CompTIA CySA+ CS0-003 (CS0-003) — Questions 451–503

503 questions total · 7 pages · All types, answers revealed


Page 7 of 7

451
MCQ · hard

A company's incident response team is handling a ransomware incident that has encrypted all files on the file server and spread to several workstations. The team has isolated the affected systems and obtained memory dumps and disk images. The CEO demands immediate restoration of operations and suggests paying the ransom to decrypt files quickly. The company has recent backups but they are stored on a network share that was also encrypted. The CISO wants to ensure that the root cause is identified before restoration. As the lead incident responder, which of the following actions should you take NEXT?

A. Pay the ransom and then restore from the decrypted files
B. Restore the backups to a clean environment and then reimage the affected systems
C. Immediately reimage all affected systems and restore from the most recent clean backups
D. Analyze the memory dumps to identify the infection vector and check for persistence mechanisms
Answer: D

Root cause analysis ensures that the vulnerability is fixed before restoration.

Why this answer

Option D is correct because analyzing the memory dumps will help identify the initial infection vector (e.g., phishing email, exploited vulnerability) and any persistence mechanisms. This information is critical to prevent reinfection after restoration. Options A and C skip root cause analysis, risking reinfection.

Option B is ill-advised and may not work: the backups were stored on a network share that was also encrypted, so there may be nothing clean to restore.

452
Multi-Select · medium

A security analyst is reviewing alerts from multiple security tools. Which three of the following are key indicators of a potential credential-based attack in the environment? (Choose three.)

Select 3 answers
- Multiple failed logon attempts followed by a single successful logon from the same source IP address.
- A single user account logging in from two geographically distant locations within a short time window.
- An account that has been inactive for 90 days suddenly authenticating to a critical server.
- A spike in outbound DNS traffic from a workstation during business hours.
- An increase in the number of TCP SYN packets sent to a single external IP address.
- A system event log showing a successful logon after a scheduled patch reboot.

Why this answer

Multiple failed logon attempts followed by a single successful logon from the same source IP address is a classic indicator of a password spraying or brute-force attack. The attacker tries many usernames or passwords, and when one succeeds, the pattern shifts from failures to a success. This sequence is a key sign of credential compromise.

Exam trap

CompTIA often tests the distinction between credential-based attacks (e.g., brute-force, password spraying) and other attack types like reconnaissance (SYN scan) or data exfiltration (DNS tunneling), so candidates must focus on the authentication sequence rather than traffic volume or protocol anomalies.

453
MCQ · hard

During a vulnerability scan, the scanner reports a high number of open ports on a server that is supposed to be a hardened web server. The analyst investigates and finds that the server is running unnecessary services. Which of the following is the MOST effective long-term solution?

A. Implement a configuration management baseline and enforce it
B. Disable the unnecessary services manually
C. Increase the frequency of vulnerability scans
D. Install a host-based firewall to block the ports
Answer: A

Configuration management ensures consistent hardening and drift detection.

Why this answer

Implementing a configuration management baseline and enforcing it (Option A) is the most effective long-term solution because it ensures that the server is consistently provisioned with only the necessary services and configurations. This approach uses tools like Ansible, Puppet, or Chef to automatically remediate drift, preventing unnecessary services from reappearing after manual changes or reboots. It addresses the root cause by codifying the desired state, rather than relying on ad-hoc fixes.

Exam trap

CompTIA often tests the distinction between detection (scanning) and remediation (configuration management), and the trap here is that candidates choose a reactive control like a firewall or manual disabling instead of the proactive, automated enforcement that prevents the issue from recurring.

How to eliminate wrong answers

Option B is wrong because manually disabling unnecessary services is a temporary, non-scalable fix that does not prevent the services from being re-enabled during updates or reboots, and it lacks auditability and enforcement. Option C is wrong because increasing the frequency of vulnerability scans only detects the problem more often; it does not remediate the root cause of unnecessary services running. Option D is wrong because installing a host-based firewall to block ports only masks the vulnerability by hiding the open ports from scans, but the unnecessary services remain running and could still be exploited via local access or other attack vectors.

454
MCQ · hard

A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For business prioritization, which recommendation gives the best risk-based order of work?

A. Database transaction log backups
B. Physical badge access reviews
C. Wireless spectrum analysis
D. Software composition analysis in the CI/CD pipeline
Answer: D

SCA identifies vulnerable third-party dependencies and can gate builds before release.

Why this answer

Software Composition Analysis (SCA) is the correct control because it specifically scans open-source libraries for known vulnerabilities (CVEs) and license compliance issues. Integrating SCA into the CI/CD pipeline ensures vulnerabilities are detected and blocked before the code is deployed, aligning with the 'shift left' security principle. This directly addresses the team's goal of finding vulnerable open-source libraries pre-deployment.

Exam trap

CompTIA often tests the concept that 'shift left' security controls like SCA are distinct from operational or physical security controls, and the trap here is confusing vulnerability scanning of code with unrelated security processes like backups or physical access reviews.

How to eliminate wrong answers

Option A is wrong because database transaction log backups are a data recovery and integrity control, not a method for scanning open-source libraries for vulnerabilities. Option B is wrong because physical badge access reviews control physical access to facilities, not the security of software dependencies in a development pipeline. Option C is wrong because wireless spectrum analysis detects RF interference and rogue access points, not vulnerabilities in open-source code libraries.

455
MCQ · hard

An incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible?

A. A generic statement that security is important
B. Deletion of all incident tickets
C. A blame list of individual analysts
D. Specific playbook updates, escalation triggers, owners, and due dates
Answer: D

Lessons learned should translate findings into trackable process improvements. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because a post-incident review must produce actionable improvements to prevent recurrence. Delayed escalation indicates a failure in detection or notification procedures; therefore, specific playbook updates, escalation triggers, owners, and due dates directly address the root cause by refining incident response workflows and ensuring timely escalation in future incidents.

Exam trap

CompTIA often tests the misconception that post-incident reviews are about assigning blame or cleaning up records, when the correct focus is on process improvement through specific, measurable updates to the incident response plan.

How to eliminate wrong answers

Option A is wrong because a generic statement that security is important provides no concrete, measurable changes to processes or procedures, failing to correct the specific escalation delay. Option B is wrong because deletion of all incident tickets destroys forensic evidence and audit trails required for compliance, legal proceedings, and future analysis under frameworks like NIST SP 800-61. Option C is wrong because a blame list of individual analysts fosters a punitive culture, discourages reporting, and ignores systemic process failures that allowed the escalation delay, contrary to the post-incident review's goal of continuous improvement.

456
Drag & Drop · medium

Arrange the steps for configuring a firewall rule set in the correct order.



Why this order

Firewall rule configuration involves identifying traffic, creating rules, applying to interface, testing, and monitoring.

457
MCQ · hard

A threat hunter wants a portable detection for suspicious rundll32 execution that can be converted for multiple SIEM platforms. Which artefact format best fits this goal? In the alert triage phase, which action gives the analyst the clearest next triage step?

A. CVSS vector string
B. Sigma rule
C. YARA rule
D. OpenIOC package only
Answer: B

Sigma is designed as a generic detection-rule format that can be translated into SIEM-specific queries.

Why this answer

Sigma rules are the correct choice because they are designed as a generic, open-source signature format for log events, making them portable across multiple SIEM platforms (e.g., Splunk, Elastic, QRadar) without vendor lock-in. For suspicious rundll32 execution, a Sigma rule can describe the specific event log patterns (e.g., Event ID 4688 with CommandLine containing 'rundll32.exe') that can be converted into each SIEM's native query language. This portability directly meets the threat hunter's goal of creating a detection that can be reused across different environments.

Exam trap

CompTIA often tests the distinction between detection artefacts (Sigma, YARA) and vulnerability scoring (CVSS), and the trap here is that candidates may confuse YARA's file-scanning capability with log-based SIEM detection, forgetting that YARA rules cannot be directly converted to SIEM queries without significant rework.

How to eliminate wrong answers

Option A is wrong because a CVSS vector string is a standardized score for vulnerability severity (e.g., CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), not a detection artefact for identifying suspicious process execution like rundll32; it describes risk, not a pattern to match in logs. Option C is wrong because YARA rules are primarily designed for file-based pattern matching (e.g., identifying malware binaries by byte sequences or strings), not for parsing Windows Event Logs or SIEM log streams; while YARA can be used for memory analysis, it is not natively portable to SIEM platforms for log-based detection.

