CS0-002 Topic 2
Q101.A security analyst is attempting to resolve an incident in which highly confidential company pricing information was sent to clients. It appears this information was unintentionally sent by an employee who attached it to public marketing material. Which of the following configuration changes would work BEST to limit the risk of this incident being repeated?
A. Add client addresses to the blocklist
B. Update the DLP rules and metadata
C. Sanitize the marketing material
D. Update the insider threat procedures
Hint answer: B
Q102.A cybersecurity analyst is working with a SIEM tool and reviewing the following table:
When creating a rule in the company’s SIEM, which of the following would be the BEST approach for the analyst to use to assess the risk level of each vulnerability that is discovered by the vulnerability assessment tool?
A. Create a trend with the table and join the trend with the desired rule to be able to extract the risk level of each vulnerability
B. Use Boolean filters in the SIEM rule to take advantage of real-time processing and RAM to store the table dynamically, generate the results faster, and be able to display the table in a dashboard or export it as a report
C. Use a static table stored on the disk of the SIEM system to correlate its data with the data ingested by the vulnerability scanner data collector
D. Use the table as a new index or database for the SIEM to be able to use multisearch and then summarize the results as output
Hint answer: B
Q103.The inability to do remote updates of certificates, keys, software, and firmware is a security issue commonly associated with:
A. web servers on private networks.
B. HVAC control systems.
C. smartphones.
D. firewalls and UTM devices.
Hint answer: B
Q104.A company that uses email for all internal and external communications received a legal notice from a vendor that was disputing a contract award.
The company needs to implement a legal hold on the email of users who were involved in the vendor selection process and the awarding of the contract. Which of the following describes the appropriate steps that should be taken to comply with the legal notice?
A. Notify the security team of the legal hold and remove user access to the email accounts.
B. Coordinate with legal counsel and then notify the security team to ensure the appropriate email accounts are frozen.
C. Disable the user accounts that are associated with the legal hold and create new user accounts so they can continue doing business.
D. Encrypt messages that are associated with the legal hold and initiate a chain of custody to ensure admissibility in future legal proceedings.
Hint answer: B
Q105.Which of the following roles is ultimately responsible for determining the classification levels assigned to specific data sets?
A. Data custodian
B. Data owner
C. Data processor
D. Senior management
Hint answer: B
Q106.An analyst is investigating an anomalous event reported by the SOC. After reviewing the system logs, the analyst identifies an unexpected addition of a user with root-level privileges on the endpoint. Which of the following data sources will BEST help the analyst to determine whether this event constitutes an incident?
A. Patching logs
B. Threat feed
C. Backup logs
D. Change requests
E. Data classification matrix
Hint answer: D
Q107.An analyst is participating in the solution analysis process for a cloud-hosted SIEM platform to centralize log monitoring and alerting capabilities in the SOC. Which of the following is the BEST approach for supply chain assessment when selecting a vendor?
A. Gather information from providers, including data center specifications and copies of audit reports
B. Identify SLA requirements for monitoring and logging
C. Consult with the senior management team for recommendations
D. Perform a proof of concept to identify possible solutions
Hint answer: A
Q108.Which of the following is a reason to use a risk-based cybersecurity framework?
A. A risk-based approach always requires quantifying each cyber risk faced by an organization.
B. A risk-based approach better allocates an organization’s resources against cyberthreats and vulnerabilities.
C. A risk-based approach is driven by regulatory compliance and is required for most organizations.
D. A risk-based approach prioritizes vulnerability remediation by threat hunting and other qualitative-based processes.
Hint answer: B
Q109.An organization is adopting IoT devices at an increasing rate and will need to account for firmware updates in its vulnerability management programs. Despite the number of devices being deployed, the organization has only focused on software patches so far, leaving hardware-related weaknesses open to compromise. Which of the following best practices will help the organization to track and deploy trusted firmware updates as part of its vulnerability management programs?
A. Utilize threat intelligence to guide risk evaluation activities and implement critical updates after proper testing.
B. Apply all firmware updates as soon as they are released to mitigate the risk of compromise.
C. Determine an annual patch cadence to ensure all patching occurs at the same time.
D. Implement an automated solution that detects when vendors release firmware updates and immediately deploy updates to production.
Hint answer: A
Q110.An incident response team is responding to a breach of multiple systems that contain PII and PHI. Disclosure of the incident to external entities should be based on:
A. the responder’s discretion.
B. the public relations policy.
C. the communication plan.
D. the senior management team’s guidance.
Hint answer: C
Q111.The help desk provided a security analyst with a screenshot of a user’s desktop:
For which of the following is aircrack-ng being used?
A. Wireless access point discovery
B. Rainbow attack
C. Brute-force attack
D. PCAP data collection
Hint answer: C
Q112.An online gaming company was impacted by a ransomware attack. An employee opened an attachment that was received via an SMS attack on a company-issued mobile device while connected to the network. Which of the following actions would help during the forensic analysis of the mobile device? (Choose two.)
