Updated Dec 22, 2023 Verified Pass CS0-003 Exam in First Attempt Guaranteed [Q38-Q62]

Share

Updated Dec 22, 2023 Verified Pass CS0-003 Exam in First Attempt Guaranteed

Free CS0-003 Sample Questions and 100% Cover Real Exam Questions (Updated 160 Questions)

NEW QUESTION # 38
The analyst reviews the following endpoint log entry:

Which of the following has occurred?

  • A. Registry change
  • B. New account introduced
  • C. Rename computer
  • D. Privilege escalation

Answer: B

Explanation:
The endpoint log entry shows that a new account named "admin" has been created on a Windows system with a local group membership of "Administrators". This indicates that a new account has been introduced on the system with administrative privileges. This could be a sign of malicious activity, such as privilege escalation or backdoor creation, by an attacker who has compromised the system.


NEW QUESTION # 39
An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of the following is most likely the issue with the system?

  • A. Time synchronization
  • B. Network segmentation
  • C. Access rights
  • D. Invalid playbook

Answer: A

Explanation:
Time synchronization is the process of ensuring that all systems in a network have the same accurate time, which is essential for correlating data points from different sources. If the system has an issue with time synchronization, the analyst may have difficulty matching events that occurred at the same time or in a specific order. Access rights, network segmentation, and invalid playbook are not directly related to the issue of correlating data points. Verified Reference: [CompTIA CySA+ CS0-002 Certification Study Guide], page 23


NEW QUESTION # 40
An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action report that includes lessons learned. Which of the following is the most likely reason to include lessons learned?

  • A. To satisfy regulatory requirements for incident reporting
  • B. To highlight the notable practices of the organization's incident response team
  • C. To hold other departments accountable
  • D. To identify areas of improvement in the incident response process

Answer: D

Explanation:
Explanation
The most likely reason to include lessons learned in an after-action report is to identify areas of improvement in the incident response process. The lessons learned process is a way of reviewing and evaluating the incident response activities and outcomes, as well as identifying and documenting any strengths, weaknesses, gaps, or best practices. Identifying areas of improvement in the incident response process can help enhance the security posture, readiness, or capability of the organization for future incidents, as well as provide feedback or recommendations on how to address any issues or challenges.


NEW QUESTION # 41
A security technician is testing a solution that will prevent outside entities from spoofing the company's email domain, which is compatia.org. The testing is successful, and the security technician is prepared to fully implement the solution. Which of the following actions should the technician take to accomplish this task?

  • A. Add : XT @ "v=spfl mx include:_spf.comptia.org -all" to the email server.
  • B. AddTXT @ "v=apfl mx lnclude:_spf .comptia.org +a 11" to the web server.
  • C. Add TXT @ "v=spfl mx include:_spf.comptia. org -all" to the DNS record.
  • D. Add TXT @ "v=spfl mx include:_spf.comptia.org +all" to the domain controller.

Answer: C

Explanation:
Adding TXT @ "v=spfl mx include:_spf.comptia. org -all" to the DNS record can help to prevent outside entities from spoofing the company's email domain, which is comptia.org. This is an example of a Sender Policy Framework (SPF) record, which is a type of DNS record that specifies which mail servers are authorized to send email on behalf of a domain. SPF records can help to prevent spoofing by allowing the recipient mail servers to check the validity of the sender's domain against the SPF record. The "-all" at the end of the SPF record indicates that any mail server that is not listed in the SPF record is not authorized to send email for comptia.org .


NEW QUESTION # 42
A security analyst is performing vulnerability scans on the network. The analyst installs a scanner appliance, configures the subnets to scan, and begins the scan of the network. Which of the following would be missing from a scan performed with this configuration?

