Is this exam completely free?

ExamCademy offers a free preview for every exam, covering around 20% of the total questions. Full access to all questions is available for free by signing up for an account. Optional supporters unlock AstroTutor (AI tutor) and advanced study modes.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! ExamCademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our practice questions are community-created and moderator-reviewed to align with realistic exam objectives, style, and difficulty.

CS0-001 by CompTIA - Page 1 | ExamCademy

Mode Selection

Question 1

Question 2

Question 3

Considering confidentiality and integrity, which of the following make servers more secure than desktops? (Choose three.)

A VLANs
B OS
C Trained operators
D Physical access restriction
E Processing power
F Hard drive capacity

Question 4

Given the following output from a Linux machine:
file2cable ""i eth0 -f file.pcap
Which of the following BEST describes what a security analyst is trying to accomplish?

A The analyst is attempting to measure bandwidth utilization on interface eth0.
B The analyst is attempting to capture traffic on interface eth0.
C The analyst is attempting to replay captured data from a PCAP file.
D The analyst is attempting to capture traffic for a PCAP file.
E The analyst is attempting to use a protocol analyzer to monitor network traffic.

Question 5

Various devices are connecting and authenticating to a single evil twin within the network. Which of the following are MOST likely being targeted?

A Mobile devices
B All endpoints
C VPNs
D Network infrastructure
E Wired SCADA devices

Question 6

An organization uses Common Vulnerability Scoring System (CVSS) scores to prioritize remediation of vulnerabilities.
Management wants to modify the priorities based on a difficulty factor so that vulnerabilities with lower CVSS scores may get a higher priority if they are easier to implement with less risk to system functionality. Management also wants to quantify the priority. Which of the following would achieve management's objective?

A (CVSS Score) * Difficulty = Priority Where Difficulty is a range from 0.1 to 1.0 with 1.0 being easiest and lowest risk to implement
B (CVSS Score) * Difficulty = Priority Where Difficulty is a range from 1 to 5 with 1 being easiest and lowest risk to implement
C (CVSS Score) / Difficulty = Priority Where Difficulty is a range from 1 to 10 with 10 being easiest and lowest risk to implement
D ((CVSS Score) * 2) / Difficulty = Priority Where CVSS Score is weighted and Difficulty is a range from 1 to 5 with 5 being easiest and lowest risk to implement

Question 7

A security analyst is attempting to configure a vulnerability scan for a new segment on the network. Given the requirement to prevent credentials from traversing the network while still conducting a credentialed scan, which of the following is the BEST choice?

A Install agents on the endpoints to perform the scan
B Provide each endpoint with vulnerability scanner credentials
C Encrypt all of the traffic between the scanner and the endpoint
D Deploy scanners with administrator privileges on each endpoint

Question 8

A cybersecurity consultant is reviewing the following output from a vulnerability scan against a newly installed MS SQL Server 2012 that is slated to go into production in one week:

Question 9

File integrity monitoring states the following files have been changed without a written request or approved change. The following change has been made: chmod 777 ""Rv /usr
Which of the following may be occurring?

A The ownership pf /usr has been changed to the current user.
B Administrative functions have been locked from users.
C Administrative commands have been made world readable/writable.
D The ownership of/usr has been changed to the root user.

Question 10

A production web server is experiencing performance issues. Upon investigation, new unauthorized applications have been installed and suspicious traffic was sent through an unused port. Endpoint security is not detecting any malware or virus. Which of the following types of threats would this MOST likely be classified as?

A Advanced persistent threat
B Buffer overflow vulnerability
C Zero day
D Botnet

Question 11

Nmap scan results on a set of IP addresses returned one or more lines beginning with "cpe:/o:" followed by a company name, product name, and version. Which of the following would this string help an administrator to identify?