A. Resetting the phone to factory settings
B. Rebooting the phone and installing the latest security updates
C. Documenting the respective chain of custody
D. Uninstalling any potentially unwanted programs
E. Performing a memory dump of the mobile device for analysis
F. Unlocking the device by blowing the eFuse
Hint answer: C, E
Q113.An organization recently discovered some inconsistencies in the motherboards it received from a vendor. The organization’s security team then provided guidance on how to ensure the authenticity of the motherboards it received from vendors. Which of the following would be the BEST recommendation for the security analyst to provide?
A. The organization should use a certified, trusted vendor as part of the supply chain.
B. The organization should evaluate current NDAs to ensure enforceability of legal actions.
C. The organization should maintain the relationship with the vendor and enforce vulnerability scans.
D. The organization should ensure all motherboards are equipped with a TPM.
Hint answer: A
Q114.An analyst is reviewing the following output:
Vulnerability found: Improper neutralization of script-related HTML tag.
Which of the following was MOST likely used to discover this?
A. Reverse engineering using a debugger
B. A static analysis vulnerability scan
C. A passive vulnerability scan
D. A web application vulnerability scan
Hint answer: D
Q115.A security analyst is reviewing the network security monitoring logs listed below:
A. 10.1.1.128 sent potential malicious traffic to the web server
B. 10.1.1.128 sent malicious requests, and the alert is a false positive
C. 10.1.1.129 successfully exploited a vulnerability on the web server
D. 10.1.1.129 sent potential malicious requests to the web server
E. 10.1.1.129 sent non-malicious requests, and the alert is a false positive
F. 10.1.1.130 can potentially obtain information about the PHP version
Hint answer: D, F
Q116.A developer is working on a program to convert user-generated input in a web form before it is displayed by the browser. The technique is referred to as:
A. Output encoding.
B. Data protection.
C. Query parameterization.
D. Input validation.
Hint answer: A
Q117.Which of the following should a database administrator implement to BEST protect data from an untrusted server administrator?
A. Data deidentification
B. Data encryption
C. Data masking
D. Data minimization
Hint answer: B
Q118.During a routine review of service restarts, a security analyst observes the following in a server log:
Which of the following is the GREATEST security concern?
A. The daemon’s binary was changed.
B. Four consecutive days of monitoring are skipped in the log.
C. The process identifiers for the running service change.
D. The PIDs are continuously changing.
Hint answer: A
Q119.During a company’s most recent incident, a vulnerability in custom software was exploited on an externally facing server by an APT. The lessons-learned report noted the following:
• The development team used a new software language that was not supported by the security team’s automated assessment tools.
• During the deployment, the security assessment team was unfamiliar with the new language and struggled to evaluate the software during advanced testing. Therefore, the vulnerability was not detected.
• The current IPS did not have effective signatures and policies in place to detect and prevent runtime attacks on the new application.
To allow this new technology to be deployed securely going forward, which of the following will BEST address these findings? (Choose two.)
A. Train the security assessment team to evaluate the new language and verify that best practices for secure coding have been followed
B. Work with the automated assessment-tool vendor to add support for the new language so these vulnerabilities are discovered automatically
C. Contact the human resources department to hire new security team members who are already familiar with the new language
D. Run the software on isolated systems so when they are compromised, the attacker cannot pivot to adjacent systems
E. Instruct only the development team to document the remediation steps for this vulnerability
F. Outsource development and hosting of the applications in the new language to a third-party vendor so the risk is transferred to that provider
Hint answer: A, B
Q120.During an audit, several customer order forms were found to contain inconsistencies between the actual price of an item and the amount charged to the customer. Further investigation narrowed the cause of the issue to manipulation of the public-facing web form used by customers to order products. Which of the following would be the BEST way to locate this issue?
A. Reduce the session timeout threshold.
B. Deploy MFA for access to the web server.
C. Implement input validation.
D. Run a static code scan.
Hint answer: D
Q121.After a breach involving the exfiltration of a large amount of sensitive data, a security analyst is reviewing the following firewall logs to determine how the breach occurred.
Which of the following IP addresses does the analyst need to investigate further?
A. 192.168.1.1
B. 192.168.1.10
C. 192.168.1.12
D. 192.168.1.193
Hint answer: C
Q122.A development team signed a contract that requires access to an on-premises physical server. Access must be restricted to authorized users only, and the server cannot be connected to the internet. Which of the following solutions would meet this requirement?
A. Establish a hosted SSO
B. Implement a CASB
C. Virtualize the server
D. Air gap the server
Hint answer: D
Q123.Which of the following provides an automated approach to checking a system configuration?
