exfiltration

Question 67

A Chief Information Security Officer (CISO) has determined through lessons learned and an associated after-action report that staff members who use legacy applications do not adequately understand how to differentiate between non-malicious emails and phishing emails. Which of the following should the CISO include in an action plan to remediate this issue?

Options:

A.

Awareness training and education

B.

Replacement of legacy applications

C.

Organizational governance

D.

Multifactor authentication on all systems

Question 68

Which of the following makes STIX and OpenloC information readable by both humans and machines?

Options:

A.

XML

B.

URL

C.

OVAL

D.

TAXII

Question 69

A SOC analyst observes reconnaissance activity from an IP address. The activity follows a pattern of short bursts toward a low number of targets. An open-source review shows that the IP has a bad reputation. The perimeter firewall logs indicate the inbound traffic was allowed. The destination hosts are high-value assets with EDR agents installed. Which of the following is the best action for the SOC to take to protect against any further activity from the source IP?

Options:

A.

Add the IP address to the EDR deny list.

B.

Create a SIEM signature to trigger on any activity from the source IP subnet detected by the web proxy or firewalls for immediate notification.

C.

Implement a prevention policy for the IP on the WAF

D.

Activate the scan signatures for the IP on the NGFWs.

Question 70

A security analyst is validating a particular finding that was reported in a web application vulnerability scan to make sure it is not a false positive. The security analyst uses the snippet below:

Which of the following vulnerability types is the security analyst validating?

Options:

A.

Directory traversal

B.

XSS

C.

XXE

D.

SSRF

Question 71

A security administrator has found indications of dictionary attacks against the company's external-facing portal. Which of the following should be implemented to best mitigate the password attacks?

Options:

A.

Multifactor authentication

B.

Password complexity

C.

Web application firewall

D.

Lockout policy

Question 72

Numerous emails were sent to a company's customer distribution list. The customers reported that the emails contained a suspicious link. The company's SOC determined the links were malicious. Which of the following is the best way to decrease these emails?

Options:

A.

DMARC

B.

DKIM

C.

SPF

D.

SMTP

Question 73

During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?

Options:

A.

Disk contents

B.

Backup data

C.

Temporary files

D.

Running processes

Question 74

An employee is no longer able to log in to an account after updating a browser. The employee usually has several tabs open in the browser. Which of

the following attacks was most likely performed?

Options:

A.

RFI

B.

LFI

C.

CSRF

D.

XSS

Question 75

A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago: but the report did not have a follow-up remediation response from an analyst. Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?

Options:

A.

SLA

B.

MOU

C.

NDA

D.

Limitation of liability

Question 76

A SOC manager reviews metrics from the last four weeks to investigate a recurring availability issue. The manager finds similar events correlating to the times of the reported issues.

Which of the following methods would the manager most likely use to resolve the issue?

Options:

A.

Vulnerability assessment

B.

Root cause analysis

C.

Recurrence reports

D.

Lessons learned

Question 77

A cryptocurrency service company is primarily concerned with ensuring the accuracy of the data on one of its systems. A security analyst has been tasked with prioritizing vulnerabilities for remediation for the system. The analyst will use the following CVSSv3.1 impact metrics for prioritization:

Which of the following vulnerabilities should be prioritized for remediation?

Options:

A.

1

B.

2

C.

3

D.

4

Question 78

Which of the following best describes the threat concept in which an organization works to ensure that all network users only open attachments from known sources?

Options:

A.

Hacktivist threat

B.

Advanced persistent threat

C.

Unintentional insider threat

D.

Nation-state threat

Question 79

An analyst receives an alert for suspicious IIS log activity and reviews the following entries:

2024-05-23 15:57:05 10.203.10.16 HEAT / - 80 - 10.203.10.17

...

Which of the following will the analyst infer from the logs?

Options:

A.

An attacker is performing network lateral movement.

B.

An attacker is conducting reconnaissance of the website.

C.

An attacker is exfiltrating data from the network.

D.

An attacker is cloning the website.

Question 80

A systems analyst is limiting user access to system configuration keys and values in a Windows environment. Which of the following describes where the analyst can find these configuration items?

Options:

A.

config. ini

B.

ntds.dit

C.

Master boot record

D.

Registry

Question 81

Patches for two highly exploited vulnerabilities were released on the same Friday afternoon. Information about the systems and vulnerabilities is shown in the tables below:

Which of the following should the security analyst prioritize for remediation?

Options:

A.

rogers

B.

brady

C.

brees

D.

manning

Question 82

Which of the following will most likely cause severe issues with authentication and logging?

Options:

A.

Virtualization

B.

Multifactor authentication

C.

Federation

D.

