CS0-003 Final

For which part of an incident response can senior management provide useful information and assistance?

determining the financial cost of the incident

A company contacted a security consultant to find ways to better protect its network client computers. The company has asked the security consultant for a recommendation to help prevent rootkit infection. Which UEFI configuration setting should the consultant recommend?

enabling secure boot

Due to a rash of frequent security breaches, an organization has implemented several SOC metrics. The organization's goal is to track these metrics for each breach. Which of the following has the most impact on the MTTR metric?

incident response plan

A security consultant is working with a client that recently suffered a breach. The consultant has been tasked with recommending additional controls based on the lessons learned report from the incident. The report indicates that initial access was gained via a web application server that had no application layer protection between it and the internet, and lateral movement to internal servers was successful due to a lack of segmentation between this perimeter asset and the organization's internal assets. Which controls would prevent similar attacks in the future? (Select TWO.)

A DMZ A WAF

An ecommerce company discovers that the descriptions for many of their products have been mysteriously altered. Upon further analysis, it is determined that the site's shopping cart page includes a field that is susceptible to SQL injection. What should the company do to mitigate this risk?

Add input validation functions to the shopping cart page

An educational institution is considering buying several laptops that come with self-encrypting drives (SEDs) installed. Which statement about SED security is accurate?

An SED remains unlocked if the laptop is restarted without shutting off power

The CISO has requested that an incident timeline be completed for a recent breach. Which of the following is true of an incident timeline?

An incident timeline records events, description of events, date-time group (UTC) of occurrences, impacts, and data sources.

An administrator downloads and installs a driver from a driver listing site. After receiving complaints that the VM-based server is running slow, the administrator requests and receives the following digest from the vendor for fs-driver: 8ab52a8539b4cc358b521c2b215dbdf15ade2923db7d673dc74f7f287ba15087 The administrator runs the following command: user@WKST1 :~ $ sha256sum fs-driver 07e7780d2c49e18e6a5ae418edd042c4becc4e5a90eb9f4c423fd70b9207b7b2_fs-driver Which two actions should the administrator do next? (Select TWO.)

Ask the vendor to email the driver Revert the VM to the most recent snapshot

A vulnerability analyst is reviewing the results of a recent vulnerability scan. There are multiple critical severity vulnerabilities in the findings, and the analyst has been tasked with prioritizing which vulnerability to remediate first. The CISO decides to prioritize any critical vulnerabilities that can be exploited over the internet. Which specific CVSS 3.1 Exploitability Metric would be reviewed to make this decision?

Attack vector

A security consultant prepares a report based on threat modeling research at a company. The report focuses on items such as: . Compromised and weak credentials . Disgruntled employees . Poor data encryption . The large number of external consultants working on the company campus Which threat modeling methodology is this an example of?

Attack vector analysis

A company expands its operations with a pilot fleet of automated vehicles. A security analyst is performing penetration testing to assess vulnerabilities relating to the vehicles. Which attack vector is MOST likely to be used to exploit automated vehicles?

CAN Bus

A contract security analyst supplies an organization with the results of a vulnerability scan, which shows a list of vulnerabilities. Due to funding shortages, the organization can only afford to address the most critical vulnerabilities outlined in the report. Which of the following should the organization use to aid their decision making?

CVSS

A security consultant recommends reducing your network's digital attack surface as a way of minimizing the risk of unknown attacks. Which two of the following actions would reduce the attack surface? (Select TWO.)

Closing unnecessary open ports on firewalls Segmenting the internal network into multiple subnets

A financial services firm hires a software development contractor to create a new portfolio management platform. The firm has stipulated that the developers implement a continuous delivery methodology. What is the firm hoping for by setting this requirement?

Code changes are released quickly, in a sustainable way

A company requests help from a security consultant to harden its network. The security consultant made several recommendations; however, due to the cost involved and to technical difficulties the company decided not to implement all of these recommendations. One of the recommendations the security consultant gave was related to the possibility of network traffic being intercepted and exploited. The security consultant recommended reconfiguring the network so that it only uses fiber optic cabling. The company decided to implement an alternative solution in which it configured the network to support encrypted communication only. What type of control is this an example of?

