CompTIA CompTIA Certifications CS0-002 Questions & Answers

• Question 841:

  A security is responding to an incident on a web server on the company network that is making a large number of outbound requests over DNS. Which of the following is the FIRST step the analyst should take to evaluate this potential indicator of compromise?

  A. Run an anti-malware scan on the system to detect and eradicate the current threat

  B. Start a network capture on the system to look into the DNS requests to validate command and control traffic

  C. Shut down the system to prevent further degradation of the company network

  D. Reimage the machine to remove the threat completely and get back to a normal running state

  E. Isolate the system on the network to ensure it cannot access other systems while evaluation is underway

  Correct Answer: E

• Question 842:

  A critical server was compromised by malware, and all functionality was lost. Backups of this server were taken; however, management believes a logic bomb may have been injected by a rootkit. Which of the following should a security analyst perform to restore functionality quickly?

  A. Work backward, restoring each backup until the server is clean

  B. Restore the previous backup and scan with a live boot anti-malware scanner

  C. Stand up a new server and restore critical data from backups

  D. Offload the critical data to a new server and continue operations

  Correct Answer: C

• Question 843:

  An analyst wants to identify hosts that are connecting to the external FTP servers and what, if any, passwords are being used. Which of the following commands should the analyst use?

  A. tcpdump –X dst port 21

  B. ftp ftp.server –p 21

  C. nmap –o ftp.server –p 21

  D. telnet ftp.server 21

  Correct Answer: A

• Question 844:

  During an investigation, an analyst discovers the following rule in an executive's email client:

  IF * TO THEN mailto: SELECT FROM `sent' THEN DELETE FROM

  The executive is not aware of this rule. Which of the following should the analyst do FIRST to evaluate the potential impact of this security incident?

  A. Check the server logs to evaluate which emails were sent to

  B. Use the SIEM to correlate logging events from the email server and the domain server

  C. Remove the rule from the email client and change the password

  D. Recommend that management implement SPF and DKIM

  Correct Answer: A

• Question 845:

  Clients are unable to access a company's API to obtain pricing data. An analyst discovers sources other than clients are scraping the API for data, which is causing the servers to exceed available resources. Which of the following would be BEST to protect the availability of the APIs?

  A. IP whitelisting

  B. Certificate-based authentication

  C. Virtual private network

  D. Web application firewall

  Correct Answer: D

• Question 846:

  Given the Nmap request below: Which of the following actions will an attacker be able to initiate directly against this host?

  

  A. Password sniffing

  B. ARP spoofing

  C. A brute-force attack

  D. An SQL injection

  Correct Answer: C

• Question 847:

  As part of an organization's information security governance process, a Chief Information Security Officer (CISO) is working with the compliance officer to update policies to include statements related to new regulatory and legal requirements. Which of the following should be done to BEST ensure all employees are appropriately aware of changes to the policies?

  A. Conduct a risk assessment based on the controls defined in the newly revised policies

  B. Require all employees to attend updated security awareness training and sign an acknowledgement

  C. Post the policies on the organization's intranet and provide copies of any revised policies to all active vendors

  D. Distribute revised copies of policies to employees and obtain a signed acknowledgement from them

  Correct Answer: B

• Question 848:

  Which of the following secure coding techniques can be used to prevent cross-site request forgery attacks?

  A. Input validation

  B. Output encoding

  C. Parameterized queries

  D. Tokenization

  Correct Answer: D

• Question 849:

  A security analyst scanned an internal company subnet and discovered a host with the following Nmap output.

  

  Based on the output of this Nmap scan, which of the following should the analyst investigate FIRST?

  A. Port 22

  B. Port 135

  C. Port 445

  D. Port 3389

  Correct Answer: A

• Question 850:

  A company's Chief Information Security Officer (CISO) is concerned about the integrity of some highly confidential files. Any changes to these files must be tied back to a specific authorized user's activity session. Which of the following is the BEST technique to address the CISO's concerns?

  A. Configure DLP to reject all changes to the files without pre-authorization. Monitor the files for unauthorized changes.

  B. Regularly use SHA-256 to hash the directory containing the sensitive information. Monitor the files for unauthorized changes.

  C. Place a legal hold on the files. Require authorized users to abide by a strict time context access policy.Monitor the files for unauthorized changes.

  D. Use Wireshark to scan all traffic to and from the directory. Monitor the files for unauthorized changes.

  Correct Answer: A