Question 1

A company recently experienced an incident in which an advanced threat actor was able to shim malicious code against the hardware static of a domain controller The forensic team cryptographically validated that com the underlying firmware of the box and the operating system had not been compromised. However, the attacker was able to exfiltrate information from the server using a steganographic technique within LOAP Which of the following is me b»« way to reduce the risk oi reoccurrence?

Options :

A : Enforcing allow lists for authorized network pons and protocols

B : Measuring and attesting to the entire boot chum

C : Rolling the cryptographic keys used for hardware security modules

D : Using code signing to verify the source of OS updates

Answer: D

Question 2

A company reduced its staff 60 days ago, and applications are now starting to fail. The security analyst is

investigating to determine if there is malicious intent for the application failures. The security analyst reviews

the following logs:

22:03:50 sshd[21502]: Success login for user01 from 192.168.2.5

22:10:00 sshd[21502]: Failed login for user10 from 192.168.2.5

22:11:40 sshd[21502]: Success login for user07 from 192.168.2.58

22:12:00 sshd[21502]: Failed login for user10 from 192.168.2.5

22:13:00 sshd[21502]: Failed login for user10 from 192.168.2.5

22:13:00 sshd[21502]: Success login for user03 from 192.168.2.27

22:13:00 sshd[21502]: Failed login for user10 from 192.168.2.5

Which of the following is the most likely reason for the application failures?

Options :

A : The user’s account was set as a service account.

B : The user's home directory was deleted.

C : The user does not have sudo access.

D : The root password has been changed.

Answer: B

Question 3

During a recentsecurity event, access from thenon-production environment to the production

environmentenabledunauthorized usersto:

Installunapproved software

Makeunplanned configuration changes

During theinvestigation, the following findings were identified:

Several new users were added in bulkby theIAM team

Additionalfirewalls and routerswere recently added

Vulnerability assessmentshave been disabled formore than 30 days

Theapplication allow listhas not been modified intwo weeks

Logs were unavailablefor various types of traffic

Endpoints have not been patchedinover ten days

Which of the following actions would most likely need to be taken toensure proper monitoring?(Select two)

Options :

A : Disable bulk user creationsby the IAM team

B : Extend log retention for all security and network devices to180 daysfor all traffic

C : Review the application allow listdaily

D : Routinely update allendpoints and network devicesas soon as new patches/hot fixes are available

E : Ensure allnetwork and security devicesare sending relevant data to theSIEM

F : Configure firewall rules toonly allow production-to-non-productiontraffic

Answer: A,D,E

Question 4

A security analyst Detected unusual network traffic related to program updating processes The analyst collected artifacts from compromised user workstations. The discovered artifacts were binary files with the same name as existing, valid binaries but. with different hashes which of the following solutions would most likely prevent this situation from reoccurring?

Options :

A : Improving patching processes

B : Implementing digital signature

C : Performing manual updates via USB ports

D : Allowing only dies from internal sources

Answer: B

Question 5

After an incident response exercise, a security administrator reviews the following table:

Which of the following should the administrator do to beat support rapid incident response in the future?

Options :

A : Automate alerting to IT support for phone system outages.

B : Enable dashboards for service status monitoring

C : Send emails for failed log-In attempts on the public website

D : Configure automated Isolation of human resources systems

Answer: B

Free CAS-005 Mock Exam – Practice Online Confidently

Buying Options: