CompTIA (CS0-002) Exam Questions And Answers page 19
A critical server was compromised by malware, and all functionality was lost. Backups of this server were taken; however, management believes a logic bomb may have been injected by a rootkit. Which of the following should a security analyst perform to restore functionality quickly?
Restore the previous backup and scan with a live boot anti-malware scanner
Stand up a new server and restore critical data from backups
Offload the critical data to a new server and continue operations
Cyber Incident Response
Cybersecurity Tool Sets
An organization has the following risk mitigation policy:
• Risks with a probability of 95% or greater will be addressed before all others regardless of the impact.
• All other prioritization will be based on risk value.
The organization has identified the following risks:
Which of the following is the order of priority for risk mitigation from highest to lowest?
A, B, D, C
A, B, C, D
D, A, B, C
D, A, C, B
Threat Management
Security Architecture and Tool Sets
A security analyst on the threat-hunting team has developed a list of unneeded, benign services that are currently running as part of the standard OS deployment for workstations. The analyst will provide this list to the operations team to create a policy that will automatically disable the services for all workstations in the organization.
Which of the following BEST describes the security analyst's goal?
To create a system baseline
To reduce the attack surface
To optimize system performance
To improve malware detection
Threat Management
Cybersecurity Tool Sets
While reviewing log files, a security analyst uncovers a brute-force attack that is being performed against an external webmail portal. Which of the following would be BEST to prevent this type of attack from being successful?
Create a new rule in the IDS that triggers an alert on repeated login attempts
Implement MFA on the email portal using out-of-band code delivery
Alter the lockout policy to ensure users are permanently locked out after five attempts
Leverage password filters to prevent weak passwords on employee accounts from being exploited
Configure a WAF with brute-force protection rules in block mode
Threat Management
Cyber Incident Response
A managed security service provider (MSSP) has alerted a user that an account was added to the local administrator group for the servers named EC2AMAZ-HG87B4 and EC2AMAZ-B643M2. A security analyst logs in to the cloud provider's graphical user interface to determine the IP addresses of the servers and sees the following data:
Which of the following changes to the current architecture would work BEST to help the analyst to troubleshoot future alerts?
Rename all hosts to the value listed in the instance ID field.
Create a standard naming convention for all hostnames.
Create an asset tag that identifies each instance by hostname.
Instruct the MSSP to add the platform name from the cloud console to all alerts.
Security Operations and Monitoring
A monthly job to install approved vendor software updates and hot fixes recently stopped working. The security team performed a vulnerability scan, which identified several hosts as having some critical OS vulnerabilities, as referenced in the common vulnerabilities and exposures (CVE) database.
Which of the following should the security team do NEXT to resolve the critical findings in the most effective manner? (Choose two.)
Patch the required hosts with the correct updates and hot fixes, and rescan them for vulnerabilities.
Remove the servers reported to have high and medium vulnerabilities.
Tag the computers with critical findings as a business risk acceptance.
Manually patch the computers on the network, as recommended on the CVE website.
Harden the hosts on the network, as recommended by the NIST framework.
Resolve the monthly job issues and test them before applying them to the production network.
Cyber Incident Response
Cybersecurity Tool Sets
A security analyst is attempting to utilize the following threat intelligence for developing detection capabilities:
APT X's approach to a target would be sending a phishing email to the target after conducting active and passive reconnaissance. Upon successful compromise, APT X conducts internal reconnaissance and attempts to move laterally by utilizing existing resources. When APT X finds data that aligns to its objectives, it stages and then exfiltrates data sets in sizes that can range from 1GB to 5GB. APT X also establishes several backdoors to maintain a C2 presence in the environment.
In which of the following phases is this APT MOST likely to leave discoverable artifacts?
Data collection/exfiltration
Defensive evasion
Lateral movement
Reconnaissance
Threat Management
Cyber Incident Response
SIMULATION
You are a cybersecurity analyst tasked with interpreting scan data from Company A's servers. You must verify the requirements are being met for all of the servers and recommend changes if you find they are not.
The company's hardening guidelines indicate the following:
• TLS 1.2 is the only version of TLS running.
• Apache 2.4.18 or greater should be used.
• Only default ports should be used.
INSTRUCTIONS
Using the supplied data, record the status of compliance with the company's guidelines for each server.
The question contains two parts: make sure you complete Part 1 and Part 2. Make recommendations for issues based ONLY on the hardening guidelines provided.
Cybersecurity Tool Sets
Security Operations and Monitoring
A security analyst is monitoring a company's network traffic and finds ping requests going to accounting and human resources servers from a SQL server. Upon investigation, the analyst discovers a technician responded to potential network connectivity issues. Which of the following is the BEST way for the security analyst to respond?
Report this activity as a false positive, as the activity is legitimate.
Isolate the system and begin a forensic investigation to determine what was compromised.
Recommend network segmentation to management as a way to secure the various environments.
Implement host-based firewalls on all systems to prevent ping sweeps in the future.
Security Architecture and Tool Sets
Compliance and Assessment
A company's change management team has asked a security analyst to review a potential change to the email server before it is released into production. The analyst reviews the following change request:
Which of the following is the MOST likely reason for the change?
To reject email from servers that are not listed in the SPF record
To reject email from email addresses that are not digitally signed.
To accept email to the company's domain.
To reject email from users who are not authenticated to the network.
Security Operations and Monitoring