Black Friday Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: clap70

CS0-002 CompTIA CySA+ Certification Exam (CS0-002) Questions and Answers

Questions 4

A security analyst is concerned about sensitive data living on company file servers following a zero-day attack that nearly resulted in a breach of millions of customer records. The after action report indicates a lack of controls around the file servers that contain sensitive data. Which of the following DLP considerations would best help the analyst to classify and address the sensitive data on the file servers?

Options:

A.

Implement a CASB device and connect the SaaS applications.

B.

Deploy network DLP appliances pointed to all file servers.

C.

Use data-at-rest scans to locate and identify sensitive data.

D.

Install endpoint DLP agents on all computing resources.

Buy Now
Questions 5

An organization is required to be able to consume multiple threat feeds simultaneously and to provide actionable intelligence to various teams. The organization would also like to be able to leverage the intelligence to enrich security event data. Which of the following functions would most likely help the security analyst meet the organization's requirements?

Options:

A.

Vulnerability management

B.

Risk management

C.

Detection and monitoring

D.

Incident response

Buy Now
Questions 6

A company's domain has been spooled in numerous phishing campaigns. An analyst needs to determine the company is a victim of domain spoofing, despite having a DMARC record that should tell mailbox providers to ignore any email that fails DMARC upon review of the record, the analyst finds the following:

Which of the following BEST explains the reason why the company's requirements are not being processed correctly by mailbox providers?

Options:

A.

The DMARC record's DKIM alignment tag Is incorrectly configured.

B.

The DMARC record's policy tag is incorrectly configured.

C.

The DMARC record does not have an SPF alignment tag.

D.

The DMARC record's version tag is set to DMARC1 instead of the current version, which is DMARC3.

Buy Now
Questions 7

A security analyst responds to a series of events surrounding sporadic bandwidth consumption from an endpoint device. The security analyst then identifies the following additional details:

• Bursts of network utilization occur approximately every seven days.

• The content being transferred appears to be encrypted or obfuscated.

• A separate but persistent outbound TCP connection from the host to infrastructure in a third-party cloud is in place.

• The HDD utilization on the device grows by 10GB to 12GB over the course of every seven days.

• Single file sizes are 10GB.

Which of the following describes the most likely cause of the issue?

Options:

A.

Memory consumption

B.

Non-standard port usage

C.

Data exfiltration

D.

System update

E.

Botnet participant

Buy Now
Questions 8

In SIEM software, a security analysis selected some changes to hash signatures from monitored files during the night followed by SMB brute-force attacks against the file servers Based on this behavior, which of the following actions should be taken FIRST to prevent a more serious compromise?

Options:

A.

Fully segregate the affected servers physically in a network segment, apart from the production network.

B.

Collect the network traffic during the day to understand if the same activity is also occurring during business hours

C.

Check the hash signatures, comparing them with malware databases to verify if the files are infected.

D.

Collect all the files that have changed and compare them with the previous baseline

Buy Now
Questions 9

After examining a header and footer file, a security analyst begins reconstructing files by scanning the raw data bytes of a hard disk and rebuilding them. Which of the following techniques is the analyst using?

Options:

A.

Header analysis

B.

File carving

C.

Metadata analysis

D.

Data recovery

Buy Now
Questions 10

A security analyst discovers the accounting department is hosting an accounts receivable form on a public document service. Anyone with the link can access it. Which of the following threats applies to this situation?

Options:

A.

Potential data loss to external users

B.

Loss of public/private key management

C.

Cloud-based authentication attack

D.

Identification and authentication failures

Buy Now
Questions 11

A small business does not have enough staff in the accounting department to segregate duties. The controller writes the checks for the business and reconciles them against the ledger. To ensure there is no fraud occurring, the business conducts quarterly reviews in which a different officer in the business compares all the cleared checks against the ledger. Which of the following BEST describes this type of control?

Options:

A.

Deterrent

B.

Preventive

C.

Compensating

D.

Detective

Buy Now
Questions 12

An incident response team detected malicious software that could have gained access to credit card data. The incident response team was able to mitigate significant damage and implement corrective actions. By having incident response mechanisms in place. Which of the following should be notified for lessons learned?

Options:

A.

The human resources department

B.

Customers

C.

Company leadership

D.

The legal team

Buy Now
Questions 13

industry partners from critical infrastructure organizations were victims of attacks on their SCADA devices. The attacks used privilege escalation to gain access to SCADA administration and access management solutions would help to mitigate this risk?

Options:

A.

Multifactor authentication

B.

Manual access reviews

C.

Endpoint detection and response

D.

Role-based access control

Buy Now
Questions 14

A security technician configured a NIDS to monitor network traffic. Which of the following is a condition in which harmless traffic is classified as a potential network attack?

Options:

A.

True positive

B.

True negative

C.

False positive

D.

False negative

Buy Now
Questions 15

Which of the following is a difference between SOAR and SCAP?

Options:

A.

SOAR can be executed taster and with fewer false positives than SCAP because of advanced heunstics

B.

SOAR has a wider breadth of capability using orchestration and automation, while SCAP is more limited in scope

C.

SOAR is less expensive because process and vulnerability remediation is more automated than what SCAP does

D.

SOAR eliminates the need for people to perform remediation, while SCAP relies heavily on security analysts

Buy Now
Questions 16

After running the cat file01.bin | hexdump -c command, a security analyst reviews the following output snippet:

00000000 ff d8 ft e0 00 10 4a 46 49 46 00 01 01 00 00 01 |......JFIF......|

Which of the following digital-forensics techniques is the analyst using?

Options:

A.

Reviewing the file hash

B.

Debugging the binary file

C.

Implementing file carving

D.

Verifying the file type

E.