A. SCAP
B. CI/CD
C. OVAL
D. Scripting
E. SOAR
Hint answer: A
Q124.Legacy medical equipment, which contains sensitive data, cannot be patched. Which of the following is the BEST solution to improve the equipment’s security posture?
A. Move the legacy systems behind a WAF
B. Implement an air gap for the legacy systems
C. Place the legacy systems in the perimeter network
D. Implement a VPN between the legacy systems and the local network
Hint answer: B
Q125.An information security analyst observes anomalous behavior on the SCADA devices in a power plant. This behavior results in the industrial generators overheating and destabilizing the power supply. Which of the following would BEST identify potential indicators of compromise?
A. Use Burp Suite to capture packets to the SCADA device’s IP.
B. Use tcpdump to capture packets from the SCADA device IP.
C. Use Wireshark to capture packets between SCADA devices and the management system.
D. Use Nmap to capture packets from the management system to the SCADA devices.
Hint answer: C
Q126.A remote code execution vulnerability was discovered in the RDP. An organization currently uses RDP for remote access to a portion of its VDI environment. The analyst verified network-level authentication is enabled. Which of the following is the BEST remediation for this vulnerability?
A. Verify the threat intelligence feed is updated with the latest solutions.
B. Verify the system logs do not contain indicators of compromise.
C. Verify the latest endpoint-protection signature is in place.
D. Verify the corresponding patch for the vulnerability is installed.
Hint answer: D
Q127.An organization’s Chief Information Security Officer is creating a position that will be responsible for implementing technical controls to protect data, including ensuring backups are properly maintained. Which of the following roles would MOST likely include these responsibilities?
A. Data protection officer
B. Data owner
C. Backup administrator
D. Data custodian
E. Internal auditor
Hint answer: D
Q128.Forming a hypothesis, looking for indicators of compromise, and using the findings to proactively improve detection capabilities are examples of the value of:
A. vulnerability scanning.
B. threat hunting.
C. red teaming.
D. penetration testing.
Hint answer: B
Q129.A security analyst needs to determine the best method for securing access to a top-secret datacenter. Along with an access card and PIN code, which of the following additional authentication methods would be BEST to enhance the datacenter’s security?
A. Physical key
B. Retinal scan
C. Passphrase
D. Fingerprint
Hint answer: B
Q130.Clients are unable to access a company’s API to obtain pricing data. An analyst discovers sources other than clients are scraping the API for data, which is causing the servers to exceed available resources. Which of the following would be BEST to protect the availability of the APIs?
A. IP whitelisting
B. Certificate-based authentication
C. Virtual private network
D. Web application firewall
Hint answer: D
Q131.A company’s change management team has asked a security analyst to review a potential change to the email server before it is released into production. The analyst reviews the following change request:
Change request date: 2020-01-30
Change requester: Cindy Richardson
Change asset: WIN2K-EMAILOOI
Change requested: Modify the following SPF record to change +all to -all
Which of the following is the MOST likely reason for the change?
A. To reject email from servers that are not listed in the SPF record
B. To reject email from email addresses that are not digitally signed
C. To accept email to the company’s domain
D. To reject email from users who are not authenticated to the network
Hint answer: A
Q132.A security analyst is reviewing the output of tcpdump to analyze the type of activity on a packet capture:
Which of the following generated the above output?
A. A port scan
B. A TLS connection
C. A vulnerability scan
D. A ping sweep
Hint answer: A
Q133.A company creates digitally signed packages for its devices. Which of the following BEST describes the method by which the security packages are delivered to the company’s customers?
A. Anti-tamper mechanism
B. SELinux
C. Trusted firmware updates
D. eFuse
Hint answer: C
Q134.A security analyst needs to assess the web-server versions on a list of hosts to determine which are running a vulnerable version of the software and then output that list into an XML file named webserverlist.xml. The host list is provided in a file named webserverlist.txt. Which of the following Nmap commands would BEST accomplish this goal?
A. nmap -iL webserverlist.txt -sC -p 443 -oX webserverlist.xml
B. nmap -iL webserverlist.txt -sV -p 443 -oX webserverlist.xml
C. nmap -iL webserverlist.txt -F -p 443 -oX weberserverlist.xml
D. nmap -takefile webserverlist.txt -outputfileasXML webserverlist.xml -scanports 443
Hint answer: B
Q135.A security analyst wants to capture large amounts of network data that will be analyzed at a later time. The packet capture does not need to be in a format that is readable by humans, since it will be put into a binary file called “packetCapture”. The capture must be as efficient as possible, and the analyst wants to minimize the likelihood that packets will be missed. Which of the following commands will BEST accomplish the analyst’s objectives?
A. tcpdump -w packetCapture
B. tcpdump -a packetCapture
C. tcpdump -n packetCapture
D. nmap -v > packetCapture
E. nmap -oA > packetCapture
Hint answer: A
Q136.The threat intelligence department recently learned of an advanced persistent threat that is leveraging a new strain of malware, exploiting a system router. The company currently uses the same device mentioned in the threat report. Which of the following configuration changes would BEST improve the organization’s security posture?
