CS0-001

By comptia
Aug, 2025


Question 26

A cybersecurity analyst is currently investigating a server outage. The analyst has discovered the following value was entered for the username: 0xbfff601a. Which of the following attacks may be occurring?

  • A: Buffer overflow attack
  • B: Man-in-the-middle attack
  • C: Smurf attack
  • D: Format string attack
  • E: Denial of service attack

Question 27

A cybersecurity analyst has identified a new mission-essential function that utilizes a public cloud-based system. The analyst needs to classify the information processed by the system with respect to CIA. Which of the following should provide the CIA classification for the information?

  • A: The cloud provider
  • B: The data owner
  • C: The cybersecurity analyst
  • D: The system administrator

Question 28

An executive tasked a security analyst to aggregate past logs, traffic, and alerts on a particular attack vector. The analyst was then tasked with analyzing the data and making predictions on future complications regarding this attack vector. Which of the following types of analysis is the security analyst MOST likely conducting?

  • A: Trend analysis
  • B: Behavior analysis
  • C: Availability analysis
  • D: Business analysis

Question 29

A malicious user is reviewing the following output:
root:~#ping 192.168.1.137
64 bytes from 192.168.2.1 icmp_seq=1 ttl=63 time=1.58 ms
64 bytes from 192.168.2.1 icmp_seq=2 ttl=63 time=1.45 ms
root: ~#
Based on the above output, which of the following is the device between the malicious user and the target?

  • A: Proxy
  • B: Access point
  • C: Switch
  • D: Hub

Question 30

The business has been informed of a suspected breach of customer data. The internal audit team, in conjunction with the legal department, has begun working with the cybersecurity team to validate the report. To which of the following response processes should the business adhere during the investigation?

  • A: The security analysts should not respond to internal audit requests during an active investigation
  • B: The security analysts should report the suspected breach to regulators when an incident occurs
  • C: The security analysts should interview system operators and report their findings to the internal auditors
  • D: The security analysts should limit communication to trusted parties conducting the investigation

Question 31

A software development company in the manufacturing sector has just completed the alpha version of its flagship application. The application has been under development for the past three years. The SOC has seen intrusion attempts made by indicators associated with a particular APT. The company has a hot site location for COOP. Which of the following threats would most likely incur the BIGGEST economic impact for the company?

  • A: DDoS
  • B: ICS destruction
  • C: IP theft
  • D: IPS evasion

Question 32

A security analyst has noticed that a particular server has consumed over 1TB of bandwidth over the course of the month. It has port 3333 open; however, there have not been any alerts or notices regarding the server or its activities. Which of the following did the analyst discover?

  • A: APT
  • B: DDoS
  • C: Zero day
  • D: False positive

Question 33

A cybersecurity analyst is reviewing the following outputs:

Image 1

Which of the following can the analyst infer from the above output?

  • A: The remote host is redirecting port 80 to port 8080.
  • B: The remote host is running a service on port 8080.
  • C: The remote host's firewall is dropping packets for port 80.
  • D: The remote host is running a web server on port 80.

Question 34

A new policy requires the security team to perform web application and OS vulnerability scans. All of the company's web applications use federated authentication and are accessible via a central portal. Which of the following should be implemented to ensure a more thorough scan of the company's web application, while at the same time reducing false positives?

  • A: The vulnerability scanner should be configured to perform authenticated scans.
  • B: The vulnerability scanner should be installed on the web server.
  • C: The vulnerability scanner should implement OS and network service detection.
  • D: The vulnerability scanner should scan for known and unknown vulnerabilities.

Question 35

HOTSPOT -
Malware is suspected on a server in the environment. The analyst is provided with the output of commands from servers in the environment and needs to review all output files in order to determine which process running on one of the servers may be malware.
Instructions:
Servers 1, 2 and 4 are clickable. Select the Server which hosts the malware, and select the process which hosts this malware.
If at any time you would like to bring back the initial state of the simulation, please select the Reset button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.

Image 1 Image 2 Image 3

Hot Area:

Image 4

Question 36

A security analyst is reviewing logs and discovers that a company-owned computer issued to an employee is generating many alerts and warnings. The analyst continues to review the log events and discovers that a non-company-owned device from a different, unknown IP address is generating the same events. The analyst informs the manager of these findings, and the manager explains that these activities are already known and part of an ongoing event. Given this scenario, which of the following roles are the analyst, the employee, and the manager filling?

  • A: The analyst is red team. The employee is blue team. The manager is white team.
  • B: The analyst is white team. The employee is red team. The manager is blue team.
  • C: The analyst is red team. The employee is white team. The manager is blue team.
  • D: The analyst is blue team. The employee is red team. The manager is white team.

Question 37

During a review of security controls, an analyst was able to connect to an external, unsecured FTP server from a workstation. The analyst was troubleshooting and reviewed the ACLs of the segment firewall the workstation is connected to:

Image 1

Based on the ACLs above, which of the following explains why the analyst was able to connect to the FTP server?

  • A: FTP was explicitly allowed in Seq 8 of the ACL.
  • B: FTP was allowed in Seq 10 of the ACL.
  • C: FTP was allowed as being included in Seq 3 and Seq 4 of the ACL.
  • D: FTP was allowed as being outbound from Seq 9 of the ACL.

Question 38

A cybersecurity analyst has several log files to review. Instead of using grep and cat commands, the analyst decides to find a better approach to analyze the logs. Given a list of tools, which of the following would provide a more efficient way for the analyst to conduct a timeline analysis, do keyword searches, and output a report?