Time synchronization

Question 83

A zero-day command injection vulnerability was published. A security administrator is analyzing the following logs for evidence of adversaries attempting to exploit the vulnerability:

Which of the following log entries provides evidence of the attempted exploit?

Options:

A.

Log entry 1

B.

Log entry 2

C.

Log entry 3

D.

Log entry 4

Question 84

Which of the following best describes the importance of KPIs in an incident response exercise?

Options:

A.

To identify the personal performance of each analyst

B.

To describe how incidents were resolved

C.

To reveal what the team needs to prioritize

D.

To expose which tools should be used

Question 85

A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?

Options:

A.

Testing

B.

Implementation

C.

Validation

D.

Rollback

Question 86

Which of the following describes the best reason for conducting a root cause analysis?

Options:

A.

The root cause analysis ensures that proper timelines were documented.

B.

The root cause analysis allows the incident to be properly documented for reporting.

C.

The root cause analysis develops recommendations to improve the process.

D.

The root cause analysis identifies the contributing items that facilitated the event

Question 87

While reviewing web server logs, a security analyst found the following line:

Which of the following malicious activities was attempted?

Options:

A.

Command injection

B.

XML injection

C.

Server-side request forgery

D.

Cross-site scripting

Question 88

A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?

Options:

A.

function w() { info=$(ping -c 1 $1 | awk -F “/” ‘END{print $1}’) && echo “$1 | $info” }

B.

function x() { info=$(geoiplookup $1) && echo “$1 | $info” }

C.

function y() { info=$(dig -x $1 | grep PTR | tail -n 1 ) && echo “$1 | $info” }

D.

function z() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo “$1 | $info” }

Question 89

A security analyst needs to prioritize vulnerabilities for patching. Given the following vulnerability and system information:

Which of the following systems should the analyst patch first?

Options:

A.

System 1

B.

System 2

C.

System 3

D.

System 4

E.

System 5

F.

System 6

Question 90

An incident response team is assessing attack vectors of malware that is encrypting data with ransomware. There are no indications of a network-based intrusion.

Which of the following is the most likely root cause of the incident?

Options:

A.

USB drop

B.

LFI

C.

Cross-site forgery

D.

SQL injection

Question 91

When starting an investigation, which of the following must be done first?

Options:

A.

Notify law enforcement

B.

Secure the scene

C.

Seize all related evidence

D.

Interview the witnesses

Question 92

An end-of-life date was announced for a widely used OS. A business-critical function is performed by some machinery that is controlled by a PC, which is utilizing the OS that is approaching the end-of- life date. Which of the following best describes a security analyst's concern?

Options:

A.

Any discovered vulnerabilities will not be remediated.

B.

An outage of machinery would cost the organization money.

C.

Support will not be available for the critical machinery

D.

There are no compensating controls in place for the OS.

Question 93

A cybersecurity analyst is participating with the DLP project team to classify the organization's data. Which of the following is the primary purpose for classifying data?

Options:

A.

To identify regulatory compliance requirements

B.

To facilitate the creation of DLP rules

C.

To prioritize IT expenses

D.

To establish the value of data to the organization

Question 94

Which of the following best explains the importance of network microsegmentation as part of a Zero Trust architecture?

Options:

A.

To allow policies that are easy to manage and less granular

B.

To increase the costs associated with regulatory compliance

C.

To limit how far an attack can spread

D.

To reduce hardware costs with the use of virtual appliances

Question 95

An analyst is evaluating the following vulnerability report:

Which of the following vulnerability report sections provides information about the level of impact on data confidentiality if a successful exploitation occurs?

Options:

A.

Payloads

B.

Metrics

C.

Vulnerability

D.

Profile

Question 96

A security analyst has prepared a vulnerability scan that contains all of the company's functional subnets. During the initial scan, users reported that network printers began to print pages that contained unreadable text and icons.

Which of the following should the analyst do to ensure this behavior does not oocur during subsequent vulnerability scans?

Options:

A.

Perform non-credentialed scans.

B.

Ignore embedded web server ports.

C.

Create a tailored scan for the printer subnet.

D.

Increase the threshold length of the scan timeout.

Question 97

During the log analysis phase, the following suspicious command is detected-

Which of the following is being attempted?

Options:

A.

Buffer overflow

B.

RCE

C.

ICMP tunneling

D.

Smurf attack

Question 98

A security analyst is reviewing the findings of the latest vulnerability report for a company's web application. The web application accepts files for a Bash script to be processed if the files match a given hash. The analyst is able to submit files to the system due to a hash collision. Which of the following should the analyst suggest to mitigate the vulnerability with the fewest changes to the current script and infrastructure?

Options:

A.

Deploy a WAF to the front of the application.

B.

Replace the current MD5 with SHA-256.

C.