  • A. Registry key values
  • B. IP address
  • C. Open ports
  • D. Operating system version

Answer: A

Explanation:
Explanation
Registry key values would be missing from a scan performed with this configuration, as the scanner appliance would not have access to the Windows Registry of the scanned systems. The Windows Registry is a database that stores configuration settings and options for the operating system and installed applications. To scan the Registry, the scanner would need to have credentials to log in to the systems and run a local agent or script.
The other items would not be missing from the scan, as they can be detected by the scanner appliance without credentials. Operating system version can be identified by analyzing service banners or fingerprinting techniques. Open ports can be discovered by performing a port scan or sending probes to common ports. IP address can be obtained by resolving the hostname or using network discovery tools.
https://attack.mitre.org/techniques/T1112/


NEW QUESTION # 43
An incident response team is working with law enforcement to investigate an active web server compromise.
The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must be accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements? (Select two).

  • A. Move the database from the database server to the web server.
  • B. Comment out the HTTP account in the / etc/passwd file of the web server
  • C. Drop the tables on the database server to prevent data exfiltration.
  • D. use micro segmentation to restrict connectivity to/from the web and database servers.
  • E. Deploy EDR on the web server and the database server to reduce the adversaries capabilities.
  • F. Stop the httpd service on the web server so that the adversary can not use web exploits

Answer: D,E

Explanation:
Explanation
Deploying EDR on the web server and the database server to reduce the adversaries capabilities and using micro segmentation to restrict connectivity to/from the web and database servers are two compensating controls that will help contain the adversary while meeting the other requirements. A compensating control is a security measure that is implemented to mitigate the risk of a vulnerability or an attack when the primary control is not feasible or effective. EDR stands for Endpoint Detection and Response, which is a tool that monitors endpoints for malicious activity and provides automated or manual response capabilities. EDR can help contain the adversary by detecting and blocking their actions, such as data exfiltration, lateral movement, privilege escalation, or command execution. Micro segmentation is a technique that divides a network into smaller segments based on policies and rules, and applies granular access controls to each segment. Micro segmentation can help contain the adversary by isolating the web and database servers from other parts of the network, and limiting the traffic that can flow between them. Official References:
https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives
https://www.comptia.org/certifications/cybersecurity-analyst
https://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-answered


NEW QUESTION # 44
A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?

  • A. function x() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info" }
  • B. function x() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $5}') && echo "$1 | $info" }
  • C. function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}
    ').origin.asn.cymru.com TXT +short) && echo "$1 | $info" }
  • D. function x() { info=$(geoiplookup $1) && echo "$1 | $info" }

Answer: C

Explanation:
Explanation
The function that can be used on a shell script to identify anomalies on the network routing most accurately is:
function x() { info=(dig(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1} ').origin.asn.cymru.com TXT +short) && echo "$1 | $info" } This function takes an IP address as an argument and performs two DNS lookups using the dig command. The first lookup uses the -x option to perform a reverse DNS lookup and get the hostname associated with the IP address. The second lookup uses the origin.asn.cymru.com domain to get the autonomous system number (ASN) and other information related to the IP address. The function then prints the IP address and the ASN information, which can help identify any routing anomalies or inconsistencies


NEW QUESTION # 45
Which of the following describes the best reason for conducting a root cause analysis?

  • A. The root cause analysis identifies the contributing items that facilitated the event
  • B. The root cause analysis ensures that proper timelines were documented.
  • C. The root cause analysis allows the incident to be properly documented for reporting.
  • D. The root cause analysis develops recommendations to improve the process.

