Question 1

A security analyst is reviewing packet captures from a system that was compromised. The system was already isolated from the network, but it did have network access for a few hours after being compromised. When viewing the capture in a packet analyzer, the analyst sees the following:  Which of the following can the analyst conclude?
A) Malware is attempting to beacon to 128.50.100.3.
B) The system is running a DoS attack against ajgidwle.com.
C) The system is scanning ajgidwle.com for PII.
D) Data is being exfiltrated over DNS.

Accepted Answer

The answer of A security analyst is reviewing packet captures...

Question 2

A user's computer has been running slowly when the user tries to access web pages. A security analyst runs the command netstat -aon from the command line and receives the following output:  Which of the following lines indicates the computer may be compromised?
A) Line 1
B) Line 2
C) Line 3
D) Line 4
E) Line 5
F) Line 6

Accepted Answer

The answer of A user's computer has been running slowly...

Question 3

An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operation of the organization's production line. The legacy hardware does not have third-party support, and the OEM manufacturer of the controller is no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability. Which of the following would be the MOST appropriate to remediate the controller?
A) Segment the network to constrain access to administrative interfaces.
B) Replace the equipment that has third-party support.
C) Remove the legacy hardware from the network.
D) Install an IDS on the network between the switch and the legacy equipment.

Accepted Answer

The answer of An analyst is working with a network...

Question 4

An analyst is performing penetration testing and vulnerability assessment activities against a new vehicle automation platform. Which of the following is MOST likely an attack vector that is being utilized as part of the testing and assessment?
A) FaaS
B) RTOS
C) SoC
D) GPS
E) CAN bus

Accepted Answer

IoT devices also often run real-time operating systems (RTOS). These are either special purpose operating systems or variants of standard operating systems designed to process data rapidly as it arrives from sensors or other IoT components.

Question 5

A security analyst has received reports of very slow, intermittent access to a public-facing corporate server. Suspecting the system may be compromised, the analyst runs the following commands:  Based on the output from the above commands, which of the following should the analyst do NEXT to further the investigation?
A) Run crontab -r; rm -rf /tmp/.t to remove and disable the malware on the system. Run crontab -r; rm -rf /tmp/.t to remove and disable the malware on the system.
B) Examine the server logs for further indicators of compromise of a web application.
C) Run kill -9 1325 to bring the load average down so the server is usable again. kill -9 1325 to bring the load average down so the server is usable again.
D) Perform a binary analysis on the /tmp/.t/t file, as it is likely to be a rogue SSHD server. Perform a binary analysis on the /tmp/.t/t file, as it is likely to be a rogue SSHD server.

Accepted Answer

The answer of A security analyst has received reports of...

Question 6

A cybersecurity analyst is contributing to a team hunt on an organization's endpoints. Which of the following should the analyst do FIRST?
A) Write detection logic.
B) Establish a hypothesis.
C) Profile the threat actors and activities.
D) Perform a process analysis.

Accepted Answer

Establishing a hypothesis is the first step in a threat hunting process, as it guides the direction of the investigation and helps in identifying what to look for in the organization's endpoints.

Question 7

A security analyst received an alert from the SIEM indicating numerous login attempts from users outside their usual geographic zones, all of which were initiated through the web-based mail server. The logs indicate all domain accounts experienced two login attempts during the same time frame. Which of the following is the MOST likely cause of this issue?
A) A password-spraying attack was performed against the organization.
B) A DDoS attack was performed against the organization.
C) This was normal shift work activity; the SIEM's AI is learning.
D) A credentialed external vulnerability scan was performed.

Accepted Answer

A password-spraying attack involves attempting to log in to many accounts using a few common passwords, which aligns with the scenario of numerous login attempts across all domain accounts.

Question 8

Data spillage occurred when an employee accidentally emailed a sensitive file to an external recipient. Which of the following controls would have MOST likely prevented this incident?
A) SSO
B) DLP
C) WAF
D) VDI

Accepted Answer

DLP (Data Loss Prevention) controls would have most likely prevented this incident by monitoring and blocking the transmission of sensitive data to unauthorized recipients.

