CompTIA CySA+ (CS0-002) Free Dumps Questions [2023]

Jonnie Karnath2023-05-25T06:41:43+00:00

Preparing for CompTIA CySA+ (CS0-002) certification exam is crucial for cybersecurity professionals who want to demonstrate their expertise in information security analysis. Certspots offers a vast collection of CompTIA CySA+ (CS0-002) Free Dumps Questions that can help you evaluate your skills and prepare for the exam effectively. By using Certspots CompTIA CySA+ (CS0-002) Free Dumps Questions, you can enhance your knowledge and skills and increase your chances of passing the CySA+ exam.

Page 1 of 9

1. A security analyst is performing a Diamond Model analysis of an incident the company had last quarter.

A potential benefit of this activity is that it can identify:

detection and prevention capabilities to improve.

which systems were exploited more frequently.

possible evidence that is missing during forensic analysis.

which analysts require more training.

the time spent by analysts on each of the incidents.

2. Which of the following are the MOST likely reasons lo include reporting processes when updating an incident response plan after a breach? (Select TWO).

To establish a clear chain of command

To meet regulatory requirements for timely reporting

To limit reputation damage caused by the breach

To remediate vulnerabilities that led to the breach

To isolate potential insider threats

To provide secure network design changes

3. A security analyst is looking at the headers of a few emails that appear to be targeting all users at an organization:

Which of the following technologies would MOST likely be used to prevent this phishing attempt?

DNSSEC

DMARC

STP

S/IMAP

4. A software developer is correcting the error-handling capabilities of an application following the initial coding of the fix.

Which of the following would the software developer MOST likely performed to validate the code poor to pushing it to production?

Web-application vulnerability scan

Static analysis

Packet inspection

Penetration test

5. Which of the following ICS network protocols has no inherent security functions on TCP port 502?

CIP

DHCP

SSH

Modbus

6. An organization has the following risk mitigation policies

• Risks without compensating controls will be mitigated first it the nsk value is greater than $50,000

• Other nsk mitigation will be pnontized based on risk value.

The following risks have been identified:

Which of the following is the ordei of priority for risk mitigation from highest to lowest?

A, C, D, B

B, C, D, A

C, B, A, D

C, D, A, B

D, C, B, A

7. An organizational policy requires one person to input accounts payable and another to do accounts receivable. A separate control requires one person to write a check and another person to sign all checks greater than $5,000 and to get an additional signature for checks greater than $10,000.

Which of the following controls has the organization implemented?

Segregation of duties

Job rotation

Non-repudiaton

Dual control

8. A Chief Information Security Officer (CISO) is concerned about new privacy regulations that apply to the company. The CISO has tasked a security analyst with finding the proper control functions to verify that a user's data is not altered without the user's consent.

Which of the following would be an appropriate course of action?

Automate the use of a hashing algorithm after verified users make changes to their data.

Use encryption first and then hash the data at regular, defined times.

Use a DLP product to monitor the data sets for unauthorized edits and changes.

Replicate the data sets at regular intervals and continuously compare the copies for unauthorized changes.

9. A company's blocklist has outgrown the current technologies in place. The ACLs are at maximum, and the IPS signatures only allow a certain amount of space for domains to be added, creating the need for multiple signatures.

Which of the following configuration changes to the existing controls would be the MOST appropriate to improve performance?

Implement a host-file-based solution that will use a list of all domains to deny for all machines on the network.

Create an IDS for the current blocklist to determine which domains are showing activity and may need to be removed

Review the current blocklist and prioritize it based on the level of threat severity. Add the domains with the highest severity to the blocklist.

Review the current blocklist to determine which domains can be removed from the list and then update the ACLs

10. A security analyst identified some potentially malicious processes after capturing the contents of memory from a machine during incident response.

Which of the following procedures is the NEXT step for further in investigation?

Data carving

Timeline construction

File cloning

Reverse engineering

Page 2 of 9

11. Which of the following BEST describes what an organizations incident response plan should cover regarding how the organization handles public or private disclosures of an incident?

The disclosure section should focus on how to reduce the likelihood customers will leave due to the incident.

The disclosure section should contain the organization's legal and regulatory requirements regarding disclosures.