  • A: Kali
  • B: Splunk
  • C: Syslog
  • D: OSSIM

Question 39

A vulnerability scan has returned the following information:

Image 1

Which of the following describes the meaning of these results?

  • A: There is an unknown bug in a Lotus server with no Bugtraq ID.
  • B: Connecting to the host using a null session allows enumeration of share names.
  • C: Trend Micro has a known exploit that must be resolved or patched.
  • D: No CVE is present, so it is a false positive caused by Lotus running on a Windows server.

Question 40

A company has several internal-only, web-based applications on the internal network. Remote employees are allowed to connect to the internal corporate network with a company-supplied VPN client. During a project to upgrade the internal application, contractors were hired to work on a database server and were given copies of the VPN client so they could work remotely. A week later, a security analyst discovered an internal web-server had been compromised by malware that originated from one of the contractor's laptops. Which of the following changes should be made to BEST counter the threat presented in this scenario?

  • A: Create a restricted network segment for contractors, and set up a jump box for the contractors to use to access internal resources.
  • B: Deploy a web application firewall in the DMZ to stop Internet-based attacks on the web server.
  • C: Deploy an application layer firewall with network access control lists at the perimeter, and then create alerts for suspicious Layer 7 traffic.
  • D: Require the contractors to bring their laptops on site when accessing the internal network instead of using the VPN from a remote location.
  • E: Implement NAC to check for updated proxy and location-based rules for PCs connecting to the internal network.

Question 41

While preparing for a third-party audit, the vice president of risk management and the vice president of information technology have stipulated that the vendor may not use offensive software during the audit. This is an example of:

  • A: organizational control.
  • B: service-level agreement.
  • C: rules of engagement.
  • D: risk appetite.

Question 42

Which of the following is a feature of virtualization that can potentially create a single point of failure?

  • A: Server consolidation
  • B: Load balancing hypervisors
  • C: Faster server provisioning
  • D: Running multiple OS instances

Question 43

A cybersecurity analyst is hired to review the security posture of a company. The cybersecurity analyst notices a very high network bandwidth consumption due to SYN floods from a small number of IP addresses.
Which of the following would be the BEST action to take to support incident response?

  • A: Increase the company's bandwidth.
  • B: Apply ingress filters at the routers.
  • C: Install a packet capturing tool.
  • D: Block all SYN packets.

Question 44

During a routine network scan, a security administrator discovered an unidentified service running on a new embedded and unmanaged HVAC controller, which is used to monitor the company's datacenter:

Image 1

The enterprise monitoring service requires SNMP and SNMPTRAP connectivity to operate. Which of the following should the security administrator implement to harden the system?

  • A: Patch and restart the unknown service.
  • B: Segment and firewall the controller's network.
  • C: Disable the unidentified service on the controller.
  • D: Implement SNMPv3 to secure communication.
  • E: Disable TCP/UDP ports 161 through 163.

Question 45

The security configuration management policy states that all patches must undergo testing procedures before being moved into production. The security analyst notices a single web application server has been downloading and applying patches during non-business hours without testing. There are no apparent adverse reactions, server functionality does not seem to be affected, and no malware was found after a scan.
Which of the following actions should the analyst take?

  • A: Reschedule the automated patching to occur during business hours.
  • B: Monitor the web application service for abnormal bandwidth consumption.
  • C: Create an incident ticket for anomalous activity.
  • D: Monitor the web application for service interruptions caused from the patching.

Question 46

A malware infection spread to numerous workstations within the marketing department. The workstations were quarantined and replaced with machines.
Which of the following represents a FINAL step in the eradication of the malware?

  • A: The workstations should be isolated from the network.
  • B: The workstations should be donated for reuse.
  • C: The workstations should be reimaged.
  • D: The workstations should be patched and scanned.

Question 47

An analyst has noticed unusual activities in the SIEM to a .cn domain name. Which of the following should the analyst use to identify the content of the traffic?

  • A: Log review
  • B: Service discovery
  • C: Packet capture
  • D: DNS harvesting

Question 48

An investigation showed a worm was introduced from an engineer's laptop. It was determined the company does not provide engineers with company-owned laptops, which would be subject to company policy and technical controls.
Which of the following would be the MOST secure control to implement?

  • A: Deploy HIDS on all engineer-provided laptops, and put a new router in the management network.
  • B: Implement role-based group policies on the management network for client access.
  • C: Utilize a jump box that is only allowed to connect to clients from the management network.
  • D: Deploy a company-wide approved engineering workstation for management access.

Question 49

HOTSPOT -
A security analyst performs various types of vulnerability scans.
Review the vulnerability scan results to determine the type of scan that was executed and if a false positive occurred for each device.
Instructions:
Select the Results Generated drop-down option to determine if the results were generated from a credentialed scan, non-credentialed scan, or a compliance scan.
For ONLY the credentialed and non-credentialed scans, evaluate the results for false positives and check the findings that display false positives. NOTE: If you would like to uncheck an option that is currently selected, click on the option a second time.
Lastly, based on the vulnerability scan results, identify the type of Server by dragging the Server to the results.
The Linux Web Server, File-Print Server and Directory Server are draggable.
If at any time you would like to bring back the initial state of the simulation, please select the Reset All button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.

Image 1

Hot Area:

Image 2

Question 50

A Chief Information Security Officer (CISO) wants to standardize the company's security program so it can be objectively assessed as part of an upcoming audit requested by management.
Which of the following would holistically assist in this effort?

  • A: ITIL
  • B: NIST
  • C: Scrum
  • D: AUP
  • E: Nessus