
Title of test:
Cysa+ 02 V23 part 180-200

Description:
180-200

Author:
Adrian B

Creation Date:
19/05/2023

Category:
Computers

Number of questions: 20
Content:
An analyst is responding to an incident within a cloud infrastructure. Based on the logs and traffic analysis, the analyst thinks a container has been compromised. Which of the following should the analyst do FIRST? A. Perform threat hunting in other areas of the cloud infrastructure. B. Contact law enforcement to report the incident. C. Perform a root cause analysis on the container and the service logs D. Isolate the container from production using a predefined policy template.
Which of the following incident response components can identify who is the liaison between multiple lines of business and the public? A. Red-team analysis B. Escalation process and procedures C. Triage and analysis D. Communications plan.
A new variant of malware is spreading on the company network using TCP/443 to contact its command-and-control server. The domain name used for callback continues to change, and the analyst is unable to predict future domain name variance. Which of the following actions should the analyst take to stop malicious communications with the LEAST disruption to service? A. Implement a sinkhole with a high entropy level. B. Disable TCP/53 at the perimeter firewall. C. Block TCP/443 at the edge router. D. Configure the DNS forwarders to use recursion.
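The "high entropy" in option A refers to the randomness of algorithmically generated callback names: you cannot enumerate the next domain in advance, but you can score every queried name and route the machine-looking ones to a sinkhole while TCP/443 stays open for everyone else. The block below is an added example, not material from this test or its author: it scores the registrable label of each queried name by Shannon entropy over constructed DNS log lines and returns per-host sinkhole candidates. The threshold, minimum label length, vowel-ratio check and the tiny public-suffix list are assumptions to tune per environment, and a real deployment would also allowlist CDN and cloud hostnames that are legitimately random-looking.

```python
"""Flag DGA-style callback domains by label entropy, as a triage aid for the
"sinkhole the high-entropy names" approach. Added example; the sample log lines
are constructed and the thresholds are assumptions to tune per environment."""
import math
import re
from collections import Counter

# Constructed sample DNS query log ("client queried_name" per line); not real data.
SAMPLE_DNS_LOG = """\
10.0.0.15 www.example.com
10.0.0.15 cdn.jsdelivr.net
10.0.0.22 x7f3kq9zp2lw.com
10.0.0.22 q8d2vn4bz1xr.net
10.0.0.22 mail.google.com
10.0.0.31 kf9s7h2j4m1p.org
"""

# Suffixes stripped before scoring; a short list for the demo, not the real PSL.
PUBLIC_SUFFIXES = ("com", "net", "org")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registrable_label(fqdn: str) -> str:
    """Label left of the public suffix, e.g. 'example' for www.example.com."""
    parts = fqdn.lower().rstrip(".").split(".")
    if len(parts) >= 2 and parts[-1] in PUBLIC_SUFFIXES:
        return parts[-2]
    return parts[0]


def is_dga_like(fqdn: str, entropy_threshold: float = 3.3, min_len: int = 10) -> bool:
    """Heuristic: a long registrable label with high per-character entropy and
    few vowels looks machine-generated. Both cut-offs are assumed values."""
    label = registrable_label(fqdn)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= entropy_threshold and vowel_ratio < 0.3


def sinkhole_candidates(log_text: str) -> dict:
    """Return {client: [suspicious names]} from a 'client name' per-line log."""
    hits = {}
    for line in log_text.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)$", line.strip())
        if not m:
            continue
        host, name = m.groups()
        if is_dga_like(name):
            hits.setdefault(host, []).append(name)
    return hits


if __name__ == "__main__":
    for client, names in sinkhole_candidates(SAMPLE_DNS_LOG).items():
        print(client, "->", ", ".join(names))
```

The per-client grouping matters for the LEAST-disruption requirement: the output tells you which hosts to remediate, while the sinkhole answer itself (a resolver rule returning a controlled address for the flagged names) leaves ordinary HTTPS traffic untouched.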
HOTSPOT - A security analyst performs various types of vulnerability scans. Review the vulnerability scan results to determine the type of scan that was executed and if a false positive occurred for each device. INSTRUCTIONS - Select the Results Generated drop-down option to determine if the results were generated from a credentialed scan, non-credentialed scan, or a compliance scan. For ONLY the credentialed and non-credentialed scans, evaluate the results for False Positives and check the Findings that display false positives. NOTE: If you would like to uncheck an option that is currently selected, click on the option a second time. Lastly, based on the vulnerability scan results, identify the type of Server by dragging the Server to the results. The Linux Web Server, File-Print Server, and Directory Server are draggable. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
https://www.examtopics.com/discussions/comptia/view/81136-exam-cs0-002-topic-1-question-182-discussion/
"Passed the exam today and I went with: 1. non-credentialed scan – File Print Server: False positive is the first bullet point. 2. credentialed scan – Linux Workstation: No False positives. 3. Compliance scan – Directory Server PBQ."
Given the output below: # nmap 7.70 scan initiated Tue Feb 8 12:34:56 2022 as: nmap -v -Pn -p 80,8000,443 --script http-* -oA server.out 192.168.220.42 Which of the following is being performed? A. Cross-site scripting B. Local file inclusion attack C. Log4j check D. Web server enumeration.
A developer is working on a program to convert user-generated input in a web form before it is displayed by the browser. The technique is referred to as: A. Output encoding. B. Data protection. C. Query parameterization. D. Input validation.
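Output encoding is the conversion applied at the moment data is written into a page, and the encoder depends on the context the data lands in (text node, attribute, URL parameter). The block below is an added example, not code from this test or its author: it renders one constructed attacker-controlled value first unsafely, then encoded for each context, using only the Python standard library.

```python
"""Output encoding: the same untrusted input rendered unsafely and then encoded
for the HTML context it lands in. Added example, not code from the page."""
import html
from urllib.parse import quote

# Constructed attacker-controlled input (a typical stored-XSS probe).
UNTRUSTED_NAME = '<img src=x onerror="alert(1)">'


def render_unsafe(name: str) -> str:
    """Vulnerable: raw concatenation lets markup in the input execute in the browser."""
    return f"<p>Hello, {name}</p>"


def render_text(name: str) -> str:
    """Encode for HTML text content: < > & " ' become entities, so the browser
    displays the characters instead of parsing them as a tag."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def render_attribute(name: str) -> str:
    """Encode for a quoted attribute value. quote=True is what closes the gap:
    without it a stray double quote could terminate the attribute and start a new one."""
    return f'<input type="text" value="{html.escape(name, quote=True)}">'


def render_url_param(name: str) -> str:
    """A different context needs a different encoder: percent-encode for a
    query-string value, then HTML-encode the whole href for the attribute it sits in."""
    href = "/profile?name=" + quote(name, safe="")
    return f'<a href="{html.escape(href, quote=True)}">profile</a>'


def contains_tag(markup: str, tag: str = "<img") -> bool:
    """Check used in the demo: does the rendered string still contain a live tag?"""
    return tag in markup


if __name__ == "__main__":
    for fn in (render_unsafe, render_text, render_attribute, render_url_param):
        print(f"{fn.__name__:18} {fn(UNTRUSTED_NAME)}")
```

Note what this does not do: it never rejects or rewrites the stored value (that would be input validation, option D). The user's text is kept as typed and made safe only at the output boundary, which is why the same value can be encoded differently for each place it is displayed.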
The incident response team is working with a third-party forensic specialist to investigate the root cause of a recent intrusion. An analyst was asked to submit sensitive network design details for review. The forensic specialist recommended electronic delivery for efficiency, but email was not an approved communication channel to send network details. Which of the following BEST explains the importance of using a secure method of communication during incident response? A. To prevent adversaries from intercepting response and recovery details B. To ensure intellectual property remains on company servers C. To have a backup plan in case email access is disabled D. To ensure the management team has access to all the details that are being exchanged.
A security administrator needs to provide access from partners to an isolated laboratory network inside an organization that meets the following requirements: * The partners' PCs must not connect directly to the laboratory network * The tools the partners need to access while on the laboratory network must be available to all partners * The partners must be able to run analyses on the laboratory network, which may take hours to complete Which of the following capabilities will MOST likely meet the security objectives of the request? A. Deployment of a jump box to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis B. Deployment of a firewall to allow access to the laboratory network and use of VDI in non-persistent mode to provide the necessary tools for analysis C. Deployment of a firewall to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis D. Deployment of a jump box to allow access to the laboratory network and use of VDI in non-persistent mode to provide the necessary tools for analysis.
Which of the following allows Secure Boot to be enabled? A. eFuse B. UEFI C. HSM D. PAM.
A company wants to configure the environment to allow passive network monitoring. To avoid disrupting the sensitive network, which of the following must be supported by the scanner's NIC to assist with the company's request? A. Port bridging B. Tunnel all mode C. Full-duplex mode D. Port mirroring E. Promiscuous mode.
A security analyst was transferred to an organization's threat-hunting team to track specific activity throughout the enterprise environment. The analyst must observe and assess the number of times this activity occurs and aggregate the results. Which of the following is the BEST threat-hunting method for the analyst to use? A. Stack counting B. Searching C. Clustering D. Grouping.
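Stack counting (option A) means picking one attribute, tallying how many hosts show each value, and reading the bottom of the stack, on the assumption that what is common is normal and what is rare deserves a look. The block below is an added example, not code from this test or its author: it stacks a constructed process inventory three ways and shows why the choice of attribute matters, since a masquerading binary is invisible when you stack by file name but stands out when you stack by full path or by parent/child pair.

```python
"""Stack counting: tally a chosen attribute across the estate and look at the
least frequent values. Added example over a constructed process inventory;
nothing here is real telemetry."""
from collections import Counter

# Constructed inventory: (hostname, image path, parent image path).
PROCESS_INVENTORY = [
    ("ws-001", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ("ws-002", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ("ws-003", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ("ws-004", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ("ws-001", r"C:\Program Files\Browser\browser.exe", r"C:\Windows\explorer.exe"),
    ("ws-002", r"C:\Program Files\Browser\browser.exe", r"C:\Windows\explorer.exe"),
    ("ws-003", r"C:\Program Files\Browser\browser.exe", r"C:\Windows\explorer.exe"),
    ("ws-004", r"C:\Users\Public\svchost.exe", r"C:\Windows\System32\cmd.exe"),
]


def stack(records, key):
    """Count how many distinct hosts exhibit each value of key(record).
    Counting hosts rather than raw events keeps one chatty machine from
    dominating the stack."""
    hosts_by_value = {}
    for rec in records:
        hosts_by_value.setdefault(key(rec), set()).add(rec[0])
    return Counter({value: len(hosts) for value, hosts in hosts_by_value.items()})


def rarest(records, key, max_hosts=1):
    """Outliers: values seen on at most max_hosts hosts, rarest first."""
    counts = stack(records, key)
    return sorted((v for v, n in counts.items() if n <= max_hosts),
                  key=lambda v: (counts[v], str(v)))


# Three candidate attributes to stack on.
def image_name(rec):
    return rec[1].rsplit("\\", 1)[-1].lower()


def image_path(rec):
    return rec[1].lower()


def parent_child(rec):
    return (rec[2].rsplit("\\", 1)[-1].lower(), image_name(rec))


if __name__ == "__main__":
    for label, key in (("name", image_name), ("path", image_path), ("parent>child", parent_child)):
        print(f"{label:13} stack={dict(stack(PROCESS_INVENTORY, key))}")
        print(f"{'':13} rare ={rarest(PROCESS_INVENTORY, key)}")
```

The aggregate-and-count workflow in the question is exactly `stack()`; `rarest()` is the analyst reading the bottom of the list. In practice you stack on several attributes of the same data set because each one hides a different kind of outlier.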
An email analysis system notifies a security analyst that the following message was quarantined and requires further review. Which of the following actions should the security analyst take? A. Release the email for delivery due to its importance. B. Immediately contact a purchasing agent to expedite. C. Delete the email and block the sender. D. Purchase the gift cards and submit an expense report.
A Chief Information Security Officer (CISO) is concerned about new privacy regulations that apply to the company. The CISO has tasked a security analyst with finding the proper control functions to verify that a user's data is not altered without the user's consent. Which of the following would be an appropriate course of action? A. Automate the use of a hashing algorithm after verified users make changes to their data. B. Use encryption first and then hash the data at regular, defined times. C. Use a DLP product to monitor the data sets for unauthorized edits and changes. D. Replicate the data sets at regular intervals and continuously compare the copies for unauthorized changes.
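Option A describes an integrity control: after a change the user has consented to, compute a digest of the record and store it, so that any later edit that bypasses the workflow no longer verifies. The block below is an added example, not code from this test or its author. It uses a keyed HMAC rather than a bare hash, on the reasoning that whoever can edit the row can usually also recompute an unkeyed hash; the key, the record fields and the out-of-band edit are all constructed for the demo, and in production the key would live in an HSM or KMS rather than in source.

```python
"""Integrity control for user records: seal each record with an HMAC after a
consented change, and verify the seal on every read or on a schedule. Added
example; key and records are placeholders, not anything from the page."""
import hashlib
import hmac
import json

# Assumed: in production this key lives in an HSM/KMS, never beside the data.
INTEGRITY_KEY = b"demo-key-replace-in-production"


def canonical(record: dict) -> bytes:
    """Deterministic serialization so equal content always yields equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Tag to store alongside the record after a consented change."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Constant-time comparison; a plain == would leak timing information."""
    return hmac.compare_digest(seal(record, key), tag)


def apply_consented_change(record: dict, changes: dict, key: bytes = INTEGRITY_KEY):
    """The only sanctioned write path: apply the user's changes, then re-seal."""
    updated = {**record, **changes}
    return updated, seal(updated, key)


def audit(records_with_tags, key: bytes = INTEGRITY_KEY):
    """Scheduled check: ids of records whose stored tag no longer verifies."""
    return [rec["id"] for rec, tag in records_with_tags if not verify(rec, tag, key)]


def demo():
    """Consented edit verifies; a direct edit behind the workflow's back does not."""
    user = {"id": 42, "email": "user@example.com", "marketing_opt_in": False}
    user, tag = apply_consented_change(user, {"email": "new@example.com"})
    ok_before = verify(user, tag)
    # Out-of-band edit (DBA console, SQL injection, rogue batch job): no re-seal.
    user["marketing_opt_in"] = True
    ok_after = verify(user, tag)
    return ok_before, ok_after


if __name__ == "__main__":
    print("consented change verifies, silent edit verifies:", demo())
```

Options B through D either protect confidentiality rather than integrity, or detect changes only after the fact by comparison; the seal-on-consent approach ties the integrity check to the moment consent was actually given.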
A security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output: Which of the following commands should the administrator run NEXT to further analyze the compromised system? A. strace /proc/1301 B. rpm -V openssh-server C. /bin/ls -l /proc/1301/exe D. kill -9 1301.
To prioritize the morning's work, an analyst is reviewing security alerts that have not yet been investigated. Which of the following assets should be investigated FIRST? A. The workstation of a developer who is installing software on a web server. B. A new test web server that is in the process of initial installation. C. An accounting supervisor's laptop that is connected to the VPN D. The laptop of the vice president that is on the corporate LAN.
A help desk technician inadvertently sent the credentials of the company's CRM in cleartext to an employee's personal email account. The technician then reset the employee's account using the appropriate process and the employee's corporate email, and notified the security team of the incident. According to the incident response procedure, which of the following should the security team do NEXT? A. Contact the CRM vendor. B. Prepare an incident summary report. C. Perform postmortem data correlation. D. Update the incident response plan.
Which of the following is an advantage of SOAR over SIEM? A. SOAR is much less expensive. B. SOAR reduces the amount of human intervention required. C. SOAR can aggregate data from many sources. D. SOAR uses more robust encryption protocols.
During an incident, it is determined that a customer database containing email addresses, first names, and last names was exfiltrated. Which of the following should the security analyst do NEXT? A. Consult with the legal department for regulatory impact. B. Encrypt the database with available tools. C. Email the customers to inform them of the breach. D. Follow the incident communications process.
Which of the following ICS network protocols has no inherent security functions on TCP port 502? A. CIP B. DHCP C. SSH D. Modbus.
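Modbus/TCP (option D) carries a 7-byte MBAP header and a function code plus data, and nothing else: no credential, no session token, no integrity tag. Anyone who can reach TCP/502 can issue a write to a controller. The block below is an added example, not code from this test or its author: it builds and parses Modbus/TCP frames so the absence of any security field is visible byte by byte, and shows the kind of check a passive sensor would apply. The frames are constructed, not captured.

```python
"""Modbus/TCP on port 502: MBAP header + PDU, with no authentication or
integrity field anywhere in the frame. Added example; frames are constructed."""
import struct

MODBUS_PORT = 502

FUNCTION_NAMES = {
    0x01: "Read Coils",
    0x03: "Read Holding Registers",
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}
WRITE_FUNCTIONS = (0x05, 0x06, 0x0F, 0x10)


def build_frame(transaction_id: int, unit_id: int, function: int, payload: bytes) -> bytes:
    """MBAP header: transaction id, protocol id (0 = Modbus), length of what
    follows the length field, unit id; then the PDU (function code + data)."""
    pdu = bytes([function]) + payload
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def write_single_register(transaction_id: int, unit_id: int, address: int, value: int) -> bytes:
    """Function 0x06: just an address and a value. No proof of who is asking."""
    return build_frame(transaction_id, unit_id, 0x06, struct.pack(">HH", address, value))


def read_holding_registers(transaction_id: int, unit_id: int, address: int, count: int) -> bytes:
    """Function 0x03: start address and register count."""
    return build_frame(transaction_id, unit_id, 0x03, struct.pack(">HH", address, count))


def parse_frame(frame: bytes) -> dict:
    """Decode a frame; raise ValueError when the header disagrees with the bytes."""
    if len(frame) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("not Modbus protocol id")
    if length != len(frame) - 6:
        raise ValueError("MBAP length mismatch")
    function = frame[7]
    payload = frame[8:]
    info = {
        "transaction_id": tid,
        "unit_id": unit,
        "function": function,
        "name": FUNCTION_NAMES.get(function, "unknown"),
        "is_write": function in WRITE_FUNCTIONS,
    }
    if function in (0x05, 0x06) and len(payload) == 4:
        info["address"], info["value"] = struct.unpack(">HH", payload)
    return info


def is_write_request(frame: bytes) -> bool:
    """Detection helper: what a passive sensor on a SPAN port would alert on
    when the source is not an approved engineering workstation."""
    return parse_frame(frame)["is_write"]


if __name__ == "__main__":
    frame = write_single_register(1, 1, 0x0010, 0xFF00)
    print(frame.hex(), parse_frame(frame))
```

Because there is no field to authenticate, the compensating controls are outside the protocol: network segmentation, an allowlist of which sources may send write function codes, and passive monitoring that alerts on writes from anywhere else.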
A. it only accepts TLSv1 .2. B. it only accepts cipher suites using AES and SHA. C. it no longer accepts the vulnerable cipher suites. D. SSL/TLS is offloaded to a WAF and load balancer.