458
MCQ · hard

Refer to the exhibit. The snippet is from a Windows Security log showing event ID 4688 (Process Creation). Which of the following actions should the analyst take first?

A. Kill the process with PID 0x1234
B. Investigate the creator process
C. Quarantine the file C:\Users\admin\AppData\Local\Temp\svchost.exe
D. Disable rundll32.exe on the system
Answer: B

The creator process is running from a non-standard location (Temp folder), indicating compromise.

Why this answer

The analyst should first investigate the creator process (parent process) because the suspicious svchost.exe spawned from rundll32.exe in a temp directory indicates a classic LOLBins (Living Off the Land Binaries) attack. Event ID 4688 logs the parent process PID (0x1234) and the child process; tracing the parent reveals the initial compromise vector, such as a malicious script or document that invoked rundll32.exe to execute the payload.

Exam trap

CompTIA often tests the misconception that the immediate child process (svchost.exe) is the primary threat, but the trap is that the parent process (rundll32.exe) holds the key to understanding the attack chain and should be investigated first.

How to eliminate wrong answers

Option A is wrong because killing the process with PID 0x1234 (the parent rundll32.exe) would remove the immediate threat but destroy forensic evidence needed to trace the attack chain; the analyst must first investigate to understand the full scope. Option C is wrong because quarantining the file C:\Users\admin\AppData\Local\Temp\svchost.exe is premature without confirming it is malicious via hash analysis or sandboxing, and it ignores the parent process that may have additional indicators. Option D is wrong because disabling rundll32.exe system-wide is an extreme, disruptive action that breaks legitimate Windows functionality (e.g., DLL execution for system utilities) and should only be considered after thorough investigation confirms persistent abuse.

459
MCQ · easy

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant? In the containment trade-off phase, which response balances containment with evidence preservation?

A. High CPU usage on the print server
B. A password expiry warning
C. Successful DHCP renewal
D. Office document spawning a script interpreter from a user context
Answer: D

Office-to-script process chains are common initial execution patterns for phishing payloads.

Why this answer

Option D is correct because the scenario describes a classic phishing attack where a malicious macro or embedded script in an Office document (the invoice) executes wscript.exe, a Windows Script Host interpreter, from the user's profile. This detection logic directly correlates the initial vector (Office document) with the suspicious process execution (script interpreter) in the user context, which is a key indicator of malware or unauthorized script activity.

Exam trap

The trap here is that candidates may focus on the process name (wscript.exe) alone and overlook the critical context of the Office document spawning it, leading them to choose a generic detection like high CPU usage or ignore the attack chain entirely.

How to eliminate wrong answers

Option A is wrong because high CPU usage on a print server is unrelated to endpoint script execution from an Office document; it indicates a performance or resource issue, not a security detection logic for script-based attacks. Option B is wrong because a password expiry warning is an administrative notification about credential aging, not a detection logic for malicious script execution or process spawning. Option C is wrong because successful DHCP renewal is a normal network configuration event that does not indicate malicious activity or script execution from an Office document.

460
MCQ · easy

Two servers have the same critical vulnerability. One hosts a public payment API; the other is a lab server isolated from production. What changes the remediation priority? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A. The colour of the scanner dashboard
B. The number of installed fonts
C. Whether the hostname is shorter
D. Asset criticality, exposure, and business impact
Answer: D

The same CVE can represent different risk depending on where it exists and what the asset supports.

Why this answer

D is correct because remediation priority is determined by asset criticality, exposure, and business impact, not by superficial attributes. The public payment API has high business impact and exposure, making it a higher priority than the isolated lab server, even though both share the same vulnerability. This aligns with risk-based vulnerability management principles where context (e.g., data sensitivity, network reachability) drives patching order.

Exam trap

CompTIA often tests the misconception that all vulnerabilities with the same CVE should be treated equally, ignoring the risk-based prioritization that considers asset criticality, exposure, and business impact.

How to eliminate wrong answers

Option A is wrong because the colour of the scanner dashboard is a cosmetic UI element with no bearing on risk assessment or remediation priority. Option B is wrong because the number of installed fonts is irrelevant to vulnerability severity, exploitability, or business context. Option C is wrong because hostname length has no technical relationship to risk; a shorter hostname does not indicate higher exposure or criticality.

461
MCQ · medium

While supporting a hybrid workforce, an incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible? Which evidence should guide the decision?

A. A generic statement that security is important
B. Deletion of all incident tickets
C. A blame list of individual analysts
D. Specific playbook updates, escalation triggers, owners, and due dates
Answer: D

Lessons learned should translate findings into trackable process improvements. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the post-incident review should produce actionable improvements to the incident response process. Specific playbook updates, escalation triggers, owners, and due dates directly address the delayed escalation and excessive dwell time by formalizing when and how to escalate, ensuring accountability and timely response in future incidents.

Exam trap

CompTIA often tests the distinction between punitive actions (blame) and process improvements (playbook updates); the trap here is that candidates may confuse accountability with blame, choosing a 'blame list' (Option C) instead of recognizing that systemic fixes are the defensible outcome.

How to eliminate wrong answers

Option A is wrong because a generic statement that security is important provides no measurable, actionable steps to fix the process failure; it lacks specificity and does not prevent recurrence. Option B is wrong because deletion of all incident tickets destroys forensic evidence, audit trails, and lessons-learned data, violating standard retention policies and potentially compliance requirements. Option C is wrong because a blame list of individual analysts fosters a punitive culture, discourages reporting, and ignores systemic process flaws; the focus should be on process improvement, not individual fault.

462
MCQ · medium

A company has implemented a vulnerability management program. The security team needs to ensure that all critical vulnerabilities are remediated within 30 days. Which of the following metrics would BEST measure the effectiveness of this goal?

A. Number of critical vulnerabilities detected per month
B. Number of rescan results showing vulnerability closure
C. Percentage of systems with up-to-date patches
D. Mean time to remediate critical vulnerabilities
Answer: D

This metric directly measures whether the 30-day goal is being met.

Why this answer

The goal is to ensure all critical vulnerabilities are remediated within 30 days. Mean time to remediate (MTTR) directly measures the average time taken to fix critical vulnerabilities, making it the best metric to assess compliance with the 30-day remediation window. Other metrics, such as detection counts or patch levels, do not capture the timeliness of remediation.

Exam trap

CompTIA often tests the distinction between measuring remediation activity (e.g., number of closures) and measuring remediation timeliness (e.g., MTTR), leading candidates to pick Option B because they confuse 'closure count' with 'time to closure.'

How to eliminate wrong answers

Option A is wrong because the number of critical vulnerabilities detected per month measures the volume of new findings, not how quickly or effectively they are fixed; a high detection count could coexist with slow remediation. Option B is wrong because the number of rescan results showing vulnerability closure indicates that some fixes have been applied, but it does not measure the time taken to achieve closure, so it cannot verify the 30-day deadline. Option C is wrong because the percentage of systems with up-to-date patches is a broad compliance metric that may include non-critical patches and does not specifically track the remediation timeline for critical vulnerabilities.

463
MCQ · medium

An analyst runs the above command on a server. Based on the exhibit, which of the following is the MOST likely scenario?

A. The server may be compromised with a remote access trojan listening on port 4444
B. The server is running a legitimate SSH service on port 4444
C. The server is hosting a web service on a non-standard port
D. The server is being used as a proxy for internal clients
Answer: A

Port 4444 is often used by malware.

Why this answer

The command output shows a listening service on port 4444, which is not a standard port for any common service. Port 4444 is commonly associated with remote access trojans (RATs) such as Metasploit's Meterpreter or other malware, making a compromise the most likely scenario. The analyst should investigate further to confirm malicious activity.

Exam trap

CompTIA often tests the association of non-standard ports with common malware or trojans, and the trap here is that candidates may assume any open port is legitimate or overlook the significance of port 4444's known malicious use.

How to eliminate wrong answers

Option B is wrong because SSH runs on port 22 by default (per IANA assignment), and while it could be configured on a non-standard port, there is no evidence of SSH protocol behavior or authentication in the output. Option C is wrong because web services typically use ports 80 (HTTP) or 443 (HTTPS), and port 4444 is not a registered alternative for HTTP/HTTPS. Option D is wrong because proxy services for internal clients commonly use ports like 3128 (Squid) or 8080, and port 4444 is not a standard proxy port.

464
MCQ · hard

A SOC wants a SOAR playbook for suspected phishing that reduces analyst workload but avoids destructive action before confirmation. Which actions are appropriate for the first automated phase? In the alert triage phase, which action gives the analyst the clearest next triage step?

