Exam Details

  • Exam Code: CS0-002
  • Exam Name: CompTIA Cybersecurity Analyst (CySA+)
  • Certification: CompTIA Certifications
  • Vendor: CompTIA
  • Total Questions: 1059 Q&As
  • Last Updated: Apr 09, 2025

CompTIA Certifications CS0-002 Questions & Answers

  • Question 931:

    A security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output.

    Which of the following commands should the administrator run NEXT to further analyze the compromised system?

    A. strace /proc/1301

    B. rpm -V openssh-server

    C. /bin/ls -l /proc/1301/exe

    D. kill -9 1301

  • Question 932:

    Which of the following technologies can be used to house the entropy keys for disk encryption on desktops and laptops?

    A. Self-encrypting drive

    B. Bus encryption

    C. TPM

    D. HSM

  • Question 933:

    A security analyst is investigating a malware infection that occurred on a Windows system. The system was not connected to a network and had no wireless capability. Company policy prohibits using portable media or mobile storage. The security analyst is trying to determine which user caused the malware to get onto the system.

    Which of the following registry keys would MOST likely have this information?

    A. HKEY_USERS\\Software\Microsoft\Windows\CurrentVersion\Run

    B. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    C. HKEY_USERS\\Software\Microsoft\Windows\explorer\MountPoints2

    D. HKEY_USERS\\Software\Microsoft\Internet Explorer\TypedURLs

    E. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\System\iusb3hub

  • Question 934:

    Which of the following MOST accurately describes an HSM?

    A. An HSM is a low-cost solution for encryption.

    B. An HSM can be network-based or a removable USB device.

    C. An HSM is slower at encrypting than software.

    D. An HSM is explicitly used for MFA.

  • Question 935:

    A security analyst is investigating malicious traffic from an internal system that attempted to download proxy avoidance software, as identified from the firewall logs, but the destination IP is blocked and not captured. Which of the following should the analyst do?

    A. Shut down the computer

    B. Capture live data using Wireshark

    C. Take a snapshot

    D. Determine if DNS logging is enabled.

    E. Review the network logs.

  • Question 936:

    A security analyst was alerted to a file integrity monitoring event based on a change to the vhost-payments.conf file. The output of the diff command against the known-good backup reads as follows:

    SecRule ARGS:Card "@rx ([0-9]+)" "id:123456,pass,capture,proxy:https://10.0.0.128/%{matched_var},nolog,noauditlog"

    Which of the following MOST likely occurred?

    A. The file was altered to accept payments without charging the cards

    B. The file was altered to avoid logging credit card information

    C. The file was altered to verify the card numbers are valid.

    D. The file was altered to harvest credit card numbers

  • Question 937:

    A security analyst recently discovered two unauthorized hosts on the campus's wireless network segment from a man-in-the-middle attack. The security analyst also verified that privileges were not escalated, and the two devices did not gain access to other network devices.

    Which of the following would BEST mitigate and improve the security posture of the wireless network for this type of attack?

    A. Enable MAC filtering on the wireless router and suggest a stronger encryption for the wireless network.

    B. Change the SSID, strengthen the passcode, and implement MAC filtering on the wireless router.

    C. Enable MAC filtering on the wireless router and create a whitelist that allows devices on the network.

    D. Conduct a wireless survey to determine if the wireless strength needs to be reduced.

  • Question 938:

    Risk management wants IT to implement a solution that will permit an analyst to intercept, execute, and analyze potentially malicious files that are downloaded from the Internet. Which of the following would BEST provide this solution?

    A. File fingerprinting

    B. Decomposition of malware

    C. Risk evaluation

    D. Sandboxing

  • Question 939:

    Joe, a penetration tester, used a professional directory to identify a network administrator and ID administrator for a client's company. Joe then emailed the network administrator, identifying himself as the ID administrator, and asked for a current password as part of a security exercise. Which of the following techniques were used in this scenario?

    A. Enumeration and OS fingerprinting

    B. Email harvesting and host scanning

    C. Social media profiling and phishing

    D. Network and host scanning

  • Question 940:

    A web developer wants to create a new web part within the company website that aggregates sales from individual team sites. A cybersecurity analyst wants to ensure security measurements are implemented during this process. Which of the following remediation actions should the analyst take to implement a vulnerability management process?

    A. Personnel training

    B. Vulnerability scan

    C. Change management

    D. Sandboxing

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CS0-002 exam preparation and CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions.