CS0-001 CompTIA CySA Free Questions V11.02 | Killtest

2. The safer , easier way to help you pass any IT exams. 1.Malware is suspected on a server in the environment. The analyst is provided with the output of commands from servers in the environment and needs to review all output files in order to determine which process running on one of the servers may be malware INSTRUCTIONS Servers 1. 2, and 4 are clickable. Select the Server and the process that host the malware. If at any time you would like to bring back the initial state of the simulation, please click the Resen All button 1 / 27

3. The safer , easier way to help you pass any IT exams. 2 / 27

4. The safer , easier way to help you pass any IT exams. 3 / 27

5. The safer , easier way to help you pass any IT exams. 4 / 27

6. The safer , easier way to help you pass any IT exams. Answer: Server 4 and Svchost.exe 2.A security analyst performs various types of vulnerability scans. Review the vulnerability scan results to determine the type of scan that was executed and If a false positive occurred for each device. INSTRUCTIONS Select the Results Generated drop-down option to determine if the results were generated from a credentialed scan, non-credentialed scan, or a compliance scan. For ONLY the credentialed and non-credentialed scans, evaluate the results for False Positives and check the Findings that display false positives. NOTE: If you would like to uncheck an option that is currently selected, click on the option a second time Lastly, based on the vulnerability scan results, identity the type of Server by dragging the Server to the results The Linux Web Server File-Print server, and Directory Server are draggable. If at any time you would like to bring back the initial state of the simulation please click the Reset AN button. 5 / 27

7. The safer , easier way to help you pass any IT exams. Answer: 3.A security analyst suspects that a workstation may be beaconing to a command control server Inspect the logs from the company's web proxy server and the firewall to determine the best course of action to take in order to neutralize the threat with minimum impact to the organization INSTRUCTIONS Modify the firewall ACL using the Firewall ACL form to mitigate the issue If at any time you would like to bring back the initial state of the simulation please click the Reset All button. 6 / 27

8. The safer , easier way to help you pass any IT exams. 7 / 27

9. The safer , easier way to help you pass any IT exams. Answer: DENY TCP |192.168.1.5 | 7999 | 67.8.9.224 | 8080 4.The developers recently deployed new code to three web servers. A daily automated external device scan report shows server vulnerabilities that are failing items according to PCI DSS. If the vulnerability is not valid the analyst must take the proper steps to get the scan clean If the vulnerability is valid, the analyst must remediate the finding. 8 / 27

10. The safer , easier way to help you pass any IT exams. After reviewing the information provided in the network diagram, select the STEP 2 tab to complete the simulation by selecting the correct Validation Result and Remediation Action for each server listed using the drop-down options INSTRUC TIONS STEP 1: Review the information provided in the network diagram STEP 2: Given the scenario, determine which remediation action is required to address the vulnerability If at any time you would like to bring back the initial state of the simulation, please click the Reset All button. 9 / 27

11. The safer , easier way to help you pass any IT exams. 10 / 27

12. The safer , easier way to help you pass any IT exams. 11 / 27

13. The safer , easier way to help you pass any IT exams. 12 / 27

14. The safer , easier way to help you pass any IT exams. Answer: 13 / 27

15. The safer , easier way to help you pass any IT exams. 5.A security analyst is reviewing a report from the networking department that describes an increase in network utilization, which is causing network performance issues on some systems. A top talkers report a five-minute sample is included. Given the above output of the sample, which of the following should the security analyst accomplish FIRST to help track down the performance issues? 14 / 27

16. The safer , easier way to help you pass any IT exams. A. Perform reverse lookups on each of the IP addresses listed to help determine if the traffic is necessary B. Recommend that networking block the unneeded protocols such as QuickTime to clear up some of the congestion C. Put ACLs in place to restrict traffic destined for random or non-default application ports D. Quarantine the top talker on the network and begin to investigate any potential threats caused by the excessive traffic Answer:A 6.During the forensic phase of a security investigation, it was discovered that an attacker was able to find private keys on a poorly secured team shared drive. The attacker used those keys to intercept and decrypt sensitive traffic on a web server. Which of the following describes this type of exploit and the potential remediation? A. Session hijacking, network intrusion detection sensors B. Cross site scripting, increased encryption key sizes C. Man-in-the-middle, well-controlled storage of private keys D. Rootkit, controlled storage of public keys Answer:C 7.Which of the following is a vulnerability when using Windows as a host OS for virtual machines? A. Windows requires frequent patching B. Windows virtualized environments are typically unstable C. Windows requires hundreds of open firewall ports to operate D. Windows is vulnerable to the "ping of death” Answer:D 8.A penetration tester is preparing for an audit of critical systems that may impact the security of the environment. This includes the external perimeter and the internal perimeter of the environment. During which of the following processes is this type of information normally gathered? A. Timing B. Scoping C. Authorization D. Enumeration Answer:C 9.A red team actor observes it is common practice to allow cell phones to charge on company computers, but access to the memory storage is blocked. Which of the following are common attack techniques that take advantage of this practice? (Select TWO) A. A USB attack that tricks the computer into thinking the connected device is a keyboard, and then sends characters one at a time as a keyboard to launch the attack (a prerecorded series of keystrokes) B. A USB attack that turns the connected device into a rogue a point that spoofs the configured wireless SSIDs C. A Bluetooth attack that modifies the device registry (Windows PCs only) to allow the flash drive to mount, and then launches a Java applet attack D. A Bluetooth peering attack called "Snarfing" that allows Bluetooth connections on blocked device types 15 / 27