Compensating

A company decides to install motion detectors around its perimeter fence to avoid the cost of hiring security guards. How should you describe this control?

Compensation access control

A senior vulnerability analyst is reviewing the results of a recent vulnerability scan. There are multiple critical severity vulnerabilities in the findings, and the analyst has been tasked with identifying which vulnerabilities to remediate first. Which specific CVSS 3.1 metric would the analyst seek out to find which critical vulnerabilities could result in sensitive information being accessed or exfiltrated by attackers?

Confidentiality Impact

Which development strategy provides for the greatest automation of the development and release process for existing software?

Continuous deployment

A company replaces the routers used to segment its network. It replaces them with firewalls to gain better control over traffic between subnets. What type of control is being used?

Technical control

A security analyst is contracted to identify security risks in an organization. The analyst discovers several instances in which sensitive information was disclosed outside of the organization. It appears that most, if not all of the disclosures were inadvertent. Most instances occurred through email messages. The company provides a training program to help users better recognize what is and what is not considered sensitive data. The analyst recommends implementing technical controls to prevent the release of data. What should the company implement?

DLP

A company is developing a new application for processing patient records. The company is using external resources to develop the application. Initial testing will take place outside of the company. The company has decided to supply developers with data that is structurally similar to live data but that is an inauthentic version of the data. What is this an example of?

Data masking

A company is under regulatory restrictions regarding when and how archived digital data can be destroyed. Which of the company's policy should document this?

Data retention

After a breach, an organization follows the incident response process outlined in NIST SP 800-61. During the final phase of the process, the organization is considering the possibility of taking legal action against the attacker. What should the organization consider during this process regarding collected evidence data?

Data retention policy and process

An incident response analyst is analyzing the root cause of a ransomware event that impacted their organization's operations last week. Since it is still early in the IR process, no public acknowledgement of the incident has been made. However, the analyst receives telephone calls from a reporter asking for a comment on rumors that claim that an incident occurred. How should the analyst BEST respond to this request? (Select TWO).

Declining to make a comment and passing all media requests directly to the designated media contact Declining to make a comment and pointing the reporter to PR contact information on the company website

A company is implementing an information security vulnerability management process. The company runs a series of vulnerability scans so that the security team can schedule remediation. Credentialed server-based scans are returning a much higher number of results than expected that appear to be false positives. The company wants to reduce the number of potential false positives as quickly as possible so that they can initially focus on the most critical threats. What should the team do?

Decrease the scan sensitivity

A traveling salesperson's laptop was recently returned in an anonymously addressed package. Upon inspection, a security analyst is able to recover a malware executable that was attached to an email sitting in the salesperson's outbox. The analyst plans to perform executable process analysis. What should the analyst use for this task?

Detonation chamgber

An organization has recently completed the incident response planning process. The final requirement stipulated by management is that all emails sent by members of the computer security incident response team (CSIRT) are protected from spoofing or modification and remain encrypted in mailboxes. How should the CSIRT meet this requirement?

Ensure that all CSIRT communications use S/MIME

A company recently suffered a breach after a malware-infected firmware update was installed. A system administrator needs to ensure the authenticity and integrity of all future updates. What should the administrator do?

Ensure that all updates are digitally signed. Verify each update signature.

A security analyst who was the first responder to an incident has advised all other analysts on site not to turn off a compromised system until forensic evidence is gathered. What is the PRIMARY reason the analyst would be concerned about ensuring the system is not powered down?

Evidence in volatile memory could be lost

During the analysis phase of incident response, an analyst finds a copy of an Excel file from a user's desktop in the temp folder. After comparing hashes of the original file and the copy to check data integrity, the analyst finds they do not have matching SHA-2 hashes. Upon further inspection, both files appear identical when opened, but the copy has a substantially larger file size. The copy was emailed to an unknown external email address during the time the threat actor was in the environment. Which terms describe the way the data was manipulated and moved during this incident? (Select TWO).

Exfiltration Steganography

An anomaly-based NIDS is installed on a company's network. During end-of-quarter accounting activities, the NIDS generates multiple alerts related to network bandwidth and database server activity. The database server is running a signature-based HIDS. What is the MOST likely cause of the alerts?