Utilizing reverse engineering

Buy Now
Questions 17

While reviewing system logs, a network administrator discovers the following entry:

Which of the following occurred?

Options:

A.

An attempt was made to access a remote workstation.

B.

The PsExec services failed to execute.

C.

A remote shell failed to open.

D.

A user was trying to download a password file from a remote system.

Buy Now
Questions 18

An analyst Is reviewing a web developer's workstation for potential compromise. While examining the workstation's hosts file, the analyst observes the following:

Which of the following hosts file entries should the analyst use for further investigation?

Options:

A.

::1

B.

127.0.0.1

C.

192.168.3.249

D.

198.51.100.5

Buy Now
Questions 19

A company's blocklist has outgrown the current technologies in place. The ACLs are at maximum, and the IPS signatures only allow a certain amount of space for domains to be added, creating the need for multiple signatures. Which of the following configuration changes to the existing controls would be the MOST appropriate to improve performance?

Options:

A.

Implement a host-file-based solution that will use a list of all domains to deny for all machines on the network.

B.

Create an IDS for the current blocklist to determine which domains are showing activity and may need to be removed

C.

Review the current blocklist and prioritize it based on the level of threat severity. Add the domains with the highest severity to the blocklist.

D.

Review the current blocklist to determine which domains can be removed from the list and then update the ACLs

Buy Now
Questions 20

A small organization has proprietary software that is used internally. The system has not been wen maintained and cannot be updated with the rest or the environment. Which of the following is the BEST solution?

Options:

A.

virtualize the system and decommission the physical machine.

B.

Remove it from the network and require air gapping.

C.

Implement privileged access management for identity access.

D.

Implement MFA on the specific system.

Buy Now
Questions 21

Which of the following is MOST important when developing a threat hunting program?

Options:

A.

Understanding penetration testing techniques

B.

Understanding how to build correlation rules within a SIEM

C.

Understanding security software technologies

D.

Understanding assets and categories of assets

Buy Now
Questions 22

Which of the following is the BEST option to protect a web application against CSRF attacks?

Options:

A.

Update the web application to the latest version.

B.

Set a server-side rate limit for CSRF token generation.

C.

Avoid the transmission of CSRF tokens using cookies.

D.

Configure the web application to only use HTTPS and TLS 1.3.

Buy Now
Questions 23

According to a static analysis report for a web application, a dynamic code evaluation script injection vulnerability was found. Which of the following actions is the BEST option to fix the vulnerability in the source code?

Options:

A.

Delete the vulnerable section of the code immediately.

B.

Create a custom rule on the web application firewall.

C.

Validate user input before execution and interpretation.

D.

Use parameterized queries.

Buy Now
Questions 24

An analyst receives an alert from the continuous-monitoring solution about unauthorized changes to the firmware versions on several field devices. The asset owners confirm that no firmware version updates were performed by authorized technicians, and customers have not reported any performance issues or outages. Which Of the following actions would be BEST for the analyst to recommend to the asset owners to secure the devices from further exploitation?

Options:

A.

Change the passwords on the devices.

B.

Implement BIOS passwords.

C.

Remove the assets from the production network for analysis.

D.

Report the findings to the threat intel community.

Buy Now
Questions 25

An organization recently discovered that spreadsheet files containing sensitive financial data were improperly stored on a web server. The management team wants to find out if any of these files were downloaded by pubic users accessing the server. The results should be written to a text file and should induce the date. time, and IP address associated with any spreadsheet downloads. The web server's log file Is named webserver log, and the report We name should be accessreport.txt. Following is a sample of the web servefs.log file:

2017-0-12 21:01:12 GET /index.htlm - @4..102.33.7 - return=200 1622

Which of the following commands should be run if an analyst only wants to include entries in which spreadsheet was successfully downloaded?

Options:

A.

more webserver.log | grep * xIs > accessreport.txt

B.

more webserver.log > grep ''xIs > egrep -E 'success' > accessreport.txt

C.

more webserver.log | grep ' -E ''return=200 | accessreport.txt

D.

more webserver.log | grep -A *.xIs < accessreport.txt

Buy Now
Questions 26

A security analyst is logged on to a jump server to audit the system configuration and status. The organization's policies for access to and configuration of the jump server include the following:

• No network access is allowed to the internet.

• SSH is only for management of the server.

• Users must utilize their own accounts, with no direct login as an administrator.

• Unnecessary services must be disabled.

The analyst runs netstar with elevated permissions and receives the following output:

Which of the following policies does the server violate?

Options:

A.

Unnecessary services must be disabled.

B.

SSH is only for management of the server.

C.

No network access is allowed to the internet.

D.

Users must utilize their own accounts, with no direct login as an administrator.

Buy Now
Questions 27

A security manager has asked an analyst to provide feedback on the results of a penetration test. After reviewing the results, the manager requests

information regarding the possible exploitation of vulnerabilities. Which of the following information data points would be MOST useful for the analyst

to provide to the security manager, who would then communicate the risk factors to the senior management team? (Select TWO).

Options:

A.

Probability

B.

Adversary capability

C.

Attack vector

D.

Impact

E.

Classification

F.

Indicators of compromise

Buy Now
Questions 28

An analyst is reviewing the output from some recent network enumeration activities. The following entry relates to a target on the network:

Based on the above output, which Of the following tools or techniques is MOST likely being used?

Options:

A.

Web application firewall

B.

Port triggering

C.

Intrusion prevention system

D.

Port isolation

E.

Port address translation

Buy Now
Questions 29

During an incident response procedure, a security analyst acquired the needed evidence from the hard drive of a compromised machine. Which of the following actions should the analyst perform next to ensure the data integrity of the evidence?

Options:

A.

Generate hashes for each file from the hard drive.

