CS0-001
Question 1
SIMULATION -
The developers recently deployed new code to three web servers. A daily automated external device scan report shows server vulnerabilities that are failing items according to PCI DSS.
If the vulnerability is not valid, the analyst must take the proper steps to get the scan clean.
If the vulnerability is valid, the analyst must remediate the finding.
After reviewing the information provided in the network diagram, select the STEP 2 tab to complete the simulation by selecting the correct Validation Result and Remediation Action for each server listed using the drop-down options.
Instructions -
STEP 1: Review the information provided in the network diagram.
STEP 2: Given the scenario, determine which remediation action is required to address the vulnerability.
If at any time you would like to bring back the initial state of the simulation, please select the Reset All button.
Question 2
A security analyst received a compromised workstation. The workstation's hard drive may contain evidence of criminal activities. Which of the following is the FIRST thing the analyst must do to ensure the integrity of the hard drive while performing the analysis?
- A: Make a copy of the hard drive.
- B: Use write blockers.
- C: Run rm -R command to create a hash.
- D: Install it on a different machine and explore the content.
Question 3
Considering confidentiality and integrity, which of the following make servers more secure than desktops? (Choose three.)
- A: VLANs
- B: OS
- C: Trained operators
- D: Physical access restriction
- E: Processing power
- F: Hard drive capacity
Question 4
Given the following output from a Linux machine:
file2cable -i eth0 -f file.pcap
Which of the following BEST describes what a security analyst is trying to accomplish?
- A: The analyst is attempting to measure bandwidth utilization on interface eth0.
- B: The analyst is attempting to capture traffic on interface eth0.
- C: The analyst is attempting to replay captured data from a PCAP file.
- D: The analyst is attempting to capture traffic for a PCAP file.
- E: The analyst is attempting to use a protocol analyzer to monitor network traffic.
Question 5
Various devices are connecting and authenticating to a single evil twin within the network. Which of the following are MOST likely being targeted?
- A: Mobile devices
- B: All endpoints
- C: VPNs
- D: Network infrastructure
- E: Wired SCADA devices
Question 6
An organization uses Common Vulnerability Scoring System (CVSS) scores to prioritize remediation of vulnerabilities.
Management wants to modify the priorities based on a difficulty factor so that vulnerabilities with lower CVSS scores may get a higher priority if they are easier to implement with less risk to system functionality. Management also wants to quantify the priority. Which of the following would achieve management's objective?
- A: (CVSS Score) * Difficulty = Priority Where Difficulty is a range from 0.1 to 1.0 with 1.0 being easiest and lowest risk to implement
- B: (CVSS Score) * Difficulty = Priority Where Difficulty is a range from 1 to 5 with 1 being easiest and lowest risk to implement
- C: (CVSS Score) / Difficulty = Priority Where Difficulty is a range from 1 to 10 with 10 being easiest and lowest risk to implement
- D: ((CVSS Score) * 2) / Difficulty = Priority Where CVSS Score is weighted and Difficulty is a range from 1 to 5 with 5 being easiest and lowest risk to implement
Question 7
A security analyst is attempting to configure a vulnerability scan for a new segment on the network. Given the requirement to prevent credentials from traversing the network while still conducting a credentialed scan, which of the following is the BEST choice?
- A: Install agents on the endpoints to perform the scan
- B: Provide each endpoint with vulnerability scanner credentials
- C: Encrypt all of the traffic between the scanner and the endpoint
- D: Deploy scanners with administrator privileges on each endpoint
Question 8
A cybersecurity consultant is reviewing the following output from a vulnerability scan against a newly installed MS SQL Server 2012 that is slated to go into production in one week:
Based on the above information, which of the following should the system administrator do? (Choose two.)
- A: Verify the vulnerability using penetration testing tools or proof-of-concept exploits.
- B: Review the references to determine if the vulnerability can be remotely exploited.
- C: Mark the result as a false positive so it will show in subsequent scans.
