CompTIA CySA+ CS0-003 (CS0-003) — Questions 226–300

503 questions total · 7 pages · All types, answers revealed

Page 4 of 7

Page 5
226
MCQ · hard

An incident may involve regulated personal data. Who should be engaged early to determine notification obligations? If the primary audience is the SOC manager, which content choice is most appropriate?

A. Only the facilities manager
B. Only the vulnerability scanner vendor
C. Only the graphic design team
D. Legal, privacy, and compliance stakeholders
Answer: D

Notification decisions depend on law, contract, data type, jurisdiction, and timing. The report should be tuned to the SOC manager while preserving factual accuracy.

Why this answer

When an incident involves regulated personal data (e.g., PII, PHI, or GDPR-protected data), legal, privacy, and compliance stakeholders must be engaged early to determine notification obligations. These stakeholders interpret breach notification laws (such as HIPAA, GDPR, or CCPA) and advise on required timelines, affected parties, and regulatory reporting. The SOC manager needs this input to ensure the incident response plan aligns with legal mandates, not just technical containment.

Exam trap

Cisco often tests the misconception that technical teams (e.g., vulnerability scanner vendors) or non-IT departments (e.g., facilities) are responsible for legal compliance decisions, when in fact only legal, privacy, and compliance stakeholders have the authority to determine notification obligations.

How to eliminate wrong answers

Option A is wrong because the facilities manager handles physical security and building access, not data privacy regulations or breach notification laws. Option B is wrong because the vulnerability scanner vendor provides technical scanning tools but has no authority or expertise to determine legal notification obligations for regulated data. Option C is wrong because the graphic design team creates visual assets and has no role in incident response or compliance decisions regarding personal data breaches.

227
MCQ · hard

An analyst views the above SIEM logs from a Linux server. Which of the following attacks is MOST likely occurring?

A. Man-in-the-middle attack intercepting credentials
B. SQL injection through the web application
C. Brute force attack leading to credential compromise and malware installation
D. Denial of service attack against the SSH service
Answer: C

Failed logins then success, then download of suspicious file.

Why this answer

The SIEM logs show repeated failed SSH login attempts from multiple IP addresses, followed by a successful login and then a wget command to download a suspicious file, indicating a brute force attack that succeeded, leading to credential compromise and subsequent malware installation. This pattern matches the typical lifecycle of a brute force attack against SSH services, where an attacker gains access and then stages malware.

Exam trap

CompTIA often tests the distinction between a brute force attack and a denial of service attack by including a successful login event, which eliminates DoS as the answer since DoS does not involve credential compromise or post-exploitation activity.

How to eliminate wrong answers

Option A is wrong because a man-in-the-middle attack intercepting credentials would typically involve ARP spoofing or SSL stripping, not repeated SSH login attempts from diverse IPs followed by a file download. Option B is wrong because SQL injection attacks target web application parameters (e.g., HTTP GET/POST) and would not generate SSH authentication logs or wget commands. Option D is wrong because a denial of service attack against SSH would flood the service with connection requests to exhaust resources, not result in a single successful login and subsequent file download.

228
Matching · medium

Match each threat intelligence source to its description.

Descriptions

Publicly available information

Sector-specific sharing community

Structured language for cyber threat intelligence

Protocol for exchanging threat intelligence

Open-source threat intelligence platform

Why these pairings

These terms are key to understanding threat intelligence sharing and formats.

229
MCQ · hard

During a post-compromise review, after containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible? Which action should be prioritized before closure?

A. Reconnect the host because users need it
B. Disable logging to improve performance
C. Close the incident after isolation
D. Remove persistence, rotate affected credentials, and verify no related hosts remain compromised
Answer: D

Recovery should follow eradication of persistence and credential exposure. In containment, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because after containing a compromised host, the recovery phase requires removing the persistence mechanism (the scheduled task), rotating the stolen service account credentials to prevent re-authentication, and verifying that no other hosts are compromised via the same lateral movement path. This ensures the attacker cannot regain access and that the incident is fully remediated before closure.

Exam trap

Cisco often tests the misconception that isolation alone is sufficient for closure, but the trap here is that recovery requires active remediation steps (removing persistence and rotating credentials) before the incident can be formally closed.

How to eliminate wrong answers

Option A is wrong because reconnecting the host without removing persistence and rotating credentials would allow the attacker to regain access immediately, violating containment and recovery best practices. Option B is wrong because disabling logging would destroy forensic evidence and blind the security team to ongoing malicious activity, which is never acceptable during incident response. Option C is wrong because closing the incident after isolation without removing persistence and rotating credentials leaves the backdoor active, meaning the attacker can still use the scheduled task and stolen account to re-enter the environment.

230
MCQ · medium

A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A. Delete all audit logs to reduce liability
B. Wait for the next quarterly review
C. Restrict public access and determine whether sensitive data was accessed
D. Rotate database administrator passwords only
Answer: C

The priority is exposure containment and impact assessment.

Why this answer

Option C is correct because the immediate priority is to restrict public read access to the storage bucket to stop any ongoing unauthorized data exposure. The team must then determine whether sensitive data was accessed by reviewing access logs (e.g., AWS CloudTrail or S3 server access logs) to assess the scope of the breach. This aligns with incident response best practices: contain the threat first, then investigate.

Exam trap

Cisco often tests the misconception that rotating passwords or deleting logs is a valid first step, when in fact the correct first action is always to contain the vulnerability (restrict access) before investigating or performing unrelated administrative tasks.

How to eliminate wrong answers

Option A is wrong because deleting audit logs destroys forensic evidence, violates compliance requirements (e.g., GDPR, PCI DSS), and increases liability by obstructing investigation. Option B is wrong because waiting for a quarterly review leaves sensitive data exposed for months, violating the principle of timely remediation and increasing risk of data exfiltration. Option D is wrong because rotating database administrator passwords does not address the public read access on the storage bucket; it is an unrelated control that does not mitigate the exposure of customer exports.

231
MCQ · medium

Refer to the exhibit. An analyst sees this alert in the SIEM console. What is the best immediate action?

A. Update the Suricata signature to block the traffic.
B. Run a full antivirus scan on destination host 10.0.0.1.
C. Isolate the source host 10.0.0.5 from the network.
D. Escalate the alert to the incident response team.
Answer: D

Escalation ensures proper investigation and containment by the designated team.

Why this answer

Option D is correct because the alert indicates a potential security incident that requires formal escalation to the incident response team for proper triage, analysis, and containment. The SIEM alert likely contains indicators of compromise (IoCs) that need expert investigation before any automated or manual remediation steps are taken, as premature actions could destroy forensic evidence or disrupt legitimate services.

Exam trap

CompTIA often tests the candidate's understanding of the incident response process hierarchy, where the trap is that candidates confuse immediate containment actions (like isolation) with the correct first step of escalation, failing to recognize that analysts must first report and escalate before taking technical actions.

How to eliminate wrong answers

Option A is wrong because updating a Suricata signature to block traffic is a reactive, long-term tuning action that should only be performed after the incident is fully analyzed and confirmed; it does not address the immediate need to investigate the alert. Option B is wrong because running a full antivirus scan on the destination host (10.0.0.1) is a secondary step that may be part of remediation, but it is not the best immediate action—the source host (10.0.0.5) is the likely origin of the threat, and scanning alone cannot stop an active attack. Option C is wrong because isolating the source host (10.0.0.5) from the network is a containment action that should be directed by the incident response team after proper analysis, not taken unilaterally by the analyst without understanding the full context, as it could disrupt business operations or alert the attacker.

232
MCQ · easy

A server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible?

A. Volatile memory and active network/process state
B. Marketing screenshots
C. Archived monthly reports
D. The office seating plan
Answer: A

Fileless malware may reside in memory; volatile evidence disappears when the system is powered off. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

Volatile memory (RAM) and active network/process state must be captured first because fileless malware resides only in memory and leaves no persistent artifacts on disk. Any shutdown or reboot would destroy this evidence, making it impossible to analyze the malware's behavior, network connections, or injected processes. This follows the forensic order of volatility (RFC 3227), which mandates capturing the most volatile data first.

Exam trap

Cisco often tests the order of volatility (RFC 3227) by presenting plausible but non-volatile evidence options, tricking candidates into thinking disk-based artifacts are acceptable when memory must be captured first.

How to eliminate wrong answers

Option B is wrong because marketing screenshots are irrelevant to forensic evidence collection and contain no technical data about malware execution. Option C is wrong because archived monthly reports are static, non-volatile data stored on disk, which would not contain the runtime state of fileless malware that exists only in memory. Option D is wrong because the office seating plan has no bearing on digital forensic evidence collection or malware analysis.

233
MCQ · easy

A vulnerability scan identifies a critical unauthenticated remote-code-execution flaw on an internet-facing VPN appliance that is actively exploited in the wild. Several internal-only medium vulnerabilities are also present. What should be remediated first? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A. Patch or mitigate the VPN appliance immediately and verify exposure is removed
B. Start with the oldest medium vulnerability
C. Remediate only low-risk internal findings to improve closure rate
D. Defer all remediation until the monthly patch window
Answer: A

Internet exposure plus active exploitation makes this the highest-risk item despite other findings.

Why this answer

The critical unauthenticated remote-code-execution vulnerability on an internet-facing VPN appliance is actively exploited in the wild, posing an immediate risk of complete compromise. Remediation must be prioritized based on severity, exploitability, and exposure, making immediate patching or mitigation the only defensible first step.

Exam trap

The trap here is that candidates may choose to defer remediation to a scheduled patch window (Option D) due to change management policies, but the question explicitly requires prioritizing based on active exploitation and critical severity, overriding standard scheduling.

How to eliminate wrong answers

Option B is wrong because prioritizing the oldest medium vulnerability ignores the active exploitation and critical severity of the VPN flaw, which could lead to a full network breach. Option C is wrong because remediating only low-risk internal findings to improve closure rate is a metric-gaming approach that leaves the most dangerous vulnerability unaddressed, violating risk management principles. Option D is wrong because deferring all remediation until the monthly patch window would leave a critical, actively exploited flaw exposed for an unacceptable period, likely resulting in a security incident.

234
MCQ · easy

The CISO asks whether incident response is improving quarter over quarter. Which metric is most relevant? If the primary audience is the technical remediation owner, which content choice is most appropriate?

A. Total coffee consumed by analysts
B. Mean time to detect, mean time to respond, containment time, and recurrence rate
C. Number of desktop wallpapers changed
D. Number of unused dashboards
Answer: B

These KPIs show detection and response effectiveness over time. The report should be tuned to the technical remediation owner while preserving factual accuracy.

Why this answer

Mean time to detect (MTTD), mean time to respond (MTTR), containment time, and recurrence rate are the standard metrics for measuring incident response effectiveness. These directly quantify how quickly threats are identified, contained, and whether they return, providing clear quarter-over-quarter trend data for the CISO. For a technical remediation owner, these same metrics are actionable, as they pinpoint where to improve detection rules, response playbooks, and patch cycles.

Exam trap

Cisco often tests the distinction between vanity metrics (like coffee consumption or dashboard counts) and operational metrics that directly measure the security team's performance in detection, response, and prevention.

How to eliminate wrong answers

Option A is wrong because total coffee consumed by analysts is a non-technical, irrelevant metric that does not measure any aspect of incident response performance or improvement. Option C is wrong because number of desktop wallpapers changed has no bearing on security operations, detection, or remediation effectiveness. Option D is wrong because number of unused dashboards is a measure of SIEM or reporting hygiene, not a direct indicator of incident response speed, containment, or recurrence.

235
Multi-Select · hard

A malware alert shows a signed binary performing suspicious actions. Which facts help decide whether it is living-off-the-land abuse? (Choose two.)

Select 2 answers
A. The binary is normally administrative but launched from an unusual parent process
B. The command line performs download, encode, dump, or remote-execution behaviour
C. The binary has a familiar vendor name only
D. The endpoint wallpaper is unchanged
Answers: A, B

Parent context can indicate abuse of legitimate tools.

Why this answer

Option A is correct because living-off-the-land (LotL) abuse often involves legitimate administrative binaries (e.g., PowerShell, certutil, wmic) being executed from an unexpected parent process, such as a Microsoft Office application or a script host. This deviation from the normal process tree (e.g., cmd.exe or explorer.exe spawning the binary) is a strong indicator of malicious intent, as attackers leverage trusted tools to evade detection.

Exam trap

Cisco often tests the misconception that a signed binary from a trusted vendor is inherently safe, but the trap here is that LotL abuse specifically exploits the trust in signed administrative tools, so candidates must focus on behavioral anomalies (parent process, command-line actions) rather than the binary's signature or vendor name.

236
Multi-Select · medium

A security analyst must prepare a report on a recent intrusion for a technical audience (IT staff and security engineers). Which TWO elements should be included?

Select 2 answers
A. Estimated financial cost of the incident
B. Indicators of compromise (IoCs)
C. Mitigation steps and remediation actions taken
D. Full exploit code used in the attack
E. Executive summary explaining business impact
Answers: B, C

Technical staff need IoCs to detect and block similar threats.

Why this answer

Indicators of Compromise (IoCs) are essential for a technical audience because they provide the forensic artifacts—such as IP addresses, file hashes, registry keys, and domain names—that security engineers need to detect, contain, and eradicate the intrusion. Including IoCs enables the IT staff to update detection signatures, block malicious infrastructure, and perform host-based threat hunting, directly supporting incident response and future prevention.

Exam trap

CompTIA often tests the distinction between audience-appropriate content, where candidates mistakenly include business impact or exploit code for a technical audience, overlooking that technical staff need actionable forensic data like IoCs and clear remediation steps.

237
Matching · medium

Match each log type to its typical source.

Descriptions

Windows Event Log (Security)

Linux/Unix system messages

Web server (e.g., Apache, IIS)

Database or application activity

Network firewall traffic records

Why these pairings

Different log types originate from different systems and serve distinct purposes.

238
MCQ · hard

A scanner flags TLS 1.0 on a server, but the service owner says TLS 1.0 is disabled. What is the BEST validation method? For validation, which action should be taken before closing or downgrading the finding?

A. Change the severity to informational automatically
B. Close the finding because the owner disagrees
C. Delete the server from the scan scope
D. Manually test the service with a TLS client or scanner profile that negotiates protocol versions
Answer: D

Direct protocol validation determines whether TLS 1.0 is actually accepted.

Why this answer

Option D is correct because the only way to definitively resolve a discrepancy between a scanner finding and a service owner's claim is to perform an independent, manual test. Using a TLS client (e.g., OpenSSL s_client) or a scanner profile that specifically negotiates protocol versions allows you to directly verify whether the server actually accepts TLS 1.0 connections, eliminating false positives or misconfigurations.

Exam trap

Cisco often tests the trap that candidates will trust the service owner's assertion over the scanner's evidence, leading them to close the finding without independent verification, which violates the principle of validate-before-remediate.

How to eliminate wrong answers

Option A is wrong because automatically changing severity to informational bypasses the need for validation and could hide a real vulnerability. Option B is wrong because closing a finding solely because the owner disagrees ignores the scanner's evidence and violates due diligence in vulnerability management. Option C is wrong because deleting the server from the scan scope removes it from future assessments, which could mask a genuine security issue and is not a valid remediation step.

239
Multi-Select · medium

A security analyst is reviewing the results of a recent vulnerability scan. The analyst needs to prioritize remediation efforts effectively. Which four of the following factors should the analyst consider when prioritizing vulnerabilities? (Choose four.)

Select 4 answers
- The Common Vulnerability Scoring System (CVSS) base score
- The age of the vulnerability since its public disclosure
- The number of times a vendor has released a patch for the vulnerability
- The existence of publicly available exploit code
- The asset's criticality to the organization's mission
- The color of the vulnerability in the scan report

Why this answer

The Common Vulnerability Scoring System (CVSS) base score provides a standardized numerical rating (0-10) of a vulnerability's severity, factoring in exploitability and impact metrics. This score helps analysts compare vulnerabilities across different systems and prioritize those with higher potential damage. It is a foundational input for risk-based prioritization, not the sole deciding factor.

Exam trap

CompTIA often tests that candidates confuse the number of patches or visual indicators (like color) with actual risk factors, leading them to select those distractors instead of focusing on exploitability, asset value, and standardized scoring.

240
MCQ · hard

A security analyst is prioritizing vulnerabilities for remediation. The following vulnerabilities have been identified:

Vulnerability A: CVSS v3.1 Base Score 9.8 (Critical), no known exploit, affects internet-facing web server.
Vulnerability B: CVSS v3.1 Base Score 7.5 (High), exploit available, affects internal database server.
Vulnerability C: CVSS v3.1 Base Score 6.1 (Medium), exploit available, affects internal file server.
Vulnerability D: CVSS v3.1 Base Score 4.0 (Medium), no known exploit, affects internal workstation.

Which vulnerability should be remediated FIRST?

A. Vulnerability D
B. Vulnerability C
C. Vulnerability B
D. Vulnerability A
Answer: D

Critical severity on an internet-facing system poses the greatest risk.

Why this answer

Vulnerability A has a CVSS v3.1 Base Score of 9.8 (Critical) and affects an internet-facing web server, which is directly exposed to external threats. Even though no known exploit exists, the high severity and exposure mean that a zero-day or future exploit could cause severe impact, making it the highest priority for remediation according to risk-based prioritization frameworks like CVSS and NIST SP 800-40.

Exam trap

Cisco often tests the misconception that an available exploit always outweighs a higher CVSS score, but the correct prioritization must consider both severity and exposure, especially for internet-facing systems with Critical scores.

How to eliminate wrong answers

Option A (Vulnerability D) is wrong because it has a low CVSS score of 4.0, no known exploit, and affects an internal workstation, which poses minimal risk compared to internet-facing systems. Option B (Vulnerability C) is wrong because although it has an available exploit, its CVSS score is 6.1 (Medium) and it affects an internal file server, which is less critical than an internet-facing web server with a Critical score. Option C (Vulnerability B) is wrong because while it has an exploit available and a High score of 7.5, it affects an internal database server, which is not directly exposed to the internet, whereas Vulnerability A is internet-facing and has a higher severity score.

241
MCQ · easy

A small business with 50 employees has been hit by ransomware. All files on the file server and local workstations are encrypted, and the ransom note demands $5,000 in Bitcoin for the decryption key. The CEO is panicking and wants to know the impact on operations and how to proceed. The security analyst has been tasked with preparing a report for the CEO. The company does not have cyber insurance, has minimal IT staff, and relies heavily on email and shared drives for daily operations. The analyst has identified that there is a one-week-old backup but is unsure of its integrity. The analyst must consider that the CEO has limited technical knowledge and that the report will form the basis for critical business decisions. The company's reputation and customer trust are at stake. The analyst must balance transparency with clear, actionable guidance. Which of the following is the BEST approach for the analyst to take in communicating with the CEO?

A. Provide a detailed technical timeline of the ransomware infection, including the malware variant and encryption algorithm used.
B. Tell the CEO that the incident is being handled and not to worry, then proceed with recovery without further updates.
C. Summarize the situation in non-technical terms, explain the business impact (e.g., inability to access customer data, potential revenue loss), outline recovery options (e.g., restore from backups or pay ransom with risks), and recommend immediate steps.
D. Immediately contact law enforcement and advise the CEO to wait for their instructions without providing additional information.
Answer: C

Provides clear, actionable information tailored to the CEO's needs.

Why this answer

Summarizing business impact and recovery options in non-technical terms is best for the CEO to make informed decisions.

242
MCQ · medium

A company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible?

A. Tabletop exercise using a realistic ransomware scenario
B. Purchasing a new SIEM without testing procedures
C. Annual password reset only
D. Full destructive malware detonation in production
Answer: A

Tabletops validate decision paths and communication without operational disruption. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.

Why this answer

A tabletop exercise is the correct choice because it allows stakeholders (legal, PR, IT, executives) to validate their roles and decision-making processes during a ransomware incident without impacting production systems. This aligns with the NIST SP 800-61 incident response testing framework, which emphasizes discussion-based exercises for validating procedures and communication flows. Unlike destructive tests, a tabletop exercise uses a realistic scenario to simulate the incident lifecycle, ensuring role clarity and procedural readiness.

Exam trap

Cisco often tests the distinction between validation exercises (tabletop) and operational changes (SIEM purchase) or security controls (password reset), trapping candidates who confuse testing a process with implementing a tool or policy.

How to eliminate wrong answers

Option B is wrong because purchasing a new SIEM without testing procedures does not validate role understanding or incident response processes; it introduces a tool without verifying operational readiness or integration with existing workflows. Option C is wrong because an annual password reset only addresses a single authentication control and does not test the multi-faceted coordination required during a ransomware incident, such as legal notifications or PR communication. Option D is wrong because full destructive malware detonation in production would disrupt live systems, violate the requirement to avoid touching production, and could cause data loss or service downtime, making it inappropriate for a non-destructive role-validation exercise.

243
MCQ · easy

During a post-compromise review, an incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible? Which action should be prioritized before closure?

A. A generic statement that security is important
B. Deletion of all incident tickets
C. A blame list of individual analysts
D. Specific playbook updates, escalation triggers, owners, and due dates
Answer: D

Lessons learned should translate findings into trackable process improvements. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because a post-incident review must produce actionable improvements to prevent recurrence. Specific playbook updates, escalation triggers, owners, and due dates directly address the delayed escalation and excessive dwell time by clarifying when and how to escalate, who is responsible, and by when changes must be implemented. This aligns with the NIST SP 800-61 incident response lifecycle, which emphasizes lessons learned leading to process refinement.

Exam trap

Cisco often tests the distinction between punitive actions (blame) and constructive process improvements (playbook updates), expecting candidates to recognize that the goal of a post-incident review is to fix the process, not assign fault.

How to eliminate wrong answers

Option A is wrong because a generic statement that security is important provides no measurable or actionable change to the incident response process, failing to correct the specific escalation failure. Option B is wrong because deletion of all incident tickets destroys forensic evidence and audit trails required for legal proceedings, regulatory compliance, and future analysis; incident tickets must be preserved per retention policies. Option C is wrong because a blame list of individual analysts violates the 'blameless postmortem' principle and discourages reporting of security incidents, undermining the entire incident response program.

244
MCQ · medium

An analyst runs an external vulnerability scan and receives the output above. Which of the following should be the analyst's primary concern?

A. HTTPS is using a self-signed certificate
B. HTTP is open on port 80
C. RDP is filtered by a firewall
D. SSH is exposed to the internet
Answer: D

SSH is a common attack vector; if not required, it should be restricted.

Why this answer

SSH (port 22) exposed directly to the internet is the primary concern because it provides an administrative remote access channel that attackers can brute-force or exploit for credential-based attacks. Unlike HTTP or self-signed certificates, SSH exposure represents a direct attack surface for unauthorized system control, which is a critical vulnerability in external scans.

Exam trap

Cisco often tests the distinction between 'common but insecure' services (like HTTP or self-signed certs) and 'administrative exposure' (like SSH or RDP), where the latter is prioritized because it directly enables system compromise.

How to eliminate wrong answers

Option A is wrong because a self-signed certificate on HTTPS, while not ideal, does not expose the service to remote code execution or credential theft; it primarily affects trust and encryption verification. Option B is wrong because HTTP on port 80 is a common, expected service for web traffic; while unencrypted, it is not inherently a high-risk exposure compared to administrative protocols. Option C is wrong because RDP being filtered by a firewall actually reduces risk by blocking external access, making it a security control rather than a concern.

245
MCQ · hard

A new cloud log source is onboarded, but analytics fail because source IP, user, and action fields are mapped inconsistently. What should the engineer fix? In the alert triage phase, which action gives the analyst the clearest next triage step?

A. Disable all enrichment lookups
B. Increase the dashboard refresh interval
C. Move logs to cold storage immediately
D. Log normalization and field mapping in the parser
Answer: D

Detection rules depend on consistent normalized fields across sources.

Why this answer

Option D is correct because inconsistent field mapping (source IP, user, action) prevents the SIEM from correlating and analyzing log data. The engineer must fix the log parser to normalize these fields into a consistent schema, ensuring that enrichment lookups and analytics function correctly. This aligns with the Security Operations domain focus on data ingestion and parsing.

Exam trap

Cisco often tests the misconception that performance or storage adjustments (like refresh intervals or cold storage) can fix data quality issues, when the real solution is always at the parsing and normalization layer.

How to eliminate wrong answers

Option A is wrong because disabling enrichment lookups would remove valuable context (e.g., threat intelligence, geolocation) and does not address the root cause of inconsistent field mapping. Option B is wrong because increasing the dashboard refresh interval only affects how often the UI updates, not the underlying data quality or parsing issues. Option C is wrong because moving logs to cold storage immediately would archive the data without fixing the parsing problem, making the logs unusable for analytics and triage.
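To make the parser-layer fix concrete, here is an added example (not from the question bank) that maps two differently shaped cloud log sources onto one schema and then runs a single failed-logon rule across both; the raw event shapes, field names and principals are constructed and simplified, not vendor schemas.

```python
"""Parser-side normalization of source IP, user and action fields from two
differently shaped cloud log sources into one schema, with a detection rule
that only works once the fields line up. Added example, not from the question
bank; the raw event shapes and field names are constructed and simplified."""
from typing import Any, Dict, List, Optional

# Target schema (assumed names) that every detection rule is written against.
COMMON_FIELDS = ("timestamp", "src_ip", "user", "action", "outcome")

# Per-source map: common field -> dotted path in that source's raw event.
# Fixing a broken onboarding means fixing this map, not the dashboards.
FIELD_MAPS: Dict[str, Dict[str, str]] = {
    "cloud_a": {"timestamp": "eventTime", "src_ip": "sourceIPAddress",
                "user": "userIdentity.userName", "action": "eventName",
                "outcome": "errorCode"},
    "cloud_b": {"timestamp": "time", "src_ip": "properties.clientIp",
                "user": "identity.upn", "action": "operationName",
                "outcome": "resultType"},
}

# Source-specific action names folded onto canonical verbs.
ACTION_ALIASES = {
    "consolelogin": "logon", "sign-in": "logon",
    "createaccesskey": "create_key", "create-credential": "create_key",
}

def get_path(obj: Any, dotted: str) -> Optional[Any]:
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def normalize(source: str, raw: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the source's field map and fold values onto the common schema."""
    fmap = FIELD_MAPS[source]
    ev = {field: get_path(raw, fmap[field]) for field in COMMON_FIELDS}
    # cloud_a omits errorCode on success; cloud_b always carries resultType.
    ok = ev["outcome"] is None or str(ev["outcome"]).lower() == "success"
    ev["outcome"] = "success" if ok else "failure"
    action = str(ev["action"]).lower()
    ev["action"] = ACTION_ALIASES.get(action, action)
    ev["source"] = source
    return ev

def failed_logons_by_ip(events: List[Dict[str, Any]], threshold: int) -> Dict[str, int]:
    """Rule written once against the common schema; counts failed logons per IP."""
    counts: Dict[str, int] = {}
    for ev in events:
        if ev["action"] == "logon" and ev["outcome"] == "failure" and ev["src_ip"]:
            counts[ev["src_ip"]] = counts.get(ev["src_ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed raw events (TEST-NET addresses, made-up principals).
RAW_EVENTS = [
    ("cloud_a", {"eventTime": "2024-05-01T10:00:01Z", "sourceIPAddress": "203.0.113.5",
                 "userIdentity": {"userName": "svc-deploy"}, "eventName": "ConsoleLogin",
                 "errorCode": "AccessDenied"}),
    ("cloud_a", {"eventTime": "2024-05-01T10:00:09Z", "sourceIPAddress": "203.0.113.5",
                 "userIdentity": {"userName": "svc-deploy"}, "eventName": "ConsoleLogin",
                 "errorCode": "AccessDenied"}),
    ("cloud_b", {"time": "2024-05-01T10:00:15Z", "properties": {"clientIp": "203.0.113.5"},
                 "identity": {"upn": "svc-deploy@example.test"},
                 "operationName": "Sign-in", "resultType": "Failure"}),
    ("cloud_a", {"eventTime": "2024-05-01T10:01:00Z", "sourceIPAddress": "198.51.100.7",
                 "userIdentity": {"userName": "alice"}, "eventName": "ConsoleLogin"}),
]

def run_pipeline(raw_events=RAW_EVENTS, threshold: int = 3) -> Dict[str, int]:
    """Normalize every raw event, then apply the cross-source rule."""
    normalized = [normalize(src, raw) for src, raw in raw_events]
    return failed_logons_by_ip(normalized, threshold)

if __name__ == "__main__":
    print(run_pipeline())  # the three failures from 203.0.113.5 only count together once fields match
```

Without the field maps the two cloud_a failures and the cloud_b failure would sit in different columns and never reach the threshold together.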

246
MCQ · medium

A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A. Trust the unauthenticated result as complete
B. Increase only the port range
C. Disable host firewalls permanently
D. Run authenticated scans using least-privilege scanner credentials
Answer: D

Authenticated scanning gives the scanner access to installed software and patch state, improving accuracy.

Why this answer

Unauthenticated scans only enumerate open ports and services visible without credentials, missing OS-level patch data such as missing KBs, registry settings, or file versions. Authenticated scans using least-privilege credentials allow the scanner to query the Windows registry, WMI, or WinRM to retrieve the actual installed patch level, providing accurate vulnerability results. For stakeholder management, formal approval (e.g., a signed authorization from system owners or change control board) is required to document the use of privileged credentials, ensuring the program remains defensible in audits.

Exam trap

Cisco often tests the misconception that increasing scan scope (e.g., ports or disabling firewalls) can substitute for authentication, when in fact only credentialed scanning provides the deep OS-level patch data needed for accurate vulnerability assessment.

How to eliminate wrong answers

Option A is wrong because trusting an unauthenticated result as complete ignores the fact that without credentials, the scanner cannot access registry or file-level patch data, leading to false negatives and missing critical vulnerabilities. Option B is wrong because increasing only the port range expands network-layer discovery but does not enable the scanner to retrieve OS patch information, which requires authenticated access to internal system state. Option C is wrong because disabling host firewalls permanently reduces security posture and still does not provide the scanner with the necessary credentials to query patch levels; it only removes network access controls without solving the data access problem.

247
MCQ · hard

A cloud tenant shows an unusual spike in IAM policy changes, access key creation, and failed console logons from a new country. Which telemetry set gives the strongest evidence for control-plane compromise? In the evidence source phase, which evidence source best supports or refutes the detection?

A. Packet captures from user laptops only
B. Cloud audit logs for identity, policy, and key-management API calls
C. Web server access logs from the public website
D. Endpoint antivirus quarantine reports only
Answer: B

Control-plane attacks are best investigated through authoritative audit events that record who changed identity and access configuration.

Why this answer

Control-plane operations in cloud environments are managed through APIs for identity (IAM), policy, and key management. Cloud audit logs (e.g., AWS CloudTrail, Azure Activity Log) capture every API call to these services, including who made the call, from which IP address, and what changes were made. The spike in IAM policy changes, access key creation, and failed console logons from a new country is directly recorded in these logs, making them the strongest evidence for a control-plane compromise.

Exam trap

Cisco often tests the distinction between control-plane and data-plane telemetry, and the trap here is that candidates mistakenly think packet captures or web logs can reveal cloud API activity, when in fact only cloud audit logs provide the necessary API-level detail for identity and policy changes.

How to eliminate wrong answers

Option A is wrong because packet captures from user laptops only show network-layer traffic (e.g., HTTP/HTTPS packets) and cannot capture cloud control-plane API calls made to the cloud provider's endpoints, as those calls are encrypted and the cloud provider's internal audit logs are the authoritative source. Option C is wrong because web server access logs from the public website record only HTTP requests to the tenant's web application (e.g., GET, POST), not IAM policy changes, access key creation, or console logons, which are control-plane operations managed by the cloud provider's identity service.

248
MCQ · easy

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant?

A. Office document spawning a script interpreter from a user context
B. A password expiry warning
C. High CPU usage on the print server
D. Successful DHCP renewal
Answer: A

Office-to-script process chains are common initial execution patterns for phishing payloads.

Why this answer

The correct detection logic is 'Office document spawning a script interpreter from a user context' because the scenario describes a classic phishing attack where a malicious macro or embedded script in an invoice document launches wscript.exe (a Windows Script Host interpreter) from the user's profile directory. This behavior is a strong indicator of script-based malware execution, as legitimate Office documents rarely spawn script interpreters directly from user-writable paths. The detection logic specifically targets the parent-child process relationship between an Office application (e.g., WINWORD.EXE, EXCEL.EXE) and wscript.exe, which is a common technique used by attackers to bypass application whitelisting and execute arbitrary code.

Exam trap

Cisco often tests the distinction between process execution anomalies and unrelated system events, so the trap here is that candidates may confuse a script interpreter launch with generic system performance issues or authentication events, missing the critical parent-child process chain that defines the attack vector.

How to eliminate wrong answers

Option B is wrong because a password expiry warning is an authentication-related event (typically logged as Event ID 4738 or 4724 in Windows Security logs) and has no relevance to the process execution chain of an Office document spawning wscript.exe. Option C is wrong because high CPU usage on the print server is a performance metric unrelated to endpoint process behavior; it does not involve user-context script execution or document-based attacks, and would be monitored by system health tools, not security detection logic.
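The parent-child chain the answer describes, as an added example that is not part of the question bank: a small detection function run over constructed process-creation records (field names are assumed, Sysmon Event ID 1 style), flagging an Office parent launching a script interpreter in a user context and escalating when the script path sits under a user profile.

```python
"""Detection logic for the Office-to-script-interpreter process chain
described above. Added example, not from the question bank: the process
records below are constructed and the field names are assumptions."""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional

# Office applications that handle user-supplied documents.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script interpreters that a document handler should not normally launch.
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Built-in service accounts; these are not a "user context".
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE"}
USER_PROFILE_PREFIX = "c:\\users\\"

@dataclass
class ProcessEvent:
    """Process-creation record with Sysmon Event ID 1 style fields (assumed)."""
    timestamp: str
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str

def office_to_script(ev: ProcessEvent) -> Optional[Dict[str, str]]:
    """Return a finding when the parent/child chain matches, else None."""
    parent = ntpath.basename(ev.parent_image).lower()
    child = ntpath.basename(ev.image).lower()
    if parent not in OFFICE_PARENTS or child not in SCRIPT_INTERPRETERS:
        return None
    if ev.user.upper() in SERVICE_ACCOUNTS:
        return None  # not a user context; a separate rule would cover this
    # Escalate when the script being run lives in a user-writable profile path,
    # which is where a downloaded "invoice" and its dropped payload would sit.
    in_profile = USER_PROFILE_PREFIX in ev.command_line.lower()
    return {
        "timestamp": ev.timestamp,
        "host": ev.host,
        "user": ev.user,
        "chain": f"{parent} -> {child}",
        "severity": "high" if in_profile else "medium",
        "command_line": ev.command_line,
    }

def detect(events: List[ProcessEvent]) -> List[Dict[str, str]]:
    """Apply the rule to a batch of events and keep only the matches."""
    return [f for f in map(office_to_script, events) if f is not None]

# Constructed sample telemetry (not real data): one true positive, one benign
# logon script launched by explorer.exe, one chain under a service account.
SAMPLE_EVENTS = [
    ProcessEvent("2024-05-01T09:12:03Z", "WS-0142", "CORP\\jdoe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\jdoe\AppData\Local\Temp\invoice_4471.vbs"'),
    ProcessEvent("2024-05-01T09:12:40Z", "WS-0142", "CORP\\jdoe",
                 r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Scripts\logon_map_drives.vbs"'),
    ProcessEvent("2024-05-01T09:13:10Z", "WS-0142", "NT AUTHORITY\\SYSTEM",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\cscript.exe",
                 r'cscript.exe "C:\ProgramData\job.vbs"'),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```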

249
MCQ · hard

You are a senior incident responder for a large technology company. During a routine threat hunting exercise, you detect unusual network traffic from a Linux web server to an external IP address that is known to be associated with an advanced persistent threat (APT) group. The web server runs a custom PHP application and is not in the DMZ; instead, it's on the internal network serving a management dashboard. You have captured a memory dump of the web server and analyzed it with Volatility. The output shows a suspicious process running with the name 'apache2' but with an invalid parent process (PID 1 is 'apache2' itself). Additionally, you find a kernel module loaded called 'hideproc.ko' that is not part of the standard kernel. The network connections show a reverse shell to the external IP. You need to determine the most effective containment and eradication strategy that minimizes data loss and maintains business continuity while preserving evidence for law enforcement involvement.

A. Revert the web server to a previous snapshot from before the suspected compromise date, then run a full antivirus scan on the restored system.
B. Perform a live forensic analysis of the PHP application logs and database to identify the specific vulnerability used, then apply a hotfix to the application code.
C. Isolate the web server from the network immediately, capture a full disk and memory image, then reimage the server from a trusted backup or OS image, and restore application data from a known clean backup.
D. Block the external IP address at the firewall and block all outbound traffic from the web server except to specific internal IPs, then continue monitoring for other compromised hosts.
Answer: C

Isolation stops the active reverse shell and lateral movement. Imaging preserves evidence of the rootkit and attacker activities. Reimaging ensures the kernel module and any other persistence are removed.

Why this answer

Option C is correct because the presence of a kernel rootkit ('hideproc.ko') and a reverse shell indicates deep, persistent compromise that cannot be cleaned by patching or scanning. Isolating the server preserves volatile evidence (memory, disk) for law enforcement, while reimaging from a trusted backup ensures complete removal of the attacker's foothold, minimizing data loss and restoring business continuity.

Exam trap

The trap here is that candidates may choose a containment-only option (D) or a patch-only option (B) because they underestimate the persistence of kernel-level rootkits, failing to recognize that eradication requires complete reimaging from a trusted source.

How to eliminate wrong answers

Option A is wrong because reverting to a snapshot does not guarantee the snapshot itself is clean (the APT may have persisted before the snapshot date), and a full antivirus scan cannot detect or remove a kernel-mode rootkit like 'hideproc.ko'. Option B is wrong because live forensic analysis of logs and applying a hotfix addresses the vulnerability but does not remove the already-loaded kernel rootkit or the active reverse shell, leaving the attacker with persistent access. Option D is wrong because blocking the external IP and restricting outbound traffic only contains the immediate C2 channel; the kernel rootkit and backdoor remain on the server, allowing the attacker to pivot or establish alternative egress paths.

250
Drag & Drop · medium

Order the steps for proper forensic acquisition of a hard drive.


Why this order

Forensic acquisition requires documentation, write-blocked imaging, hash verification, secure storage, and image hash verification.

251
MCQ · hard

A business owner accepts delayed remediation for a production system. What must the report include? If the primary audience is SOC manager, which content choice is most appropriate?

A. Only the analyst's personal opinion
B. A permanent exception with no review
C. No mention of the accepted risk
D. Risk owner, reason, compensating controls, review date, and expiry
Answer: D

Risk acceptance must be accountable, time-bound, and visible. The report should be tuned to SOC manager while preserving factual accuracy.

Why this answer

Option D is correct because when a business owner accepts delayed remediation for a production system, the report must formally document the risk acceptance. This includes the risk owner, the reason for acceptance, any compensating controls in place, a scheduled review date, and an expiry date for the exception. This ensures traceability, accountability, and that the risk is not forgotten, aligning with governance frameworks like NIST SP 800-37 or ISO 27001.

Exam trap

CompTIA often tests the misconception that risk acceptance can be a one-time, permanent decision without ongoing review, leading candidates to choose Option B, but the correct approach requires a defined expiry and review cycle to maintain accountability.

How to eliminate wrong answers

Option A is wrong because including only the analyst's personal opinion violates the requirement for objective, evidence-based reporting; risk acceptance decisions must be documented with business context, not subjective views. Option B is wrong because a permanent exception with no review bypasses the need for periodic reassessment, which is a key control in risk management frameworks to ensure the risk is still acceptable over time. Option C is wrong because omitting the accepted risk from the report hides critical information from the SOC manager, undermining the purpose of the report to provide full visibility into the system's risk posture.

252
MCQ · medium

A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the root-cause analysis phase, which finding would most directly explain the activity?

A. Block all DNS traffic from the subnet
B. Search only for successful HTTP 200 responses
C. Correlate DNS query logs with endpoint process and network connection telemetry
D. Delete the host from the SIEM asset inventory
Answer: C

The pattern is suspicious, but process and connection context shows whether a host process is repeatedly attempting outbound C2 communication.

Why this answer

Option C is correct because correlating DNS query logs with endpoint process and network connection telemetry provides direct evidence of command-and-control (C2) beaconing. The algorithmically generated domains (DGA) and NXDOMAIN responses are characteristic of malware that generates many domains to evade static blocklists, but only a few are actually registered by the attacker. By mapping the DNS queries to the specific process that initiated them (via endpoint telemetry) and the subsequent network connections (e.g., to the resolved IP of a successful DGA domain), the analyst can confirm C2 activity rather than just anomalous DNS traffic.

Exam trap

The trap here is that candidates focus on the NXDOMAIN responses as a sign of failure and assume the activity is benign or that blocking DNS is the solution, rather than recognizing that the fixed-interval DGA pattern itself is the key indicator of C2 beaconing that requires cross-telemetry correlation.

How to eliminate wrong answers

Option A is wrong because blocking all DNS traffic from the subnet is a disruptive, non-analytical response that would break legitimate network operations and does not help validate or explain the beaconing behavior. Option B is wrong because searching only for successful HTTP 200 responses is too narrow; C2 traffic often uses non-HTTP protocols, encrypted channels, or different HTTP status codes (e.g., 302 redirects), and many DGA-based C2 channels may not use HTTP at all, so this approach would miss the actual beaconing.

253
MCQ · hard

During a security assessment, you discover that an organization's web application is vulnerable to SQL injection because it concatenates user input directly into SQL queries. Which of the following is the BEST remediation strategy?

A. Encode all output data.
B. Deploy a web application firewall (WAF).
C. Use parameterized queries or prepared statements.
D. Implement input validation using a whitelist.
Answer: C

Separates SQL logic from data, preventing injection.

Why this answer

Parameterized queries (prepared statements) separate SQL logic from user data by using placeholders, ensuring that user input is always treated as data, not executable code. This directly prevents SQL injection by eliminating the ability to alter the query structure, regardless of the input content.

Exam trap

Cisco often tests the misconception that input validation or a WAF is sufficient to prevent SQL injection, but the exam expects you to recognize that only parameterized queries/prepared statements address the root cause by enforcing data vs. code separation.

How to eliminate wrong answers

Option A is wrong because output encoding (e.g., HTML entity encoding) addresses cross-site scripting (XSS), not SQL injection, which occurs at the database layer before output is generated. Option B is wrong because a web application firewall (WAF) is a reactive, bypassable control that can be evaded with crafted payloads; it does not fix the root cause of insecure code. Option D is wrong because input validation using a whitelist is insufficient as a primary defense—attackers can bypass whitelists with encoding or alternative characters, and it does not guarantee that all malicious input is blocked, whereas parameterized queries provide a deterministic, structural fix.
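The concatenation defect from the question beside its parameterized fix, as an added example that is not part of the question bank: both lookups run against a constructed in-memory SQLite table, and the table deliberately includes a legitimate username containing an apostrophe to show that the placeholder version is also the correct one, not just the safe one.

```python
"""The vulnerable concatenation pattern from the question beside its
parameterized fix, run against an in-memory SQLite table. Added example,
not from the question bank; the table and rows are constructed."""
import sqlite3
from typing import Callable, List, Tuple, Union

Row = Tuple[str, str]

def make_db() -> sqlite3.Connection:
    """Constructed sample table; includes a legitimate name with an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"),
                      ("carol", "user"), ("o'brien", "user")])
    conn.commit()
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Row]:
    """'Before': user input is spliced into the SQL text, so input can change
    the query structure. Kept deliberately vulnerable to show the contrast."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Row]:
    """'After': a placeholder keeps the SQL fixed; the driver passes the value
    as data, so it is never parsed as SQL whatever it contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def lookup_outcome(fn: Callable[[sqlite3.Connection, str], List[Row]],
                   conn: sqlite3.Connection, username: str) -> Union[int, str]:
    """Row count returned by a lookup, or 'error' if the SQL failed to parse."""
    try:
        return len(fn(conn, username))
    except sqlite3.OperationalError:
        return "error"

# Textbook tautology input: the concatenated WHERE clause becomes always true.
TAUTOLOGY_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    for name, fn in (("vulnerable", find_user_vulnerable), ("safe", find_user_safe)):
        print(name, "tautology ->", lookup_outcome(fn, conn, TAUTOLOGY_INPUT),
              "| o'brien ->", lookup_outcome(fn, conn, "o'brien"))
```

The concatenated version returns every row for the tautology input and throws a syntax error for o'brien; the parameterized version returns no rows for the former and exactly one for the latter, which is also why a character whitelist alone (Option D) is the wrong primary fix.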

254
MCQ · easy

A security analyst has identified a critical vulnerability in a customer-facing web application. The analyst needs to communicate this to senior management. Which of the following is the best approach for this communication?

A. Send a brief email stating that a critical vulnerability exists and ask management to schedule a meeting.
B. Notify the development team only and have them fix it before informing management.
C. Provide a detailed technical analysis of the vulnerability, including exploit code.
D. Summarize the vulnerability in terms of business risk, potential financial impact, and recommended mitigation timeline.
Answer: D

Summarizing business impact and recommended actions is most effective for management.

Why this answer

Option D is correct because communicating a critical vulnerability to senior management requires translating technical risk into business impact. Security analysts must present findings in terms of potential financial loss, regulatory consequences, and a clear mitigation timeline, enabling informed decision-making without requiring deep technical expertise.

Exam trap

CompTIA often tests the distinction between technical reporting (for engineers) and business-risk communication (for management), trapping candidates who overemphasize technical detail or assume management needs exploit-level information.

How to eliminate wrong answers

Option A is wrong because a brief email with no context fails to convey urgency or actionable details, and asking management to schedule a meeting delays response to a critical vulnerability. Option B is wrong because bypassing management violates incident response protocols and could lead to uncoordinated fixes, legal liability, or non-compliance with disclosure requirements. Option C is wrong because providing exploit code and deep technical analysis to non-technical senior management is inappropriate; it risks information overload and potential misuse, and does not address the business risk they need to evaluate.

255
Drag & Drop · medium

Arrange the steps for conducting a security incident response in the correct order.


Why this order

Incident response follows the NIST framework: Prepare, Detect & Analyze, Contain/Eradicate/Recover, Post-Incident, and Report.

256
MCQ · easy

A critical vulnerability affected the customer portal, but no evidence of exploitation was found. What should the executive summary emphasize? If the primary audience is legal/privacy stakeholder, which content choice is most appropriate?

A. A list of analyst shift times only
B. Every command the scanner executed
C. Business risk, customer impact assessment, remediation status, and remaining exposure
D. Raw packet captures from the scan
Answer: C

Executives need business impact and risk posture, not raw technical noise. The report should be tuned to legal/privacy stakeholder while preserving factual accuracy.

Why this answer

Option C is correct because the executive summary for legal/privacy stakeholders must focus on business risk, customer impact, remediation status, and remaining exposure. Since no exploitation was found, the summary should communicate the potential regulatory and privacy implications (e.g., GDPR, CCPA) and the steps taken to close the vulnerability, not technical details. This aligns with the CS0-003 objective of tailoring communication to the audience's need for risk-based, non-technical summaries.

Exam trap

Cisco often tests the misconception that an executive summary should include all technical findings, but the trap here is that legal/privacy stakeholders require a risk-focused, non-technical summary, not operational or scanner output details.

How to eliminate wrong answers

Option A is wrong because listing analyst shift times is irrelevant to a vulnerability report and provides no value to legal/privacy stakeholders who need risk and compliance context. Option B is wrong because every command the scanner executed is excessive technical detail that would overwhelm non-technical stakeholders and obscure the key message of no exploitation and remediation status.

257
Multi-Select · hard

A root-cause analysis finds that an alert fired but was never triaged. Which corrective actions are useful? (Choose two.)

Select 2 answers
A. Blame an individual without process review
B. Delete the alert rule because it was inconvenient
C. Define queue ownership and escalation thresholds
D. Add monitoring for stale or unassigned alerts
Answers: C, D

Ownership prevents alerts being orphaned.

Why this answer

Option C is correct because defining queue ownership and escalation thresholds ensures that alerts are assigned to a specific team or individual and have a clear path for escalation if not acknowledged within a defined time. This directly addresses the root cause of the alert never being triaged by enforcing accountability and automated follow-up, which is a standard incident response practice per NIST SP 800-61.

Exam trap

Cisco often tests the misconception that punitive measures (blaming individuals) or removing inconvenient alerts are valid corrective actions, when the correct approach is always to improve process and automation to prevent recurrence.

258
MCQ · medium

A company wants to prioritize vulnerabilities based on exploitability and impact. Which industry standard framework should the analyst use?

A. CVSS v3
B. OWASP Top 10
C. CVE
D. NIST SP 800-53
Answer: A

CVSS provides a numeric severity score based on exploitability and impact.

Why this answer

CVSS v3 (Common Vulnerability Scoring System) is the industry-standard framework for prioritizing vulnerabilities based on exploitability and impact. It provides a numerical score (0-10) derived from metrics such as Attack Vector, Attack Complexity, Privileges Required, User Interaction, and Scope, along with Confidentiality, Integrity, and Availability impact. This allows analysts to objectively rank vulnerabilities for remediation.

Exam trap

CompTIA often tests the distinction between a vulnerability scoring system (CVSS) and a vulnerability identification system (CVE), causing candidates to confuse CVE as a prioritization tool.

How to eliminate wrong answers

Option B (OWASP Top 10) is wrong because it is a list of the most critical web application security risks, not a scoring system for individual vulnerabilities; it does not assign exploitability or impact scores. Option C (CVE) is wrong because it is a dictionary of publicly disclosed vulnerabilities with unique identifiers, not a prioritization or scoring framework. Option D (NIST SP 800-53) is wrong because it is a catalog of security controls for federal information systems, not a vulnerability scoring methodology.

259
Multi-Select · medium

An organization is implementing a new security incident response plan and wants to establish clear communication protocols. Which three of the following are essential components of effective incident communication? (Choose three.)

Select 3 answers
A. Defining a single point of contact (POC) for each stakeholder group
B. Using only email for all incident updates to maintain a written record
C. Establishing pre-approved templates for different incident types
D. Including all employees in every incident notification to ensure transparency
E. Creating an escalation matrix with authority levels for decision-making
F. Automatically releasing incident details to the press within one hour

Why this answer

Defining a single point of contact (POC) for each stakeholder group ensures clear, controlled communication and prevents conflicting information. Pre-approved templates for different incident types enable rapid, consistent, and accurate notifications without needing to craft messages from scratch during a crisis. An escalation matrix with authority levels ensures that decisions are made by the appropriate personnel based on incident severity, preventing delays and unauthorized actions.

Exam trap

CompTIA often tests the distinction between 'transparency' and 'controlled communication' — candidates may incorrectly choose 'include all employees' thinking it promotes transparency, but the exam expects role-based, need-to-know notifications to avoid operational chaos.

260
MCQ · easy

Two servers have the same critical vulnerability. One hosts a public payment API; the other is a lab server isolated from production. What changes the remediation priority? For business prioritization, which recommendation gives the best risk-based order of work?

A. The number of installed fonts
B. The colour of the scanner dashboard
C. Whether the hostname is shorter
D. Asset criticality, exposure, and business impact
Answer: D

The same CVE can represent different risk depending on where it exists and what the asset supports.

Why this answer

Option D is correct because remediation priority in vulnerability management is determined by asset criticality, exposure, and business impact, not by superficial attributes. The public payment API server has high business impact and exposure to external threats, making it a higher priority than the isolated lab server, even though both share the same vulnerability. This aligns with risk-based prioritization frameworks such as CVSS environmental metrics and FAIR analysis.

Exam trap

Cisco often tests the misconception that all vulnerabilities with the same CVSS base score should be remediated with equal urgency, ignoring the critical role of asset context and business impact in risk-based prioritization.

How to eliminate wrong answers

Option A is wrong because the number of installed fonts has no bearing on vulnerability severity, exploitability, or business risk; it is an irrelevant system configuration detail. Option B is wrong because the colour of the scanner dashboard is a cosmetic UI element that does not affect technical risk assessment or prioritization decisions. Option C is wrong because hostname length is arbitrary and does not correlate with asset criticality, exposure, or the likelihood of exploitation; a shorter hostname does not indicate higher risk.

261
MCQ · medium

In a regulated payment environment, a developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible? Which action best reduces risk without losing evidence?

A. Wait to see whether charges increase
B. Disable or rotate the key and review actions performed with it
C. Block the developer's laptop from Wi-Fi
D. Ask the developer to delete the commit only
Answer: B

The exposed credential must be invalidated and its use scoped through audit logs. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option B is correct because the immediate priority is to revoke the compromised cloud access key to prevent further unauthorized use, while simultaneously reviewing logs to understand the scope of the attacker's actions. In a regulated payment environment (e.g., PCI DSS), failing to disable the key promptly could lead to a data breach and non-compliance penalties. Reviewing actions with the key is essential for incident response and forensic evidence collection.

Exam trap

Cisco often tests the misconception that containment means physically isolating the user (e.g., blocking Wi-Fi) rather than logically revoking the compromised credential, leading candidates to pick Option C over the correct technical containment action.

How to eliminate wrong answers

Option A is wrong because waiting to see whether charges increase is a passive, reactive approach that allows the attacker continued access, potentially exfiltrating sensitive payment data or escalating privileges — this violates the 'containment' phase of incident response. Option C is wrong because blocking the developer's laptop from Wi-Fi does not revoke the cloud access key; the key remains valid and can still be used from the unfamiliar IP, and it may hinder legitimate incident response activities by isolating the developer without addressing the root cause.

262
MCQ · easy

During a phishing investigation, an employee reports clicking a link and entering credentials. Which of the following should be the first step?

A. Conduct user awareness training
B. Block the phishing domain
C. Analyze the email headers
D. Reset the employee's password
Answer: D

Immediate password reset mitigates account compromise.

Why this answer

The immediate priority after credential compromise is to secure the account and prevent unauthorized access. Resetting the employee's password (Option D) invalidates the stolen credentials, stopping the attacker from using them to log in. This aligns with the NIST Incident Response Framework's containment phase, which must occur before any remediation or analysis steps.

Exam trap

Cisco often tests the distinction between containment and remediation; the trap here is that candidates choose 'Analyze the email headers' (Option C) because they confuse forensic analysis with the first step of incident response, but the priority must always be to stop active harm before investigating.

How to eliminate wrong answers

Option A is wrong because user awareness training is a long-term preventive measure, not an immediate containment step; conducting it first would leave the compromised account vulnerable. Option B is wrong because blocking the phishing domain, while useful, does not address the immediate risk of the attacker using the stolen credentials to access the account. Option C is wrong because analyzing email headers is part of the forensic investigation phase, which should follow containment to avoid delaying critical account protection.

263
MCQ · hard

A post-incident report finds that no one owned a failed alert integration. What should the corrective action include? If the primary audience is executive leadership, which content choice is most appropriate?

A. A vague recommendation to improve security
B. Deletion of the integration record
C. Named owner, due date, acceptance criteria, and retest plan
D. No action because the incident is closed
Answer: C

Corrective actions should be accountable and verifiable. The report should be tuned to executive leadership while preserving factual accuracy.

Why this answer

Option C is correct because a failed alert integration indicates a gap in accountability and process validation. The corrective action must assign a named owner, set a due date, define acceptance criteria, and include a retest plan to ensure the integration is properly configured and monitored. This aligns with ITIL's change management and incident management practices, where ownership and verification are critical to closing the loop on failed controls.

Exam trap

Cisco often tests the misconception that a vague recommendation or deleting a record is sufficient for corrective action, when in fact the exam emphasizes the need for specific, accountable, and verifiable remediation steps in post-incident reporting.

How to eliminate wrong answers

Option A is wrong because a vague recommendation to improve security lacks specificity and does not address the root cause of the failed integration; it provides no actionable steps for remediation or verification. Option B is wrong because deleting the integration record removes evidence of the failure and does not fix the underlying configuration or ownership issue; it also violates audit trail requirements and could mask recurring problems.

264
MCQmedium

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For control selection, which control best addresses the stated weakness without hiding risk?

A.The phishing training completion list
B.The risk register with owner, justification, expiry date, and compensating controls
C.The firewall vendor invoice
D.The incident containment playbook only
AnswerB

Risk acceptance must be explicit, time-bound, owned, and controlled.

Why this answer

Option B is correct because when a business unit accepts the risk of delaying a patch, the risk register must be updated to formally document the risk acceptance. This update should include the risk owner, the business justification for the delay, an expiry date for the exception, and any compensating controls (e.g., network segmentation, enhanced monitoring) that reduce the risk during the gap. This ensures the risk is tracked, reviewed, and eventually remediated, aligning with vulnerability management best practices.

Exam trap

Cisco often tests the distinction between operational activities (e.g., training, billing) and formal risk management documentation; the trap here is that candidates may confuse updating a training list or invoice with the required risk register update, failing to recognize that risk acceptance must be formally recorded with ownership and compensating controls.

How to eliminate wrong answers

Option A is wrong because phishing training completion lists address user awareness and social engineering risks, not the technical risk of delaying a critical patch; updating this list does not document or manage the accepted risk. Option C is wrong because the firewall vendor invoice is a financial document unrelated to risk acceptance or vulnerability management; it does not capture the risk owner, justification, expiry date, or compensating controls needed for formal risk tracking.

265
MCQeasy

Which technology is specifically designed to detect anomalous user behavior that may indicate a compromised account?

A.IDS.
B.UEBA.
C.SIEM.
D.Antivirus.
AnswerB

UEBA uses machine learning to detect anomalous user and entity behavior.

Why this answer

User and Entity Behavior Analytics (UEBA) is specifically designed to establish baselines of normal user behavior and detect anomalous activities—such as unusual login times, impossible travel, or abnormal data access patterns—that may indicate a compromised account. Unlike signature-based tools, UEBA leverages machine learning and statistical modeling to identify deviations from established norms, making it the correct choice for detecting account compromise.

Exam trap

CompTIA often tests the distinction between correlation-based tools (SIEM) and behavior-based tools (UEBA), and the trap here is that candidates confuse SIEM's log aggregation and rule-based alerting with UEBA's machine learning-driven anomaly detection for user behavior.

How to eliminate wrong answers

Option A is wrong because an Intrusion Detection System (IDS) primarily monitors network traffic for known attack signatures or protocol anomalies, not user behavior patterns. Option C is wrong because a Security Information and Event Management (SIEM) system aggregates and correlates logs from multiple sources but relies on predefined rules and signatures rather than behavioral baselining to detect anomalies. Option D is wrong because Antivirus software detects and blocks known malware based on signatures and heuristics, not user behavior or account compromise indicators.

266
Multi-Selectmedium

A vulnerability report is going to system owners. Which elements make it actionable? (Choose three.)

Select 3 answers
A.Only a generic statement that risk exists
B.Affected assets and owners
C.Due dates based on severity or SLA
D.Remediation guidance and validation steps
AnswersB, C, D

Owners need to know what they must fix.

Why this answer

Option B is correct because identifying affected assets and their owners is essential for accountability and remediation. Without this information, system owners cannot determine which systems require patching or configuration changes, making the report non-actionable. This aligns with the NIST SP 800-40 Rev. 4 guidance on vulnerability management, which emphasizes asset ownership as a prerequisite for response.

Exam trap

Cisco often tests the misconception that a vulnerability report is actionable if it merely states risk exists, but without asset ownership and due dates, the report lacks the specificity required for system owners to take concrete steps.

267
MCQmedium

A user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible?

A.Ignore it if MFA is enabled
B.Delete all emails from the mailbox
C.Only reset the user's Windows password
D.Revoke the app grant, review mailbox access, and identify other users who consented
AnswerD

OAuth consent abuse can persist without password access; revoking grants and scoping exposure contains the incident. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the incident responder must first revoke the malicious OAuth app grant to immediately stop the attacker's access via the delegated mailbox permissions. Following revocation, reviewing mailbox access logs (e.g., Mailbox Audit Log, EWS/Graph API calls) is essential to assess the scope of compromise, and identifying other users who consented to the same app is critical to contain lateral movement. This aligns with the NIST SP 800-61 incident response lifecycle's containment and eradication phase.

Exam trap

CompTIA often tests the misconception that password resets or MFA can mitigate OAuth consent attacks, when in reality the OAuth grant is independent of the user's authentication credentials and must be explicitly revoked.

How to eliminate wrong answers

Option A is wrong because MFA does not protect against OAuth consent phishing; once the user grants permissions, the app can access the mailbox without any further authentication, bypassing MFA entirely. Option B is wrong because deleting all emails destroys forensic evidence and does not remove the attacker's persistent access via the OAuth grant, which must be revoked first. Option C is wrong because resetting the Windows password does not invalidate the OAuth refresh token or the delegated permissions; the app retains mailbox access until the grant is explicitly revoked.

268
MCQmedium

After a high-priority SOC escalation, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible? Which response best matches incident-response practice?

A.Ignore it if MFA is enabled
B.Delete all emails from the mailbox
C.Only reset the user's Windows password
D.Revoke the app grant, review mailbox access, and identify other users who consented
AnswerD

OAuth consent abuse can persist without password access; revoking grants and scoping exposure contains the incident. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the immediate priority is to revoke the malicious OAuth consent grant, which removes the app's access to the mailbox via the Microsoft Graph API. Reviewing mailbox access (e.g., via Exchange Online audit logs) is necessary to assess data exfiltration, and identifying other users who consented helps contain a potential phishing campaign targeting the same app. This follows the NIST SP 800-61 incident response process for containment, eradication, and recovery.

Exam trap

CompTIA often tests the misconception that resetting a password or enabling MFA is sufficient to revoke OAuth app access, when in fact OAuth tokens are independent of user credentials and require explicit grant revocation.

How to eliminate wrong answers

Option A is wrong because MFA does not protect against OAuth consent phishing; once the user grants delegated permissions, the app can access the mailbox using its own tokens without requiring MFA. Option B is wrong because deleting all emails destroys forensic evidence and does not remove the app's persistent access; the OAuth grant must be revoked first. Option C is wrong because resetting the Windows password does not invalidate the OAuth refresh token or the app's granted permissions; the app can continue to access the mailbox via the Microsoft identity platform.

269
Multi-Selecthard

A host is suspected of running fileless malware. Which artefacts should be collected quickly? (Choose two.)

Select 2 answers
A.Memory image or live response data
B.Active network connections and running processes
C.A list of cafeteria purchases
D.A printed office map
AnswersA, B

Fileless activity may exist mainly in memory.

Why this answer

Fileless malware operates in memory without writing to disk, so capturing a memory image or live response data preserves the malicious code, injected DLLs, and process hollowing artifacts that would vanish on reboot. Active network connections and running processes reveal the malware's C2 communications and its in-memory execution context, which are critical for identifying the infection vector and scope.

Exam trap

Cisco often tests the misconception that fileless malware leaves no artifacts at all, leading candidates to overlook memory and live response data, or to pick irrelevant options such as cafeteria purchases, which are obvious distractors with no forensic value.

270
MCQmedium

A security operations center (SOC) analyst is investigating an alert from the endpoint detection and response (EDR) system indicating that a process named "svchost.exe" spawned from a parent process "cmd.exe" on a user workstation. The user is a software developer who frequently uses command-line tools. The analyst checks the command line arguments: "cmd.exe /c powershell -EncodedCommand ...". The encoded command decodes to a script that downloads a payload from a remote server and executes it. The analyst also sees that the workstation has established an outbound connection to the same server on port 443. Which of the following is the BEST immediate action?

A.Isolate the workstation from the network.
B.Disable the user account.
C.Kill the svchost.exe process.
D.Block the remote server IP at the firewall.
AnswerA

Immediately contains the threat by preventing further communication and lateral movement.

Why this answer

Isolating the workstation is the best immediate action because the EDR alert confirms active compromise: a malicious encoded PowerShell command executed via cmd.exe spawned svchost.exe (a process commonly abused for masquerading), and an outbound connection to the same C2 server on port 443 (HTTPS) indicates ongoing data exfiltration or further payload delivery. Network isolation stops all communication with the attacker while preserving forensic evidence on the endpoint, which is critical for containment in a SOC response.

Exam trap

CompTIA often tests the misconception that blocking the remote IP or killing the process is sufficient, but the trap here is that the active outbound connection and running payload require immediate network containment to prevent data exfiltration and lateral movement, not just reactive blocking or process termination.

How to eliminate wrong answers

Option B is wrong because disabling the user account does not stop the already-running malicious process or its outbound C2 connection; the threat persists on the endpoint regardless of authentication status. Option C is wrong because killing svchost.exe may disrupt the malware but does not block the outbound connection already established, and the process could be a legitimate svchost.exe instance that has been injected or hollowed, making termination risky without analysis. Option D is wrong because blocking the remote server IP at the firewall only prevents future connections from that IP but does not stop the current active session or the malware already executing on the workstation, and the attacker can easily switch to a different IP or domain.

271
MCQmedium

During a vulnerability scan, an analyst discovers a high-severity vulnerability on a critical database server. The server is in production and cannot be taken offline. The vendor has released a patch but requires a reboot. Which of the following should the analyst recommend FIRST?

A.Implement a workaround from the vendor.
B.Schedule the patch during the next maintenance window.
C.Apply the patch immediately.
D.Migrate the database to a new server.
AnswerB

This balances security with availability.

Why this answer

Option B is correct because the database server is in production and cannot be taken offline, so the patch must be applied during a scheduled maintenance window to minimize business disruption. The vulnerability is high-severity, but the vendor requires a reboot, which would cause downtime; therefore, the first step is to plan the patch application at the next available maintenance window, not to apply it immediately or implement a workaround that may not fully mitigate the risk.

Exam trap

CompTIA often tests the candidate's ability to prioritize business continuity over immediate remediation, leading candidates to incorrectly choose 'Apply the patch immediately' (Option C) because they focus solely on the high severity without considering the operational impact of a reboot on a critical production server.

How to eliminate wrong answers

Option A is wrong because implementing a workaround from the vendor is a temporary measure that may not fully address the vulnerability and could introduce additional complexity or performance issues; the analyst should prioritize the patch itself. Option C is wrong because applying the patch immediately would cause an unplanned reboot of a critical production database server, leading to unacceptable downtime and potential data loss or corruption. Option D is wrong because migrating the database to a new server is a drastic, time-consuming, and high-risk operation that is not the first recommendation; it should only be considered if patching is impossible or the server is end-of-life.

272
Multi-Selectmedium

Which TWO of the following are best practices for vulnerability scanning in a PCI DSS compliant environment? (Select TWO)

Select 2 answers
A.Perform quarterly scans
B.Scan only external IP ranges
C.Use a single scanning vendor
D.Scan after any significant network change
E.Use authenticated scanning for more accurate results
AnswersA, E

PCI DSS requirement 11.2 mandates quarterly external and internal scans.

Why this answer

Options A and C are correct. PCI DSS requires quarterly internal and external vulnerability scans. Option B is incorrect because both credentialed and non-credentialed scans are recommended.

Option D is incorrect because post-change scanning is a general best practice but not specifically a PCI DSS requirement for this context. Option E is incorrect because multiple scanning vendors can be used.

273
MCQmedium

A WAF generates repeated SQL injection alerts against a login endpoint. The application team says the requests returned HTTP 200. What should the analyst do before declaring compromise? In the containment trade-off phase, which response balances containment with evidence preservation?

A.Review application logs for query errors, authentication events, and abnormal database access
B.Disable the WAF rule because it may be noisy
C.Treat every HTTP 200 as proof of exploitation
D.Ask users to change passwords without checking logs
AnswerA

HTTP 200 can occur for blocked, handled, or successful requests; application and database context determine impact.

Why this answer

Option A is correct because HTTP 200 responses from a WAF-protected endpoint do not rule out successful SQL injection; the application may have processed the malicious input without triggering an HTTP error. Reviewing application logs for query errors, authentication anomalies, and abnormal database access provides direct evidence of whether the injection actually succeeded, which is essential before declaring compromise. This approach balances containment by not disrupting legitimate traffic while preserving forensic evidence for analysis.

Exam trap

Cisco often tests the misconception that an HTTP 200 status code definitively indicates no exploitation occurred, when in reality it only reflects the web server's response, not the success or failure of the injected SQL.

How to eliminate wrong answers

Option B is wrong because disabling the WAF rule without investigation removes a critical detection layer, potentially allowing ongoing exploitation and destroying evidence of the attack. Option C is wrong because an HTTP 200 status code only indicates the web server responded normally; it does not confirm that the SQL injection payload executed successfully, as many injections fail silently or are caught by parameterized queries.

274
MCQeasy

Two servers have the same critical vulnerability. One hosts a public payment API; the other is a lab server isolated from production. What changes the remediation priority? For tool configuration, which scanner or pipeline change most directly improves result quality?

A.The number of installed fonts
B.The colour of the scanner dashboard
C.Asset criticality, exposure, and business impact
D.Whether the hostname is shorter
AnswerC

The same CVE can represent different risk depending on where it exists and what the asset supports.

Why this answer

Remediation priority is determined by risk, which combines asset criticality, exposure, and business impact. The public payment API has high exposure (internet-facing) and high business impact (PCI DSS compliance, financial data), while the lab server is isolated and non-production. A vulnerability scanner like Nessus or Qualys uses asset tags and CVSS environmental metrics (e.g., modified impact sub-scores) to calculate a risk-based priority score, not the number of installed fonts or dashboard color.

Exam trap

Cisco often tests the misconception that vulnerability severity alone (e.g., a high CVSS score) determines remediation priority, ignoring that asset context—exposure, criticality, and business impact—is the actual driver of risk-based prioritization.

How to eliminate wrong answers

Option A is wrong because the number of installed fonts is a cosmetic system attribute with no bearing on vulnerability severity, exposure, or business impact; it does not affect CVSS scoring or remediation prioritization. Option B is wrong because the color of the scanner dashboard is a purely aesthetic UI setting that has zero influence on scan results, risk calculation, or the quality of vulnerability detection.

275
MCQhard

A hospital's IT department has been receiving reports from nursing staff that the electronic medical record (EMR) system is responding slowly during peak hours. The network team has verified that the local area network is operating normally and there is no bandwidth congestion. The security analyst reviews the firewall logs and observes repeated outbound connections from the EMR server to an external IP address 198.51.100.23 on TCP port 443 at regular 5-minute intervals. Each connection transfers a small amount of data. The analyst also notes that the EMR server's antivirus software is up to date and no malware has been detected. The hospital's security policy requires that all outbound connections from critical servers be explicitly approved. Further investigation reveals that 198.51.100.23 is associated with a hosting provider in a foreign country. The analyst suspects a data exfiltration. Which of the following actions should the analyst take FIRST?

A.Install a network-based intrusion detection system to monitor the server.
B.Capture and analyze the network traffic between the EMR server and the external IP.
C.Isolate the EMR server from the network and run a full forensic analysis.
D.Block all outbound traffic from the EMR server to the internet immediately.
AnswerB

Capturing and analyzing the traffic provides insight into whether data exfiltration is occurring and what data is being sent, allowing for an informed response.

Why this answer

Option B is correct because the analyst must first confirm whether the outbound connections are actually exfiltrating data or are legitimate (e.g., software updates, license checks). Capturing and analyzing the network traffic (e.g., using tcpdump or Wireshark) allows the analyst to inspect the payload and determine the nature of the data being sent, which is a standard step in incident response before taking more disruptive actions.

Exam trap

CompTIA often tests the principle of 'least disruption first' in incident response, where candidates mistakenly choose an aggressive containment action (like isolation or blocking) before gathering sufficient evidence to confirm the threat.

How to eliminate wrong answers

Option A is wrong because installing a network-based intrusion detection system (NIDS) is a long-term monitoring solution, not an immediate first step to investigate a suspected active exfiltration; it would not provide the specific payload analysis needed now. Option C is wrong because isolating the EMR server and running a full forensic analysis is too disruptive and premature without first confirming that the traffic is malicious; it could halt critical hospital operations unnecessarily. Option D is wrong because immediately blocking all outbound traffic from the EMR server could disrupt legitimate services (e.g., updates, cloud backups) and would destroy evidence of the ongoing communication before it can be analyzed.

276
MCQmedium

A security analyst is configuring a SIEM correlation rule to detect multiple failed login attempts followed by a successful login from the same source IP within a short time window. This pattern suggests a successful brute-force attack. Which of the following correlation types should the analyst use?

A.Thresholding
B.Sequential correlation
C.Aggregation
D.Time-based correlation
AnswerB

Sequential correlation detects events in a specific order, ideal for detecting a pattern of failures followed by success.

Why this answer

Sequential correlation is the correct choice because it detects a specific ordered sequence of events: multiple failed logins followed by a successful login from the same source IP within a defined time window. This pattern is characteristic of a brute-force attack, where an attacker attempts many passwords before succeeding. SIEM tools like Splunk or QRadar use sequential correlation to match event chains where the order matters, not just the count or aggregation of events.

Exam trap

Cisco often tests the distinction between sequential correlation and aggregation, where candidates mistakenly choose aggregation because they focus on the 'multiple failed logins' count rather than the required ordered sequence of failures followed by a success.

How to eliminate wrong answers

Option A is wrong because thresholding triggers on a count of events exceeding a threshold (e.g., 10 failed logins) but does not require a subsequent successful login, missing the key pattern of a successful brute-force. Option C is wrong because aggregation groups events by a common attribute (e.g., source IP) but does not enforce an ordered sequence; it would flag any combination of failed logins and a success from the same source, even if the success occurred before the failures. Option D is wrong because time-based correlation simply matches events within a time window without requiring a specific order or sequence, so it could match a successful login followed by failed attempts, which is not the brute-force pattern.

277
MCQhard

Your organization has deployed a new web application on a Linux server. The application uses a custom database port (TCP 3307). During a routine vulnerability scan, the scanner reports a critical vulnerability: 'MySQL Server - Unrestricted File Upload (CVE-20XX-XXXX)'. The system administrator confirms that MySQL is not installed; the custom database uses PostgreSQL on port 3307. The scanner likely misidentified the service due to port-based fingerprinting. On further investigation, you find that the scanner's fingerprinting database has an incorrect mapping for port 3307. The PostgreSQL version is current and fully patched. The environment is production and cannot be disrupted. Which of the following is the BEST action to take?

A.Manually update the scanner's database to correct the port mapping.
B.Schedule an immediate patch of the supposed MySQL vulnerability.
C.Apply a workaround to block file upload functionality on port 3307.
D.Mark the vulnerability as a false positive and suppress it for this asset.
AnswerD

Accurately identifies the issue and prevents future alerts.

Why this answer

Option D is correct because the vulnerability report is based on a false positive: the scanner misidentified the service on port 3307 as MySQL due to an incorrect port mapping in its fingerprinting database, while the actual service is a fully patched PostgreSQL. Since MySQL is not installed and no actual vulnerability exists, marking the finding as a false positive and suppressing it for this asset is the appropriate response in a production environment that cannot be disrupted.

Exam trap

CompTIA often tests the candidate's ability to distinguish between a true vulnerability and a false positive caused by service misidentification, trapping those who jump to patching or blocking without verifying the actual service running on the port.

How to eliminate wrong answers

Option A is wrong because manually updating the scanner's database is not a standard or recommended remediation action; scanner databases are vendor-managed, and manual edits could cause further inaccuracies or be overwritten on the next update. Option B is wrong because scheduling an immediate patch for a supposed MySQL vulnerability is unnecessary and potentially disruptive, as MySQL is not installed and the PostgreSQL service is fully patched—applying a non-existent patch wastes resources and may introduce risk. Option C is wrong because applying a workaround to block file upload functionality on port 3307 is irrelevant; PostgreSQL does not have an unrestricted file upload vulnerability, and blocking functionality would disrupt legitimate database traffic without addressing the actual scanner misidentification.

278
MCQeasy

While supporting a hybrid workforce, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible? Which evidence should guide the decision?

A.Ignore it if MFA is enabled
B.Delete all emails from the mailbox
C.Only reset the user's Windows password
D.Revoke the app grant, review mailbox access, and identify other users who consented
AnswerD

OAuth consent abuse can persist without password access; revoking grants and scoping exposure contains the incident. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the immediate priority is to revoke the malicious OAuth grant to stop the attacker's access, then review the mailbox for any data exfiltration or abuse, and finally identify other users who may have consented to the same app to contain the incident. This follows the NIST SP 800-61 incident response process for detection and analysis, where the most defensible decision is to remove the attacker's foothold and assess the scope of compromise. Ignoring the issue or taking non-targeted actions like password resets or email deletion fails to address the root cause—the OAuth consent grant—which persists independently of user credentials.

Exam trap

CompTIA often tests the misconception that resetting a user's password or enforcing MFA is sufficient to revoke OAuth tokens, when in reality the refresh token persists independently and must be explicitly revoked via the identity provider's admin interface.

How to eliminate wrong answers

Option A is wrong because MFA does not protect against OAuth consent phishing; the attacker obtains a refresh token via the consent grant, which bypasses MFA entirely. Option B is wrong because deleting all emails destroys forensic evidence and does not revoke the attacker's persistent access via the OAuth token. Option C is wrong because resetting the Windows password does not invalidate the OAuth refresh token stored in Azure AD/Entra ID; the app retains mailbox access until the grant is explicitly revoked.

279
MCQhard

A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For control selection, which control best addresses the stated weakness without hiding risk?

A.Wireless spectrum analysis
B.Physical badge access reviews
C.Database transaction log backups
D.Software composition analysis in the CI/CD pipeline
AnswerD

SCA identifies vulnerable third-party dependencies and can gate builds before release.

Why this answer

Software composition analysis (SCA) is the correct control because it automatically scans the project's dependencies against known vulnerability databases (e.g., NVD, GitHub Advisory Database) to identify vulnerable open-source libraries before deployment. Integrating SCA into the CI/CD pipeline ensures that vulnerabilities are caught early in the development lifecycle, aligning with the shift-left security principle without suppressing or masking risk.

Exam trap

CompTIA often tests the distinction between vulnerability scanning (SCA) and other security controls like network monitoring or physical security, so the trap here is confusing a general security practice (e.g., backups or access reviews) with a specific software dependency scanning control that directly addresses the stated weakness.

How to eliminate wrong answers

Option A is wrong because wireless spectrum analysis (e.g., using a spectrum analyzer or wireless IDS) is used to detect rogue access points or interference in wireless networks, not to identify vulnerable open-source libraries in code. Option B is wrong because physical badge access reviews control physical access to facilities, not software dependencies or code-level vulnerabilities. Option C is wrong because database transaction log backups are a data recovery and integrity control, unrelated to scanning for vulnerable open-source libraries in a development pipeline.

280
MCQhard

A scanner flags TLS 1.0 on a server, but the service owner says TLS 1.0 is disabled. What is the BEST validation method? For tool configuration, which scanner or pipeline change most directly improves result quality?

A.Change the severity to informational automatically
B.Delete the server from the scan scope
C.Close the finding because the owner disagrees
D.Manually test the service with a TLS client or scanner profile that negotiates protocol versions
AnswerD

Direct protocol validation determines whether TLS 1.0 is actually accepted.

Why this answer

Option D is correct because the most reliable way to validate whether TLS 1.0 is truly disabled is to perform an active, negotiated test using a TLS client (e.g., OpenSSL s_client) or a scanner profile that explicitly attempts to connect using only TLS 1.0. This bypasses any potential misconfiguration in the scanner's service detection or version negotiation logic, and directly confirms whether the server accepts a TLS 1.0 handshake. Relying solely on the scanner's banner grab or the owner's assertion can miss cases where the server still supports the protocol on certain ports or under specific cipher suites.

Exam trap

CompTIA often tests the concept that scanner results must be validated through active, protocol-specific testing rather than relying on configuration assertions or passive detection, and the trap here is assuming that a service owner's claim or a scanner's default detection is sufficient without manual verification.

How to eliminate wrong answers

Option A is wrong because changing severity to informational does not resolve the underlying validation issue; it merely hides the finding and could mask a real vulnerability if TLS 1.0 is actually enabled. Option B is wrong because deleting the server from the scan scope removes all future visibility into that asset, which is an overreaction and prevents ongoing security monitoring. Option C is wrong because closing a finding solely because the owner disagrees violates the principle of independent validation; the scanner's result must be verified through technical means, not dismissed based on opinion.

281
MCQmedium

During incident reconstruction, firewall events appear five minutes earlier than endpoint events for the same connection. What should the analyst check first? In the alert triage phase, which action gives the analyst the clearest next triage step?

A.Prioritize only the source with the highest EPS
B.Time synchronization and timezone normalization across log sources
C.Assume the firewall logs are falsified
D.Delete one source from the timeline
AnswerB

Clock drift and timezone parsing commonly distort event order in SIEM timelines.

Why this answer

Time synchronization and timezone normalization across log sources is the correct first check because a consistent five-minute offset between firewall and endpoint events for the same connection strongly indicates a clock drift or timezone misconfiguration rather than a security anomaly. In incident reconstruction, analysts must ensure all timestamps are aligned to a common reference (e.g., UTC) and that NTP is properly configured on all devices; otherwise, the timeline is unreliable. This step directly addresses the root cause before any triage or prioritization can occur.

Exam trap

CompTIA often tests the misconception that a timestamp discrepancy automatically indicates log tampering or that high EPS should drive triage priority, when in fact the immediate technical root cause is almost always a time synchronization issue.

How to eliminate wrong answers

Option A is wrong because prioritizing only the source with the highest EPS (Events Per Second) ignores the fundamental time discrepancy and could lead to focusing on a noisy but irrelevant log source while the actual timing issue remains unresolved. Option C is wrong because assuming the firewall logs are falsified without first verifying time synchronization introduces bias and wastes investigative effort; log falsification is a serious claim that requires evidence, not a default assumption when a simple clock skew is the most likely explanation.
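The check described above, as an added example that is not part of the question bank: two sources are normalized to UTC first, and only the offset that survives normalization is treated as clock skew. It assumes a firewall that writes syslog-style local timestamps (UTC-5, no zone marker) and an endpoint agent that writes ISO 8601 in UTC; the event pairs are constructed.

```python
"""Normalize firewall and endpoint timestamps to UTC, then decide whether a
residual offset is a systematic clock skew or just noise."""
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Assumption: the firewall logs local time (UTC-5) without a zone marker and,
# as syslog does, without a year; the SIEM supplies the year at ingest.
FIREWALL_TZ = timezone(timedelta(hours=-5))
INGEST_YEAR = 2024

# Constructed sample: the same connection as seen by each source.
# Raw values look 5 h 5 min apart; 5 h of that is timezone, 5 min is skew.
PAIRED_EVENTS = [
    ("Mar  5 09:12:07", "2024-03-05T14:17:07Z"),
    ("Mar  5 09:15:41", "2024-03-05T14:20:41Z"),
    ("Mar  5 09:31:02", "2024-03-05T14:36:02Z"),
]

# Constructed contrast case: offsets that vary from pair to pair.
SCATTERED_EVENTS = [
    ("Mar  5 09:12:07", "2024-03-05T14:12:09Z"),
    ("Mar  5 09:15:41", "2024-03-05T14:20:41Z"),
]


def parse_firewall(ts: str) -> datetime:
    """Syslog 'Mon DD HH:MM:SS' in the firewall's local zone -> aware UTC."""
    local = datetime.strptime(f"{INGEST_YEAR} {ts}", "%Y %b %d %H:%M:%S")
    return local.replace(tzinfo=FIREWALL_TZ).astimezone(timezone.utc)


def parse_endpoint(ts: str) -> datetime:
    """ISO 8601 with trailing Z -> aware UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def offsets_seconds(pairs):
    """Endpoint minus firewall, in seconds, after both sides are in UTC."""
    return [(parse_endpoint(e) - parse_firewall(f)).total_seconds() for f, e in pairs]


def diagnose(pairs, tolerance_s: float = 2.0):
    """Return (mean offset in seconds, verdict).

    A near-constant offset across many events points at one source's clock
    (NTP not applied, drift); scattered offsets point at something else,
    such as buffered forwarding or mismatched events."""
    offs = offsets_seconds(pairs)
    avg, spread = mean(offs), pstdev(offs)
    if abs(avg) <= tolerance_s:
        return avg, "aligned"
    if spread <= tolerance_s:
        return avg, "systematic-skew"
    return avg, "inconsistent"


def corrected_timeline(pairs, firewall_correction: timedelta):
    """Merge both sources into one UTC-ordered timeline after shifting the
    firewall clock by the measured correction."""
    events = []
    for f, e in pairs:
        events.append((parse_firewall(f) + firewall_correction, "firewall"))
        events.append((parse_endpoint(e), "endpoint"))
    return sorted(events)


if __name__ == "__main__":
    avg, verdict = diagnose(PAIRED_EVENTS)
    print(f"mean offset {avg:+.0f}s -> {verdict}")
    for when, source in corrected_timeline(PAIRED_EVENTS, timedelta(seconds=avg)):
        print(when.isoformat(), source)
```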

282
MCQeasy

A security dashboard is being designed for the executive team. Which metric is MOST appropriate to display?

A.Current CPU utilization on firewalls
B.Overall risk posture score with trend over time
C.Patch installation status of all endpoints
D.Number of IDS alerts per hour
AnswerB

Provides a concise summary of security health.

Why this answer

The executive team requires a high-level, strategic view of security effectiveness, not granular operational data. The overall risk posture score with trend over time directly communicates the organization's security health and whether it is improving or deteriorating, enabling informed decision-making. This aligns with the Reporting and Communication domain's emphasis on translating technical metrics into business-relevant insights.

Exam trap

CompTIA often tests the distinction between operational metrics (for technical teams) and strategic metrics (for executives), and the trap here is that candidates mistake a detailed, operational metric like patch status or alert counts as appropriate for an executive dashboard, ignoring the need for aggregated, trended risk visibility.

How to eliminate wrong answers

Option A is wrong because current CPU utilization on firewalls is an operational metric relevant to network engineers for troubleshooting performance issues, not a strategic indicator for executives. Option C is wrong because patch installation status of all endpoints is a detailed, tactical metric that belongs in IT operations or vulnerability management dashboards, not an executive summary. Option D is wrong because the number of IDS alerts per hour is a raw, high-volume data point that lacks context and would overwhelm executives; it requires correlation and analysis to be meaningful.

283
Multi-Selectmedium

When briefing legal and privacy teams after a suspected data exposure, which details matter? (Choose two.)

Select 2 answers
A.Data types and jurisdictions potentially affected
B.A complete list of unrelated server patches
C.Speculation about attacker identity without evidence
D.Timeline of discovery, containment, and known access
AnswersA, D

Notification duties depend on data and jurisdiction.

Why this answer

Data types (e.g., PII, PHI, PCI) and affected jurisdictions determine legal notification obligations under regulations like GDPR, HIPAA, or CCPA. Jurisdictions dictate breach notification timelines and penalties, making this information critical for legal and privacy teams to assess risk and compliance. Without this detail, the response cannot be properly scoped or legally defensible.

Exam trap

CompTIA often tests the distinction between operational details (like patch lists) and legally relevant information (data types and jurisdictions), trapping candidates who think all technical details are equally important for legal teams.

284
Multi-Selecteasy

A security analyst is reviewing alerts from an IDS. Which TWO indicators are most likely to suggest a successful command and control (C2) communication? (Choose two.)

Select 2 answers
A.An inbound connection from a known malicious IP to the mail server
B.A high volume of outbound traffic to an unusual destination IP on port 443
C.A single large file upload to a cloud storage service
D.An internal host performing a DNS query for a known malicious domain
E.Regular beaconing activity to an external IP with consistent payload sizes
AnswersB, E

High-volume outbound traffic to an unusual IP on 443 could be data exfiltration or C2 traffic masquerading as HTTPS.

Why this answer

B is correct because a high volume of outbound traffic to an unusual destination IP on port 443 (HTTPS) is a classic indicator of data exfiltration or C2 communication, as attackers often use encrypted channels to blend in with legitimate web traffic. The combination of high volume and an unusual destination IP suggests the host is sending data to an external server controlled by the attacker, which is a key sign of an active C2 session.

Exam trap

CompTIA often tests the distinction between attempted and successful C2 communication, where candidates mistakenly choose indicators like DNS queries or inbound connections as proof of success, but only outbound beaconing or sustained data transfer to unusual destinations confirms an established C2 channel.

285
MCQhard

A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For tool configuration, which scanner or pipeline change most directly improves result quality?

A.Physical badge access reviews
B.Wireless spectrum analysis
C.Software composition analysis in the CI/CD pipeline
D.Database transaction log backups
AnswerC

SCA identifies vulnerable third-party dependencies and can gate builds before release.

Why this answer

Software composition analysis (SCA) is the correct control because it specifically scans open-source libraries for known vulnerabilities (CVEs) and license compliance issues. Integrating SCA into the CI/CD pipeline ensures that vulnerable dependencies are detected automatically before code is deployed, enabling early remediation without manual overhead.

Exam trap

CompTIA often tests the distinction between vulnerability scanning (SCA) and network or physical controls, expecting candidates to recognize that open-source library risks require a software-focused tool, not a hardware or access control solution.

How to eliminate wrong answers

Option A is wrong because physical badge access reviews control physical security, not software library vulnerabilities; they have no mechanism to inspect open-source code or its dependencies. Option B is wrong because wireless spectrum analysis monitors radio frequency interference and rogue access points, not software libraries; it addresses network-layer threats, not application-layer dependency risks.

286
MCQeasy

A company's IDS generated an alert for a SQL injection attempt against a web server. The web application firewall (WAF) is already in place. What is the best action?

A.Update the WAF rules
B.Block the source IP at the firewall
C.Shut down the web server
D.Verify if the attack succeeded by checking server logs
AnswerD

Determines if the WAF blocked the injection or if further action is needed.

Why this answer

Option D is correct because the first step is to verify whether the attack succeeded by checking the server logs. Premature blocking or shutdown may be unnecessary.

287
MCQmedium

A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For tool configuration, which scanner or pipeline change most directly improves result quality?

A.Restrict public access and determine whether sensitive data was accessed
B.Wait for the next quarterly review
C.Rotate database administrator passwords only
D.Delete all audit logs to reduce liability
AnswerA

The priority is exposure containment and impact assessment.

Why this answer

Option A is correct because the immediate priority is to stop the data leak by restricting public read access to the storage bucket, then investigate whether sensitive data was actually accessed. This aligns with the incident response principle of containment before analysis. In cloud environments like AWS S3 or Azure Blob Storage, a bucket with public read access exposes all objects to the internet, and the first step is to apply a bucket policy or ACL to deny public access.

Exam trap

CompTIA often tests the misconception that rotating credentials (like database passwords) is a catch-all fix for data exposure, but the trap here is that the vulnerability is a misconfigured storage bucket, not compromised credentials, so the correct first step is to restrict public access and assess exposure.

How to eliminate wrong answers

Option B is wrong because waiting for the next quarterly review leaves sensitive customer data exposed to the internet for an extended period, violating data protection regulations and incident response best practices. Option C is wrong because rotating database administrator passwords does not address the root cause—a misconfigured storage bucket with public read access—and is an irrelevant action for this specific vulnerability.

288
Multi-Selectmedium

Which evidence helps distinguish a true brute-force attack from a misconfigured service account? (Choose two.)

Select 2 answers
A.The number of monitors used by the administrator
B.Source distribution and timing of failed logons
C.Whether one service account repeatedly fails after a password change
D.The brand of the office router only
AnswersB, C

Distributed or patterned failures suggest attack activity.

Why this answer

Option B is correct because a true brute-force attack typically originates from multiple source IP addresses or a single source with a high frequency of failed logons over a short time window, whereas a misconfigured service account usually fails from a consistent source at regular intervals. Analyzing the source distribution and timing of failed logons helps distinguish automated attack patterns from predictable service account behavior, such as retry intervals defined in application configuration.

Exam trap

CompTIA often tests the misconception that any repeated failed logon after a password change is evidence of an attack, when in fact it is a classic symptom of a misconfigured service account that has not been updated with the new credentials.

289
Multi-Selecthard

Which TWO of the following are indicators of potential data exfiltration via DNS?

Select 2 answers
A.Unusual TLS handshake patterns
B.Traffic to known malicious IPs over HTTP
C.Large number of NXDOMAIN responses
D.High volume of TXT record queries
E.Frequent queries to long subdomains
AnswersD, E

TXT records are commonly used to encode exfiltrated data.

Why this answer

Option D is correct because TXT records are commonly used in DNS tunneling to encode exfiltrated data. Attackers embed data in TXT record queries or responses, and a high volume of such queries is a strong indicator of data exfiltration via DNS.

Exam trap

CompTIA often tests the distinction between DNS tunneling indicators (TXT record volume and long subdomains) and other DNS anomalies like NXDOMAIN responses, which are more associated with DGA or reconnaissance rather than exfiltration.

290
MCQeasy

In a regulated payment environment, an incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible? Which action best reduces risk without losing evidence?

A.A generic statement that security is important
B.Deletion of all incident tickets
C.A blame list of individual analysts
D.Specific playbook updates, escalation triggers, owners, and due dates
AnswerD

Lessons learned should translate findings into trackable process improvements. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because a post-incident review in a regulated payment environment must produce actionable improvements to prevent recurrence. Delayed escalation indicates a failure in detection or notification procedures, so the review should yield specific playbook updates, escalation triggers, assigned owners, and due dates to ensure timely response in future incidents. This aligns with NIST SP 800-61r2 and PCI DSS requirements for continuous improvement of incident response processes.

Exam trap

CompTIA often tests the misconception that post-incident reviews are about assigning blame or deleting evidence, rather than focusing on process improvement and evidence preservation.

How to eliminate wrong answers

Option A is wrong because a generic statement that security is important provides no measurable, actionable steps to fix the identified procedural gap, and would fail audit scrutiny in a regulated environment. Option B is wrong because deletion of all incident tickets violates evidence preservation requirements under regulations like PCI DSS and GDPR, and destroys the forensic trail needed for root cause analysis and legal proceedings. Option C is wrong because a blame list of individual analysts creates a punitive culture that discourages reporting and collaboration, and does not address the systemic process failure that allowed delayed escalation.

291
Multi-Selectmedium

During containment of a compromised cloud access key, which actions are appropriate? (Choose two.)

Select 2 answers
A.Review audit logs for actions performed with the key
B.Only delete the public repository commit
C.Grant the key administrator privileges for investigation
D.Disable or rotate the exposed key
AnswersA, D

Audit review establishes scope and impact.

Why this answer

Reviewing audit logs for actions performed with the compromised key is appropriate during containment because it allows the incident response team to determine the scope of unauthorized access, identify affected resources, and understand the attacker's actions. This step is critical for informed decision-making before revoking or rotating the key, ensuring that legitimate operations are not disrupted and that forensic evidence is preserved.

Exam trap

CompTIA often tests the misconception that immediate revocation or deletion of the key is the only containment step, but the correct approach requires first auditing the key's usage to understand the full impact before taking irreversible actions.

292
MCQmedium

A security analyst receives an alert from the HIDS indicating that a critical configuration file was modified unexpectedly. What is the best immediate action?

A.Ignore the alert as HIDS false positives are common
B.Immediately revert the file and block any similar changes
C.Check the change management system to see if the change was approved
D.Restore the file from a known good backup
AnswerC

Determines if modification is legitimate.

Why this answer

Option C is correct because the best immediate action when a HIDS alerts on a critical configuration file change is to first verify whether the change was authorized through the change management system. This aligns with the incident response process of validation before remediation; reverting or restoring without checking could disrupt approved maintenance or patch deployments. HIDS monitors file integrity via checksums (e.g., SHA-256), but it cannot distinguish approved changes from malicious ones without external context.

Exam trap

CompTIA often tests the principle that immediate remediation (reverting or restoring) is not the best first step; candidates mistakenly jump to containment actions without validating whether the change was authorized, confusing incident response speed with due diligence.

How to eliminate wrong answers

Option A is wrong because ignoring HIDS alerts on critical configuration files is negligent; while false positives can occur, dismissing them without investigation violates security operations best practices and could allow a breach to go undetected. Option B is wrong because immediately reverting the file and blocking changes is premature and could undo an authorized change (e.g., a scheduled security patch or configuration update), potentially causing service disruption or compliance issues. Option D is wrong because restoring from a known good backup is a remediation step that should only be taken after confirming the change was unauthorized; doing so without checking change management could overwrite legitimate modifications and lose audit trail data.

293
MCQmedium

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For validation, which action should be taken before closing or downgrading the finding?

A.The risk register with owner, justification, expiry date, and compensating controls
B.The firewall vendor invoice
C.The incident containment playbook only
D.The phishing training completion list
AnswerA

Risk acceptance must be explicit, time-bound, owned, and controlled.

Why this answer

When a business unit formally accepts the risk of delaying a patch due to contractual constraints, the risk must be documented in the risk register. This entry should include the owner, justification, expiry date, and compensating controls to ensure the risk is tracked, reviewed, and eventually remediated. This aligns with the vulnerability management lifecycle, where accepted risks require formal documentation and periodic reassessment.

Exam trap

CompTIA often tests the distinction between risk acceptance documentation (risk register) and operational documents (playbooks, invoices), tricking candidates into thinking any update related to the delay is sufficient, when only the risk register captures the formal acceptance process.

How to eliminate wrong answers

Option B is wrong because the firewall vendor invoice is a financial document unrelated to risk acceptance or vulnerability management; it does not track risk decisions or compensating controls. Option C is wrong because the incident containment playbook is designed for active incident response, not for documenting accepted risks from delayed patching; updating it would not address the need to formally record the risk acceptance.

294
MCQhard

During a threat hunting exercise, an analyst formulates a hypothesis that an attacker may be using DNS tunneling to exfiltrate data. Which data source would provide the best evidence to confirm or deny this hypothesis?

A.Firewall logs showing allowed outbound connections
B.NetFlow records from the border router
C.Endpoint detection and response (EDR) logs showing DNS client activity
D.Deep packet inspection (DPI) of DNS traffic
AnswerD

DPI reveals content of DNS packets which can indicate tunneling.

Why this answer

Deep packet inspection (DPI) of DNS traffic is the best evidence because DNS tunneling works by encoding data within DNS queries and responses, often using non-standard record types (e.g., TXT, NULL) or unusually long domain names. DPI can decode the payload within DNS packets to reveal hidden data, whereas other methods only see metadata or connection summaries. This allows the analyst to directly inspect the content of DNS messages for signs of exfiltration, such as base64-encoded data or anomalous query patterns.

Exam trap

CompTIA often tests the misconception that NetFlow or firewall logs are sufficient for detecting data exfiltration, when in reality only deep packet inspection can reveal the payload content necessary to confirm DNS tunneling.

How to eliminate wrong answers

Option A is wrong because firewall logs showing allowed outbound connections only indicate that traffic passed through the firewall, not the content or structure of DNS packets; they cannot reveal whether data is being tunneled within DNS. Option B is wrong because NetFlow records from the border router provide metadata such as source/destination IPs, ports, and byte counts, but they lack the payload-level detail needed to detect encoded data inside DNS queries or responses. Option C is wrong because EDR logs showing DNS client activity typically record process-level events (e.g., which process made a DNS query) but do not capture the full DNS packet payload, making them insufficient to identify tunneling without additional deep inspection.
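The two tunneling indicators from question 289 (TXT-heavy clients and long, high-entropy subdomains) turned into detection logic, as an added example that is not part of the question bank. It reads resolver query logs, which carry the query name and type that DPI would also expose, and deliberately leaves NXDOMAIN bursts as a separate counter so they are not mistaken for exfiltration; the log format and lines are constructed.

```python
"""Score DNS query logs per client for DNS-tunneling indicators."""
import math
from collections import Counter, defaultdict

# Constructed sample lines: "<utc_ts> <client_ip> <qtype> <qname> <rcode>".
# 10.1.4.22 sends TXT queries with long random-looking labels (tunneling
# pattern); 10.1.4.30 is ordinary browsing; 10.1.4.41 produces NXDOMAINs
# (a DGA-style pattern, which is a different detection).
SAMPLE_LOG = """\
2024-03-05T14:12:07Z 10.1.4.22 TXT k7x2qm9fz4vw8rn3tc6yj1hpbd5gls0a.t1.exfil-example.test NOERROR
2024-03-05T14:12:08Z 10.1.4.22 TXT e3n8ypw1kc5zqh7tvb2mrx9afj4dgs6u.t1.exfil-example.test NOERROR
2024-03-05T14:12:09Z 10.1.4.22 TXT t9dh4aw2qfkc7xvm1lgr8pb3nyz5sje6.t1.exfil-example.test NOERROR
2024-03-05T14:12:10Z 10.1.4.22 A www.example.test NOERROR
2024-03-05T14:12:11Z 10.1.4.30 A www.example.test NOERROR
2024-03-05T14:12:12Z 10.1.4.30 A mail.example.test NOERROR
2024-03-05T14:12:13Z 10.1.4.30 AAAA www.example.test NOERROR
2024-03-05T14:12:14Z 10.1.4.41 A qzkdjf.test NXDOMAIN
2024-03-05T14:12:15Z 10.1.4.41 A wpxmlr.test NXDOMAIN
2024-03-05T14:12:16Z 10.1.4.41 A hgtyuo.test NXDOMAIN
"""


def parse_line(line: str) -> dict:
    ts, client, qtype, qname, rcode = line.split()
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname.rstrip(".").lower(), "rcode": rcode}


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score far above real words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_label(qname: str) -> str:
    return max(qname.split("."), key=len)


def score_clients(log_text: str, txt_ratio: float = 0.5, min_txt: int = 3,
                  label_len: int = 20, min_entropy: float = 3.5):
    """Return (per-client stats, findings). A client is flagged when a large
    share of its queries are TXT records and/or it queries names whose
    longest label is long and high-entropy (the two indicators above)."""
    stats = defaultdict(lambda: {"total": 0, "txt": 0,
                                 "long_labels": 0, "nxdomain": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        s = stats[ev["client"]]
        s["total"] += 1
        if ev["qtype"] == "TXT":
            s["txt"] += 1
        label = longest_label(ev["qname"])
        if len(label) >= label_len and shannon_entropy(label) >= min_entropy:
            s["long_labels"] += 1
        if ev["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1   # tracked, but not a tunneling signal

    findings = {}
    for client, s in stats.items():
        reasons = []
        if s["txt"] >= min_txt and s["txt"] / s["total"] >= txt_ratio:
            reasons.append("txt-heavy")
        if s["long_labels"] >= 2:
            reasons.append("long-high-entropy-subdomains")
        if reasons:
            findings[client] = reasons
    return dict(stats), findings


if __name__ == "__main__":
    _, found = score_clients(SAMPLE_LOG)
    for client, reasons in found.items():
        print(client, "->", ", ".join(reasons))
```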

295
Multi-Selecthard

Which signals strengthen an alert for Kerberoasting activity? (Choose two.)

Select 2 answers
A.Unusual volume of TGS requests for many service principals
B.Requests from a workstation that does not normally administer services
C.A user changing their desktop wallpaper
D.Successful DHCP lease renewal
AnswersA, B

Kerberoasting often generates broad service-ticket requests.

Why this answer

Kerberoasting involves requesting Ticket-Granting Service (TGS) tickets for service principals (SPNs) to crack their passwords offline. An unusual volume of TGS requests for many SPNs is a strong indicator because attackers typically enumerate SPNs and request tickets in bulk, which deviates from normal user behavior.

Exam trap

CompTIA often tests the distinction between benign user actions (like wallpaper changes) and actual Kerberos-related attack indicators, trapping candidates who confuse general system changes with authentication-specific anomalies.
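The two strengthening signals above as detection logic over Windows event 4769 (service ticket requested) records, added here as an example that is not from the question bank. It alerts on an unusual number of distinct SPNs requested by one account inside a short window and raises severity when the requesting host is outside an assumed allowlist of administrative workstations; the allowlist, hostnames and events are constructed.

```python
"""Flag Kerberoasting-like bursts of TGS requests in event 4769 records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (hypothetical) allowlist of hosts that routinely administer services.
ADMIN_WORKSTATIONS = {"10.1.2.5"}
SPN_THRESHOLD = 10            # distinct SPNs inside one window before alerting
WINDOW = timedelta(minutes=5)


def _ts(offset_s: int) -> str:
    base = datetime(2024, 3, 5, 14, 12, 0)
    return (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed sample of the 4769 fields used here: time, requesting account,
# its source address, and the target service principal name.
SAMPLE_4769 = (
    # an ordinary user asking for 12 SQL service tickets in 80 seconds
    [{"ts": _ts(i * 7), "account": "jdoe", "client_ip": "10.1.4.22",
      "spn": f"MSSQLSvc/db{i:02d}.corp.example:1433"} for i in range(12)]
    # an admin doing the same sort of burst from an admin workstation
    + [{"ts": _ts(i * 9), "account": "adm-k", "client_ip": "10.1.2.5",
        "spn": f"HTTP/app{i:02d}.corp.example"} for i in range(11)]
    # a service account with normal, sparse ticket requests
    + [{"ts": _ts(0), "account": "svc-backup", "client_ip": "10.1.3.8",
        "spn": "cifs/fs01.corp.example"},
       {"ts": _ts(3600), "account": "svc-backup", "client_ip": "10.1.3.8",
        "spn": "cifs/fs02.corp.example"}]
)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def max_distinct_spns(events, window: timedelta) -> int:
    """Largest number of distinct SPNs requested inside any span no longer
    than `window` (sliding window over time-sorted events)."""
    evs = sorted(events, key=lambda e: parse_ts(e["ts"]))
    best, left = 0, 0
    for right in range(len(evs)):
        while parse_ts(evs[right]["ts"]) - parse_ts(evs[left]["ts"]) > window:
            left += 1
        best = max(best, len({e["spn"] for e in evs[left:right + 1]}))
    return best


def detect_kerberoasting(events, spn_threshold: int = SPN_THRESHOLD,
                         window: timedelta = WINDOW,
                         admin_hosts=ADMIN_WORKSTATIONS) -> dict:
    """Per-account findings: volume is the base signal, and a non-admin
    source host raises severity, mirroring the two indicators in the question."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)

    findings = {}
    for account, evs in by_account.items():
        distinct = max_distinct_spns(evs, window)
        if distinct < spn_threshold:
            continue
        sources = {e["client_ip"] for e in evs}
        unusual = sorted(sources - admin_hosts)
        reasons = [f"{distinct} distinct SPNs within {window}"]
        if unusual:
            reasons.append("requests from non-admin host(s): " + ", ".join(unusual))
        findings[account] = {"distinct_spns": distinct,
                             "sources": sorted(sources),
                             "severity": "high" if unusual else "medium",
                             "reasons": reasons}
    return findings


if __name__ == "__main__":
    for account, f in detect_kerberoasting(SAMPLE_4769).items():
        print(account, f["severity"], "; ".join(f["reasons"]))
```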

296
MCQhard

A laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible?

A.Only the laptop colour
B.Only the ticket priority
C.Only the user's job title
D.Who collected it, when, where, hash values, transfer details, and storage location
AnswerD

Chain of custody records evidence handling and integrity from collection onward. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because proper chain of custody documentation is critical for evidence admissibility in legal proceedings. The responder must record who collected the evidence, the exact date and time, the physical location, cryptographic hash values (e.g., SHA-256) to verify integrity, transfer details (e.g., chain-of-custody forms), and the secure storage location. This ensures the evidence is not tampered with and can be defended in court.

Exam trap

CompTIA often tests the misconception that only superficial details (like colour or job title) are sufficient for documentation, when in fact the full chain of custody, including collector identity, timestamps, hashes, and storage, is mandatory for evidence admissibility.

How to eliminate wrong answers

Option A is wrong because documenting only the laptop colour provides no forensic value—it does not establish chain of custody, integrity, or provenance of the evidence. Option B is wrong because the ticket priority is an administrative metric unrelated to forensic acquisition; it does not help prove the evidence was handled properly or securely. Option C is wrong because the user's job title is irrelevant to the technical acquisition process; it does not record who collected the evidence, when, or how it was preserved.

297
MCQeasy

A DAST scan cannot reach authenticated pages of a web application and reports only public content findings. What should be configured? For tool configuration, which scanner or pipeline change most directly improves result quality?

A.Authenticated scanning with a test account and session handling
B.Reduce the scan to only the landing page
C.Disable all application authentication
D.Treat absence of findings as proof of security
AnswerA

DAST needs valid authentication and session management to test protected functionality.

Why this answer

DAST scanners analyze live web applications by sending HTTP requests and inspecting responses. When authentication is required to access protected pages, the scanner must maintain a valid session to reach those endpoints. Configuring authenticated scanning with a test account and proper session handling (e.g., using cookies, tokens, or form-based login) allows the scanner to traverse authenticated pages, ensuring the scan covers the full attack surface and reports findings from restricted areas.

Exam trap

CompTIA often tests the misconception that disabling authentication or reducing scope is an acceptable workaround, when the correct approach is to configure the scanner to properly handle the existing authentication mechanism.

How to eliminate wrong answers

Option B is wrong because reducing the scan to only the landing page would intentionally ignore all other pages, including authenticated ones, which directly contradicts the goal of improving result quality by reaching more content. Option C is wrong because disabling all application authentication would fundamentally alter the application's security posture, potentially breaking business logic and causing the scanner to test a non-representative environment, rather than properly handling the existing authentication mechanism.

298
MCQmedium

A vendor shares indicators marked TLP:AMBER+STRICT. How should the SOC handle them? In the evidence source phase, which evidence source best supports or refutes the detection?

A.Publish the indicators on a public GitHub repository
B.Send the indicators to all customers
C.Ignore the indicators because TLP markings are optional
D.Use them internally with only people who need to know and avoid wider redistribution
AnswerD

TLP:AMBER+STRICT restricts sharing to the recipient organisation on a need-to-know basis.

Why this answer

Option D is correct because TLP:AMBER+STRICT restricts sharing to individuals within the organization who have a specific need to know, and explicitly prohibits redistribution beyond that group. The SOC must honor this marking to protect the confidentiality of the indicators and avoid violating the trust model established by the Traffic Light Protocol (TLP), as defined by FIRST.

Exam trap

CompTIA often tests the distinction between TLP:AMBER and TLP:AMBER+STRICT, where candidates mistakenly assume 'AMBER' allows sharing within the entire organization, but the '+STRICT' suffix explicitly narrows that to only those with a direct need to know.

How to eliminate wrong answers

Option A is wrong because publishing TLP:AMBER+STRICT indicators on a public GitHub repository violates the core TLP restriction against any external sharing, potentially exposing sensitive threat intelligence to adversaries. Option B is wrong because sending the indicators to all customers, even if they are internal, exceeds the 'need to know' principle of TLP:AMBER+STRICT, which limits distribution to only those individuals directly involved in the response. Option C is wrong because TLP markings are mandatory, not optional; ignoring them would break the trust framework and could lead to mishandling of sensitive intelligence.

299
MCQeasy

A security analyst is reviewing vulnerability scan results and notices that several critical vulnerabilities have been reported on the same web server for three consecutive months. The server owner states that the patches cannot be applied due to application compatibility issues. Which of the following is the BEST course of action?

A.Escalate the issue to senior management and move on
B.Remove the web server from service until patches are applied
C.Schedule a rescan to verify if the vulnerabilities still exist
D.Implement compensating controls to reduce the risk
AnswerD

Compensating controls mitigate the risk when patching is not possible.

Why this answer

Option D is correct because when a known vulnerability cannot be patched due to application compatibility issues, the standard risk management approach is to implement compensating controls. These controls (e.g., Web Application Firewall rules, network segmentation, or host-based IPS) reduce the likelihood or impact of exploitation without modifying the vulnerable application. This aligns with the NIST SP 800-40 Rev. 4 guidance on vulnerability handling, which explicitly recommends compensating controls when patching is not feasible.

Exam trap

CompTIA often tests the misconception that rescanning (Option C) is the correct next step. The trap is that rescanning does not change the risk posture: it only confirms what is already known, while the question asks for an action that reduces risk.

How to eliminate wrong answers

Option A is wrong because simply escalating to senior management without taking any action to reduce risk is a passive approach that leaves the vulnerability exploitable; the analyst must still recommend or implement compensating controls. Option B is wrong because removing the web server from service is an extreme measure that may not be justified if compensating controls can adequately mitigate the risk, and it could cause unnecessary business disruption. Option C is wrong because rescanning will only confirm the same vulnerabilities still exist (since patches were not applied), wasting time without addressing the underlying risk.
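One concrete form of the compensating controls named in the explanation is a "virtual patch": a filtering layer in front of the unpatched server that lets only the documented, legitimate request surface through. The block below is an added example, not code from the question bank or from any vendor; the allowlisted paths, the /admin prefix and the 10.20.0.0/24 management network are hypothetical values chosen for illustration, and the stand-in backend exists only so the middleware can be exercised.

```python
"""Added example (not from the question bank): a 'virtual patch' compensating
control placed in front of a web server that cannot be patched.

Everything about the application here is hypothetical: the allowlisted paths,
the /admin prefix and the 10.20.0.0/24 management network are constructed for
illustration. Real rules come from the vendor advisory for the specific
finding and from the application's documented URL surface.
"""
import ipaddress
import re
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_PATH_LEN = 256

# Paths legitimate users need; anything else never reaches the vulnerable app.
ALLOWED_PATHS = [
    re.compile(r"^/$"),
    re.compile(r"^/catalog/[A-Za-z0-9_-]+$"),
    re.compile(r"^/checkout$"),
]
# Administrative surface: reachable only from the (hypothetical) management network.
ADMIN_PREFIX = re.compile(r"^/admin(?:/|$)")
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")


def evaluate(method: str, raw_path: str, client_ip: str):
    """Return (allowed, reason) for one request.

    The allowlist is matched against the percent-decoded path so that encoded
    dots or slashes cannot be used to slip past it.
    """
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if len(raw_path) > MAX_PATH_LEN:
        return False, "path too long"
    path = unquote(raw_path)
    if "\x00" in path or ".." in path.split("/"):
        return False, "path traversal or NUL byte"
    if ADMIN_PREFIX.match(path):
        try:
            in_mgmt = ipaddress.ip_address(client_ip) in MGMT_NET
        except ValueError:
            in_mgmt = False
        if in_mgmt:
            return True, "admin path from management network"
        return False, "admin path restricted to management network"
    if any(p.match(path) for p in ALLOWED_PATHS):
        return True, "allowlisted path"
    return False, "path not allowlisted"


class VirtualPatch:
    """WSGI middleware: rejects non-allowlisted requests with 403 and records them."""

    def __init__(self, app):
        self.app = app
        self.blocked = []  # (client_ip, method, path, reason), for the SOC to review

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "")
        path = environ.get("PATH_INFO", "/")
        client_ip = environ.get("REMOTE_ADDR", "0.0.0.0")
        allowed, reason = evaluate(method, path, client_ip)
        if not allowed:
            self.blocked.append((client_ip, method, path, reason))
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by compensating control\n"]
        return self.app(environ, start_response)


def backend(environ, start_response):
    """Stand-in for the unpatched application (hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the unpatched app\n"]


def run_request(app, method, path, client_ip):
    """Drive a WSGI app with a minimal environ; return (status line, body)."""
    status = {}

    def start_response(line, headers):
        status["line"] = line

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "REMOTE_ADDR": client_ip}
    body = b"".join(app(environ, start_response))
    return status["line"], body


if __name__ == "__main__":
    app = VirtualPatch(backend)
    for req in [("GET", "/catalog/widget-1", "203.0.113.5"),
                ("GET", "/admin/config", "203.0.113.5"),
                ("GET", "/admin/config", "10.20.0.7"),
                ("TRACE", "/", "203.0.113.5")]:
        print(req, "->", run_request(app, *req)[0])
    print("blocked:", app.blocked)
```

The control is only as good as the allowlist and the network position: it has to sit on the only path to the server, the blocked-request log has to be fed to the SOC, and the exception should carry an expiry date so the finding is revisited rather than silently accepted.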

300
MCQhard

A large e-commerce site is under a DDoS attack targeting its web servers. The incident response team is activated. Which goal should receive the HIGHEST priority during the response?

A.Maintain availability of the service.
B.Implement attribution.
C.Identify the attacker's identity.
D.Quantify the financial loss.
AnswerA

Preserving service availability is the primary goal in a DDoS scenario.

Why this answer

During a DDoS attack targeting web servers, the highest priority is maintaining availability of the service because the primary goal of incident response in this scenario is to preserve business continuity and minimize disruption to legitimate users. The incident response team must first focus on mitigating the attack (e.g., rate-limiting, blackholing traffic, or scaling resources) before any forensic or attribution steps, as service downtime directly impacts revenue and customer trust.

Exam trap

CompTIA often tests the principle that during an active incident the priority is containment and recovery (availability) over forensic activities such as attribution or identification, which belong to later phases of the incident response lifecycle.

How to eliminate wrong answers

Option B is wrong because attribution (identifying the source of the attack) is a secondary goal that typically occurs after the immediate threat is contained; focusing on attribution during the active attack can delay mitigation and prolong downtime. Option C is wrong because identifying the attacker's identity is a forensic objective that is rarely achievable in real-time during a DDoS attack (attackers often use spoofed IPs, botnets, or reflection techniques), and it does not help restore service availability. Option D is wrong because quantifying financial loss is a post-incident activity that should be performed after the attack is mitigated; prioritizing it during the response would divert resources from stopping the attack and restoring service.
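Of the mitigations the explanation lists, rate limiting is the one an analyst can stand up fastest on the server side. The block below is an added example, not code from the question bank: a sliding-window limiter replayed over constructed access-log lines, reporting which sources exceed the limit and are candidates for an upstream ACL or blackhole. The log lines, IP addresses and the 20-requests-per-10-seconds threshold are constructed placeholders, not a recommended setting.

```python
"""Added example (not from the question bank): per-source rate limiting as a
first mitigation step during a DDoS, replayed over constructed access-log lines.

The log lines, addresses and thresholds are constructed for illustration;
the 20-requests-per-10-seconds limit is a placeholder, not a recommendation.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source ip, timestamp) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


class SlidingWindowLimiter:
    """Allow at most `limit` accepted requests per source within `window_seconds`.

    Only accepted requests occupy the window, so a source that slows down
    below the limit regains service once its earlier hits age out.
    """

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = timedelta(seconds=window_seconds)
        self.hits = defaultdict(deque)

    def allow(self, source, ts):
        q = self.hits[source]
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def triage(lines, limit=20, window_seconds=10):
    """Replay log lines through the limiter; return per-source allowed/dropped counts."""
    limiter = SlidingWindowLimiter(limit, window_seconds)
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash mid-incident
        ip, ts = parsed
        stats[ip]["allowed" if limiter.allow(ip, ts) else "dropped"] += 1
    return dict(stats)


def sources_to_block(stats, min_dropped=1):
    """Sources whose drop count indicates flooding; candidates for an upstream ACL or blackhole."""
    return sorted(ip for ip, s in stats.items() if s["dropped"] >= min_dropped)


def build_sample_log():
    """Constructed log: one source sends 30 requests in 5 s, another sends 3 in 6 s."""
    base = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    entries = []
    for i in range(30):
        t = base + timedelta(milliseconds=166 * i)
        entries.append((t, f'203.0.113.10 - - [{t.strftime(TS_FMT)}] "GET /product/{i} HTTP/1.1" 200 512'))
    for i in range(3):
        t = base + timedelta(seconds=2 * i)
        entries.append((t, f'198.51.100.7 - - [{t.strftime(TS_FMT)}] "GET /cart HTTP/1.1" 200 2048'))
    entries.sort(key=lambda e: e[0])
    return [line for _, line in entries]


if __name__ == "__main__":
    stats = triage(build_sample_log())
    for ip, s in stats.items():
        print(ip, s)
    print("block candidates:", sources_to_block(stats))
```

Per-source limiting contains an unspoofed HTTP flood from a small number of sources; against spoofed or reflected volumetric traffic of the kind the explanation mentions, the same logic has to run upstream (scrubbing service or provider blackhole) because the packets saturate the link before the web server ever sees them.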