The disclosure section should include the names and contact information of key employees who are needed for incident resolution

The disclosure section should contain language explaining how the organization will reduce the likelihood of the incident from happening m the future.

12. A company is experiencing a malware attack within its network. A security engineer notices many of the impacted assets are connecting outbound to a number of remote destinations and exfiltrating data. The security engineer also see that deployed, up-to-date antivirus signatures are ineffective.

Which of the following is the BEST approach to prevent any impact to the company from similar attacks in the future?

IDS signatures

Data loss prevention

Port security

Sinkholing

13. An organization has the following policies:

* Services must run on standard ports.

* Unneeded services must be disabled.

The organization has the following servers:

* 192.168.10.1 - web server

* 192.168.10.2 - database server

A security analyst runs a scan on the servers and sees the following output:

Which of the following actions should the analyst take?

Disable HTTPS on 192.168.10.1.

Disable IIS on 192.168.10.1.

Disable DNS on 192.168.10.2.

Disable MSSQL on 192.168.10.2.

Disable SSH on both servers.

14. A security analyst at exampte.com receives a SIEM alert for an IDS signature and reviews the associated packet capture and TCP stream:

Winch of the following actions should the security analyst lake NEXT?

Review the known Apache vulnerabilities to determine if a compromise actually occurred

Contact the application owner for connect example local tor additional information

Mark the alert as a false positive scan coming from an approved source.

Raise a request to the firewall team to block 203.0.113.15.

15. After a series of Group Policy Object updates, multiple services stopped functioning. The systems administrator believes the issue resulted from a Group Policy Object update but cannot validate which update caused the Issue.

Which of the following security solutions would resolve this issue?

Privilege management

Group Policy Object management

Change management

Asset management

16. Which of the following is the greatest security concern regarding ICS?

The involved systems are generally hard to identify.

The systems are configured for automatic updates, leading to device failure.

The systems are oftentimes air gapped, leading to fileless malware attacks.

Issues on the systems cannot be reversed without rebuilding the systems.

17. A company has alerted planning the implemented a vulnerability management procedure. However, to security maturity level is low, so there are some prerequisites to complete before risk calculation and prioritization.

Which of the following should be completed FIRST?

A business Impact analysis

A system assessment

Communication of the risk factors

A risk identification process

18. Which of the following is the software development process by which function, usability, and scenarios are tested against a known set of base requirements?

Security regression testing

Code review

User acceptance testing

Stress testing

19. Due to a rise m cyberattackers seeking PHI, a healthcare company that collects highly sensitive data from millions of customers is deploying a solution that will ensure the customers' data is protected by the organization internally and externally .

Which of the following countermeasures can BEST prevent the loss of customers' sensitive data?

Implement privileged access management

Implement a risk management process

Implement multifactor authentication

Add more security resources to the environment

20. During a company’s most recent incident, a vulnerability in custom software was exploited on an externally facing server by an APT.

The lessons-learned report noted the following:

• The development team used a new software language that was not supported by the security team's automated assessment tools.

• During the deployment, the security assessment team was unfamiliar with the new language and struggled to evaluate the software during advanced testing. Therefore, the vulnerability was not detected.

• The current IPS did not have effective signatures and policies in place to detect and prevent runtime attacks on the new application.

To allow this new technology to be deployed securely going forward, which of the following will BEST address these findings? (Choose two.)

Train the security assessment team to evaluate the new language and verify that best practices for secure coding have been followed

Work with the automated assessment-tool vendor to add support for the new language so these vulnerabilities are discovered automatically

Contact the human resources department to hire new security team members who are already familiar with the new language

Run the software on isolated systems so when they are compromised, the attacker cannot pivot to adjacent systems

Instruct only the development team to document the remediation steps for this vulnerability

Outsource development and hosting of the applications in the new language to a third-party vendor so the risk is transferred to that provider

Page 3 of 9

21. While observing several host machines, a security analyst notices a program is overwriting data to a buffer.

Which of the following controls will best mitigate this issue?

Data execution prevention

Output encoding

Prepared statements

Parameterized queries

22. During an audit several customer order forms were found to contain inconsistencies between the actual price of an item and the amount charged to the customer Further investigation narrowed the cause of the issue to manipulation of the public-facing web form used by customers to order products .

