
CS0-002 Questions and Answers

Question # 6

An online gaming company was impacted by a ransomware attack. An employee opened an attachment that was received via an SMS attack on a company-issued mobile device. Which of the following actions would help during the forensic analysis of the mobile device? (Select TWO).

A. Resetting the phone to factory settings
B. Rebooting the phone and installing the latest security updates
C. Documenting the respective chain of custody
D. Uninstalling any potentially unwanted programs
E. Performing a memory dump of the mobile device for analysis
F. Unlocking the device by blowing the eFuse
Question # 7

A security analyst is concerned that the number of security incidents being reported has suddenly gone down. Daily business interactions have not changed, and no ... Which of the following should the analyst review FIRST?

A. The DNS configuration
B. Privileged accounts
C. The IDS rule set
D. The firewall ACL
Question # 8

A security analyst is researching ways to improve the security of a company's email system to mitigate emails that are impersonating company executives. Which of the following would be BEST for the analyst to configure to achieve this objective?

A. A TXT record on the name server for SPF
B. DNSSEC keys to secure replication
C. DomainKeys Identified Mail
D. A sandbox to check incoming mail
Question # 9

The Chief Information Officer of a large cloud software vendor reports that many employees are falling victim to phishing emails because they appear to come from other employees. Which of the following would BEST prevent this issue?

A. Include digital signatures on messages originating within the company.
B. Require users to authenticate to the SMTP server.
C. Implement DKIM to perform authentication that will prevent this issue.
D. Set up an email analysis solution that looks for known malicious links within the email.
Question # 10

In web application scanning, static analysis refers to scanning:

A. the system for vulnerabilities before installing the application.
B. the compiled code of the application to detect possible issues.
C. an application that is installed and active on a system.
D. an application that is installed on a system that is assigned a static IP.
Question # 11

A security analyst needs to perform a search for connections with a suspicious IP on the network traffic. The company collects full packet captures at the Internet gateway and retains them for one week. Which of the following will enable the analyst to obtain the BEST results?

A. tcpdump -n -r internet.pcap host
B. strings internet.pcap | grep
C. grep -a internet.pcap
D. npcapd internet.pcap | grep
Question # 12

After a remote command execution incident occurred on a web server, a security analyst found the following piece of code in an XML file:

Which of the following is the BEST solution to mitigate this type of attack?

A. Implement a better level of user input filters and content sanitization.
B. Properly configure XML handlers so they do not process sent parameters coming from user inputs.
C. Use parameterized queries to avoid user inputs from being processed by the server.
D. Escape user inputs using character encoding conjoined with whitelisting.
Question # 13

Which of the following is a best practice when sending a file/data to another individual in an organization?

A. Encrypt the file but do not compress it.
B. When encrypting, split the file and then compress each file.
C. Compress and then encrypt the file.
D. Encrypt and then compress the file.
Question # 14

A security analyst needs to provide the development team with secure connectivity from the corporate network to a three-tier cloud environment. The developers require access to servers in all three tiers in order to perform various configuration tasks. Which of the following technologies should the analyst implement to provide secure transport?

A. CASB
B. VPC
C. Federation
D. VPN
Question # 15

An analyst needs to provide a recommendation that will allow a custom-developed application to have full access to the system's processors and peripherals but still be contained securely from other applications that will be developed. Which of the following is the BEST technology for the analyst to recommend?

A. Software-based drive encryption
B. Hardware security module
C. Unified Extensible Firmware Interface
D. Trusted execution environment
Question # 16

A cybersecurity analyst is investigating a potential incident affecting multiple systems on a company's internal network. Although there is a negligible impact to performance, the following symptoms are present on each of the affected systems:

• Existence of a new and unexpected svchost.exe process
• Persistent, outbound TCP/IP connections to an unknown external host with routine keep-alives transferred
• DNS query logs showing successful name resolution for an Internet-resident dynamic DNS domain

If this situation remains unresolved, which of the following will MOST likely occur?

A. The affected hosts may participate in a coordinated DDoS attack upon command.
B. An adversary may leverage the affected hosts to reconfigure the company's router ACLs.
C. Key files on the affected hosts may become encrypted and require ransom payment for unlock.
D. The adversary may attempt to perform a man-in-the-middle attack.
Question # 17

An organization recently discovered some inconsistencies in the motherboards it received from a vendor. The organization's security team then provided guidance on how to ensure the authenticity of the motherboards it received from vendors.

Which of the following would be the BEST recommendation for the security analyst to provide?