Answer: A

Explanation:
The root cause analysis identifies the contributing items that facilitated the event is the best reason for conducting a root cause analysis, as it reflects the main goal and benefit of this problem-solving approach. A root cause analysis (RCA) is a process of discovering the root causes of problems in order to identify appropriate solutions. A root cause is the core issue or factor that sets in motion the entire cause-and-effect chain that leads to the problem. A root cause analysis assumes that it is more effective to systematically prevent and solve underlying issues rather than just treating symptoms or putting out fires. A root cause analysis can be performed using various methods, tools, and techniques that help to uncover the causes of problems, such as events and causal factor analysis, change analysis, barrier analysis, or fishbone diagrams. A root cause analysis can help to improve quality, performance, safety, or efficiency by finding and eliminating the sources of problems. The other options are not as accurate as the root cause analysis identifies the contributing items that facilitated the event, as they do not capture the essence or value of conducting a root cause analysis. The root cause analysis ensures that proper timelines were documented is a possible outcome or benefit of conducting a root cause analysis, but it is not the best reason for doing so. Documenting timelines can help to establish the sequence of events and actions that led to the problem, but it does not necessarily identify or address the root causes. The root cause analysis allows the incident to be properly documented for reporting is also a possible outcome or benefit of conducting a root cause analysis, but it is not the best reason for doing so. Documenting and reporting incidents can help to communicate and share information about problems and solutions, but it does not necessarily identify or address the root causes. The root cause analysis develops recommendations to improve the process is another possible outcome or benefit of conducting a root cause analysis, but it is not the best reason for doing so. Developing recommendations can help to implement solutions and prevent future problems, but it does not necessarily identify or address the root causes.


NEW QUESTION # 46
A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities:

Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?

  • A. PBleach:
    Cobain: Yes
    Grohl: No
    Novo: No
    Smear: No
    Channing: Yes
  • B. ENameless:
    Cobain: Yes
    Grohl: No
    Novo: Yes
    Smear: No
    Channing: No
  • C. TSpirit:
    Cobain: Yes
    Grohl: Yes
    Novo: Yes
    Smear: No
    Channing: No
  • D. InLoud:
    Cobain: Yes
    Grohl: No
    Novo: Yes
    Smear: Yes
    Channing: No

Answer: C

Explanation:
Explanation
The vulnerability that should be patched first, given the above third-party scoring system, is:
TSpirit: Cobain: Yes Grohl: Yes Novo: Yes Smear: No Channing: No
This vulnerability has three out of five metrics marked as Yes, which indicates a high severity level. The metrics Cobain, Grohl, and Novo are more important than Smear and Channing, according to the vulnerability management team. Therefore, this vulnerability poses a greater risk than the other vulnerabilities and should be patched first.


NEW QUESTION # 47
A security analyst performs various types of vulnerability scans. Review the vulnerability scan results to determine the type of scan that was executed and if a false positive occurred for each device.
Instructions:
Select the Results Generated drop-down option to determine if the results were generated from a credentialed scan, non-credentialed scan, or a compliance scan.
For ONLY the credentialed and non-credentialed scans, evaluate the results for false positives and check the findings that display false positives. NOTE: If you would like to uncheck an option that is currently selected, click on the option a second time.
Lastly, based on the vulnerability scan results, identify the type of Server by dragging the Server to the results.
The Linux Web Server, File-Print Server and Directory Server are draggable.
If at any time you would like to bring back the initial state of the simulation, please select the Reset All button.
When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.

Answer:

Explanation:


NEW QUESTION # 48
Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?

  • A. To perform tests against implemented security controls
  • B. To provide recommendations for handling vulnerabilities
  • C. To verify the roles of the incident response team
  • D. TO provide metrics and test continuity controls

Answer: D

Explanation:
The correct answer is A. To provide metrics and test continuity controls.
A disaster recovery exercise is a simulation or a test of the disaster recovery plan, which is a set of procedures and resources that are used to restore the normal operations of an organization after a disaster or a major incident. The goal of a disaster recovery exercise is to provide metrics and test continuity controls, which are the measures that ensure the availability and resilience of the critical systems and processes of an organization. A disaster recovery exercise can help evaluate the effectiveness, efficiency, and readiness of the disaster recovery plan, as well as identify and address any gaps or issues .
The other options are not the best descriptions of the goal of a disaster recovery exercise. Verifying the roles of the incident response team (B) is a goal of an incident response exercise, which is a simulation or a test of the incident response plan, which is a set of procedures and roles that are used to detect, contain, analyze, and remediate an incident. Providing recommendations for handling vulnerabilities is a goal of a vulnerability assessment, which is a process of identifying and prioritizing the weaknesses and risks in an organization's systems or network. Performing tests against implemented security controls (D) is a goal of a penetration test, which is an authorized and simulated attack on an organization's systems or network to evaluate their security posture and identify any vulnerabilities or misconfigurations.


