CySA+ (CS0-002) question with complete solution 2022

CySA+ (CS0-002) question with complete solution 2022An analyst needs to forensically examine a Windows machine that was compromised by a threat actor. Intelligence reports state this specific threat actor is characterized by hiding malicious artifacts, especially with alternate data streams. Based on this intelligence, which of the following BEST explains alternate data streams? A. A different way data can be streamlined if the user wants to use less memory on a Windows system for forking resources B. A way to store data on an external drive attached to a Windows machine that is not readily accessible to users C. A windows attribute that provides for forking resources and is potentially used to hide the presence of secret or malicious files inside the file records of a benign file D. A Windows attribute that can be used by attackers to hide malicious files within system memory D. A Windows attribute that can be used by attackers to hide malicious files within system memory An executive assistant wants to onboard a new cloud-based product to help with business analytics and dashboarding. Which of the following would be the BEST integration option for this service? A. Manually log in to the service and upload data files on a regular basis. B. Have the internal development team script connectivity and file transfers to the new service. C. Create a dedicated SFTP site and schedule transfers to ensure file transport security. D. Utilize the cloud product's API for supported and ongoing integrations. D. Utilize the cloud product's API for supported and ongoing integrations Data spillage occurred when an employee accidentally emailed a sensitive file to an external recipient. Which of the following controls would have MOST likely prevented this incident? A. SSO B. DLP C. WAF D. VDI B. DLP A development team is testing a new application release. The team needs to import existing client PHI data records from the production environment to the test environment to test accuracy and functionality. Which of the following would BEST protect the sensitivity of this data while still allowing the team to perform the testing? A. Deidentification B. Encoding C. Encryption D. Watermarking A. Deidentification Which of the following are components of the intelligence cycle? (Select TWO). A. Collection B. Normalization C. Response D. Analysis E. Correction F. Dissension A. Collection D. Analysis During an investigation, a security analyst identified machines that are infected with malware the antivirus was unable to detect. Which of the following is the BEST place to acquire evidence to perform data carving? A. The system memory B. The hard drive C. Network packets D. The Windows Registry A. The system memory A SIEM solution alerts a security analyst of a high number of login attempts against the company's webmail portal. The analyst determines the login attempts used credentials from a past data breach. Which of the following is the BEST mitigation to prevent unauthorized access? A. Single sign-on B. Mandatory access control C. Multifactor authentication D. Federation E. Privileged access management C. Multifactor authentication An organization wants to move non-essential services into a cloud computing Environment. Management has a cost focus and would like to achieve a recovery time objective of 12 hours. Which of the following cloud recovery strategies would work BEST to attain the desired outcome? A. Duplicate all services in another instance and load balance between the instances. B. Establish a hot site with active replication to another region within the same cloud provider C. Set up a warm disaster recovery site with the same cloud provider in a different region. D. Configure the systems with a cold site at another cloud provider that can be used for failover. C. Set up a warm disaster recovery site with the same cloud provider in a different region. A security technician is testing a solution that will prevent outside entities from spoofing the company's email domain, which is . The testing is successful, and the security technician is prepared to fully implement the solution. Which of the following actions should the technician take to accomplish this task? A. Add TXT @ "v=spfl mx include:_ -all" to the DNS record. B. Add TXT @ "v=spfl mx include:_ -all" to the email server. C. Add TXT @ "v=spfl mx include:_ -all" to the domain controller. D. Add TXT @ "v=spfl mx include:_ -all" to the web server. A. Add TXT @ "v=spfl mx include:_ -all" to the DNS record. A Chief Information Security Officer (CISO) is concerned the development team, which consists of contractors, has too much access to customer data. Developers use personal workstations, giving the company little to no visibility into the development activities. Which of the following would be BEST to implement to alleviate the CISO's concern? A. DLP B. Encryption C. Test data D. NDA C. Test data A development team uses open-source software and follows an Agile methodology with two-week sprints. Last month, the security team filed a bug for an insecure version of a common library. The DevOps team updated the library on the server, and then the security team rescanned the server to verify it was no longer vulnerable. This month, the security team found the same vulnerability on the server. Which of the following should be done to correct the cause of the vulnerability? A. Deploy a WAF in front of the application. B. Implement a software repository management tool. C. Install a HIPS on the server. D. Instruct the developers to use input validation in the code. B. Implement a software repository management tool. Which of the following BEST describes the primary role of a risk assessment as it relates to compliance with risk-based frameworks? A. It demonstrates the organization's mitigation of risks associated with internal threats. B. It serves as the basis for control selection. C. It prescribes technical control requirements D. It is an input to the business impact assessment B. It serves as the basis for control selection. A