False positive

A company works with a cybersecurity consultant to complete a risk assessment profile for network vulnerabilities. The assessment will be used to determine the best actions to take to mitigate risks and set remediation priorities. Which is NOT a factor in determining the likelihood of a potential risk?

Financial impact

Internal cyber security suspects that a network server is the target of a zero-day attack. What type of analysis should the cyber security team perform to verify this?

Heuristic

A company was targeted by an APT attack. A security consultant helped identify the attack and remediate its effects. The security consultant recommends deploying a system to act as a lure for the attacks. The device will be deployed in the company's DMZ (perimeter network). Which type of device should the company deploy?

Honeypot

Which of the following activities would a security analyst perform while applying a legal hold during the incident response process?

Identify the relevant data and preserve it in its original state

A network audit by a cybersecurity consultant finds unauthorized software installed on several client computers. The technical services department removes the applications. The company needs to prevent this from happening in the future. What should the company do?

Implement application whitelisting

A company's public website is deployed in the company network DMZ. Several visitors to the website report that they have been infected with malware. The problem is traced to an XSS attack on the web server. The company needs to minimize the risk of this occurring again in the future. What should the company do?

Implement input validation with input filtering

What is the difference between cybersecurity incident declaration an cybersecurity incident escalation?

Incident declaration is the formal acknowledgment of a security breach, while incident escalation is the process of transferring the responsibility of the incident to another team or department.

Recently, a vendor was able to break into a sensitive data center while performing maintenance on an air conditioning unit. The organization decides to implement preventative physical controls to mitigate this risk. Which solution should the organization choose?

Install a locked fence that limits access to the data center

Upper management has tasked the in-house security team with making protection against unknown threats a priority. Which of the following actions is NOT considered effective against unknown threats?

Installing anti-malware

Which two statements describe vulnerabilities that are associated with IoT devices? (Choose two.)

IoT devices usually ship with known default passwords IoT devices can offer a broader attack surface

The incident response team is contacted when an end user's computer is infected with ransomware. The team wants to contain the incident but also preserve as much forensic evidence as possible. What action should the team take FIRST?

Isolate the end user's computer

The CISO is currently reviewing root cause analysis findings and preparing a report based on the discoveries made throughout the incident response process. What is the importance of root cause analysis in incident response reporting?

It helps to identify the underlying causes of the incident to prevent similar incidents from occurring in the future.

A company's website is deployed on a perimeter network and it is accessible from the Internet. A cybersecurity consultant recommends that the company should require encrypted communication with its website in order to prevent unauthorized parties from intercepting information related to intellectual property. Which type of threat is the cybersecurity consultant trying to prevent?

Known

A threat hunter is analyzing logs as part of the detection phase of incident response. The logs show a user received 24 prompts in a row from their authenticator app before accepting the prompt. Correlating with other logs from the SIEM, this user then started attempting to log into systems that they had never previously logged into. What type of attack is indicated by the large number of prompts found in the logs?

MFA Fatigue

A junior threat intelligence analyst wants to improve their organization's awareness of TTPs used by several APT groups that target their industry. What popular open-source tool can be used to gather threat intelligence on the APTs known for targeting the industry, as well as the APT groups' TTPs, all in one source?

MITRE ATT&CK

A company completes its vulnerability scans as part of the implementation for an information security management process. The company is finalizing its remediation plans, and the legal team is working with in- house technicians to determine if there are any inhibitors to remediation. Which agreements should the legal team consider as inhibitors to remediation? (Choose two.)

MOU SLA

An in-house team is collecting downtime and repair time data based on recommendations made by a cybersecurity consultant. What information should they get from device manufacturers?

MTBF

Which IoC would lead a security consultant to suspect that a command-and-control (C&) server is present on the network?

Mismatched port and application traffic

A security administrator is analyzing the data provided in the exhibit below: IP packet size distribution (46255 total packets) : 1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480 .000 .009.000.002 .000 .000 .000 .003.000.000.000.000.000.000.000 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608 .00 2 .000.000.008 .931 .000 .000 .000 .000 .000 .000 Which technology or tool most likely generated this output?