Question 9

A company was recently awarded several large government contracts and wants to determine its current risk from one specific APT. Which of the following threat modeling methodologies would be the MOST appropriate to use during this analysis?
A) Attack vectors
B) Adversary capability
C) Diamond Model of Intrusion Analysis
D) Kill chain
E) Total attack surface

Accepted Answer

The answer of A company was recently awarded several large...

Question 10

A security analyst for a large financial institution is creating a threat model for a specific threat actor that is likely targeting an organization's financial assets. Which of the following is the BEST example of the level of sophistication this threat actor is using?
A) Social media accounts attributed to the threat actor
B) Custom malware attributed to the threat actor from prior attacks
C) Email addresses and phone numbers tied to the threat actor
D) Network assets used in previous attacks attributed to the threat actor
E) IP addresses used by the threat actor for command and control

Accepted Answer

The answer of A security analyst for a large financial...

Question 11

Which of the following types of policies is used to regulate data storage on the network?
A) Password
B) Acceptable use
C) Account management
D) Retention

Accepted Answer

Retention policies are used to regulate how long data is stored on the network and when it should be deleted or archived.

Question 12

A security analyst has observed several incidents within an organization that are affecting one specific piece of hardware on the network. Further investigation reveals the equipment vendor previously released a patch. Which of the following is the MOST appropriate threat classification for these incidents?
A) Known threat
B) Zero day
C) Unknown threat
D) Advanced persistent threat

Accepted Answer

The answer of A security analyst has observed several incidents...

Question 13

A critical server was compromised by malware, and all functionality was lost. Backups of this server were taken; however, management believes a logic bomb may have been injected by a rootkit. Which of the following should a security analyst perform to restore functionality quickly?
A) Work backward, restoring each backup until the server is clean
B) Restore the previous backup and scan with a live boot anti-malware scanner
C) Stand up a new server and restore critical data from backups
D) Offload the critical data to a new server and continue operations

Accepted Answer

Standing up a new server and restoring critical data from backups ensures that the server is free from any potential logic bombs or rootkits, providing a clean and secure environment.

Question 14

An audit has revealed an organization is utilizing a large number of servers that are running unsupported operating systems. As part of the management response phase of the audit, which of the following would BEST demonstrate senior management is appropriately aware of and addressing the issue?
A) Copies of prior audits that did not identify the servers as an issue
B) Project plans relating to the replacement of the servers that were approved by management
C) Minutes from meetings in which risk assessment activities addressing the servers were discussed
D) ACLs from perimeter firewalls showing blocked access to the servers
E) Copies of change orders relating to the vulnerable servers

Accepted Answer

The answer of An audit has revealed an organization is...

Question 15

A security analyst is reviewing vulnerability scan results and notices new workstations are being flagged as having outdated antivirus signatures. The analyst observes the following plugin output: Antivirus is installed on the remote host: Installation path: C:\Program Files\AVProduct\Win32\ Product Engine: 14.12.101 Engine Version: 3.5.71 Scanner does not currently have information about AVProduct version 3.5.71. It may no longer be supported. The engine version is out of date. The oldest supported version from the vendor is 4.2.11. The analyst uses the vendor's website to confirm the oldest supported version is correct. Which of the following BEST describes the situation?
A) This is a false positive, and the scanning plugin needs to be updated by the vendor.
B) This is a true negative, and the new computers have the correct version of the software.
C) This is a true positive, and the new computers were imaged with an old version of the software.
D) This is a false negative, and the new computers need to be updated by the desktop team.

Accepted Answer

The answer of A security analyst is reviewing vulnerability scan...

Question 16

During an investigation, a security analyst identified machines that are infected with malware the antivirus was unable to detect. Which of the following is the BEST place to acquire evidence to perform data carving?
A) The system memory
B) The hard drive
C) Network packets
D) The Windows Registry

Accepted Answer

The system memory is the best place to acquire evidence for data carving because it contains the most recent and active data, including malware that may not be written to the hard drive yet. Memory forensics can reveal hidden or running processes and other artifacts that are not detectable by traditional antivirus solutions.