A Operating system
B Running services
C Installed software
D Installed hardware

Question 12

When reviewing network traffic, a security analyst detects suspicious activity:

Question 13

An analyst was testing the latest version of an internally developed CRM system. The analyst created a basic user account. Using a few tools in Kali's latest distribution, the analyst was able to access configuration files, change permissions on folders and groups, and delete and create new system objects. Which of the following techniques did the analyst use to perform these unauthorized activities?

A Impersonation
B Privilege escalation
C Directory traversal
D Input injection

Question 14

Following a data compromise, a cybersecurity analyst noticed the following executed query:
SELECT * from Users WHERE name = rick OR 1=1
Which of the following attacks occurred, and which of the following technical security controls would BEST reduce the risk of future impact from this attack?
(Choose two.)

A Cookie encryption
B XSS attack
C Parameter validation
D Character blacklist
E Malicious code execution
F SQL injection

Question 15

A security analyst is conducting traffic analysis and observes an HTTP POST to the company's main web server. The POST header is approximately 1000 bytes in length. During transmission, one byte is delivered every ten seconds. Which of the following attacks is the traffic indicative of?

A Exfiltration
B DoS
C Buffer overflow
D SQL injection

Question 16

While reviewing proxy logs, the security analyst noticed a suspicious traffic pattern. Several internal hosts were observed communicating with an external IP address over port 80 constantly. An incident was declared, and an investigation was launched. After interviewing the affected users, the analyst determined the activity started right after deploying a new graphic design suite. Based on this information, which of the following actions would be the appropriate NEXT step in the investigation?

A Update all antivirus and anti-malware products, as well as all other host-based security software on the servers the affected users authenticate to.
B Perform a network scan and identify rogue devices that may be generating the observed traffic. Remove those devices from the network.
C Identify what the destination IP address is and who owns it, and look at running processes on the affected hosts to determine if the activity is malicious or not.
D Ask desktop support personnel to reimage all affected workstations and reinstall the graphic design suite. Run a virus scan to identify if any viruses are present.

Question 17

A security analyst has created an image of a drive from an incident. Which of the following describes what the analyst should do NEXT?

A The analyst should create a backup of the drive and then hash the drive.
B The analyst should begin analyzing the image and begin to report findings.
C The analyst should create a hash of the image and compare it to the original drive's hash.
D The analyst should create a chain of custody document and notify stakeholders.

Question 18

A company invested ten percent of its entire annual budget in security technologies. The Chief Information Officer (CIO) is convinced that, without this investment, the company will risk being the next victim of the same cyber attack its competitor experienced three months ago. However, despite this investment, users are sharing their usernames and passwords with their coworkers to get their jobs done. Which of the following will eliminate the risk introduced by this practice?

A Invest in and implement a solution to ensure non-repudiation
B Force a daily password change
C Send an email asking users not to share their credentials
D Run a report on all users sharing their credentials and alert their managers of further actions

Question 19

A SIEM analyst noticed a spike in activities from the guest wireless network to several electronic health record (EHR) systems. After further analysis, the analyst discovered that a large volume of data has been uploaded to a cloud provider in the last six months. Which of the following actions should the analyst do FIRST?

A Contact the Office of Civil Rights (OCR) to report the breach
B Notify the Chief Privacy Officer (CPO)
C Activate the incident response plan
D Put an ACL on the gateway router

Question 20

A company has been a victim of multiple volumetric DoS attacks. Packet analysis of the offending traffic shows the following:

Question 21

An ATM in a building lobby has been compromised. A security technician has been advised that the ATM must be forensically analyzed by multiple technicians.
Which of the following items in a forensic tool kit would likely be used FIRST? (Choose two.)

A Drive adapters
B Chain of custody form
C Write blockers
D Crime tape
E Hashing utilities
F Drive imager

Question 22

A business-critical application is unable to support the requirements in the current password policy because it does not allow the use of special characters.
Management does not want to accept the risk of a possible security incident due to weak password standards. Which of the following is an appropriate means to limit the risks related to the application?