A. The organization should evaluate current NDAs to ensure enforceability of legal actions.
B. The organization should maintain the relationship with the vendor and enforce vulnerability scans.
C. The organization should ensure all motherboards are equipped with a TPM.
D. The organization should use a certified, trusted vendor as part of the supply chain.
Question # 18

A security analyst needs to obtain the footprint of the network. The footprint must identify the following information:

• TCP and UDP services running on a targeted system
• Types of operating systems and versions
• Specific applications and versions

Which of the following tools should the analyst use to obtain the data?

A. ZAP
B. Nmap
C. Prowler
D. Reaver
Question # 19

Which of the following should a database administrator implement to BEST protect data from an untrusted server administrator?

A. Data encryption
B. Data deidentification
C. Data masking
D. Data minimization
Question # 20

Understanding attack vectors and integrating intelligence sources are important components of:

A. proactive threat hunting.
B. risk management compliance.
C. a vulnerability management plan.
D. an incident response plan.
Question # 21

A custom script currently monitors real-time logs of a SAML authentication server to mitigate brute-force attacks. Which of the following is a concern when moving authentication to a cloud service?

A. Logs may contain incorrect information.
B. SAML logging is not supported for cloud-based authentication.
C. Access to logs may be delayed for some time.
D. Log data may be visible to other customers.
Question # 22

Employees of a large financial company are continuously being infected by strains of malware that are not detected by EDR tools. Which of the following is the BEST security control to implement to reduce corporate risk while allowing employees to exchange files at client sites?

A. MFA on the workstations
B. Additional host firewall rules
C. VDI environment
D. Hard drive encryption
E. Network access control
F. Network segmentation
Question # 23

A remote code-execution vulnerability was discovered in the RDP for the servers running a key-hosted application. While there is no automated check for this vulnerability from the vulnerability assessment vendor, the in-house technicians were able to evaluate manually whether this vulnerability was present through the use of custom scripts. This evaluation determined that all the hosts are vulnerable. A technician then tested the patch for this vulnerability and found that it can cause stability issues in the key-hosted application. The application is accessed through RDP to a jump host that does not run the application directly. To mitigate this vulnerability, the security operations team needs to provide remediation steps that will mitigate the vulnerability temporarily until the compatibility issues with the patch are resolved. Which of the following will BEST allow systems to continue to operate and mitigate the vulnerability in the short term?

A. Implement IPSec rules on the application servers through a GPO that limits RDP access from only the jump host. Patch the jump host. Since it does not run the application natively, it will not affect the software's operation and functionality. Do not patch the application servers until the compatibility issue is resolved.
B. Implement IPSec rules on the jump host server through a GPO that limits RDP access from only the other application servers. Do not patch the jump host. Since it does not run the application natively, it is at less risk of being compromised. Patch the application servers to secure them.
C. Implement IPSec rules on the application servers through a GPO that limits RDP access to only other application servers. Do not patch the jump host. Since it does not run the application natively, it is at less risk of being compromised. Patch the application servers to secure them.
D. Implement firewall rules on the application servers through a GPO that limits RDP access to only other application servers. Manually check the jump host to see if it has been compromised. Patch the application servers to secure them.
Question # 24

A company is moving from the use of web servers hosted in an internal datacenter to a containerized cloud platform. An analyst has been asked to identify indicators of compromise in the containerized environment. Which of the following would BEST indicate a running container has been compromised?

A. A container from an approved software image has drifted
B. An approved software orchestration container is running with root privileges
C. A container from an approved software image has stopped responding
D. A container from an approved software image fails to start
Question # 25

A security analyst reviews a recent network capture and notices encrypted inbound traffic on TCP port 465 was coming into the company's network from a database server. Which of the following will the security analyst MOST likely identify as the reason for the traffic on this port?

A. The server is receiving a secure connection using the new TLS 1.3 standard
B. Someone has configured an unauthorized SMTP application over SSL
C. The traffic is common static data that Windows servers send to Microsoft
D. A connection from the database to the web front end is communicating on the port
Question # 26

While analyzing network traffic, a security analyst discovers several computers on the network are connecting to a malicious domain that was blocked by a DNS sinkhole. A new private IP range is now visible, but no change requests were made to add it. Which of the following is the BEST solution for the security analyst to implement?

A. Block the domain IP at the firewall.
B. Blacklist the new subnet.
C. Create an IPS rule.
D. Apply network access control.
Question # 27

A Chief Information Security Officer (CISO) is concerned about new privacy regulations that apply to the company. The CISO has tasked a security analyst with finding the proper control functions to verify that a user's data is not altered without the user's consent. Which of the following would be an appropriate course of action?