B.

Create a chain of custody document.

C.

Determine a timeline of events using correct time synchronization.

D.

Keep the cloned hard drive in a safe place.

Buy Now
Questions 30

A cybersecurity analyst routinely checks logs, querying for login attempts. While querying for unsuccessful login attempts during a five-day period, the analyst produces the following report:

Which of the following BEST describes what the analyst Just found?

Options:

A.

Users 4 and 5 are using their credentials to transfer files to multiple servers.

B.

Users 4 and 5 are using their credentials to run an unauthorized scheduled task targeting some servers In the cloud.

C.

An unauthorized user is using login credentials in a script.

D.

A bot is running a brute-force attack in an attempt to log in to the domain.

Buy Now
Questions 31

As a proactive threat-hunting technique, hunters must develop situational cases based on likely attack scenarios derived from the available threat intelligence information. After forming the basis of the scenario, which of the following may the threat hunter construct to establish a framework for threat assessment?

Options:

A.

Critical asset list

B.

Threat vector

C.

Attack profile

D.

Hypothesis

Buy Now
Questions 32

A security analyst found an old version of OpenSSH running on a DMZ server and determined the following piece of code could have led to a command execution through an integer overflow;

Which of the following controls must be in place to prevent this vulnerability?

Options:

A.

Convert all integer numbers in strings to handle the memory buffer correctly.

B.

Implement float numbers instead of integers to prevent integer overflows.

C.

Use built-in functions from libraries to check and handle long numbers properly.

D.

Sanitize user inputs, avoiding small numbers that cannot be handled in the memory.

Buy Now
Questions 33

While going through successful malware cleanup logs, an analyst notices an old worm that has been replicating itself across the company's network Reinfection of the malware can be prevented with a patch; however, most of the affected systems cannot be patched because the patch would make the system unstable. Which of the following should the analyst recommend to best prevent propagation of the malware throughout the network?

Options:

A.

Segmenting the network to include all legacy systems

B.

Placing vulnerable devices behind a firewall

C.

Scanning the entire network for malware weekly

D.

Patching systems when possible and monitoring the rest of them

Buy Now
Questions 34

Which of the following BEST explains the function of a managerial control?

Options:

A.

To help design and implement the security planning, program development, and maintenance of the security life cycle

B.

To guide the development of training, education, security awareness programs, and system maintenance

C.

To create data classification, risk assessments, security control reviews, and contingency planning

D.

To ensure tactical design, selection of technology to protect data, logical access reviews, and the implementation of audit trails

Buy Now
Questions 35

A security analyst is performing a Diamond Model analysis of an incident the company had last quarter. A potential benefit of this activity is that it can identify:

Options:

A.

detection and prevention capabilities to improve.

B.

which systems were exploited more frequently.

C.

possible evidence that is missing during forensic analysis.

D.

which analysts require more training.

E.

the time spent by analysts on each of the incidents.

Buy Now
Questions 36

An organization is adopting loT devices at an increasing rate and will need to account for firmware updates in its vulnerability management programs. Despite the number of devices being deployed, the organization has only focused on software patches so far. leaving hardware-related weaknesses open to compromise. Which of the following best practices will help the organization to track and deploy trusted firmware updates as part of its vulnerability management programs?

Options:

A.

Utilize threat intelligence to guide risk evaluation activities and implement critical updates after proper testing.

B.

Apply all firmware updates as soon as they are released to mitigate the risk of compromise.

C.

Determine an annual patch cadence to ensure all patching occurs at the same time.

D.

Implement an automated solution that detects when vendors release firmware updates and immediately deploy updates to production.

Buy Now
Questions 37

A software developer is correcting the error-handling capabilities of an application following the initial coding of the fix. Which of the following would the software developer MOST likely performed to validate the code poor to pushing it to production?

Options:

A.

Web-application vulnerability scan

B.

Static analysis

C.

Packet inspection

D.

Penetration test

Buy Now
Questions 38

A security administrator needs to provide access from partners to an Isolated laboratory network inside an organization that meets the following requirements:

• The partners' PCs must not connect directly to the laboratory network.

• The tools the partners need to access while on the laboratory network must be available to all partners

• The partners must be able to run analyses on the laboratory network, which may take hours to complete

Which of the following capabilities will MOST likely meet the security objectives of the request?

Options:

A.

Deployment of a jump box to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis

B.

Deployment of a firewall to allow access to the laboratory network and use of VDI in non-persistent mode to provide the necessary tools tor analysis

C.

Deployment of a firewall to allow access to the laboratory network and use of VDI In persistent mode to provide the necessary tools for analysis

D.

Deployment of a jump box to allow access to the Laboratory network and use of VDI in non-persistent mode to provide the necessary tools for analysis

Buy Now
Questions 39

A security analyst is reviewing vulnerability scans from an organization's internet-facing web services. The following is from an output file called ssl-test_webapps.comptia.org:

Which of the following lines from this output most likely indicates that attackers could quickly use brute force and determine the negotiated secret session key?

Options:

A.

TLS_RSA_WITH_DES_CBC_SHA 56

B.

TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 DH (1024 bits)

C.

TLS_RSA_K1TH_A£S_256_CBC_SHA 256

D.

TLS_DHE_RSA_WITH_AES_256_GCM_SHA256 DH (2048 bits)

Buy Now
Questions 40

Which of following allows Secure Boot to be enabled?

Options:

A.

eFuse

B.

UEFI

C.

MSM

D.

PAM

Buy Now
Questions 41

During an incident investigation, a security analyst discovers the web server is generating an unusually high volume of logs The analyst observes the following response codes:

• 20% of the logs are 403

• 20% of the logs are 404

• 50% of the logs are 200

• 10% of the logs are other codes

The server generates 2MB of logs on a daily basis, and the current day log is over 200MB. Which of the following commands should the analyst use to identify the source of the activity?