Which of the following would be the BEST way to locate this issue?

Reduce the session timeout threshold

Deploy MFA for access to the web server

Implement input validation

Run a static code scan

23. Which of the following factors would determine the regulations placed on data under data sovereignty laws?

What the company intends to do with the data it owns

The company's data security policy

The type of data the company stores

The data laws of the country in which the company is located

24. During a review of recent network traffic, an analyst realizes the team has seen this same traffic multiple times in the past three weeks, and it resulted in confirmed malware activity The analyst also notes there is no other alert in place for this traffic

After resolving the security incident, which of the following would be the BEST action for the analyst to take to increase the chance of detecting this traffic in the future?

Share details of the security incident with the organization's human resources management team

Note the security incident so other analysts are aware the traffic is malicious

Communicate the security incident to the threat team for further review and analysis

Report the security incident to a manager for inclusion in the daily report

25. During a routine review of service restarts a security analyst observes the following in a server log:

Which of the following is the GREATEST security concern?

The daemon's binary was AChanged

Four consecutive days of monitoring are skipped in the tog

The process identifiers for the running service change

The PIDs are continuously changing

26. While investigating reports or issues with a web server, a security analyst attempts to log in remotely and recedes the following message:

The analyst accesses the server console, and the following console messages are displayed:

The analyst is also unable to log in on the console.

While reviewing network captures for the server, the analyst sees many packets with the following signature:

Which of the following is the BEST step for the analyst to lake next in this situation?

Load the network captures into a protocol analyzer to further investigate the communication with 128.30.100.23, as this may be a botnet command server

After ensuring network captures from the server are saved isolate the server from the network take a memory snapshot, reboot and log in to do further analysis.

Corporate data is being exfilltrated from the server Reboot the server and log in to see if it contains any sensitive data.

Cryptomining malware is running on the server and utilizing an CPU and memory. Reboot the server and disable any cron Jobs or startup scripts that start the mining software.

27. According to a static analysis report for a web application, a dynamic code evaluation script injection vulnerability was found.

Which of the following actions is the BEST option to fix the vulnerability in the source code?

Delete the vulnerable section of the code immediately.

Create a custom rule on the web application firewall.

Validate user input before execution and interpretation.

Use parameterized queries.

28. Wncn of the following provides an automated approach 10 checking a system configuration?

SCAP

CI/CD

OVAL

Scripting

SOAR

29. An analyst is responding 10 an incident involving an attack on a company-owned mobile device that was being used by an employee to collect data from clients in the held. Maiware was loaded on the device via the installation of a third-party software package The analyst has baselined the device .

Which of the following should the analyst do to BEST mitigate future attacks?

Implement MDM

Update the maiware catalog

Patch the mobile device's OS

Block third-party applications

30. A customer notifies a security analyst that a web application is vulnerable to information disclosure The analyst needs to indicate the seventy of the vulnerability based on its CVSS score, which the analyst needs to calculate When analyzing the vulnerability the analyst realizes that tor the attack to be successful, the Tomcat configuration file must be modified .

Which of the following values should the security analyst choose when evaluating the CVSS score?

Network

Physical

Adjacent

Local

Page 4 of 9

31. Which of the following is the BEST option to protect a web application against CSRF attacks?

Update the web application to the latest version.

Set a server-side rate limit for CSRF token generation.

Avoid the transmission of CSRF tokens using cookies.

Configure the web application to only use HTTPS and TLS 1.3.

32. A cybersecurity analyst is researching operational data to develop a script that will detect the presence of a threat on corporate assets.

Which of the following contains the most useful information to produce this script?

API documentation

Protocol analysis captures

MITRE ATT&CK reports

OpenloC files

33. A security analyst responds to a series of events surrounding sporadic bandwidth consumption from an endpoint device.

The security analyst then identifies the following additional details:

• Bursts of network utilization occur approximately every seven days.

• The content being transferred appears to be encrypted or obfuscated.

• A separate but persistent outbound TCP connection from the host to infrastructure in a third-party cloud is in place.

