CompTIA CompTIA Certifications CS0-002 Questions & Answers

• Question 691:

  A security analyst was transferred to an organization's threat-hunting team to track specific activity throughout the enterprise environment The analyst must observe and assess the number ot times this activity occurs and aggregate the results. Which of the following is the BEST threat-hunting method for the analyst to use?

  A. Stack counting

  B. Searching

  C. Clustering

  D. Grouping

  Correct Answer: A

• Question 692:

  During the threal modeling process for a new application that a company is launching, a security analyst needs to define methods and items to take into consideralion. Whitch of the following are part of a known threat modeling method?

  A. Threat profile, infrastructure and application vulnerabilities, security strategy and plans

  B. Purpose, objective, scope, (earn management, cost, roles and responsibilities

  C. Spoofing tampering, repudiation, information disclosure, denial of service elevation of privilege

  D. Human impact, adversary's motivation, adversary's resources, adversary's methods

  Correct Answer: C

• Question 693:

  A code review reveals a web application is using time-based cookies for session management. This is a security concern because time-based cookies are easy to:

  A. parameterize.

  B. decode.

  C. guess.

  D. decrypt.

  Correct Answer: B

• Question 694:

  A security analyst is reviewing WAF alerts and sees the following request:

  Request="GET /public/report.html?iewt=9064 AND 1=1 UNION ALL SELECT 1,NULL,table_name FROM information_schema.tables WHERE 2>1--/**/; HTTP/1.1 Host=mysite.com

  Which of the following BEST describes the attack?

  A. SQL injection

  B. LDAP injection

  C. Command iniection

  D. Denial of service

  Correct Answer: A

  This request is likely an attempt to perform an SQL injection attack.

  SQL injection attacks involve injecting malicious code into an application's SQL database in order to execute unauthorized commands or access sensitive data. The request shown in the example appears to be attempting to perform an SQL injection attack by appending malicious code to the end of a legitimate SQL query. The code "UNION ALL SELECT 1, NULL, table_name FROM information_schema.tables WHERE 2>1--" is attempting to retrieve the names of tables in the database, and the "--" at the end is used to comment out the rest of the query and prevent it from being executed.

  Overall, this request appears to be an attempt to perform an SQL injection attack on the application.

• Question 695:

  An organization prohibits users from logging in to the administrator account. If a user requires elevated permissions. the user's account should be part of an administrator group, and the user should escalate permission only as needed and on a temporary basis. The organization has the following reporting priorities when reviewing system activity:

  1.

  Successful administrator login reporting priority - high

  2.

  Failed administrator login reporting priority - medium

  3.

  Failed temporary elevated permissions - low

  4.

  Successful temporary elevated permissions - non-reportable

  A security analyst is reviewing server syslogs and sees the following:

  

  Which of the following events is the HIGHEST reporting priority?

  A. <100>2 2020-01-10T20:36:01.010Z financeserver sudo 201 32001 - BOM 'sudo vi users.txt' success

  B. <100>2 2020-01-10T21:18:34.002Z adminserver sudo 201 32001 - BOM 'sudo more /etc/passwords' success

  C. <100>2 2020-01-10T19:33:48.002Z webserver su 201 32001 - BOM 'su' success

  D. <100>2 2020-01-10T21:53:11.002Z financeserver su 201 32001 - BOM 'su vi syslog.conf failed for joe

  Correct Answer: C

  According to the organization's reporting priorities, a successful administrator login is a high priority, and a failed administrator login is a medium priority. In this log message, the user is attempting to log in to the administrator account using the "su" command, which suggests that the user is attempting to gain elevated privileges. Therefore, this event is a failed administrator login, which is a medium reporting priority.

  In comparison, the other log messages in the choices provided involve the use of the "sudo" command, which indicates that the user is attempting to temporarily escalate permissions rather than logging in to the administrator account. As such, these events would not be considered administrator login events and would not be considered high or medium reporting priorities. Instead, they would be considered temporary elevated permissions events, which have a low or non-reportable reporting priority according to the organization's reporting priorities.

• Question 696:

  A developer downloaded and attempted to install a file transfer application in which the installation package is bundled with acKvare. The next-generation antivirus software prevented the file from executing, but it did not remove the file from the device. Over the next few days, more developers tried to download and execute the offending file. Which of the following changes should be made to the security tools to BEST remedy the issue?

  A. Blacklist the hash in the next-generation antivirus system.

  B. Manually delete the file from each of the workstations.

  C. Remove administrative rights from all developer workstations.

  D. Block the download of the fie via the web proxy

  Correct Answer: D

• Question 697:

  While conducting a cloud assessment, a security analyst performs a Prowler scan, which generates the following within the report:

  

  Based on the Prowler report, which of the following is the BEST recommendation?

  A. Delete CloudDev access key 1.

  B. Delete BusinessUsr access key 1.

  C. Delete access key 1.

  D. Delete access key 2.

  Correct Answer: B

• Question 698:

  Which of the following is a difference between SOAR and SCAP?

  A. SOAR can be executed taster and with fewer false positives than SCAP because of advanced heunstics

  B. SOAR has a wider breadth of capability using orchestration and automation, while SCAP is more limited in scope

  C. SOAR is less expensive because process and vulnerability remediation is more automated than what SCAP does

  D. SOAR eliminates the need for people to perform remediation, while SCAP relies heavily on security analysts

  Correct Answer: B

• Question 699:

  A consultant evaluating multiple threat intelligence leads to assess potential risks for a client. Which of the following is the BEST approach for the consultant to consider when modeling the client's attack surface?

  A. Ask for external scans from industry peers, look at the open ports, and compare Information with the client.

  B. Discuss potential tools the client can purchase lo reduce the livelihood of an attack.

  C. Look at attacks against similar industry peers and assess the probability of the same attacks happening.

  D. Meet with the senior management team to determine if funding is available for recommended solutions.

  Correct Answer: C

• Question 700:

  A company frequently expenences issues with credential stuffing attacks.

  Which of the following is the BEST control to help prevent these attacks from being successful?

  A. SIEM

  B. IDS

  C. MFA

  D. TLS

  Correct Answer: C