Options:

A.

cat access_log Igrep " 403 "

B.

cat access_log Igrep " 200 "

C.

cat access_log Igrep " 100 "

D.

cat access_log Igrep " 4 04 "

E.

cat access_log Igrep " 204 "

Buy Now
Questions 42

An analyst received an alert regarding an application spawning a suspicious command shell process Upon further investigation, the analyst observes the following registry change occurring immediately after the suspicious event:

Which of the following was the suspicious event able to accomplish?

Options:

A.

Impair defenses.

B.

Establish persistence.

C.

Bypass file access controls.

D.

Implement beaconing.

Buy Now
Questions 43

A cybersecurity analyst needs to Implement controls that will reduce the attack surface of a web server. Which of the following is the best proactive control?

Options:

A.

Disabling unused modules

B.

Installing a host-based IDS

C.

Sending logs to a remote server

D.

Performing vulnerability scans

Buy Now
Questions 44

A security is reviewing a vulnerability scan report and notes the following finding:

As part of the detection and analysis procedures, which of the following should the analyst do NEXT?

Options:

A.

Patch or reimage the device to complete the recovery

B.

Restart the antiviruses running processes

C.

Isolate the host from the network to prevent exposure

D.

Confirm the workstation's signatures against the most current signatures.

Buy Now
Questions 45

A cybersecurity analyst is researching operational data to develop a script that will detect the presence of a threat on corporate assets. Which of the following contains the most useful information to produce this script?

Options:

A.

API documentation

B.

Protocol analysis captures

C.

MITRE ATT&CK reports

D.

OpenloC files

Buy Now
Questions 46

A developer is working on a program to convert user-generated input in a web form before it is displayed by the browser. This technique is referred to as:

Options:

A.

output encoding.

B.

data protection.

C.

query parameterization.

D.

input validation.

Buy Now
Questions 47

Which of the following describes the mam difference between supervised and unsupervised machine-learning algorithms that are used in cybersecurity applications?

Options:

A.

Supervised algorithms can be used to block attacks, while unsupervised algorithms cannot.

B.

Supervised algorithms require security analyst feedback, while unsupervised algorithms do not.

C.

Unsupervised algorithms are not suitable for IDS systems, white supervised algorithms are

D.

Unsupervised algorithms produce more false positives. Than supervised algorithms.

Buy Now
Questions 48

A computer hardware manufacturer developing a new SoC that will be used by mobile devices. The SoC should not allow users or the process to downgrade from a newer firmware to an older one. Which of the following can the hardware manufacturer implement to prevent firmware downgrades?

Options:

A.

Encryption

B.

eFuse

C.

Secure Enclave

D.

Trusted execution

Buy Now
Questions 49

Which of the following is an advantage of SOAR over SIEM?

Options:

A.

SOAR is much less expensive.

B.

SOAR reduces the amount of human intervention required.

C.

SOAR can aggregate data from many sources.

D.

SOAR uses more robust encryption protocols.

Buy Now
Questions 50

A company offers a hardware security appliance to customers that provides remote administration of a device on the customer's network Customers are not authorized to alter the configuration The company deployed a software process to manage unauthorized changes to the appliance log them, and forward them to a central repository for evaluation Which of the following processes is the company using to ensure the appliance is not altered from its ongmal configured state?

Options:

A.

CI/CD

B.

Software assurance

C.

Anti-tamper

D.

Change management

Buy Now
Questions 51

Which of the following solutions is the BEST method to prevent unauthorized use of an API?

Options:

A.

HTTPS

B.

Geofencing

C.

Rate liming

D.

Authentication

Buy Now
Questions 52

When of the following techniques can be implemented to safeguard the confidentiality of sensitive information while allowing limited access to authorized individuals?

Options:

A.

Deidentification

B.

Hashing

C.

Masking

D.

Salting

Buy Now
Questions 53

A security analyst is monitoring a company's network traffic and finds ping requests going to accounting and human resources servers from a SQL server. Upon investigation, the analyst discovers a technician responded to potential network connectivity issues. Which of the following is the best way for the security analyst to respond?

Options:

A.

Report this activity as a false positive, as the activity is legitimate.

B.

Isolate the system and begin a forensic investigation to determine what was compromised.

C.

Recommend network segmentation to the management team as a way to secure the various environments.

D.

Implement host-based firewalls on all systems to prevent ping sweeps in the future.

Buy Now
Questions 54

An organization wants to ensure the privacy of the data that is on its systems Full disk encryption and DLP are already in use Which of the following is the BEST option?

Options:

A.

Require all remote employees to sign an NDA

B.

Enforce geofencing to limit data accessibility

C.

Require users to change their passwords more frequently

D.

Update the AUP to restrict data sharing

Buy Now
Questions 55

A security analyst discovers the company's website is vulnerable to cross-site scripting. Which of the following solutions will best remedy the vulnerability?

Options:

A.

Prepared statements

B.

Server-side input validation

C.

Client-side input encoding

D.

Disabled JavaScript filtering

Buy Now
Questions 56

Which of the following types of controls defines placing an ACL on a file folder?

Options:

A.

Technical control

B.

Confidentiality control

C.

Managerial control

D.

Operational control

Buy Now
Questions 57

The IT department is concerned about the possibility of a guest device infecting machines on the corporate network or taking down the company's singe internet connection. Which of the following should a security analyst recommend to BEST meet the requirements outlined by the IT Department?

Options:

A.

Require the guest machines to install the corporate-owned EDR solution.

B.

Configure NAC to only allow machines on the network that are patched and have active antivirus.