A. Use a DLP product to monitor the data sets for unauthorized edits and changes.
B. Use encryption first and then hash the data at regular, defined times.
C. Automate the use of a hashing algorithm after verified users make changes to their data.
D. Replicate the data sets at regular intervals and continuously compare the copies for unauthorized changes.
Question # 28

A company's change management team has asked a security analyst to review a potential change to the email server before it is released into production. The analyst reviews the following change request:

Which of the following is the MOST likely reason for the change?

A. To reject email from servers that are not listed in the SPF record.
B. To reject email from email addresses that are not digitally signed.
C. To accept email to the company's domain.
D. To reject email from users who are not authenticated to the network.
Question # 29

When reviewing a compromised authentication server, a security analyst discovers the following hidden file:

Further analysis shows these users never logged in to the server. Which of the following types of attacks was used to obtain the file, and what should the analyst recommend to prevent this type of attack from reoccurring?

A. A rogue LDAP server is installed on the system and is collecting passwords. The analyst should recommend wiping and reinstalling the server.
B. A password spraying attack was used to compromise the passwords. The analyst should recommend that all users receive a unique password.
C. A rainbow tables attack was used to compromise the accounts. The analyst should recommend that future password hashes contain a salt.
D. A phishing attack was used to compromise the account. The analyst should recommend users install endpoint protection to disable phishing links.
Question # 30

A security analyst is required to stay current with the most recent threat data and intelligence reports. When gathering data, it is MOST important for the data to be:

A. proprietary and timely
B. proprietary and accurate
C. relevant and deep
D. relevant and accurate
Question # 31

A security analyst received a series of antivirus alerts from a workstation segment, and users reported ransomware messages. During lessons-learned activities, the analyst determines the antivirus was able to alert to abnormal behavior but did not stop this newest variant of ransomware. Which of the following actions should be taken to BEST mitigate the effects of this type of threat in the future?

A. Enabling application blacklisting
B. Enabling sandboxing technology
C. Purchasing cyber insurance
D. Installing a firewall between the workstations and Internet
Question # 32

A security analyst is investigating a system compromise. The analyst verifies the system was up to date on OS patches at the time of the compromise. Which of the following describes the type of vulnerability that was MOST likely exploited?

A. Insider threat
B. Buffer overflow
C. Advanced persistent threat
D. Zero day
Question # 33

The threat intelligence department recently learned of an advanced persistent threat that is leveraging a new strain of malware, exploiting a system router. The company currently uses the same device mentioned in the threat report. Which of the following configuration changes would BEST improve the organization's security posture?

A. Implement an IPS rule that contains content for the malware variant and patch the routers to protect against the vulnerability
B. Implement an IDS rule that contains the IP addresses from the advanced persistent threat and patch the routers to protect against the vulnerability
C. Implement an IPS rule that contains the IP addresses from the advanced persistent threat and patch the routers to protect against the vulnerability
D. Implement an IDS rule that contains content for the malware variant and patch the routers to protect against the vulnerability
Question # 34

A security analyst is investigating an incident that appears to have started with SQL injection against a publicly available web application. Which of the following is the FIRST step the analyst should take to prevent future attacks?

A. Modify the IDS rules to have a signature for SQL injection.
B. Take the server offline to prevent continued SQL injection attacks.
C. Create a WAF rule in block mode for SQL injection.
D. Ask the developers to implement parameterized SQL queries.
Question # 35

Which of the following BEST describes the process by which code is developed, tested, and deployed in small batches?

A. Agile
B. Waterfall
C. SDLC
D. Dynamic code analysis
Question # 36

A human resources employee sends out a mass email to all employees that contains their personnel records. A security analyst is called in to address the concern of the human resources director on how to prevent this from happening in the future.

Which of the following would be the BEST solution to recommend to the director?

A. Install a data loss prevention system, and train human resources employees on its use. Provide PII training to all employees at the company. Encrypt PII information.
B. Enforce encryption on all emails sent within the company. Create a PII program and policy on how to handle data. Train all human resources employees.
C. Train all employees. Encrypt data sent on the company network. Bring in privacy personnel to present a plan on how PII should be handled.
D. Install specific equipment to create a human resources policy that protects PII data. Train company employees on how to handle PII data. Outsource all PII to another company. Send the human resources director to training for PII handling.
Question # 37

A security administrator needs to create an IDS rule to alert on FTP login attempts by root. Which of the following rules is the BEST solution?

A. Option A
B. Option B
C. Option C
D. Option D
Question # 38

A security analyst has received information from a third-party intelligence-sharing resource that indicates employee accounts were breached.

Which of the following is the NEXT step the analyst should take to address the issue?