NEW QUESTION # 49
Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?

  • A. Compliance checks
  • B. Decomposing the application
  • C. Security by design
  • D. Review Of security requirements

Answer: B

Explanation:
The OWASP Web Security Testing Guide (WSTG) includes a section on threat modeling, which is a structured approach to identify, quantify, and address the security risks associated with an application. The first step in the threat modeling process is decomposing the application, which involves creating use cases, identifying entry points, assets, trust levels, and data flow diagrams for the application. This helps to understand the application and how it interacts with external entities, as well as to identify potential threats and vulnerabilities1. The other options are not part of the OWASP WSTG threat modeling process.


NEW QUESTION # 50
During an incident response procedure, a security analyst acquired the needed evidence from the hard drive of a compromised machine. Which of the following actions should the analyst perform next to ensure the data integrity of the evidence?

  • A. Determine a timeline of events using correct time synchronization.
  • B. Keep the cloned hard drive in a safe place.
  • C. Create a chain of custody document.
  • D. Generate hashes for each file from the hard drive.

Answer: D

Explanation:
Generating hashes for each file from the hard drive is the next action that the analyst should perform to ensure the data integrity of the evidence. Hashing is a technique that produces a unique and fixed-length value for a given input, such as a file or a message. Hashing can help to verify the data integrity of the evidence by comparing the hash values of the original and copied files. If the hash values match, then the evidence has not been altered or corrupted. If the hash values differ, then the evidence may have been tampered with or damaged .


NEW QUESTION # 51
A recent penetration test discovered that several employees were enticed to assist attackers by visiting specific websites and running downloaded files when prompted by phone calls. Which of the following would best address this issue?

  • A. Increasing training and awareness for all staff
  • B. Ensuring that malicious websites cannot be visited
  • C. Disabling all staff members' ability to run downloaded applications
  • D. Blocking all scripts downloaded from the internet

Answer: A

Explanation:
Increasing training and awareness for all staff is the best way to address the issue of employees being enticed to assist attackers by visiting specific websites and running downloaded files when prompted by phone calls. This issue is an example of social engineering, which is a technique that exploits human psychology and behavior to manipulate people into performing actions or divulging information that benefit the attackers. Social engineering can take many forms, such as phishing, vishing, baiting, quid pro quo, or impersonation. The best defense against social engineering is to educate and train the staff on how to recognize and avoid common social engineering tactics, such as:
Verifying the identity and legitimacy of the caller or sender before following their instructions or clicking on any links or attachments Being wary of unsolicited or unexpected requests for information or action, especially if they involve urgency, pressure, or threats Reporting any suspicious or anomalous activity to the security team or the appropriate authority Following the organization's policies and procedures on security awareness and best practices Official Reference:
https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives
https://www.comptia.org/certifications/cybersecurity-analyst
https://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-answered


NEW QUESTION # 52
An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window.
However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?

  • A. Legacy systems
  • B. Lack of maintenance windows
  • C. Proprietary systems
  • D. Unsupported operating systems

Answer: C

Explanation:
Explanation
Proprietary systems are systems that are owned and controlled by a specific vendor or manufacturer, and that use proprietary standards or protocols that are not compatible with other systems. Proprietary systems can pose a challenge for vulnerability management, as they may not allow users to access or modify their configuration, update their software, or patch their vulnerabilities. In this case, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. This indicates that these systems and associated vulnerabilities are examples of proprietary systems as inhibitors to remediation


NEW QUESTION # 53
While reviewing a vulnerability assessment, an analyst notices the following issue is identified in the report:

  • A. Obtain a new self-signed certificate and select AES as the hashing algorithm.
  • B. Use only signed certificates with cryptographically secure certificate sources.
  • C. Replace the existing certificate with a certificate that uses only MD5 for signing.
  • D. Reconfigure the device to support only connections leveraging TLSv1.2.