A. Disable the reporting user's account immediately
B. Enrich URLs, detonate attachments in a sandbox, and collect mailbox search counts
C. Close all similar alerts as duplicates
D. Automatically delete all messages from the sender across all mailboxes
Answer: B

Early automation should gather context and evidence while keeping analysts in control of disruptive actions.

Why this answer

Option B is correct because it describes non-destructive, automated enrichment actions that gather evidence (URL reputation, sandbox analysis, mailbox search counts) without altering systems. This aligns with SOAR best practices for the initial triage phase, where the goal is to reduce analyst workload by providing contextual data while avoiding destructive actions until confirmation of a true positive.

Exam trap

CompTIA often tests the distinction between automated enrichment (safe, reversible) and automated response (potentially destructive), tricking candidates into choosing immediate containment actions like account disablement before confirmation.

How to eliminate wrong answers

Option A is wrong because disabling the reporting user's account is a destructive action that could disrupt legitimate operations and violates the requirement to avoid destructive actions before confirmation. Option C is wrong because closing all similar alerts as duplicates prematurely assumes they are false positives or duplicates without evidence, which risks missing a real threat and bypasses proper triage analysis.

465
MCQ · hard

A cloud tenant shows an unusual spike in IAM policy changes, access key creation, and failed console logons from a new country. Which telemetry set gives the strongest evidence for control-plane compromise? In the containment trade-off phase, which response balances containment with evidence preservation?

A. Web server access logs from the public website
B. Packet captures from user laptops only
C. Endpoint antivirus quarantine reports only
D. Cloud audit logs for identity, policy, and key-management API calls
Answer: D

Control-plane attacks are best investigated through authoritative audit events that record who changed identity and access configuration.

Why this answer

Option D is correct because cloud audit logs (e.g., AWS CloudTrail, Azure Monitor, GCP Cloud Audit Logs) capture control-plane API calls such as IAM policy changes, access key creation, and authentication events. These logs provide the strongest evidence of identity and access management (IAM) compromise at the control plane, as they directly record who made what change, from which source IP, and with what outcome. In the containment trade-off phase, preserving these logs while disabling compromised keys or applying a deny-all policy balances stopping the attacker with retaining forensic evidence.

Exam trap

CompTIA often tests the distinction between control-plane and data-plane telemetry, and the trap here is that candidates confuse web server logs or endpoint logs with cloud audit logs, failing to recognize that only cloud audit logs capture identity and policy API calls at the control plane.

How to eliminate wrong answers

Option A is wrong because web server access logs from a public website only record HTTP requests to the application layer (e.g., GET/POST to web pages), not IAM policy changes, access key creation, or failed console logons—these are control-plane operations, not data-plane web traffic. Option B is wrong because packet captures from user laptops only show network-layer traffic (e.g., TCP/UDP flows) and cannot capture cloud API calls made to the cloud provider's control plane endpoints (e.g., `iam.amazonaws.com`), which are encrypted over TLS and not visible at the laptop's network interface. Option C is wrong because endpoint antivirus quarantine reports only log malware detections on local endpoints (e.g., file hashes, process names), not cloud-side identity or policy changes; they provide no visibility into cloud control-plane API calls.

466
Multi-Select · hard

A SOC wants to measure whether alert enrichment is improving operations. Which metrics are useful? (Choose two.)

Select 2 answers
A. Reduction in analyst triage time for enriched alerts
B. Percentage of enriched alerts with asset owner and criticality populated
C. Amount of storage used by desktop screenshots
D. Number of unused browser bookmarks
Answers: A, B

Faster triage indicates operational value.

Why this answer

Option A is correct because a primary goal of alert enrichment is to reduce the time analysts spend investigating alerts. By automatically populating context such as asset owner, criticality, and vulnerability data, enrichment eliminates manual lookup steps, directly lowering mean time to triage (MTTT). This metric quantifies operational efficiency gains from enrichment.

Exam trap

CompTIA often tests the distinction between metrics that measure operational improvement (e.g., triage time reduction) and metrics that measure data completeness (e.g., enrichment field population), and candidates may mistakenly choose a storage-related metric that seems tangentially related to operations but is irrelevant to enrichment effectiveness.

467
MCQ · medium

A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For business prioritization, which recommendation gives the best risk-based order of work?

A. Disable host firewalls permanently
B. Increase only the port range
C. Run authenticated scans using least-privilege scanner credentials
D. Trust the unauthenticated result as complete
Answer: C

Authenticated scanning gives the scanner access to installed software and patch state, improving accuracy.

Why this answer

Without credentials, a vulnerability scanner can only perform unauthenticated checks, which miss many Windows patch vulnerabilities that require registry or file-level access. Running authenticated scans with least-privilege credentials allows the scanner to query the Windows Update Agent API and check installed KBs, providing accurate patch data. This directly addresses the security manager's concern about missing patch data.

Exam trap

CompTIA often tests the misconception that increasing scan scope (ports or targets) or disabling security controls will improve vulnerability detection, when the real fix is enabling authenticated access to gather patch-level data.

How to eliminate wrong answers

Option A is wrong because permanently disabling host firewalls exposes the server to network-based attacks and violates the principle of least functionality; it does not help the scanner obtain patch data. Option B is wrong because increasing the port range only expands the network surface for unauthenticated scans, which still cannot access the registry or file system to verify installed patches.

468
Multi-Select · medium

A security analyst suspects an insider threat based on unusual data access patterns by an employee. According to best practices, which TWO actions should the analyst take FIRST?

Select 2 answers
A. Restrict the employee's access to sensitive data.
B. Suspend the employee's accounts outright.
C. Immediately notify law enforcement.
D. Collect additional evidence without alerting the employee.
E. Confront the employee about the behavior.
Answers: A, D

Limiting access reduces risk while investigation continues.

Why this answer

Restricting the employee's access to sensitive data (A) is a correct first action because it immediately reduces the risk of further data exfiltration or damage while preserving the ability to investigate. Collecting additional evidence without alerting the employee (D) is also correct because it allows the analyst to build a forensic case covertly, preventing the insider from destroying evidence or altering behavior. Both actions align with the incident response principle of containment before eradication and the need to avoid tipping off a potential adversary.

Exam trap

CompTIA often tests the distinction between 'immediate containment' and 'overreaction' — the trap here is that candidates confuse 'suspending accounts' (a disruptive, all-or-nothing action) with 'restricting access' (a precise, reversible control), leading them to choose B instead of A.

469
MCQ · medium

During incident reconstruction, firewall events appear five minutes earlier than endpoint events for the same connection. What should the analyst check first? In the evidence source phase, which evidence source best supports or refutes the detection?

A. Time synchronization and timezone normalization across log sources
B. Delete one source from the timeline
C. Prioritize only the source with the highest EPS
D. Assume the firewall logs are falsified
Answer: A

Clock drift and timezone parsing commonly distort event order in SIEM timelines.

Why this answer

A five-minute discrepancy between firewall and endpoint logs for the same connection strongly indicates a time synchronization issue. The analyst should first verify NTP configuration and timezone normalization across all log sources to ensure a consistent timeline. Without synchronized clocks, event ordering and correlation are unreliable, which can lead to incorrect conclusions during incident reconstruction.

Exam trap

CompTIA often tests the misconception that log volume or event priority should dictate which logs to trust, when in fact time synchronization is the foundational prerequisite for any timeline-based analysis.

How to eliminate wrong answers

Option B is wrong because deleting one source from the timeline discards potentially critical evidence and does not resolve the root cause of the time offset; it merely hides the discrepancy. Option C is wrong because prioritizing the source with the highest events per second (EPS) does not address the time offset; EPS is a measure of logging throughput, not clock accuracy, and this approach would ignore the synchronization issue entirely.

470
MCQ (hard)

A team says a critical vulnerability was patched. What should the vulnerability manager require before closure? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A. Close it immediately based on the email
B. Wait one year before testing
C. A retest showing the vulnerable condition is no longer present
D. Create a duplicate ticket for every asset
Answer: C

Closure should be based on validation evidence, not only a remediation claim.

Why this answer

Option C is correct because the vulnerability manager must obtain objective evidence that the vulnerability has been remediated before closing the finding. An email assertion is insufficient; a retest (manual or automated) confirming the vulnerable condition is no longer present provides the verifiable proof required for closure and defensible stakeholder reporting.

Exam trap

CompTIA often tests the misconception that a verbal or written assertion from the remediation team is sufficient for closure, when in fact the CompTIA framework requires objective evidence (a retest) to maintain an auditable and defensible vulnerability management program.

