Free CompTIA CS0-002 Practice Exam with Questions & Answers | Set: 5

A security information and event management (SIEM) system is a tool that collects and analyzes log data from various sources and provides alerts and reports on security incidents and events. A SIEM system can help the IT team to determine which devices are USB enabled by querying the log data for events related to USB device insertion, removal, or usage. The other options are not relevant or effective for this purpose. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 15; https://www.sans.org/reading-room/whitepapers/analyst/security-information-event-management-siem-implementation-33969

• F. A reverse shell was used: A reverse shell is a technique that allows a remote attacker to execute commands on a compromised system by opening a connection from the target to the attacker’s machine. The image shows that the attacker used the netcat tool to create a reverse shell on host 192.168.1.210, which is running a web server on port 80. The attacker then used the reverse shell to access the /images folder and download a file named secret.jpg.
• C. IP address 43.23.10.201 should be blocked at the firewall: IP address 43.23.10.201 is the source of the attack, as shown by the netstat command output in the image. The attacker used this IP address to connect to host 192.168.1.210 on port 80 and exploit a vulnerability in the web server software. Blocking this IP address at the firewall would prevent further attacks from this source.

A hash is a mathematical function that produces a unique value for a given input. A hash can be used to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive by comparing the hash values of both drives. If the hash values match, then the drives are identical. If the hash values differ, then there is some discrepancy between the drives. Inserting the hard drive on a test computer and booting the computer, recording the serial numbers of both hard drives, or comparing the file-directory listing of both hard drives are not reliable methods to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive. Reference: https://www.forensicswiki.org/wiki/Hashing

These steps are the best to confirm and respond to the incident because they preserve the state of the compromised server for further analysis and evidence collection. Pausing the virtual machine prevents any further changes or damage by the attacker, while taking a snapshot creates a copy of the virtual machine’s memory and disk contents.

A routine vulnerability scan is a process of identifying and assessing known vulnerabilities in a system or network using automated tools or software3 A vulnerability scan does not necessarily mean that there is an active threat or exploit on the system or network, but rather that there are potential weaknesses that could be exploited by attackers. The best next step after a routine vulnerability scan detected a known vulnerability in a critical enterprise web application is to evaluate the risk and criticality of the vulnerability, which means assessing the likelihood and impact of an exploit on the web application, and prioritizing the remediation actions based on the severity and urgency of the vulnerability.

This is most likely occurring based on the symptoms observed after a recent sales meeting. An insider threat is a person who has legitimate access to an organization’s network or data and uses it for malicious purposes, such as stealing, leaking, or sabotaging information. The symptoms suggest that someone from the sales team or someone who attended the meeting has copied sensitive corporate documents and uploaded them to the dark web using large data packets.

Option A shows a successful administrator login from an IP address that is not part of the organization’s network. This is a high reporting priority event, because it violates the organization’s policy that prohibits users from logging in to the administrator account and it could indicate a compromise of the administrator credentials or a malicious insider. Option B shows a failed administrator login from an IP address that is part of the organization’s network. This is a medium reporting priority event, because it could indicate an unauthorized attempt to access the administrator account. Option C shows a failed temporary elevated permission request from a user account that is part of the organization’s network. This is a low reporting priority event, because it could indicate a user error or a legitimate need for elevated permission that was denied. Option D shows a successful temporary elevated permission request from a user account that is part of the organization’s network. This is a non-reportable event, because it complies with the organization’s policy that allows users to escalate permission only as needed and on a temporary basis. Reference: https://www.sans.org/reading-room/whitepapers/logging/detecting-attacks-systems-microsoft-windows-event-logs-2074

A managerial control is a function of management that involves setting performance standards, measuring performance, and taking corrective actions when necessary. A managerial control helps to regulate the organizational activities and ensure that they are aligned with the organizational goals and objectives1. One of the functions of a managerial control is to help design and implement the security planning, program development, and maintenance of the security life cycle. The security life cycle is a process that defines the phases of security activities from initiation to disposal2. A managerial control can help to establish the security policies, procedures, roles, and responsibilities for each phase of the security life cycle. A managerial control can also help to monitor and evaluate the security performance and effectiveness of each phase and take corrective actions if needed.

Requests identified by a threat intelligence service with a bad reputation are likely to be malicious or suspicious, as they originate from sources that are known to be involved in cyberattacks or other malicious activities. These requests may indicate that an attacker is trying to exploit a vulnerability or perform reconnaissance on the web server.

Requests sent from the same IP address using different user agents are also likely to be malicious or suspicious, as they indicate that an attacker is trying to evade detection or bypass security controls by changing their browser or device identification. These requests may indicate that an attacker is using automated tools or scripts to scan or attack the web server.

Secure and thorough disposal can involve deleting or wiping all data from the hardware appliances, physically destroying or shredding them, or recycling them through certified vendors or programs. Compliance with company policies can help to ensure that the disposal follows the best practices and standards for data protection and environmental responsibility .

References: : https://www.bestbuy.com/site/services/recycling/pcmcat149900050025.c?id=pcmcat149900050025 : https://www.epa.gov/recycle/electronics-donation-and-recycling : https://www.techtarget.com/searchdatacenter/tip/A-6-step-guide-for-hardware-disposal