Answer: D

Explanation:
The vulnerability assessment report shows that the device is using SSLv3, which is an outdated and insecure protocol for secure communication over a network. SSLv3 has several known vulnerabilities, such as POODLE, that allow attackers to decrypt or modify the encrypted data. To remediate this issue, the analyst should recommend reconfiguring the device to support only connections leveraging TLSv1.2, which is a newer and more secure protocol that provides stronger encryption, authentication, and integrity protection for the data transmitted over the network.


NEW QUESTION # 54
A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server logs for evidence of exploitation of that particular vulnerability?

  • A. /etc/ shadow
  • B. curl localhost
  • C. cat /proc/self/
  • D. ; printenv

Answer: A

Explanation:
Explanation
/etc/shadow is the pattern that the security analyst can use to search the web server logs for evidence of exploitation of the LFI vulnerability that can be exploited to extract credentials from the underlying host. LFI stands for Local File Inclusion, which is a vulnerability that allows an attacker to include local files on the web server into the output of a web application. LFI can be exploited to extract sensitive information from the web server, such as configuration files, passwords, or source code. The /etc/shadow file is a file that stores the encrypted passwords of all users on a Linux system. If an attacker can exploit the LFI vulnerability to include this file into the web application output, they can obtain the credentials of the users on the web server.
Therefore, the security analyst can look for /etc/shadow in the request line of the web server logs to see if any attacker has attempted or succeeded in exploiting the LFI vulnerability. Official References:
https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives
https://www.comptia.org/certifications/cybersecurity-analyst
https://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-answered


NEW QUESTION # 55
Which of the following best describes the reporting metric that should be utilized when measuring the degree to which a system, application, or user base is affected by an uptime availability outage?

  • A. Evidence
  • B. Timeline
  • C. Impact
  • D. Scope

Answer: C

Explanation:
The correct answer is C. Impact.
The impact metric is the best way to measure the degree to which a system, application, or user base is affected by an uptime availability outage. The impact metric quantifies the consequences of the outage in terms of lost revenue, productivity, reputation, customer satisfaction, or other relevant factors. The impact metric can help prioritize the recovery efforts and justify the resources needed to restore the service1.
The other options are not the best ways to measure the degree to which a system, application, or user base is affected by an uptime availability outage. The timeline metric (A) measures the duration and frequency of the outage, but not its effects. The evidence metric (B) measures the sources and types of data that can be used to investigate and analyze the outage, but not its effects. The scope metric (D) measures the extent and severity of the outage, but not its effects.


NEW QUESTION # 56
Which of the following software assessment methods world peak times?

  • A. User acceptance testing
  • B. Dynamic analysis testing
  • C. Static analysis testing
  • D. Stress testing
  • E. Security regression testing

Answer: D

Explanation:
Stress testing is a software assessment method that tests how an application performs under peak times or extreme workloads. Stress testing can help to identify any performance issues, bottlenecks, errors or crashes that may occur when an application faces high demand or concurrent users. Stress testing can also help to determine the maximum capacity and scalability of an application .


NEW QUESTION # 57
A security analyst is logged on to a jump server to audit the system configuration and status. The organization's policies for access to and configuration of the jump server include the following:
* No network access is allowed to the internet.
* SSH is only for management of the server.
* Users must utilize their own accounts, with no direct login as an administrator.
* Unnecessary services must be disabled.
The analyst runs netstar with elevated permissions and receives the following output:

Which of the following policies does the server violate?

  • A. Unnecessary services must be disabled.
  • B. SSH is only for management of the server.
  • C. No network access is allowed to the internet.
  • D. Users must utilize their own accounts, with no direct login as an administrator.