How to eliminate wrong answers

Option A is wrong because closing a vulnerability based solely on an email from the team bypasses the verification step, leaving the organization exposed if the patch was incomplete or misapplied. Option B is wrong because waiting one year before testing introduces an unacceptable delay, during which the vulnerability could be exploited, and violates the principle of timely remediation verification.

471
Multi-Select (medium)

A security analyst is reviewing a suspicious email attachment. Which THREE of the following are safe analysis techniques? (Choose THREE)

Select 3 answers
A. Open the attachment on a production machine
B. Submit the file to a public online scanner
C. Extract and examine the source code of the attachment
D. Use an automated malware analysis tool
E. Open the attachment in a sandbox environment
Answers: B, D, E

Online scanners like VirusTotal allow safe analysis without exposing your environment.

Why this answer

Option B is correct because submitting a suspicious file to a public online scanner (e.g., VirusTotal) allows the analyst to check the file against multiple antivirus engines and threat intelligence feeds without executing it on a live system. This technique is safe as it avoids direct exposure of the production environment to potential malware while leveraging community-sourced detection data.

Exam trap

CompTIA often tests the distinction between 'safe' and 'unsafe' analysis techniques, where candidates mistakenly think examining source code (Option C) is always safe, but it can still trigger execution if the file is opened in an unsecured environment (e.g., enabling macros in Office documents).

472
MCQ (easy)

While supporting a hybrid workforce, a web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible? Which evidence should guide the decision?

A. Only printer logs
B. Only the CEO's mailbox audit events
C. Web access logs, file timestamps, process execution, and outbound connections from the web service account
D. Only SSL certificate metadata
Answer: C

A web shell leaves evidence across file, web, process, and network telemetry. In recovery, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option C is correct because web-shell activity on a web server is best confirmed by correlating web access logs showing unusual query parameters with file timestamps indicating the creation of a new executable file, process execution logs revealing the web service account spawning a shell (e.g., cmd.exe or /bin/sh), and outbound connections from that account to an external IP—this multi-source evidence chain directly matches the behavior of a web shell executing commands via HTTP GET/POST parameters. During recovery, the most defensible decision is to isolate the server and preserve these logs as forensic artifacts, guided by the evidence of unauthorized command execution and outbound C2 traffic.

Exam trap

The trap here is that candidates often focus on a single log source (e.g., only web access logs) and ignore the need for corroborating evidence from process execution and network connections, which CompTIA tests to ensure you understand that web-shell confirmation requires correlating multiple indicators across different log types.

How to eliminate wrong answers

Option A is wrong because printer logs only record print jobs and device status, which have no relevance to web-server command execution or web-shell activity—they lack HTTP request details, process execution data, or network connections. Option B is wrong because the CEO's mailbox audit events track email access and sending, not web-server file changes, process spawns, or outbound connections from the web service account—they are entirely unrelated to detecting or confirming a web shell.

473
MCQ (medium)

A host alert shows certutil.exe downloading a file from an external URL, followed by execution from a user-writable directory. What should the analyst focus on? In the evidence source phase, which evidence source best supports or refutes the detection?

A. Only check whether antivirus signatures are current
B. Reinstall the browser used by the user
C. Ignore it because certutil is signed by Microsoft
D. Living-off-the-land binary misuse and the downloaded file's hash, origin, and child process
Answer: D

Certutil can be abused to download payloads; file and process context establishes whether execution is malicious.

Why this answer

Option D is correct because certutil.exe is a known living-off-the-land binary (LOLBin) that attackers abuse to download payloads, bypassing application whitelisting. The analyst must focus on the downloaded file's hash (to check reputation), origin URL (to assess maliciousness), and child process (to trace execution), as these provide direct evidence of malicious intent or compromise.

Exam trap

CompTIA often tests the misconception that a signed Microsoft binary is inherently safe, but the trap here is that attackers leverage trusted tools (LOLBins) to evade detection, so the focus must be on the binary's misuse and the artifacts it produces, not its signature status.

How to eliminate wrong answers

Option A is wrong because antivirus signatures being current does not address the abuse of a trusted Microsoft binary; attackers use LOLBins specifically to evade signature-based detection. Option B is wrong because reinstalling the browser does not remediate the underlying compromise; the execution from a user-writable directory indicates a potential backdoor or persistence mechanism unrelated to browser integrity. Option C is wrong because certutil being signed by Microsoft is exactly why it is dangerous; attackers exploit its trust to bypass security controls, so ignoring it would miss the attack entirely.

474
MCQ (hard)

During a penetration test, an analyst successfully exploits a privilege escalation vulnerability to gain root access on a Linux server. The server is used for application development. Which of the following remediation actions would be MOST effective in preventing similar attacks?

A. Deploy a host intrusion detection system
B. Harden the kernel using sysctl parameters
C. Implement application whitelisting
D. Apply the principle of least privilege to user accounts
Answer: D

Least privilege limits what an attacker can gain after initial access, reducing the impact.

Why this answer

The principle of least privilege ensures that users and processes have only the minimum permissions necessary to perform their tasks. By applying this to user accounts, the attack surface for privilege escalation is reduced because even if an account is compromised, the attacker cannot easily escalate to root. This directly addresses the root cause of the vulnerability exploited in the scenario.

Exam trap

CompTIA often tests the distinction between detection (HIDS), system hardening (sysctl), execution control (whitelisting), and access control (least privilege), expecting candidates to recognize that preventing privilege escalation requires limiting permissions rather than just monitoring or restricting specific binaries.

How to eliminate wrong answers

Option A is wrong because a host intrusion detection system (HIDS) can detect suspicious activity after the fact but does not prevent the privilege escalation vulnerability from being exploited. Option B is wrong because hardening the kernel with sysctl parameters (e.g., disabling core dumps or restricting kernel module loading) does not address the underlying misconfiguration or weak permissions that allowed the escalation. Option C is wrong because application whitelisting controls which executables can run, but it does not prevent an attacker from abusing legitimate tools or scripts to escalate privileges once they have a foothold.

475
Drag & Drop (medium)

Order the steps for a typical patch management process.

Why this order

Patch management includes identification, testing, approval, deployment, and verification.

476
MCQ (medium)

The board asks whether cyber risk is decreasing after a vulnerability-management investment. Which presentation is strongest?

A. A raw CSV of 20,000 findings
B. Trend in exploitable critical exposure, remediation SLA performance, and residual risk by business service
C. A list of tool login names
D. A screenshot of every scanner page
Answer: B

Board reporting should connect investment to measurable risk reduction.

Why this answer

Option B is correct because it directly answers the board's question about whether cyber risk is decreasing by presenting a trend in exploitable critical exposures (showing if the number of high-risk vulnerabilities is going down), remediation SLA performance (proving the team is fixing issues within policy), and residual risk by business service (quantifying the remaining risk to critical assets). This combination provides a clear, measurable, and business-aligned view of risk reduction over time, which is exactly what executive leadership needs to make informed decisions.

Exam trap

CompTIA often tests the trap that candidates confuse 'data' with 'information' — they think providing more raw data (like a CSV or screenshots) is better, when in fact executives need synthesized, trended, and risk-contextualized metrics that directly answer the business question.

How to eliminate wrong answers

Option A is wrong because a raw CSV of 20,000 findings is unprocessed, overwhelming, and lacks any trend analysis or risk context; it forces the board to perform their own analysis, which is impractical and ineffective for executive communication. Option C is wrong because a list of tool login names is completely irrelevant to demonstrating risk reduction; it provides no vulnerability data, no metrics, and no evidence of program effectiveness. Option D is wrong because a screenshot of every scanner page is a chaotic, non-aggregated dump of raw tool output that obscures trends and fails to translate technical findings into business risk language.

477
MCQ (medium)

In a regulated payment environment, file shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible? Which action best reduces risk without losing evidence?

A. Run vulnerability scans on every subnet first
B. Restore backups before isolating the host
C. Email all users the ransom note
D. Isolate the workstation and disable its active sessions to file servers
Answer: D

Containment should stop encryption spread while preserving evidence for analysis. In containment, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because isolating the workstation immediately stops the ransomware from encrypting additional file shares and prevents lateral movement. Disabling active sessions to file servers cuts off the encryption process at the network level, preserving the forensic evidence on the host and shares. This aligns with the NIST SP 800-61 containment strategy of 'stop the bleeding' before any other action.

Exam trap

CompTIA often tests the misconception that recovery (backups) or broad scanning should come before containment, but the immediate priority is always to stop the attack from spreading, even if it means delaying evidence collection or recovery.

