CompTIA (CS0-002) Exam Questions And Answers page 29
An incident response team is responding to a breach of multiple systems that contain PII and PHI. Disclosing the incident to external entities should be based on:
the public relations policy
the communication plan
senior management's guidance
Cyber Incident Response
Cybersecurity Tool Sets
A security analyst is reviewing vulnerability scan results and notices new workstations are being flagged as having outdated antivirus signatures. The analyst observes the following plugin output:
The analyst uses the vendor's website to confirm the oldest supported version is correct.
Which of the following BEST describes the situation?
This is a false positive, and the scanning plugin needs to be updated by the vendor.
This is a true negative, and the new computers have the correct version of the software.
This is a true positive, and the new computers were imaged with an old version of the software.
This is a false negative, and the new computers need to be updated by the desktop team.
Threat Management
Cybersecurity Tool Sets
The help desk notified a security analyst that emails from a new email server are not being sent out. The new email server was recently added to the existing ones. The analyst runs the following command on the new server:
Given the output, which of the following should the security analyst check NEXT?
The DNS name of the new email server
The version of SPF that is being used
The IP address of the new email server
The DMARC policy
Security Operations and Monitoring
A security engineer is reviewing security products that identify malicious actions by users as part of a company's insider threat program. Which of the following is the MOST appropriate product category for this purpose?
SCAP
SOAR
UEBA
WAF
Threat Management
Cybersecurity Tool Sets
A network attack that is exploiting a vulnerability in the SNMP is detected.
Which of the following should the cybersecurity analyst do FIRST?
Apply the required patches to remediate the vulnerability.
Escalate the incident to senior management for guidance.
Disable all privileged user accounts on the network.
Temporarily block the attacking IP address.
Threat Management
Cyber Incident Response
A security analyst has received reports of very slow, intermittent access to a public-facing corporate server. Suspecting the system may be compromised, the analyst runs the following commands:
Based on the output from the above commands, which of the following should the analyst do NEXT to further the investigation?
Run crontab -r; rm -rf /tmp/.t to remove and disable the malware on the system.
Examine the server logs for further indicators of compromise of a web application.
Run kill -9 1325 to bring the load average down so the server is usable again.
Perform a binary analysis on the /tmp/.t/t file, as it is likely to be a rogue SSHD server.
Security Operations and Monitoring
A security analyst has received information from a third-party intelligence-sharing resource that indicates employee accounts were breached.
Which of the following is the NEXT step the analyst should take to address the issue?
Audit access permissions for all employees to ensure least privilege.
Force a password reset for the impacted employees and revoke any tokens.
Configure SSO to prevent passwords from going outside the local network.
Set up privileged access management to ensure auditing is enabled.
Threat Management
Cyber Incident Response
A user's computer has been running slowly when the user tries to access web pages. A security analyst runs the command netstat -aon from the command line and receives the following output:
Which of the following lines indicates the computer may be compromised?
Line 1
Line 2
Line 3
Line 4
Line 5
Line 6
Cyber Incident Response
Security Operations and Monitoring
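The netstat question above asks the reader to pick out the one connection that does not belong. As an added example (not part of the original page or the exam, and not the output the question refers to, which is not reproduced here), the following Python parses constructed `netstat -aon` rows and applies the triage rule an analyst typically uses: an ESTABLISHED connection to an address outside the internal ranges on a port that is not one the workstation is expected to talk to (here only 80 and 443). The IPs are RFC 5737 documentation addresses standing in for Internet hosts, and the PIDs are made up.

```python
import ipaddress
from dataclasses import dataclass

# Constructed netstat -aon output (Windows layout). Not the exam question's output.
# Data rows are numbered 1..N in order, matching how such questions refer to "Line N".
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49711     172.217.14.206:443     ESTABLISHED     4120
  TCP    192.168.1.20:49720     203.0.113.45:4444      ESTABLISHED     6188
  TCP    192.168.1.20:49730     198.51.100.7:80        ESTABLISHED     4120
  TCP    192.168.1.20:445       192.168.1.55:51002     ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    1080
"""

# Remote ports a browsing workstation is expected to reach (assumption for this example).
EXPECTED_REMOTE_PORTS = {80, 443}

# Explicit internal ranges: RFC 1918, loopback, link-local and "this network".
# (ipaddress.is_private is deliberately not used: it also treats the RFC 5737
# documentation ranges used in the sample as private.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


@dataclass
class Conn:
    line: int
    proto: str
    local: str
    foreign: str
    state: str
    pid: int


def split_endpoint(endpoint):
    """'203.0.113.45:4444' -> ('203.0.113.45', 4444); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse netstat -aon rows; UDP rows have no State column, so they carry 4 fields."""
    conns, n = [], 0
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0] == "Proto":
            continue
        n += 1
        if fields[0].upper() == "UDP":
            proto, local, foreign, pid = fields
            state = ""
        else:
            proto, local, foreign, state, pid = fields
        conns.append(Conn(n, proto, local, foreign, state, int(pid)))
    return conns


def is_external(host):
    """True for a routable address outside INTERNAL_NETS; False for '*' or unparsable hosts."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def suspicious_lines(conns, expected=EXPECTED_REMOTE_PORTS):
    """Established connections to external hosts on unexpected remote ports."""
    flagged = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        host, port = split_endpoint(c.foreign)
        if is_external(host) and port not in expected:
            flagged.append(c)
    return flagged


if __name__ == "__main__":
    for c in suspicious_lines(parse_netstat(SAMPLE_NETSTAT)):
        print(f"Line {c.line}: {c.proto} {c.local} -> {c.foreign} {c.state} PID {c.pid}")
```

Listening sockets and the SMB session from another internal host are not flagged; the connection to an external host on 4444 is. In a real triage the flagged PID is then mapped to its image path (for example with `tasklist /FI "PID eq 6188"`) before deciding whether it is malware.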
An organization is experiencing issues with emails that are being sent to external recipients. Incoming emails to the organization are working fine. A security analyst receives the following screenshot of an email error from the help desk:
The analyst then checks the email server and sees many of the following messages in the logs:
Error 550 Message rejected
Which of the following is MOST likely the issue?
SPF is failing.
The DMARC queue is full.
The DKIM private key has expired.
Port 25 is not open.
Security Operations and Monitoring
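The two email questions above (the new mail server whose outbound mail is not being sent, and the 550 rejections on outbound mail) both turn on whether the receiving side's SPF check passes for the connecting IP: a server that was added to the fleet but not to the domain's SPF record fails a `-all` policy, and many receivers reject such mail with a 5xx response. As an added example (not part of the original page or the exam, and not a full RFC 7208 implementation), the following Python evaluates a minimal SPF record offline against constructed TXT records. The domains and addresses are made up; only `ip4`, `ip6`, `include` and `all` are handled, with no real DNS lookups.

```python
import ipaddress

# Constructed DNS TXT records (not real domains). The example.com record lists the two
# original mail servers but not the newly added one at 203.0.113.30.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.20 include:_spf.mailrelay.example -all",
    "_spf.mailrelay.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, records):
    """Return the SPF record for domain from the constructed TXT table, or None."""
    rec = records.get(domain)
    if rec is None or not rec.lower().startswith("v=spf1"):
        return None
    return rec


def check_spf(sender_ip, domain, records, depth=0):
    """Evaluate sender_ip against domain's SPF record.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Mechanisms are tried left to right; the first match decides the result.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10 per evaluation
        return "permerror"
    record = lookup_spf(domain, records)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            if check_spf(sender_ip, arg, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a, mx, ptr, exists, redirect: not implemented here
    return "neutral"  # record ended without an "all" term


def add_ip4(record, cidr):
    """Return the record with an ip4 mechanism inserted before the final all term."""
    terms = record.split()
    idx = next(i for i, t in enumerate(terms) if t.lstrip("+-~?").lower() == "all")
    return " ".join(terms[:idx] + [f"ip4:{cidr}"] + terms[idx:])


def fixed_records(records, domain, cidr):
    """Copy of the TXT table with the new server authorised for domain."""
    fixed = dict(records)
    fixed[domain] = add_ip4(records[domain], cidr)
    return fixed


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "203.0.113.30"):
        print(ip, "->", check_spf(ip, "example.com", TXT_RECORDS))
    repaired = fixed_records(TXT_RECORDS, "example.com", "203.0.113.30")
    print("after fix:", check_spf("203.0.113.30", "example.com", repaired))
```

The first two senders pass (one directly, one through the `include`), the new server fails because the record ends in `-all`, and adding `ip4:203.0.113.30` before `-all` turns that into a pass. With `~all` the same lookup returns softfail, which receivers usually accept and tag rather than reject, which is why a hard 550 points at a `-all` record rather than at DKIM or DMARC.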
A security analyst is concerned that a third-party application may have access to user passwords during authentication. Which of the following protocols should the application use to alleviate the analyst's concern?
LDAPS
MFA
SAML
SHA-1
Threat Management
Cyber Incident Response