A A compensating control
B Altering the password policy
C Creating new account management procedures
D Encrypting authentication traffic

Question 23

A threat intelligence analyst who works for a financial services firm received this report:
"There has been an effective waterhole campaign residing at www.bankfinancecompsoftware.com. This domain is delivering ransomware. This ransomware variant has been called "LockMaster" by researchers due to its ability to overwrite the MBR, but this term is not a malware signature. Please execute a defensive operation regarding this attack vector."
The analyst ran a query and has assessed that this traffic has been seen on the network. Which of the following actions should the analyst do NEXT? (Choose two.)

A Advise the firewall engineer to implement a block on the domain
B Visit the domain and begin a threat assessment
C Produce a threat intelligence message to be disseminated to the company
D Advise the security architects to enable full-disk encryption to protect the MBR
E Advise the security analysts to add an alert in the SIEM on the string "LockMaster"
F Format the MBR as a precaution

Question 24

The Chief Information Security Officer (CISO) has asked the security staff to identify a framework on which to base the security program. The CISO would like to achieve a certification showing the security program meets all required best practices. Which of the following would be the BEST choice?

A OSSIM
B SDLC
C SANS
D ISO

Question 25

A security analyst is concerned that employees may attempt to exfiltrate data prior to tendering their resignations. Unfortunately, the company cannot afford to purchase a data loss prevention system. Which of the following recommendations should the security analyst make to provide defense-in-depth against data loss?
(Choose three.)

A Prevent users from accessing personal email and file-sharing sites via web proxy
B Prevent flash drives from connecting to USB ports using Group Policy
C Prevent users from copying data from workstation to workstation
D Prevent users from using roaming profiles when changing workstations
E Prevent Internet access on laptops unless connected to the network in the office or via VPN
F Prevent users from being able to use the copy and paste functions

Page 1 of 12 • Questions 1-25 of 277

1 2 3 4 5

→

Know a question that should be here? Contribute to this exam

SIMULATION -
The developers recently deployed new code to three web servers. A daily automated external device scan report shows server vulnerabilities that are failing items according to PCI DSS.
If the vulnerability is not valid, the analyst must take the proper steps to get the scan clean.
If the vulnerability is valid, the analyst must remediate the finding.
After reviewing the information provided in the network diagram, select the STEP 2 tab to complete the simulation by selecting the correct Validation Result and
Remediation Action for each server listed using the drop-down options.

Instructions -
STEP 1: Review the information provided in the network diagram.
STEP 2: Given the scenario, determine which remediation action is required to address the vulnerability.
If at any time you would like to bring back the initial state of the simulation, please select the Reset All button.

A security analyst received a compromised workstation. The workstation's hard drive may contain evidence of criminal activities. Which of the following is the
FIRST thing the analyst must do to ensure the integrity of the hard drive while performing the analysis?

A Make a copy of the hard drive.
B Use write blockers.
C Run rm ""R command to create a hash.
D Install it on a different machine and explore the content.

Based on the above information, which of the following should the system administrator do? (Choose two.)

A Verify the vulnerability using penetration testing tools or proof-of-concept exploits.
B Review the references to determine if the vulnerability can be remotely exploited.
C Mark the result as a false positive so it will show in subsequent scans.
D Configure a network-based ACL at the perimeter firewall to protect the MS SQL port.
E Implement the proposed solution by installing Microsoft patch Q316333.

Based on the log above, which of the following vulnerability attacks is occurring?

A ShellShock
B DROWN
C Zeus
D Heartbleed
E POODLE

Which of the following mitigation techniques is MOST effective against the above attack?

A The company should contact the upstream ISP and ask that RFC1918 traffic be dropped.
B The company should implement a network-based sinkhole to drop all traffic coming from 192.168.1.1 at their gateway router.
C The company should implement the following ACL at their gateway firewall: DENY IP HOST 192.168.1.1 170.43.30.0/24.
D The company should enable the DoS resource starvation protection feature of the gateway NIPS.

CS0-001Preview