Comptia (CS0-002) Exam Questions And Answers page 14
A Chief Security Officer (CSO) is working on the communication requirements for an organization's incident response plan. In addition to technical response activities, which of the following is the main reason why communication must be addressed in an effective incident response program?
Improper communications can create unnecessary complexity and delay response actions.
Organizational personnel must only interact with trusted members of the law enforcement community.
Senior leadership should act as the only voice for the incident response team when working with forensics teams.
Cyber Incident Response
Cybersecurity Tool Sets
After a breach involving the exfiltration of a large amount of sensitive data, a security analyst is reviewing the following firewall logs to determine how the breach occurred:
Which of the following IP addresses does the analyst need to investigate further?
192.168.1.1
192.168.1.10
192.168.1.12
192.168.1.193
Security Operations and Monitoring
During routine monitoring, a security analyst discovers several suspicious websites that are communicating with a local host. The analyst queries for IP 192.168.50.2 for a 24-hour period:
To further investigate, the analyst should request PCAP for SRC 192.168.50.2 and __________.
DST 138.10.2.5.
DST 138.10.25.5.
DST 172.10.3.5.
DST 172.10.45.5.
DST 175.35.20.5.
Threat Management
Security Architecture and Tool Sets
A security analyst needs to obtain the footprint of the network. The footprint must identify the following information:
• TCP and UDP services running on a targeted system
• Types of operating systems and versions
• Specific applications and versions
Which of the following tools should the analyst use to obtain the data?
Prowler
Nmap
Reaver
ZAP
Security Architecture and Tool Sets
Cybersecurity Tool Sets
A forensic analyst took an image of a workstation that was involved in an incident. To BEST ensure the image is not tampered with, the analyst should use:
hashing
backup tapes
a legal hold
chain of custody
Cyber Incident Response
Security Architecture and Tool Sets
A security manager has asked an analyst to provide feedback on the results of a penetration test. After reviewing the results, the manager requests information regarding the possible exploitation of vulnerabilities. Which of the following information data points would be MOST useful for the analyst to provide to the security manager, who would then communicate the risk factors to senior management? (Choose two.)
Probability
Adversary capability
Attack vector
Impact
Classification
Indicators of compromise
Threat Management
Cyber Incident Response
A vulnerability scanner has identified an out-of-support database software version running on a server. The software update will take six to nine months to complete. The management team has agreed to a one-year extended support contract with the software vendor. Which of the following BEST describes the risk treatment in this scenario?
The extended support mitigates any risk associated with the software.
The extended support contract changes this vulnerability finding to a false positive.
The company is transferring the risk for the vulnerability to the software vendor.
The company is accepting the inherent risk of the vulnerability.
Cybersecurity Tool Sets
Compliance and Assessment
An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operation of the organization's production line. The legacy hardware does not have third-party support, and the OEM manufacturer of the controller is no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability.
Which of the following would be the MOST appropriate to remediate the controller?
Segment the network to constrain access to administrative interfaces.
Replace the equipment that has third-party support.
Remove the legacy hardware from the network.
Install an IDS on the network between the switch and the legacy equipment.
Threat Management
Security Operations and Monitoring
A security analyst scanned an internal company subnet and discovered a host with the following Nmap output.
Based on the output of this Nmap scan, which of the following should the analyst investigate FIRST?
Port 22
Port 135
Port 445
Port 3389
Security Operations and Monitoring
A security analyst reviews SIEM logs and detects a well-known malicious executable running in a Windows machine. The up-to-date antivirus cannot detect the malicious executable. Which of the following is the MOST likely cause of this issue?
The malware is fileless and exists only in physical memory
The malware detects and prevents its own execution in a virtual environment
The antivirus does not have the malware's signature
The malware is being executed with administrative privileges
Threat Management
Cyber Incident Response