security analyst discovers accounts in sensitive SaaS-based systems are not being removed in a timely manner when an employee leaves the organization. To BEST resolve the issue, the organization should implement: A. federated authentication. B. role-based access control. C. manual account reviews D. multifactor authentication. A. federated authentication A security analyst had received information from a third-party intelligence-sharing resource that indicates employee accounts were breached. Which of the following is the NEXT step the analyst should take to address the issue? A. Audit access permissions for all employees to ensure least privilege B. Force a password reset for the impacted employees and revoke any tokens. C. Configure SSO to prevent passwords from going outside the local network. D. Set up prevailed access management to ensure auditing is enabled B. Force a password reset for the impacted employees and revoke any tokens. Bootloader malware was recently discovered on several company workstations. All the workstations run Windows and are current models with UEFI capability. Which of the following UEFI settings is the MOST likely cause of the infections? A. Compatibility mode B. Secure boot mode C. Native mode D. Fast boot mode A. Compatibility mode A small electronics company decides to use a contractor to assist with the development of a new FPGA-based device. Several of the development phases will occur off-site at the contractor's labs. Which of the following is the main concern a security analyst should have with this arrangement? A. Making multiple trips between development sites increases the chance of physical damage to the FPGAs. B. Moving the FPGAs between development sites will less the time that is available for security testing. C. Development phases occurring at multiple sites may produce change management issues. D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft. D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft. During routing monitoring, a security analyst discovers several suspicious websites that are communicating with a local host. The analyst queries IP 192.168.50.2 for a 24-hour period: Time SRC DST Domain Bytes 6/26/19 10:01 192.168.50.2 138.10.2.5 50 6/26/19 11:05 192.168.50.2 138.10.2.5 1000 6/26/19 13:09 192.168.50.2 138.10.25.5 1000 6/26/19 15:13 192.168.50.2 172.10.2.5 1000 6/26/19 17:17 192.168.50.2 138.10.45.5 1000 6/26/19 23:45 192.168.50.2 172.10.3.5 50000 6/27/19 10:21 192.168.50.2 138.35.2.5 25 6/27/19 11:25 192.168.50.2 138.35.2.5 25 To further investigate, the analyst should request PCAP for SRC 192.168.50.2 and: A. DST 138.10.2.5 B. DST 138.10.25.5 C. DST 172.10.3.5 D. DST 172.10.45.5 E. DST 175.35.20.5 C. DST 172.10.3.5 During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website. Which of the following would be the MOST appropriate recommendation to prevent he activity from happening in the future? A. An IPS signature modification for the specific IP addresses B. An IDS signature modification for the specific IP addresses C. A firewall rule that will block port 80 traffic D. A firewall rule that will block traffic from the specific IP address D. A firewall rule that will block traffic from the specific IP address Because some clients have reported unauthorized activity of their accounts, a security analyst is reviewing network packet captures from the company's API server. A portion of a capture file is shown below: POST / services/v1_0/Public/M .,s:Body> <GetIPLocation+xmlns= <request+xmlns:a=+xmlns:i= s:Body> </s:Envelope> 192.168.1. 0 192.168.1.22 POST / services/v1_0/Public/M <a:ResetPasswordToken+i:nil="true"/><a:ShouldImpersonatedAuthenticationBepopulated+i:nil="true"/> <a:Username></a:Username></request></Login></s:Body></s:Envelope> 192.168.5.66 - - 192.168.4.89 POST / services/v1_0/Public/M <s:Envelop+xmlns:s= <a:Body><GetIPLocation+xmlns= 192.168.1.22 POST / services/v1_0/Public/M envelope/"> <a:Body><IsLoggedIn+xmlns+http:/// <Request+xmlns:a= XMLSchemasinstance"><a:Authentication><a:ApiToken>kmL4Krg2CwwWBan5BReGv5Djb7syxXTNKcWFuS jd</a:ApiToken> <a:ImpersonateUserID>0</a:ImpersonateUserID><a:LocationID></a:LocationId><a:NetworkId>4</ a:NetworkId> <a:ProviderId:' ' 1=1</a:ProviderId><a:UserId></aUserId></a:Authentication></request></ IsLoggedIn> </s:Body></s: Envelope> 192.168.5. 48 192.168.4.89 Which of the following MOST likely explains how the clients' accounts were compromised? A. The clients' authentication tokens were impersonated and replayed. B. The clients' usernames and passwords were transmitted in cleartext. C. An XSS scripting attack was carried out on the server. D. A SQL injection attack was carried out on the server. B. The clients' usernames and passwords were transmitted in cleartext. A storage area network (SAN) was inadvertently powered off while power maintenance was being performed in a datacenter. None of the systems should have lost all power during the maintenance. Upon review, it is discovered that a SAN administrator moved a power plug when testing the SAN's fault notification features. Which of the following should be done to prevent this issue from reoccurring? A. Ensure both power supplies on the SAN are serviced by separate circuits, so that if one circuit goes down, the other remains powered. B. Install additional batteries in the SAM power supplies with enough capacity to keep the system powered on during maintenance. C. Ensure power configuration is covered in the data center change management policy and have the SAN administrator review this policy D. Install a third power supply in the SAN so loss of any power input does not result in the SAN completely powering off. C. Ensure power configuration is covered in the data center change management policy and have the SAN administrator review this policy A security analyst is reviewing vulnerability scan results and notices new workstations are being flagged as having outdated antivirus signatures. The analyst observes the following plugin output: Antivirus is installed on the remote host: Installation path: C:Program FilesAVProductWin32 Product Engine: 14.12.101 