CompTIA CompTIA Certifications CS0-002 Questions & Answers

• Question 391:

  Alerts have been received from the SIEM, indicating infections on multiple computers. Based on threat characteristics, these files were quarantined by the host-based antivirus program. At the same time, additional alerts in the SIEM show multiple blocked URLs from the address of the infected computers; the URLs were classified as uncategorized. The domain location of the IP address of the URLs that were blocked is checked, and it is registered to an ISP in Russia. Which of the following steps should be taken NEXT?

  A. Remove those computers from the network and replace the hard drives. Send the infected hard drives out for investigation.

  B. Run a full antivirus scan on all computers and use Splunk to search for any suspicious activity that happened just before the alerts were received in the SIEM.

  C. Run a vulnerability scan and patch discovered vulnerabilities on the next pathing cycle. Have the users restart their computers. Create a use case in the SIEM to monitor failed logins on the infected computers.

  D. Install a computer with the same settings as the infected computers in the DMZ to use as a honeypot. Permit the URLs classified as uncategorized to and from that host.

  Correct Answer: B

• Question 392:

  Company A suspects an employee has been exfiltrating PII via a USB thumb drive. An analyst is tasked with attempting to locate the information on the drive. The PII in question includes the following:

  

  Which of the following would BEST accomplish the task assigned to the analyst?

  A. 3 [0-9]\d-2[0-9]\d-4[0-9]\d

  B. \d(3)-d(2)-\d(4)

  C. ?[3]-?[2]-?[3]

  D. \d[9] `XXX-XX-XX'

  Correct Answer: B

• Question 393:

  A recently issued audit report highlighted exceptions related to end-user handling of sensitive data and access credentials. A security manager is addressing the findings. Which of the following activities should be implemented?

  A. Update the password policy

  B. Increase training requirements

  C. Deploy a single sign-on platform

  D. Deploy Group Policy Objects

  Correct Answer: B

• Question 394:

  During which of the following NIST risk management framework steps would an information system security engineer identify inherited security controls and tailor those controls to the system?

  A. Categorize

  B. Select

  C. Implement

  D. Assess

  Correct Answer: B

• Question 395:

  Which of the following is a vulnerability when using Windows as a host OS for virtual machines?

  A. Windows requires frequent patching.

  B. Windows virtualized environments are typically unstable.

  C. Windows requires hundreds of open firewall ports to operate.

  D. Windows is vulnerable to the "ping of death".

  Correct Answer: D

• Question 396:

  A penetration tester is preparing for an audit of critical systems that may impact the security of the environment. This includes the external perimeter and the internal perimeter of the environment. During which of the following processes is this type of information normally gathered?

  A. Timing

  B. Scoping

  C. Authorization

  D. Enumeration

  Correct Answer: B

• Question 397:

  A red team actor observes it is common practice to allow cell phones to charge on company computers, but access to the memory storage is blocked. Which of the following are common attack techniques that take advantage of this practice? (Choose two.)

  A. A USB attack that tricks the computer into thinking the connected device is a keyboard, and then sends characters one at a time as a keyboard to launch the attack (a prerecorded series of keystrokes)

  B. A USB attack that turns the connected device into a rogue access point that spoofs the configured wireless SSIDs

  C. A Bluetooth attack that modifies the device registry (Windows PCs only) to allow the flash drive to mount, and then launches a Java applet attack

  D. A Bluetooth peering attack called "Snarfing" that allows Bluetooth connections on blocked device types if physically connected to a USB port

  E. A USB attack that tricks the system into thinking it is a network adapter, then runs a user password hash gathering utility for offline password cracking

  Correct Answer: CD

• Question 398:

  During the forensic a phase of a security investigation, it was discovered that an attacker was able to find private keys on a poorly secured team shared drive. The attacker used those keys to intercept and decrypt sensitive traffic on a web server. Which of the following describes this type of exploit and the potential remediation?

  A. Session hijacking; network intrusion detection sensors

  B. Cross-site scripting; increased encryption key sizes

  C. Man-in-the-middle; well-controlled storage of private keys

  D. Rootkit; controlled storage of public keys

  Correct Answer: C

• Question 399:

  A cybersecurity analyst is reviewing log data and sees the output below:

  

  Which of the following technologies MOST likely generated this log?

  A. Stateful inspection firewall

  B. Network-based intrusion detection system

  C. Web application firewall

  D. Host-based intrusion detection system

  Correct Answer: C

• Question 400:

  A security analyst is reviewing a report from the networking department that describes an increase in network utilization, which is causing network performance issues on some systems. A top talkers report over a five-minute sample is included.

  

  Given the above output of the sample, which of the following should the security analyst accomplish FIRST to help track down the performance issues?

  A. Perform reverse lookups on each of the IP addresses listed to help determine if the traffic is necessary.

  B. Recommend that networking block the unneeded protocols such as Quicktime to clear up some of the congestion.

  C. Put ACLs in place to restrict traffic destined for random or non-default application ports.

  D. Quarantine the top talker on the network and begin to investigate any potential threats caused by the excessive traffic.

  Correct Answer: A