17. The safer , easier way to help you pass any IT exams. if physically connected to a USB port E. A USB attack that ticks the system into thinking it is a network adapter, then runs a user password hash gathering utility for offline password cracking Answer:AE 10.Company A suspects an employee has been exfiltrating PII via a USB thumb drive. An analyst is tasked with attempting to locate the information on the drive. The PII in question includes the following: Which of the following would BEST accomplish the task assigned to the analyst? A. 3[0-9] \d-2[0-9] \d-4[0-9] \d B. \d {30}- \d (2)- \d {4} C. ? [3] - ?[2] - ?[3] D. \d [9] | ‘xxx-xx-xxx’ Answer:A 11.A recently issued audit report highlighted exceptions related to end-user handling of sensitive data and access credentials. A security manager is addressing the findings. Which of the following activities should be implemented? A. Update the password policy B. Increase training requirements C. Deploy a single sign-on platform D. Deploy Group Policy Objects Answer:B 12.During which of the following NIST risk management framework steps would an information system security engineer identify inherited security controls and tailor those controls to the system? A. Categorize B. Select C. Implement D. Assess Answer:B 13.A security analyst begins to notice the CPU utilization from a sinkhole has begun to spike. Which of the following describes what may be occurring? A. Someone has logged on to the sinkhole and is using the device B. The sinkhole has begun blocking suspect or malicious traffic. C. The sinkhole has begun rerouting unauthorized traffic D. Something is controlling the sinkhole and causing CPU spikes due to malicious utilization 16 / 27

18. The safer , easier way to help you pass any IT exams. Answer:C 14.Alerts have been received from the SIEM, indicating infections on multiple computers. Based on threat characteristics, these files were quarantined by the host-based antivirus program. At the same time, additional alerts in the SIEM show multiple blocked URLs from the address of the infected computers; the URLs were classified as uncategorized. The domain location of the IP address of the URLs that were blocked is checked, and it is registered to an ISP in Russia. Which of the following steps should be taken NEXT? A. Remove those computers from the network and replace the hard drives. Send the infected hard drives out for investigation B. Run a full antivirus scan on all computers and use Splunk to search for any suspicious activity that happened just before the alerts were received in the SIEM C. Run a vulnerability scan and patch discovered vulnerabilities on the next patching cycle Have the users restart their computers. Create a use case in the SIEM to monitor failed logins on the infected compute D. Install a computer with the same settings as the infected computers in the DMZ to use as a honeypot Permit the URLs classified as uncategorized to and from that host Answer:B 15.Which of the following has the GREATEST impact to the data retention policies of an organization? A. The CIA classification matrix assigned to each piece of data B. The level of sensitivity of the data established by the data owner C. The regulatory requirements concerning the data set D. The technical constraints of the technology used to store the data Answer:C 16.A company has decided to process credit card transactions directly. Which of the following would meet the requirements for scanning this type of data? A. Quarterly B. Yearly C. Bi-annually D. Monthly Answer:A 17.Which of the following countermeasures should the security administrator apply to MOST effectively mitigate Bootkit-level infections of the organization’s workstation devices? A. Remove local administrator privileges B. Configure a BIOS-level password on the device C. Install a secondary virus protection application D. Enforce a system state recovery after each device reboot Answer:A 18.A new zero- day vulnerability was discovered within a basic screen capture app, which is used throughout the environment Two days after discovering the vulnerability, the manufacturer of the software has management teams. The vulnerability allows remote code execution to gain privileged access to the 17 / 27