A. Implement an IPS rule that contains content for the malware variant and patch the routers to protect against the vulnerability.
B. Implement an IDS rule that contains the IP addresses from the advanced persistent threat and patch the routers to protect against the vulnerability.
C. Implement an IPS rule that contains the IP addresses from the advanced persistent threat and patch the routers to protect against the vulnerability.
D. Implement an IDS rule that contains content for the malware variant and patch the routers to protect against the vulnerability
Hint answer: A
Q137.An organization is experiencing issues with emails that are being sent to external recipients. Incoming emails to the organization are working fine. A security analyst receives the following screenshot of an email error from the help desk:
The analyst then checks the email server and sees many of the following messages in the logs:
Which of the following is MOST likely the issue?
A. SPF is failing.
B. The DMARC queue is full.
C. The DKIM private key has expired.
D. Port 25 is not open.
Hint answer: A
Q138.A security engineer must deploy X.509 certificates to two web servers behind a load balancer. Each web server is configured identically. Which of the following should be done to ensure certificate name mismatch errors do not occur?
A. Create two certificates, each with the same fully qualified domain name, and associate each with the web servers’ real IP addresses on the load balancer.
B. Create one certificate on the load balancer and associate the site with the web servers’ real IP addresses.
C. Create two certificates, each with the same fully qualified domain name, and associate each with a corresponding web server behind the load balancer.
D. Create one certificate and export it to each web server behind the load balancer.
Hint answer: C
Q139.A company’s legal department is concerned that its incident response plan does not cover the countless ways security incidents can occur. They have asked a security analyst to help tailor the response plan to provide broad coverage for many situations. Which of the following is the BEST way to achieve this goal?
A. Focus on incidents that have a high chance of reputation harm.
B. Focus on common attack vectors first.
C. Focus on incidents that affect critical systems.
D. Focus on incidents that may require law enforcement support.
Hint answer: B
Q140.A code review reveals a web application is using time-based cookies for session management. This is a security concern because time-based cookies are easy to:
A. parameterize
B. decode
C. guess
D. decrypt
Hint answer: C
Q141.Which of the following BEST explains hardware root of trust?
A. It uses the processor security extensions to protect the OS from malicious software installation.
B. It prevents side-channel attacks that can take advantage of speculative execution vulnerabilities.
C. It ensures the authenticity of firmware and software during the boot process until the OS is loaded.
D. It has been implemented as a mitigation to the Spectre and Meltdown hardware vulnerabilities.
Hint answer: C
Q142.A penetration tester physically enters a datacenter and attaches a small device to a switch. As part of the tester’s effort to evaluate which nodes are present on the network, the tester places the network adapter in promiscuous mode and logs traffic for later analysis. Which of the following is the tester performing?
A. Credential scanning
B. Passive scanning
C. Protocol analysis
D. SCAP scanning
E. Network segmentation
Hint answer: B
Q143.A security analyst discovers the accounting department is hosting an accounts receivable form on a public document service. Anyone with the link can access it. Which of the following threats applies to this situation?
A. Potential data loss to external users
B. Loss of public/private key management
C. Cloud-based authentication attack
D. Insufficient access logging
Hint answer: A
Q144.A user reports a malware alert to the help desk. A technician verifies the alert, determines the workstation is classified as a low-severity device, and uses network controls to block access. The technician then assigns the ticket to a security analyst who will complete the eradication and recovery processes. Which of the following should the security analyst do NEXT?
A. Document the procedures and walkthrough the incident training guide
B. Reverse engineer the malware to determine its purpose and risk to the organization
C. Sanitize the workstation and verify countermeasures are restored
D. Isolate the workstation and issue a new computer to the user
Hint answer: C
Q145.A security analyst is reviewing the following requirements for new time clocks that will be installed in a shipping warehouse:
• The clocks must be configured so they do not respond to ARP broadcasts.
• The server must be configured with static ARP entries for each clock.
Which of the following types of attacks will this configuration mitigate?
A. Spoofing
B. Overflows
C. Rootkits
D. Sniffing
Hint answer: A
Q146.A security team identified some specific known tactics and techniques to help mitigate repeated credential access threats, such as account manipulation and brute forcing. Which of the following frameworks or models did the security team MOST likely use to identify the tactics and techniques?
A. MITRE ATT&CK
B. ITIL
C. Kill chain
D. Diamond Model of Intrusion Analysis
Hint answer: A
Q147.A security analyst received a series of antivirus alerts from a workstation segment, and users reported ransomware messages. During lessons-learned activities, the analyst determines the antivirus was able to alert to abnormal behavior but did not stop this newest variant of ransomware. Which of the following actions should be taken to BEST mitigate the effects of this type of threat in the future?