Deploy an antivirus application on the hosting system.

D.

Replace the MD5 with digital signatures.

Question 99

The Chief Executive Officer (CEO) has notified that a confidential trade secret has been compromised. Which of the following communication plans should the CEO initiate?

Options:

A.

Alert department managers to speak privately with affected staff.

B.

Schedule a press release to inform other service provider customers of the compromise.

C.

Disclose to all affected parties in the Chief Operating Officer for discussion and resolution.

D.

Verify legal notification requirements of PII and SPII in the legal and human resource departments.

Question 100

A healthcare organization must develop an action plan based on the findings from a risk

assessment. The action plan must consist of:

· Risk categorization

· Risk prioritization

. Implementation of controls

INSTRUCTIONS

Click on the audit report, risk matrix, and SLA expectations documents to review their

contents.

On the Risk categorization tab, determine the order in which the findings must be

prioritized for remediation according to the risk rating score. Then, assign a categorization to each risk.

On the Controls tab, select the appropriate control(s) to implement for each risk finding.

Findings may have more than one control implemented. Some controls may be used

more than once or not at all.

If at any time you would like to bring back the initial state of the simulation, please click

the Reset All button.

Options:

Question 101

After updating the email client to the latest patch, only about 15% of the workforce is able to use email. Windows 10 users do not experience issues, but Windows 11 users have constant issues. Which of the

following did the change management team fail to do?

Options:

A.

Implementation

B.

Testing

C.

Rollback

D.

Validation

Question 102

Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure it will not be detected by the victim organization's endpoint security protections. Which of the following stages of the Cyber Kill Chain best aligns with the threat actor's actions?

Options:

A.

Delivery

B.

Reconnaissance

C.

Exploitation

D.

Weaponizatign

Question 103

Which of the following are process improvements that can be realized by implementing a SOAR solution? (Select two).

Options:

A.

Minimize security attacks

B.

Itemize tasks for approval

C.

Reduce repetitive tasks

D.

Minimize setup complexity

E.

Define a security strategy

F.

Generate reports and metrics

Question 104

A Chief Information Security Officer wants to implement security by design, starting …… vulnerabilities, including SQL injection, FRI, XSS, etc. Which of the following would most likely meet the requirement?

Options:

A.

Reverse engineering

B.

Known environment testing

C.

Dynamic application security testing

D.

Code debugging

Question 105

During a security test, a security analyst found a critical application with a buffer overflow vulnerability. Which of the following would be best to mitigate the vulnerability at the application level?

Options:

A.

Perform OS hardening.

B.

Implement input validation.

C.

Update third-party dependencies.

D.

Configure address space layout randomization.

Question 106

Which of the following is the first step that should be performed when establishing a disaster recovery plan?

Options:

A.

Agree on the goals and objectives of the plan

B.

Determine the site to be used during a disasterC Demonstrate adherence to a standard disaster recovery process

C.

Identity applications to be run during a disaster

Question 107

While reviewing the web server logs a security analyst notices the following snippet

..\../..\../boot.ini

Which of the following is being attempted?

Options:

A.

Directory traversal

B.

Remote file inclusion

C.

Cross-site scripting

D.

Remote code execution

E.

Enumeration of/etc/pasawd

Question 108

An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?

Options:

A.

Beaconing

B.

Cross-site scripting

C.

Buffer overflow

D.

PHP traversal

Question 109

An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously remediated vulnerability has reappeared on a database server. Which of the following is the most likely cause?

Options:

A.

The finding is a false positive and should be ignored.

B.

A rollback had been executed on the instance.

C.

The vulnerability scanner was configured without credentials.

D.

The vulnerability management software needs to be updated.

Question 110

An analyst is reviewing a dashboard from the company's SIEM and finds that an IP address known to be malicious can be tracked to numerous high-priority events in the last two hours. The dashboard indicates that these events relate to TTPs. Which of the following is the analyst most likely using?

Options:

A.

MITRE ATT&CK

B.

OSSTMM

C.

Diamond Model of Intrusion Analysis

D.

OWASP

Question 111

Which of the following is the best use of automation in cybersecurity?

Options:

A.

Ensure faster incident detection, analysis, and response.

B.

Eliminate configuration errors when implementing new hardware.

C.

Lower costs by reducing the number of necessary staff.

D.

Reduce the time for internal user access requests.

Question 112

An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the breach to?

Options:

A.

PCI Security Standards Council

B.

Local law enforcement

C.

Federal law enforcement

D.

Card issuer

Question 113

An organization utilizes multiple vendors, each with its own portal that a security analyst must sign in to daily. Which of the following is the best solution for the organization to use to eliminate the need for multiple authentication credentials?

Options:

A.

API

B.

MFA

C.

SSO

D.