- D: Configure a network-based ACL at the perimeter firewall to protect the MS SQL port.
- E: Implement the proposed solution by installing Microsoft patch Q316333.
Question 9
File integrity monitoring states the following files have been changed without a written request or approved change. The following change has been made: chmod 777 -Rv /usr
Which of the following may be occurring?
- A: The ownership of /usr has been changed to the current user.
- B: Administrative functions have been locked from users.
- C: Administrative commands have been made world readable/writable.
- D: The ownership of /usr has been changed to the root user.
Question 10
A production web server is experiencing performance issues. Upon investigation, new unauthorized applications have been installed and suspicious traffic was sent through an unused port. Endpoint security is not detecting any malware or virus. Which of the following types of threats would this MOST likely be classified as?
- A: Advanced persistent threat
- B: Buffer overflow vulnerability
- C: Zero day
- D: Botnet
Question 11
Nmap scan results on a set of IP addresses returned one or more lines beginning with "cpe:/o:" followed by a company name, product name, and version. Which of the following would this string help an administrator to identify?
- A: Operating system
- B: Running services
- C: Installed software
- D: Installed hardware
Question 12
When reviewing network traffic, a security analyst detects suspicious activity:
Based on the log above, which of the following vulnerability attacks is occurring?
- A: ShellShock
- B: DROWN
- C: Zeus
- D: Heartbleed
- E: POODLE
Question 13
An analyst was testing the latest version of an internally developed CRM system. The analyst created a basic user account. Using a few tools in Kali's latest distribution, the analyst was able to access configuration files, change permissions on folders and groups, and delete and create new system objects. Which of the following techniques did the analyst use to perform these unauthorized activities?
- A: Impersonation
- B: Privilege escalation
- C: Directory traversal
- D: Input injection
Question 14
Following a data compromise, a cybersecurity analyst noticed the following executed query:
SELECT * from Users WHERE name = rick OR 1=1
Which of the following attacks occurred, and which of the following technical security controls would BEST reduce the risk of future impact from this attack? (Choose two.)
- A: Cookie encryption
- B: XSS attack
- C: Parameter validation
- D: Character blacklist
- E: Malicious code execution
- F: SQL injection
Question 15
A security analyst is conducting traffic analysis and observes an HTTP POST to the company's main web server. The POST header is approximately 1000 bytes in length. During transmission, one byte is delivered every ten seconds. Which of the following attacks is the traffic indicative of?
- A: Exfiltration
- B: DoS
- C: Buffer overflow
- D: SQL injection
Question 16
While reviewing proxy logs, the security analyst noticed a suspicious traffic pattern. Several internal hosts were observed communicating with an external IP address over port 80 constantly. An incident was declared, and an investigation was launched. After interviewing the affected users, the analyst determined the activity started right after deploying a new graphic design suite. Based on this information, which of the following actions would be the appropriate NEXT step in the investigation?
- A: Update all antivirus and anti-malware products, as well as all other host-based security software on the servers the affected users authenticate to.
- B: Perform a network scan and identify rogue devices that may be generating the observed traffic. Remove those devices from the network.
- C: Identify what the destination IP address is and who owns it, and look at running processes on the affected hosts to determine if the activity is malicious or not.
- D: Ask desktop support personnel to reimage all affected workstations and reinstall the graphic design suite. Run a virus scan to identify if any viruses are present.
Question 17
A security analyst has created an image of a drive from an incident. Which of the following describes what the analyst should do NEXT?
- A: The analyst should create a backup of the drive and then hash the drive.
- B: The analyst should begin analyzing the image and begin to report findings.
- C: The analyst should create a hash of the image and compare it to the original drive's hash.
- D: The analyst should create a chain of custody document and notify stakeholders.
Question 18
A company invested ten percent of its entire annual budget in security technologies. The Chief Information Officer (CIO) is convinced that, without this investment, the company will risk being the next victim of the same cyber attack its competitor experienced three months ago. However, despite this investment, users are sharing their usernames and passwords with their coworkers to get their jobs done. Which of the following will eliminate the risk introduced by this practice?