A. Enabling sandboxing technology
B. Purchasing cyber insurance
C. Enabling application blacklisting
D. Installing a firewall between the workstations and internet
Hint answer: A
Q148.Portions of a legacy application are being refactored to discontinue the use of dynamic SQL. Which of the following would be BEST to implement in the legacy application?
A. Input validation
B. SQL injection
C. Parameterized queries
D. Web-application firewall
E. Multifactor authentication
Hint answer: C
Q149.An organization wants to move non-essential services into a cloud computing environment. Management has a cost focus and would like to achieve a recovery time objective of 12 hours. Which of the following cloud recovery strategies would work BEST to attain the desired outcome?
A. Duplicate all services in another instance and load balance between the instances.
B. Establish a hot site with active replication to another region within the same cloud provider.
C. Set up a warm disaster recovery site with the same cloud provider in a different region.
D. Configure the systems with a cold site at another cloud provider that can be used for failover.
Hint answer: C
Q150.A security analyst receives a CVE bulletin, which lists several products that are used in the enterprise. The analyst immediately deploys a critical security patch. Which of the following BEST describes the reason for the analyst’s immediate action?
A. Nation-state hackers are targeting the region.
B. A new vulnerability was discovered by a vendor.
C. A known exploit was discovered.
D. A new zero-day threat needs to be addressed.
E. There is an insider threat.
Hint answer: C
Q151.A company recently experienced similar network attacks. To determine whether the attacks were identical, the company should gather a list of IPs, domains, and files and use:
A. behavior data.
B. the Diamond Model of Intrusion Analysis.
C. the attack kill chain.
D. the reputational data.
Hint answer: B
Q152.A company’s security administrator needs to automate several security processes related to testing for the existence of changes within the environment. Conditionally, other processes will need to be created based on input from prior processes. Which of the following is the BEST method for accomplishing this task?
A. Machine learning and process monitoring
B. Continuous integration and configuration management
C. API integration and data enrichment
D. Workflow orchestration and scripting
Hint answer: D
Q153.A company uses self-signed certificates when sending emails to recipients within the company. Users are calling the help desk because they are getting warnings when attempting to open emails sent by internal users. A security analyst checks the certificates and sees the following:
Which of the following should the security analyst conclude?
A. user@company.com is a malicious insider.
B. The valid dates are too far apart and are generating the alerts.
C. certServer has been compromised.
D. The root certificate was not installed in the trusted store.
Hint answer: D
Q154.An organization supports a large number of remote users. Which of the following is the BEST option to protect the data on the remote users’ laptops?
A. Require the use of VPNs.
B. Require employees to sign an NDA
C. Implement a DLP solution.
D. Use whole disk encryption.
Hint answer: D
Q155.Which of the following sources would a security analyst rely on to provide relevant and timely threat information concerning the financial services industry?
A. Real-time and automated firewall rules subscriptions
B. Open-source intelligence, such as social media and blogs
C. Information sharing and analysis membership
D. Common vulnerability and exposure bulletins
Hint answer: C
Q156.An organization that uses SPF has been notified emails sent via its authorized third-party partner are getting rejected. A security analyst reviews the DNS entry and sees the following:
The organization’s primary mail server IP is 180.10.6.6 and the secondary mail server IP is 180.10.6.5. The organization’s third-party mail provider is “Robust Mail” with the domain name robustmail.com. Which of the following is the MOST likely reason for the rejected emails?
A. SPF version 1 does not support third-party providers.
B. The primary and secondary email server IP addresses are out of sequence.
C. An incorrect IP version is being used.
D. The wrong domain name is in the SPF record.
Hint answer: D
Q157.To validate local system-hardening requirements, which of the following types of vulnerability scans would work BEST to verify the scanned device meets security policies?
A. SCAP
B. SAST
C. DAST
D. DACS
Hint answer: A
Q158.An organization has the following risk mitigation policy:
• Risks with a probability of 95% or greater will be addressed before all others regardless of the impact.
• All other prioritization will be based on risk value.
The organization has identified the following risks:
Which of the following is the order of priority for risk mitigation from highest to lowest?
A. A, B, D, C
B. A, B, C, D
C. D, A, B, C
D. D, A, C, B
Hint answer: B
Q159.A security analyst has discovered that developers have installed browsers on all development servers in the company’s cloud infrastructure and are using them to browse the Internet. Which of the following changes should the security analyst make to BEST protect the environment?
A. Create a security rule that blocks Internet access in the development VPC
B. Place a jumpbox in between the developers’ workstations and the development VPC
C. Remove the administrator’s profile from the developer user group in identity and access management
D. Create an alert that is triggered when a developer installs an application on a server
Hint answer: B
Q160.When attempting to do a stealth scan against a system that does not respond to ping, which of the following Nmap commands BEST accomplishes that goal?