C.

Place a firewall In between the corporate network and the guest network

D.

Configure the IPS with rules that will detect common malware signatures traveling from the guest network.

Buy Now
Questions 58

A security officer needs to find the most cost-effective solution to the current data privacy and protection gap found in the last security assessment. Which of the following is the BEST recommendation?

Options:

A.

Require users to sign NDAs

B.

Create a data minimization plan.

C.

Add access control requirements.

D.

Implement a data loss prevention solution.

Buy Now
Questions 59

A Chief Executive Officer (CEO) is concerned about the company’s intellectual property being leaked to competitors. The security team performed an extensive review but did not find any indication of an outside breach. The data sets are currently encrypted using the Triple Data Encryption Algorithm. Which of the following courses of action is appropriate?

Options:

A.

Limit all access to the sensitive data based on geographic access requirements with strict role-based access controls.

B.

Enable data masking and reencrypt the data sets using AES-256.

C.

Ensure the data is correctly classified and labeled, and that DLP rules are appropriate to prevent disclosure.

D.

Use data tokenization on sensitive fields, reencrypt the data sets using AES-256, and then create an MD5 hash.

Buy Now
Questions 60

A security analyst is evaluating the following support ticket:

Issue: Marketing campaigns are being filtered by the customer's email servers.

Description: Our marketing partner cannot send emails using our email address. The following log messages were collected from multiple customers:

• The SPF result is PermError.

• The SPF result is SoftFail or Fail.

• The 550 SPF check failed.

Which of the following should the analyst do next?

Options:

A.

Ask the marketing partner's ISP to disable the DKIM setting.

B.

Request approval to disable DMARC on the company's ISP.

C.

Ask the customers to disable SPF validation.

D.

Request a configuration change on the company's public DNS.

Buy Now
Questions 61

At which of the following phases of the SDLC shoukJ security FIRST be involved?

Options:

A.

Design

B.

Maintenance

C.

Implementation

D.

Analysis

E.

Planning

F.

Testing

Buy Now
Questions 62

A security analyst is handling an incident in which ransomware has encrypted the disks of several company workstations. Which of the following would work BEST to prevent this type of Incident in the future?

Options:

A.

Implement a UTM instead of a stateful firewall and enable gateway antivirus.

B.

Back up the workstations to facilitate recovery and create a gold Image.

C.

Establish a ransomware awareness program and implement secure and verifiable backups.

D.

Virtualize all the endpoints with dairy snapshots of the virtual machines.

Buy Now
Questions 63

Which of the following APT adversary archetypes represent non-nation-state threat actors? (Select TWO)

Options:

A.

Kitten

B.

Panda

C.

Tiger

D.

Jackal

E.

Bear

F.

Spider

Buy Now
Questions 64

An online gaming company was impacted by a ransomware attack. An employee opened an attachment that was received via an SMS attack on a company-issued mobile device while connected to the network. Which of the following actions would help during the forensic analysis of the mobile device? (Select TWO).

Options:

A.

Resetting the phone to factory settings

B.

Rebooting the phone and installing the latest security updates

C.

Documenting the respective chain of custody

D.

Uninstalling any potentially unwanted programs

E.

Performing a memory dump of the mobile device for analysis

F.

Unlocking the device by browsing the eFuse

Buy Now
Questions 65

Which of the following is a reason for correctly identifying APTs that might be targeting an organization?

Options:

A.

APTs' passion for social justice will make them ongoing and motivated attackers.

B.

APTs utilize methods and technologies differently than other threats

C.

APTs are primarily focused on financial gam and are widely available over the internet.

D.

APTs lack sophisticated methods, but their dedication makes them persistent.

Buy Now
Questions 66

A vulnerability assessment solution is hosted in the cloud This solution will be used as an accurate inventory data source for both the configuration management database and the governance nsk and compliance tool An analyst has been asked to automate the data acquisition Which of the following would be the BEST way to acqutre the data'

Options:

A.

CSV export

B.

SOAR

C.

API

D.

Machine learning

Buy Now
Questions 67

A development team recently released a new version of a public-facing website for testing prior to production. The development team is soliciting the help of various teams to validate the functionality of the website due to its high visibility. Which of the following activities best describes the process the development team is initiating?

Options:

A.

Static analysis

B.

Stress testing

C.

Code review

D.

User acceptance testing

Buy Now
Questions 68

A forensic analyst is conducting an investigation on a compromised server Which of the following should the analyst do first to preserve evidence''

Options:

A.

Restore damaged data from the backup media

B.

Create a system timeline

C.

Monitor user access to compromised systems

D.

Back up all log files and audit trails

Buy Now
Questions 69

An organization is performing a risk assessment to prioritize resources for mitigation and remediation based on impact. Which of the following metrics, in addition to the CVSS for each CVE, would best enable the organization to prioritize its efforts?

Options:

A.

OS type

B.

OS or application versions

C.

Patch availability

D.

System architecture

E.

Mission criticality

Buy Now
Questions 70

A security analyst is scanning the network to determine if a critical security patch was applied to all systems in an enterprise. The Organization has a very low tolerance for risk when it comes to resource availability. Which of the following is the BEST approach for configuring and scheduling the scan?

Options:

A.

Make sure the scan is credentialed, covers at hosts in the patch management system, and is scheduled during business hours so it can be terminated if it affects business operations.

B.

Make sure the scan is uncredentialed, covers at hosts in the patch management system, and Is scheduled during of business hours so it has the least impact on operations.

C.

Make sure the scan is credentialed, has the latest software and signature versions, covers all external hosts in the patch management system and is scheduled during off-business hours so it has the least impact on operations.

D.

