CompTIA CS0-002 Online Practice Questions and Exam Preparation

CompTIA CS0-002 Online Questions & Answers

• Question 621:

  A cybersecurity analyst needs to determine whether a large file named access log from a web server contains the following loC:

  ../../../../bin/bash

  Which of the following commands can be used to determine if the string is present in the log?

  A. echo access.log | grep "../../../../bin/bash"
  B. grep "../../../../bin/bash" 1 cat access.log
  C. grep "../../../. ./bin/bash" < access.log
  D. cat access.log > grep "../../../ ../bin/bash"
  C. grep "../../../. ./bin/bash" < access.log

• Question 622:

  A company's computer was recently infected with ransomware. After encrypting all documents, the malware logs a random AES-128 encryption key and associated unique identifier onto a compromised remote website. A ransomware code snippet is shown below:

  

  Based on the information from the code snippet, which of the following is the BEST way for a cybersecurity professional to monitor for the same malware in the future?

  A. Configure the company proxy server to deny connections to www.malwaresite.com.
  B. Reconfigure the enterprise antivirus to push more frequent to the clients.
  C. Write an ACL to block the IP address of www.malwaresite.com at the gateway firewall.
  D. Use an IDS custom signature to create an alert for connections to www.malwaresite.com.
  A. Configure the company proxy server to deny connections to www.malwaresite.com.

• Question 623:

  An insurance company employs quick-response team drivers that carry corporate-issued mobile devices with the insurance company's app installed on them. Devices are configuration-hardened by an MDM and kept up to date. The employees use the app to collect insurance claim information and process payments. Recently, a number of customers have filed complaints of credit card fraud against the insurance company, which occurred shortly after their payments were processed via the mobile app. The cyber-incident response team has been asked to investigate. Which of the following is MOST likely the cause?

  A. The MDM server is misconfigured.
  B. The app does not employ TLS.
  C. USB tethering is enabled.
  D. 3G and less secure cellular technologies are not restricted.
  B. The app does not employ TLS.

• Question 624:

  A security analyst is auditing firewall rules with the goal of scanning some known ports to check the firewall's behavior and responses. The analyst executes the following commands:

  #nmap -p22 -sS 10.0.1.200 #hping3 -S -c1 -p22 10.0.1.200 The analyst then compares the following results for port 22:

  1.

  nmap returns "Closed"

  2.

  hping3 returns "flags=RA"

  Which of the following BEST describes the firewall rule?

  A. DNAT ?to-destination 1.1.1.1:3000
  B. REJECT with ?tcp-reset
  C. LOG ?log-tcp-sequence
  D. DROP
  B. REJECT with ?tcp-reset

  ---

  Explanation/Reference:

  No doubt does the nmap result mean its being rejected as it returns closed. However, what threw me for a loop was the hping3 response. After further web surfing I found that the "flag=RA" means actually means "flag= RST, ACK" which means that it too was rejected.

• Question 625:

  A security analyst receives an alert from the SIEM about a possible attack happening on the network. The analyst opens the alert and sees the IP address of the suspected server as 192.168.54.66, which is part of the network 192.168.54.0/24. The analyst then pulls all the command history logs from that server and sees the following:

  $ route -n $ ifconfig -a $ ping 192.168.54.1 $ tcpdump 192.168.54.80 -nns

  $ hping -s 192.168.54.80 -c 3

  Which of the following activities is MOST likely happening on the server?

  A. A vulnerability scan
  B. Enumeration
  C. Fuzzing
  D. A MITM attack
  D. A MITM attack

• Question 626:

  In an effort to be proactive, an analyst has run an assessment against a sample workstation before auditors visit next month. The scan results are as follows:

  

  Based on the output of the scan, which of the following is the BEST answer?

  A. Failed credentialed scan
  B. Failed compliance check
  C. Successful sensitivity level check
  D. Failed asset inventory
  A. Failed credentialed scan

• Question 627:

  A security analyst is reviewing port scan data that was collected over the course of several months. The following data represents the trends:

  

  Which of the following is the BEST action for the security analyst to take after analyzing the trends?

  A. Review the system configurations to determine if port 445 needs to be open.
  B. Assume there are new instances of Apache in the environment.
  C. Investigate why the number of open SSH ports varied during the six months.
  D. Raise a concern to a supervisor regarding possible malicious use Of port 8443.
  C. Investigate why the number of open SSH ports varied during the six months.

  ---

  Explanation/Reference:

  According to the CompTIA CySA+ Certification Exam Study guide, the best action for the security analyst to take after analyzing the trends is to investigate why the number of open SSH ports varied during the six months. This could indicate that malicious actors are attempting to gain access to the system, and it would be important to find out the root cause of this activity in order to prevent further intrusions. Additionally, raising a concern to a supervisor regarding possible malicious use of port 8443 would also be a prudent step, as this port is often used by attackers. As stated in the study guide, "Monitoring network ports and traffic can provide insight into suspicious activity and may be necessary to identify malicious activities". Additionally, "Ports can be used to gain unauthorized access to a system, so it is important to monitor the ports and to take steps to ensure that only necessary ports are open".

• Question 628:

  Which of the following is MOST important when developing a threat hunting program?

  A. Understanding penetration testing techniques
  B. Understanding how to build correlation rules within a SIEM
  C. Understanding security software technologies
  D. Understanding assets and categories of assets
  D. Understanding assets and categories of assets

• Question 629:

  An organization that handles sensitive financial information wants to perform tokenization of data to enable the execution of recurring transactions. The organization is most interested m a secure, built- in device to support its solution. Which of the following would MOST likely be required to perform the desired function?

  A. TPM
  B. eFuse
  C. FPGA
  D. HSM
  E. UEFI
  D. HSM

• Question 630:

  A security analyst's company uses RADIUS to support a remote sales staff of more than 700 people. The Chief Information Security Officer (CISO) asked to have IPSec using ESP and 3DES enabled to ensure the confidentiality of the communication as per RFC 3162. After the implementation was complete, many sales users reported latency issues and other performance issues when attempting to connect remotely. Which of the following is occurring?

  A. The device running RADIUS lacks sufficient RAM and processing power to handle ESP implementation.
  B. RFC 3162 is known to cause significant performance problems.
  C. The IPSec implementation has significantly increased the amount of bandwidth needed.
  D. The implementation should have used AES instead of 3DES.
  A. The device running RADIUS lacks sufficient RAM and processing power to handle ESP implementation.