CS0-003 Answers PDF
Uploaded by LightHeartedLapisLazuli2536
Summary
This document contains exam questions and answers for a cybersecurity exam, likely for a professional certification. It includes questions on topics like zero-day vulnerabilities, data loss prevention (DLP), and web application security.
Topic 1 - Exam A

Question #1 (Topic 1)
A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?
A. CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L
B. CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
C. CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H
D. CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H
Correct Answer: A
Community vote distribution: A (82%), B (18%)

Comments:

roviy18891 (Highly Voted, 4 months ago), Selected Answer: A
Passed the exams 01/10/24, 90% of my questions were from here. Had 3 PBQs which were from the version 2. Passed with 810. https://rb.gy/p0a69
upvoted 41 times

fepawim315 (1 month, 3 weeks ago)
Really thanks for your suggestion. I am glad that I selected this source and got 92%. I would recommend it 100%. Thanks again.
upvoted 1 times

truearc (2 months, 3 weeks ago)
I took the test last week; almost all except for one or two were from here. The 3/4 PBQs I got were questions 6, 28, 183 from the 002 dump and the other was nmap scanning on the command line.
upvoted 5 times

GUYZO (1 month ago)
Hey can you please tell me where you get the 002 dump PBQs?
upvoted 1 times

0ee8014 (2 months, 2 weeks ago)
"except for one or two were from here" what do you mean?
upvoted 1 times

Rumchata556 (2 months, 1 week ago)
He means there were only one or two questions from here that weren't on his exam.
upvoted 1 times

Rumchata556 (2 months, 1 week ago)
Correction, one or two questions on his exam that were not in this dump lol
upvoted 1 times

0ee8014 (2 months, 1 week ago)
Thank You
upvoted 1 times

cybergirl97 (Highly Voted, 6 months, 4 weeks ago)
Very valid dump, 90% of my questions were from here. I used the 002 dump for the PBQs. I passed with 807 on 30 Nov 2023.
upvoted 13 times

LifeElevated (6 months, 3 weeks ago)
What PBQs did you see?
upvoted 3 times

cybergirl97 (5 months, 3 weeks ago)
The first set of PBQs before you have to pay for full access, those were the ones I saw.
upvoted 3 times

Sebatian20 (6 months, 3 weeks ago)
Thank you Cybergirl - were any questions from 002 (beside the PBQ) valid for the 003 exam?
upvoted 2 times

cybergirl97 (5 months, 3 weeks ago)
Sorry for the late reply, just now seeing this. All of my questions were from here.
upvoted 3 times

ed69944 (Most Recent, 4 days ago)
Passed with a 789 today. My test only had about 60% of this dump within it though.
upvoted 5 times

peneloco (1 month, 1 week ago)
Just PASSED this test 06/24/24. You really need to understand these types of questions because you will get a handful of them. Also there are two simulations from the last version of this test (CSO-002). So go back and check those. There are 2 new simulations for CSO-003 and 2 old ones they use from CSO-002.
upvoted 4 times

TeresaCN (3 weeks, 2 days ago)
Do I need to check CSO-002 questions or can I pass the exam with CSO-003?
upvoted 2 times

5f49b73 (1 month, 1 week ago)
This question was on the test; passed with an 801 today (May 22, 2024). Labs 6, 28, 183 from the 002 exam topics set were the first 3 labs I had today. This set covers about 65% of the questions; the rest were straight textbook definitions, a couple of MITRE ATT&CK questions, a lot of SIEM, and honestly quite a few where you had to decide between scope or impact. Pretty straightforward. KNOW YOUR malicious commands/injections (SQLi, RCE, XSS, SSRF). Good luck guys! You got this in the bag.
upvoted 2 times

Kmelaun (1 month, 1 week ago)
Took my test today, scored 811. This is a great resource!
upvoted 1 times

marty_mcfly (1 month, 3 weeks ago)
Just took my exam & passed. 90% of the questions from this dump. 65 Multiple Choice, 4 PBQs, 69 questions total. PBQs were from the 002 dump. PBQ = 6, 28, 183 & the last was one I did not recognize where they give you Firewall Logs, Malicious IP list, Scan results, and they ask you what could have been done to harden from the kill chain while also identifying the malicious file, malicious IP and the time it entered the organization.
upvoted 4 times

Brick69 (1 month, 3 weeks ago)
Just took the exam and passed. I will say I got a 60/40 split. 60 of the questions were on here. I also got a new PBQ about phishing / remediations which is not shown on the 002 exam. I'd suggest looking at the cyber kill chain to understand it; I had a good few new questions about that.
upvoted 1 times

suribamba (1 month, 4 weeks ago)
Has anyone taken the exam lately that could confirm if this dump is still valid?
upvoted 4 times

ca96 (2 months ago)
Took the exam on 4/26 and I'd say about 85-90% was on the test. Very good set of questions.
upvoted 4 times

FrankyD92 (2 months ago)
Took the test today 4/27/24. There were only a handful of questions from this, and I mean like maybe 5 that I recognized immediately and a couple that were adjacent. I'd say unfortunately it was maybe 10% of the exam for me. Sucks because I paid for the contributor access but I wouldn't say it wasn't worth it. Everyone gets a different exam so yours may have more.
upvoted 1 times

FrankyD92 (2 months ago)
Forgot to mention I did pass either way. Having the knowledge is much more important than getting the cert.
upvoted 1 times

DiddyKongJr (2 months ago)
Good questions, about 85% from here, especially the last 20ish; paid version definitely worth it. Saw the same PBQs as truearc.
upvoted 1 times

dave_delete_me (2 months ago)
Great job
upvoted 1 times

biggydanny (2 months, 1 week ago)
I just took the test 3 hours ago and scored 821. All the questions were from this dump, and only one question was not from this dump; it was an nmap question. 69 questions with 3 PBQs. The PBQs were question 6 on the cs0-002 dump, question https://vceguide.com/simulation-686/ (help desk) and https://vceguide.com/simulation-421/, but these PBQs are on the CS0-002 dump.
upvoted 4 times

cartman_sc (2 months, 2 weeks ago), Selected Answer: A
Based on the context of the question, which says there is no user interaction, the only possible answer is A. "UI:N"
upvoted 1 times

CyberJackal (3 months ago)
Correct answer is A as the UI (User Interaction) criterion specifies N for none.
upvoted 1 times

testicaleight (3 months, 2 weeks ago)
This is what ChatGPT said when I asked it this question and then asked what "K" meant: I apologize for the oversight. In the context of CVSS (Common Vulnerability Scoring System), "K" represents "Key" and indicates a potential compromise of integrity, meaning that the integrity of the system might be compromised, but not to the extent of being completely altered or destroyed. Here's what each value of the Integrity (I) metric means: I:None (None): There is no impact on integrity. I:Low (Low): The integrity of the system can be partially modified. I:High (High): The integrity of the system can be completely compromised. I:K (Key): The integrity of the system can be compromised, but not to the extent of being completely altered or destroyed.
upvoted 2 times

Question #2 (Topic 1)
Which of the following tools would work best to prevent the exposure of PII outside of an organization?
A. PAM
B. IDS
C. PKI
D. DLP
Correct Answer: D
Community vote distribution: D (100%)

Comments:

dave_delete_me (2 months ago)
DLP is correct
upvoted 1 times

judd1111 (6 months ago), Selected Answer: D
D is the correct answer.
upvoted 1 times

VVV4WIN (6 months, 3 weeks ago)
For those wondering, this dump is accurate and I passed using it during the past month or so... There are just a few labs in the exam which are not at all covered here; however, if you understand the questions and answers covered here, you will be able to pass it.
upvoted 4 times

examcol (8 months ago), Selected Answer: D
D is the correct answer.
upvoted 1 times

assfedassfinished (9 months ago), Selected Answer: D
Choosing D for DLP
upvoted 1 times

Mr_TooTs (9 months, 2 weeks ago), Selected Answer: D
Choosing D as from CertMaster Lessons: "Data loss prevention (DLP) products automate the discovery and classification of data types and enforce rules so that **data is not viewed or transferred** without a proper authorization"
upvoted 2 times

2f0b60f (9 months, 3 weeks ago), Selected Answer: D
DLP technologies prevent unauthorized access and sharing of sensitive data, such as PII. These tools can be configured to flag or block data transfers based on the type of data being sent or the recipient.
upvoted 1 times

nmap_king_22 (9 months, 4 weeks ago), Selected Answer: D
D. DLP (Data Loss Prevention). Explanation: DLP (Data Loss Prevention) is a security technology that helps prevent unauthorized access, sharing, or exposure of sensitive data, including PII. It allows organizations to monitor and control the movement of data within and outside the organization's network. DLP solutions can detect and block the transmission of sensitive information, such as PII, through various channels, including email, web uploads, removable devices, and more.
upvoted 1 times

kmordalv (11 months, 2 weeks ago)
Correct
upvoted 2 times

Question #3 (Topic 1)
An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:
Which of the following tuning recommendations should the security analyst share?
A. Set an HttpOnly flag to force communication by HTTPS
B. Block requests without an X-Frame-Options header
C. Configure an Access-Control-Allow-Origin header to authorized domains
D. Disable the cross-origin resource sharing header
Correct Answer: B
Community vote distribution: C (86%), 14%

Comments:

ms123451 (Highly Voted, 10 months ago)
The answer is actually C if there is only one option to choose, since this has the most issues and is highlighted in the picture; if it's multiple options then B and C, since it's also vulnerable to clickjacking.
upvoted 10 times

BanesTech (Most Recent, 2 months, 1 week ago), Selected Answer: C
Cross-Domain Misconfiguration suggests that there might be an issue related to how the web application handles cross-origin requests. Configuring an Access-Control-Allow-Origin header allows the server to specify which domains are permitted to access its resources, thereby controlling access to resources from different origins. By configuring the Access-Control-Allow-Origin header to authorize specific domains, the organization can mitigate the risk of unauthorized cross-origin access and prevent potential security vulnerabilities associated with cross-domain interactions.
upvoted 2 times

m025 (3 months, 2 weeks ago), Selected Answer: C
Cross-domain misconfiguration looks like the most relevant issue, rather than anti-clickjacking, so Access-Control-Allow-Origin (ACAO).
upvoted 2 times

user82 (4 months, 3 weeks ago)
It doesn't have the most issues though; Information Disclosure - Suspicious Comments has more. I don't think it being highlighted is relevant to the question. The reason B might be wrong is X-Frame-Options should be set to DENY, but B says "block requests without an X-Frame Header", which I think it should say block requests WITH an X-Frame Header.
upvoted 1 times

judd1111 (6 months ago)
Answer is C. Access-Control-Allow-Origin (ACAO) specifies the external domains that can access the web server's resources. If the server generates this header dynamically, or if the website allows domains using a wildcard, the server may allow access to any domain, including those of attacker-controlled websites. Source: https://crashtest-security.com/cors-misconfiguration/
upvoted 1 times

greatsparta (7 months, 2 weeks ago), Selected Answer: C
Option B (Block requests without an X-Frame-Options header) deals with clickjacking protection, not specifically cross-domain misconfiguration. The Access-Control-Allow-Origin header is used to specify which domains are permitted to access the resources on the server. By configuring this header to authorized domains, you can control and restrict cross-origin access, addressing the cross-domain misconfiguration issue.
upvoted 2 times

m025 (8 months ago)
If "A cross-origin resource-sharing misconfiguration occurs when the web server allows third-party domains to perform privileged tasks through the browsers of legitimate users", then by adding the authentication to the allow-origin as in C, what is changing? Instead, why is it not D, "disable the cross-origin sharing header"? This way all the 'allowed' misconfigurations would be blocked.
upvoted 3 times

deeden (9 months, 1 week ago), Selected Answer: C
Agree on C based on the following understanding. What is Cross-Domain Misconfiguration? https://crashtest-security.com/cors-misconfiguration/#:~:text=commonly%20asked%20questions.-,What%20is%20CORS%20Misconfiguration%3F,the%20browsers%20of%20legitimate%20users. Troubleshooting and Solving CORS? https://www.linkedin.com/pulse/its-always-cors-problem-troubleshooting-solving-errors-carrubba-/
upvoted 2 times

kmordalv (9 months, 2 weeks ago), Selected Answer: C
After careful analysis of the question, this is the correct answer. In my previous comment I gave the explanation but I chose the wrong answer. In order to solve "Cross-Domain Misconfiguration", recommend "Access-Control-Allow-Origin header" (https://scanrepeat.com/web-security-knowledge-base/cross-domain-misconfiguration#content). On the other hand, the output shows that the web application has a cross-origin resource sharing (CORS) header that allows any origin to access its resources. The tuning recommendation is to configure the Access-Control-Allow-Origin header to only allow authorized domains that need to access the web application's resources. This would prevent unauthorized cross-origin requests and reduce the risk of cross-site request forgery (CSRF) attacks. This is the best answer for the scenario described.
upvoted 3 times

Uncle_Lucifer (9 months, 2 weeks ago), Selected Answer: C
This has more overall impact compared to Option B. Both are viable options. But C will fix more issues. CompTIA is just acting a fool with these questions lately.
upvoted 1 times

Uncle_Lucifer (9 months, 2 weeks ago)
To hell with CompTIA. B and C are both correct.
upvoted 2 times

kmordalv (9 months, 3 weeks ago), Selected Answer: B
Bad question. I agree with ms123451. Both answers can be equally valid. Looking at the output, see "Missing Anti-clickjacking Header". OWASP makes mention of X-Frame-Options, and to solve "Missing Anti-clickjacking Header" I have found this: https://www.iothreat.com/blog/missing-anti-clickjacking-header. However, in order to solve "Cross-Domain Misconfiguration", recommend "Access-Control-Allow-Origin header" (https://scanrepeat.com/web-security-knowledge-base/cross-domain-misconfiguration#content) and "CORS Header" seems to be configured. Still, I think the answer sought is B.
upvoted 2 times

Question #4 (Topic 1)
Which of the following items should be included in a vulnerability scan report? (Choose two.)
A. Lessons learned
B. Service-level agreement
C. Playbook
D. Affected hosts
E. Risk score
F. Education plan
Correct Answer: DE
Community vote distribution: DE (100%)

Comments:

bola12 (Highly Voted, 7 months, 3 weeks ago)
Did anyone write the 003 exams yet? Is the dump valid or do we need 002 also?
upvoted 5 times

Mr_TooTs (Most Recent, 9 months, 2 weeks ago), Selected Answer: DE
Correct. From CertMaster: Vulnerability Report Content. The report should detail identified vulnerabilities, such as missing patches, incorrect configuration settings, and weak passwords, and include the following: details regarding the type of vulnerability; the number of instances; the affected systems; the risk levels; recommendations.
upvoted 2 times

kmordalv (11 months, 2 weeks ago)
Correct. D. Affected hosts: The vulnerability scan report should clearly list the hosts or systems that are affected by the identified vulnerabilities. This information is crucial for understanding the scope of the vulnerabilities and taking appropriate remediation actions. E. Risk score: Vulnerability scans often assign risk scores or severity ratings to each identified vulnerability. These scores help prioritize remediation efforts by indicating the potential impact and exploitability of the vulnerabilities. Including risk scores in the report provides an understanding of the relative severity of the identified vulnerabilities.
upvoted 3 times

Question #5 (Topic 1)
The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?
A. A mean time to remediate of 30 days
B. A mean time to detect of 45 days
C. A mean time to respond of 15 days
D. Third-party application testing
Correct Answer: A
Community vote distribution: A (76%), C (24%)

Comments:

ha33yp0tt3r69 (Highly Voted, 5 months, 3 weeks ago), Selected Answer: A
I think they are trying to trick you... I am looking at the key words Response vs Remediation. Response - Incident response activities include detection, analysis, containment, eradication, recovery, communication, and documentation. Remediation - Remediation activities include applying patches, fixing misconfigurations, updating security policies, improving access controls, and implementing other corrective measures.
upvoted 10 times

Phanna (1 month, 1 week ago)
I think that it wouldn't be "A" because they didn't mention this vuln existed in their environment. They just mentioned that the CEO heard, so this means that they need to do some of the activities to identify whether the vuln finding has existed in their environment or not! Please help to correct me if I am wrong!
upvoted 1 times

Ree1234 (1 month, 2 weeks ago)
And we can also calculate mean time to respond by measuring the time from when your team detects an incident to when you launch (or complete) the repair or remediation plan. So the answer is A.
upvoted 1 times

muvisan (Highly Voted, 8 months, 1 week ago), Selected Answer: A
Not sure if A or C. I'm leaning more to A. The term 'mean time to remediate' is a definition, at least in the CompTIA study guide! It is used in the IR metrics chapter. So we have it in this order: mean time to detect, mean time to respond, mean time to remediate. I would say "mean time to respond" does not include patching, but it is in the "mean time to remediate", so that is why I choose A.
upvoted 5 times

Phanna (Most Recent, 1 month, 1 week ago)
I think that it wouldn't be "A" because they didn't mention this vuln existed in their environment. They just mentioned that the CEO heard, so this means that they need to do some of the activities to identify whether the vuln finding has existed in their environment or not! Please help to correct me if I am wrong!
upvoted 1 times

Mehe323 (1 month, 2 weeks ago), Selected Answer: A
Mean time to respond has got more to do with security incidents. A patch needs to be applied, a system needs to be remediated, not responded to.
upvoted 2 times

Ree1234 (1 month, 2 weeks ago)
The answer is A. Remediation, because the patch is already there. Responding takes place when the patch is not there. Mean time to respond (MTTR) is the average time it takes DevOps teams to respond after receiving an alert. Teams often use this metric to measure the time between when they detect an incident and when they mount a remediation plan. Many teams include the time it takes to repair or remediate the issue in this metric. This does not include lag time in the alert system.
upvoted 1 times

Ree1234 (1 month, 2 weeks ago)
We can calculate MTTR by measuring the time from when your team detects an incident to when you launch (or complete) the repair or remediation plan.
upvoted 1 times

Ree1234 (1 month, 2 weeks ago)
And we can also calculate mean time to respond by measuring the time from when your team detects an incident to when you launch (or complete) the repair or remediation plan. So the answer is A.
upvoted 1 times

Arunxr (2 months ago)
I think the more viable answer is Mean Time to Remediate. Remediation incorporates the response and determines the average time it is resolved by. Response does not determine when the issue is remediated, simply that it is being responded to. Since Remediation incorporates response and is below the 45 day window of exploitation, this seems like the best answer that takes away all guesswork.
upvoted 1 times

BanesTech (2 months, 1 week ago), Selected Answer: A
A mean time to remediate of 30 days implies that the organization aims to remediate vulnerabilities within 30 days of their discovery. Since exploitation of new attacks tends to occur approximately 45 days after a patch is released, aiming for a mean time to remediate of 30 days ensures that vulnerabilities are patched before attackers have the opportunity to exploit them.
upvoted 4 times

carletten (2 months, 4 weeks ago)
A is correct. MTTR involves the entire process; detection is only part.
upvoted 2 times

bolinhtinh (4 months ago), Selected Answer: C
C is correct. When you have a response policy that requires a review at least every 15 days, it will help the company recognize all newly patched exploitations within that timeframe, as a mean time to respond (MTTR) of 15 days is required. When you discover a risk, your team will fix it right away with just a click of a button to update the patch released 15 days ago. The goal is to find out about it ASAP. It is nonsensical to compare mean time to remediate or respond in this context. Are you going to sit there after you have responded to it and watch because no one told you to remediate it, or act honorably, honestly, justly, and responsibly by fixing the issue as soon as possible with your professional responsibility?
upvoted 1 times

B3hindCl0sedD00rs (4 months, 1 week ago), Selected Answer: C
Guys this is C 100%; this question is alluding to the fact that the company is taking too long to patch vulnerable systems. A mean time to respond of 15 days is much better & faster than a mean time to remediate of 30 days.
upvoted 1 times

sujon_london (4 months, 4 weeks ago)
Mean time to respond of 15 days: faster reaction to threats. Somewhat relevant, but patching speed remains crucial. Therefore the answer should be A.
upvoted 1 times

RobV (6 months, 2 weeks ago)
What is MTTR - Mean Time to Respond/Remediate? MTTR is the amount of time it takes an organization to neutralize an identified threat or failure within their network environment. Threat remediation is the process organizations use to identify and resolve threats to their network environment.
upvoted 1 times

RobV (6 months, 2 weeks ago), Selected Answer: A
To best protect the organization from exploitation of new attacks, it's important to reduce the time between the release of patches and their implementation within the organization. This is known as the "time to remediate" or "mean time to remediate" (MTTR). Therefore, the option that aligns with this objective is: A. A mean time to remediate of 30 days. A shorter mean time to remediate ensures that patches are applied more quickly, reducing the window of vulnerability and the likelihood of exploitation. Options B and C, with longer timeframes, would increase the organization's exposure to potential attacks. Third-party application testing (option D) is important but does not directly address the time it takes to apply patches after they are released.
upvoted 3 times

wauyykzabq (9 hours, 17 minutes ago)
prep4exams.com Valid Answer
upvoted 1 times

Narobi (6 months, 3 weeks ago), Selected Answer: A
Scored around 820. Went with A.
upvoted 3 times

greatsparta (7 months, 2 weeks ago), Selected Answer: C
Mean time to respond refers to the average time it takes an organization to respond to a security incident after it has been detected. A shorter mean time to respond is generally associated with more effective incident response and containment.
upvoted 1 times

BigBear (9 months ago)
It is A. There is no such phrase in security as 'mean time to remediate'. MTTR = mean time to respond, and it includes remediation implicitly.
upvoted 2 times

Tdarling77 (2 months, 3 weeks ago)
There is such a phrase in security as "mean time to remediate". Look it up!
upvoted 1 times

kmordalv (8 months, 2 weeks ago)
For this very reason. If there is no "mean time to remediate", the correct answer is C.
upvoted 1 times

[Removed] (9 months, 2 weeks ago), Selected Answer: C
Key statement is "would best protect this organization". So the earlier a vulnerability is detected the better.
upvoted 2 times

deeden (8 months, 2 weeks ago)
Agree on C. You can't fix something you don't know is broken. It also makes sense to have a 30 day SLA to remediate a critical vulnerability in most production, after it's detected.
upvoted 1 times

Question #6 (Topic 1)
A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script:
Which of the following scripting languages was used in the script?
A. PowerShell
B. Ruby
C. Python
D. Shell script
Correct Answer: A
Community vote distribution: A (100%)

Comments:

kmordalv (Highly Voted, 11 months, 1 week ago), Selected Answer: A
The syntax in the given script, such as cmdlet names starting with "Get-", "Add-", "Set-", and the use of the pipeline "|", is characteristic of PowerShell scripting. Moreover, the use of Active Directory cmdlets like "Get-ADUser", "Add-ADGroupMember", and "Set-ADUser" indicates that this script is designed to interact with Active Directory, which aligns with PowerShell's primary use case in managing Windows environments and Active Directory services.
upvoted 20 times

dave_delete_me (Most Recent, 2 months ago)
I absolutely love kmordalv's explanation above!!! Spot On!!!!
upvoted 2 times

ae2d3eb (2 months, 1 week ago)
This is PowerShell, no question. Verb / noun.
upvoted 2 times

RobV (6 months, 2 weeks ago), Selected Answer: A
A. PowerShell
upvoted 1 times

64fc66a (7 months, 1 week ago)
I will go with D Shell Script since we are looking for a scripting language.
upvoted 1 times

Ree1234 (1 month, 2 weeks ago)
PowerShell is a task-based command-line shell and scripting language built on .NET. PowerShell helps system administrators and power users rapidly automate tasks that manage operating systems (Linux, macOS, and Windows) and processes. A shell script is a computer program designed to be run by a Unix shell, a command-line interpreter. The various dialects of shell scripts are considered to be scripting languages though.
upvoted 1 times

Question #7 (Topic 1)
A company's user accounts have been compromised. Users are also reporting that the company's internal portal is sometimes only accessible through HTTP; other times it is accessible through HTTPS. Which of the following most likely describes the observed activity?
A. There is an issue with the SSL certificate causing port 443 to become unavailable for HTTPS access
B. An on-path attack is being performed by someone with internal access that forces users into port 80
C. The web server cannot handle an increasing amount of HTTPS requests so it forwards users to port 80
D. An error was caused by BGP due to new rules applied over the company's internal routers
Correct Answer: B
Community vote distribution: B (100%)

Comments:

kmordalv (Highly Voted, 11 months, 1 week ago), Selected Answer: B
The fact that the company's internal portal is sometimes accessible through HTTP (port 80) and other times through HTTPS (port 443) suggests that someone with internal access is actively manipulating the network traffic. An on-path attack is a type of man-in-the-middle attack where an attacker intercepts and modifies communication between two parties. By forcing users into using HTTP instead of HTTPS, the attacker can potentially capture sensitive information transmitted over the network, such as login credentials or session data. An issue with the SSL certificate (Option A) would generally result in HTTPS not working at all, rather than it being intermittently accessible. A web server unable to handle an increasing amount of HTTPS requests (Option C) would likely result in performance issues or server errors, but it wouldn't selectively redirect users to HTTP. BGP (Border Gateway Protocol) is used for routing between autonomous systems on the internet, and it generally would not cause the internal portal to switch between HTTP and HTTPS. It is more relevant to external internet routing.
upvoted 13 times

BanesTech (Most Recent, 2 months, 1 week ago), Selected Answer: B
In this scenario, users are experiencing inconsistent access to the company's internal portal, sometimes accessing it through HTTP and other times through HTTPS, which suggests that someone with internal access is performing an on-path attack, manipulating network traffic to force users into using port 80 (HTTP) instead of port 443 (HTTPS). This explanation aligns with the observed behavior of inconsistent access to the internal portal and indicates a potential security threat that should be investigated further.
upvoted 1 times

RobV (6 months, 2 weeks ago), Selected Answer: B
B. An on-path attack is being performed by someone with internal access that forces users into port 80
upvoted 1 times

Alizade (7 months, 2 weeks ago), Selected Answer: B
The answer is B. An on-path attack is being performed by someone with internal access that forces users into port 80.
upvoted 1 times

nmap_king_22 (9 months, 4 weeks ago), Selected Answer: B
The observed activity most likely corresponds to: B. An on-path attack is being performed by someone with internal access that forces users into port 80. Explanation: The situation where users sometimes access the company's internal portal via HTTP (port 80) instead of HTTPS (port 443) suggests that there may be an active attacker within the internal network, performing a man-in-the-middle (MITM) or on-path attack.
upvoted 1 times

Question #8 (Topic 1)
A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below:

Security Policy 1006: Vulnerability Management
1. The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities.
2. In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data.
3. The Company shall prioritize patching of publicly available systems and services over patching of internally available systems.

According to the security policy, which of the following vulnerabilities should be the highest priority to patch?
A. Name: THOR.HAMMER - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - Internal System
B. Name: CAP.SHIELD - CVSS 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - External System
C. Name: LOKI.DAGGER - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - External System
D. Name: THANOS.GAUNTLET - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - Internal System
Correct Answer: B
Community vote distribution: B (87%), 13%

Comments:

kmordalv (Highly Voted, 11 months, 1 week ago), Selected Answer: B
Based on the security policy and the CVSSv3.1 Base Scores, vulnerability B (CAP.SHIELD), with a high impact on confidentiality, should be the highest priority to patch. It is an externally accessible system, and since confidentiality takes precedence over availability, it should be addressed before other vulnerabilities.
upvoted 7 times

BanesTech (Most Recent, 2 months, 1 week ago), Selected Answer: B
Based on the security policy's criteria, vulnerabilities B (CAP.SHIELD) and D (THANOS.GAUNTLET) have the highest priority in patching because they have the highest impact on confidentiality, which takes precedence over availability. B. CAP.SHIELD - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (External System): Exploitability: Low; Impact: High (Confidentiality); Patching Priority: Highest. D. THANOS.GAUNTLET - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Internal System): Exploitability: Low; Impact: High (Confidentiality); Patching Priority: Highest. According to the policy, external systems should be prioritized over internal systems. Therefore, vulnerability B should be addressed first.
upvoted 1 times

BAMMRM (5 days, 11 hours ago)
Yes. However, D shouldn't even be considered at this point because it is an INTERNAL system, which does not take priority over an external-facing one. So it is between B and C. When you look at option B, however, you see /C:H, which means the impact on confidentiality is high. Thus B is your answer.
upvoted 1 times

user82 (4 months, 3 weeks ago)
Both B and D have the exact same CVSS 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. How do y'all who chose B know for sure Cap.Shield is external and Thanos.Gauntlet is not?
upvoted 2 times

user82 (4 months, 3 weeks ago)
Never mind, it won't let me delete my comment. It says external at the bottom.
upvoted 3 times

RobV (6 months, 2 weeks ago), Selected Answer: B
Answer is B
upvoted 1 times

Uncle_Lucifer (9 months, 2 weeks ago), Selected Answer: B
B. The answer came down to B vs D in C and I preference, but the third criterion puts more preference on external systems over internal; therefore B.
upvoted 1 times

ms123451 (9 months, 4 weeks ago), Selected Answer: B
According to policy, obviously B.
upvoted 3 times

nmap_king_22 (9 months, 4 weeks ago), Selected Answer: C
In the Common Vulnerability Scoring System (CVSS), "A:N" stands for "Availability: None." CAP.SHIELD is A:N. According to the provided security policy, the highest priority for patching should be given to vulnerabilities that prioritize confidentiality of data over availability of systems and data. If there is a choice between these two factors, confidentiality takes precedence. Additionally, publicly available systems and services should be prioritized over internally available systems. Given these criteria, the vulnerability with the highest priority to patch is: C. Name: LOKI.DAGGER - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H External System.
upvoted 2 times

kmordalv (9 months, 4 weeks ago)
Are you sure? As stated in point 2, "In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data"... This means that confidentiality should be given higher priority than availability. Since confidentiality in answer B is H and in answer C is N (none), the correct answer should be B.
upvoted 4 times

Uncle_Lucifer (9 months, 2 weeks ago)
NO. It's either B or D. In this case, since it's external system preference over internal, B is correct.
upvoted 2 times

Question #9 (Topic 1)
Which of the following will most likely ensure that mission-critical services are available in the event of an incident?
A. Business continuity plan
B. Vulnerability management plan
C. Disaster recovery plan
D. Asset management plan
Correct Answer: C
Community vote distribution: A (69%), C (29%)

Comments:

attesco (Highly Voted, 11 months ago), Selected Answer: A
The answer here is A, because a business continuity plan (BCP) is a document that consists of the critical information an organization needs to continue operating during an unplanned event. The BCP states the essential functions of the business, identifies which systems and processes must be sustained, and details how to maintain them.
Note that a disaster recovery plan is a document to re-energise systems or repair a system after it has been affected by a bad incident.
upvoted 11 times

nmap_king_22 9 months, 4 weeks ago
Agreed
upvoted 2 times

ms123451 10 months ago
This is incorrect, it is Disaster Recovery Plan, which is how to restore mission critical systems in case of a disaster; a BCP involves everyone and everything during and after a disaster
upvoted 3 times

BAMMRM Most Recent 5 days, 11 hours ago
Selected Answer: A
A business continuity plan (BCP) is a document that consists of the critical information an organization needs to continue operating during an unplanned event.
upvoted 2 times

499f1a0 3 weeks, 1 day ago
Selected Answer: A
Notice the word incident in the question; it is not disaster, so the answer is A, which is BCP
upvoted 2 times

Redman69 1 month ago
*ISC2 CC
upvoted 1 times

Redman69 1 month ago
The answer is A. I just took the ICS2 CC exam and passed. BCP is the choice anytime the words continuity or continuous are used. Disaster Recovery Plan is how you get the critical systems back up and functioning. I also work as a Site Reliability Engineer and maintaining the BCP and DRP are part of my job.
upvoted 1 times

dave_delete_me 2 months ago
I say A (BCP) is a better choice for this question.
upvoted 1 times

BanesTech 2 months, 1 week ago
Selected Answer: C
A disaster recovery plan (DRP) outlines the procedures and protocols to follow in the event of a disaster or disruptive incident that affects the availability of critical systems and services. It typically includes strategies for restoring operations, recovering data, and ensuring the continuity of essential business functions. By having a robust disaster recovery plan in place, organizations can minimize downtime, mitigate the impact of incidents, and ensure the availability of mission-critical services during and after the occurrence of disruptive events. While option (A) Business continuity plan is an essential component of an organization's overall resilience strategy, it does not specifically address the restoration and availability of mission-critical services in the same way that a disaster recovery plan does.
upvoted 1 times

kentasmith 2 months, 1 week ago
This is a good read. https://www.ibm.com/blog/business-continuity-vs-disaster-recovery-plan/
upvoted 2 times

POGActual 2 months, 2 weeks ago
Business continuity is an organization's ability to maintain critical business functions during and after a disaster has occurred. (https://www.techtarget.com/searchdisasterrecovery/definition/business-continuity)
upvoted 1 times

Bogus1488 2 months, 3 weeks ago
Selected Answer: C
The answer is C - DRP
upvoted 1 times

Aderli 2 months, 3 weeks ago
Selected Answer: A
The CySA+ study guide says: The goal of the business continuity program is to ensure that the organization is able to maintain normal operations even during an unexpected event. When an incident strikes, business continuity controls may protect the business' core functions from disruption. The goal of the disaster recovery program is to help the organization quickly recover normal operations if they are disrupted. An incident may cause service disruptions that would trigger the disaster recovery plan.
upvoted 1 times

StillFiguringItOut 3 months, 2 weeks ago
Selected Answer: A
Disaster Recovery is a subset of BCP and only pertains to natural disasters. This question implies it's just an incident, no natural disasters
upvoted 1 times

ReViive 4 months, 3 weeks ago
A. Business Continuity Plan (BCP): While a BCP is crucial for ensuring the continuation of business operations during and after a disaster, it encompasses a broader scope than a DRP. BCPs are designed to keep the entire business running, not just the IT or mission-critical services. Although most voted for in your options, a BCP includes the DRP as part of its framework. The DRP is more specifically targeted at restoring critical IT services, which is why C is a more precise answer.
upvoted 1 times

WaaHassan 5 months, 4 weeks ago
Selected Answer: A
I choose A and not C, because the disaster recovery plan is a subset of a business continuity plan that focuses on restoring the IT infrastructure and data after a disaster or incident
upvoted 1 times

b0ad9e1 6 months, 2 weeks ago
Selected Answer: A
BC - enables a business to continue if there is an incident. DR - enables a business to recover from a disaster.
upvoted 3 times

RobV 6 months, 2 weeks ago
Selected Answer: C
C. DRP. In the context of the question about ensuring mission-critical services, both a Business Continuity Plan and a Disaster Recovery Plan are important. However, when it comes to specifically ensuring the availability of mission-critical services in the event of an incident, a Disaster Recovery Plan is more directly focused on the IT aspects critical for service availability.
upvoted 2 times

[Removed] 7 months, 1 week ago
Selected Answer: A
A) BCP. From CompTIA CertMaster, Topic 8A: Exploring Incident Response Planning: Disaster recovery describes the efforts taken to restore infected systems to a safe operating state. By comparison, business continuity describes the work the organization does to keep running, manage the legal ramifications of the event, keep staff employed, work with insurance companies, provide internal and external communications regarding the event and its ramifications, investigate the root cause, develop plans to prevent reoccurrence, and much more.
upvoted 4 times

Question #10 Topic 1
The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase the risk to the organization. Which of the following solutions will assist in reducing the risk?
A. Deploy a CASB and enable policy enforcement
B. Configure MFA with strict access
C. Deploy an API gateway
D. Enable SSO to the cloud applications
Correct Answer: A
Community vote distribution A (100%)

nmap_king_22 Highly Voted 9 months, 4 weeks ago
Selected Answer: A
To reduce the risk associated with shadow IT and high-risk cloud applications, the most effective solution is: A. Deploy a CASB (Cloud Access Security Broker) and enable policy enforcement.
Explanation: A CASB is a specialized security solution designed to provide visibility and control over the use of cloud applications and services within an organization. It helps organizations identify and manage shadow IT by monitoring and controlling access to cloud applications.
upvoted 8 times

dave_delete_me Most Recent 2 months ago
CASB for sure.. I know this from experience... I worked for a company which used Google for business SaaS apps across the board and the CASB tool helped us stop malicious, un-approved apps and even flagged PII data!!!!!
upvoted 1 times

Hellyeahpass 2 months, 2 weeks ago
A. Deploy a CASB
upvoted 1 times

RobV 6 months, 2 weeks ago
Selected Answer: A
A. Deploy a CASB and enable policy enforcement
upvoted 1 times

Alizade 7 months, 2 weeks ago
Selected Answer: A
The answer is A. Deploy a CASB and enable policy enforcement.
upvoted 1 times

Sharecyber 7 months, 3 weeks ago
Selected Answer: A
Cloud is the key word for CASB
upvoted 3 times

Question #11 Topic 1
An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack. Which of the following logs should the team review first?
A. CDN
B. Vulnerability scanner
C. DNS
D. Web server
Correct Answer: C
Community vote distribution C (76%) 14% 10%

nmap_king_22 Highly Voted 9 months, 4 weeks ago
Selected Answer: C
In the case of an internet outage caused by a Distributed Denial of Service (DDoS) attack that is preventing users from accessing external SaaS resources, the incident response team should review the DNS (Domain Name System) logs first. C. DNS
Explanation: DNS Logs: DDoS attacks often involve overwhelming the DNS infrastructure to disrupt normal internet services. By reviewing DNS logs, the incident response team can identify abnormal traffic patterns, unusual queries, and potential signs of a DDoS attack targeting the organization's DNS servers. Analyzing DNS logs can help pinpoint the attack source, the type of attack, and the affected domains.
upvoted 9 times

VVV4WIN Highly Voted 7 months ago
Selected Answer: C
Really tricky one, think it just clicked for me. Let me explain how I see it. The problem is with external SaaS resources (example O365) that your users cannot access from anywhere in the world (multiple locations). The organization affected was not your own, but Microsoft in this example. It will not be your web server, CDN or vulnerability scanner that will show anything, as this was not on your network and you were not the target. Then also take note that many DDoS attacks bring targets down by stopping DNS replication of their services. Your DNS servers will thus show they were not able to find any related DNS records for the O365 resources and thus not able to provide any DNS query responses to the client devices. (This all after the DNS record TTL expired and the records needed to be updated.) So in my opinion, DNS is the only place that will reflect any of this.
upvoted 5 times

mzajy 5 months, 3 weeks ago
Users from multiple places cannot reach (((external))) SaaS resources. So in your example, if my employees can't reach O365, how does it relate to my DNS (and not Microsoft's DNS)?
upvoted 1 times

boog Most Recent 1 month, 3 weeks ago
Nothing in the question says the type of DDoS. Go to the source of the outage first, web server logs. Then work backwards towards the users.
upvoted 1 times

sirquinton95 3 months, 3 weeks ago
Selected Answer: C
DDoS attacks target the Domain Name System infrastructure
upvoted 1 times

Mountain_Man_Yuppie 5 months, 2 weeks ago
Lots of people giving compelling reasons for CDN here. I'd like to make the caveat that nowhere in the CompTIA CySA+ book is CDN ever mentioned, so it's most likely DNS.
upvoted 2 times

WaaHassan 5 months, 4 weeks ago
Selected Answer: C
If I set all the devices on my network to use my internal DNS server, I will be able to access my local resources by name, as well as the internet. However, if my internal DNS server goes down (DDoS attack), my devices will not be able to resolve any domain names, neither local nor external. This means that I will not be able to access any websites or services by name, only by IP address.
upvoted 1 times

RobV 6 months, 2 weeks ago
Selected Answer: A
A: CDN. Reviewing DNS (Domain Name System) logs is indeed an important aspect of investigating a DDoS attack, but in the context of an internet outage affecting the ability to access external SaaS resources, CDN logs would typically be more directly relevant. While DNS logs are important, CDN logs are likely to provide more directly relevant information about the ongoing DDoS attack and its impact on accessing external SaaS resources during an internet outage.
upvoted 1 times

greatsparta 7 months, 2 weeks ago
Selected Answer: C
CDN (Content Delivery Network) logs may also be useful in understanding traffic patterns, but DNS logs are generally more directly relevant in the early stages of investigating a DDoS attack.
upvoted 1 times

Sharecyber 7 months, 3 weeks ago
Selected Answer: C
Most DDoS attacks are in DNS logs
upvoted 3 times

chaddman 8 months ago
Selected Answer: A
A.
CDN (Content Delivery Network): CDNs are often used to mitigate the effects of DDoS attacks by distributing traffic across multiple servers. CDN logs can provide immediate insights into the nature and scale of the attack, including source IP addresses, types of requests, and geographic origins. upvoted 3 times eacunha 10 months ago Selected Answer: C 3. **Verificador de Vulnerabilidade e Servidor Web**: Embora esses elementos sejam importantes em uma investigação de incidente de segurança eles normalmente não fornecerão informações imediatas sobre um ataque DDoS em andamento. O verificador de vulnerabilidades e o servidor web podem ser relevantes para determinar se o ataque DDoS causou outras vulnerabilidades ou danos, mas não são a primeira linha de investigação para identificar e mitigar um ataque DDoS. Portanto, a revisão dos registros DNS é a melhor opção inicial para entender e lidar com um ataque DDoS que está afetando o acesso aos recurso SaaS externos da organização. upvoted 2 times attesco 11 months ago Selected Answer: D Web server is the answer. What is DNS have to do with it, afterall--------we are not querying IP address or translating upvoted 3 times Uncle_Lucifer 9 months, 2 weeks ago DNS is valid mate. Google how to mitigate DDOS you will see - Mitigate DNS DDoS upvoted 2 times Uncle_Lucifer 9 months, 2 weeks ago A DDoS attack is a type of attack that floods a target with more traffic than it can handle. This can cause the target to become unavailable to legitimate users. The DNS logs will show the IP addresses of the devices that were sending the traffic to the target. This information can be used to identify the attackers. The other logs may also be helpful in investigating a DDoS attack, but they are less likely to provide the same level of detail as the DNS logs. upvoted 1 times Question #12 Topic 1 A malicious actor has gained access to an internal network by means of social engineering. 
The actor does not want to lose access in order to continue the attack. Which of the following best describes the current stage of the Cyber Kill Chain that the threat actor is currently operating in? A. Weaponization B. Reconnaissance C. Delivery D. Exploitation Correct Answer: D Community vote distribution D (100%) BanesTech 2 months, 1 week ago Selected Answer: D In this scenario, the threat actor has already gained access to the internal network through social engineering, indicating that the Exploitation stag has occurred. The threat actor's objective at this point is to maintain access to the network to continue the attack, which aligns with the Actions on Objectives stage. However, since the question specifically asks about the current stage of the Cyber Kill Chain, the threat actor is currently operating in the Exploitation stage. upvoted 2 times cartman_sc 2 months, 2 weeks ago Selected Answer: D Pergunta confusa, mas a alternativa é D upvoted 2 times StillFiguringItOut 3 months, 2 weeks ago Selected Answer: D Don't like this question but Exploitation is the only one that would fit. upvoted 1 times Alizade 7 months, 2 weeks ago Selected Answer: D The current stage of the Cyber Kill Chain that the threat actor is currently operating in is D. Exploitation. upvoted 2 times greatsparta 7 months, 2 weeks ago i would have said "actions and objectives" IF IT WAS AN OPTION! upvoted 1 times Uncle_Lucifer 9 months, 2 weeks ago this question is just messed up. Both DRP and BCP are related. One is part of the other. upvoted 1 times Question #13 Topic 1 An analyst finds that an IP address outside of the company network that is being used to run network and vulnerability scans across external- facing assets. Which of the following steps of an attack framework is the analyst witnessing? A. Exploitation B. Reconnaissance C. Command and control D. 
Actions on objectives Correct Answer: B Community vote distribution B (100%) 6463ab5 1 week ago The answer is B: Reconnaissance because of the fact that the IP address is located outside of the company network indicates that someone externa to the organization is actively scanning the company's external-facing assets. This aligns with the initial phase of an attack where attackers seek to gather information about potential entry points into the target environment. upvoted 1 times BanesTech 2 months, 1 week ago Selected Answer: B When an IP address outside of the company network is observed running network and vulnerability scans across external-facing assets, it indicates that the attacker is gathering information about the organization's network infrastructure and potential weaknesses. This activity aligns with the reconnaissance stage, as the attacker is actively probing the target's defenses and vulnerabilities to gather intelligence for potential future attacks. Therefore, the analyst is witnessing the reconnaissance stage of an attack framework. upvoted 3 times Alizade 7 months, 2 weeks ago Selected Answer: B The answer is B. Reconnaissance. upvoted 2 times nmap_king_22 9 months, 4 weeks ago Selected Answer: B The analyst is witnessing the following step in the attack framework: B. Reconnaissance Explanation: In the context described, where an external IP address is actively conducting network and vulnerability scans across external-facing assets of the company network, this activity aligns with the reconnaissance phase of an attack. upvoted 4 times Question #14 Topic 1 An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country. Which of the following best describes what is happening? (Choose two.) A. Beaconing B. Domain Name System hijacking C. Social engineering attack D. On-path attack E. 
Obfuscated links F. Address Resolution Protocol poisoning Correct Answer: CE Community vote distribution CE (84%) Other LiveLaughToasterBath Highly Voted 7 months, 1 week ago Selected Answer: CE ”…target only the administrators of the company.” “…contains a concealed URL…” Social Engineering and Obfuscated Links upvoted 7 times cartman_sc Most Recent 2 months, 2 weeks ago Selected Answer: CE Administradores da empresa = Engenharia social URL Oculta = Links ofuscados upvoted 2 times Alizade 7 months, 2 weeks ago Selected Answer: CE The two best answers are C—social engineering attack and E. Obfuscated links. upvoted 3 times Cukur 9 months, 1 week ago Selected Answer: CE It's targeted, no reason to beacon upvoted 1 times chrys 9 months, 2 weeks ago It's not beaconing. Beaconing is when a bot (zombie) is seeking to communicate with its command and control server. upvoted 1 times Uncle_Lucifer 9 months, 2 weeks ago moderator should pls delete my selection of BC. It was erroneous meant CE upvoted 2 times Uncle_Lucifer 9 months, 2 weeks ago Selected Answer: BC You cant assume beaconing. The question says concealed links -> obfuscated link. The obfuscated link may be performing beaconing, but that info was not disclosed in the question. CE - good AC - bad upvoted 2 times Uncle_Lucifer 9 months, 2 weeks ago Meant CE. Why did i select BC upvoted 1 times Uncle_Lucifer 9 months, 2 weeks ago moderator should pls delete this selection of BC. It was erroneous meant CE upvoted 1 times IrishBeast 9 months, 3 weeks ago Selected Answer: CE This is CE, it's targeting the admin and has an obfuscated link. There is no beaconing at all. upvoted 3 times IrishBeast 9 months, 3 weeks ago This is CE, it's targeting the admin and has an obfuscated link. There is no beaconing at all. upvoted 3 times [Removed] 9 months, 3 weeks ago This is not A and C. Beaconing is not happening at all in the question. Data is not leaving the network. C and E. 
Social engineering via emailing only admins Obfuscated links because the concealed URL upvoted 2 times ms123451 10 months ago Selected Answer: AC A and C, this is very common to send email with links to see who clicks, it's part of reconnaissance, URL obfuscation is better suited to bypass security controls upvoted 1 times ms123451 10 months ago A and C, this is very common to send email with links to see who clicks, it's part of reconnaissance, URL obfuscation is better suited to bypass security controls upvoted 1 times Question #15 Topic 1 During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would best mitigate this problem if applied along the SDLC phase? A. Conduct regular red team exercises over the application in production B. Ensure that all implemented coding libraries are regularly checked C. Use application security scanning as part of the pipeline for the CI/CD flow D. Implement proper input validation for any data entry form Correct Answer: C Community vote distribution C (92%) 8% eapau6022 6 months, 3 weeks ago The answer is C Using application security scanning as part of the pipeline for the continuous integration/continuous delivery (CI/CD) flow can help mitigate the problem of finding the same vulnerabilities in a critical application during security scanning upvoted 1 times nmap_king_22 9 months, 4 weeks ago Selected Answer: C C. Use application security scanning as part of the pipeline for the CI/CD flow. Explanation: Continuous Integration/Continuous Deployment (CI/CD) pipelines are an integral part of modern software development practices. By incorporating application security scanning into the CI/CD pipeline, vulnerabilities can be identified and addressed at various stages of development, including during the build and deployment processes. 
upvoted 4 times ms123451 10 months ago Selected Answer: C Code will not be published if it has to be mitigated in early stage of CI/CD therefore stopping it from happening over and over upvoted 4 times Underdog79198 10 months, 2 weeks ago Selected Answer: C By using security scanning as part of the CI/CD pipeline, you address vulnerabilities early in the development cycle upvoted 3 times attesco 11 months ago Selected Answer: B If the analyst finds vulnerability in each application. Then the software developer must have been using a code library that is full of errors. To remediate is to check those coding library upvoted 1 times Uncle_Lucifer 9 months, 2 weeks ago Hehe. What does code error have to do with vulnerability? The best thing is for those pushing the CI/CD to catch it before it is delivered - option C upvoted 1 times Question #16 Topic 1 An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window. However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent? A. Proprietary systems B. Legacy systems C. Unsupported operating systems D. Lack of maintenance windows Correct Answer: B Community vote distribution A (95%) 5% Jhonys Highly Voted 8 months, 3 weeks ago Selected Answer: A I agreed with the comments of other colleagues below who selected answer A, had chosen B and spent a good amount of time reviewing it. After in-depth analysis, I realized and came to the conclusion that option A, “Proprietary Systems”, is the most appropriate. Proprietary systems are thos controlled and managed by a specific vendor, and the company does not have the ability to make changes or updates without the vendor's assistance. 
This is evident in the situation described, where two critical systems cannot be updated due to a vendor device that the company does not have access to. On the other hand, legacy systems, which are older systems that are still in use, can be accessed and potentially updated by the company. However, in this scenario, the problem arises from systems that the company does not have access to, which is a characteristic of proprietary systems. upvoted 18 times Sebatian20 6 months, 1 week ago This is a poorly written question - it's not a device that the company can't access but an application on the system. Which can be applied to a legacy system as well. "A legacy system is outdated computing software and/or hardware that is still in use" Whereas the characterisation of a proprietor system is that it is owned by a company and that does not mean it can't be updated. I believe the correct answer is B. - Legacy system upvoted 2 times ms123451 Highly Voted 10 months ago Selected Answer: A Properietary are like security appliances which are built and you don't have OS access and you cannot update until the vendor releases a patch for their own appliance upvoted 10 times POGActual Most Recent 2 months, 2 weeks ago I chose A. Legacy systems are older systems that are no longer supported by the vendor. Because there is an upgrade available, that tells me it is still supported. So it has to be proprietary systems; something not owned by the operating company. They have to wait for the company that manufactured the system to give them access to the update. upvoted 3 times CyberJackal 3 months ago Selected Answer: A The answer is A as it is explicitly stated that a 'vendor appliance' is the system in question, which are often proprietary hardware provided by the company that administrators do not have OS level access to. Think Fortinet/cisco appliances etc. 
upvoted 2 times Mountain_Man_Yuppie 5 months, 2 weeks ago Just by what you'd excpect the definition of the word to be one would assume it's Proprietary but I believe it's actually Legacy. But under Topic 7B Proprietary systems are defined as being designed to serve a specific purpose and are tailored to an organization’s needs. Furthermore CompTIA goes on to specify that "They are often developed in-house, with the organization’s staff, rather than using outside vendors. Legacy systems are simply defined as "outdated systems or software applications that have been in use for an extended period". In this case the system is outdated but an "extended period" is a little too arbitrary. Poorly worded question in true CompTIA style but if it's testing who read the book then Legacy systems should be the answer here... upvoted 1 times Remmmie 5 months, 3 weeks ago I select A Proprietary system because questions that relate to Legacy systems usually imply one way or another that the said system is "dated" or "old", if any of these kinds of word was used, the correct answer would be Legacy systems, but Proprietary Systems is right because it shows clearly that the systems are owned and protected and as such cannot be accessed like an "open-sourced" system. upvoted 1 times WaaHassan 5 months, 3 weeks ago Selected Answer: A Proprietary systems upvoted 1 times Kuyesa 6 months ago Answer is B. Legacy Systems - These are older systems upvoted 2 times eapau6022 6 months, 3 weeks ago A. Proprietary systems are systems that are owned and controlled by a specific vendor or manufacturer, and that use proprietary standards or protocols that are not compatible with other systems. 
Proprietary systems can pose a challenge for vulnerability management, as they may not allow users to access or modify their configuration, update their software, or patch their vulnerabilities upvoted 2 times Jhonys 9 months, 2 weeks ago Selected Answer: B In summary: Legacy systems are older systems that do not receive regular support or updates, making them vulnerable to security threats. Lack of update is the main problem here. Proprietary systems refer to systems that are exclusively owned by a company or supplier, but this does not necessarily imply a lack of updating. The lack of updates is more characteristic of legacy systems. Therefore, in the given scenario, where two critical systems cannot be upgraded due to vendor support or access restrictions, the correct answer is "Legacy Systems". upvoted 2 times Jhonys 9 months ago I'll explain why the correct answer is "Legacy systems" instead of "Proprietary systems". Legacy systems: Legacy systems are older systems that are still in use, often because they contain specific applications or hardware that are critical to business operations. They can be difficult to update or replace because they are often no longer supported by manufacturers or vendors, meaning they don't receive regular security patches or updates. The lack of support makes these systems vulnerable to threats as there are no fixes available for the known vulnerabilities. In the scenario described, the company does not have access to the vendor's devices, which suggests that these systems are legacy and that th company is struggling to update them, making them vulnerable to security attacks. upvoted 3 times Jhonys 9 months ago Proprietary systems: Proprietary systems refer to software or hardware systems that are the exclusive property of a specific company or vendor. While proprietary systems may not be as easily modified or customized by third parties, they do not necessarily imply a lack of updating. 
Lack of upgrades is often a feature of legacy systems, which are older systems that are still in use due to technical or financial constraints. Therefore, the "Legacy systems" answer is more appropriate in this context, as it better describes the situation where critical systems cannot be upgraded due to support restrictions or vendor access.
upvoted 2 times

Uncle_Lucifer 9 months, 2 weeks ago
Selected Answer: A
It's A. Don't know how someone would select legacy. They didn't mention anything about a compatibility issue or an outdated system, only lack of access.
upvoted 2 times

581777a 10 months, 2 weeks ago
I also thought it was A but ChatGPT says it's legacy systems because "proprietary systems typically refers to systems that are built using unique, specialized, and often closed technologies or architectures. These systems are usually owned and controlled by the organization itself, and they might not be easily replaceable or upgradable due to their unique nature." "In the scenario you described, the issue seems to be more related to the fact that the critical systems are older and not upgradeable due to a dependency on a vendor appliance."
upvoted 2 times

[Removed] 9 months, 3 weeks ago
It's A. The company doesn't have access to proprietary systems. Legacy systems are just older, but yes, you have access to them.
upvoted 2 times

kmordalv 9 months, 3 weeks ago
Please, if ChatGPT is used, let's think about the answer it provides. Let's go to other sources. Yesterday ChatGPT said B and today it says D.
upvoted 2 times

tboi 10 months, 2 weeks ago
Selected Answer: A
A is the obvious answer
upvoted 1 times

attesco 11 months ago
Selected Answer: A
Again, the answer is A. They say there are two critical systems that the company does not have access to. This tells us that proprietary systems are guarded jealously and not everyone should have access except the manufacturer.
We have a lot of these systems in Japan
upvoted 3 times

Question #17 Topic 1
The security team reviews a web server for XSS and runs the following Nmap scan:
Which of the following most accurately describes the result of the scan?
A. An output of characters > and " as the parameters used in the attempt
B. The vulnerable parameter ID http://172.31.15.2/1.php?id-2 and unfiltered characters returned
C. The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe
D. The vulnerable parameter and characters > and " with a reflected XSS attempt
Correct Answer: D
Community vote distribution D (100%)

sigmarseifer 1 month, 1 week ago
Answer is C *ChatGPT-4o: This option accurately describes the issue identified by the scan, which is that the characters > and " are being reflected in the response from the server without proper filtering or encoding. This indicates a potential reflected XSS vulnerability.
upvoted 1 times

Narobi 6 months, 3 weeks ago
Selected Answer: D
I was originally going to go with B, but the syntax of the parameter is incorrect at the end (has id-2 and not id=2), which negated this choice as a potentially valid answer. This would make D the only viable correct answer.
upvoted 3 times

Narobi 6 months, 3 weeks ago
Syntax is correct on the real exam. Still went with D. Scored around 820.
upvoted 7 times

kumax 8 months, 3 weeks ago
Selected Answer: D
ChatGPT
upvoted 2 times

ms123451 10 months ago
Selected Answer: D
It is mentioned that it is reflected in the output.
upvoted 2 times

Question #18 Topic 1
Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?
A. Develop a call tree to inform impacted users
B. Schedule a review with all teams to discuss what occurred
C. Create an executive summary to update company leadership
D. Review regulatory compliance with public relations for official notification
Correct Answer: B
Community vote distribution B (100%)

maggie22 2 weeks, 5 days ago
B. The keyword is "review" for Post-Incident Review or Post-Mortem analysis.
upvoted 1 times

BanesTech 2 months, 1 week ago
Selected Answer: B
Scheduling a review with all teams to discuss what occurred allows for a comprehensive post-incident analysis and facilitates a collective understanding of the incident's causes, impact, and response effectiveness. This review involves key stakeholders from various teams involved in incident response, including technical teams, management, legal, and communication teams. By gathering input from all relevant parties, the organization can identify strengths, weaknesses, and areas for improvement in its incident response process.
upvoted 4 times

Cpt_Emerald 5 months, 1 week ago
I am kind of leaning with C here. Why would you meet with ALL teams of a company to discuss what happened in an incident? In any incident, leadership knowing what happened afterward is a must. This is coming from someone who has done IR for 2 years.
upvoted 1 times

eapau6022 6 months, 3 weeks ago
B. One of the best actions to take after the conclusion of a security incident to improve incident response in the future is to schedule a review with all teams to discuss what occurred, what went well, what went wrong, and what can be improved.
upvoted 2 times

Alizade 7 months, 2 weeks ago
Selected Answer: B
The answer is B. Schedule a review with all teams to discuss what occurred.
upvoted 1 times

kmordalv 9 months, 3 weeks ago
Selected Answer: B
Correct. The purpose of this review is to identify the root causes of the incident, evaluate the effectiveness of the incident response process, document any gaps or weaknesses in the security controls, and recommend corrective actions or preventive measures for future incidents.
upvoted 2 times

Question #19 Topic 1
A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?
A. Code analysis
B. Static analysis
C. Reverse engineering
D. Fuzzing
Correct Answer: B
Community vote distribution C (75%) B (25%)

[Removed] Highly Voted 7 months, 1 week ago
Selected Answer: C
C) Reverse engineering. From Certmaster Topic 5B: Understanding Vulnerability Scanning Methods: Reverse Engineering. Reverse engineering describes deconstructing software and/or hardware to determine how it is crafted. Reverse engineering's objective is to determine how much information can be extracted from delivered software. For example, reverse engineering can sometimes extract source code, identify software methods and languages used, developer comments, variable names and types, system and web calls, and many other things. An adversary can perform reverse engineering on a software patch to identify the vulnerabilities it is crafted to fix, or an analyst can perform reverse engineering on malware to determine how it operates.
upvoted 7 times

Nixon333 Highly Voted 11 months, 1 week ago
C. Reverse engineering
upvoted 6 times

Ree1234 Most Recent 1 month ago
Selected Answer: C
Static analysis (static code analysis): Static analysis, also called static code analysis, is a method of computer program debugging that is done by examining the code without executing the program. The process provides an understanding of the code structure and can help ensure that the code adheres to industry standards. Static analysis is used in software engineering by software development and quality assurance teams. Automated tools can assist programmers and developers in carrying out static analysis.
The software will scan all code in a project to check for vulnerabilities while validating the code. https://www.techtarget.com/whatis/definition/static-analysis-static-code-analysis A and B are the same thing; static analysis or code analysis means the same thing, the names are used interchangeably. Therefore C is the best correct answer.
upvoted 1 times

Kanika786 1 month, 2 weeks ago
Selected Answer: C
What is the right answer, B or C?
upvoted 1 times

Mehe323 1 month, 2 weeks ago
Static analysis and reverse engineering are both helpful, but if you have to choose, it is better to go for reverse engineering because it will provide you with much more information. If the question specifically said: what is the first thing you have to do? then the answer would be static analysis. But often with static analysis you don't get much information, so in this case it should be reverse engineering I believe.
upvoted 1 times

dave_delete_me 2 months ago
C. Reverse engineering
upvoted 1 times

dave_delete_me 2 months ago
FROM: CompTIA CySA+ Study Guide: Exam CS0-003, Third Edition. Technologists seeking to reverse-engineer compiled code have two options. First, they can attempt to use a specialized program known as a decompiler to convert the binary code back to source code. Unfortunately, however, this process usually does not work very well. Second, they can use a specialized environment and carefully monitor how software responds to different inputs in an attempt to discover its inner workings. In either case, reverse engineering compiled software is extremely difficult. Understand how reverse engineering techniques attempt to determine how hardware and software function internally. Sandboxing is an approach used to detect malicious software based on its behavior rather than its signatures. Other reverse engineering techniques are difficult to perform, are often unsuccessful, and are quite time-consuming.
upvoted 1 times

BanesTech 2 months, 1 week ago
Selected Answer: C
Reverse engineering is the process of analyzing a binary file to understand its structure, functionality, and behavior. This typically involves disassembling or decompiling the binary file to extract higher-level representations, such as assembly code or source code. Reverse engineering allows analysts to uncover the inner workings of the binary, identify malicious functionality, and develop countermeasures or detection signatures. Therefore, it is the most appropriate technique for analyzing a malicious binary file.
upvoted 2 times

biggydanny 2 months, 1 week ago
Selected Answer: B
Static analysis involves examining the binary file without executing it. This can provide valuable information such as headers, sections, imported and exported functions, strings, and other binary characteristics. It’s a safe and effective first step in malware analysis because it doesn’t involve running the potentially harmful code. And then the reason I would not choose C is because Reverse Engineering: This is a more advanced technique that involves disassembling or decompiling the code to understand its operation. It’s typically used after static and dynamic analysis.
upvoted 3 times

8eff281 2 months, 3 weeks ago
Selected Answer: C
B and C are both correct but C: reverse engineering is the "best" method.
upvoted 3 times

BanesTech 2 months, 1 week ago
Static analysis involves examining the binary file without executing it to identify potential security issues. While static analysis can provide valuable insights, it may not fully reveal the functionality and behavior of the malicious binary.
upvoted 2 times

section8santa 2 months, 3 weeks ago
Selected Answer: B
Given the context of needing to analyze a known malicious binary file, B. Static analysis should be the initial technique used to safely examine the file, followed by C. Reverse engineering for a more in-depth understanding of the malware's functionality.
Both methods are crucial for a comprehensive analysis of the malicious binary without the risk of executing the malware during the process.
upvoted 1 times

tcgod666 3 months ago
Selected Answer: C
The question is about the best way to analyze a binary file, and it is reverse engineering. Static analysis can also analyze, but RE is the better option.
upvoted 1 times

StillFiguringItOut 3 months, 2 weeks ago
Selected Answer: B
B. Static Analysis. Before you start reverse engineering malware you have to find evidence that points to the binary being potentially malicious.
upvoted 1 times

RobV 6 months, 2 weeks ago
Selected Answer: C
C. Reverse engineering
upvoted 2 times

[Removed] 8 months, 1 week ago
Selected Answer: C
Static analysis is typically done when you have the source code in front of you. This is a precompiled binary; you won't know its libraries, functions, system calls, etc. without reverse engineering of some kind. Typically what you'll do is put it in some sort of sandbox and see what it beacons, etc. Guess you can call that reverse engineering, so C would be the best answer here.
upvoted 4 times

Demarco 8 months, 2 weeks ago
Reverse engineering is the process of decompiling a program to its source code, or of analyzing a binary file to understand its function. This is the best technique to perform the analysis of a malicious binary file, as it allows the analyst to see the code that the malware is actually running. This can help the analyst to identify the malware's purpose, its capabilities, and how it spread.
upvoted 1 times

Just_wanna_pass 8 months, 2 weeks ago
Selected Answer: B
Static analysis involves examining the file’s code without executing it. This technique helps identify the file’s structure, such as its functions, libraries and system calls. https://www.varonis.com/blog/malware-analysis-tools
upvoted 3 times

G33kSquad 9 months ago
B. The given answer is correct. You will do Static analysis before Reverse Engineering.
upvoted 1 times

Question #20 Topic 1
An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?
A. Hard disk
B. Primary boot partition
C. Malicious files
D. Routing table
E. Static IP address
Correct Answer: C
Community vote distribution D (69%) A (16%) C (15%)

[Removed] Highly Voted 7 months, 1 week ago
Selected Answer: D
D) Routing table. It's the only volatile data. CompTIA certmaster Topic 8B: Performing Incident Response Activities: "Evidence capture prioritizes collection activities based on the order of volatility, initially focusing on highly volatile storage. The ISOC best practice guide to evidence collection and archiving, published as tools.ietf.org/html/rfc3227, sets out the general order as follows:
- CPU registers and cache memory (including cache on disk controllers, GPUs, and so on)
- Contents of system memory (RAM), including the following: routing table, ARP cache, process table, kernel statistics; temporary file systems/swap space/virtual memory
- Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices)—including file system and free space
- Remote logging and monitoring data
- Physical configuration and network topology
- Archival media"
upvoted 19 times

kmordalv Highly Voted 9 months, 2 weeks ago
Selected Answer: D
Excuse me. The "Guide to Collecting and Archiving Evidence" (RFC 3227) establishes the following order of volatility:
- registers, cache
- routing table, arp cache, process table, kernel statistics, memory
- temporary file systems
- disk
- remote logging and monitoring data that is relevant to the system in question
- physical configuration, network topology
- archival media
References:
https://www.ciberforensic.com/directrices-rfc-3227
https://www.ietf.org/rfc/rfc3227.txt
https://resources.infosecinstitute.com/certifications/retired/security-plus-basic-forensic-procedures-sy0-401/#:~:text=The%20order%20of%20volatility%20is,the%20computer%20is%20turned%20off.
https://www.computer-forensics-recruiter.com/order-of-volatility/
upvoted 10 times

499f1a0 Most Recent 2 weeks, 3 days ago
Selected Answer: D
According to the order of volatility the routing tables should be the best option here. So D it is!
upvoted 1 times

saidamef 1 month, 3 weeks ago
ORDER OF VOLATILE DATA
- Registers, Cache
- Routing Table, ARP Cache, Process Table, Kernel Statistics, Memory
- Temporary File Systems
- Disk
- Remote Logging and Monitoring Data that is Relevant to the System in Question
- Physical Configuration, Network Topology
- Archival Media
upvoted 1 times

dave_delete_me 2 months ago
D. Routing table. Data stored in memory or caches is considered highly volatile, since it will be lost if the system is turned off, whereas data stored in printed form or as a backup is considered much less volatile.
upvoted 1 times

BanesTech 2 months, 1 week ago
Selected Answer: C
Malicious files found on the critical server are key pieces of evidence that could provide insights into the nature of the security incident, the methods used by the attackers, and the potential impact on the system. Collecting these files first allows the incident response team to preserve crucial evidence before taking any actions that might disrupt the server or alter its state. Once the malicious files are collected, the incident response team can proceed with isolating the server and conducting further investigation to gather additional evidence, such as analyzing the hard disk, examining the primary boot partition, reviewing the routing table, and documenting the static IP address configuration. However, collecting the malicious files should be prioritized to ensure that critical evidence is preserved in its original state.
upvoted 1 times

biggydanny 2 months, 1 week ago
Selected Answer: A
The Hard Disk contains all the data stored on the server, including system files, application files, and user data. It’s crucial to collect a bit-by-bit copy (also known as a forensic image) of the hard disk first because it preserves the state of the system at the time of the incident. This includes any potential indicators of compromise (IoCs) and can provide valuable evidence for the investigation. The other options, while they may contain useful information, are either subsets of the data on the hard disk (Primary Boot Partition, Malicious Files) or are dynamic data that would not typically be preserved in an incident response scenario (Routing Table, Static IP Address).
upvoted 2 times

sujon_london 4 months, 2 weeks ago
Selected Answer: C
Incident response follows the principle of data volatility, prioritizing collecting the most fleeting information first. In this case, malicious files directly tied to the suspected breach take precedence. Answer should be C.
upvoted 2 times

WaaHassan 5 months, 3 weeks ago
Selected Answer: A
According to the NIST SP 800-611, a guide for incident response, the first step in evidence gathering and handling is to acquire a snapshot of the system as-is, before any changes are made by the incident responders or system administrators. This snapshot should include the hard disk of the affected system, as it contains the most comprehensive and valuable information for further analysis. Therefore, the correct answer is A. Hard disk.
upvoted 2 times

RobV 6 months, 2 weeks ago
Selected Answer: D
D. Routing table
upvoted 2 times

throughthefray 6 months, 3 weeks ago
Data that will be lost if the system is powered down is referred to as volatile data. Volatile data can be data in the CPU, routing table, or ARP cache.
upvoted 2 times

Alizade 7 months, 2 weeks ago
Selected Answer: C
The answer is C. Malicious files.
upvoted 1 times

psense 8 months, 1 week ago
Selected Answer: D
The priority in incident response is to collect the most volatile data that would be lost or altered if the system were powered down or rebooted. Malicious files, while important, are non-volatile and will remain on the disk for later analysis.
upvoted 5 times

Demarco 8 months, 2 weeks ago
Collecting malicious files is important because they can provide valuable information about the nature of the attack, the malware used, and potentially even the threat actor responsible. It allows for analysis without altering the system's state. Once the malicious files are collected, you can proceed with isolating the server and taking other steps to secure the environment.
upvoted 1 times

Jhonys 8 months, 4 weeks ago
Selected Answer: C
Here we are talking about data on the critical server and not network routes. So the answer is C. The choice between collecting a routing table and malicious files depends on the nature of the incident and the order of volatility. In the case at hand, initial priority was given to malicious files due to prior identification of IoCs on the critical server, and because files are generally more volatile and crucial to investigating the incident. The order of priority may vary based on the specific circumstances of the incident.
upvoted 4 times

ocord14 6 months, 2 weeks ago
The question states: before isolating the server, what should be gathered first.
upvoted 1 times

Cukur 9 months, 1 week ago
Selected Answer: D
Routing table.
upvoted 1 times

chrys 9 months, 2 weeks ago
The VERY first thing I would do IRL is dump the contents of memory. BUT since that's not a choice, I would make an offline copy of the disk, then boot that copy up in a sandbox to watch what it does. You wouldn't turn a machine off to isolate it.
You would isolate its switchport into its own VLAN with no L3 routing, so it thinks it's still on a working network (just can't reach anything).
upvoted 1 times

Question #21 Topic 1
Which of the following security operations tasks are ideal for automation?
A. Suspicious file analysis: Look for suspicious-looking graphics in a folder. Create subfolders in the original folder based on category of graphics found. Move the suspicious graphics to the appropriate subfolder.
B. Firewall IoC block actions: Examine the firewall logs for IoCs from the most recently published zero-day exploit. Take mitigating actions in the firewall to block the behavior found in the logs. Follow up on any false positives that were caused by the block rules.
C. Security application user errors: Search the error logs for signs of users having trouble with the security application. Look up the user's phone number. Call the user to help with any questions about using the application.
D. Email header analysis: Check the email header for a phishing confidence metric greater than or equal to five. Add the domain of the sender to the block list. Move the email to quarantine.
Correct Answer: B
Community vote distribution D (63%) B (37%)

Tonying Highly Voted 2 months, 3 weeks ago
D is not the best answer. What if the domain of the sender is benign, like gmail or yahoo or any free email service? Then you block those legitimate domains, and that will compromise the availability of the firm. Most phishers are using free email services.
upvoted 7 times

Christof 1 week, 6 days ago
True, domains are not normally blocked. Maybe the answer was supposed to be written better to say the sender address though.
upvoted 1 times

499f1a0 Most Recent 2 weeks, 2 days ago
Selected Answer: D
D is the ideal option because B has a follow-up part which cannot be automated and must be done by humans.
upvoted 2 times

Olae 1 month, 1 week ago
The answer is D: Email Header Analysis. Every process there can be completely automated.
Those saying B, how do you automate the follow-up of false positives?
upvoted 1 times

Geronemo 1 month, 1 week ago
Selected Answer: D
This is one of those questions where A, B, or D are all ideal or suitable for automation. b) This task is also suitable for automation. Automated systems can continuously monitor firewall logs for indicators of compromise (IoCs) and promptly take mitigating actions to block malicious behavior, thereby reducing the window of exposure. d) Automating this task is ideal. Automated systems can analyze email headers for phishing indicators and apply predefined actions (such as blocking the sender's domain and moving the email to quarantine) based on confidence metrics, thereby reducing the risk of successful phishing attacks.
upvoted 2 times

Dub3 1 month, 1 week ago
Agreed!
upvoted 1 times

Mehe323 1 month, 2 weeks ago
Selected Answer: D
I don't think it should be B because of the zero-day exploit part; much more information needs to be uncovered before calling it 'ideal' for automation.
upvoted 2 times

dave_delete_me 2 months ago
D. Email header analysis (for the WIN)!!!!! Seems to be the BEST re
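Added example for Question #21 (written for this page; it is not part of the question, of the exam, or of any comment above): option D turned into a small Python triage routine, with the caveat raised in the thread built in. Where the sender's domain is a shared mailbox provider, the routine block-lists only the individual sender address rather than the whole domain, so other users of that provider still get through. The header name X-Phish-Confidence, the provider list and the sample messages are assumptions constructed for the example; the threshold of five comes from the question text.

```python
"""Automated email-header triage (added example for Question #21, not from the page).

Assumptions, not facts about any product: the mail gateway stamps a header
named X-Phish-Confidence with an integer score, and a score >= 5 means
"quarantine". Substitute whatever header and scale your gateway really uses.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

PHISH_HEADER = "X-Phish-Confidence"   # assumed header name
QUARANTINE_THRESHOLD = 5              # threshold given in the question

# Shared mailbox providers whose domain must never be block-listed: doing so
# would also drop legitimate mail from every other user of that provider.
# For these, only the individual sender address is blocked.
SHARED_PROVIDERS = frozenset({"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"})

# Constructed sample messages (not real traffic).
PHISH_FROM_FREEMAIL = "\n".join([
    "From: Payroll Team <attacker.payroll@gmail.com>",
    "To: staff@corp.example",
    "Subject: Urgent: update your direct deposit",
    "Message-ID: <p1@mail.example>",
    f"{PHISH_HEADER}: 7",
    "",
    "Click here to confirm your bank details.",
])
PHISH_FROM_LOOKALIKE = "\n".join([
    "From: Billing <invoices@corp-example-billing.example>",
    "To: staff@corp.example",
    "Subject: Invoice overdue",
    "Message-ID: <p2@mail.example>",
    f"{PHISH_HEADER}: 5",
    "",
    "Open the attached invoice.",
])
CLEAN_MESSAGE = "\n".join([
    "From: HR <hr@corp.example>",
    "To: staff@corp.example",
    "Subject: Holiday schedule",
    "Message-ID: <c1@mail.example>",
    f"{PHISH_HEADER}: 1",
    "",
    "The office is closed on Monday.",
])
UNSCORED_MESSAGE = "\n".join([          # gateway did not stamp a score at all
    "From: Vendor <support@vendor.example>",
    "To: staff@corp.example",
    "Subject: Ticket update",
    "Message-ID: <u1@mail.example>",
    "",
    "Your ticket has been updated.",
])


def phish_score(msg: Message) -> int:
    """Return the gateway's score; treat a missing or non-numeric header as 0 so
    a parse error never quarantines mail on its own."""
    try:
        return int(msg.get(PHISH_HEADER, "").strip())
    except ValueError:
        return 0


def sender_address(msg: Message) -> str:
    """Bare address from the From header, display name stripped, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].lower()


def triage(raw_message: str, blocklist: set, quarantine: list) -> str:
    """Decide one message and update the shared blocklist and quarantine list."""
    msg = message_from_string(raw_message)
    if phish_score(msg) < QUARANTINE_THRESHOLD:
        return "deliver"

    sender = sender_address(msg)
    domain = sender.rpartition("@")[2]
    if sender:
        # Block the whole domain only when it is not a shared provider.
        blocklist.add(sender if domain in SHARED_PROVIDERS else domain)
    quarantine.append(msg.get("Message-ID"))
    return "quarantine"


def run_demo() -> dict:
    """Run the constructed samples through triage and return the resulting state."""
    blocklist: set = set()
    quarantine: list = []
    samples = (PHISH_FROM_FREEMAIL, PHISH_FROM_LOOKALIKE, CLEAN_MESSAGE, UNSCORED_MESSAGE)
    results = [triage(m, blocklist, quarantine) for m in samples]
    return {"results": results, "blocklist": blocklist, "quarantine": quarantine}


if __name__ == "__main__":
    print(run_demo())
```

Running the file prints the resulting state: the two scored-high messages are quarantined, the gmail.com sender is blocked by address while the look-alike domain is blocked outright, and the unscored message is delivered rather than dropped. In a real deployment the blocklist and quarantine updates would be calls into the mail gateway's API, and the decision should be logged so the human review step that option B needs can still happen after the fact.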