VPN

Question 114

A security analyst noticed the following entry on a web server log:

Warning: fopen : failed to open stream:

Connection refused in /hj/var/www/showimage.php on line 7

Which of the following malicious activities was most likely attempted?

Options:

A.

XSS

B.

CSRF

C.

SSRF

D.

RCE

Question 115

During an internal code review, software called "ACE" was discovered to have a vulnerability that allows the execution of arbitrary code. The vulnerability is in a legacy, third-party vendor resource that is used by the ACE software. ACE is used worldwide and is essential for many businesses in this industry. Developers informed the Chief Information Security Officer that removal of the vulnerability will take time. Which of the following is the first action to take?

Options:

A.

Look for potential loCs in the company.

B.

Inform customers of the vulnerability.

C.

Remove the affected vendor resource from the ACE software.

D.

Develop a compensating control until the issue can be fixed permanently.

Question 116

An analyst is imaging a hard drive that was obtained from the system of an employee who is suspected of going rogue. The analyst notes that the initial hash of the evidence drive does not match the resultant hash of the imaged copy. Which of the following best describes the reason for the conflicting investigative findings?

Options:

A.

Chain of custody was not maintained for the evidence drive.

B.

Legal authorization was not obtained prior to seizing the evidence drive.

C.

Data integrity of the imaged drive could not be verified.

D.

Evidence drive imaging was performed without a write blocker.

Question 117

Which of the following does "federation" most likely refer to within the context of identity and access management?

Options:

A.

Facilitating groups of users in a similar function or profile to system access that requires elevated or conditional access

B.

An authentication mechanism that allows a user to utilize one set of credentials to access multiple domains

C.

Utilizing a combination of what you know, who you are, and what you have to grant authentication to a user

D.

Correlating one's identity with the attributes and associated applications the user has access to

Question 118

Which of the following best explains the importance of utilizing an incident response playbook?

Options:

A.

It prioritizes the business-critical assets for data recovery.

B.

It establishes actions to execute when inputs trigger an event.

C.

It documents the organization asset management and configuration.

D.

It defines how many disaster recovery sites should be staged.

Question 119

A security analyst is performing vulnerability scans on the network. The analyst installs a scanner appliance, configures the subnets to scan, and begins the scan of the network. Which of the following

would be missing from a scan performed with this configuration?

Options:

A.

Operating system version

B.

Registry key values

C.

Open ports

D.

IP address

Question 120

The security operations team is required to consolidate several threat intelligence feeds due to redundant tools and portals. Which of the following will best achieve the goal and maximize results?

Options:

A.

Single pane of glass

B.

Single sign-on

C.

Data enrichment

D.

Deduplication

Question 121

A penetration tester submitted data to a form in a web application, which enabled the penetration tester to retrieve user credentials. Which of the following should be recommended for remediation of this application vulnerability?

Options:

A.

Implementing multifactor authentication on the server OS

B.

Hashing user passwords on the web application

C.

Performing input validation before allowing submission

D.

Segmenting the network between the users and the web server

Question 122

A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being

used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?

Options:

A.

Leave the proxy as is.

B.

Decomission the proxy.

C.

Migrate the proxy to the cloud.

D.

Patch the proxy

Question 123

After reviewing the final report for a penetration test, a cybersecurity analyst prioritizes the remediation for input validation vulnerabilities. Which of the following attacks is the analyst seeking to prevent?

Options:

A.

DNS poisoning

B.

Pharming

C.

Phishing

D.

Cross-site scripting

Question 124

A Chief Information Security Officer wants to lock down the users' ability to change applications that are installed on their Windows systems. Which of the following is the best enterprise-level solution?

Options:

A.

HIPS

B.

GPO

C.

Registry

D.

DLP

Question 125

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

Which of the following tuning recommendations should the security analyst share?

Options:

A.

Set an Http Only flag to force communication by HTTPS.

B.

Block requests without an X-Frame-Options header.

C.

Configure an Access-Control-Allow-Origin header to authorized domains.

D.

Disable the cross-origin resource sharing header.

Question 126

A company patches its servers using automation software. Remote SSH or RDP connections are allowed to the servers only from the service account used by the automation software. All servers are in an internal subnet without direct access to or from the internet. An analyst reviews the following vulnerability summary:

Which of the following vulnerability IDs should the analyst address first?

Options:

A.

1

B.

2

C.

3

D.

4

Question 127

A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers. Which of the following actions would allow the analyst to achieve the objective?

Options:

A.

Upload the binary to an air gapped sandbox for analysis

B.

Send the binaries to the antivirus vendor

C.

Execute the binaries on an environment with internet connectivity

D.

Query the file hashes using VirusTotal

Page: 1 / 42
Total 424 questions