A. Audit access permissions for all employees to ensure least privilege.
B. Force a password reset for the impacted employees and revoke any tokens.
C. Configure SSO to prevent passwords from going outside the local network.
D. Set up privileged access management to ensure auditing is enabled.
Question # 39

A security analyst is reviewing vulnerability scan results and notices new workstations are being flagged as having outdated antivirus signatures. The analyst observes the following plugin output:

    Antivirus is installed on the remote host:
    Installation path: C:\Program Files\AVProduct\Win32\
    Product Engine: 14.12.101
    Engine Version: 3.5.71
    Scanner does not currently have information about AVProduct version 3.5.71. It may no longer be supported.
    The engine version is out of date. The oldest supported version from the vendor is 4.2.11.

The analyst uses the vendor's website to confirm the oldest supported version is correct.

Which of the following BEST describes the situation?

A. This is a false positive, and the scanning plugin needs to be updated by the vendor.
B. This is a true negative, and the new computers have the correct version of the software.
C. This is a true positive, and the new computers were imaged with an old version of the software.
D. This is a false negative, and the new computers need to be updated by the desktop team.
Question # 40

Which of the following MOST accurately describes an HSM?

A. An HSM is a low-cost solution for encryption.
B. An HSM can be network based or a removable USB.
C. An HSM is slower at encrypting than software.
D. An HSM is explicitly used for MFA.
Question # 41

A security analyst is supporting an embedded software team. Which of the following is the BEST recommendation to ensure proper error handling at runtime?

A. Perform static code analysis.
B. Require application fuzzing.
C. Enforce input validation.
D. Perform a code review.
Question # 42

Data spillage occurred when an employee accidentally emailed a sensitive file to an external recipient.

Which of the following controls would have MOST likely prevented this incident?

A. SSO
B. DLP
C. WAF
D. VDI
Question # 43

Which of the following should be found within an organization's acceptable use policy?

A. Passwords must be eight characters in length and contain at least one special character.
B. Customer data must be handled properly, stored on company servers, and encrypted when possible.
C. Administrator accounts must be audited monthly, and inactive accounts should be removed.
D. Consequences of violating the policy could include discipline up to and including termination.
Question # 44

A security analyst recently discovered two unauthorized hosts on the campus's wireless network segment from a man-in-the-middle attack. The security analyst also verified that privileges were not escalated, and the two devices did not gain access to other network devices. Which of the following would BEST mitigate and improve the security posture of the wireless network for this type of attack?

A. Enable MAC filtering on the wireless router and suggest a stronger encryption for the wireless network.
B. Change the SSID, strengthen the passcode, and implement MAC filtering on the wireless router.
C. Enable MAC filtering on the wireless router and create a whitelist that allows devices on the network.
D. Conduct a wireless survey to determine if the wireless strength needs to be reduced.
Question # 45

An organization wants to move non-essential services into a cloud computing environment. Management has a cost focus and would like to achieve a recovery time objective of 12 hours. Which of the following cloud recovery strategies would work BEST to attain the desired outcome?

A. Duplicate all services in another instance and load balance between the instances.
B. Establish a hot site with active replication to another region within the same cloud provider.
C. Set up a warm disaster recovery site with the same cloud provider in a different region.
D. Configure the systems with a cold site at another cloud provider that can be used for failover.
Question # 46

A security analyst is concerned that a third-party application may have access to user passwords during authentication. Which of the following protocols should the application use to alleviate the analyst's concern?

A. SAML
B. MFA
C. SHA-1
D. LDAPS
Question # 47

An audit has revealed an organization is utilizing a large number of servers that are running unsupported operating systems.

As part of the management response phase of the audit, which of the following would BEST demonstrate senior management is appropriately aware of and addressing the issue?

A. Copies of prior audits that did not identify the servers as an issue
B. Project plans relating to the replacement of the servers that were approved by management
C. Minutes from meetings in which risk assessment activities addressing the servers were discussed
D. ACLs from perimeter firewalls showing blocked access to the servers
E. Copies of change orders relating to the vulnerable servers
Question # 48

A system is experiencing noticeably slow response times, and users are being locked out frequently. An analyst asked for the system security plan and found the system comprises two servers: an application server in the DMZ and a database server inside the trusted domain. Which of the following should be performed NEXT to investigate the availability issue?

A. Review the firewall logs.
B. Review syslogs from critical servers.
C. Perform fuzzing.
D. Install a WAF in front of the application server.
Question # 49

A network attack that is exploiting a vulnerability in the SNMP is detected.

Which of the following should the cybersecurity analyst do FIRST?