• The HDD utilization on the device grows by 10GB to 12GB over the course of every seven days.

• Single file sizes are 10GB.

Which of the following describes the most likely cause of the issue?

Memory consumption

Non-standard port usage

Data exfiltration

System update

Botnet participant

34. A security analyst needs to automate the incident response process for malware infections.

When the following logs are generated, an alert email should automatically be sent within 30 minutes:

Which of the following is the best way for the analyst to automate alert generation?

Deploy a signature-based IDS

Install a UEBA-capable antivirus

Implement email protection with SPF

Create a custom rule on a SIEM

35. Which of the following is MOST dangerous to the client environment during a vulnerability assessment penetration test?

There is a longer period of time to assess the environment.

The testing is outside the contractual scope

There is a shorter period of time to assess the environment

No status reports are included with the assessment.

36. An organization prohibits users from logging in to the administrator account. If a user requires elevated permissions. the user's account should be part of an administrator group, and the user should escalate permission only as needed and on a temporary basis.

The organization has the following reporting priorities when reviewing system activity:

• Successful administrator login reporting priority - high

• Failed administrator login reporting priority - medium

• Failed temporary elevated permissions - low

• Successful temporary elevated permissions - non-reportable

A security analyst is reviewing server syslogs and sees the following:

Which of the following events is the HIGHEST reporting priority?

Option A

Option B

Option C

Option D

37. A security officer needs to find the most cost-effective solution to the current data privacy and protection gap found in the last security assessment .

Which of the following is the BEST recommendation?

Require users to sign NDAs

Create a data minimization plan.

Add access control requirements

Implement a data loss prevention solution

38. A code review reveals a web application is using lime-based cookies for session management. This is a security concern because lime-based cookies are easy to:

parameterize.

decode.

guess.

decrypt.

39. Which of the following solutions is the BEST method to prevent unauthorized use of an API?

HTTPS

Geofencing

Rate liming

Authentication

40. An analyst received an alert regarding an application spawning a suspicious command shell process.

Upon further investigation, the analyst observes the following registry change occurring immediately after the suspicious event:

Which of the following was the suspicious event able to accomplish?

Impair defenses.

Establish persistence.

Bypass file access controls.

Implement beaconing.

Page 5 of 9

41. A product manager is working with an analyst to design a new application that will perform as a data analytics platform and will be accessible via a web browser. The product manager suggests using a PaaS provider to host the application.

Which of the following is a security concern when using a PaaS solution?

The use of infrastructure-as-code capabilities leads to an increased attack surface.

Patching the underlying application server becomes the responsibility of the client.

The application is unable to use encryption at the database level.

Insecure application programming interfaces can lead to data compromise.

42. A vulnerability assessment solution is hosted in the cloud This solution will be used as an accurate inventory data source for both the configuration management database and the

governance nsk and compliance tool An analyst has been asked to automate the data acquisition .

Which of the following would be the BEST way to acqutre the data?

CSV export

SOAR

API

Machine learning

43. A small organization has proprietary software that is used internally. The system has not been wen maintained and cannot be updated with the rest or the environment.

Which of the following is the BEST solution?

virtualize the system and decommission the physical machine.

Remove it from the network and require air gapping.

Implement privileged access management for identity access.

Implement MFA on the specific system.

44. A developer is working on a program to convert user-generated input in a web form before it is displayed by the browser. This technique is referred to as:

output encoding.

data protection.

query parameterization.

input validation.

45. An organization is focused on restructuring its data governance programs and an analyst has been Tasked with surveying sensitive data within the organization.

Which of the following is the MOST accurate method for the security analyst to complete this assignment?

Perform an enterprise-wide discovery scan.

Consult with an internal data custodian.

Review enterprise-wide asset Inventory.

Create a survey and distribute it to data owners.

46. A security analyst wants to capture large amounts of network data that will be analyzed at a later time. The packet capture does not need to be in a format that is readable by humans, since it will be put into a binary file called "packetCapture." The capture must be as efficient as possible, and the analyst wants to minimize the likelihood that packets will be missed.

