最新的CompTIA CS0-001免費考試真題

問題1

A security administrator uses FTK to take an image of a hard drive that is under investigation. Which of the following processes are used to ensure the image is the same as the original disk? (Choose two.)

A. Validate the folder and file directory listings on both.

B. Check the hash value between the image and the original.

C. Copy the data to a disk of the same size and manufacturer.

D. Boot up the image and the original systems to compare.

E. Connect a write blocker to the imaging device.

正確答案: B,D

問題2

A user received an invalid password response when trying to change the password. Which of the following policies could explain why the password is invalid?

A. Data ownership policy

B. Access control policy

C. Password policy

D. Account management policy

正確答案: C

問題3

A company has a popular shopping cart website hosted geographically diverse locations. The company has started hosting static content on a content delivery network (CDN) to improve performance. The CDN provider has reported the company is occasionally sending attack traffic to other CDN-hosted targets.
Which of the following has MOST likely occurred?

A. The company has been breached, and customer PII is being exfiltrated to the CDN.

B. The CDN provider has mistakenly performed a GeoIP mapping to the company.

C. The CDN provider has misclassified the network traffic as hostile.

D. A vulnerability scan has tuned to exclude web assets hosted by the CDN.

正確答案: A

問題4

Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, and how it was remediated, in addition to incident response effectiveness and any identified gaps needing improvement?

A. Chain of custody report

B. Trends analysis report

C. Lessons learned report

D. Forensic analysis report

正確答案: C

問題5

Ransomware is identified on a company's network that affects both Windows and MAC hosts. The command and control channel for encryption for this variant uses TCP ports from 11000 to 65000. The channel goes to good1. Iholdbadkeys.com, which resolves to IP address 72.172.16.2.
Which of the following is the MOST effective way to prevent any newly infected systems from actually encrypting the data on connected network drives while causing the least disruption to normal Internet traffic?

A. Block all outbound traffic on TCP ports 11000 to 65000 to IP host address 172.172.16.2 at the border gateway.

B. Block all outbound TCP connections to IP host address 172.172.16.2 at the border gateway.

C. Block all outbound traffic on TCP ports 11000 to 65000 at the border gateway.

D. Block all outbound traffic to web host good1 iholdbadkeys.com at the border gateway.

正確答案: D

問題6

A company discovers an unauthorized device accessing network resources through one of many network drops in a common area used by visitors.
The company decides that it wants to quickly prevent unauthorized devices from accessing the network but policy prevents the company from making changes on every connecting client.
Which of the following should the company implement?

A. Mandatory Access Control

B. Port security

C. Network Intrusion Prevention

D. WPA2

正確答案: B

問題7

A security analyst is concerned that employees may attempt to exfiltrate data prior to tendering their resignations. Unfortunately, the company cannot afford to purchase a data loss prevention (DLP) system. Which of the following recommendations should the security analyst make to provide defense-in-depth against data loss? (Select THREE).

A. Prevent users from using roaming profiles when changing workstations

B. Prevent users from accessing personal email and file-sharing sites via web proxy

C. Prevent users from copying data from workstation to workstation

D. Prevent Internet access on laptops unless connected to the network in the office or via VPN

E. Prevent flash drives from connecting to USB ports using Group Policy

F. Prevent users from being able to use the copy and paste functions

正確答案: B,D,E

問題8

A security audit revealed that port 389 has been used instead of 636 when connecting to LDAP for the authentication of users. The remediation recommended by the audit was to switch the port to 636 wherever technically possible. Which of the following is the BEST response?

A. Correct the audit. This finding is accurate, but the correct remediation is to update encryption keys on each of the servers to match port 636.

B. Change all devices and servers that support it to 636, as 389 is a reserved port that requires root access and can expose the server to privilege escalation attacks.

C. Change all devices and servers that support it to 636, as encrypted services run by default on 636.

D. Correct the audit. This finding is a well-known false positive; the services that typically run on 389 and 636 are identical.

正確答案: C

問題9

Which of the following countermeasures should the security administrator apply to MOST effectively mitigate Bootkit-level infections of the organization's workstation devices?

A. Install a secondary virus protection application.

B. Configure a BIOS-level password on the device.

C. Enforce a system state recovery after each device reboot.

D. Remove local administrator privileges.

正確答案: D

問題10

A cybersecurity analyst has received a report that multiple systems are experiencing slowness as a result of a DDoS attack. Which of the following would be the BEST action for the cybersecurity analyst to perform?

A. Continue monitoring critical systems.

B. Inform users regarding the affected systems.

C. Inform management of the incident.

D. Shut down all server interfaces.

正確答案: C

問題11

A technician receives the following security alert from the firewall's automated system:

After reviewing the alert, which of the following is the BEST analysis?

A. This alert indicates an endpoint may be infected and is potentially contacting a suspect host.

B. This alert was generated by the SIEM because the user attempted too many invalid login attempts.

C. This alert indicates a user was attempting to bypass security measures using dynamic DNS.

D. This alert is a false positive because DNS is a normal network function.

正確答案: A

問題12

A security audit revealed that port 389 has been used instead of 636 when connecting to LDAP for the authentication of users. The remediation recommended by the audit was to switch the port to 636 wherever technically possible. Which of the following is the BEST response?

A. Correct the audit. This finding is accurate, but the correct remediation is to update encryption keys on each of the servers to match port 636.

B. Change all devices and servers that support it to 636, as 389 is a reserved port that requires root access and can expose the server to privilege escalation attacks.

C. Change all devices and servers that support it to 636, as encrypted services run by default on 636.

D. Correct the audit. This finding is a well-known false positive; the services that typically run on 389 and 636 are identical.

正確答案: C

最新的CompTIA Cybersecurity Analyst (CySA+) Certification - CS0-001免費考試真題

聯系我們

站內鏈接

最新更新