An organization needs to secure sensitive data on its critical networks by implementing controls to mitigate APTs. The current policy does not provide any guidance or processes that support the mitigation of APTs. Which of the following technologies should the organization implement lo secure sensitive data? (Select two).

1. A. WAF
2. B. VPN
3. C. VPC
4. D. IPS
5. E. SIEM
6. F. SSO

Correct Answer: DE
IPS and SIEM are technologies that can help secure sensitive data on critical networks by implementing controls to mitigate APTs. IPS stands for Intrusion Prevention System, and it is a device or software that monitors network traffic and blocks or prevents malicious packets or activities based on predefined rules or signatures. IPS can help detect and stop APTs that may try to exploit vulnerabilities or bypass security controls on critical networks. SIEM stands for Security Information and Event Management, and it is a system that collects, correlates, analyzes, and reports security data from various sources, such as logs, alerts, events, etc. SIEM can help identify and respond to APTs that may exhibit anomalous or suspicious behavior patterns on critical networks.

Which of the following control types is an organization using when restoring a backup?

1. A. Technical
2. B. Responsive
3. C. Corrective
4. D. Preventive

Correct Answer: C
The correct answer is C. Corrective. A corrective control is a type of control that is used to restore normal operations after a security incident or event has occurred. A corrective control can include actions such as restoring a backup, applying patches, reconfiguring settings, or replacing damaged components. A corrective control can help to mitigate the impact of an incident and prevent further damage or loss1.
* A. Technical is not correct. A technical control is a type of control that is implemented using hardware, software, or firmware to protect the confidentiality, integrity, and availability of information and systems. A technical control can include mechanisms such as encryption, authentication, firewalls, antivirus, or intrusion detection systems. A technical control can be preventive, detective, or responsive, depending on its function2.
* B. Responsive is not correct. A responsive control is a type of control that is used to react to a security incident or event in real time and stop or contain the attack. A responsive control can include actions such as blocking traffic, isolating systems, terminating processes, or alerting users. A responsive control can help to reduce the severity and duration of an incident and limit its spread3.
* D. Preventive is not correct. A preventive control is a type of control that is used to deter or avoid a security incident or event from happening in the first place. A preventive control can include measures such as policies, procedures, training, awareness, or physical security. A preventive control can help to reduce the likelihood and frequency of an incident and minimize its potential impact.
* 1: 24.3 Control Types - CompTIA Cybersecurity Analyst (CySA+) CS0-002 [Video] 2: OVERVIEW
CompTIA 3: 24.3 Control Types - CompTIA Cybersecurity Analyst (CySA+) CS0-002 [Video] : OVERVIEW - CompTIA

Which of the following are the most likely reasons to include reporting processes when updating an incident response plan after a breach? (Select two).

1. A. To use the SLA to determine when to deliver the report
2. B. To meet regulatory requirements for timely reporting
3. C. To limit reputation damage caused by the breach
4. D. To remediate vulnerabilities that led to the breach
5. E. To isolate potential insider threats
6. F. To provide secure network design changes

Correct Answer: BC
According to the CompTIA CySA+ Study Guide Exam CS0-002, 2nd Edition1, reporting is an essential part of the incident response process. It helps communicate the details and impact of the incident to various stakeholders, such as management, customers, regulators, law enforcement, and the public. Reporting also provides valuable feedback and lessons learned that can improve the security posture and readiness of the organization.
Based on this information, the most likely reasons to include reporting processes when updating an incident response plan after a breach are:
B. To meet regulatory requirements for timely reporting: Many industries and jurisdictions have laws and regulations that mandate reporting of security breaches within a certain time frame. Failing to comply with these requirements can result in fines, penalties, lawsuits, and loss of trust. Therefore, it is important to have a clear and consistent reporting process that ensures timely and accurate disclosure of the breach to the relevant authorities.
C. To limit reputation damage caused by the breach: A security breach can have a negative impact on the reputation and credibility of the organization. Customers, partners, investors, and the public may lose confidence in the organization’s ability to protect their data and interests. Therefore, it is important
to have a transparent and honest reporting process that informs the affected parties about the nature, scope, and consequences of the breach, as well as the actions taken to mitigate and prevent future incidents. This can help restore trust and goodwill among the stakeholders.

A company notices unknown devices connecting to the internal network and would like to implement a solution to block all non-corporate managed machines. Which of the following solutions would be best to accomplish this goal?

1. A. WPA2 for W1F1 networks
2. B. NAC with 802.1X implementation
3. C. Extensible Authentication Protocol
4. D. RADIUS with challenge/response

Correct Answer: B
This solution is the best to accomplish the goal of blocking all non-corporate managed machines from connecting to the internal network. NAC stands for network access control, which is a method of enforcing policies and rules on network devices based on their identity, role, location, and other attributes. 802.1X is a
standard for port-based network access control, which authenticates devices before granting them access to a network port or wireless access point.

Members of the sales team are using email to send sensitive client lists with contact information to their personal accounts The company's AUP and code of conduct prohibits this practice. Which of the following configuration changes would improve security and help prevent this from occurring?

1. A. Configure the DLP transport rules to provide deep content analysis.
2. B. Put employees' personal email accounts on the mail server on a blocklist.
3. C. Set up IPS to scan for outbound emails containing names and contact information.
4. D. Use Group Policy to prevent users from copying and pasting information into emails.
5. E. Move outbound emails containing names and contact information to a sandbox for further examination.

Correct Answer: A
Data loss prevention (DLP) is a set of policies and tools that aim to prevent unauthorized disclosure of sensitive data. DLP transport rules are rules that apply to email messages that are sent or received by an organization’s mail server. These rules can provide deep content analysis, which means they can scan the content of email messages and attachments for sensitive data patterns, such as client lists or contact information. If a rule detects a violation of the DLP policy, it can take actions such as blocking, quarantining, or notifying the sender or recipient. This would improve security and help prevent sales team members from sending sensitive client lists to their personal accounts. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 14;
https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/data-loss-prevention