Make sure the scan is credentialed, uses a ironed plug-in set, scans all host IP addresses in the enterprise, and is scheduled during off-business hours so it has the least impact on operations.

Buy Now
Questions 71

A company recently experienced a breach of sensitive information that affects customers across multiple geographical regions. Which of the following roles would be BEST suited to determine the breach notification requirements?

Options:

A.

Legal counsel

B.

Chief Security Officer

C.

Human resources

D.

Law enforcement

Buy Now
Questions 72

A company's legal and accounting teams have decided it would be more cost-effective to offload the risks of data storage to a third party. The IT management team has decided to implement a cloud model and has asked the security team for recommendations. Which of the following will allow all data to be kept on the third-party network?

Options:

A.

VDI

B.

SaaS

C.

CASB

D.

FaaS

Buy Now
Questions 73

Which of the following, BEST explains the function of TPM?

Options:

A.

To provide hardware-based security features using unique keys

B.

To ensure platform confidentiality by storing security measurements

C.

To improve management of the OS installation.

D.

To implement encryption algorithms for hard drives

Buy Now
Questions 74

A security analyst works for a biotechnology lab that is planning to release details about a new cancer treatment. The analyst has been instructed to tune the SIEM softvare and IPS in preparation for the

announcement. For which of the following concerns will the analyst most likely be monitoring?

Options:

A.

Intellectual property loss

B.

PII loss

C.

Financial information loss

D.

PHI loss

Buy Now
Questions 75

An email analysis system notifies a security analyst that the following message was quarantined and requires further review.

Which of the following actions should the security analyst take?

Options:

A.

Release the email for delivery due to its importance.

B.

Immediately contact a purchasing agent to expedite.

C.

Delete the email and block the sender.

D.

Purchase the gift cards and submit an expense report.

Buy Now
Questions 76

A security operations manager wants some recommendations for improving security monitoring. The security team currently uses past events to create an IOC list for monitoring.

Which of the following is the best suggestion for improving monitoring capabilities?

Options:

A.

Update the IPS and IDS with the latest rule sets from the provider.

B.

Create an automated script to update the IPS and IDS rule sets.

C.

Use an automated subscription to select threat feeds for IDS.

D.

Implement an automated malware solution on the IPS.

Buy Now
Questions 77

A security analyst is investigating an active threat of the system memory. While narrowing down the source of the threat, the analyst is inspecting all processes to isolate suspicious activity Which of the following techniques is the analyst using?

Options:

A.

Live forensics

B.

Logical acquisition

C.

Timeline analysis

D.

Static acquisition

Buy Now
Questions 78

A security analyst wants to capture large amounts of network data that will be analyzed at a later time. The packet capture does not need to be in a format that is readable by humans, since it will be put into a binary file called "packetCapture." The capture must be as efficient as possible, and the analyst wants to minimize the likelihood that packets will be missed. Which of the following commands will best accomplish the analyst's objectives?

Options:

A.

tcpdump -w packetCapture

B.

tcpdump -a packetCapture

C.

tcpdump -n packetCapture

D.

nmap -v > packetCapture

E.

nmap -oA > packetCapture

Buy Now
Questions 79

An application must pass a vulnerability assessment to move to the next gate. Consequently, any security issues that are found must be remediated prior to the next gate. Which of the following best describes the method for end-to-end vulnerability assessment?

Options:

A.

Security regression testing

B.

Static analysis

C.

Dynamic analysis

D.

Stress testing

Buy Now
Questions 80

A security analyst is reviewing the following server statistics:

Which of the following is MOST likely occurring?

Options:

A.

Race condition

B.

Privilege escalation

C.

Resource exhaustion

D.

VM escape

Buy Now
Questions 81

A security analyst is correlating, ranking, and enriching raw data into a report that will be interpreted by humans or machines to draw conclusions and create actionable recommendations Which of the following steps in the intelligence cycle is the security analyst performing?

Options:

A.

Analysis and production

B.

Processing and exploitation

C.

Dissemination and evaluation

D.

Data collection

E.

Planning and direction

Buy Now
Questions 82

Which of the following are the most likely reasons to include reporting processes when updating an incident response plan after a breach? (Select two).

Options:

A.

To use the SLA to determine when to deliver the report

B.

To meet regulatory requirements for timely reporting

C.

To limit reputation damage caused by the breach

D.

To remediate vulnerabilities that led to the breach

E.

To isolate potential insider threats

F.

To provide secure network design changes

Buy Now
Questions 83

A company wants to run a leaner team and needs to deploy a threat management system with minimal human Interaction. Which of the following is the server component of the threat management system that can accomplish this goal?

Options:

A.

STIX

B.

OpenlOC

C.

CVSS

D.

TAXll

Buy Now
Questions 84

Which of the following should a database administrator for an analytics firm implement to best protect PII from an insider threat?

Options:

A.

Data deidentification

B.

Data encryption

C.

Data auditing

D.

Data minimization

Buy Now
Questions 85

A financial organization has offices located globally. Per the organization’s policies and procedures, all executives who conduct Business overseas must have their mobile devices checked for malicious software or evidence of tempering upon their return. The information security department oversees the process, and no executive has had a device compromised. The Chief information Security Officer wants to Implement an additional safeguard to protect the organization's data. Which of the following controls would work BEST to protect the privacy of the data if a device is stolen?

Options:

A.

Implement a mobile device wiping solution for use if a device is lost or stolen.

B.

Install a DLP solution to track data now

C.

Install an encryption solution on all mobile devices.

D.

Train employees to report a lost or stolen laptop to the security department immediately

Buy Now
Questions 86

Industry partners from critical infrastructure organizations were victims of attacks on their SCADA devices. The attacker was able to gain access to the SCADA by logging in to an account with weak credentials. Which of the following identity and access management solutions would help to mitigate this risk?