A. nmap -sA -O -noping
B. nmap -sT -O -Pn
C. nmap -sS -O -Pn
D. nmap -sQ -O -Pn
Hint answer: C
Q161.A security analyst receives an alert to expect increased and highly advanced cyberattacks originating from a foreign country that recently had sanctions implemented. Which of the following describes the type of threat actors that should concern the security analyst?
A. Insider threat
B. Nation-threat
C. Hacktivist
D. Organized crime
Hint answer: B
Q162.A security team wants to make SaaS solutions accessible from only the corporate campus. Which of the following would BEST accomplish this goal?
A. Geotagging
B. IP restrictions
C. Reverse proxy
D. Single sign-on
Hint answer: A
Q163.Which of the following are considered PII by themselves? (Choose two.)
A. Government ID
B. Job title
C. Employment start date
D. Birth certificate
E. Employer address
F. Mother’s maiden name
Hint answer: A, D
Q164.A security analyst notices the following entry while reviewing the server logs:
OR 1=1' ADD USER attacker' PW 1337password' --
Which of the following events occurred?
A. CSRF
B. XSS
C. SQLi
D. RCE
Hint answer: C
Q165.Which of the following will allow different cloud instances to share various types of data with a minimal amount of complexity?
A. Reverse engineering
B. Application log collectors
C. Workflow orchestration
D. API integration
E. Scripting
Hint answer: D
Q166.An analyst performs a routine scan of a host using Nmap and receives the following output:
Which of the following should the analyst investigate FIRST?
A. Port 21
B. Port 22
C. Port 23
D. Port 80
Hint answer: C
Q167.A security analyst has received a report that servers are no longer able to connect to the network. After many hours of troubleshooting, the analyst determines a Group Policy Object is responsible for the network connectivity issues. Which of the following solutions should the security analyst recommend to prevent an interruption of service in the future?
A. CI/CD pipeline
B. Impact analysis and reporting
C. Appropriate network segmentation
D. Change management process
Hint answer: D
Q168.A security analyst observes a large amount of scanning activity coming from an IP address outside the organization’s environment. Which of the following should the analyst do to block this activity?
A. Create an IPS rule to block the subnet.
B. Sinkhole the IP address.
C. Create a firewall rule to block the IP address.
D. Close all unnecessary open ports.
Hint answer: C
Q169.A company uses an FTP server to support its critical business functions. The FTP server is configured as follows:
✑ The FTP service is running with the data directory configured in /opt/ftp/data.
✑ The FTP server hosts employees’ home directories in /home.
✑ Employees may store sensitive information in their home directories.
An IoC revealed that an FTP directory traversal attack resulted in sensitive data loss. Which of the following should a server administrator implement to reduce the risk of current and future directory traversal attacks targeted at the FTP server?
A. Implement file-level encryption of sensitive files.
B. Reconfigure the FTP server to support FTPS.
C. Run the FTP server in a chroot environment.
D. Upgrade the FTP server to the latest version.
Hint answer: C
Q170.Which of the following is an advantage of SOAR over SIEM?
A. SOAR is much less expensive.
B. SOAR reduces the amount of human intervention required.
C. SOAR can aggregate data from many sources.
D. SOAR uses more robust encryption protocols.
Hint answer: C
Q171.A financial organization has offices located globally. Per the organization’s policies and procedures, all executives who conduct business overseas must have their mobile devices checked for malicious software or evidence of tampering upon their return. The information security department oversees this process, and no executive has had a device compromised. The Chief Information Security Officer wants to implement an additional safeguard to protect the organization’s data.
Which of the following controls would work BEST to protect the privacy of the data if a device is stolen?
A. Implement a mobile device wiping solution for use once the device returns home.
B. Install a DLP solution to track data flow.
C. Install an encryption solution on all mobile devices.
D. Train employees to report a lost or stolen laptop to the security department immediately.
Hint answer: C
Q172.At which of the following phases of the SDLC should security FIRST be involved?
A. Design
B. Maintenance
C. Implementation
D. Analysis
E. Planning
F. Testing
Hint answer: E
Q173.A company’s security team recently discovered a number of workstations that are at the end of life. The workstation vendor informs the team that the product is no longer supported, and patches are no longer available. The company is not prepared to cease its use of these workstations. Which of the following would be the BEST method to protect these workstations from threats?
A. Deploy whitelisting to the identified workstations to limit the attack surface.
B. Determine the system process criticality and document it.
C. Isolate the workstations and air gap them when it is feasible.
D. Increase security monitoring on the workstations.
Hint answer: C
Q174.A security analyst needs to reduce the overall attack surface. Which of the following infrastructure changes should the analyst recommend?