Engine Version: 3.5.71 Scanner does not currently have information about AVProduct version 3.5.71. It may no Longer be supported. The analyst uses the vendor's website to confirm the oldest supported version is correct. Which of the following BEST describes the situation? A. This is a false positive, and the scanning plugin needs to be updated by the vendor. B. This is a true negative, and the new computers have the correct version of the software. C. This is a true positive, and the new computers were imaged with an old version of the software. D. This is a false negative, and the new computers need to be updated by the desktop team. A. This is a false positive, and the scanning plugin needs to be updated by the vendor. While planning segmentation for an ICS environment, a security engineer determines IT resources will need access to devices within the ICS environment without compromising security. To provide the MOST secure access model in this scenario, the jumpbox should be: A. placed in an isolated network segment, authenticated on the IT side, and forwarded into the ICS network. B. placed on the ICS network with a static firewall rule that allows IT network resources to authenticate. C. bridged between the IT and operational technology networks to allow authenticated access. D. Placed on the IT side of the network, authenticated, and tunneled into the ICS environment. A. placed in an isolated network segment, authenticated on the IT side, and forwarded into the ICS network. An analyst is participating in the solution analysis process for a cloud hosted SIEM platform to centralize log monitoring and alerting capabilities in the SOC. Which of the following is the BEST approach for supply chain assessment when selecting a vendor? A. Gather information from providers, including datacenter specifications and copies of the audit reports. B. Identify SLA requirements for monitoring and logging. C. Consult with senior management for recommendations. D. Perform a proof of concept to identify possible solutions. A. Gather information from providers, including datacenter specifications and copies of the audit reports. A security analyst is reviewing a web application. If an unauthenticated user tries to access a page in the application, the user is redirected to the login page. After successful authentication, the user is then redirected back to the original page. Some users have reported receiving phishing emails with a link that takes them to the application login page but then redirects to a fake login page after successful authentication. Which of the following will remediate this software vulnerability? A. Enforce unique session IDs for the application. B. Deploy a WAF in front of the web application. C. Check for and enforce the proper domain for the redirect. D. Use a parameterized query to check the credentials. E. Implement email filtering with anti-phishing protection. C. Check for and enforce the proper domain for the redirect. Which of the following would MOST likely be included in the incident response procedure after a security breach of customer PII? A. Human resources B. Public relations C. Marketing D. Internal network operations center B. Public relations When attempting to do a stealth scan against a system that does not respond to ping, which of the following Nmap commands BEST accomplishes that goal? A. nmap -sA -o <system> -noping B. nmap -sT -o <system> -po C. nmap -sS -o <system> -po D. nmap -sQ -o <system> -po C. nmap -sS -o <system> -po An information security analyst is reviewing backup data sets as part of a project focused on eliminating archival data sets. Which of the following should be considered FIRST prior to disposing of the electronic data? A. Sanitization policy B. Data sovereignty C. Encryption policy D. Retention standards D. Retention standards A development team signed a contract that requires access to an on-premises physical server. Access must be restricted to authorized users only and cannot be connected to the Internet. Which of the following solutions would meet this requirements? A. Establish a hosted SSO. B. Implement a CASB. C. Virtualize the server. D. Air gap the server. D. Air gap the server A security analyst suspects a malware infection was caused by a user who downloaded malware after clicking http://<malwaresource>/ in a phishing email. To prevent other computers from being infected by the same malware variation, the analyst should create a rule on the: A. email server that automatically deletes attached executables. B. IDS to match the malware sample. C. proxy to block all connections to <malwaresource> D. firewall to block connection attempts to dynamic DNS hosts. C. proxy to block all connections to <malwaresource> Which of the following assessment methods should be used to analyze how specialized software performs during heavy loads? A. Stress test B. API compatibility test C. Code review D. User acceptance test E. Input validation A. Stress test A monthly job to install approved vendor software updates and hot fixes recently stopped working. The security team performed a vulnerability scan, which identified several hosts as having some critical OS vulnerabilities, as referenced in the common vulnerabilities and exposures (CVE) database. Which of the following should the security team do NEXT to resolve the critical findings in the most effective manner? (Select TWO). A. Patch the required hosts with the correct updates and hot fixes, and rescan them for vulnerabilities. B. Remove the servers reported to have high and medium vulnerabilities. C. Tag the computers with critical findings as a business risk acceptance. D. Manually patch the computers on the network, as recommended on the CVE website. E. Harden the hosts on the network, as recommended by the NIST framework. F. Resolve the monthly job issues and test them before applying them to the production network. A. Patch the required hosts with the correct updates and hot fixes, and rescan them for vulnerabilities. F. Resolve the monthly job issues and test them before applying them to the production network.