19. The safer , easier way to help you pass any IT exams. system. Which of the following is the BEST course of action to mitigate this threat? A. Work with the manufacturer to determine the time frame for the fix B. Block the vulnerable application traffic at the firewall and disable the application services on each computer C. Remove the application and replace it with a similar non-vulnerable application D. Communicate with the end users that the application should not be used until the manufacturer has resolved the vulnerability. Answer:C 19.Which of the following tools should a cybersecurity analyst use to verity the integrity of a forensic image before and after an investigation? A. strings B. shalsum C. file D. dd E. gzip Answer:B 20.A computer has been infected with a virus and is sending out a beacon to a command and control server through an unknown service. Which of the following should a security technician implement to drop the traffic going to the command and control server and still be able to identify the infected host through firewall logs? A. Sinkhole B. Block ports and services C. Patches D. Endpoint security Answer:A 21.A central zed tool for organizing security events and managing their response and resolution is known as: A. SIEM B. HIPS C. Syslog D. Wireshark Answer:A 22.After a recent security breach, it was discovered that a developer had promoted code that had been written to the production environment as a hotfix to resolve a user navigation issue that was causing for several customers. The code had inadvertently granted administrative privileges to all users, allowing inappropriate access to sensitive data and reports. Which of the following could have prevented this code from being released into the production environment? A. Cross training 18 / 27

20. The safer , easier way to help you pass any IT exams. B. Succession planning C. Automated reporting D. Separation of duties Answer:D 23.A security analyst is assisting with a computer crime investigation and has been asked to secure a PC and deliver it to the forensics lab. Which of the following items would be MOST helpful to secure the PC? (Select THREE) A. Tamper-proof seals B. Faraday cage C. Chain of custody form D. Drive eraser E. Write blockers F. Network tap G. Multimeter Answer:ACE 24.A nuclear facility manager determined the need to monitor utilization of water within the facility. A startup company just announced a state-of-the-art solution to address the need for integrating the business and ICS networks. The solution requires a very small agent to be installed on the ICS equipment. Which of the following is the MOST important security control for the manager to invest in to protect the facility? A. Run a penetration test on the installed agent B. Require that the solution provider make the agent source code available for analysis C. Require thorough guides for administrator and users D. Install the agent for a week on a test system and monitor the activities Answer:D 25.A security professional is analyzing the results of a network utilization report. The report includes the following information: Which of the following servers needs further investigation? A. hr.dbprod.01 B. R&D.file.srvr.01 C. mrkty.file.srvr.02 D. Web.srvr.03 Answer:B 26.Due to new regulations, a company has decided to institute an organizational vulnerability management 19 / 27

21. The safer , easier way to help you pass any IT exams. program and assign the function to the security team. Which of the following frameworks would BEST support the program? (Select Two) A. COBIT B. NIST C. ISO 27000 series D. ITIL E. COSO Answer:BC 27.A cybersecurity analyst has received an alert that well-known "call home" messages are continuously observed by network sensors at the network boundary. The proxy firewall successfully drops the messages. After determining the alert was a true positive, which of the following represents the MOST likely cause? A. Attackers are running reconnaissance on company resources. B. An outside command and control system is attempting to reach an infected system C. An insider is trying to exfiltrate information to a remote network D. Malware is running on a company system Answer:B 28.A company has implemented WPA2, a 20-character minimum for the WIFI passphrase, and a new WiFi passphrase every 30 days, and has disabled SSID broadcast on all wireless access points. Which of the following is the company trying to mitigate? A. Downgrade attacks B. Rainbow tables C. SSL pinning D. Forced deauthentication Answer:D 29.The help desk formed a security analyst of a trend that is beginning to develop regarding a suspicious email that has been reported by multiple users. The analyst has determined the email includes an attachment named invoice.zip that contains the following files: Locky.jp xerty.ini xerty.lib Further analysis indicates that when the zip file Is opened, it is installing a new version of ransomware on the devices. Which of the following should be done FIRST to prevent data on the company NAS from being encrypted by infected devices? A. Disable access to the company VPN B. Move the files from the NAS to a cloud-based storage solution C. Set permissions on file shares to read-only D. Add the URL included in the is file to the company s web proxy filter Answer:B 20 / 27