Netflow

An organization implemented defense in depth methodology by deploying anti-malware on workstations and placing firewalls between sensitive network segments. The organization wants to further enhance the system by improving detection capabilities. Which two technologies or methods can the organization use to passively monitor all inbound and outbound network traffic? (Select TWO.)

Network tap Port mirror

A company network is configured as a single subnet. A cybersecurity consultant recommends deploying a signature-based NIDS on the subnet to identify, collect, and report information about malicious activity. What is the drawback of this type of device?

New (previously unknown) threats typically go undetected

During a recent security audit at a medical practice, it was discovered that sensitive patient records are left open on publicly visible computer screens. The auditor warns the practice they may be in violation of regulatory laws. What is the auditor concerned will be disclosed?

PHI

A security administrator receives the results of a vulnerability scan. Upon investigation, the administrator discovers the information shown in the exhibit. Which of the following is the best recommendation for mitigating this and similar risks in the future?

Patch management

A company detects an incident that impacts multiple offices in various locations in its network. The incident has been verified, but the incident response team has not yet been able to determine the scope of the incident or all of the devices and servers that are involved. The incident response team includes personnel from different departments within the company. The need for secure and timely communication between team members is critical. What should they use for communication?

Personal mobile devices

What is the FIRST key phase of an incident response plan?

Preparation

What is the eFuse in computing devices?

Prevent downgrading the device firmware version.

A company is preparing to release an online service that is targeted at healthcare providers. The company contracts a cybersecurity consultant to assist with final security tests. A vulnerability scan identifies a vulnerability in the web interface to the service. The consultant determines that although the risk is low, it is technically in violation of HIPAA requirements. Remediation would be expensive and it would delay the public release of the service. Future expansion plans rely on the service, so management will not consider not releasing the service. What should the company do?

Remediate the vulnerability and delay the release

A security analyst is re-imaging systems as part of incident response procedures. What activity would the analyst perform as part of this process?

Restoring the system to a clean, default state

To mitigate the risk of a breach, a health services company has deployed a network-based intrusion prevention system (NIPS). However, a security analyst claims that this IPS may not detect breaches that use lost or stolen credentials. The analyst recommends that the company purchase cyberliability insurance. Which of the following risk management techniques is the analyst recommending?

Risk transference

A company's security team needs to validate the results of a vulnerability scan. They want to compare the results with historic log data from network routers, switches, and firewalls. What should they use to do this?

SIEM

A company's security team wants to implement a security solution that aggregates data from both Linux and Windows computers in order to establish relationships between data entries. The solution should leverage machine learning technologies to help recognize concerns. What should the company implement?

SIEM

A security analyst determines that a network is being targeted by a zombie botnet. What should the analyst use to gather information about the botnet?

SInkholing

An organization has deployed an NGFW, a SIEM system, and a HIDS on all workstations that handle sensitive data. However, the security team still spends an inordinate amount of time responding to low-level security events. Which technology can help the organization to automate this process?

SOAR

As part of an organization's risk mitigation planning, an incident response (IR) team has been formed and an incident response plan (IRP) has been drafted and approved by management. The IR team leader would like to meet with the team and review each member's role. The team leader also plans to guide the team through a simple IR scenario. What should the IR team leader do?

Schedule a tabletop exercise for all team members

A government contractor works with data that has been labeled as Top Secret. The contractor has addressed encryption at rest and in motion; however it must also be possible for data in use to be encrypted. Which technology should the contractor deploy?

Secure enclaves

An organization frequently suffers phishing attacks and has determined that managerial controls need to be implemented to mitigate the risk of further attacks. Which of these controls is categorized as a managerial control?

Security awareness training for end users

A security consultant has run a vulnerability scan in a client's network. Upon reviewing the results of the scan, the consultant notices that there any many assets not showing up in the scans that should be included in the scope of the assessment. What change in the scan configuration should the consultant make?

Set scan to include all required subnets

Point-in-time analysis of network traffic through the perimeter network indicates that some network clients are streaming traffic to www.company.com. The number of clients involved is increasing, and the cyber security team suspects that the network is infected with a worm. The security team needs to prevent other clients from contacting that web location and redirect the traffic. What should the team use?

