Question 1

A company is required to monitor for unauthorized changes to baselines on all assets to comply with industry regulations. Two of the remote units did not recover after scans were performed on the assets. An analyst needs to recommend a solution to prevent recurrence. Which of the following is the best way to satisfy the regulatory requirement without impacting the availability to similar assets and creating an unsustainable process?

AManually review the baselines daily and document the results in a change history log

BDocument exceptions with compensating controls to demonstrate the risk mitigation efforts.

CImplement a new scanning technology to satisfy the monitoring requirement and train the team.

DPurchase new remote units from other vendors with a proven ability to support scanning requirements.
A) Manually review the baselines daily and document the results in a change history log is not correct. This option would not prevent the recurrence of the problem, as it does not address the root cause of why the remote units did not recover after scans were performed. Moreover, this option would create an unsustainable process, as it would require a lot of time and resources to manually review and document the baselines of all assets on a daily basis.
C) Implement a new scanning technology to satisfy the monitoring requirement and train the team is not correct. This option would not guarantee that the problem would not recur, as it is possible that the new scanning technology would also cause issues with the remote units or other assets. Furthermore, this option would incur additional costs and efforts to acquire, deploy, and maintain the new scanning technology and train the team on how to use it.
D) Purchase new remote units from other vendors with a proven ability to support scanning requirements is not correct. This option would not be feasible or cost-effective, as it would require replacing all the remote units with new ones from different vendors. This option would also introduce new risks and challenges, such as compatibility, interoperability, or vendor lock-in.

Answer : B

Question 2

A cybersecurity analyst inspects DNS logs on a regular basis to identify possible IOCs that are not triggered by known signatures. The analyst reviews the following log snippet:

Which of the following should the analyst do next based on the information reviewed?

AThe analyst should disable DNS recursion.

BThe analyst should block requests to no---thanks. invalid.

CThe analyst should disconnect host 192.168.1.67.

DThe analyst should sinkhole 102.100.20.20.

EThe analyst should disallow queries to the 8.8.8.8 resolver.
A) The analyst should disable DNS recursion is not correct.DNS recursion is a process where a DNS server queries other DNS servers on behalf of a client until it finds the authoritative answer for a domain name2. Disabling DNS recursion would prevent the DNS server from resolving any domain names that are not in its cache or zone files, which would affect the normal functionality of the network and the internet access of the clients.
C) The analyst should disconnect host 192.168.1.67 is not correct. Disconnecting host 192.168.1.67 would stop the communication with the malicious domain, but it would also disrupt the legitimate activities of the host and its user. Moreover, disconnecting the host would not remove the malware or root cause of the compromise, and it would not prevent the host from reconnecting to the malicious domain once it is online again.
D) The analyst should sinkhole 102.100.20.20 is not correct.Sinkholing is a technique that redirects malicious or unwanted traffic to a controlled destination, such as a fake or isolated server3. Sinkholing 102.100.20.20 would prevent the communication with the malicious domain, but it would also require access and control over the public resolver 8.8.8.8, which is not owned or managed by the analyst or the company.
E) The analyst should disallow queries to the 8.8.8.8 resolver is not correct. Disallowing queries to the 8.8.8.8 resolver would prevent the communication with the malicious domain, but it would also affect the resolution of other legitimate domain names that are not in the local DNS server's cache or zone files.
1:DNS Tunneling: how DNS can be (ab)used by malicious actors2:What Is DNS Recursion?3:What Is a Sinkhole Attack?

Answer : B

Question 3

An analyst needs to understand how an attacker compromised a server. Which of the following procedures will best deliver the information that is necessary to reconstruct the steps taken by the attacker?

AScan the affected system with an anti-malware tool and check for vulnerabilities with a vulnerability scanner.

BExtract the server's system timeline, verifying hashes and network connections during a certain time frame.

CClone the entire system and deploy it in a network segment built for tests and investigations while monitoring the system during a certain time frame.

DClone the server's hard disk and extract all the binary files, comparing hash signatures with malware databases.

Answer : B

Question 4

An intrusion detection analyst reported an inbound connection originating from an unknown IP address recorded on the VPN server for multiple internal hosts. During an investigation, a security analyst determines there were no identifiers associated with the hosts. Which of the following should the security analyst enforce to obtain the best information?

AUpdate the organization's IP table.

BEnable user access logging.

CShut down all VPN connections.

DCreate rules for the Active Directory.

Answer : B

Question 5

Which of the following is the best method to ensure secure boot UEFI features are enabled to prevent boot malware?

AEnable secure boot in the hardware and reload the operating system.

BReconfigure the system's MBR and enable NTFS.

CSet I-JEFI to legacy mode and enable security features.

DConvert the legacy partition table to UEFI and repair the operating system.
B) Reconfigure the system's MBR and enable NTFS is not correct. MBR stands for Master Boot Record, and it is a legacy partitioning scheme that stores information about the partitions and the boot loader on a disk. NTFS stands for New Technology File System, and it is a file system that supports features such as encryption, compression, and access control. Reconfiguring the system's MBR and enabling NTFS would not enable secure boot UEFI features, as they are not related to UEFI or secure boot.Moreover, MBR is incompatible with UEFI, as UEFI requires a different partitioning scheme called GPT (GUID Partition Table)3.
C) Set UEFI to legacy mode and enable security features is not correct. Legacy mode is a compatibility mode that allows UEFI systems to boot using legacy BIOS methods. Legacy mode disables some of the features and benefits of UEFI, such as secure boot, faster boot time, or larger disk support. Setting UEFI to legacy mode would not enable secure boot UEFI features, but rather disable them.
D) Convert the legacy partition table to UEFI and repair the operating system is not correct. Converting the legacy partition table to UEFI means changing the partitioning scheme from MBR to GPT, which is required for UEFI systems to boot. However, this alone would not enable secure boot UEFI features, as it also depends on the firmware settings and the operating system support. Repairing the operating system may or may not fix any issues caused by converting the partition table, but it would not necessarily enable secure boot either.
1:What Is Secure Boot?2:How to Enable Secure Boot3:MBR vs GPT: Which One Is Better for You?: [UEFI vs Legacy BIOS -- The Ultimate Comparison Guide]

Answer : A

Free CS0-002 Questions for CompTIA CS0-002 Exam as PDF & Practice Test Software

Question 1

Question 2

Question 3

Question 4

Question 5