Which of the following commands will best accomplish the analyst's objectives?

tcpdump -w packetCapture

tcpdump -a packetCapture

tcpdump -n packetCapture

nmap -v > packetCapture

nmap -oA > packetCapture

47. A security analyst observes a large amount of scanning activity coming from an IP address outside the organization's environment.

Which of the following should the analyst do to block this activity?

Create an IPS rule to block the subnet.

Sinkhole the IP address.

Create a firewall rule to block the IP address.

Close all unnecessary open ports.

48. 1.An analyst receives an alert from the continuous-monitoring solution about unauthorized changes to the firmware versions on several field devices. The asset owners confirm that no firmware version updates were performed by authorized technicians, and customers have not reported any performance issues or outages.

Which Of the following actions would be BEST for the analyst to recommend to the asset owners to secure the devices from further exploitation?

Change the passwords on the devices.

Implement BIOS passwords.

Remove the assets from the production network for analysis.

Report the findings to the threat intel community.

49. A security learn implemented a SCM as part for its security-monitoring program there is a requirement to integrate a number of sources Into the SIEM to provide better context relative to the events being processed.

Which of the following BST describes the result the security learn hopes to accomplish by adding these sources?

Data enrichment

Continuous integration

Machine learning

Workflow orchestration

50. Which of the following activities is designed to handle a control

failure that leads to a breach?

Risk assessment

Incident management

Root cause analysis

Vulnerability management

Page 6 of 9

51. Given the output below:

#nmap 7.70 scan initiated Tues, Feb 8 12:34:56 2022 as: nmap -v -Pn -p 80,8000,443 -- script http-* -oA server.out 192.168.220.42 .

Which of the following is being performed?

Cross-site scripting

Local file inclusion attack

Log4] check

Web server enumeration

52. A cybersecurity analyst routinely checks logs, querying for login attempts.

While querying for unsuccessful login attempts during a five-day period, the analyst produces the following report:

Which of the following BEST describes what the analyst Just found?

Users 4 and 5 are using their credentials to transfer files to multiple servers.

Users 4 and 5 are using their credentials to run an unauthorized scheduled task targeting some servers In the cloud.

An unauthorized user is using login credentials in a script.

A bot is running a brute-force attack in an attempt to log in to the domain.

53. When of the following techniques can be implemented to safeguard the confidentiality of sensitive information while allowing limited access to authorized individuals?

Deidentification

Hashing

Masking

Salting

54. A security analyst has received a report that servers are no longer able to connect to the network. After many hours of troubleshooting, the analyst determines a Group Policy Object is responsible for the network connectivity Issues.

Which of the following solutions should the security analyst recommend to prevent an interruption of service in the future?

Cl/CD pipeline

Impact analysis and reporting

Appropriate network segmentation

Change management process

55. A Chief Information Secunty Officer has asked for a list of hosts that have critical and high-seventy findings as referenced in the CVE database.

Which of the following tools would produce the assessment output needed to satisfy this request?

Nessus

Nikto

Fuzzer

Wireshark

Prowler

56. A company creates digitally signed packages for its devices.

Which of the following best describes the method by which the security packages are delivered to the company's customers?

Antitamper mechanism

SELinux

Trusted firmware updates

eFuse

57. An IT security analyst has received an email alert regarding vulnerability within the new fleet of vehicles the company recently purchased.

Which of the following attack vectors is the vulnerability MOST likely targeting?

SCADA

CAN bus

Modbus

loT

58. A product security analyst has been assigned to evaluate and validate a new products security capabilities Part of the evaluation involves reviewing design changes at specific intervals tor security deficiencies recommending changes and checking for changes at the next checkpoint .

Which of the following BEST defines the activity being conducted?

User acceptance testing

Stress testing

Code review

Security regression testing

59. A new variant of malware is spreading on the company network using TCP 443 to contact its command-and-control server. The domain name used for callback continues to change, and the analyst is unable to predict future domain name variance .

Which of the following actions should the analyst take to stop malicious communications with the LEAST disruption to service?

Implement a sinkhole with a high entropy level

Disable TCP/53 at the parameter firewall

Block TCP/443 at the edge router

Configure the DNS forwarders to use recursion

60. An organization announces that all employees will need to work remotely for an extended period of time. All employees will be provided with a laptop and supported hardware to facilitate this requirement. The organization asks the information security division to reduce the risk during this time.