How to eliminate wrong answers

Option A is wrong because running vulnerability scans on every subnet first wastes critical time during an active ransomware outbreak; scanning does not stop encryption and may alert the attacker. Option B is wrong because restoring backups before isolating the host risks re-encrypting the restored data if the ransomware is still active on the network; containment must precede recovery. Option C is wrong because emailing all users the ransom note spreads panic, may trigger further malicious actions, and does nothing to halt the encryption or preserve evidence.

478
MCQ (hard)

A SOC wants a SOAR playbook for suspected phishing that reduces analyst workload but avoids destructive action before confirmation. Which actions are appropriate for the first automated phase? In the evidence source phase, which evidence source best supports or refutes the detection?

A. Close all similar alerts as duplicates
B. Disable the reporting user's account immediately
C. Automatically delete all messages from the sender across all mailboxes
D. Enrich URLs, detonate attachments in a sandbox, and collect mailbox search counts
Answer: D

Early automation should gather context and evidence while keeping analysts in control of disruptive actions.

Why this answer

Option D is correct because it aligns with the SOAR playbook's goal of reducing analyst workload through automated enrichment and triage without taking destructive action. Enriching URLs and detonating attachments in a sandbox provides threat intelligence, while collecting mailbox search counts helps quantify the incident's scope. This non-destructive evidence gathering allows analysts to make informed decisions before any containment or remediation steps.

Exam trap

CompTIA often tests the distinction between 'investigative' and 'remediative' actions in SOAR playbooks, trapping candidates who confuse automated triage with automated containment or cleanup.

How to eliminate wrong answers

Option A is wrong because closing all similar alerts as duplicates prematurely assumes the detection is a false positive or already handled, which can suppress legitimate threats and bypass proper investigation. Option B is wrong because disabling the reporting user's account immediately is a destructive containment action that should only occur after confirmation of compromise, not in the first automated phase. Option C is wrong because automatically deleting all messages from the sender across all mailboxes is a destructive remediation action that could remove critical forensic evidence and impact legitimate communications if the detection is incorrect.

479
MCQ (hard)

A scanner flags TLS 1.0 on a server, but the service owner says TLS 1.0 is disabled. What is the BEST validation method? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A. Close the finding because the owner disagrees
B. Manually test the service with a TLS client or scanner profile that negotiates protocol versions
C. Change the severity to informational automatically
D. Delete the server from the scan scope
Answer: B

Direct protocol validation determines whether TLS 1.0 is actually accepted.

Why this answer

Option B is correct because the scanner may have detected TLS 1.0 due to a false positive from a misconfigured cipher suite or a server-side protocol negotiation artifact. Manually testing with a TLS client (e.g., `openssl s_client -tls1`) or a scanner profile that explicitly negotiates protocol versions provides definitive evidence of whether TLS 1.0 is actually enabled, resolving the discrepancy between the scanner result and the owner's claim.

Exam trap

CompTIA often tests the misconception that a scanner's automated result is always authoritative, when in fact manual validation is required to confirm protocol-level findings, especially when the service owner disputes the result.

How to eliminate wrong answers

Option A is wrong because closing a finding solely because the owner disagrees, without independent validation, violates due diligence and could leave an unpatched vulnerability in production. Option C is wrong because changing severity to informational without technical verification bypasses proper risk assessment and may hide a real vulnerability from remediation tracking. Option D is wrong because deleting the server from the scan scope removes visibility entirely, preventing future detection of the issue and undermining the vulnerability management program's defensibility.

480
MCQ (medium)

A SOC analyst is reviewing logs from a web server and sees the following request: GET /../../etc/passwd HTTP/1.1. Which type of web attack is this?

A. SQL injection
B. Cross-site request forgery (CSRF)
C. Directory traversal
D. Cross-site scripting (XSS)
Answer: C

The ../ sequence is used to navigate directories.

Why this answer

The request GET /../../etc/passwd HTTP/1.1 uses '../' sequences to traverse directories outside the web root, attempting to read the /etc/passwd file. This is the classic signature of a directory traversal (path traversal) attack, which exploits insufficient input validation to access unauthorized files on the server.

Exam trap

CompTIA often tests the distinction between directory traversal and file inclusion; the trap here is confusing the '../' path manipulation with SQL injection or XSS because the request looks like a simple GET, but the attack vector is purely about file system access, not database or script injection.

How to eliminate wrong answers

Option A is wrong because SQL injection involves injecting SQL commands into input fields to manipulate a database, not path manipulation in HTTP requests. Option B is wrong because CSRF tricks a user's browser into executing unwanted actions on a trusted site, not directly requesting files via path traversal. Option D is wrong because XSS injects client-side scripts into web pages viewed by others, not server-side file access via directory traversal.

481
MCQ (medium)

While supporting a hybrid workforce, a laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible? Which evidence should guide the decision?

A. Only the laptop colour
B. Only the ticket priority
C. Only the user's job title
D. Who collected it, when, where, hash values, transfer details, and storage location
Answer: D

Chain of custody records evidence handling and integrity from collection onward. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because forensic acquisition requires a complete chain of custody to ensure evidence admissibility in legal proceedings. Documenting who collected the evidence, when and where it was collected, hash values (e.g., SHA-256) for integrity verification, transfer details (e.g., using a write-blocker and forensic imaging tool like FTK Imager), and the storage location (e.g., secure evidence locker or encrypted NAS) satisfies legal and organizational standards such as NIST SP 800-86.

Exam trap

CompTIA often tests the distinction between operational data (e.g., ticket priority, job title) and legally required forensic documentation (chain of custody, hash values, transfer details) to trap candidates who confuse incident response triage with evidence acquisition.

How to eliminate wrong answers

Option A is wrong because documenting only the laptop color provides no forensic value and fails to establish chain of custody or evidence integrity. Option B is wrong because the ticket priority is an operational metric unrelated to forensic evidence handling and does not meet legal admissibility requirements. Option C is wrong because the user's job title is irrelevant to the forensic acquisition process and does not help verify that the evidence was collected, transferred, and stored without tampering.

482
MCQ (medium)

During a post-compromise review, a malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible? Which action should be prioritized before closure?

A. Whether the alert arrived first
B. Business impact, privilege level, asset criticality, and spread potential
C. Alphabetical order of hostnames
D. The analyst's preferred dashboard theme
Answer: B

Severity should reflect impact and risk, not only malware family name. In recovery, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option B is correct because severity in incident response is determined by business impact, privilege level, asset criticality, and spread potential — not by the order of detection. The domain admin workstation has elevated privileges and access to critical systems, making the second alert far more severe even if it arrived later. This aligns with NIST SP 800-61 and common IR frameworks that prioritize containment based on risk to the enterprise.

Exam trap

CompTIA often tests the misconception that the first alert or the most recent alert determines severity, when in fact privilege level and asset criticality (especially domain admin vs. kiosk) are the decisive factors.

How to eliminate wrong answers

Option A is wrong because the order of alert arrival has no bearing on severity; a later alert on a higher-privilege asset is more critical. Option C is wrong because hostname alphabetical order is irrelevant to risk assessment and would ignore privilege and asset value. Option D is wrong because an analyst's dashboard theme is a UI preference and has no impact on incident severity or recovery decisions.

483
MCQ (hard)

A credentialed Linux scan fails on several hosts after SSH hardening. What is the BEST next step? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A. Assume the hosts have no vulnerabilities
B. Review scanner account permissions, allowed authentication methods, and sudo command restrictions
C. Disable SSH on all servers
D. Run only unauthenticated scans forever
Answer: B

Credentialed scans depend on authentication and sufficient read access to inspect packages and configuration.

Why this answer

Option B is correct because SSH hardening (e.g., disabling password authentication, restricting ciphers, or enforcing key-based login) often breaks the scanner's ability to authenticate. The best next step is to review the scanner account's permissions, allowed authentication methods (e.g., public key vs. password), and sudo command restrictions to ensure the scanner can still execute the necessary commands for credentialed scanning without compromising security.

Exam trap

CompTIA often tests the misconception that a failed credentialed scan means the host is secure, when in reality it indicates an authentication or permission issue that must be resolved to maintain scan coverage.

How to eliminate wrong answers

Option A is wrong because assuming hosts have no vulnerabilities after a failed scan is a dangerous security oversight; a failed scan does not prove absence of vulnerabilities, only that the scanner could not authenticate. Option C is wrong because disabling SSH on all servers would break all remote administration and is an extreme, unnecessary measure that does not address the scanner's authentication failure. Option D is wrong because running only unauthenticated scans forever would miss deep vulnerabilities (e.g., missing patches, misconfigurations) that require authenticated access to detect, violating vulnerability management best practices.