Question 17

A security team wants to make SaaS solutions accessible from only the corporate campus. Which of the following would BEST accomplish this goal?
A) Geofencing
B) IP restrictions
C) Reverse proxy
D) Single sign-on

Accepted Answer

The answer of A security team wants to make SaaS...

Question 18

A team of security analysts has been alerted to potential malware activity. The initial examination indicates one of the affected workstations is beaconing on TCP port 80 to five IP addresses and attempting to spread across the network over port 445. Which of the following should be the team's NEXT step during the detection phase of this response process?
A) Escalate the incident to management, who will then engage the network infrastructure team to keep them informed.
B) Depending on system criticality, remove each affected device from the network by disabling wired and wireless connections.
C) Engage the engineering team to block SMB traffic internally and outbound HTTP traffic to the five IP addresses.
D) Identify potentially affected systems by creating a correlation search in the SIEM based on the network traffic.

Accepted Answer

The next step in the detection phase is to identify potentially affected systems, which can be done by creating a correlation search in the SIEM based on the observed network traffic patterns.

Question 19

It is important to parameterize queries to prevent __________.
A) the execution of unauthorized actions against a database.
B) a memory overflow that executes code with elevated privileges.
C) the establishment of a web shell that would allow unauthorized access.
D) the queries from using an outdated library with security vulnerabilities.

Accepted Answer

Parameterizing queries is a technique used to prevent SQL injection attacks, which can lead to unauthorized actions against a database.

Question 20

A security analyst is reviewing the logs from an internal chat server. The chat.log file is too large to review manually, so the analyst wants to create a shorter log file that only includes lines associated with a user demonstrating anomalous activity. Below is a snippet of the log:  Which of the following commands would work BEST to achieve the desired result?
A) grep -v chatter14 chat.log
B) grep -i pythonfun chat.log
C) grep -i javashark chat.log
D) grep -v javashark chat.log
E) grep -v pythonfun chat.log
F) grep -i chatter14 chat.log

Accepted Answer

The answer of A security analyst is reviewing the logs...

Exam 5: CompTIA Cloud Essentials+

A user's computer has been running slowly when the user tries to access web pages. A security analyst runs the command netstat -aon from the command line and receives the following output: Which of the following lines indicates the computer may be compromised?

An analyst is performing penetration testing and vulnerability assessment activities against a new vehicle automation platform. Which of the following is MOST likely an attack vector that is being utilized as part of the testing and assessment?

A cybersecurity analyst is contributing to a team hunt on an organization's endpoints. Which of the following should the analyst do FIRST?

Data spillage occurred when an employee accidentally emailed a sensitive file to an external recipient. Which of the following controls would have MOST likely prevented this incident?

A company was recently awarded several large government contracts and wants to determine its current risk from one specific APT. Which of the following threat modeling methodologies would be the MOST appropriate to use during this analysis?

A security analyst for a large financial institution is creating a threat model for a specific threat actor that is likely targeting an organization's financial assets. Which of the following is the BEST example of the level of sophistication this threat actor is using?

Which of the following types of policies is used to regulate data storage on the network?

A critical server was compromised by malware, and all functionality was lost. Backups of this server were taken; however, management believes a logic bomb may have been injected by a rootkit. Which of the following should a security analyst perform to restore functionality quickly?

An audit has revealed an organization is utilizing a large number of servers that are running unsupported operating systems. As part of the management response phase of the audit, which of the following would BEST demonstrate senior management is appropriately aware of and addressing the issue?

During an investigation, a security analyst identified machines that are infected with malware the antivirus was unable to detect. Which of the following is the BEST place to acquire evidence to perform data carving?

A security team wants to make SaaS solutions accessible from only the corporate campus. Which of the following would BEST accomplish this goal?

It is important to parameterize queries to prevent __________.