Which of the following is a technical control that will reduce the risk of data loss if a laptop is lost or stolen?

Requiring the use of the corporate VPN

Requiring the screen to be locked after five minutes of inactivity

Requiring the laptop to be locked in a cabinet when not in use

Requiring full disk encryption

Page 7 of 9

61. An analyst receives artifacts from a recent Intrusion and is able to pull a domain, IP address, email address, and software version.

When of the following points of the Diamond Model of Intrusion Analysis does this intelligence represent?

Infrastructure

Capabilities

Adversary

Victims

62. A security officer needs to find the most cost-effective solution to the current data privacy and protection gap found in the last security assessment.

Which of the following is the BEST recommendation?

Require users to sign NDAs

Create a data minimization plan.

Add access control requirements.

Implement a data loss prevention solution.

63. An organization is experiencing security incidents in which a systems administrator is creating unauthorized user accounts A security analyst has created a script to snapshot the system configuration each day.

Following iss one of the scripts:

This script has been running successfully every day.

Which of the following commands would provide the analyst with additional useful information relevant to the above script?

A)

Option A

Option B

Option C

Option D

64. A company has a cluster of web servers that is critical to the business. A systems administrator installed a utility to troubleshoot an issue, and the utility caused the entire cluster to 90 offline.

Which of the following solutions would work BEST prevent to this from happening again?

Change management

Application whitelisting

Asset management

Privilege management

65. The management team has asked a senior security engineer to explore DLP security solutions for the company's growing use of cloud-based storage.

Which of the following is an appropriate solution to control the sensitive data that is being stored in the cloud?

NAC

IPS

CASB

WAF

66. A security analyst is correlating, ranking, and enriching raw data into a report that will be interpreted by humans or machines to draw conclusions and create actionable recommendations .

Which of the following steps in the intelligence cycle is the security analyst performing?

Analysis and production

Processing and exploitation

Dissemination and evaluation

Data collection

Planning and direction

67. The Chief information Officer of a large cloud software vendor reports that many employees are falling victim to phishing emails because they appear to come from other employees.

Which of the following would BEST prevent this issue

Induce digital signatures on messages originating within the company.

Require users authenticate to the SMTP server

Implement DKIM to perform authentication that will prevent this Issue.

Set up an email analysis solution that looks for known malicious Iinks within the email.

68. A company's legal and accounting teams have decided it would be more cost-effective to offload the risks of data storage to a third party. The IT management team has decided to implement a cloud model and has asked the security team for recommendations.

Which of the following will allow all data to be kept on the third-party network?

VDI

SaaS

CASB

FaaS

69. A company employee downloads an application from the internet.

After the installation, the employee begins experiencing noticeable performance issues, and files are appearing on the desktop.

Which of the following processes will the security analyst Identify as the MOST likely indicator of system compromise given the processes running in Task Manager?

Chrome.exe

Word.exe

Explorer.exe

mstsc.exe

taskmgr.exe

70. A company recently experienced a breach of sensitive information that affects customers across multiple geographical regions.

Which of the following roles would be BEST suited to determine the breach notification requirements?

Legal counsel

Chief Security Officer

Human resources

Law enforcement

Page 8 of 9

71. A help desk technician inadvertently sent the credentials of the company's CRM n clear text to an employee's personal email account. The technician then reset the employee's account using the appropriate process and the employee's corporate email, and notified the security team of the incident

According to the incident response procedure, which of the following should the security team do NEXT?

Contact the CRM vendor.

Prepare an incident summary report.

Perform postmortem data correlation.

Update the incident response plan.

72. Which of the following BEST explains the function of trusted firmware updates as they relate to hardware assurance?

Trusted firmware updates provide organizations with development, compilation, remote access, and customization for embedded devices.

Trusted firmware updates provide organizations with security specifications, open-source libraries, and custom toots for embedded devices.

Trusted firmware updates provide organizations with remote code execution, distribution, maintenance, and extended warranties for embedded devices

Trusted firmware updates provide organizations with secure code signing, distribution, installation. and attestation for embedded devices.