484
MCQ (medium)

A vendor shares indicators marked TLP:AMBER+STRICT. How should the SOC handle them? In the alert triage phase, which action gives the analyst the clearest next triage step?

A. Ignore the indicators because TLP markings are optional
B. Publish the indicators on a public GitHub repository
C. Send the indicators to all customers
D. Use them internally with only people who need to know and avoid wider redistribution
Answer: D

TLP:AMBER+STRICT restricts sharing to the recipient organisation on a need-to-know basis.

Why this answer

Option D is correct because TLP:AMBER+STRICT restricts sharing to individuals within the organization who have a specific need to know, and prohibits any wider redistribution. In the alert triage phase, using the indicators internally ensures the SOC can investigate and respond without violating the information-sharing constraints set by the vendor, which is a mandatory security practice, not optional.

Exam trap

CompTIA often tests the misconception that TLP markings are merely advisory or optional, leading candidates to choose 'ignore' or 'publish' options, when in fact TLP is a mandatory handling framework with strict enforcement requirements.

How to eliminate wrong answers

Option A is wrong because TLP markings are mandatory for handling sensitive threat intelligence; ignoring them would violate security policies and potentially expose the organization to legal or operational risks. Option B is wrong because publishing TLP:AMBER+STRICT indicators on a public GitHub repository directly violates the strict no-redistribution rule and could compromise ongoing investigations or expose the vendor's sources. Option C is wrong because sending the indicators to all customers, even if they are internal, violates the 'need to know' restriction of TLP:AMBER+STRICT, which limits sharing to only those individuals directly involved in the response.

485
MCQ (easy)

A company has a policy to remediate vulnerabilities within 30 days. A critical vulnerability is discovered on a database server. The patch requires a reboot, and the database cannot be taken offline during business hours. Which of the following is the BEST approach?

A. Implement a compensating control
B. Apply a hotfix without reboot
C. Schedule the patch during the next maintenance window
D. Extend the remediation deadline
Answer: A

Compensating controls reduce risk immediately while planning for patching.

Why this answer

Option A is correct because when a critical vulnerability requires a patch that mandates a reboot, but the database cannot be taken offline during business hours, implementing a compensating control (such as network segmentation, strict firewall rules, or an intrusion prevention system (IPS) signature) reduces the risk to an acceptable level until the patch can be applied. This aligns with the 30-day remediation policy by addressing the vulnerability without violating operational constraints.

Exam trap

CompTIA often tests the misconception that 'schedule the patch during the next maintenance window' is always acceptable, but the trap here is that the 30-day remediation deadline is a hard policy requirement, and scheduling alone does not guarantee compliance if the window is beyond 30 days.

How to eliminate wrong answers

Option B is wrong because applying a hotfix without reboot is not feasible for a patch that explicitly requires a reboot to complete installation; a hotfix that does not require a reboot would need to be specifically designed for that purpose, and the scenario does not indicate such a hotfix exists. Option C is wrong because scheduling the patch during the next maintenance window may exceed the 30-day remediation deadline if the window falls outside that timeframe, and the policy requires remediation within 30 days, not merely scheduling. Option D is wrong because extending the remediation deadline violates the company's explicit policy to remediate vulnerabilities within 30 days, and it does not actively reduce risk during the extension period.

486
MCQ (hard)

A credentialed Linux scan fails on several hosts after SSH hardening. What is the BEST next step? For business prioritization, which recommendation gives the best risk-based order of work?

A. Disable SSH on all servers
B. Assume the hosts have no vulnerabilities
C. Review scanner account permissions, allowed authentication methods, and sudo command restrictions
D. Run only unauthenticated scans forever
Answer: C

Credentialed scans depend on authentication and sufficient read access to inspect packages and configuration.

Why this answer

Option C is correct because SSH hardening (e.g., disabling password authentication, restricting ciphers, or enforcing key-based login) can break credentialed scans if the scanner's account lacks proper permissions or uses an unsupported authentication method. The best next step is to verify that the scanner's SSH key or password is accepted, that the account has sudo privileges for required commands (e.g., `sudo -n` for non-interactive execution), and that no `sudoers` restrictions block the scanner's commands. This directly addresses the root cause without compromising security.

Exam trap

CompTIA often tests the misconception that a scan failure after hardening means the hosts are secure, when in reality it signals a configuration mismatch that must be resolved to restore visibility.

How to eliminate wrong answers

Option A is wrong because disabling SSH on all servers would eliminate remote management and scanning entirely, violating security best practices and causing operational disruption; the issue is misconfiguration, not a need to remove SSH. Option B is wrong because assuming hosts have no vulnerabilities after a scan failure is a dangerous security blind spot—credentialed scans provide deeper visibility, and the failure indicates a configuration problem, not an absence of vulnerabilities.

487
MCQ (medium)

A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For tool configuration, which scanner or pipeline change most directly improves result quality?

A. Give all users local admin rights
B. Documented risk acceptance with compensating controls and a migration/remediation plan
C. Mark the vulnerability as fixed
D. Remove the system from future reports
Answer: B

Unsupported systems need formal exception handling, mitigation, ownership, and an exit path.

Why this answer

Option B is correct because when a legacy system cannot be patched due to vendor end-of-life, the vulnerability manager must formally accept the risk through documented risk acceptance, implement compensating controls (e.g., network segmentation, host-based firewall rules, or application whitelisting), and create a migration or remediation plan to eventually retire or replace the system. This aligns with the NIST SP 800-53 risk management framework and ensures auditability and accountability for the unpatched vulnerability.

Exam trap

Cisco often tests the misconception that removing a system from reports or marking a vulnerability as fixed is an acceptable shortcut, when in reality the correct process requires formal risk acceptance with compensating controls and a documented plan.

How to eliminate wrong answers

Option A is wrong because granting all users local admin rights would increase the attack surface and privilege escalation risk, directly violating the principle of least privilege and making the system even more vulnerable. Option C is wrong because marking the vulnerability as fixed when it is not patched is a false positive suppression that misrepresents the security posture and can lead to compliance failures. Option D is wrong because removing the system from future reports hides the vulnerability from visibility, preventing proper tracking and risk management, which is contrary to vulnerability management best practices.

488
MCQ · easy

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For business prioritization, which recommendation gives the best risk-based order of work?

A. Ignore all base-image vulnerabilities
B. Only rename the image tag
C. Validate exploitability and rebuild from a patched base image where feasible
D. Ship the image and document nothing
Answer: C

Container findings should consider reachability, but rebuilding from a patched base reduces inherited risk.

Why this answer

Option C is correct because the best next step is to validate whether the vulnerable OpenSSL binary is actually reachable or exploitable in the running container, and then rebuild from a patched base image if feasible. This balances security with business priorities by avoiding unnecessary rebuilds for non-exploitable vulnerabilities while ensuring that truly exploitable CVEs are remediated. Simply ignoring or renaming the tag does not address the underlying risk and violates secure CI/CD practices.

Exam trap

Cisco often tests the misconception that a vulnerability can be safely ignored if the application team claims the binary is unused, but the trap is that without validation (e.g., runtime reachability analysis), the claim may be false due to transitive dependencies or dynamic loading.

How to eliminate wrong answers

Option A is wrong because ignoring all base-image vulnerabilities would leave the organization exposed to known critical CVEs, violating vulnerability management policies and potentially leading to compliance failures. Option B is wrong because renaming the image tag does not remove or patch the vulnerable binary; it only obscures the issue, and the vulnerable layer remains in the image, which could still be exploited if the binary is reachable.

489
MCQ · medium

The SOC receives an alert from a network sensor showing an internal host communicating with a known malicious IP over HTTPS. The analyst cannot find any process making outbound connections on the host. What should the analyst do next?

A. Capture a memory dump of the host
B. Block the IP at the firewall
C. Check for hidden processes or rootkits using specialized tools
D. Reimage the host immediately
Answer: C

Hidden processes can be detected by tools like rootkit revealers, addressing the anomaly.

Why this answer

Option C is correct because the absence of a visible process suggests the presence of a rootkit or hidden process that requires deep analysis with specialized tools. The other options may be premature or incomplete.

490
MCQ · easy

A developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible?