Answer: C

Explanation:
The server violates the policy of no network access to the internet because it has an established connection to an external IP address (216.58.194.174) on port 443, which is used for HTTPS traffic. This indicates that the server is communicating with a web server on the internet, which is not allowed by the policy. The other policies are not violated because SSH is only used for management of the server (not for accessing other devices), users are utilizing their own accounts (not logging in as an administrator), and unnecessary services are not enabled (only SSH and HTTPS are running). Reference: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 9; https://en.wikipedia.org/wiki/Jump_server


NEW QUESTION # 58
A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack. Which of the following best describes the current stage of the Cyber Kill Chain that the threat actor is currently operating in?

  • A. Delivery
  • B. Weaponization
  • C. Exploitation
  • D. Reconnaissance

Answer: C

Explanation:
Explanation
The Cyber Kill Chain is a framework that describes the stages of a cyberattack from reconnaissance to actions on objectives. The exploitation stage is where attackers take advantage of the vulnerabilities they have discovered in previous stages to further infiltrate a target's network and achieve their objectives. In this case, the malicious actor has gained access to an internal network by means of social engineering and does not want to lose access in order to continue the attack. This indicates that the actor is in the exploitation stage of the Cyber Kill Chain. Official References:
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html


NEW QUESTION # 59
The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program.
Which of the following is the best priority based on common attack frameworks?

  • A. Employ a network-based IDS
  • B. Enable SSO to enterprise applications
  • C. Conduct thorough incident response
  • D. Reduce the administrator and privileged access accounts

Answer: D

Explanation:
Explanation
The best priority based on common attack frameworks for a new program to reduce attack surface risks and threats as part of a zero trust approach is to reduce the administrator and privileged access accounts.
Administrator and privileged access accounts are accounts that have elevated permissions or capabilities to perform sensitive or critical tasks on systems or networks, such as installing software, changing configurations, accessing data, or granting access. Reducing the administrator and privileged access accounts can help minimize the attack surface, as it can limit the number of potential targets or entry points for attackers, as well as reduce the impact or damage of an attack if an account is compromised.


NEW QUESTION # 60
An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?

  • A. Primary boot partition
  • B. Malicious tiles
  • C. Static IP address
  • D. Routing table
  • E. Hard disk

Answer: E

Explanation:
The hard disk is the piece of data that should be collected first in order to preserve sensitive information before isolating the server. The hard disk contains all the files and data stored on the server, which may include evidence of malicious activity, such as malware installation, data exfiltration, or configuration changes. The hard disk should be collected using proper forensic techniques, such as creating an image or a copy of the disk and maintaining its integrity using hashing algorithms.


NEW QUESTION # 61
A security analyst is monitoring a company's network traffic and finds ping requests going to accounting and human resources servers from a SQL server. Upon investigation, the analyst discovers a technician responded to potential network connectivity issues. Which of the following is the best way for the security analyst to respond?

  • A. Recommend network segmentation to the management team as a way to secure the various environments.
  • B. Report this activity as a false positive, as the activity is legitimate.
  • C. Isolate the system and begin a forensic investigation to determine what was compromised.
  • D. Implement host-based firewalls on all systems to prevent ping sweeps in the future.

Answer: B

Explanation:
Reporting this activity as a false positive, as the activity is legitimate, is the best way for the security analyst to respond. A false positive is a condition in which harmless traffic is classified as a potential network attack by a security monitoring tool. Ping requests are a common network diagnostic tool that can be used to test network connectivity issues. The technician who responded to potential network connectivity issues was performing a legitimate task and did not pose any threat to the accounting and human resources servers .


NEW QUESTION # 62
......

Download Real CompTIA CS0-003 Exam Dumps Test Engine Exam Questions: https://www.latestcram.com/CS0-003-exam-cram-questions.html

Verified CS0-003 Dumps Q&As - CS0-003 Test Engine with Correct Answers: https://drive.google.com/open?id=1zDqmdbqjbOWdLrPV2giD8jczbVu62_Gr