Options:

A.

Multifactor authentication

B.

Manual access reviews

C.

Endpoint detection and response

D.

Role-based access control

Buy Now
Questions 87

Which of the following describes the difference between intentional and unintentional insider threats'?

Options:

A.

Their access levels will be different

B.

The risk factor will be the same

C.

Their behavior will be different

D.

The rate of occurrence will be the same

Buy Now
Questions 88

During a forensic investigation, a security analyst reviews some Session Initiation Protocol packets that came from a suspicious IP address. Law enforcement requires access to a VoIP call

that originated from the suspicious IP address. Which of the following should the analyst use to accomplish this task?

Options:

A.

Wireshark

B.

iptables

C.

Tcpdump

D.

Netflow

Buy Now
Questions 89

An information security analyst discovered a virtual machine server was compromised by an attacker. Which of the following should be the first steps to confirm and respond to the incident? (Select two).

Options:

A.

Pause the virtual machine.

B.

Shut down the virtual machine.

C.

Take a snapshot of the virtual machine.

D.

Remove the NIC from the virtual machine.

E.

Review host hypervisor log of the virtual machine.

F.

Execute a migration of the virtual machine.

Buy Now
Questions 90

A security analyst was transferred to an organization's threat-hunting team to track specific activity throughout the enterprise environment The analyst must observe and assess the number ot times this activity occurs and aggregate the results. Which of the following is the BEST threat-hunting method for the analyst to use?

Options:

A.

Stack counting

B.

Searching

C.

Clustering

D.

Grouping

Buy Now
Questions 91

During an audit several customer order forms were found to contain inconsistencies between the actual price of an item and the amount charged to the customer Further investigation narrowed the cause of the issue to manipulation of the public-facing web form used by customers to order products Which of the following would be the BEST way to locate this issue?

Options:

A.

Reduce the session timeout threshold

B.

Deploy MFA for access to the web server

C.

Implement input validation

D.

Run a static code scan

Buy Now
Questions 92

A company's Chief Information Officer wants to use a CASB solution to ensure policies are being met during cloud access. Due to the nature of the company's business and risk appetite, the management team elected to not store financial information in the cloud. A security analyst needs to recommend a solution to mitigate the threat of financial data leakage into the cloud. Which of the following should the analyst recommend?

Options:

A.

Utilize the CASB to enforce DLP data-at-rest protection for financial information that is stored on premises.

B.

Do not utilize the CASB solution for this purpose, but add DLP on premises for data in motion.

C.

Utilize the CASB to enforce DLP data-in-motion protection for financial information moving to the cloud.

D.

Do not utilize the CASB solution for this purpose, but add DLP on premises for data at rest.

Buy Now
Questions 93

A security engineer is reviewing security products that identify malicious actions by users as part of a company's insider threat program. Which of the following is the most appropriate product category for this purpose?

Options:

A.

SCAP

B.

SOAR

C.

UEBA

D.

WAF

Buy Now
Questions 94

As part of an Intelligence feed, a security analyst receives a report from a third-party trusted source. Within the report are several detrains and reputational information that suggest the company's employees may be targeted for a phishing campaign. Which of the following configuration changes would be the MOST appropriate for Mergence gathering?

Options:

A.

Update the whitelist.

B.

Develop a malware signature.

C.

Sinkhole the domains

D.

Update the Blacklist

Buy Now
Questions 95

A security technician is testing a solution that will prevent outside entities from spoofing the company's email domain, which is compatia.org. The testing is successful, and the security technician is prepared to fully implement the solution. Which of the following actions should the technician take to accomplish this task?

Options:

A.

Add TXT @ "v=spfl mx include:_spf.comptia. org -all" to the DNS record.

B.

Add : XT @ "v=spfl mx include:_sp£.comptia.org -all" to the email server.

C.

Add TXT @ "v=spfl mx include:_sp£.comptia.org +all" to the domain controller.

D.

AddTXT @ "v=apfl mx lnclude:_spf .comptia.org +a 11" to the web server.

Buy Now
Questions 96

A security analyst is reviewing a firewall usage report that contains traffic generated over the last 30 minutes in order to locate unusual traffic patterns:

Which of the following source IP addresses does the analyst need to investigate further?

Options:

A.

10.18.76.179

B.

10.50.180.49

C.

192.168.48.147

D.

192.168.100.5

Buy Now
Questions 97

The Chief Information Security Officer (CISO) of a large financial institution is seeking a solution that will block a predetermined set of data points from being transferred or downloaded by employees. The CISO also wants to track the data assets by name, type, content, or data profile.

Which of the following BEST describes what the CIS wants to purchase?

Options:

A.

Asset tagging

B.

SIEM

C.

File integrity monitor

D.

DLP

Buy Now
Questions 98

A security analyst discovers suspicious activity going to a high-value corporate asset. After reviewing the traffic, the security analyst identifies that

malware was successfully installed on a machine. Which of the following should be completed first?

Options:

A.

Create an IDS signature of the malware file.

B.

Create an IPS signature of the malware file.

C.

Remove the malware from the host.

D.

Contact the systems administrator.

Buy Now
Questions 99

A security analyst is looking at the headers of a few emails that appear to be targeting all users at an organization:

Which of the following technologies would MOST likely be used to prevent this phishing attempt?

Options:

A.

DNSSEC

B.

DMARC

C.

STP

D.

S/IMAP

Buy Now
Questions 100

A new prototype for a company's flagship product was leaked on the internet As a result, the management team has locked out all USB drives Optical drive writers are not present on company computers The sales team has been granted an exception to share sales presentation files with third parties Which of the following would allow the IT team to determine which devices are USB enabled?

Options:

A.

