CompTIA Cybersecurity Analyst (CySA+): CS0-002

A technician at a company's retail store notifies an analyst that disk space is being consumed at a rapid rate on several registers. The uplink back to the corporate office is also saturated frequently. The retail location has no Internet access. An analyst then observes several occasional IPS alerts indicating a server at corporate has been communicating with an address on a watchlist. Netflow data shows large quantities of data transferred at those times.

Which of the following is MOST likely causing the issue?

A. A credit card processing file was declined by the card processor and caused transaction logs on the registers to accumulate longer than usual.

B. Ransomware on the corporate network has propagated from the corporate network to the registers and has begun encrypting files there.

C. A penetration test is being run against the registers from the IP address indicated on the watchlist, generating large amounts of traffic and data storage.

D. Malware on a register is scraping credit card data and staging it on a server at the corporate office before uploading it to an attacker-controlled command and control server.

A malicious artifact was collected during an incident response procedure. A security analyst is unable to run it in a sandbox to understand its features and method of operation. Which of the following procedures is the BEST approach to perform a further analysis of the malware's capabilities?

A. Reverse engineering

B. Dynamic analysis

C. Strings extraction

D. Static analysis

The SFTP server logs show thousands of failed login attempts from hundreds of IP addresses worldwide. Which of the following controls would BEST protect the service?

A. Whitelisting authorized IP addresses

B. Enforcing more complex password requirements

C. Blacklisting unauthorized IP addresses

D. Establishing a sinkhole service