A. Implement a honeypot.
B. Air gap sensitive systems.
C. Increase the network segmentation.
D. Implement a cloud-based architecture.
Hint answer: C
Q175.A security analyst is conducting a post-incident log analysis to determine which indicators can be used to detect further occurrences of a data exfiltration incident.
The analyst determines backups were not performed during this time and reviews the following:
Which of the following should the analyst review to find out how the data was exfiltrated?
A. Monday’s logs
B. Tuesday’s logs
C. Wednesday’s logs
D. Thursday’s logs
Hint answer: D
Q176.A small electronics company decides to use a contractor to assist with the development of a new FPGA-based device. Several of the development phases will occur off-site at the contractor’s labs. Which of the following is the main concern a security analyst should have with this arrangement?
A. Making multiple trips between development sites increases the chance of physical damage to the FPGAs.
B. Moving the FPGAs between development sites will lessen the time that is available for security testing.
C. Development phases occurring at multiple sites may produce change management issues.
D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft.
Hint answer: D
Q177.A Chief Information Security Officer (CISO) is concerned developers have too much visibility into customer data. Which of the following controls should be implemented to BEST address these concerns?
A. Data masking
B. Data loss prevention
C. Data minimization
D. Data sovereignty
Hint answer: A
Q178.During a review of the vulnerability scan results on a server, an information security analyst notices the following:
The MOST appropriate action for the analyst to recommend to developers is to change the web server so:
A. it only accepts TLSv1.2.
B. it only accepts cipher suites using AES and SHA.
C. it no longer accepts the vulnerable cipher suites.
D. SSL/TLS is offloaded to a WAF and load balancer.
Hint answer: B
Q179.A company experienced a security compromise due to the inappropriate disposal of one of its hardware appliances. Sensitive information stored on the hardware appliance was not removed prior to disposal. Which of the following is the BEST manner in which to dispose of the hardware appliance?
A. Ensure the hardware appliance has the ability to encrypt the data before disposing of it.
B. Dispose of all hardware appliances securely, thoroughly, and in compliance with company policies.
C. Return the hardware appliance to the vendor, as the vendor is responsible for disposal.
D. Establish guidelines for the handling of sensitive information.
Hint answer: B
Q180.A security analyst at example.com receives a SIEM alert for an IDS signature and reviews the associated packet capture and TCP stream:
Packet capture:
TCP stream:
Which of the following actions should the security analyst take NEXT?
A. Review the known Apache vulnerabilities to determine if a compromise actually occurred.
B. Contact the application owner for connect.example.local for additional information.
C. Mark the alert as a false positive scan coming from an approved source.
D. Raise a request to the firewall team to block 203.0.113.15.
Hint answer: B
Q181.An analyst is responding to an incident involving an attack on a company-owned mobile device that was being used by an employee to collect data from clients in the field. Malware was loaded on the device via the installation of a third-party software package. The analyst has baselined the device. Which of the following should the analyst do to BEST mitigate future attacks?
A. Implement MDM.
B. Update the malware catalog.
C. Patch the mobile device’s OS.
D. Block third-party applications.
Hint answer: A
Q182.Which of the following types of controls defines placing an ACL on a file folder?
A. Technical control
B. Confidentiality control
C. Managerial control
D. Operational control
Hint answer: A
Q183.A Chief Information Security Officer has asked for a list of hosts that have critical and high-severity findings as referenced in the CVE database. Which of the following tools would produce the assessment output needed to satisfy this request?
A. Nessus
B. Nikto
C. Fuzzer
D. Wireshark
E. Prowler
Hint answer: A
Q184.Which of the following attack techniques has the GREATEST likelihood of quick success against Modbus assets?
A. Remote code execution
B. Buffer overflow
C. Unauthenticated commands
D. Certificate spoofing
Hint answer: C
Q185.While planning segmentation for an ICS environment, a security engineer determines IT resources will need access to devices within the ICS environment without compromising security. To provide the MOST secure access model in this scenario, the jumpbox should be __________.
A. placed in an isolated network segment, authenticated on the IT side, and forwarded into the ICS network.
B. placed on the ICS network with a static firewall rule that allows IT network resources to authenticate.
C. bridged between the IT and operational technology networks to allow authenticated access.
D. placed on the IT side of the network, authenticated, and tunneled into the ICS environment.
Hint answer: A
Q186.A security analyst is reviewing the following server statistics:
Which of the following is MOST likely occurring?
A. Race condition
B. Privilege escalation
C. Resource exhaustion
D. VM escape
Hint answer: C
Q187.When investigating a report of a system compromise, a security analyst views the following /var/log/secure log file:
Which of the following can the analyst conclude from viewing the log file?
A. The comptia user knows the sudo password.
B. The comptia user executed the sudo su command.
C. The comptia user knows the root password.
D. The comptia user added himself or herself to the /etc/sudoers file.
Hint answer: C
Q188.An incident response team detected malicious software that could have gained access to credit card data. The incident response team was able to mitigate significant damage and implement corrective actions. By having incident response mechanisms in place, which of the following should be notified for lessons learned?