Asset tagging

B.

Device encryption

C.

Data loss prevention

D.

SIEMIogs

Buy Now
Questions 101

An organization has a policy that requires servers to be dedicated to one function and unneeded services to be disabled. Given the following output from an Nmap scan of a web server:

Which of the following ports should be closed?

Options:

A.

22

B.

80

C.

443

D.

1433

Buy Now
Questions 102

A threat feed disclosed a list of files to be used as an loC for a zero-day vulnerability. A cybersecurity analyst decided to include a custom lookup for these files on the endpoint's log-in script as a mechanism to:

Options:

A.

automate malware signature creation.

B.

close the threat intelligence cycle loop.

C.

generate a STIX object for the TAXII server

D.

improve existing detection capabilities.

Buy Now
Questions 103

In response to an audit finding, a company's Chief information Officer (CIO) instructed the security department to Increase the security posture of the vulnerability management program. Currency, the company's vulnerability management program has the following attributes:

Which of the following would BEST Increase the security posture of the vulnerably management program?

Options:

A.

Expand the ports Being scanned lo Include al ports increase the scan interval to a number the business win accept without causing service interruption. Enable authentication and perform credentialed scans

B.

Expand the ports being scanned to Include all ports. Keep the scan interval at its current level Enable authentication and perform credentialed scans.

C.

Expand the ports being scanned to Include at ports increase the scan interval to a number the business will accept without causing service Interruption. Continue unauthenticated scans.

D.

Continue scanning the well-known ports increase the scan interval to a number the business will accept without causing service Interruption. Enable authentication and perform credentialed scans.

Buy Now
Questions 104

A company has a cluster of web servers that is critical to the business. A systems administrator installed a utility to troubleshoot an issue, and the utility caused the entire cluster to 90 offline. Which of the following solutions would work BEST prevent to this from happening again?

Options:

A.

Change management

B.

Application whitelisting

C.

Asset management

D.

Privilege management

Buy Now
Questions 105

A Chief Information Security Officer (CISO) is concerned about new privacy regulations that apply to the company. The CISO has tasked a security analyst with finding the proper control functions to verify that a user's data is not altered without the user's consent. Which of the following would be an appropriate course of action?

Options:

A.

Automate the use of a hashing algorithm after verified users make changes to their data.

B.

Use encryption first and then hash the data at regular, defined times.

C.

Use a DLP product to monitor the data sets for unauthorized edits and changes.

D.

Replicate the data sets at regular intervals and continuously compare the copies for unauthorized changes.

Buy Now
Questions 106

Which of the following BEST describes HSM?

Options:

A.

A computing device that manages cryptography, decrypts traffic, and maintains library calls

B.

A computing device that manages digital keys, performs encryption/decryption functions, and maintains other cryptographic functions

C.

A computing device that manages physical keys, encrypts devices, and creates strong cryptographic functions

D.

A computing device that manages algorithms, performs entropy functions, and maintains digital signatures

Buy Now
Questions 107

White reviewing incident reports from the previous night, a security analyst notices the corporate websites were defaced with po mcai propaganda. Which of the following BEST Describes this type of actor?

Options:

A.

Hacktivist

B.

Nation-state

C.

insider threat

D.

Organized crime

Buy Now
Questions 108

A company needs to expand Its development group due to an influx of new feature requirements (rom Its customers. To do so quickly, the company is using Junior-level developers to fill in as needed. The company has found a number of vulnerabilities that have a direct correlation to the code contributed by the junior-level developers. Which of the following controls would best help to reduce the number of software vulnerabilities Introduced by this situation?

Options:

A.

Requiring senior-level developers to review code written by junior-level developers

B.

Hiring senior-level developers only

C.

Allowing only senior-level developers to write code for new features

D.

Using authorized source code repositories only

Buy Now
Questions 109

A customer notifies a security analyst that a web application is vulnerable to information disclosure The analyst needs to indicate the seventy of the vulnerability based on its CVSS score, which the analyst needs to calculate When analyzing the vulnerability the analyst realizes that tor the attack to be successful, the Tomcat configuration file must be modified Which of the following values should the security analyst choose when evaluating the CVSS score?

Options:

A.

Network

B.

Physical

C.

Adjacent

D.

Local

Buy Now
Questions 110

When investigating a compromised system, a security analyst finds the following script in the /tmp directory:

Which of the following attacks is this script attempting, and how can it be mitigated?

Options:

A.

This is a password-hijacking attack, and it can be mitigated by using strong encryption protocols.

B.

This is a password-spraying attack, and it can be mitigated by using multifactor authentication.

C.

This is a password-dictionary attack, and it can be mitigated by forcing password changes every 30 days.

D.

This is a credential-stuffing attack, and it can be mitigated by using multistep authentication.

Buy Now
Questions 111

A cybersecunty analyst needs to harden a server that is currently being used as a web server The server needs to be accessible when entenng www company com into the browser Additionally web pages require frequent updates which are performed by a remote contractor Given the following output:

Which of the following should the cybersecunty analyst recommend to harden the server? (Select TWO).

Options:

A.

Uninstall the DNS service

B.

Perform a vulnerability scan

C.

Change the server's IP to a private IP address

D.

Disable the Telnet service

E.

Block port 80 with the host-based firewall

F.

Change the SSH port to a non-standard port

Buy Now
Exam Code: CS0-002
Exam Name: CompTIA CySA+ Certification Exam (CS0-002)
Last Update: Dec 2, 2024
Questions: 372
CS0-002 pdf

CS0-002 PDF

$25.5  $84.99
CS0-002 Engine

CS0-002 Testing Engine

$30  $99.99
CS0-002 PDF + Engine

CS0-002 PDF + Testing Engine

$40.5  $134.99