- A: Invest in and implement a solution to ensure non-repudiation
- B: Force a daily password change
- C: Send an email asking users not to share their credentials
- D: Run a report on all users sharing their credentials and alert their managers of further actions
Question 19
A SIEM analyst noticed a spike in activities from the guest wireless network to several electronic health record (EHR) systems. After further analysis, the analyst discovered that a large volume of data has been uploaded to a cloud provider in the last six months. Which of the following actions should the analyst do FIRST?
- A: Contact the Office of Civil Rights (OCR) to report the breach
- B: Notify the Chief Privacy Officer (CPO)
- C: Activate the incident response plan
- D: Put an ACL on the gateway router
Question 20
A company has been a victim of multiple volumetric DoS attacks. Packet analysis of the offending traffic shows the following:
Which of the following mitigation techniques is MOST effective against the above attack?
- A: The company should contact the upstream ISP and ask that RFC1918 traffic be dropped.
- B: The company should implement a network-based sinkhole to drop all traffic coming from 192.168.1.1 at their gateway router.
- C: The company should implement the following ACL at their gateway firewall: DENY IP HOST 192.168.1.1 170.43.30.0/24.
- D: The company should enable the DoS resource starvation protection feature of the gateway NIPS.
Question 21
An ATM in a building lobby has been compromised. A security technician has been advised that the ATM must be forensically analyzed by multiple technicians.
Which of the following items in a forensic tool kit would likely be used FIRST? (Choose two.)
- A: Drive adapters
- B: Chain of custody form
- C: Write blockers
- D: Crime tape
- E: Hashing utilities
- F: Drive imager
Question 22
A business-critical application is unable to support the requirements in the current password policy because it does not allow the use of special characters.
Management does not want to accept the risk of a possible security incident due to weak password standards. Which of the following is an appropriate means to limit the risks related to the application?
- A: A compensating control
- B: Altering the password policy
- C: Creating new account management procedures
- D: Encrypting authentication traffic
Question 23
A threat intelligence analyst who works for a financial services firm received this report:
"There has been an effective waterhole campaign residing at www.bankfinancecompsoftware.com. This domain is delivering ransomware. This ransomware variant has been called "LockMaster" by researchers due to its ability to overwrite the MBR, but this term is not a malware signature. Please execute a defensive operation regarding this attack vector."
The analyst ran a query and has assessed that this traffic has been seen on the network. Which of the following actions should the analyst do NEXT? (Choose two.)
- A: Advise the firewall engineer to implement a block on the domain
- B: Visit the domain and begin a threat assessment
- C: Produce a threat intelligence message to be disseminated to the company
- D: Advise the security architects to enable full-disk encryption to protect the MBR
- E: Advise the security analysts to add an alert in the SIEM on the string "LockMaster"
- F: Format the MBR as a precaution
Question 24
The Chief Information Security Officer (CISO) has asked the security staff to identify a framework on which to base the security program. The CISO would like to achieve a certification showing the security program meets all required best practices. Which of the following would be the BEST choice?
- A: OSSIM
- B: SDLC
- C: SANS
- D: ISO
Question 25
A security analyst is concerned that employees may attempt to exfiltrate data prior to tendering their resignations. Unfortunately, the company cannot afford to purchase a data loss prevention system. Which of the following recommendations should the security analyst make to provide defense-in-depth against data loss? (Choose three.)
- A: Prevent users from accessing personal email and file-sharing sites via web proxy
- B: Prevent flash drives from connecting to USB ports using Group Policy
- C: Prevent users from copying data from workstation to workstation
- D: Prevent users from using roaming profiles when changing workstations
- E: Prevent Internet access on laptops unless connected to the network in the office or via VPN
- F: Prevent users from being able to use the copy and paste functions