73. During a review of SIEM alerts, a security analyst discovers the SIEM is receiving many alerts per day from the file-integrity monitoring toot about files from a newly deployed application that should not change.

Which of the following steps should the analyst complete FIRST to respond to the issue?

Warn the incident response team that the server can be compromised

Open a ticket informing the development team about the alerts

Check if temporary files are being monitored

Dismiss the alert, as the new application is still being adapted to the environment

74. After a remote command execution incident occurred on a web server, a security analyst found the following piece of code in an XML file:

Which of the following it the BEST solution to mitigate this type of attack?

Implement a better level of user input filters and content sanitization.

Property configure XML handlers so they do not process sent parameters coming from user inputs.

Use parameterized Queries to avoid user inputs horn being processed by the server.

Escape user inputs using character encoding conjoined with whitelisting

75. Which of the following incident response components can identify who is the llaison between multiple lines of business and the pubic?

Red-team analysis

Escalation process and procedures

Triage and analysis

Communications plan

76. A security analyst is reviewing the network security monitoring logs listed below:

Which of the following is the analyst most likely observing? (Select two).

10.1.1.128 sent potential malicious traffic to the web server.

10.1.1.128 sent malicious requests, and the alert is a false positive

10.1.1.129 successfully exploited a vulnerability on the web server

10.1.1.129 sent potential malicious requests to the web server

10.1.1.129 can determine mat port 443 is being used

10.1.1.130 can potentially obtain information about the PHP version

77. During the threat modeling process for a new application that a company is launching, a security analyst needs to define methods and items to take into consideralion

Wtiich of the following are part of a known threat modeling method?

Threat profile, infrastructure and application vulnerabilities, security strategy and plans

Purpose, objective, scope, (earn management, cost, roles and responsibilities

Spoofing tampering, repudiation, information disclosure, denial of service elevation of privilege

Human impact, adversary's motivation, adversary's resources, adversary's methods

78. A security analyst is handling an incident in which ransomware has encrypted the disks of several company workstations.

Which of the following would work BEST to prevent this type of Incident in the future?

Implement a UTM instead of a stateful firewall and enable gateway antivirus.

Back up the workstations to facilitate recovery and create a gold Image.

Establish a ransomware awareness program and implement secure and verifiable backups.

Virtualize all the endpoints with dairy snapshots of the virtual machines.

79. The following output is from a tcpdump al the edge of the corporate network:

Which of the following best describes the potential security concern?

Payload lengths may be used to overflow buffers enabling code execution.

Encapsulated traffic may evade security monitoring and defenses

This traffic exhibits a reconnaissance technique to create network footprints.

The content of the traffic payload may permit VLAN hopping.

80. A company is aiming to test a new incident response plan. The management team has made it clear that the initial test should have no impact on the environment. The company has limited

resources to support testing.

Which of the following exercises would be the best approach?

Tabletop scenarios

Capture the flag

Red team vs. blue team

Unknown-environment penetration test

Page 9 of 9

81. As part of the senior leadership team's ongoing nsk management activities the Chief Information Security Officer has tasked a security analyst with coordinating the right training and testing methodology to respond to new business initiatives or significant changes to existing ones The management team wants to examine a new business process that would use existing infrastructure to process and store sensitive data .

Which of the following would be appropnate for the security analyst to coordinate?

A black-box penetration testing engagement

A tabletop exercise

Threat modeling

A business impact analysis

82. The incident response team is working with a third-party forensic specialist to investigate the root cause of a recent intrusion An analyst was asked to submit sensitive network design details for review The forensic specialist recommended electronic delivery for efficiency but email was not an approved communication channel to send network details .

Which of the following BEST explains the importance of using a secure method of communication during incident response?

To prevent adversaries from intercepting response and recovery details

To ensure intellectual property remains on company servers

To have a backup plan in case email access is disabled

To ensure the management team has access to all the details that are being exchanged

83. A development team recently released a new version of a public-facing website for testing prior to production. The development team is soliciting the help of various teams to validate the functionality of the website due to its high visibility.

Which of the following activities best describes the process the development team is initiating?

Static analysis

Stress testing

Code review

User acceptance testing

Facebook Twitter LinkedIn Google + Email