CompTIA CompTIA Certifications CS0-002 Questions & Answers

• Question 461:

  A SIEM analyst noticed a spike in activities from the guest wireless network to several electronic health record (EHR) systems. After further analysis, the analyst discovered that a large volume of data has been uploaded to a cloud provider in the last six months. Which of the following actions should the analyst do FIRST?

  A. Contact the Office of Civil Rights (OCR) to report the breach

  B. Notify the Chief Privacy Officer (CPO)

  C. Activate the incident response plan

  D. Put an ACL on the gateway router

  Correct Answer: D

• Question 462:

  A security analyst is conducting traffic analysis and observes an HTTP POST to the company's main web server. The POST header is approximately 1000 bytes in length. During transmission, one byte is delivered every ten seconds. Which of the following attacks is the traffic indicative of?

  A. Exfiltration

  B. DoS

  C. Buffer overflow

  D. SQL injection

  Correct Answer: A

• Question 463:

  While reviewing proxy logs, the security analyst noticed a suspicious traffic pattern. Several internal hosts were observed communicating with an external IP address over port 80 constantly. An incident was declared, and an investigation was launched. After interviewing the affected users, the analyst determined the activity started right after deploying a new graphic design suite. Based on this information, which of the following actions would be the appropriate NEXT step in the investigation?

  A. Update all antivirus and anti-malware products, as well as all other host-based security software on the servers the affected users authenticate to.

  B. Perform a network scan and identify rogue devices that may be generating the observed traffic. Remove those devices from the network.

  C. Identify what the destination IP address is and who owns it, and look at running processes on the affected hosts to determine if the activity is malicious or not.

  D. Ask desktop support personnel to reimage all affected workstations and reinstall the graphic design suite. Run a virus scan to identify if any viruses are present.

  Correct Answer: C

• Question 464:

  Following a data compromise, a cybersecurity analyst noticed the following executed query:

  SELECT * from Users WHERE name = rick OR 1=1

  Which of the following attacks occurred, and which of the following technical security controls would BEST reduce the risk of future impact from this attack? (Select TWO).

  A. Cookie encryption

  B. XSS attack

  C. Parameter validation

  D. Character blacklist

  E. Malicious code execution

  F. SQL injection

  Correct Answer: CF

  Reference: https://lwn.net/Articles/177037/

• Question 465:

  When reviewing network traffic, a security analyst detects suspicious activity:

  

  Based on the log above, which of the following vulnerability attacks is occurring?

  A. ShellShock

  B. DROWN

  C. Zeus

  D. Heartbleed

  E. POODLE

  Correct Answer: E

• Question 466:

  An analyst was testing the latest version of an internally developed CRM system. The analyst created a basic user account. Using a few tools in Kali's latest distribution, the analyst was able to access configuration files, change permissions on folders and groups, and delete and create new system objects. Which of the following techniques did the analyst use to perform these unauthorized activities?

  A. Impersonation

  B. Privilege escalation

  C. Directory traversal

  D. Input injection

  Correct Answer: C

• Question 467:

  A production web server is experiencing performance issues. Upon investigation, new unauthorized applications have been installed and suspicious traffic was sent through an unused port. Endpoint security is not detecting any malware or virus. Which of the following types of threats would this MOST likely be classified as?

  A. Advanced persistent threat

  B. Buffer overflow vulnerability

  C. Zero day

  D. Botnet

  Correct Answer: A

• Question 468:

  Nmap scan results on a set of IP addresses returned one or more lines beginning with "cpe:/o:" followed by a company name, product name, and version. Which of the following would this string help an administrator to identify?

  A. Operating system

  B. Running services

  C. Installed software

  D. Installed hardware

  Correct Answer: A

• Question 469:

  Three similar production servers underwent a vulnerability scan. The scan results revealed that the three servers had two different vulnerabilities rated "Critical".

  The administrator observed the following about the three servers:

  1.

  The servers are not accessible by the Internet

  2.

  AV programs indicate the servers have had malware as recently as two weeks ago

  3.

  The SIEM shows unusual traffic in the last 20 days

  4.

  Integrity validation of system files indicates unauthorized modifications

  Which of the following assessments is valid and what is the most appropriate NEXT step? (Select TWO).

  A. Servers may have been built inconsistently

  B. Servers may be generating false positives via the SIEM

  C. Servers may have been tampered with

  D. Activate the incident response plan

  E. Immediately rebuild servers from known good configurations

  F. Schedule recurring vulnerability scans on the servers

  Correct Answer: CD

• Question 470:

  A cybersecurity consultant is reviewing the following output from a vulnerability scan against a newly installed MS SQL Server 2012 that is slated to go into production in one week:

  

  Based on the above information, which of the following should the system administrator do? (Select TWO).

  A. Verify the vulnerability using penetration testing tools or proof-of-concept exploits.

  B. Review the references to determine if the vulnerability can be remotely exploited.

  C. Mark the result as a false positive so it will show in subsequent scans.

  D. Configure a network-based ACL at the perimeter firewall to protect the MS SQL port.

  E. Implement the proposed solution by installing Microsoft patch Q316333.

  Correct Answer: DE