A. Wait to see whether charges increase
B. Disable or rotate the key and review actions performed with it
C. Block the developer's laptop from Wi-Fi
D. Ask the developer to delete the commit only
Answer: B

The exposed credential must be invalidated and its use scoped through audit logs. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option B is correct because the immediate priority is to revoke the compromised credential to prevent further unauthorized access. Disabling or rotating the cloud access key stops any ongoing malicious activity, and reviewing the actions performed with it allows the incident response team to assess the scope of the breach, identify affected resources, and determine if any data was exfiltrated or modified. This aligns with the containment and eradication phases of incident response.

Exam trap

Cisco often tests the misconception that physical or network-level controls (like blocking a laptop) are sufficient for cloud credential exposure, when the real threat is the attacker using the key remotely, not the developer's device.

How to eliminate wrong answers

Option A is wrong because waiting to see whether charges increase is a passive, reactive approach that allows the attacker continued access, potentially leading to greater data loss, resource abuse, and financial damage; it violates the principle of immediate containment. Option C is wrong because blocking the developer's laptop from Wi-Fi does not address the root cause—the compromised cloud access key—and the attacker is using the key from an unfamiliar IP, not the developer's device; this action is irrelevant to stopping the unauthorized cloud access.

491
MCQ · medium

An analyst wants to capture all traffic to and from a specific IP address for analysis. Which command-line tool is most appropriate?

A. nmap -sS 10.0.0.1
B. netstat -ant | grep 10.0.0.1
C. iptables -L -v
D. tcpdump host 10.0.0.1
Answer: D

Captures all packets to/from that host.

Why this answer

Option D is correct because `tcpdump host 10.0.0.1` captures all packets where the source or destination IP address matches 10.0.0.1, making it the ideal tool for capturing all traffic to and from a specific IP for analysis. It operates at the packet level, using libpcap to intercept raw network frames, and the `host` filter instructs it to match both directions of traffic without additional parsing or state tracking.

Exam trap

The trap here is that candidates confuse tools that probe or display state (nmap, netstat, iptables) with tools that capture raw traffic (tcpdump), leading them to select a tool that does not actually capture packets for analysis.

How to eliminate wrong answers

Option A is wrong because `nmap -sS 10.0.0.1` performs a SYN stealth scan against the target IP, which sends crafted packets to probe open ports, not capture existing traffic. Option B is wrong because `netstat -ant | grep 10.0.0.1` displays current network connections and listening ports from the system's socket table, but it does not capture live packets or traffic content; it only shows connection state at a single point in time. Option C is wrong because `iptables -L -v` lists the current firewall rules and their packet/byte counters, but it does not capture or log individual packets for analysis; it only shows aggregate statistics for rules.

492
Multi-Select · medium

An incident response team is analyzing a suspected malware outbreak on a corporate network. Which three of the following actions should be performed as part of the containment phase? (Choose three.)

Select 3 answers
- Isolating affected systems from the network by disabling their network interfaces.
- Creating a forensic image of the infected systems for later analysis.
- Blocking outbound communication from infected hosts at the firewall.
- Identifying and patching the vulnerability exploited by the malware.
- Implementing network segmentation to prevent lateral movement.
- Notifying law enforcement agencies about the incident.

Why this answer

Isolating affected systems from the network by disabling their network interfaces is a core containment action because it immediately stops the malware from communicating with command-and-control (C2) servers or spreading to other hosts. Blocking outbound communication from infected hosts at the firewall prevents data exfiltration and further C2 activity without requiring physical access to each machine. Implementing network segmentation (e.g., VLANs or ACLs) restricts lateral movement by limiting the infected system's ability to reach other subnets, which is critical in containing a worm or ransomware outbreak.

Exam trap

CompTIA often tests the distinction between containment actions (immediate isolation) and eradication actions (patching, imaging), so candidates mistakenly select 'creating a forensic image' or 'patching the vulnerability' as containment steps when they actually belong to later phases of the incident response process.

493
MCQ · medium

A user receives repeated MFA prompts and eventually approves one they did not initiate. How should the analyst classify this behaviour? In the root-cause analysis phase, which finding would most directly explain the activity?

A. Password spraying only
B. DNS tunnelling
C. MFA fatigue or push-bombing attack
D. SSL certificate expiry
Answer: C

Repeated unsolicited prompts that lead to approval are characteristic of MFA fatigue attacks.

Why this answer

Option C is correct because the scenario describes MFA fatigue (also called push-bombing), where an attacker repeatedly sends MFA push notifications to a user until the user, annoyed or confused, approves one. This exploits human behavior rather than a technical vulnerability, and is a common initial access vector in credential-stuffing or password-spraying campaigns. The root-cause analysis would directly identify the repeated unsolicited MFA prompts as the mechanism that led to unauthorized approval.

Exam trap

Cisco often tests the distinction between a technical attack (like password spraying) and a social-engineering variant (MFA fatigue), trapping candidates who focus only on the credential aspect and ignore the repeated-prompt behavior described in the question.

How to eliminate wrong answers

Option A is wrong because password spraying only involves trying a few common passwords against many accounts; it does not explain the repeated MFA prompts or the user's eventual approval. Option B is wrong because DNS tunnelling is a data exfiltration or command-and-control technique that encodes data in DNS queries, unrelated to MFA prompt bombardment or user approval behavior.

494
MCQ · easy

An organization performs quarterly vulnerability scans of its internal network. The scans have a high number of false positives for out-of-date software that is actually up to date. Which of the following would BEST improve the accuracy of the scans?

A. Disable verbose output to reduce clutter.
B. Implement credential-based scanning.
C. Increase scan frequency to monthly.
D. Use a different vulnerability scanner.
Answer: B

Credentials allow the scanner to check actual patch levels, reducing false positives.

Why this answer

Credential-based scanning (authenticated scanning) allows the scanner to log into target systems with valid credentials, enabling it to query the local registry or package manager for the exact installed software versions. This eliminates reliance on banner grabbing or service fingerprinting, which often produce false positives when out-of-date software is detected based on network-level heuristics rather than actual installed patches.

Exam trap

The trap here is that candidates assume false positives are caused by scanner quality or frequency, rather than recognizing that unauthenticated scanning inherently lacks the visibility needed to confirm patch levels, making credential-based scanning the only direct solution.

How to eliminate wrong answers

Option A is wrong because disabling verbose output only reduces the amount of log data; it does not change the underlying detection method, so false positives from unauthenticated fingerprinting would persist. Option C is wrong because increasing scan frequency to monthly does not address the root cause of false positives; it merely repeats the same inaccurate detection more often, potentially increasing noise. Option D is wrong because simply using a different vulnerability scanner without enabling credential-based scanning would likely yield similar false positives, as most scanners rely on unauthenticated fingerprinting by default and require credentials to improve accuracy.

495
MCQ · hard

While supporting a hybrid workforce, a malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible, and which evidence should guide the decision?

A. Whether the alert arrived first
B. Business impact, privilege level, asset criticality, and spread potential
C. Alphabetical order of hostnames
D. The analyst's preferred dashboard theme
Answer: B

Severity should reflect impact and risk, not only malware family name. In recovery, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option B is correct because severity in incident response is determined by business impact, privilege level, asset criticality, and spread potential. The domain admin workstation has elevated privileges and access to critical systems, making the same malware far more dangerous than on a kiosk. This aligns with NIST SP 800-61 and common IR frameworks that prioritize containment based on risk, not chronology or naming.

Exam trap

Cisco often tests the misconception that the first alert or a simple naming convention should drive severity, when in fact the correct approach is to evaluate the contextual risk factors like privilege and asset criticality.

How to eliminate wrong answers

Option A is wrong because the order of alert arrival does not reflect actual risk; a later alert on a domain admin workstation is far more severe than an earlier one on a kiosk. Option C is wrong because alphabetical order of hostnames has no bearing on security risk or recovery priority; it is a meaningless sorting method that ignores privilege levels and asset criticality.

496
MCQ · easy

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For control selection, which control best addresses the stated weakness without hiding risk?

A. Validate exploitability and rebuild from a patched base image where feasible
B. Only rename the image tag
C. Ship the image and document nothing
D. Ignore all base-image vulnerabilities
Answer: A

Container findings should consider reachability, but rebuilding from a patched base reduces inherited risk.

Why this answer

Option A is correct because it follows the principle of validating risk before acting. The pipeline blocks the image based on a static scan that flags a CVE, but the application team claims the vulnerable binary is not used. The best next step is to verify exploitability (e.g., by checking if the binary is actually invoked at runtime) and then rebuild from a patched base image if the vulnerability is real.