Sinkhole

What is a requirement of the Trusted Foundry program?

Suppliers must provide an assured "Chain of Custody" for classified and unclassified ICs.

Each university in a consortium actively performs threat hunting on their networks and systems. Rather than duplicate efforts, consortium members are interested in sharing cyber threat intelligence. Which option can help the consortium meet this requirement?

TAXII

A company that processes protected health information (PHI) needs to provide remote access to its systems. Which of the following offers root of trust security and ensures that only trusted devices are allowed when connected via untrusted networks?

TPM_based attestation

ISO 27002 is a popular framework for security controls. The ISO 27002 framework document separates controls into four different categories. Which category would include the use of vulnerability scanning tools like Nessus or OpenVAS?

Technological controls

A company has four rack-mounted physical servers that are physically secured in a locked room and deployed on a private subnet. Each server hosts multiple VMs. Event logs from both the physical hosts and the VMs are consolidated on a syslog server that runs in a separate physical server. Administrative access is provided using jump box. A review of the Windows system logs for the VMs indicates that two VMs are rebooting spontaneously at apparently random intervals. The VMs are hosts on different physical servers. One of the VM hosts a database instance and the other is configured as a general file server. No other problems or anomalies have been reported. What is MOST likely causing this problem?

The VMs are infected with malware

On which two assumptions does data carving of a hard disk rely? (Select TWO)

The beginning of the file containing the file signature is present The file is not fragmented

While prioritizing vulnerabilities, a security analyst was instructed by the CISO to consider asset values in the process. What is the relationship between asset value and vulnerability prioritization in information security?

The higher the asset value, the higher the priority for remediating vulnerabilities

A user reports that their account has been hacked. While investigating the user's claim, a security specialist performs packet analysis and obtains the partial results shown below: 220-s1.comptia.com ESMTP Exim #1 Mon, 05 Sep 2020 18:30:30 -0000 220-We do not authorize the use of this system to transport 220 unsolicited, and/or bulk e-mail. EHLO GP 250-s1.comptia.com Hello GP [12.16.14.57] 250-SIZE 51828800 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP AUTH LOGIN PLAIN 334 VXN1cm5hbWU6 Z3VycGFydGFwQHBhdHJpb3RzLmlu 334 UGFzc3dvcmQ6 cHVuamFiQDEyMw == 235 Authentication succeeded MAIL FROM: <j.doe.does.j.net> 250 OK RCPT TO: <[email protected]> 250 Accepted DATA 354 Enter message, ending with "." on a line by itself Which of the following should be the specialist's primary recommendation?

The organization should implement transport encryption

A critical database server is experiencing intermittent performance issues; however, it does not exhibit any other symptoms of a possible malware infection. All applications, services, and data on the server are scanned for potential problems. A signature-based analysis scan does not report any problems. A heuristic- based analysis scan reports three possible malware infections. Which statement BEST describes what is evident from the scan reports?

The possible infections should be further investigated

What are the characteristics of an APT attack? (Select TWO.)

The primary goal is to monitor or steal data A covert attack that remains undetected for a significant amount of time

A security analyst is running a Nessus scan to confirm the findings that a third-party vulnerability scan had detected in their environment. Upon comparing the Nessus scan results to the third-party assessment, the analyst notices that there are a large number of additional vulnerabilities on critical Windows servers. What is the most likely cause of this difference in the scan findings?

The security analyst ran a credentialed scan

The CISO for your company has been asked to make sure that the legal department is present at an upcoming meeting. Which of the following highlights the importance of involving the legal department in incident response reporting and communication? (Select TWO).

They can ensure that internal and external communications do not expose the organization to unnecessary additional liability. They can provide guidance on complying with regulatory requirements.

A company suffered a data breach when a user installed a malware-infected movie player on their work tablet. The system administrator has been tasked with preventing unauthorized software installations on all company-owned devices. Which technology should the administrator implement?

application whitelist

A security administrator has been tasked with improving an organization's security stance. The administrator has collected and processed data and used the information to establish a hypothesis. What process is the administrator performing?

Threat hunting

An application that is currently under development calls for the use of parameterized queries. What is the justification for requiring parameterized queries?

