Your success in CompTIA CS0-001 is our sole target, and we develop all our CS0-001 braindumps in a way that facilitates the attainment of this target. Not only is our CS0-001 study material the best you can find, it is also the most detailed and the most updated. Our CS0-001 practice exams for the CompTIA CS0-001 exam are written to the highest standards of technical accuracy.
Free CS0-001 Demo Online For CompTIA Certification:
NEW QUESTION 1
An organization has recently experienced a data breach. A forensic analysis confirmed the attacker found a legacy web server that had not been used in over a year and was not regularly patched. After a discussion with the security team, management decided to initiate a program of network reconnaissance and penetration testing. They want to start the process by scanning the network for active hosts and open ports. Which of the following tools is BEST suited for this job?
- A. Ping
- B. Nmap
- C. Netstat
- D. ifconfig
- E. Wireshark
- F. L0phtCrack
Answer: B
NEW QUESTION 2
A company has several internal-only, web-based applications on the internal network. Remote employees are allowed to connect to the internal corporate network with a company-supplied VPN client. During a project to upgrade the internal application, contractors were hired to work on a database server and were given copies of the VPN client so they could work remotely. A week later, a security analyst discovered an internal web-server had been compromised by malware that originated from one of the contractor’s laptops. Which of the following changes should be made to BEST counter the threat presented in this scenario?
- A. Create a restricted network segment for contractors, and set up a jump box for the contractors to use to access internal resources.
- B. Deploy a web application firewall in the DMZ to stop Internet-based attacks on the web server.
- C. Deploy an application layer firewall with network access control lists at the perimeter, and then create alerts for suspicious Layer 7 traffic.
- D. Require the contractors to bring their laptops on site when accessing the internal network instead of using the VPN from a remote location.
- E. Implement NAC to check for updated anti-malware signatures and location-based rules for PCs connecting to the internal network.
Answer: A
NEW QUESTION 3
A security administrator determines several months after the first instance that a local privileged user has been routinely logging into a server interactively as “root” and browsing the Internet. The administrator determines this by performing an annual review of the security logs on that server. For which of the following security architecture areas should the administrator recommend review and modification? (Select TWO).
- A. Log aggregation and analysis
- B. Software assurance
- C. Encryption
- D. Acceptable use policies
- E. Password complexity
- F. Network isolation and separation
Answer: AD
NEW QUESTION 4
A threat intelligence feed has posted an alert stating there is a critical vulnerability in the kernel. Unfortunately, the company’s asset inventory is not current. Which of the following techniques would a cybersecurity analyst perform to find all affected servers within an organization?
- A. A manual log review from data sent to syslog
- B. An OS fingerprinting scan across all hosts
- C. A packet capture of data traversing the server network
- D. A service discovery scan on the network
Answer: B
NEW QUESTION 5
The director of software development is concerned with recent web application security incidents, including the successful breach of a back-end database server. The director would like to work with the security team to implement a standardized way to design, build, and test web applications and the services that support them. Which of the following meets the criteria?
- A. OWASP
- B. SANS
- C. PHP
- D. Ajax
Answer: A
Explanation:
Reference https://www.synopsys.com/software-integrity/resources/knowledge-database/owasp-top-10.html
NEW QUESTION 6
Which of the following principles describes how a security analyst should communicate during an incident?
- A. The communication should be limited to trusted parties only.
- B. The communication should be limited to security staff only.
- C. The communication should come from law enforcement.
- D. The communication should be limited to management only.
Answer: A
NEW QUESTION 7
Which of the following describes why it is important to include scope within the rules of engagement of a penetration test?
- A. To ensure the network segment being tested has been properly secured
- B. To ensure servers are not impacted and service is not degraded
- C. To ensure all systems being scanned are owned by the company
- D. To ensure sensitive hosts are not scanned
Answer: C
NEW QUESTION 8
An organization has a practice of running some administrative services on non-standard ports as a way of frustrating any attempts at reconnaissance. The output of the latest scan on host 192.168.1.13 is shown below:
Which of the following statements is true?
- A. Running SSH on the Telnet port will now be sent across an unencrypted port.
- B. Despite the results of the scan, the service running on port 23 is actually Telnet and not SSH, and creates an additional vulnerability
- C. Running SSH on port 23 provides little additional security from running it on the standard port.
- D. Remote SSH connections will automatically default to the standard SSH port.
- E. The use of OpenSSH on its default secure port will supersede any other remote connection attempts.
Answer: C
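Why option C is the right reading: a scanner does not trust the port number, it reads the service banner, so SSH answering on 23 is identified as SSH just as it would be on 22. The following added example (not part of the original page or of any vendor's code) implements that banner-grabbing step against a constructed stand-in server on localhost; the signature table is a small, hand-picked subset, not a real scanner's database.

```python
"""Banner grabbing: moving SSH to port 23 hides nothing from a scanner.

Added example. The fake server and the signature table are constructed
for illustration; real scanners (e.g. nmap -sV) use far larger databases.
"""
import socket
import threading

# Constructed, partial list of banner prefixes mapped to the service they reveal.
SIGNATURES = {
    b"SSH-": "ssh",          # SSH identification string, RFC 4253 section 4.2
    b"HTTP/": "http",
    b"220 ": "smtp-or-ftp",  # both greet with a 220 line
    b"\xff\xfb": "telnet",   # IAC WILL: Telnet option negotiation
    b"\xff\xfd": "telnet",   # IAC DO
}


def identify_service(banner: bytes) -> str:
    """Classify a service by the first bytes it sends, independent of the port."""
    for prefix, name in SIGNATURES.items():
        if banner.startswith(prefix):
            return name
    return "unknown"


def grab_banner(host: str, port: int, timeout: float = 2.0) -> bytes:
    """Connect, say nothing, and record what the server volunteers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(256)
        except socket.timeout:
            return b""  # silent services need protocol-specific probes instead


def _fake_sshd(listener: socket.socket, banner: bytes) -> None:
    """Stand-in for 'SSH on a non-standard port': accept one client, send the banner."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(banner)
    listener.close()


def demo(banner: bytes = b"SSH-2.0-OpenSSH_7.4\r\n") -> str:
    """Run the fake daemon on an ephemeral port and identify it from the outside."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick, mimicking a non-standard port
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_fake_sshd, args=(listener, banner), daemon=True)
    t.start()
    seen = grab_banner("127.0.0.1", port)
    t.join(timeout=5)
    return identify_service(seen)


if __name__ == "__main__":
    print(demo())  # the port number was random; the banner still says "ssh"
```

Port obscurity costs an attacker one extra scan option (scan all 65535 ports with version detection) and costs defenders nothing in return; the real controls are key-based authentication, restricting source addresses, and patching the daemon.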
NEW QUESTION 9
A cybersecurity analyst is conducting packet analysis on the following:
Which of the following is occurring in the given packet capture?
- A. ARP spoofing
- B. Broadcast storm
- C. Smurf attack
- D. Network enumeration
- E. Zero-day exploit
Answer: D
NEW QUESTION 10
The Chief Executive Officer (CEO) instructed the new Chief Information Security Officer (CISO) to provide a list of enhancements to the company’s cybersecurity operation. As a result, the CISO has identified the need to align security operations with industry best practices. Which of the following industry references is appropriate to accomplish this?
- A. OSSIM
- B. NIST
- C. PCI
- D. OWASP
Answer: B
Explanation:
Reference https://www.nist.gov/sites/default/files/documents/itl/Cybersecurity_Green-Paper_FinalVersion.pdf
NEW QUESTION 11
An analyst wants to use a command line tool to identify open ports and running services on a host along with the application that is associated with those services and port. Which of the following should the analyst use?
- A. Wireshark
- B. Qualys
- C. netstat
- D. nmap
- E. ping
Answer: C
NEW QUESTION 12
Which of the following systems would be at the GREATEST risk of compromise if found to have an open vulnerability associated with perfect forward secrecy?
- A. Endpoints
- B. VPN concentrators
- C. Virtual hosts
- D. SIEM
- E. Layer 2 switches
Answer: B
NEW QUESTION 13
A security incident has been created after noticing unusual behavior from a Windows domain controller. The server administrator has discovered that a user logged in to the server with elevated permissions, but the user’s account does not follow the standard corporate naming scheme. There are also several other accounts in the administrators group that do not follow this naming scheme. Which of the following is the possible cause for this behavior and the BEST remediation step?
- A. The Windows Active Directory domain controller has not completed synchronization, and should force the domain controller to sync.
- B. The server has been compromised and should be removed from the network and cleaned before reintroducing it to the network.
- C. The server administrator created user accounts cloning the wrong user ID, and the accounts should be removed from administrators and placed in an employee group.
- D. The naming scheme allows for too many variations, and the account naming convention should be updated to enforce organizational policies.
Answer: B
NEW QUESTION 14
After implementing and running an automated patching tool, a security administrator ran a vulnerability scan that reported no missing patches found. Which of the following BEST describes why this tool was used?
- A. To create a chain of evidence to demonstrate when the servers were patched.
- B. To harden the servers against new attacks.
- C. To provide validation that the remediation was active.
- D. To generate log data for unreleased patches.
Answer: C
NEW QUESTION 15
A cybersecurity analyst has identified a new mission-essential function that utilizes a public cloud-based system. The analyst needs to classify the information processed by the system with respect to CIA. Which of the following should provide the CIA classification for the information?
- A. The cloud provider
- B. The data owner
- C. The cybersecurity analyst
- D. The system administrator
Answer: B
NEW QUESTION 16
A vulnerability scan returned the following results for a web server that hosts multiple wiki sites:
Apache-HTTPD-cve-2014-0231: Apache HTTPD: mod_cgid denial of service (CVE-2014-0231)
Due to a flaw found in mod_cgid, a server using mod_cgid to host CGI scripts could be vulnerable to a DoS attack caused by a remote attacker who is exploiting a weakness in non-standard input, causing processes to hang indefinitely.
The security analyst has confirmed the server hosts standard CGI scripts for the wiki sites, does not have mod_cgid installed, is running Apache 2.2.22, and is not behind a WAF. The server is located in the DMZ, and the purpose of the server is to allow customers to add entries into a publicly accessible database.
Which of the following would be the MOST efficient way to address this finding?
- A. Place the server behind a WAF to prevent DoS attacks from occurring.
- B. Document the finding as a false positive.
- C. Upgrade to the newest version of Apache.
- D. Disable the HTTP service and use only HTTPS to access the server.
Answer: B
NEW QUESTION 17
During a network reconnaissance engagement, a penetration tester was given perimeter firewall ACLs to accelerate the scanning process. The penetration tester has decided to concentrate on trying to brute force log in to destination IP address 192.168.192.132 via secure shell.
Given a source IP address of 10.10.10.30, which of the following ACLs will permit this access?
- A. Option A
- B. Option B
- C. Option C
- D. Option D
Answer: C
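The four ACL screenshots for this question are not reproduced on the page, so the decision has to be made on the evaluation rule itself: entries are checked top to bottom, the first match wins, and anything unmatched hits the implicit deny. The following added example (not from the original page or from any vendor) implements those semantics and runs the 10.10.10.30 to 192.168.192.132 TCP/22 flow through four constructed candidate ACLs; the candidates are hypothetical stand-ins, not the exam's options.

```python
"""First-match, implicit-deny ACL evaluation for a single flow.

Added example. The candidate ACLs are constructed for illustration and are
not the exam's Option A-D; the evaluation semantics follow the usual
Cisco-style extended ACL model.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # destination port, None = any


def ace_matches(ace: Ace, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
    """A single entry matches when protocol, both prefixes and the port all agree."""
    return (
        ace.proto in ("ip", proto)
        and ipaddress.ip_address(src_ip) in ipaddress.ip_network(ace.src, strict=False)
        and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(ace.dst, strict=False)
        and (ace.dport is None or ace.dport == dport)
    )


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching entry decides; an ACL that matches nothing denies."""
    for ace in acl:
        if ace_matches(ace, proto, src_ip, dst_ip, dport):
            return ace.action
    return "deny"  # implicit deny at the end of every ACL


# Constructed candidates (hypothetical). Ordering is the point of the last two.
CANDIDATES: Dict[str, List[Ace]] = {
    "deny-ssh-then-permit": [
        Ace("deny", "tcp", "10.10.10.0/24", "192.168.192.0/24", 22),
        Ace("permit", "ip", "10.10.10.0/24", "192.168.192.0/24", None),
    ],
    "permit-telnet-only": [
        Ace("permit", "tcp", "10.10.10.0/24", "192.168.192.0/24", 23),
    ],
    "permit-ssh-to-host": [
        Ace("permit", "tcp", "10.10.10.0/24", "192.168.192.132/32", 22),
    ],
    "permit-any-then-deny-ssh": [
        Ace("permit", "ip", "10.10.10.0/24", "192.168.192.0/24", None),
        Ace("deny", "tcp", "10.10.10.30/32", "192.168.192.132/32", 22),  # never reached
    ],
}


def permitting_options(candidates: Dict[str, List[Ace]],
                       proto: str = "tcp",
                       src_ip: str = "10.10.10.30",
                       dst_ip: str = "192.168.192.132",
                       dport: int = 22) -> List[str]:
    """Names of the candidate ACLs that would let the tester's SSH flow through."""
    return sorted(name for name, acl in candidates.items()
                  if evaluate(acl, proto, src_ip, dst_ip, dport) == "permit")


if __name__ == "__main__":
    for name, acl in CANDIDATES.items():
        print(f"{name:28s} -> {evaluate(acl, 'tcp', '10.10.10.30', '192.168.192.132', 22)}")
```

The "permit-any-then-deny-ssh" candidate is the trap to look for when reading real ACLs: a broad permit above a specific deny makes the deny dead, so the flow is allowed even though an entry naming it says "deny".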
NEW QUESTION 18
Which of the following remediation strategies are MOST effective in reducing the risk of a network-based compromise of embedded ICS? (Select two.)
- A. Patching
- B. NIDS
- C. Segmentation
- D. Disabling unused services
- E. Firewalling
Answer: CD
NEW QUESTION 19
A company decides to move three of its business applications to different outsourced cloud providers. After moving the applications, the users report the applications time out too quickly and too much time is spent logging back into the different web-based applications throughout the day. Which of the following should a security architect recommend to improve the end-user experience without lowering the security posture?
- A. Configure directory services with a federation provider to manage accounts.
- B. Create a group policy to extend the default system lockout period.
- C. Configure a web browser to cache the user credentials.
- D. Configure user accounts for self-service account management.
Answer: A
NEW QUESTION 20
A security analyst has just completed a vulnerability scan of servers that support a business critical application that is managed by an outside vendor. The results of the scan indicate the devices are missing critical patches. Which of the following factors can inhibit remediation of these vulnerabilities? (Select TWO)
- A. Inappropriate data classifications
- B. SLAs with the supporting vendor
- C. Business process interruption
- D. Required sandbox testing
- E. Incomplete asset inventory
Answer: BC
NEW QUESTION 21
A technician is running an intensive vulnerability scan to detect which ports are open to exploit. During the scan, several network services are disabled and production is affected. Which of the following sources would be used to evaluate which network service was interrupted?
- A. Syslog
- B. Network mapping
- C. Firewall logs
- D. NIDS
Answer: A
NEW QUESTION 22
A security analyst is conducting traffic analysis and observes an HTTP POST to a web server. The POST header is approximately 1000 bytes in length. During transmission, one byte is delivered every ten seconds. Which of the following attacks is the traffic indicative of?
- A. Exfiltration
- B. DoS
- C. Buffer overflow
- D. SQL injection
Answer: B
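A roughly 1000-byte POST trickled in at one byte every ten seconds is the signature of a slow-HTTP denial of service (Slowloris-style): the client keeps a worker tied up for hours with almost no data, and the tiny inbound volume rules out exfiltration. The following added example (not from the original page) turns that observation into a detection rule over constructed segment timings; the thresholds are assumptions chosen for illustration.

```python
"""Flag slow-HTTP POST requests by delivery rate and projected hold time.

Added example. The two flows below are constructed; the thresholds
(min_bps, max_hold_seconds) are illustrative assumptions a site would tune.
"""
from typing import List, Tuple

Segment = Tuple[float, int]  # (seconds since the first segment, payload bytes)


def delivery_rate(segments: List[Segment]) -> float:
    """Payload bytes per second over the observed window (inf if all at once)."""
    total = sum(n for _, n in segments)
    window = segments[-1][0] - segments[0][0]
    return total / window if window > 0 else float("inf")


def seconds_to_complete(segments: List[Segment], expected_bytes: int) -> float:
    """How much longer the server will hold this connection at the current rate."""
    delivered = sum(n for _, n in segments)
    remaining = expected_bytes - delivered
    rate = delivery_rate(segments)
    if remaining <= 0 or rate == float("inf"):
        return 0.0
    return remaining / rate


def classify_post(segments: List[Segment], expected_bytes: int,
                  min_bps: float = 100.0, max_hold_seconds: float = 60.0) -> str:
    """'slow-http-dos' when the client trickles bytes AND would hold a worker too long."""
    if delivery_rate(segments) < min_bps and \
            seconds_to_complete(segments, expected_bytes) > max_hold_seconds:
        return "slow-http-dos"
    return "normal"


# Constructed: the question's traffic, one byte every ten seconds, 20 segments seen so far,
# against a declared ~1000-byte header/body.
SLOW_POST: List[Segment] = [(10.0 * i, 1) for i in range(20)]

# Constructed: a normal 1000-byte POST arriving in five segments within 40 ms.
NORMAL_POST: List[Segment] = [(0.00, 200), (0.01, 200), (0.02, 200), (0.03, 200), (0.04, 200)]

if __name__ == "__main__":
    for name, flow in (("slow", SLOW_POST), ("normal", NORMAL_POST)):
        print(name, round(delivery_rate(flow), 3), "B/s ->", classify_post(flow, 1000))
```

The two conditions are deliberately combined: a low rate alone also describes a mobile client on a bad link finishing a 200-byte request, while a long projected hold alone also describes a legitimate large upload; only a slow trickle against a large declared size is the attack pattern, and the server-side fix is a request-header/body timeout (for example Apache's mod_reqtimeout) rather than a signature.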
NEW QUESTION 23
In order to meet regulatory compliance objectives for the storage of PHI, vulnerability scans must be conducted on a continuous basis. The last completed scan of the network returned 5,682 possible vulnerabilities. The Chief Information Officer (CIO) would like to establish a remediation plan to resolve all known issues. Which of the following is the BEST way to proceed?
- A. Attempt to identify all false positives and exceptions, and then resolve all remaining items.
- B. Hold off on additional scanning until the current list of vulnerabilities have been resolved.
- C. Place assets that handle PHI in a sandbox environment, and then resolve all vulnerabilities.
- D. Reduce the scan to items identified as critical in the asset inventory, and resolve these issues first.
Answer: D
NEW QUESTION 24
Management wants to scan servers for vulnerabilities on a periodic basis. Management has decided that the scan frequency should be determined only by vendor patch schedules and the organization’s application deployment schedule. Which of the following would force the organization to conduct an out-of-cycle vulnerability scan?
- A. Newly discovered PII on a server
- B. A vendor releases a critical patch update
- C. A critical bug fix in the organization’s application
- D. False positives identified in production
Answer: A
NEW QUESTION 25
A security audit revealed that port 389 has been used instead of 636 when connecting to LDAP for the authentication of users. The remediation recommended by the audit was to switch the port to 636 wherever technically possible. Which of the following is the BEST response?
- A. Correct the audit. This finding is a well-known false positive; the services that typically run on 389 and 636 are identical.
- B. Change all devices and servers that support it to 636, as encrypted services run by default on 636.
- C. Change all devices and servers that support it to 636, as 389 is a reserved port that requires root access and can expose the server to privilege escalation attacks.
- D. Correct the audit. This finding is accurate, but the correct remediation is to update encryption keys on each of the servers to match port 636.
Answer: B
NEW QUESTION 26
A technician receives the following security alert from the firewall’s automated system:
After reviewing the alert, which of the following is the BEST analysis?
- A. This alert is a false positive because DNS is a normal network function.
- B. This alert indicates a user was attempting to bypass security measures using dynamic DNS.
- C. This alert was generated by the SIEM because the user attempted too many invalid login attempts.
- D. This alert indicates an endpoint may be infected and is potentially contacting a suspect host.
Answer: D
NEW QUESTION 27
An administrator has been investigating the way in which an actor had been exfiltrating confidential data from a web server to a foreign host. After a thorough forensic review, the administrator determined the server’s BIOS had been modified by rootkit installation. After removing the rootkit and flashing the BIOS to a known good state, which of the following would BEST protect against future adversary access to the BIOS, in case another rootkit is installed?
- A. Anti-malware application
- B. Host-based IDS
- C. TPM data sealing
- D. File integrity monitoring
Answer: C
NEW QUESTION 28
......
P.S. Easily pass CS0-001 Exam with 363 Q&As Certshared Dumps & pdf Version, Welcome to Download the Newest Certshared CS0-001 Dumps: https://www.certshared.com/exam/CS0-001/ (363 New Questions)