22. The safer , easier way to help you pass any IT exams. 30.A staff member reported that a laptop has degraded performance. The security analyst has investigated the issue and discovered that CPU utilization, memory utilization, and outbound network traffic are consuming the laptop resources. Which of the following is the BEST course of action to resolve the problem? A. Identify and remove malicious processes B. Disable scheduled tasks C. Suspend virus scan D. Increase laptop memory E. Ensure the laptop OS is properly patched Answer:A 31.A security analyst has discovered that an outbound SHIP process is occurring at the same time of day for the past several days. At the time this was discovered, large amounts of business critical data were delivered. The authentication for this process occurred using a service account with proper credentials. The security analyst investigated the destination P for this transfer and discovered that this new process is not documented in the change management log. Which of the following would be the BEST course of action for the analyst to take? A. Investigate a potential incident B. Verify user permissions C. Run a vulnerability scan D. Verify SLA with cloud provider Answer:A 32.During an investigation, a computer is being seized. Which of the following is the FIRST step the analyst should take? A. Power off the computer and remove it from the network B. Unplug the network cable and take screenshots of the desktop C. Perform a physical hard disk image D. Initiate chain-of-custody documentation. Answer:D 33.A security analyst has determined the security team should take action based on the following log: Host 192.168.2.7 [00:00:01] successful login: 015 192.168.2.7: local [00:00:02] unsuccessful login: 022 222.34.56.8: RDP 192.168.2.8 [00:00:04] unsuccessful login: 010 222.34.56.8: RDP 192.168.2.8 [00:00:06] unsuccessful login: 015 222.34.56.8: RDP 192.168.2.8 [00:00:09] unsuccessful login: 012 222.34.56.8: RDP 192.168.2.8 Which of the following should be used to improve the security posture of the system? A. Enable login account auditing B. Limit the number of unsuccessful login attempts C. Upgrade the firewalls D. Increase password complexity requirements 21 / 27

23. The safer , easier way to help you pass any IT exams. Answer:B 34.An organization has recently experienced a data breach. A forensic analysis confirmed the attacker found a legacy web server that had not been used in over a year and was not regularly patched. After a discussion with the security team, management decided to initiate and penetration testing. They want to start the process by scanning the network for active hosts and open ports. Which of the following tools is BEST suited for this job? A. Ping B. Nmap C. Netstat D. ifconfig E. Wireshark F. L0phtCrack Answer:B 35.A medical organization recently started accepting payments over the phone. The manager is concerned about the impact of the storage of different types of data. Which of the following types of data incurs the highest regulatory constraints? A. PHI B. PCI C. PII D. IP Answer:B 36.An organization wants to remediate vulnerabilities associated with its web servers. An initial vulnerability scan has been performed, and analysts are reviewing the results. Before starting any remediation, the analysts want to remove false positives to avoid spending time on issues that are not actual vulnerabilities. Which of the following would be an indicator of a likely false positive? A. Reports indicate that findings are informational. B. Any items labeled "low are considered informational only C. The scan result version is different from the automated asset inventory D. Https entries indicate the web page is encrypted securely Answer:B 37.A newly discovered malware has a known behavior of connecting outbound to an external destination on port 27500 for the purposes of exfiltrating data. The following are four snippets taken from running netstat -an on separate Windows workstations: 22 / 27

24. The safer , easier way to help you pass any IT exams. Based on the above information, which of the following is MOST likely to be exposed to this malware? A. Workstation A B. Workstation B C. Workstation C D. Workstation D Answer:A 38.An insurance company employs quick-response team drivers that carry corporate issued mobile devices with the insurance company s app installed on them. Devices are configuration- -hardened by an MDM and kept up to date. The employees use the app to collect insurance claim information and process payments Recently, a number of customers have filed complaints of credit card fraud against the insurance company, which occurred shortly after their payments were processed via the mobile app. The cyber-incident response team has been asked to investigate. Which of the following is MOST likely the cause? A. The MDM server is misconfigured B. The app does not employ TLS C. USB tethering is enabled D. 3G and less secure cellular technologies are not restricted Answer:B 39.A cybersecurity consultant found common vulnerabilities across the following services used by multiple servers at an organization VPN, SSH, and HTTPS. 23 / 27