A. Apply the required patches to remediate the vulnerability.
B. Escalate the incident to senior management for guidance.
C. Disable all privileged user accounts on the network.
D. Temporarily block the attacking IP address.
Question # 50

An organization developed a comprehensive incident response policy. Executive management approved the policy and its associated procedures. Which of the following activities would be MOST beneficial to evaluate personnel's familiarity with incident response procedures?

A. A simulated breach scenario involving the incident response team
B. Completion of annual information security awareness training by all employees
C. Tabletop activities involving business continuity team members
D. Completion of lessons-learned documentation by the computer security incident response team
E. External and internal penetration testing by a third party
Question # 51

A security analyst has a sample of malicious software and needs to know what the sample does. The analyst runs the sample in a carefully controlled and monitored virtual machine to observe the software's behavior. Which of the following malware analysis approaches is this?

A. White box testing
B. Fuzzing
C. Sandboxing
D. Static code analysis
Question # 52

Which of the following attacks can be prevented by using output encoding?

A. Server-side request forgery
B. Cross-site scripting
C. SQL injection
D. Command injection
E. Cross-site request forgery
F. Directory traversal
Question # 53

After a breach involving the exfiltration of a large amount of sensitive data, a security analyst is reviewing the following firewall logs to determine how the breach occurred:

Which of the following IP addresses does the analyst need to investigate further?

A. 192.168.1.1
B. 192.168.1.10
C. 192.168.1.12
D. 192.168.1.193
Question # 54

A cybersecurity analyst is reading a daily intelligence digest of new vulnerabilities. The type of vulnerability that should be disseminated FIRST is one that:

A. enables remote code execution that is being exploited in the wild.
B. enables data leakage but is not known to be in the environment.
C. enables lateral movement and was reported as a proof of concept.
D. affected the organization in the past but was probably contained and eradicated.
Question # 55

A security analyst wants to identify which vulnerabilities a potential attacker might initially exploit if the network is compromised. Which of the following would provide the BEST results?

A. Baseline configuration assessment
B. Uncredentialed scan
C. Network ping sweep
D. External penetration test
Question # 56

A security analyst discovers accounts in sensitive SaaS-based systems are not being removed in a timely manner when an employee leaves the organization. To BEST resolve the issue, the organization should implement:

A. federated authentication.
B. role-based access control.
C. manual account reviews.
D. multifactor authentication.
Question # 57

Forming a hypothesis, looking for indicators of compromise, and using the findings to proactively improve detection capabilities are examples of the value of:

A. vulnerability scanning.
B. threat hunting.
C. red teaming.
D. penetration testing.
Question # 58

An internally developed file-monitoring system identified the following excerpt as causing a program to crash often:

Which of the following should a security analyst recommend to fix the issue?

A. Open the access.log file in read/write mode.
B. Replace the strcpy function.
C. Perform input sanitization.
D. Increase the size of the file data buffer.
Question # 59

Industry partners from critical infrastructure organizations were victims of attacks on their SCADA devices. The attacks used privilege escalation to gain access to SCADA administration. Which of the following access management solutions would help to mitigate this risk?

A. Multifactor authentication
B. Manual access reviews
C. Endpoint detection and response
D. Role-based access control
Question # 60

Which of the following organizational initiatives would be MOST impacted by data sovereignty issues?

A. Moving to a cloud-based environment
B. Migrating to locally hosted virtual servers
C. Implementing non-repudiation controls
D. Encrypting local database queries
Question # 61

A routine vulnerability scan detected a known vulnerability in a critical enterprise web application. Which of the following would be the BEST next step?

A. Submit a change request to have the system patched.
B. Evaluate the risk and criticality to determine if further action is necessary.
C. Notify a manager of the breach and initiate emergency procedures.
D. Remove the application from production and inform the users.
Question # 62

A SIEM analyst receives an alert containing the following URL:

Which of the following BEST describes the attack?

A. Password spraying
B. Buffer overflow
C. Insecure object access
D. Directory traversal
Question # 63

The help desk is having difficulty keeping up with all onboarding and offboarding requests. Managers often submit requests for new users at the last minute, causing the help desk to scramble to create accounts across many different interconnected systems. Which of the following solutions would work BEST to assist the help desk with the onboarding and offboarding process while protecting the company's assets?

A. MFA
B. CASB
C. SSO
D. RBAC
Question # 64

Which of the following BEST describes what an organization's incident response plan should cover regarding how the organization handles public or private disclosures of an incident?

A. The disclosure section should focus on how to reduce the likelihood customers will leave due to the incident.
B. The disclosure section should contain the organization's legal and regulatory requirements regarding disclosures.
C. The disclosure section should include the names and contact information of key employees who are needed for incident resolution.
D. The disclosure section should contain language explaining how the organization will reduce the likelihood of the incident from happening in the future.