A. The human resources department
B. Customers
C. Company leadership
D. The legal team
Hint answer: C
Q189.After examining a header and footer file, a security analyst begins reconstructing files by scanning the raw data bytes of a hard disk and rebuilding them. Which of the following techniques is the analyst using?
A. Header analysis
B. File carving
C. Metadata analysis
D. Data recovery
Hint answer: B
Q190.Which of the following BEST describes what an organization’s incident response plan should cover regarding how the organization handles public or private disclosures of an incident?
A. The disclosure section should focus on how to reduce the likelihood customers will leave due to the incident.
B. The disclosure section should contain the organization’s legal and regulatory requirements regarding disclosures.
C. The disclosure section should include the names and contact information of key employees who are needed for incident resolution.
D. The disclosure section should contain language explaining how the organization will reduce the likelihood of the incident from happening in the future.
Hint answer: B
Q191.A security analyst is investigating an incident related to an alert from the threat detection platform on a host (10.0.1.25) in a staging environment that could be running a crypto mining tool because it is sending traffic to an IP address that is related to Bitcoin. The network rules for the instance are the following:
Which of the following is the BEST way to isolate and triage the host?
A. Remove rules 1, 2, and 3.
B. Remove rules 1, 2, 4, and 5.
C. Remove rules 1, 2, 3, 4, and 5.
D. Remove rules 1, 2, and 5.
E. Remove rules 1, 4, and 5.
F. Remove rules 4 and 5.
Hint answer: D
Q192.Which of the following BEST explains the function of TPM?
A. To provide hardware-based security features using unique keys
B. To ensure platform confidentiality by storing security measurements
C. To improve management of the OS installations
D. To implement encryption algorithms for hard drives
Hint answer: A
Q193.An executive assistant wants to onboard a new cloud-based product to help with business analytics and dashboarding. Which of the following would be the BEST integration option for this service?
A. Manually log in to the service and upload data files on a regular basis.
B. Have the internal development team script connectivity and file transfers to the new service.
C. Create a dedicated SFTP site and schedule transfers to ensure file transport security.
D. Utilize the cloud product’s API for supported and ongoing integrations.
Hint answer: D
Q194.A security analyst reviews a recent network capture and notices encrypted inbound traffic on TCP port 465 was coming into the company’s network from a database server. Which of the following will the security analyst MOST likely identify as the reason for the traffic on this port?
A. The server is configured to communicate on the secure database standard listener port.
B. Someone has configured an unauthorized SMTP application over SSL.
C. A connection from the database to the web front end is communicating on the port.
D. The server is receiving a secure connection using the new TLS 1.3 standard.
Hint answer: B
Q195.An organization has not had an incident for several months. The Chief Information Security Officer wants to move to a more proactive stance for security investigations. Which of the following would BEST meet that goal?
A. Root-cause analysis
B. Active response
C. Advanced antivirus
D. Information-sharing community
E. Threat hunting
Hint answer: E
Q196.A security analyst on the threat-hunting team has developed a list of unneeded, benign services that are currently running as part of the standard OS deployment for workstations. The analyst will provide this list to the operations team to create a policy that will automatically disable the services for all workstations in the organization. Which of the following BEST describes the security analyst’s goal?
A. To create a system baseline
B. To reduce the attack surface
C. To optimize system performance
D. To improve malware detection
Hint answer: B
Q197.Which of the following BEST identifies the appropriate use of threat intelligence as a function of detection and response?
A. To identify weaknesses in an organization’s security posture
B. To identify likely attack scenarios within an organization
C. To build a business continuity plan for an organization
D. To build a network segmentation strategy
Hint answer: B
Q198.An organization has specific technical risk mitigation configurations that must be implemented before a new server can be approved for production. Several critical servers were recently deployed with the antivirus missing, unnecessary ports disabled, and insufficient password complexity. Which of the following should the analyst recommend to prevent a recurrence of this risk exposure?
A. Perform password-cracking attempts on all devices going into production
B. Perform an Nmap scan on all devices before they are released to production
C. Perform antivirus scans on all devices before they are approved for production
D. Perform automated security controls testing of expected configurations prior to production
Hint answer: D
Q199.Understanding attack vectors and integrating intelligence sources are important components of:
A. a vulnerability management plan.
B. proactive threat hunting.
C. risk management compliance.
D. an incident response plan.
Hint answer: B
Q200.A user receives a potentially malicious email that contains spelling errors and a PDF document. A security analyst reviews the email and decides to download the attachment to a Linux sandbox for review.
Which of the following commands would MOST likely indicate if the email is malicious?
A. sha256sum ~/Desktop/file.pdf
B. file ~/Desktop/file.pdf
C. strings ~/Desktop/file.pdf | grep “