25. The safer , easier way to help you pass any IT exams. Which of the following is the Most likely reason for the discovered vulnerabilities? A. Leaked PKI private key B. Vulnerable version of OpenSSL C. Common initialization vector D. Weak level of encryption entropy E. Vulnerable implementation of PEAP Answer:B 40.A recent audit included a vulnerability scan that found critical patches released 60 days prior were not applied to servers in the environment. The infrastructure team was able to isolate the issue and determined it was due to a service being disabled on the server running the automated patch management application Which of the following would be the MOST efficient way to avoid similar audit findings in the future? A. Implement a manual patch management application package to regain greater control over the process. B. Create a patch management policy that requires all servers to be patched within 30 days of patch release C. Implement service monitoring to validate that tools are functioning properly D. Set services on the patch management server to automatically run on start-up Answer:C 41.Which of the following could be directly impacted by an unpatched vulnerability in vSphere ESXi? A. The organization's physical routers B. The organizations mobile devices C. The organization's virtual infrastructure D. The organizations VPN Answer:C 42.A security analyst performed a review of an organization’s software development life cycle. The analyst reports that the life cycle does not contain a phase in which team members evaluate and provide critical feedback on another developer's code. Which of the following assessment techniques is BEST for describing the analyst's report? A. Architectural evaluation B. Waterfall C. Whitebox testing D. Peer review Answer:D 43.The Chief Security Officer (CSO) has requested a vulnerability report of systems on the domain, identifying those running outdated Oss. The automated scan reports are not displaying OS version details, so the CSO cannot determine risk exposure levels from vulnerable systems. Which of the following should the cybersecurity analyst do to enumerate OS information as part of the vulnerability scanning process in the MOST efficient manner? A. Execute the ver command B. Execute the nmap -p command. C. Use Wireshark to export a list 24 / 27

26. The safer , easier way to help you pass any IT exams. D. Use credentialed configuration Answer:D 44.Organizational policies require vulnerability remediation on severity 7 or greater within one week. Anything with a severity less than 7 must be remediated within 30 days. The organization also requires Security teams to investigate the details of a vulnerability before performing any remediation. If the investigation determines the finding is a false positive, no remediation is performed and the vulnerability scanner configuration is updated to omit the false positive from future scans. The organization has three Apache web serve 192.168.1.20 - Apache v2.4.1 192.168.1.21 - Apache v2.4.0 192.168.1.22 - Apache v2.4.0 The results of a recent vulnerability scan are shown below: ---- Scan Host:192.168.1.22 15-Feb-1610:12:10.1 CDT Vulnerability CVE-2006-5752 Cross-site scripting (XSS) vulnerability in the mod_status module of Apache server (httpd), when ExtendedStatus is enabled and a public-server-status page is used, allows remote attackers to inject arbitrary web script or HTML. Severity: 4.3 (medium) --- The team performs some investigation and finds a statement from Apache “Fixed in apache HTTP server 2.4.1 and later” Which of the following actions should the security team perform? A. Ignore the false positive on 192.168.1.22 B. Remediate 192.168.1.20 within 30 days C. Remediate 192.168.1.22 within 30 days D. Investigate the false negative on 192.168.1.20 Answer:C 45.A security analyst is creating ACLs on a perimeter firewall that will deny inbound packets that are from internal addresses, reserved external addresses, and multicast addresses. Which of the following is the analyst attempting to prevent? A. Broadcast storms B. Spoofing attacks C. DDoS attacks D. Man-in-the-middle attacks Answer:B 46.A server contains baseline images that are deployed to sensitive workstations on a regular basis. The images are evaluated once per month for patching and other fixes, but do not change otherwise. Which of the following controls should be put in place to secure the file server and ensure the images are not changed? 25 / 27

27. The safer , easier way to help you pass any IT exams. A. Install and configure a file integrity monitoring tool on the server and allow updates to the images each month B. Schedule vulnerability scans of the server at least once per month before the images are updated C. Require the use of two-factor authentication for any administrator or user who needs to connect to the server D. Install a honeypot to identify any attacks before the baseline images can be compromised Answer:A 47.A security analyst notices PII has been copied from the customer database to an anonymous FTP server in the DMZ. Firewall logs indicate the customer database has not been accessed from the anonymous FTP server. Which of the following departments should a decision about pursuing further investigation? (Select TWO) A. Human resources B. Public relations C. Legal D. Executive management E. IT management Answer:CD 48.A security analyst received several service tickets reporting that a company storefront website is not accessible by internal domain users. However, external users are accessing the website without issue. Which of the following is the MOST likely reason for this behavior? A. The FODN is incorrect B. The DNS server is corrupted C. The time synchronization server is corrupted D. The certificate is expired Answer:B 49.Which of the following utilities could be used to resolve an IP address to a domain name, assuming the address has a PTR record? A. ifconfig B. ping C. arp D. nbtstat Answer:B 50.A security analyst has just completed a vulnerability scan of servers that support a business critical application that is managed by an outside vendor. The results of the scan indicate the devices are missing critical patches. Which of the following factors can inhibit remediation of these vulnerabilities? (Select Two) A. Inappropriate data classifications B. SLAs with the supporting vendor C. Business process interruption 26 / 27

28. The safer , easier way to help you pass any IT exams. D. Required sandbox testing E. Incomplete asset inventory Answer:BC 27 / 27