To avoid SQL injection attacks

What is the role of Measure Boot in the Windows 10 boot process?

To log the boot process to teh computers UEFI and load in the information to a trusted server.

A security engineer has been tasked with analyzing the security posture of a SCADA environment. Which of the following statements about scanning for vulnerabilities in ICS and SCADA environments are true? (Select TWO).

Traditional scanning tools may not be able to detect all ICS or SCADA system vulnerabilities. Vulnerability scanning can cause disruptions of damage to critical systems.

During a security audit, an analyst performs a full packet capture. The analyst is surprised to discover the packet payload displayed below. Message-ID: <000d01cf001a5$1e5ea$abefa8c119kay> From: "J Doe" <[email protected]> To: <L [email protected]> Subject: Info Date: Tue, 9 Sep 2020 22:30:00 -0000 MIME-Version: 1.0 Content-Type: multipart/alternative; X-Priority: 3 X-MSMail-Priority: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900 This is a multi-part message in MIME format. <! DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type content=3D"text/html"> <META content=3D"MSHTML 6.00.2900.2180" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT face=3DArial size=3D2>The numbers are :< /FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT>&nbsp ;< /DIV> <DIV><FONT face=3DArial size=3D2>123-32-4567</FONT></DIV> <DIV><FONT face=3DArial si

Transport encryption DLP functionality

A SOC analyst notices that Tier 1 analysts are passing too many false positive alerts to Tier 2 analysts. What should the analyst suggest to improve this process? (Select TWO).

Triage training for Tier 1 analysts Improved alert tuning

An organization plans to supply laptops to all sales executives and has asked a security administrator to provide a list of suggested specifications. The primary security requirement states that all data at rest should be encrypted and that encryption keys should be stored securely. Which technology should the administrator recommend?

Trusted Platform Modules (TPM)

The development team needs to determine if an application fulfills its defined business requirements. What type of testing should they use?

UAT

A company recently suffered a data breach when the CEO's laptop was modified to boot from an untrusted OS. The company plans to deploy more secure laptops to mitigate this risk in the future. Which technology should the company ensure the new laptops support?

UEFI

A security consultant recommends implementing measured boot on all company computers that run Microsoft Windows 10. What are the two hardware prerequisites for measured boot? (Select TWO.)

UEFI TPM

The security team updated your vulnerability scanner with current plug-ins. The result after running a non- credentialed scan of the network shows an increase in reported vulnerabilities. A custom application running on several hosts is reported as vulnerable. The security team suspects a false positive. What action should the security team take first?

Verify whether the reported vulnerability is a true vulnerability

A company establishes a Computer Security Incident Response Team (CSIRT). The company is documenting guidelines for communications during incident responses. The guidelines specify which stakeholders must be contacted and when, as well as the stakeholder roles. When should human resources (HR) be notified in incident response?

When an employee is involved in the incident

An IT department of a major accounting firm has been informed that regulatory requirements stipulate that the firm must have a written data retention policy. Besides compliance, in which of the following scenarios is a data retention policy important? (Select TWO).

When proving that chain of custody has been maintained When performing eDiscovery and litigation holds

A company purchases mobile devices for employee use. Employees should be limited to running only a specific list of approved applications on the devices. How should the company control access to applications?

Whitelisitng

A web application team has just finished developing the first major update for their inventory management system. The new functionality has been verified; however, a security analyst is concerned that unexpected vulnerabilities have not been addressed. Which process should the development team implement to address this concern?

security regression testing

New application requirements are requested shortly after the implementation and coding phase of the software development lifecycle is complete. The projected number of transactions per minute is increased by 50%. What type of testing should the development team use to determine if the application can meet this performance goal in its current version?

stress testing

Odd activity in server applications running on a Linux server leads a forensic analyst to suspect that the server was breached during a recent incident. The server is deployed in a company's perimeter network. The analyst needs to determine if the server is infected with malware. The anti-malware software that is running on the server did not detect an infection. The analyst is concerned about losing potentially volatile evidence. What data should the analyst attempt to capture FIRST?

system memory

Which command should be used to capture network packets and write them to a text file?

tcpdump