Summer Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: ecus65

CompTIA CS0-003 - CompTIA CyberSecurity Analyst CySA+ Certification Exam

Page: 9 / 13
Total 433 questions

An incident response analyst is taking over an investigation from another analyst. The investigation has been going on for the past few days. Which of the following steps is most important during the transition between the two analysts?

A.

Identify and discuss the lessons learned with the prior analyst.

B.

Accept all findings and continue to investigate the next item target.

C.

Review the steps that the previous analyst followed.

D.

Validate the root cause from the prior analyst.

A systems administrator is reviewing the output of a vulnerability scan.

INSTRUCTIONS

Review the information in each tab.

Based on the organization's environment architecture and remediation standards,

select the server to be patched within 14 days and select the appropriate technique

and mitigation.

An analyst receives an alert for suspicious IIS log activity and reviews the following entries:

2024-05-23 15:57:05 10.203.10.16 HEAT / - 80 - 10.203.10.17 DirBuster-1.0-RC1+(http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)

...

Which of the following will the analyst infer from the logs?

A.

An attacker is performing network lateral movement.

B.

An attacker is conducting reconnaissance of the website.

C.

An attacker is exfiltrating data from the network.

D.

An attacker is cloning the website.

Two employees in the finance department installed a freeware application that contained embedded malware. The network is robustly segmented based on areas of responsibility. These computers had critical sensitive information stored locally that needs to be recovered. The department manager advised all department employees to turn off their computers until the security team could be contacted about the issue. Which of the following is the first step the incident response staff members should take when they arrive?

A.

Turn on all systems, scan for infection, and back up data to a USB storage device.

B.

Identify and remove the software installed on the impacted systems in the department.

C.

Explain that malware cannot truly be removed and then reimage the devices.

D.

Log on to the impacted systems with an administrator account that has privileges to perform backups.

E.

Segment the entire department from the network and review each computer offline.

Due to an incident involving company devices, an incident responder needs to take a mobile phone to the lab for further investigation. Which of the following tools should be used to maintain the integrity of the mobile phone while it is transported? (Select two).

A.

Signal-shielded bag

B.

Tamper-evident seal

C.

Thumb drive

D.

Crime scene tape

E.

Write blocker

F.

Drive duplicator

A cybersecurity analyst is participating with the DLP project team to classify the organization's data. Which of the following is the primary purpose for classifying data?

A.

To identify regulatory compliance requirements

B.

To facilitate the creation of DLP rules

C.

To prioritize IT expenses

D.

To establish the value of data to the organization

A Chief Information Security Officer (CISO) has determined through lessons learned and an associated after-action report that staff members who use legacy applications do not adequately understand how to differentiate between non-malicious emails and phishing emails. Which of the following should the CISO include in an action plan to remediate this issue?

A.

Awareness training and education

B.

Replacement of legacy applications

C.

Organizational governance

D.

Multifactor authentication on all systems

A Chief Information Security Officer (CISO) wants to disable a functionality on a business-critical web application that is vulnerable to RCE in order to maintain the minimum risk level with minimal increased cost.

Which of the following risk treatments best describes what the CISO is looking for?

A.

Transfer

B.

Mitigate

C.

Accept

D.

Avoid

A SOC analyst observes reconnaissance activity from an IP address. The activity follows a pattern of short bursts toward a low number of targets. An open-source review shows that the IP has a bad reputation. The perimeter firewall logs indicate the inbound traffic was allowed. The destination hosts are high-value assets with EDR agents installed. Which of the following is the best action for the SOC to take to protect against any further activity from the source IP?

A.

Add the IP address to the EDR deny list.

B.

Create a SIEM signature to trigger on any activity from the source IP subnet detected by the web proxy or firewalls for immediate notification.

C.

Implement a prevention policy for the IP on the WAF

D.

Activate the scan signatures for the IP on the NGFWs.

During normal security monitoring activities, the following activity was observed:

cd C:\Users\Documents\HR\Employees

takeown/f .*

SUCCESS:

Which of the following best describes the potentially malicious activity observed?

A.

Registry changes or anomalies

B.

Data exfiltration

C.

Unauthorized privileges

D.

File configuration changes