CS0-002 Exam Details

  • Exam Code: CS0-002
  • Exam Name: CompTIA Cybersecurity Analyst (CySA+)
  • Certification: CompTIA Certifications
  • Vendor: CompTIA
  • Total Questions: 1059 Q&As
  • Last Updated: May 30, 2026

CompTIA CS0-002 Online Questions & Answers

  • Question 781:

    The following output is from a tcpdump at the edge of the corporate network:

    Which of the following best describes the potential security concern?

    A. Payload lengths may be used to overflow buffers enabling code execution.
    B. Encapsulated traffic may evade security monitoring and defenses
    C. This traffic exhibits a reconnaissance technique to create network footprints.
    D. The content of the traffic payload may permit VLAN hopping.

  • Question 782:

    Which of the following roles is ultimately responsible for determining the classification levels assigned to specific data sets?

    A. Data custodian
    B. Data owner
    C. Data processor
    D. Senior management

  • Question 783:

    A company has a popular shopping cart website hosted in geographically diverse locations. The company has started hosting static content on a content delivery network (CDN) to improve performance. The CDN provider has reported that the company is occasionally sending attack traffic to other CDN-hosted targets.

    Which of the following has MOST likely occurred?

    A. The CDN provider has mistakenly performed a GeoIP mapping to the company.
    B. The CDN provider has misclassified the network traffic as hostile.
    C. A vulnerability scan has been tuned to exclude web assets hosted by the CDN.
    D. The company has been breached, and customer PII is being exfiltrated to the CDN.

  • Question 784:

    A cybersecurity consultant is reviewing the following output from a vulnerability scan against a newly installed MS SQL Server 2012 that is slated to go into production in one week:

    Based on the above information, which of the following should the system administrator do? (Select TWO).

    A. Verify the vulnerability using penetration testing tools or proof-of-concept exploits.
    B. Review the references to determine if the vulnerability can be remotely exploited.
    C. Mark the result as a false positive so it will show in subsequent scans.
    D. Configure a network-based ACL at the perimeter firewall to protect the MS SQL port.
    E. Implement the proposed solution by installing Microsoft patch Q316333.

  • Question 785:

    A cybersecurity analyst has several log files to review. Instead of using grep and cat commands, the analyst decides to find a better approach to analyze the logs. Given a list of tools, which of the following would provide a more efficient way for the analyst to conduct a timeline analysis, do keyword searches, and output a report?

    A. Kali
    B. Splunk
    C. Syslog
    D. OSSIM

  • Question 786:

    A security analyst receives a report indicating a system was compromised due to malware that was downloaded from the internet using TFTP. The analyst is instructed to block TFTP at the corporate firewall. Given the following portion of the current firewall rule set:

    Which of the following rules should be added to accomplish this goal?

    A. UDP ANY ANY ANY 20 Deny
    B. UDP ANY ANY 69 69 Deny
    C. UDP ANY ANY 67 68 Deny
    D. UDP ANY ANY ANY 69 Deny
    E. UDP ANY ANY ANY 69 Deny

  • Question 787:

    A cybersecurity analyst is hired to review the security posture of a company. The cybersecurity analyst notices a very high network bandwidth consumption due to SYN floods from a small number of IP addresses.

    Which of the following would be the BEST action to take to support incident response?

    A. Increase the company's bandwidth.
    B. Apply ingress filters at the routers.
    C. Install a packet capturing tool.
    D. Block all SYN packets.

  • Question 788:

    The Chief Executive Officer (CEO) of a large insurance company has reported that phishing emails containing malicious links are targeting the entire organization. Which of the following actions would work BEST to prevent this type of attack?

    A. Turn on full behavioral analysis to avert an infection
    B. Implement an EDR mail module that will rewrite and analyze email links.
    C. Reconfigure the EDR solution to perform real-time scanning of all files
    D. Ensure EDR signatures are updated every day to avert infection.
    E. Modify the EDR solution to use heuristic analysis techniques for malware.

  • Question 789:

    During a review of security controls, an analyst was able to connect to an external, unsecured FTP server from a workstation. The analyst was troubleshooting and reviewed the ACLs of the segment firewall the workstation is connected to:

    Based on the ACLs above, which of the following explains why the analyst was able to connect to the FTP server?

    A. FTP was explicitly allowed in Seq 8 of the ACL.
    B. FTP was allowed in Seq 10 of the ACL.
    C. FTP was allowed as being included in Seq 3 and Seq 4 of the ACL.
    D. FTP was allowed as being outbound from Seq 9 of the ACL.

  • Question 790:

    A security analyst is reviewing WAF logs and notes requests against the corporate website are increasing and starting to impact the performance of the web server. The security analyst queries the logs for requests that triggered an alert on the WAF but were not blocked.

    Which of the following possible TTP combinations might warrant further investigation? (Select TWO).

    A. Requests identified by a threat intelligence service with a bad reputation
    B. Requests sent from the same IP address using different user agents
    C. Requests blocked by the web server per the input sanitization
    D. Failed log-in attempts against the web application
    E. Requests sent by NICs with outdated firmware
    F. Existence of HTTP/501 status codes generated to the same IP address

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CS0-002 exam preparation or CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions.