CS0-002 Exam Dumps - CompTIA CySA+ Questions and Answers

"Technical controls enforce confidentiality, integrity, and availability in the digital space. Examples of technical security controls include firewall rules, access control lists, intrusion prevention systems, and encryption."

A technical control is a type of control that uses technology or software to protect data and systems from unauthorized access or misuse3. A technical control can include encryption, authentication, firewalls, antivirus software, and other mechanisms that rely on hardware or software. Placing an ACL (access control list) on a file folder is an example of a technical control. An ACL is a list of permissions that specifies who can access or modify a file or folder4. An ACL can help to enforce confidentiality, integrity, and availability of data by restricting access to authorized users only.

A script is a program that can automate tasks or perform actions on a computer system. A script can be used to attempt multiple login attempts with different credentials, either randomly or from a list of known or guessed usernames and passwords. This can be done to gain unauthorized access to a system or to test its security12.

Users 4 and 5 are not using their credentials to transfer files or run tasks, because the report shows that they have failed login attempts on multiple servers. If they were authorized users, they would not have failed login attempts. Also, transferring files or running tasks does not require multiple login attempts on different servers.

A bot is a software application that runs automated tasks over the Internet. A bot can also be used to perform brute-force attacks, which are repeated attempts to guess a password or other authentication information. However, a bot would not use login credentials in a script, but rather generate random or common passwords to try3.

Server-side input validation is a solution that can prevent cross-site scripting (XSS) vulnerabilities by checking and filtering any user input that is sent to the server before rendering it on a web page. Server-side input validation can help to ensure that the user input conforms to the expected format, length and type, and does not contain any malicious characters or syntax that may alter the logic or behavior of the web page. Server-side input validation can also reject or sanitize any input that does not meet the validation criteria .

The suspicious event was able to accomplish establishing persistence by creating a registry change that runs a command shell process every time a user logs on. The registry change modifies the Userinit value under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key, which specifies what programs should run when a user logs on to Windows. By appending “cmd.exe,” to the existing value, the event ensures that a command shell process will be launched every time a user logs on, which can allow the attacker to maintain access to the system or execute malicious commands. The other options are not related to the registry change. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 10; https://docs.microsoft.com/en-us/windows/win32/sysinfo/userinit-entry

The hosts file is a text file that maps hostnames to IP addresses, and it can be used to override DNS resolution. The hosts file entries that should be used for further investigation are the ones that point to external or suspicious IP addresses, such as 198.51.100.5, which is a reserved IP address for documentation purposes. The other entries are either loopback addresses (::1 and 127.0.0.1) or internal network addresses (192.168.3.249), which are less likely to be malicious.

Change Management

o The process through which changes to the configuration of information systems are

monitored and controlled, as part of the organization's overall configuration

management efforts

o Each individual component should have a separate document or database record that

describes its initial state and subsequent changes

▪ Configuration information

▪ Patches installed

▪ Backup records

▪ Incident reports/issues

o Change management ensures all changes are planned and controlled to minimize risk of

a service disruption

Change management is a process that ensures changes to systems or processes are introduced in a controlled and coordinated manner. Change management helps to minimize the impact of changes on the business operations and avoid unintended consequences or errors3 Change management can help prevent the issue of utility installation affecting the web server cluster by ensuring that the utility is properly planned, tested, approved, documented, communicated, and monitored.

To prevent adversaries from intercepting response and recovery details. Using a secure method of communication during incident response is important to prevent adversaries from intercepting response and recovery details that could reveal the incident response team’s actions, strategies, or findings. If the adversaries can intercept the communication, they could use it to evade detection, escalate their privileges, or launch further attacks. To ensure intellectual property remains on company servers, to have a backup plan in case email access is disabled, or to ensure the management team has access to all the details that are being exchanged are other possible reasons to use a secure method of communication, but they are not as important as preventing adversaries from intercepting response and recovery details. Reference: https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

Acceptance testing is a type of testing that involves verifying that an application meets the needs and expectations of the business and the end users. Acceptance testing is usually performed by users or customers who evaluate the application’s functionality, usability, performance, reliability, and compatibility. Acceptance testing helps to ensure that the application delivers the required value and quality before it goes into production.

System timeline reconstruction is a forensic analysis technique that involves creating a chronological record of events that occurred on a system based on various sources of evidence such as log files, registry entries, file timestamps, network traffic, etc. System timeline reconstruction can provide information about when and how the machine was compromised and where the malware is located by showing when suspicious activities or changes took place on the system, such as unauthorized access attempts, file creation or modification, process execution, network connections, etc.

A directory traversal attack is a type of web application attack that exploits insufficient input validation or filtering to access files or directories that are outside of the web root folder. A directory traversal attack can allow an attacker to read, modify, or execute files on the target server that are not intended to be accessible via web requests. The URL in the alert contains an example of a directory traversal attack, as indicated by the use of “…/” sequences in the query string. These sequences are used to navigate up one level in the directory hierarchy, potentially reaching sensitive files or folders on the server. In this case, the attacker is trying to access /etc/passwd file, which contains user account information on Linux systems.