This approach ensures the weakness is addressed without hiding risk, as the rebuild removes the vulnerable component entirely.

Exam trap

Cisco often tests the misconception that a static scan finding must always be acted upon immediately, without validating exploitability or considering that a vulnerable binary may be unused in the container's runtime context.

How to eliminate wrong answers

Option B is wrong because renaming the image tag only obscures the vulnerability from scanning tools but does not remove the vulnerable binary; it hides risk rather than addressing it, violating the principle of transparency. Option C is wrong because shipping the image without documentation ignores the vulnerability entirely, which could lead to exploitation in a different runtime context or fail compliance audits; it is a security bypass that does not validate or mitigate the risk.

497
MCQ · hard

A large enterprise uses a vulnerability management platform that integrates with Active Directory and a configuration management database (CMDB). During a quarterly scan, a critical vulnerability (CVE-2021-44228) is detected on a legacy application server running an end-of-life (EOL) version of Java. The server supports a critical business process and cannot be upgraded or patched because the vendor no longer provides updates. The analyst must reduce the risk to an acceptable level. What is the best approach?

A. Remove the server from the network until it can be replaced
B. Apply a vendor-supplied hotfix to mitigate the vulnerability
C. Replace the server with a newer model that supports patching
D. Implement network segmentation and strict access controls to limit exposure
Answer: D

Segmentation and access controls reduce the likelihood and impact of exploitation, providing a compensating control when patching is infeasible.

Why this answer

Network segmentation combined with strict access controls limits the attack surface and potential impact, providing a practical risk reduction when patching is not possible. Removing the server would disrupt business, hotfixes are unavailable, and replacement is a long-term project.

498
Multi-Select · hard

A regulator asks for incident evidence after a data exposure. Which items should be coordinated before disclosure? (Choose two.)

Select 2 answers
A. Evidence package with timeline, scope, and affected data categories
B. Unreviewed analyst speculation
C. Passwords for all production systems
D. Legal review of notification obligations
Answers: A, D

A structured package supports accurate reporting.

Why this answer

Option A is correct because a coordinated evidence package ensures that the disclosure to the regulator includes a verified timeline, scope, and affected data categories, which is essential for demonstrating due diligence and compliance with breach notification laws. Without this coordination, the evidence may be incomplete or inconsistent, potentially leading to regulatory penalties or loss of trust.

Exam trap

Cisco often tests the distinction between raw, unverified data and coordinated, legally reviewed evidence, so candidates mistakenly choose 'unreviewed analyst speculation' thinking it provides timely insight, but it fails the admissibility and accuracy requirements for regulatory disclosure.

499
MCQ · medium

A vendor shares indicators marked TLP:AMBER+STRICT. How should the SOC handle them? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A. Use them internally with only people who need to know and avoid wider redistribution
B. Send the indicators to all customers
C. Publish the indicators on a public GitHub repository
D. Ignore the indicators because TLP markings are optional
Answer: A

TLP:AMBER+STRICT restricts sharing to the recipient organisation on a need-to-know basis.

Why this answer

Option A is correct because TLP:AMBER+STRICT restricts sharing to individuals within the organization who have a specific need to know, and explicitly prohibits redistribution beyond that group. In detection engineering, using these indicators to create tuned detection rules (e.g., SIEM correlation logic) reduces false positives by focusing on verified threat data while preserving the signal by not over-broadening the rule scope.

Exam trap

The trap here is that candidates may think TLP:AMBER+STRICT allows sharing with all internal staff or partners, but the '+STRICT' modifier explicitly restricts distribution to only those with a direct need to know within the same organization.

How to eliminate wrong answers

Option B is wrong because TLP:AMBER+STRICT forbids sharing with all customers; it is limited to internal personnel with a need to know. Option C is wrong because publishing on a public GitHub repository violates the TLP:AMBER+STRICT restriction and could expose sensitive threat intelligence to adversaries. Option D is wrong because TLP markings are mandatory for handling classified threat intelligence; ignoring them would breach trust and potentially violate data-sharing agreements.

500
MCQ · hard

A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend? For business prioritization, which recommendation gives the best risk-based order of work?

A. Always sort only by CVSS base score
B. Remediate alphabetically by CVE ID
C. Prioritize the KEV/high-EPSS issue after confirming asset exposure
D. Remediate only vulnerabilities with vendor logos in the report
Answer: C

Known exploitation and likelihood can outweigh base CVSS in risk-based prioritization.

Why this answer

Option C is correct because it combines threat intelligence (CISA KEV and high EPSS) with environmental context (asset exposure) to prioritize the vulnerability that is actively exploited and likely to be used in attacks, even though its CVSS base score is medium. This aligns with risk-based vulnerability management, which weights exploitability and business impact over raw severity scores.

Exam trap

Cisco often tests the misconception that CVSS base score alone determines priority, but the trap here is that candidates ignore the KEV/EPSS context and choose to remediate high-CVSS issues first, failing to apply risk-based prioritization that accounts for real-world exploitability.

How to eliminate wrong answers

Option A is wrong because sorting only by CVSS base score ignores exploitability context (e.g., KEV, EPSS) and environmental mitigations, leading to wasted effort on high-CVSS but non-exploitable issues. Option B is wrong because remediating alphabetically by CVE ID has no relation to risk, exploitability, or business impact, and is a purely arbitrary ordering. Option D is wrong because vendor logos do not indicate exploitability or risk; a vulnerability with a vendor logo may still be non-exploitable in the environment, while a KEV-listed vulnerability without a logo poses real threat.

501
Multi-Select · hard

A cloud security posture tool reports public access on object storage. Which follow-up checks matter? (Choose two.)

Select 2 answers
A. Whether the storage account name is short
B. Whether sensitive objects were accessed or downloaded
C. Whether the administrator uses dark mode
D. Whether public access is effectively allowed by bucket and account policies
Answers: B, D

Access evidence supports impact assessment.

Why this answer

Option B is correct because the primary concern with public access to object storage is data exposure. Checking whether sensitive objects were accessed or downloaded determines if a breach actually occurred, which is a critical follow-up step in vulnerability management. Without this check, you cannot assess the real-world impact of the misconfiguration.

Exam trap

The trap here is that candidates often focus on the misconfiguration itself (public access) rather than the necessary forensic step of verifying actual data exposure, leading them to pick irrelevant options like account name length or UI settings.

502
Multi-Select · medium

Which three of the following are key considerations when implementing a vulnerability management lifecycle in an enterprise environment? (Choose three.)

Select 3 answers
- Establishing a remediation prioritization framework based on asset criticality and exploitability
- Scanning all assets with the highest possible scan intensity to ensure no vulnerability is missed
- Integrating threat intelligence feeds to contextualize vulnerabilities and focus on active threats
- Performing vulnerability scans only during off-peak hours to minimize network disruption
- Defining a formal remediation SLA that aligns with organizational risk tolerance
- Using default scan credentials from the vulnerability scanner vendor for consistency

Why this answer

Establishing a remediation prioritization framework based on asset criticality and exploitability is correct because it ensures that vulnerabilities posing the greatest risk to the business are addressed first. This aligns with risk-based vulnerability management, where not all vulnerabilities are equal; prioritizing by asset value and exploitability (e.g., CVSS exploitability metrics or active exploitation evidence) optimizes resource allocation and reduces overall risk exposure.

Exam trap

CompTIA often tests the distinction between operational best practices (like scanning intensity or timing) and strategic lifecycle components (like prioritization frameworks, threat intelligence integration, and SLA definitions), leading candidates to confuse tactical scanning habits with core lifecycle pillars.

503
Multi-Select · hard

Which actions belong in eradication after a confirmed web-shell compromise? (Choose two.)

Select 2 answers
A. Remove the web shell and close the exploited vulnerability
B. Reconnect the server before checking persistence
C. Rotate credentials exposed to the compromised web server
D. Only block the analyst's IP address
Answers: A, C

Both malicious artefact and entry path must be addressed.

Why this answer

Option A is correct because removing the web shell eliminates the attacker's foothold, and closing the exploited vulnerability (e.g., patching the application, disabling vulnerable functions like `eval()` or `system()`, or updating a CMS plugin) prevents re-exploitation. This aligns with the eradication phase of incident response, which aims to remove all artifacts of the compromise and harden the system against the same attack vector.

Exam trap

Cisco often tests the distinction between containment (e.g., isolating the server) and eradication (e.g., removing the threat and fixing the root cause), so candidates may mistakenly choose actions that only contain the incident rather than fully eliminate the attacker's access.
